cloudflared Argo Tunnel with Docker
It’s a bit hard to use Cloudflare’s Argo Tunnel with Docker when you don’t have any configuration in place already, so I’m trying to break down the steps here.
create a volume:
First start by creating a docker volume to hold the configuration data:
docker volume create cloudflared
Now the annoying part: fix the permissions for the volume. I guess and hope there’s a better way, but I just don’t know of any other. Get the path of the docker volume with docker volume inspect cloudflared; usually it’s the path used in this command:
sudo chown -R 65532:65532 /var/lib/docker/volumes/cloudflared/_data
login and fetch the certificate:
Let’s use a temporary container with the created volume to log in to Cloudflare for authorization.
Note: I use the docker image with the 2021.3.2 tag; this will probably be outdated in a couple of days, so make sure to check the docker hub.
docker run -it --rm -v cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.3.2 tunnel login
create the tunnel:
docker run -it --rm -v cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.3.2 tunnel create my-tunnel
It’ll give you the path of a .json file where the credentials are stored and the UUID of the tunnel, which is also part of the JSON filename.
create config file:
I guess the best place to learn how to create the right configuration file is the Cloudflare documentation page; I’ll include an example here.
Create a file
tunnel: 9eef6f07-0e12-4cc3-8fb0-6e768ea1c51f
credentials-file: /home/nonroot/.cloudflared/9eef6f07-0e12-4cc3-8fb0-6e768ea1c51f.json
ingress:
  - hostname: my-awesome.example.com
    service: http://localhost:4567
  - service: http://localhost:404
this will route traffic destined for
localhost:4567. A fallback is always required, in this case it’s
localhost:404 to return a not found page by
please save the config file to the docker volume as well, for example into:
You may have to update the permissions again, as described above.
route traffic / create DNS entry:
You can create the CNAME DNS entry manually, but cloudflared can also do it automatically, like this:
docker run -v cloudflared:/home/nonroot/.cloudflared cloudflare/cloudflared:2021.3.2 tunnel route dns my-tunnel my-awesome.example.com
First, specify the tunnel name (my-tunnel), then the hostname.
(optional) delete cert.pem file:
For a bit more safety and security you can also delete the generated cert.pem file. This will prevent you from creating more Cloudflare resources, but your tunnel will keep working with the .json file. You can still create new DNS entries, for example, but they would need to be done through the dashboard then.
sudo rm /var/lib/docker/volumes/cloudflared/_data/cert.pem
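To check the result of the steps above, here is an added example that is not part of the original post: a small shell function that audits the volume directory for a leftover cert.pem, for the ownership set in the chown step, and for a config that points at the tunnel's own credentials file. The function name, the config.yml file name and the group/other mode check are assumptions of this example, and it relies on GNU stat as found on a Linux Docker host.

```shell
# Added example, not from the original post: audit the cloudflared volume.
# Usage: audit_cloudflared_dir DIR [EXPECTED_UID] [CONFIG_NAME]
# Assumptions: GNU stat (Linux host); config.yml is a hypothetical file name.
# Returns the number of findings (0 = clean).
audit_cloudflared_dir() {
    dir=$1; want_uid=${2:-65532}; cfg=$dir/${3:-config.yml}
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # cert.pem can create more Cloudflare resources; the tunnel runs without it.
    if [ -e "$dir/cert.pem" ]; then note "cert.pem still present in $dir"; fi

    # Tunnel credentials (<UUID>.json) should belong to the uid from the chown
    # step and carry no group/other permission bits (added hardening check).
    for f in "$dir"/*.json; do
        [ -e "$f" ] || { note "no tunnel credentials (*.json) found"; break; }
        uid=$(stat -c %u "$f"); mode=$(stat -c %a "$f")
        [ "$uid" = "$want_uid" ] || note "$f owned by uid $uid, expected $want_uid"
        case $mode in
            *00|0) ;;
            *) note "$f has mode $mode (group/other access)" ;;
        esac
    done

    # The config must name a tunnel whose credentials file is in this directory.
    if [ -f "$cfg" ]; then
        uuid=$(sed -n 's/^tunnel:[[:space:]]*//p' "$cfg")
        cred=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$cfg")
        [ -n "$uuid" ] || note "no tunnel: key in $cfg"
        [ "$(basename "$cred")" = "$uuid.json" ] \
            || note "credentials-file does not match tunnel $uuid"
        [ -e "$dir/$(basename "$cred")" ] \
            || note "credentials file $(basename "$cred") missing from $dir"
    else
        note "config file $cfg not found"
    fi
    return "$findings"
}
```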