Cloudflare Tunnels are convenient and free


In short:

  • Cloudflare tunnels securely proxy and map a public domain (patrickwthomas.net) to a protocol (HTTPS) and a host/port (localhost:8080) that is relative to an individual machine
  • Cloudflare tunnels proxy the domain to a local host and port, meaning your local machine/IP is not directly exposed
  • Cloudflare handles SSL, meaning a web service hosted locally is still served to visitors over HTTPS
  • Cloudflare tunnels are extremely easy to configure

I've always wanted a simple service that would allow me to securely expose a web service running on a local machine, which effectively lets me host a web server in my own home. You can do this fairly easily by exposing the right ports on your router and assigning a domain name to your IP address, but there are several problems with this:

  1. Your IP address is now exposed, which can give malicious actors a target. This is especially dangerous since this would be possible access to your home network and personal devices.
  2. If you want to host multiple web services you have to either configure and maintain a reverse proxy through something like Nginx or remember which service maps to which port.
  3. Your IP address could change at any moment if you do not have a static IP address. There are workarounds for this (reverse DNS, automatically updating A record targets via API calls to your DNS, etc.), but all require money or configuration.
  4. SSL/HTTPS configuration would have to be done on a per-site and manual basis.

I recently discovered that Cloudflare has a service in their Zero Trust dashboard called Tunnels that solves most of those problems. It works by Cloudflare assigning a domain name of your choice (like patrickwthomas.net) to one of their proxies. Via a local Cloudflare daemon on your web server, Cloudflare then tunnels a local-relative host and port (like localhost:8080 or my.intranet.test:8000, so not necessarily limited to the host running the Cloudflare daemon) to the domain name you chose, over a protocol that you choose. This means that someone can connect to my-domain.com via HTTPS and you can configure that request to arrive as a plain HTTP request to localhost:8000 (no SSL management required!). Tunnels feel similar to SSH tunnels, except that the other end of the tunnel is managed by Cloudflare and Cloudflare's end handles security.
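To make the mapping above concrete, here is an added example of a cloudflared ingress configuration (not from the original post); it assumes a tunnel UUID placeholder, the post's example hostnames, and that the daemon can reach my.intranet.test on the home network. It maps two public HTTPS hostnames to two different local HTTP services and ends with the catch-all rule that cloudflared requires, so unmatched hostnames get a 404 instead of falling through to a local service.

```yaml
# Example cloudflared config.yml (constructed for illustration)
# <TUNNEL-UUID> is a placeholder for the id printed by `cloudflared tunnel create`.
tunnel: <TUNNEL-UUID>
credentials-file: /root/.cloudflared/<TUNNEL-UUID>.json

ingress:
  # Public https://patrickwthomas.net -> plain HTTP on the daemon's own host.
  - hostname: patrickwthomas.net
    service: http://localhost:8080

  # A second site served by another machine on the home network; the
  # daemon proxies to it, so only the daemon's host needs the tunnel.
  - hostname: app.patrickwthomas.net
    service: http://my.intranet.test:8000

  # Required final catch-all: anything not matched above is answered with
  # a 404 by cloudflared rather than forwarded to any local service.
  - service: http_status:404
```

Before running the tunnel, `cloudflared tunnel ingress validate` checks the file's syntax and rule order, and `cloudflared tunnel ingress rule https://app.patrickwthomas.net` shows which rule a given request would hit, which is the quickest way to confirm nothing unintended is exposed.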

This is very convenient for quickly serving web services with a basic guarantee of security and privacy for your home network. You can also approximate this with a reverse SSH tunnel to a lightweight remote host, like a tiny EC2 instance, with Nginx configured as a reverse proxy, but that is neither free nor light on configuration.

Cloudflare Tunnels are still not foolproof. A misconfiguration or security flaw in your proxied web service can still give malicious actors access to your machine or network, or expose details about your home network that the proxy otherwise hides. So the proxy and tunnel alone don't make your application secure; they just reduce the attack surface by hiding where the server actually is.