The A-Z Cloudflare Tunnel Setup in Docker container Guide

NOTE: WHEN WRITING THIS GUIDE, IT WAS BASED ON

Signing Up for a Cloudflare Service
Creating a DNS
Changing Nameservers
Adding Tunnels
Getting The Tunnel Token
Creating an API Token
Updating Your Public IP
The Consolidated docker-compose

Signing Up for a Cloudflare Service

The first step in the whole setup, is to have a Cloudflare account

Simply, open the official website from here to sign up. Just use your preferred email and password.

After that, the main dashboard will open, allowing you to add a new site, which you have already signed up for (check here to see how to get a free DNS service).

NOTE: Never use the DuckDNS service with Cloudflare as it is not supported

After that, it should open your website dashboard by default, if not, simply click on it under the Home view.

At the very bottom right side, where it says API, take note of the Zone ID and save it somewhere for later usage.

Now on the right side, click DNS Settings.

In there, click on Add record and fill in as following:

A
@
your public IP address, which you can get it easily from here. We will see later on how to make it update automatically

Leave the rest untouched and click on Save

Now scroll down till you see the part where it says Cloudflare Nameservers and take note of the 2 URLs there for later use.

Creating a DNS

Next, is to have a DNS service ready, either a paid one, or choose a free DNS service provider.

In this guide, I will go with the free DNS service from Freenom as this is what I am using in my home setup. Other DNS providers shall have similar setups which I can not cover them all in here.

Once you enter to the website, you need to check the availability of the desired URL, until you find a free one, or decide to buy a cheap one. In the guide, I will be referring to "mydomain.gk" for illustration purposes only

At the time I prepared this guide, there was a bug on their server in which you cannot just click on any of the options available, so to register, simply click on Services then choose Register a New Domain. Follow the steps in there, and make sure you choose the 12 months plan as it is the longest period offered for free.

Changing Nameservers

This is where you link your DNS address with the Cloudflare Tunnel

Now after you signed up, go to Services then choose My Domains from the drop down list, then next to your registered domain, click on Manage Domain.

In the next window, click on Management Tools then choose Nameservers and add the nameservers you took note of from the previous step

Adding Tunnels

In Cloudflare, a Tunnel is similar to a route of the main domain, or simply, think of it as the subdomains.

To create new Tunnel, go to the Cloudflare Zero Trust dashboard, and under Access, click on Tunnels

Click on Create a tunnel, enter a name for that tunnel, i.e. "My Domain"

Now the Tunnel is created, and a new page opens showing the Install connector environment options available for that created tunnel. Click on "Docker" add take note of what is in there for later use.

Click on Next

Now, here you will be having the option to start adding your subdomains and redirect them to your internal network IP address and port.

Add all your subdomains before leaving this page. DON'T CREATE SEPERATE TUNNELS FOR EACH SUBDOMAIN, ALL CAN GO IN ONE TUNNEL

To test your subdomain, simply click on it after it has been created and it should redirect you correctly. If not, make sure you followed this guide from the beginning and entered your host IP and port correctly, as I guarantee you 100% it works if you follow me as mentioned.

Getting The Tunnel Token

This token will be needed for usage in the docker-compose file in the last step in this guide

If you recall, in the previous step, a docker command line was created, and I mentioned to take note of it. Well, if you read it, you will see it looks like this

docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token ed324rtgdwMTI5Njk5YTI1ODExTHIS ISASAMPLETOKENANDNOTTOBEUSEDATALLIiwicyI6Ik56WmtOVGd5TjJVdE56TTJaaTAwTewrrfgre45tyg4FGGHREAEU0WXpneiJ9

You just need to take the highlighted string at the very end after --token and save it somewhere for the next step. Make sure you don't include the "SPACE" at the beginning of the token string

Creating an API Token

This API token will be needed to have the public IP auto updated in the container that you will create next.

In Cloudflare home dashboard, under the API section, click on "Get you API token", or simply click here

Click on "Create Token", and from the very end, choose "Custom token" and do as in below

You shall get something similar to the below. Take note of that token and save it somewhere as it will NEVER be shown again

Updating Your Public IP

If you recall, in Cloudflare dashboard, your public IP was entered in the first step where you added a record under your DNS management part. This might change in various conditions, and need to be up-to-date after the change so you can access your domain remotly

The two main reasons for the public IP to be changed are:

A restart of the main router connected to the ISP cable
Your ISP decides to continuously change it as you did not pay extra to have a static public IP

Well, in either case, you need to have that IP updated. Rather than everytime checking your new public IP, then going to the Cloudflare's dashboard and updating it manually, there is an automatic way to do that.

