Zero Trust Apache Server Project

My Cloudflare Zero Trust Tunnel Setup Guide



Welcome to my guide! In this tutorial, I'll be sharing how I employ a Zero Trust architecture to secure my self-hosted website, nathangisvold.com, located on my Proxmox homelab server. I've designed my system with a dual-VM setup: one VM hosts the website via Apache, while the other is dedicated exclusively to running Docker containers.

This approach significantly improves my server's security. With Cloudflare's Zero Trust model, the tunnel connector makes only outbound connections to Cloudflare, so I never have to expose my home lab through open inbound ports, a common weakness in self-hosted setups. Cloudflare also brings a suite of security features of its own, further hardening the site against potential threats.

So, if you're looking to maximize your own website's security without compromising on functionality, you're in the right place. Let's dive in and get started on this journey to robust, scalable, and secure web hosting.

1. Setting up Docker and Docker Compose

If Docker and Docker Compose are not yet installed on your Ubuntu server, install Docker by running:


        curl -fsSL https://get.docker.com -o get-docker.sh
        sudo sh get-docker.sh

For Docker Compose:


        sudo apt-get install curl libssl-dev libffi-dev python3 python3-pip
        sudo pip3 install docker-compose

2. Setting up Cloudflare

Go to Cloudflare's website and create a new account if you don't already have one. Once your account is set up, add your website to Cloudflare. Cloudflare will provide you with new nameservers to use, replace your current nameservers with these new ones in your domain registrar's dashboard.

3. Downloading and configuring Cloudflared

First, you need to install cloudflared. Create a Dockerfile in your project directory with the following contents:


        # Minimal image that installs cloudflared from the .deb package used in this guide
        FROM ubuntu:latest
        RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates \
            && rm -rf /var/lib/apt/lists/*
        # If this download URL no longer resolves, fetch the .deb from Cloudflare's current install page instead
        RUN wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb \
            && dpkg -i cloudflared-stable-linux-amd64.deb \
            && rm cloudflared-stable-linux-amd64.deb
        ENTRYPOINT ["cloudflared"]
        # Default argument: running the image with no arguments just prints usage
        CMD ["--help"]


Build the Docker image:

        docker build -t cloudflared .

Run the Cloudflared container:

        docker run -it --rm --net host cloudflared

4. Authenticate Cloudflared

You need to authenticate cloudflared on your machine to link with your Cloudflare account:

        docker run -it --rm -v "$PWD":/root/.cloudflared cloudflared login

The login command writes the resulting cert.pem to ~/.cloudflared inside the container, which is /root/.cloudflared because this image runs as root. Mounting your project directory at that path keeps cert.pem next to docker-compose.yml, where the following steps expect it.

5. Configure Cloudflared to create a tunnel

Create a config file named config.yml in your project directory (docker-compose will mount it into the container at /etc/cloudflared/config.yml) and add:


        # public hostname that Cloudflare routes into the tunnel
        hostname: your-domain.com
        # origin to forward to: the Apache VM, reachable from the Docker VM on your LAN
        url: http://your-ubuntu-server-ip:your-apache-port
        logfile: /var/log/cloudflared.log
        credentials-file: /etc/cloudflared/cert.pem

6. Create Docker Compose file

To manage the container with Docker Compose, create a docker-compose.yml file in the same directory and add:


        version: "3.9"
        services:
          cloudflared:
            image: cloudflared            # the image built in step 3
            restart: always
            command: tunnel               # overrides the image's default CMD (--help) so the container runs the tunnel
            volumes:
              - ./config.yml:/etc/cloudflared/config.yml
              - ./cert.pem:/etc/cloudflared/cert.pem
            network_mode: host

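Before bringing the stack up it is worth checking the project directory: cert.pem is a credential for your Cloudflare account and should not be readable by other users on the host, and the placeholders in config.yml are easy to leave in. The following POSIX shell script is an added example, not part of the original guide; it assumes the layout used above (config.yml and cert.pem beside docker-compose.yml) and a GNU or BSD stat.

```shell
#!/bin/sh
# Pre-flight check for the cloudflared project directory (config.yml and cert.pem
# next to docker-compose.yml). Added example, not part of the original guide.

# cert.pem lets anyone holding it create tunnels on your Cloudflare account, so
# it must not be readable by other users on the host. Returns 0 when safe.
check_secret_perms() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) return 0 ;;                       # 600, 400, ...: no group/other bits
    *) echo "$f is mode $mode; run: chmod 600 $f"; return 1 ;;
  esac
}

# config.yml must carry the keys the tunnel needs, an http(s) origin URL, and no
# leftover placeholders from the template above. Returns 0 when it does.
check_config() {
  cfg="$1"; rc=0
  [ -f "$cfg" ] || { echo "missing: $cfg"; return 1; }
  for key in hostname url credentials-file; do
    grep -Eq "^[[:space:]]*$key:[[:space:]]*[^[:space:]]" "$cfg" \
      || { echo "config: missing key '$key'"; rc=1; }
  done
  url=$(sed -n 's/^[[:space:]]*url:[[:space:]]*//p' "$cfg" | head -n 1)
  case "$url" in
    http://*|https://*) ;;
    *) echo "config: url must start with http:// or https:// (got '$url')"; rc=1 ;;
  esac
  case "$url" in
    *your-ubuntu-server-ip*|*your-apache-port*)
      echo "config: placeholder values still present in url"; rc=1 ;;
  esac
  return $rc
}

# Run every check against a project directory; 0 means safe to docker-compose up.
preflight() {
  dir="${1:-.}"; ok=0
  check_secret_perms "$dir/cert.pem" || ok=1
  check_config "$dir/config.yml" || ok=1
  if [ "$ok" -eq 0 ]; then echo "preflight OK"; else echo "preflight FAILED"; fi
  return $ok
}

# Usage: sh tunnel-preflight.sh /path/to/project
if [ $# -gt 0 ]; then preflight "$1"; fi
```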
7. Start your Docker container

Run the following command to start your Docker container:

        docker-compose up -d

Check the logs of your Docker container to see if everything is working correctly:

        docker-compose logs -f cloudflared

Your Apache web server should now be reachable from the internet through the Cloudflare tunnel. Remember to update your DNS settings so that your domain points at Cloudflare's nameservers; otherwise the tunnel won't work.

Note that these commands are written for an Ubuntu-based Linux system; adjust them if you're using a different distribution.

Treat this guide as a basic setup: production environments call for additional hardening beyond what is covered here.
