Cloudflare Tunnel Setup

Cloudflare Tunnel (cloudflared) creates an outbound-only connection from your origin to Cloudflare's edge, so the origin needs no inbound firewall rules.

Create a tunnel

# Authenticate (opens browser)
cloudflared tunnel login

# Create tunnel
cloudflared tunnel create my-cluster

# List tunnels
cloudflared tunnel list

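The create command writes a credentials file to ~/.cloudflared/<UUID>.json. Anyone who holds that file can run the tunnel, so keep it readable only by the account that runs cloudflared and out of version control.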

Config file

~/.cloudflared/config.yaml
tunnel: <TUNNEL-UUID>
credentials-file: /home/user/.cloudflared/<TUNNEL-UUID>.json

ingress:
  - hostname: api.huynhthientung.com
    service: http://localhost:8080
  - hostname: grafana.huynhthientung.com
    service: http://localhost:3000
  - service: http_status:404 # catch-all
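
Ingress rules are evaluated top to bottom and the first match wins, which is why the catch-all goes last. The Python below is an added example, not cloudflared's own code: a simplified model of that evaluation, with an audit for the ordering mistakes that would change which local service a hostname reaches. The function names are hypothetical, the rule list is the config above written out as parsed YAML, and path filters are considered only when deciding whether a rule is a catch-all.

```python
# Added example: simplified model of ingress evaluation, not cloudflared's code.
# Constructed input: the ingress list from the config above, as parsed YAML.
INGRESS = [
    {"hostname": "api.huynhthientung.com", "service": "http://localhost:8080"},
    {"hostname": "grafana.huynhthientung.com", "service": "http://localhost:3000"},
    {"service": "http_status:404"},  # catch-all
]


def rule_matches(rule, host):
    """No hostname means match-all; a leading '*.' matches any subdomain."""
    pattern = (rule.get("hostname") or "").lower()
    host = host.lower().rstrip(".")
    if not pattern:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def route(ingress, host):
    """Return the service of the first matching rule, top to bottom."""
    for rule in ingress:
        if rule_matches(rule, host):
            return rule["service"]
    return None  # only reachable when the catch-all is missing


def is_catch_all(rule):
    return not rule.get("hostname") and not rule.get("path")


def audit(ingress):
    """Flag ordering mistakes that change which origin service is exposed."""
    findings = []
    if not ingress or not is_catch_all(ingress[-1]):
        findings.append("last rule is not a catch-all")
    for i, rule in enumerate(ingress[:-1]):
        if is_catch_all(rule):
            findings.append(f"rule {i} matches every host; later rules are unreachable")
    return findings


if __name__ == "__main__":
    for h in ("api.huynhthientung.com", "unknown.huynhthientung.com"):
        print(h, "->", route(INGRESS, h))
    print(audit(INGRESS) or "ingress order OK")
```

On a host with cloudflared installed, `cloudflared tunnel ingress validate` checks the real config file.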

Route DNS

cloudflared tunnel route dns my-cluster api.huynhthientung.com

This creates a CNAME api.huynhthientung.com → <UUID>.cfargotunnel.com in your Cloudflare zone, proxied (orange cloud).

Run the tunnel

# Foreground
cloudflared tunnel run my-cluster

# As a systemd service
cloudflared service install
systemctl enable --now cloudflared

Verify

cloudflared tunnel info my-cluster

Check the connection count: it should show active connections from your origin to Cloudflare PoPs.