American Cloud & Cloudflare Tunnels
Last updated: November 8, 2024
Introduction
This article explores using Cloudflare Tunnels to simplify application deployment, using a NextJS app with MongoDB as a practical example scenario.
Key Problem
Traditionally, exposing applications requires handling multiple complex tasks:
- Configuring firewalls
- Setting up reverse proxies
- Managing DNS
- Obtaining SSL certificates
- Implementing access controls
Each of these steps is a chance to misconfigure something, and those misconfigurations are where the security risk comes from.
Benefits of Tunnels
- No inbound ports need to be exposed on the host
- No reverse proxy required
- No need to manage DNS records
- Built-in encryption
- Granular access rules
- Simplified setup versus traditional networking approaches
Implementation Steps
Initial Setup
- Create a Cloudflare account with Zero Trust features
- Configure at least one domain in Cloudflare
- Create a Cloudflared tunnel and note the authentication token
- Update docker-compose configuration
Docker Configuration
The guide provides a complete docker-compose.yaml example with four services:
- nextjs-app
- mongo
- mongo-express
- cloudflared
All containers connect via a custom bridge network with no exposed ports.
Access Control
- Public Hostname: Route app.mydomain.com to nextjs-app:3000
- Restricted Hostname: Route mongo-express.mydomain.com to mongo-express:8081
- Create Access Group restricting mongo-express to emails ending in @mydomain.com
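The docker-compose.yaml described above, written out as an added example (not the article's own file): four services on one bridge network, no ports published on the host, and the tunnel token supplied from a .env file. The build path ./app, the port 3000 and all credentials are assumptions.

```yaml
# Added example, not the article's file. Assumes the NextJS image builds from
# ./app and listens on 3000; MONGO_USER, MONGO_PASSWORD and TUNNEL_TOKEN live in .env.
services:
  nextjs-app:
    build: ./app
    environment:
      MONGODB_URI: mongodb://${MONGO_USER}:${MONGO_PASSWORD}@mongo:27017/app?authSource=admin
    depends_on:
      - mongo
    networks:
      - internal
    # Deliberately no "ports:" block: only cloudflared can reach it, over the bridge network.

  mongo:
    image: mongo:7
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGO_USER}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_PASSWORD}
    volumes:
      - mongo-data:/data/db
    networks:
      - internal

  mongo-express:
    image: mongo-express
    environment:
      ME_CONFIG_MONGODB_URL: mongodb://${MONGO_USER}:${MONGO_PASSWORD}@mongo:27017/
    depends_on:
      - mongo
    networks:
      - internal

  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: ${TUNNEL_TOKEN}   # token noted when the tunnel was created
    depends_on:
      - nextjs-app
      - mongo-express
    networks:
      - internal
    restart: unless-stopped

networks:
  internal:
    driver: bridge   # private to this compose project; nothing listens on the host

volumes:
  mongo-data:
```

In the Zero Trust dashboard the public hostname for app.mydomain.com points at http://nextjs-app:3000 and mongo-express.mydomain.com at http://mongo-express:8081, with the Access Group attached to the second; `docker compose ps` should show an empty PORTS column for every service, which is the quick check that nothing bypasses the tunnel.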
Advanced: Automated Deployments
The article extends the setup with watchtower for automatic container updates triggered by CI/CD pipelines. When code is pushed, a GitHub Actions or GitLab CI workflow builds a new image and sends an HTTP request to watchtower, which then pulls the new image and recreates the application container without manual intervention.