
Cloudflared

Cloudflared is a Cloudflare Tunnel agent that exposes services to the internet via Cloudflare's edge network — without opening inbound ports on the host.

Why

Traditional reverse proxy setups (Traefik with published ports) require inbound firewall rules and expose the host directly to the internet. Cloudflare Tunnel removes that requirement: the cloudflared agent opens an outbound-only connection to Cloudflare's edge, and external requests are carried back over that connection to the local service, so the host needs no inbound rules and never accepts a connection from the public internet. The trade-off is that the origin now trusts Cloudflare, and whoever can edit the tunnel's routing rules in the Zero Trust dashboard can expose any service reachable from the cloudflared container. This is the preferred method for exposing services that need to be publicly reachable without authentication (e.g., public APIs).

Currently inactive

Cloudflared has no services to tunnel after the retirement of the hadiscover API on 2026-05-17 and is therefore paused (commented out in servers.yaml under svlazext). The compose file is retained so the tunnel can be re-enabled when a new public-facing service is added.

Compose File

Access

Cloudflared itself has no web UI. Tunnel routing rules are managed in the Cloudflare Zero Trust dashboard.

Currently Tunnelled Services

No services currently tunneled. The hadiscover API was retired on 2026-05-17.

Architecture

  • Image: cloudflare/cloudflared (official)
  • Networks: None declared in the compose file — the container currently attaches only to the project's default bridge network. When re-enabling the tunnel, attach cloudflared to the shared frontend network of the app being tunneled, and to nothing else: every container reachable from cloudflared can be routed to from the dashboard, so keeping it on the frontend network alone means traffic can only reach Traefik, which then applies its middleware chain before forwarding to the backend.
  • No dedicated UID/GID: The official image runs as the built-in nonroot user (UID 65532). No writable volumes are mounted, so there is no file ownership to manage.
  • No init container: No writable volumes means no chown is needed.
  • Tunnel mode: Token-based (TUNNEL_TOKEN). The token both identifies and authenticates the connector to Cloudflare, so it is handled as a secret. Routing rules (which hostname maps to which backend) are configured in the Cloudflare Zero Trust dashboard, not in local config files.
  • Metrics: cloudflared serves its metrics and /ready endpoints on port 2000 (container-internal only, not published). The compose health check polls /ready, which returns 200 only while at least one connection to the edge is established.
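An illustrative compose service that matches the layout described above. This is an added example, not the project's own compose file (which is not reproduced on this page); the network name `frontend`, the image tag, the `.env` file name and the health-check timings are assumptions:

```yaml
services:
  cloudflared:
    image: cloudflare/cloudflared:latest   # assumption: pin a version or digest in practice; Renovate tracks updates
    # Outbound-only: deliberately no `ports:` block. Hostname routing lives in the Zero Trust dashboard.
    command:
      - tunnel
      - --no-autoupdate          # updates come through the image, not the binary self-updating at runtime
      - --metrics
      - 0.0.0.0:2000             # metrics and /ready on 2000, reachable only inside the container network
      - run                      # the connector token is read from the TUNNEL_TOKEN environment variable
    env_file:
      - .env                     # assumption: secret.sops.env decrypted to .env at deploy time
    networks:
      - frontend                 # assumption: the shared network where Traefik listens; attach nothing else
    read_only: true              # token mode writes no files and the image already runs as nonroot (UID 65532)
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    healthcheck:
      # The image is distroless (no shell), so the CMD form is required. `tunnel ready` calls /ready on the
      # metrics address and exits non-zero until at least one edge connection is established.
      test: ["CMD", "cloudflared", "tunnel", "--metrics", "localhost:2000", "ready"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 20s
    restart: unless-stopped

networks:
  frontend:
    external: true               # assumption: created and owned by the Traefik stack
```

The same `cloudflared tunnel --metrics localhost:2000 ready` invocation can be run by hand through `docker compose exec` to confirm the connector is up after a deploy; a non-zero exit means no edge connection is live yet.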

Services

Container Role
cloudflared Cloudflare Tunnel agent — maintains outbound tunnel to edge

Secrets

Managed via secret.sops.env (SOPS-encrypted, decrypted to .env at deploy time):

  • TUNNEL_TOKEN — Cloudflare Tunnel authentication token (generated in Zero Trust dashboard)

First-Run Setup

  1. Create a Cloudflare Tunnel in the Zero Trust dashboard under Networks -> Connectors
  2. Select Cloudflared as the connector type
  3. Name the tunnel, e.g. the hostname of the machine
  4. On the 'Install and run connectors' step, copy the token embedded in the install command (the long string passed to --token) and click next. Treat it as a credential: anyone holding it can register a connector for this tunnel.
  5. On the 'Route tunnel' step, configure the routing rules (e.g., public hostname api.example.com -> service https://traefik with noTLSVerify enabled) and hit the Setup button. noTLSVerify only skips certificate validation on the cloudflared-to-Traefik hop inside the Docker network; the public hop is still terminated with TLS at Cloudflare's edge. If Traefik exposes a plain HTTP entrypoint on the frontend network, http://traefik avoids the flag altogether.
  6. With the tunnel created, set TUNNEL_TOKEN in secret.sops.env to the token copied in step 4
  7. Deploy — cloudflared establishes the tunnel and begins proxying traffic

No TrueNAS dataset, service account, or init container is needed — this service is entirely stateless.

Upgrade Notes

No special upgrade procedures. Image updates are managed by Renovate.