You will be using a docker container that checks your IP every 5 minutes, and if it is changed, it will update it with the new vaule, otherwise, it will sleep for another 5 minutes.

But first, you need to create the configuration folder and file for that container. By the way, this container support various other DNS service providers, in which you can add them in the configuraiton file by following their guide on the container's github page. I will be only covering the Cloudflare part here.

Now, open your docker "$PERSIST" folder and create a folder named "ddns-updater". In that folder, create two files. One to stay as empty, and is named as "updates.json", and another named "config.json", or simply download the sample file from here

In the "config.json" file, add the below lines

{
  "settings": [
    {
      "provider": "cloudflare",
      "zone_identifier": "ZONE_ID",
      "domain": "MYDOMAIN.GK",
      "host": "@",
      "ttl": 600,
      "proxied": true,
      "token": "API_TOKEN",
      "ip_version": "ipv4"
    }
  ]
}

Make sure to update the following to match yours:

ZONE_ID which you took note in first steps
MYDOMAIN.GK to match you own website address you added in the first step at the Cloudflare's home dashboard
API_TOKEN which you have generated in the previous step

Save the file. Now, for some reason, you need to change the permissions of the created folder and its contents so the container will be able to have write access once created.

Considering that "UID=1000" and "GID=100", SSH into your host machine in which you will create the contianer and exceute the following commands

chown -R UID:GID /docker/ddns-updater

The Consolidated docker-compose

This part is where we start off with creating the Cloudflare Tunnel docker-compose file, along with the ddns updater container to have the public IP auto-updated in case of the ISP changed it suddenly for some reason

You can simply download the sample file from here, or manually create one as below

Make sure you upodate the following to match your setup:

$TUNNEL_TOKEN that you have taken note from the docker command after you created your tunnel above
$PERSIST to match your docker folder, i.e. "/some_folder/docker"
$TZ to be your local time zone, check here for details
PUID to match you docker user id, i.e. "1000"
PGID to match you docker group id, i.e. "100"
$PUSHOVER_API and @$PUSHOVER_USER_KEY, or change the whole SHOUTRRR_ADDRESSES if you use something else

#
####################################################
#                                                  #
#              -------CloudFlare-------            #
#                                                  #
####################################################
#
  cloudflared:
    container_name: cloudflared
    restart: always
    hostname: cloudflared
    user: root
    environment:
      - NO_AUTOUPDATE=true
      - TUNNEL_TOKEN=$TUNNEL_TOKEN
    command: 'tunnel --no-autoupdate run' # 'tunnel --config /etc/tunnel/config.yml run' 
    image: 'cloudflare/cloudflared:latest'
#
####################################################
#                                                  #
#             -------DDNS-Updater-------           #
#                                                  #
####################################################
#
  ddns-updater:
    container_name: ddns-updater
    restart: always
    hostname: ddns-updater
    environment:
      - TZ=$TZ
      - PUID=$PUID
      - PGID=$PGID
      - PERIOD=5m
      - UPDATE_COOLDOWN_PERIOD=5m
      - PUBLICIP_FETCHERS=all
      - PUBLICIP_HTTP_PROVIDERS=all
      - PUBLICIPV4_HTTP_PROVIDERS=all
      - PUBLICIPV6_HTTP_PROVIDERS=all
      - PUBLICIP_DNS_PROVIDERS=all
      - PUBLICIP_DNS_TIMEOUT=3s
      - HTTP_TIMEOUT=10s
      - LISTENING_PORT=8000
      - HEALTH_SERVER_ADDRESS=127.0.0.1:9999
      - ROOT_URL=/
      - BACKUP_PERIOD=24h # 0 to disable
      - BACKUP_DIRECTORY=/updater/data
      - LOG_LEVEL=info
      - LOG_CALLER=hidden
      - SHOUTRRR_ADDRESSES=pushover://shoutrrr:$PUSHOVER_API@$PUSHOVER_USER_KEY
    volumes:
      - $PERSIST/ddns-updater:/updater/data
    ports:
      - 8002:8000/tcp
    user: $PUID:$PGID
    image: 'qmcgaw/ddns-updater:latest'
#

Now if you try to access your local ip address with port 8002, you should get something like this

NOTE: if you want to have access to Cloudflare via Authelia, you can refer my guide from here

License

This document guide is licensed under the CC0 1.0 Universal license. The terms of the license are detailed in LICENSE

sultaz / docker-cloudflare-setup