Guide: Securely Exposing Local Services in ServBay Using Cloudflare Tunnel
Cloudflare Tunnel (formerly known as Argo Tunnel) is a Zero Trust network service offered by Cloudflare that allows you to securely expose locally running web services, SSH, or other applications to the internet, without opening public ports or configuring complex firewall rules. This guide details how to use the `cloudflared` client tool within ServBay's powerful local web development environment to establish a secure tunnel, enabling internet access to your local ServBay services.
Key Benefits:
- Enhanced Security: Leverage Cloudflare's global network security features, including DDoS protection and WAF (Web Application Firewall).
- Simplified Network Configuration: No need to deal with port forwarding, NAT, or firewall rules.
- Zero Trust Model: Connections are outbound, reducing attack surface exposure.
- Cloudflare Integration: Benefit from Cloudflare's caching, optimization, analytics, and other features.
Overview
ServBay provides developers with an integrated, easy-to-manage local development environment supporting multiple languages (PHP, Node.js, Python, Go, Java, Ruby, Rust, etc.), databases (MySQL, PostgreSQL, MongoDB, Redis, etc.), and web servers (Caddy, Nginx, Apache). By default, sites or applications you develop in ServBay are only accessible locally. By combining ServBay with Cloudflare Tunnel, you can share development progress with teammates or expose local services to external users, temporarily or long-term, while enjoying Cloudflare's enterprise-level security and performance benefits.
Technical Principle
Cloudflare Tunnel works by running the `cloudflared` client on your local network (the machine running ServBay), which proactively establishes one or more encrypted, QUIC-based connections to the nearest Cloudflare edge node. These are outbound connections, so you don't need to configure any inbound rules on your router or firewall. When users access your service via the domain associated with the tunnel, traffic first reaches Cloudflare's edge, then is securely relayed via the tunnel to your local `cloudflared` client, which forwards the request to your local service running in ServBay (for example, at `https://servbay.local` or `http://localhost:8000`). The response is then returned along the same secure path.
Prerequisites
Before starting configuration, ensure you meet these requirements:
- ServBay is installed and running: Your ServBay environment is properly set up, and the local website or service you wish to expose is running within ServBay. For example, the default local domain `servbay.local` should be accessible.
- Cloudflare account: You have a Cloudflare account.
- Domain managed by Cloudflare: You own a domain that has been added to your Cloudflare account with its DNS managed by Cloudflare.
- Install `cloudflared` client: The `cloudflared` command-line tool is installed on your ServBay/macOS machine.
1. Install the `cloudflared` Client
For macOS, it is recommended to use Homebrew for installation. If Homebrew is not installed, please refer to its official documentation first.
Install via Homebrew (Recommended):
```bash
brew update
brew install cloudflared
```
Manual Download and Installation (for macOS ARM):
```bash
# Download the binary for macOS ARM (Apple Silicon)
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-arm64.tgz | tar xz
# Move the binary to a directory in your PATH
sudo mv cloudflared /usr/local/bin/
```
Verify Installation: After installation, run the following command to verify `cloudflared` is installed and check the version:
```bash
cloudflared --version
# Example output: cloudflared version 2024.5.0 (built 2024-05-01)
```
The version number may differ, but as long as it displays, the installation is successful.
2. Log in to Your Cloudflare Account
Run the following in your terminal to authorize your Cloudflare account:
```bash
cloudflared tunnel login
```
This command will open your browser to Cloudflare's login page. Select the account associated with your domain and authorize `cloudflared` to access your account. Once authorized, a success message will be shown in your browser and the terminal will report that authorization is complete. A `cert.pem` file will be generated in the default settings directory (usually `~/.cloudflared/`).
Tunnel Configuration in Practice
Next, we’ll create a new tunnel and direct traffic to the local service running in ServBay.
Core Configuration Process
Create the Tunnel
Run the following in your terminal to create a new tunnel. You can name your tunnel something memorable, e.g., `servbay-demo-tunnel`.
```bash
cloudflared tunnel create servbay-demo-tunnel
```
Upon success, you'll be shown the tunnel's ID (a UUID) and the path to its credentials file. Take note of this ID, e.g., `a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d`. This command will generate a JSON credentials file, such as `a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d.json`, in `~/.cloudflared/`. This file contains vital authentication info, so keep it safe!
Configure DNS Records
To direct a specific domain's traffic to your tunnel, you'll need to create a CNAME record in Cloudflare DNS. `cloudflared` provides a convenient command:
```bash
cloudflared tunnel route dns servbay-demo-tunnel servbay-demo.yourdomain.com
```
Replace `servbay-demo-tunnel` with your tunnel's name, and `servbay-demo.yourdomain.com` with the subdomain you want for your local service (make sure `yourdomain.com` is in your Cloudflare account).
This command creates a CNAME record for `servbay-demo.yourdomain.com` in your Cloudflare DNS, pointing to `<TunnelID>.cfargotunnel.com`.
Write the Configuration File
`cloudflared` uses a YAML file to define tunnel behavior (which services to expose and which domains to use). The default config file path is `~/.cloudflared/config.yml`. Create the file if it doesn't exist.
Edit `~/.cloudflared/config.yml` as follows:
```yaml
# tunnel: The UUID of your tunnel; replace with your actual tunnel ID
tunnel: a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d
# credentials-file: The tunnel's credentials file path, usually in ~/.cloudflared/ and named after your UUID
credentials-file: /Users/yourusername/.cloudflared/a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d.json # Replace with your actual username and file path

ingress:
  # Define which requests the tunnel matches
  - hostname: servbay-demo.yourdomain.com # The external domain, should match your DNS configuration
    service: https://servbay.local # Local ServBay service address. ServBay's default domain includes SSL.
    originRequest:
      # noTLSVerify: true # Enable if your local service uses a self-signed certificate (such as one generated by ServBay's User CA)
      # If your ServBay site uses a valid certificate (like Let's Encrypt via ServBay's ACME), you don't need this.
      # For local development, using ServBay's User CA cert with noTLSVerify: true is common.
  - service: http_status:404 # Default fallback rule: return 404 if none match
```
Important Notes:
- Replace `tunnel` and `credentials-file` with your real UUID and path.
- Ensure `hostname` matches the subdomain set up in step 2 (Configure DNS Records).
- `service: https://servbay.local` points to the default ServBay HTTPS address. ServBay sets up `servbay.local` and issues a local SSL cert via its User CA. `cloudflared` forwards incoming requests to this address. If your service runs elsewhere (e.g., a Node.js app at `http://localhost:3000`), adjust accordingly.
- `originRequest.noTLSVerify: true` disables certificate validation from `cloudflared` to your local service, so `cloudflared` accepts whatever certificate the local service presents. Use this if your certificate is self-signed (such as ServBay User CA). If your ServBay site has a valid, trusted certificate (like via Let's Encrypt from ServBay ACME), you don't need this option.
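The steps above leave `cert.pem`, a `<UUID>.json` credentials file and `config.yml` in `~/.cloudflared/`. The following is an added check, not part of the original guide or of `cloudflared`: it flags secret files that group or other users can access, an active `noTLSVerify: true`, and a `credentials-file` path that does not exist. The function names, finding labels and the constructed sample directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a cloudflared settings directory (default ~/.cloudflared).
# Prints one finding per line; prints nothing when nothing is flagged.
audit_cloudflared_dir() {
    dir=${1:-"$HOME/.cloudflared"}
    # cert.pem (account authorization) and <UUID>.json (tunnel credentials)
    # are secrets: group and other should hold no permission bits on them.
    for f in "$dir"/cert.pem "$dir"/*.json; do
        [ -f "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        go_bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "PERMS $f: group/other bits '$go_bits', tighten with chmod 600"
        fi
    done
    cfg="$dir/config.yml"
    [ -f "$cfg" ] || return 0
    # An active (uncommented) noTLSVerify: true switches off validation of the
    # origin certificate; commented-out lines start with '#' and do not match.
    if grep -Eq '^[[:space:]]*noTLSVerify:[[:space:]]*true' "$cfg"; then
        echo "TLS $cfg: noTLSVerify is true, origin certificate is not validated"
    fi
    # credentials-file should name an existing file (paths containing spaces
    # are not handled by this simple sed extraction).
    cred=$(sed -n 's/^credentials-file:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg")
    if [ -n "$cred" ] && [ ! -f "$cred" ]; then
        echo "CREDS $cfg: credentials-file '$cred' does not exist"
    fi
}

# Constructed sample directory (placeholder ID, no real credentials).
demo_audit() {
    d=$(mktemp -d)
    id=00000000-0000-0000-0000-000000000000
    echo '{}' > "$d/$id.json"; chmod 644 "$d/$id.json"
    echo 'placeholder' > "$d/cert.pem"; chmod 600 "$d/cert.pem"
    printf '%s\n' "tunnel: $id" "credentials-file: $d/$id.json" 'ingress:' \
        '  - hostname: servbay-demo.yourdomain.com' \
        '    service: https://servbay.local' '    originRequest:' \
        '      noTLSVerify: true' '  - service: http_status:404' > "$d/config.yml"
    audit_cloudflared_dir "$d"
    rm -rf "$d"
}

# With no argument, show the constructed demo; otherwise audit the given path.
if [ $# -eq 0 ]; then demo_audit; else audit_cloudflared_dir "$1"; fi
```

Run it with `~/.cloudflared` as the argument to audit a real setup; the constructed demo reports the world-readable credentials file and the active `noTLSVerify` line.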
Starting the Tunnel Service
Once configured, start your `cloudflared` tunnel with:
```bash
cloudflared tunnel run servbay-demo-tunnel
```
Replace `servbay-demo-tunnel` with your tunnel's name.
`cloudflared` will connect to the Cloudflare network and establish the tunnel. Logs and status will appear in the terminal. The tunnel stays active as long as this command runs in the foreground. For background/daemon operation, you may configure it as a system service (methods vary, e.g., using `launchctl` on macOS, but details are outside this document's scope).
Service Verification
Once the tunnel is up, you (and anyone you share the link with) can access your local ServBay service from the internet using the configured domain.
Visit the Configured Domain: In your browser, navigate to the domain configured in step 2 (Configure DNS Records), e.g., `https://servbay-demo.yourdomain.com`.
Verification Checklist:
- Your site should load and display identically to `https://servbay.local` accessed locally.
- The browser's address bar should show a valid SSL certificate. This cert is issued by Cloudflare (not your local ServBay cert, which is used only between `cloudflared` and ServBay).
- Use developer tools to check HTTP response headers; you should see `CF-RAY` and other Cloudflare headers, indicating the traffic passed through Cloudflare.
Advanced Configuration Tips
Multi-Service Routing
You can define multiple rules in the `ingress` section of `config.yml` to route traffic to different local services in ServBay (e.g., distinct sites or back-end APIs) based on hostname.
```yaml
ingress:
  - hostname: api.yourdomain.com
    service: http://localhost:8080 # Suppose your API runs on local port 8080
  - hostname: app.yourdomain.com
    service: https://servbay.local # Your main website
  - service: http_status:404
```
Traffic Monitoring and Logs
`cloudflared` offers helpful commands for tunnel monitoring and debugging:
- View Live Metrics:
```bash
cloudflared tunnel info servbay-demo-tunnel
```
- Get Detailed Logs: The `cloudflared tunnel run` command outputs logs directly in the terminal. You can also set log levels or output to a file if desired.
Integrating Cloudflare Access
For an extra security layer, combine the tunnel with Cloudflare Access to add authentication and authorization to your tunnel-exposed services. Cloudflare Access is part of the Zero Trust platform, offers finer-grained access control than traditional VPNs, and is typically configured in the Cloudflare Dashboard.
Troubleshooting
If you encounter issues during setup or use, refer to these common symptoms and solutions:
Symptom | Solution |
---|---|
502 Bad Gateway on domain access | Ensure your ServBay service is running and accessible (e.g., check via your browser at `https://servbay.local` or another address). Verify your `config.yml` service address and port. If using HTTPS locally without `noTLSVerify: true`, check your cert validity or enable `noTLSVerify`. |
DNS resolution error; cannot access domain | Make sure you've added the correct CNAME record pointing to `<TunnelID>.cfargotunnel.com` in Cloudflare DNS. Use `dig` or `nslookup` to verify DNS. |
Certificate error when accessing domain | If the issue is with the Cloudflare certificate, check that your `config.yml` hostname matches the accessed domain. If the error comes from `cloudflared` connecting to your local service, ensure the address is correct and enable `originRequest.noTLSVerify: true` if necessary. |
`cloudflared tunnel run` throws errors | Check that `~/.cloudflared/config.yml` exists and is formatted correctly (YAML). Verify `tunnel` and `credentials-file` settings (UUID and path). Ensure `cloudflared` has permission to the credential and config files. |
Slow access or unstable connection | Check your local network connection. Cloudflare Tunnel uses QUIC; ensure your network allows QUIC protocol. Consider your Cloudflare region settings or contact Cloudflare support. |
Summary of Advantages
By integrating Cloudflare Tunnel with ServBay, developers can:
- Securely share local work: Easily present sites or apps in development to clients or team members.
- Test external callbacks/webhooks: Run tests for APIs or webhooks that require public access.
- Gain enterprise-grade security: Enjoy Cloudflare's DDoS protection, WAF, and other features safeguarding your local services.
- Simplify network configs: Eliminate complex port forwarding and firewall woes.
- Leverage Cloudflare’s global network: Improve speed and reliability via Anycast.
ServBay’s robust local development environment, paired with Cloudflare Tunnel’s secure exposure, offers an efficient and safe workflow for developers.
Conclusion
This document provided a step-by-step guide for installing and configuring `cloudflared` in ServBay, creating and running a Cloudflare Tunnel to securely expose your local web service to the internet. By following these steps, you can fully leverage ServBay's multi-tech-stack support and Cloudflare Tunnel's security, dramatically improving your development and collaboration efficiency. Remember, Cloudflare Tunnel is part of Cloudflare's Zero Trust platform; consider exploring features like Cloudflare Access for advanced access control and security.