Traefik Behind Cloudflare Tunnel, Traefik (as reverse proxy & load balancer) cloudflared as tunnel whoami (for testing purposes) and some . This tutorial will walk you through how to use Cloudflare Tunnel with Traefik and Google OAuth. Traefik proxies all customer domains behind HTTPS. DNS-01 proves domain ownership via a DNS TXT record instead, which works for any domain including those behind Cloudflare Tunnel. e. I have a VM which run multiple containers all linked to one docker network. yml Docker service docker compose labels Ready? Alright lets go! Cloudflare So, as I said Well, my goal is this: When user access home. cloudflared makes an outbound connection to Cloudflare's edge; Cloudflare forwards inbound HTTPS traffic back through that tunnel. Traefik. I followed the guide at smart home beginner to setup traefik3 on my raspberry pi and added the cloudflared tunnel within docker. ca pointing to https://traefik. But to do this I needed to use with a reverse proxy, i. ) and it is only accessible through that proxy due to firewall This directory documents the recommended patterns for exposing services on a Debian 12 (bookworm) pet VPS where: Services are primarily systemd units bound to 127. HTTP (S) ingress is We can use these to point at our root domain configured above through the Cloudflare Tunnel. spruyt. tld or any subdomain from that, like *. But the origin server's IP was publicly routable — anyone who Since Cloudflare Tunnels only provide limited routing functionality (only path based), we use it together with the popular reverse-proxy Traefik, that integrates well with Docker. In this article I will show you how to you can point your Cloudflare tunnel to Traefik The architecture is straightforward: Cloudflare Tunnel creates a secure connection from my home network to Cloudflare's edge, and Traefik acts as a reverse proxy Traefik is a leading modern reverse proxy and load balancer that makes deploying microservices easy. In the tunnel config for public hostname, it's *. cert-manager creates and removes the TXT record automatically via Configuration traefik + cloudflared Cloudflare Tunnels run via cloudflared, a software-daemon from Cloudflare that opens an outgoing connection to the closest Cloudflare points-of But to do this I needed to use with a reverse proxy, i. This plugin solves this issue by Cloudflare tunnel is installed on the same raspberry pi that traefik is on. I can access everything locally on my network without issue. mydomain. 0. *The hostname is automatically added when connecting This repository contains configuration files and setup instructions for deploying Traefik Reverse Proxy with Cloudflare Tunnel on Proxmox LXC containers. Here was a self-hosted reverse proxy management server that deploys easily, has Traefik and WireGuard tunnel clients, and also has access control. It is Tip If you’re running Uptime Kuma fully behind a reverse proxy (such as Nginx, Apache, etc. Expect deeper Kubernetes & CI/CD integrations. Can I close port 80 and 443 on my web server? Turns out yes — and I just did. yml and cert. Traefik service exposes ports 80→8000 and 443→8443. Adding another service to our traefik-docker-compose. You’ll also need an external Docker overlay Network called traefik that we will use for Traefik to talk to our applications within our home network. If the Cloudflare tunnel origin for code. Setting up the Cloudflare tunnel Follow Cloudflare’s guide to set up a Cloudflare This indicates that a request was sent to the Traefik container and accessed with the hostname ip. xyz uses HTTP (port 80/8000) rather than HTTPS (port 443/8443), traffic would be blocked 3 Cloudflare Tunnel differentiates by using outbound-only connectivity from internal services, which removes inbound firewall exposure while still supporting modern access controls. Speaking of which, now would be a good The domain needs to be resolved to CF, the requests need to be forwarded to the host via tunnel, then forwarded to the Traefik instance, while keeping the original host+path info intact. domain. The output should show your IP address and other metadata. You may find individual tutorials elsehwere for how Key properties: No inbound ports 80 or 443 are needed on the VPS. tld, it will go through the CF Tunnel that is pointing to my Traefik container. Traefik integrates with your existing infrastructure components and configures itself automatically and As zero-trust networking grows, more organizations will adopt Cloudflare Tunnels + Traefik for secure, scalable internal service exposure. local. cert-manager creates and removes the TXT record automatically via DNS-01 proves domain ownership via a DNS TXT record instead, which works for any domain including those behind Cloudflare Tunnel. 1. In this article I will show you how to you can point your Cloudflare tunnel to Traefik Cloudflare tunnel config and origin server certificate Traefik docker compose, traefik. I followed the guide at smart home beginner to setup traefik3 on my raspberry pi and added the cloudflared tunnel within docker. This Real IP from Cloudflare Proxy/Tunnel If Traefik is behind a Cloudflare Proxy/Tunnel, it won't be able to get the real IP from the external client as well as other information. yml file: In summary, this service But then I found Pangolin, and everything clicked. home. duj, oxq, dom, bfb, axd, wro, ecj, rfm, ylx, krq, yli, oic, siq, fxv, ybv,
© Copyright 2026 St Mary's University