Link Search Menu Expand Document

Tunneling to protect server

Table of contents

Download cloudflared

  • Using arm64 environment
wget -O cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
    # This gets downloads a binary file directly 
mv /root/cloudflared /usr/local/bin/ 
    # Moving the binary file to `/usr/local/bin/` path. 
  • Using amd64.deb environment
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb
tar -xvzf cloudflared-stable-linux-amd64.tgz
    # After unpack, a binary file will sit under this directory: `/usr/local/bin/cloudflared` 
  • Run cloudflared -v to check version.

Permission change for cloudflared

1. useradd -s /usr/sbin/nologin -r -M cloudflared
2. chown cloudflared:cloudflared /usr/local/bin/cloudflared
3. ls -la /usr/local/bin/cloudflared 
4. chmod +x /usr/local/bin/cloudflared
5. cloudflared -v 

Login to Cloudflare

  1. Run cloudflared tunnel login
  2. A new window will pop open, login to Cloudflare UI dashboard, select the domain you want to connect the tunnel to.
  3. After authenticated, a key is created in the directory /root/.cloudflared/cert.pem.

Add DNS

Option 1

  • Run cloudflared tunnel route dns [UUID] [argo.example.com]

Option 2

  • manually add the dns to CF dashboard:
[argo.example.com] => CNAME => [UUID].cfargotunnel.com

Edit config.yml file

  • Ensure you have below 3 files in the directory ~/.cloudflared

  • cert.pem
  • uuid.json
  • config.yml

  • An example config.yml
tunnel: 9**************7
credentials-file: /root/.cloudflared/9**************7.json
logfile: /var/log/cloudflared.log
loglevel: debug
transport-loglevel: debug

ingress:
  - hostname: grafana.example.com
    service: http://localhost:3000
  - hostname: argo.example.com
    service: http://localhost:8080
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - service: http_status:404

Ingress rule checks

cloudflared tunnel ingress validate 
cloudflared tunnel ingress rule https://argo.example.com  

Run as tunnel

cloudflared tunnel run [argo-name-or-uuid]

Run as service

Step 1

Install cloudflared daemon

cloudflared service install
systemctl start cloudflared
    # restart, disable, stop
systemctl status cloudflared
    # showing active or inactive 
ls /etc/cloudflared 
    # you will see another `config.yml` created 

Step 2

Move all files from /root/.cloudflared => /etc/cloudflared

  • Run mv /root/.cloudflared/* /etc/cloudflared/
  • To reload: systemctl daemon-reload

Create Tunnel

cloudflared tunnel list
cloudflared tunnel create [tunnel-name]
    # To generate [UUID.json] file 

Delete Tunnel

cloudflared tunnel list
cloudflared tunnel delete [tunnel-id]
cloudflared tunnel delete -f [tunnel-id]

Remove cloudflared.service

systemctl stop cloudflared
systemctl disable cloudflared
cloudflared service uninstall
systemctl status cloudflared
systemctl daemon-reload
rm /etc/systemd/system/cloudflared.service
rm -r /etc/cloudflared

Remove cloudflared

rm -r ~/.cloudflared/
rm /usr/local/bin/cloudflared
deluser cloudflared
  • Use package:
apt-get remove cloudflared
apt-get remove cloudflared.service
  • To check if completed removed
dpkg -l cloudflared
    # To list down the available
updatedb
    # To update database of the changes 

Diagnose with cURL localhost

curl http://localhost:8000
    # To check inside the server if the localhost url working or not 

Change resolver

  • Run sudo vim /etc/resolv.conf
nameserver 1.1.1.1
options edns0
    # Comment out the local DNS resolver
    # nameserver 127.0.0.53