Tunneling to protect server
Table of contents
Download cloudflared
- Using
arm64
environment
wget -O cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
# This gets downloads a binary file directly
mv /root/cloudflared /usr/local/bin/
# Moving the binary file to `/usr/local/bin/` path.
- Using
amd64.deb
environment
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb
tar -xvzf cloudflared-stable-linux-amd64.tgz
# After unpack, a binary file will sit under this directory: `/usr/local/bin/cloudflared`
- Run
cloudflared -v
to check version.
Permission change for cloudflared
1. useradd -s /usr/sbin/nologin -r -M cloudflared
2. chown cloudflared:cloudflared /usr/local/bin/cloudflared
3. ls -la /usr/local/bin/cloudflared
4. chmod +x /usr/local/bin/cloudflared
5. cloudflared -v
Login to Cloudflare
- Run
cloudflared tunnel login
- A new window will pop open, login to Cloudflare UI dashboard, select the domain you want to connect the tunnel to.
- After authenticated, a key is created in the directory
/root/.cloudflared/cert.pem
.
Add DNS
Option 1
- Run
cloudflared tunnel route dns [UUID] [argo.example.com]
Option 2
- manually add the dns to CF dashboard:
[argo.example.com] => CNAME => [UUID].cfargotunnel.com
Edit config.yml
file
-
Ensure you have below 3 files in the directory
~/.cloudflared
- cert.pem
- uuid.json
-
config.yml
- An example
config.yml
tunnel: 9**************7
credentials-file: /root/.cloudflared/9**************7.json
logfile: /var/log/cloudflared.log
loglevel: debug
transport-loglevel: debug
ingress:
- hostname: grafana.example.com
service: http://localhost:3000
- hostname: argo.example.com
service: http://localhost:8080
- hostname: ssh.example.com
service: ssh://localhost:22
- service: http_status:404
Ingress rule checks
cloudflared tunnel ingress validate
cloudflared tunnel ingress rule https://argo.example.com
Run as tunnel
cloudflared tunnel run [argo-name-or-uuid]
Run as service
Step 1
Install cloudflared daemon
cloudflared service install
systemctl start cloudflared
# restart, disable, stop
systemctl status cloudflared
# showing active or inactive
ls /etc/cloudflared
# you will see another `config.yml` created
Step 2
Move all files from /root/.cloudflared
=> /etc/cloudflared
- Run
mv /root/.cloudflared/* /etc/cloudflared/
- To reload:
systemctl daemon-reload
Create Tunnel
cloudflared tunnel list
cloudflared tunnel create [tunnel-name]
# To generate [UUID.json] file
Delete Tunnel
cloudflared tunnel list
cloudflared tunnel delete [tunnel-id]
cloudflared tunnel delete -f [tunnel-id]
Remove cloudflared.service
systemctl stop cloudflared
systemctl disable cloudflared
cloudflared service uninstall
systemctl status cloudflared
systemctl daemon-reload
rm /etc/systemd/system/cloudflared.service
rm -r /etc/cloudflared
Remove cloudflared
rm -r ~/.cloudflared/
rm /usr/local/bin/cloudflared
deluser cloudflared
- Use package:
apt-get remove cloudflared
apt-get remove cloudflared.service
- To check if completed removed
dpkg -l cloudflared
# To list down the available
updatedb
# To update database of the changes
Diagnose with cURL localhost
curl http://localhost:8000
# To check inside the server if the localhost url working or not
Change resolver
- Run
sudo vim /etc/resolv.conf
nameserver 1.1.1.1
options edns0
# Comment out the local DNS resolver
# nameserver 127.0.0.53