- Introduction
- References
- Prerequisites
- Argo Tunnel Setup
- Traefik Setup
- Add Addtional Routes
- Kubernetes Setup
This gist aims to walk you through the process of setting up reverse-proxy via Cloudflare Argo Tunnel and Traefik on your VPS.
- VPS (Ubunutu 22.04 recommended | 1VCPU 1G RAM >=10G SSD)
- Cloudflare Account (https://dash.cloudflare.com/sign-up)
Before you start, make sure you:
-Add a website to Cloudflare. -Change your domain nameservers to Cloudflare.
First, download cloudflared on your machine. Visit the downloads page to find the right package for your OS.
# debian install
$ wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && dpkg -i cloudflared-linux-amd64.deb
# rpm install
$ wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm$ cloudflared tunnel loginRunning this command will:
- Open a browser window and prompt you to log in to your Cloudflare account. After logging in to your account, select your hostname.
- Generate an account certificate, the
cert.pemfile, in the default cloudflared directory at/etc/cloudflared.
$ sudo -i
$ cloudflared tunnel create <NAME>Running this command will:
- Create a tunnel by establishing a persistent relationship between the name you provide and a UUID for your tunnel. At this point, no connection is active within the tunnel yet.
- Generate a tunnel credentials file in the default cloudflared directory.
- Create a subdomain of .cfargotunnel.com. From the output of the command, take note of the tunnel’s UUID and the path to your tunnel’s credentials file.
Confirm that the tunnel has been successfully created by running:
$ cloudflared tunnel listCreate a configuration file in your /root/.cloudflared directory using any text editor. This file will configure the tunnel to route traffic from a given origin to the hostname of your choice.
# /etc/cloudflared/config.yml
tunnel: <UUID>
credentials-file: /root/.cloudflared/<UUID>.json
ingress:
- service: https://<PUBLIC_IP_OF_YOUR_VPS>
originRequest:
originServer: <DOMAIN_OF_YOUR_VPS e.g example.com>
noTLSVerify: true
Install the cloudflared service.
$ cloudflared service installEnable and start the service.
$ systemctl enable cloudflared --now(Optional) View the status of the service.
$ systemctl status cloudflaredYour tunnel configuration is complete! If you want to get information on the tunnel you just created, you can run:
$ cloudflared tunnel info <TUNNEL UUID><TUNNEL UUID>.cfargotunnel.com
Make sure the Proxy status is set to Proxied
# Install Docker
$ sudo wget -qO- https://get.docker.com/ | sh
$ sudo usermod -aG docker $USER
$ newgrp docker
$ sudo systemctl enable docker --now
# Install Docker-Compose
$ sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ sudo chmod +x /usr/local/bin/docker-compose
$ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-composeTo get started creating an API Token, log in to the Cloudflare dashboard and go to User Profile -> API Tokens or click here. From the API Token home screen select Use template and the Edit zone DNS template.
In Zone Resources, select the zone (domain) you would like to include -> Continue to summary -> Save the token for later use.
# /etc/traefik/docker-compose.yml
version: "3.4"
services:
traefik:
image: traefik
container_name: traefik
restart: unless-stopped
environment:
CF_DNS_API_TOKEN: <YOUR_API_TOKEN_GOES_HERE>
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /etc/localtime:/etc/localtime
- /etc/traefik:/etc/traefikCreate default config directory
$ sudo -i
$ mkdir -p /etc/traefik
$ mkdir -p /etc/traefik/certs
$ touch /var/log/traefik.logEdit /etc/traefik/traefik.yml
# /etc/traefik/traefik.yml
---
log:
filePath: "/var/log/traefik.log"
level: DEBUG
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
file:
directory: /etc/traefik
watch: true
tls:
options:
default:
minVersion: VersionTLS12
preferServerCipherSuites: true
stores:
default:
defaultCertificate:
certFile: /etc/traefik/certs/<YOUR_DOMAIN>.pem
keyFile: /etc/traefik/certs/<YOUR_DOMAIN>.key
pilot:
dashboard: false
http:
routers:
main:
rule: "Host(`<YOUR_DOMAIN>`) && PathPrefix(`/`)"
service: main
middlewares:
- default-headers
- https-redirect
tls:
domains:
- main: "<YOUR_DOMAIN>"
entryPoints:
- https
<OTHER_CUSTOM_ROUTES_GOES_HERE>
services:
main:
loadBalancer:
servers:
- url: "http://<YOUR_VPS_PUBLIC_IP>:<INTERNAL_SERVICE_PORT>" # e.g xx.xx.xx.xx:8080
<OTHER_CUSTOM_SERVICE_GOES_HERE>
middlewares:
https-redirect:
redirectScheme:
scheme: https
default-headers:
headers:
accessControlAllowMethods: ["GET", "POST", "OPTIONS"]
accessControlMaxAge: 100
accessControlAllowHeaders: "*"
addVaryHeader: "true"
frameDeny: true
sslRedirect: true
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customRequestHeaders:
X-Forwarded-Proto: https
secured:
chain:
middlewares:
- default-whitelist
- default-headers$ docker-compose up -d --force-recreateLog in to the Cloudflare dashboard and navigate to DNS -> Add record:
- Select
CNAMEas the type - Put you domain that points to the tunnel
- Toggle the
Proxy Statusto theProxiedstate
e.g.
In the /etc/traefik/traefik.yml file, follow the default config pattern and add additional routes and services.