As developers, we often need to expose our local applications for testing, demos, or collaboration. Traditionally, tools like Ngrok or manual firewall configurations were used. However, Cloudflare Zero Trust Tunnels offer a modern and secure approach. This blog will guide you through using Cloudflare’s cloudflared tool to expose a local web application using a public hostname, all while leveraging Cloudflare’s Zero Trust framework.
What is Zero Trust?
Zero Trust is a security framework that assumes no user or device is trusted by default, whether inside or outside the network. Every access request is authenticated and authorized based on the identity of the requester and the specific resources they are attempting to access.
For developers, Zero Trust eliminates the need to rely on traditional perimeter-based security (e.g., VPNs or open firewalls). Instead, Cloudflare’s Zero Trust architecture allows you to expose your applications securely without exposing any ports on your local machine.
Why Use Cloudflare Zero Trust Tunnels?
Cloudflare Zero Trust Tunnels make exposing local applications over the internet secure and straightforward. With cloudflared, you can securely connect your local machine to Cloudflare’s global network without exposing open ports. The tunnel can map to a public hostname, allowing you to share your local app with anyone, anywhere.
Key Benefits for Developers:
- Simplified Secure Access: No need to configure NAT or open ports in your firewall.
- Encrypted Communication: All traffic is routed securely over HTTPS.
- Granular Access Control: Apply Cloudflare’s Zero Trust access policies to control who can access your application using identity providers like Google or GitHub.
- No Open Ports: Your application remains secure with no inbound ports exposed on your network.
Prerequisites
Before getting started, make sure you have:
- A Cloudflare account with a domain managed by Cloudflare (e.g., example.com).
- cloudflared installed on your local machine. Installation instructions can be found on the official Cloudflare documentation.
Step-by-Step: Exposing Your Local Application Using Public Hostname
In this example, we’ll expose a local web application running on localhost:8000 using a Cloudflare Zero Trust Tunnel with a public hostname.
Step 1: Authenticate Cloudflared with Cloudflare
Start by authenticating cloudflared with your Cloudflare account. This is required to create and manage tunnels:
cloudflared login
This command will open a browser window prompting you to log in to your Cloudflare account. After login, select the domain you want to use (e.g., example.com).
Step 2: Create a Tunnel
Next, create a tunnel that will securely route traffic from Cloudflare’s edge network to your local application:
cloudflared tunnel create my-public-tunnel
This command will create a unique tunnel ID and generate a credentials file. The credentials file is saved on your local system (in ~/.cloudflared/ by default) and will be needed to manage the tunnel.
Step 3: Configure the Tunnel with a Public Hostname
To map the tunnel to a public hostname and expose the local service, you need to create a configuration file.
Create or update the file ~/.cloudflared/config.yml:
nano ~/.cloudflared/config.yml
Add the following configuration:
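tunnel: my-public-tunnel
# The credentials file was created with the 'cloudflared tunnel create my-public-tunnel' command.
# cloudflared names it after the tunnel's UUID (<TUNNEL-UUID>.json), so replace this path with the real one.
credentials-file: /home/user/.cloudflared/my-public-tunnel.json
ingress:
  # Requests for this hostname are forwarded to the local application
  - hostname: myapp.example.com
    service: http://localhost:8000
  # Catch-all rule (must be last): any other request gets a 404
  - service: http_status:404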
- tunnel: The name of the tunnel created in the previous step (my-public-tunnel).
- credentials-file: The path to the credentials file generated when the tunnel was created. Replace /home/user/.cloudflared/my-public-tunnel.json with the actual path to your credentials file.
- hostname: The public hostname (e.g., myapp.example.com) that will be used to access the application.
- service: The local service to be exposed, in this case, an application running on localhost:8000.
Step 4: Set Up DNS for the Public Hostname
For the public hostname (myapp.example.com) to resolve to your tunnel, you need to create a DNS record.
You can automate this step using the following command:
cloudflared tunnel route dns my-public-tunnel myapp.example.com
This command creates a CNAME DNS record in Cloudflare that points myapp.example.com to Cloudflare’s network, allowing external users to access your local service via the tunnel.
Step 5: Start the Tunnel
With everything set up, you can start the tunnel to expose your local application:
cloudflared tunnel run my-public-tunnel
This command will establish a secure connection between your local machine and Cloudflare’s global network, making your local application accessible via the public hostname https://myapp.example.com.
Securing the Public Hostname with Cloudflare Zero Trust Access Policies
By default, your application is accessible to anyone who knows the public hostname. To secure access, you can apply Cloudflare’s Zero Trust access policies.
- In your Cloudflare dashboard, navigate to Access > Applications.
- Add a new application for myapp.example.com.
- Set up an access policy that requires users to authenticate via an identity provider (e.g., Google, GitHub) before accessing the application.
- Optionally, you can restrict access by email domain, user groups, or specific IP addresses.
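Because the hostname is open to anyone until an Access application covers it, it is worth confirming from outside that an unauthenticated request is sent to the Access login instead of reaching the local app. The script below is an added example, not part of the original post or of cloudflared: the function names are hypothetical, the sample responses are constructed, and team-placeholder stands in for your own Zero Trust team name.

```shell
#!/bin/sh
# Classify an HTTP response (raw headers on stdin) for a tunnel hostname:
#   protected = redirect whose Location host is under cloudflareaccess.com
#   open      = 2xx, i.e. the origin answered with no login in front of it
#   unknown   = anything else; inspect by hand
classify_access() {
    awk '
        { sub(/\r$/, "") }                      # curl prints CRLF line ends
        NR == 1 { status = $2 }                 # "HTTP/2 302" -> 302
        tolower($1) == "location:" { loc = tolower($2) }
        END {
            n = split(loc, part, "/")           # "https:", "", host, path...
            host = (n >= 3) ? part[3] : ""
            sub(/:[0-9]+$/, "", host)           # drop an explicit port
            # Match on the host suffix, not on a substring of the URL
            if ((status == 302 || status == 303) && host ~ /\.cloudflareaccess\.com$/)
                print "protected"
            else if (status >= 200 && status < 300)
                print "open"
            else
                print "unknown"
        }'
}

# Fetch the headers without cookies and without following redirects.
check_hostname() {
    curl -sS -o /dev/null -D - --max-time 10 "https://$1/" | classify_access
}

# Constructed sample responses (not captured from a real tunnel).
SAMPLE_GATED='HTTP/2 302
location: https://team-placeholder.cloudflareaccess.com/cdn-cgi/access/login/myapp.example.com
'
SAMPLE_OPEN='HTTP/2 200
content-type: text/html
'

if [ $# -gt 0 ]; then
    check_hostname "$1"            # e.g. ./check.sh myapp.example.com
else
    printf '%s' "$SAMPLE_GATED" | classify_access
    printf '%s' "$SAMPLE_OPEN" | classify_access
fi
```

Run it with the hostname as the only argument after starting the tunnel; a result of open means the Access application is missing or does not match the hostname.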
Conclusion
Cloudflare Zero Trust Tunnels offer a simple and secure way for developers to expose local web applications without exposing open ports or relying on VPNs. By mapping a public hostname to your local services, you can securely share your development environment with colleagues, clients, or users. With Cloudflare’s Zero Trust architecture, you gain the flexibility to apply granular access controls, ensuring only authorized users can access your applications. The setup process is quick, secure, and leverages Cloudflare’s global network to provide fast and reliable access. For more detailed instructions, visit Cloudflare’s official documentation. Now you can securely share your local development environments for testing, demos, or collaboration without sacrificing security or convenience.