Guide: Securely Exposing Local Services in ServBay Using Cloudflare Tunnel

Cloudflare Tunnel (formerly known as Argo Tunnel) is a Zero Trust network service offered by Cloudflare that allows you to securely expose locally running web services, SSH, or other applications to the internet—without opening public ports or configuring complex firewall rules. This guide details how to use the cloudflared client tool within ServBay's powerful local web development environment to establish a secure tunnel, enabling internet access to your local ServBay services.

Key Benefits:

• Enhanced Security: Leverage Cloudflare's global network security features, including DDoS protection and WAF (Web Application Firewall).
• Simplified Network Configuration: No need to deal with port forwarding, NAT, or firewall rules.
• Zero Trust Model: Connections are outbound, reducing attack surface exposure.
• Cloudflare Integration: Benefit from Cloudflare's caching, optimization, analytics, and other features.

Overview

ServBay provides developers with an integrated, easy-to-manage local development environment supporting multiple languages (PHP, Node.js, Python, Go, Java, Ruby, Rust, etc.), databases (MySQL, PostgreSQL, MongoDB, Redis, etc.), and web servers (Caddy, Nginx, Apache). By default, sites or applications you develop in ServBay are only accessible locally. By combining Cloudflare Tunnel, you can seamlessly share development progress with teammates or temporarily/long-term expose local services to external users, while enjoying Cloudflare's enterprise-level security and performance benefits.

Technical Principle

Cloudflare Tunnel works by running the cloudflared client on your local network (the machine running ServBay), which proactively establishes one or more encrypted, QUIC-based connections to the nearest Cloudflare edge node. These are outbound connections, so you don't need to configure any inbound rules on your router or firewall. When users access your service via the domain associated with the tunnel, traffic first reaches Cloudflare's edge, then is securely relayed via the tunnel to your local cloudflared client, which forwards the request to your local service running in ServBay (for example, at https://servbay.local or http://localhost:8000). The response is then returned along the same secure path.

Prerequisites

Before starting configuration, ensure you meet these requirements:

1. ServBay is installed and running: Your ServBay environment is properly set up, and the local website or service you wish to expose is running within ServBay. For example, the default local domain servbay.local should be accessible.
2. Cloudflare account: You have a Cloudflare account.
3. Domain managed by Cloudflare: You own a domain that has been added to your Cloudflare account with its DNS managed by Cloudflare.
4. Install cloudflared client: The cloudflared command-line tool is installed on your ServBay/macOS machine.

1. Install the cloudflared Client

For macOS, it is recommended to use Homebrew for installation. If Homebrew is not installed, please refer to its official documentation first.

Install via Homebrew (Recommended):

brew update
brew install cloudflared

Manual Download and Installation (for macOS ARM):

# Download the binary for macOS ARM (Apple Silicon)
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-arm64.tgz | tar xz
# Move the binary to a directory in your PATH
sudo mv cloudflared /usr/local/bin/

Verify Installation: After installation, run the following command to verify cloudflared is installed and check the version:

cloudflared --version
# Example output: cloudflared version 2024.5.0 (built 2024-05-01)

The version number may differ, but as long as it displays, the installation is successful.

2. Log in to Your Cloudflare Account

Run the following in your terminal to authorize your Cloudflare account:

cloudflared tunnel login

This command will open your browser to Cloudflare's login page. Select the account associated with your domain and authorize cloudflared to access your account. Once authorized, a success message will be shown in your browser and you’ll be prompted in the terminal that authorization is complete—cert.pem will be generated in the default settings directory (usually ~/.cloudflared/).

Tunnel Configuration in Practice

Next, we’ll create a new tunnel and direct traffic to the local service running in ServBay.

Core Configuration Process

1. Create the Tunnel

   Run the following in your terminal to create a new tunnel. You can name your tunnel something memorable, e.g., servbay-demo-tunnel.

   cloudflared tunnel create servbay-demo-tunnel

   Upon success, you’ll be shown the tunnel’s ID (a UUID) and the path to its credentials file. Take note of this ID, e.g., a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d. This command will generate a JSON credentials file, such as a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d.json, in ~/.cloudflared/. This file contains vital authentication info—keep it safe!

2. Configure DNS Records

   To direct a specific domain’s traffic to your tunnel, you’ll need to create a CNAME record in Cloudflare DNS. cloudflared provides a convenient command:

   cloudflared tunnel route dns servbay-demo-tunnel servbay-demo.yourdomain.com

   Replace servbay-demo-tunnel with your tunnel’s name, and servbay-demo.yourdomain.com with the subdomain you want for your local service (make sure yourdomain.com is in your Cloudflare account).

   This command creates a CNAME record for servbay-demo.yourdomain.com in your Cloudflare DNS, pointing to <TunnelID>.cfargotunnel.com.

3. Write the Configuration File

   cloudflared uses a YAML file to define tunnel behavior (which services to expose and which domains to use). The default config file path is ~/.cloudflared/config.yml. Create the file if it doesn’t exist.

