I wanted to set up Cloudflared, but I couldn’t find anything about setting it up in Docker, especially without the Zero Trust dashboard (because it kept refusing my credit card for some reason). So here it is!
I am aiming to set up one tunnel per container, which I think is better and easier to manage than multiple tunnels in one Cloudflared instance.
Linking Cloudflared with your domain
First, you need to create the ./cloudflared directory before running any Docker commands, because on container startup it’s going to create the directory as root, and Cloudflared runs as the distroless nonroot (id 65532) user, so you will just end up with permission problems.
This is assuming your subuid and subgid ranges are
User name spaces remapping
For some reason, Docker in UserNS mode uses different IDs, even though I am using the same subuid/subgid.
Open the link in your browser and select which domain you would like to use, and then it will generate the origin certificate.
Create a new cloudflared tunnel
We switched from
/etc/cloudflared because tunnel files are generated in the
We overrode the default certificate location in the compose file using the
Now you will find in
cert.pem file and a
.json file, the name of the file is your Tunnel ID.
Copy the tunnel’s ID and replace YOUR_TUNNEL_ID with it in the following steps.
Configuring the tunnel
config.yml file inside the
This is a basic configuration for a WordPress site inside the same Docker network as Cloudflared, running on port 80.
You could further customize the configuration to your liking.
Here are the details about it.
But this would be enough for most setups.
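A minimal config.yml of the kind described above, as an added example rather than the original post's file. The hostname blog.example.com, the container name wordpress and the /etc/cloudflared credentials path are assumptions; YOUR_TUNNEL_ID is the placeholder used throughout this post.

```yaml
# Added example, not the original post's file.
# Assumptions: public hostname blog.example.com, a WordPress container
# reachable as "wordpress" on the shared Docker network, and tunnel files
# mounted under /etc/cloudflared inside the cloudflared container.
tunnel: YOUR_TUNNEL_ID
credentials-file: /etc/cloudflared/YOUR_TUNNEL_ID.json

ingress:
  # Only requests for this hostname are forwarded to the origin container.
  - hostname: blog.example.com
    service: http://wordpress:80
  # cloudflared requires a final catch-all rule with no hostname.
  # Answering 404 here keeps requests for any other hostname from
  # reaching a container on the Docker network.
  - service: http_status:404
```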
Start it up!
Make sure cloudflared is running in the same network as your other container if you are using DNS hostnames, and it should just work!
CNAME record to your domains pointing to YOUR_TUNNEL_ID.cfargotunnel.com, and make sure to enable Cloudflare’s proxy (the cloud needs to be orange).
If you see this error
Currently, this has no effect, as Cloudflared still doesn’t support ICMP over QUIC anyway.
I tried fixing it by setting net.ipv4.ping_group_range = 0 2147483647, but it still didn’t work, so just ignore it for now.
If you have a solution, write it in the comments!