   Edit ~/.cloudflared/config.yml as follows:

   # tunnel: The UUID of your tunnel; replace with your actual tunnel ID
   tunnel: a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d
   # credentials-file: The tunnel's credentials file path—usually in ~/.cloudflared/ and named after your UUID
   credentials-file: /Users/yourusername/.cloudflared/a7b8c9d0-e1f2-3a4b-5c6d-7e8f9a0b1c2d.json # Replace with your actual username and file path
   
   ingress:
     # Define which requests the tunnel matches
     - hostname: servbay-demo.yourdomain.com # The external domain, should match your DNS configuration
       service: https://servbay.local # Local ServBay service address. ServBay's default domain includes SSL.
       originRequest:
         # noTLSVerify: true # Enable if your local service uses a self-signed certificate (such as one generated by ServBay's User CA)
         # If your ServBay site uses a valid certificate (like Let's Encrypt via ServBay's ACME), you don't need this.
         # For local development, using ServBay's User CA cert with noTLSVerify: true is common.
     - service: http_status:404 # Default fallback rule: return 404 if none match

   Important Notes:

   • Replace tunnel and credentials-file with your real UUID and path.
   • Ensure hostname matches the subdomain set up in step 2.
   • service: https://servbay.local points to the default ServBay HTTPS address. ServBay sets up servbay.local and issues a local SSL cert via its User CA. cloudflared forwards incoming requests to this address. If your service runs elsewhere (e.g., a Node.js app at http://localhost:3000), adjust accordingly.
   • originRequest.noTLSVerify: true disables certificate validation from cloudflared to your local service. Use this if your certificate is self-signed (such as ServBay User CA). If your ServBay site has a valid, trusted certificate (like via Let's Encrypt from ServBay ACME), you don't need this option.

Starting the Tunnel Service

Once configured, start your cloudflared tunnel with:

cloudflared tunnel run servbay-demo-tunnel

Replace servbay-demo-tunnel with your tunnel’s name.

cloudflared will connect to the Cloudflare network and establish the tunnel. Logs and status will appear in the terminal. The tunnel stays active as long as this command runs in the foreground. For background/daemon operation, you may configure it as a system service (methods vary, e.g., using launchctl on macOS, but details are outside this document’s scope).

Service Verification

Once the tunnel is up, you (and anyone you share the link with) can access your local ServBay service from the internet using the configured domain.

1. Visit the Configured Domain: In your browser, navigate to the domain configured in step 2, e.g., https://servbay-demo.yourdomain.com.

2. Verification Checklist:

   • Your site should load and display identically to https://servbay.local accessed locally.
   • The browser's address bar should show a valid SSL certificate—this cert is issued by Cloudflare (not your local ServBay cert, which is used only between cloudflared and ServBay).
   • Use developer tools to check HTTP response headers; you should see CF-RAY and other Cloudflare headers, indicating the traffic passed through Cloudflare.

Advanced Configuration Tips

Multi-Service Routing

You can define multiple rules in the ingress section of config.yml to route traffic to different local services in ServBay (e.g., distinct sites or back-end APIs) based on hostname.

ingress:
  - hostname: api.yourdomain.com
    service: http://localhost:8080 # Suppose your API runs on local port 8080
  - hostname: app.yourdomain.com
    service: https://servbay.local # Your main website
  - service: http_status:404

Traffic Monitoring and Logs

cloudflared offers helpful commands for tunnel monitoring and debugging:

• View Live Metrics:

  cloudflared tunnel info servbay-demo-tunnel

• Get Detailed Logs: The cloudflared tunnel run command outputs logs directly in the terminal. You can also set log levels or output to a file if desired.

Integrating Cloudflare Access

For an extra security layer, combine Cloudflare Access to add authentication and authorization to your tunnel-exposed services. Cloudflare Access is part of the Zero Trust platform, offering finer-grained access control than traditional VPNs—typically configured in the Cloudflare Dashboard.

Troubleshooting

If you encounter issues during setup or use, refer to these common symptoms and solutions:

Symptom	Solution
502 Bad Gateway on domain access	Ensure your ServBay service is running and accessible (e.g., check via your browser at https://servbay.local or another address). Verify your config.yml service address and port. If using HTTPS locally without noTLSVerify: true, check your cert validity or enable noTLSVerify.
DNS resolution error; cannot access domain	Make sure you’ve added the correct CNAME record pointing to <TunnelID>.cfargotunnel.com in Cloudflare DNS. Use dig or nslookup to verify DNS.
Certificate error when accessing domain	If the issue is with the Cloudflare certificate, check that your config.yml hostname matches the accessed domain. If the error comes from cloudflared connecting to your local service, ensure the address is correct and enable originRequest.noTLSVerify: true if necessary.
cloudflared tunnel run throws errors	Check that ~/.cloudflared/config.yml exists and is formatted correctly (YAML). Verify tunnel and credentials-file settings (UUID and path). Ensure cloudflared has permission to the credential and config files.
Slow access or unstable connection	Check your local network connection. Cloudflare Tunnel uses QUIC; ensure your network allows QUIC protocol. Consider your Cloudflare region settings or contact Cloudflare support.

Summary of Advantages

By integrating Cloudflare Tunnel with ServBay, developers can:

• Securely share local work: Easily present sites or apps in development to clients or team members.
• Test external callbacks/webhooks: Run tests for APIs or webhooks that require public access.
• Gain enterprise-grade security: Enjoy Cloudflare's DDoS protection, WAF, and other features safeguarding your local services.
• Simplify network configs: Eliminate complex port forwarding and firewall woes.
• Leverage Cloudflare’s global network: Improve speed and reliability via Anycast.

ServBay’s robust local development environment, paired with Cloudflare Tunnel’s secure exposure, offers an efficient and safe workflow for developers.

Conclusion

This document provided a step-by-step guide for installing and configuring cloudflared in ServBay, creating and running a Cloudflare Tunnel to securely expose your local web service to the internet. By following these steps, you can fully leverage ServBay's multi-tech-stack support and Cloudflare Tunnel's security, dramatically improving your development and collaboration efficiency. Remember, Cloudflare Tunnel is part of Cloudflare's Zero Trust platform—consider exploring features like Cloudflare Access for advanced access control and security.