Sign in Subscribe
8 min read Self-Hosted

Cloudflare Tunnels, Traefik and self-hosted services

In my case in addition to this blog, there are several services we consume outside of our local network like audiobookshelf for listening to audio books, mealie for recipe access via the phone when cooking (no Wi-Fi in our house) and immich for backing up photos from our phone.
Cloudflare Tunnels, Traefik and self-hosted services
Photo by Dawit / Unsplash

I am a big advocate of data sovereignty - having full control over your data. One of the ways you can accomplish this is to host your digital services in your own home lab. This instance of Ghost for example is self-hosted - running in a docker container and exposed to the outside world via a reverse proxy. Putting this together isn't always an easy journey and that is part of the fun. Fortunately, between forums, GitHub, reddit and now ChatGPT there are a LOT of resources to help. I know that I have availed myself of all of them to my benefit and today I want to give back. What follows is a guide on how to put together a very specific setup that a LOT of people seem to be struggling with.

Background

In my case in addition to this blog, there are several services we consume outside of our local network like audiobookshelf for listening to audio books, mealie for recipe access via the phone when cooking (no Wi-Fi in our house) and immich for backing up photos from our phone. All of these are hosted on a dedicated Ubuntu server via docker containers with storage on an UnRaid NAS.

For quite a while I used Nginx Proxy Manager as my reverse proxy solution and overall, it worked well and was easy to configure with a nice UI. Unfortunately, in my experience it was bit of a black box and when things did not work, trying to figure out what was wrong, like why did one proxy host work and another didn't with the exact same setup, became quite frustrating. So, I decided to find an alternative and after a bit of research I landed on Traefik. It promised easy discovery via docker labels, easy routing, load balancing and a lot of other features that I don't need now but might want in the future.

Needless to say, the switch did NOT go easy. That isn't the fault of Traefik, per se, more so that what I was trying to do with it, that was pretty easy in NPM, wasn't as straight forward as I thought. No worries - I did prevail and now I can shine a light on what worked for me, so you don't have to pull your hair out over a few days.....

For the purposes of this guide, I am going to make some assumptions -

  • You know what Cloudflare is and have some experience in setting up domains, DNS records and certificates.
  • You have a basic working knowledge of Docker and docker compose.
  • You have some sort of home lab server set up with a service or services that you want to access via the internet.

I am going to cover the setup across three areas:

  • Cloudflare tunnel config and origin server certificate
  • Traefik docker compose, traefik.yml and cert.yml
  • Docker service docker compose labels

Ready? Alright lets go!

Cloudflare

So, as I said earlier you should already have a Cloudflare account, a domain and subdomains that you will use to access your services from.

So let's assume you have Cloudflare managing a domain - like myselfhosted.com and you want to access audiobookshelf on the go. Typically, you would need a static IP address to point the domain to and you would have to configure your firewall and router to pass traffic over certain ports to the internal audiobookshelf server. Trouble is, for a lot of us a static IP isn't available and opening up ports on your router and firewall represents a security risk that you may not or cannot in some cases take. The answer is a Cloudflare tunnel - no static IP required, no ports to open and easy configuration.

I am not going to cover setting up a tunnel - there are a LOT of resources for that both with Cloudflare itself and on the net. What I am going to cover is what you need setup to make this work including the config file.


Going back to our example of myselfhosted.com we should have:

  • a cname for myselfhosted.com with a target of our cloudlfare tunnel id
    • Example: Type: CNAME Name: myselfhosted.com Target: tunnelidnumber.cfargotunnel.com
    • enable the Proxy: proxied and leave the TTL to auto
  • a cname for our service like audio with a target of myselfhosted.com
    • Example: Type: CNAME Name: audio Target: myselfhosted.com
    • enable the Proxy: proxied and leave the TTL to auto
  • cloudflared installed on our server via docker compose 
cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: CLOUDFLARED
    restart: unless-stopped
    command: tunnel run "replacewithyourtunnelid"
    volumes:
      - /cloudflared:/home/nonroot/.cloudflared
  • a config file with an ingress rule pointing to the lan ip address and port 443 of our traefik container:
tunnel: yourtunnelid
credentials-file: /home/nonroot/.cloudflared/yourtunnelid.json

# NOTE: You should only have one ingress tag, so if you uncomment one block comment the others

# forward all traffic to Reverse Proxy w/ SSL and no TLS Verify
ingress:
  - service: https://192.168.0.171:443
    originRequest:
      originServerName: myselfhosted.com
      noTLSVerify: true

#forward all traffic to Reverse Proxy w/ SSL 
#ingress:
#  - service: https://192.168.0.171:443
#    originRequest:

# forward all traffic to reverse proxy over http
#ingress:
#  - service: http://192.168.0.171:1180

Origin Server certificates

You probably already have these IF you are using a similar setup. If not - it is easy to setup via these instructions - https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/

Follow the steps to use the pem format and paste the certificate and key data into a text editor creating a file for each:

  • mydomain.crt
  • mydomain.key

We will put these in a specific directory when we setup Traefik.

Now we have Cloudflare setup, and ready to send requests originating from audio.myselfhosted.com to Traefik! Time to get Traefik set up.

Traefik

Ok so now is the part where I admit I got my ass kicked. I spent some serious quality time with searxng and ChatGPT on this one in addition to a Traefik forum post (which still has no replies). In fact I can safely say that there are probably some things in this docker compose file which I do NOT need as it was originally configured to use Let's Encrypt to issue certs for the sub domains which did NOT work and was not needed. That said the compose file works and I'm not yet inclined to comment out parts that may no longer be needed. (lines 16 & 17 I am looking at you!) I'll save that cleanup for another day.....

Here is my working version of a traefik docker compose file: (scrubbed of personal data of course)

services:
  traefik:
    image: traefik:v3.2.3
    container_name: TRAEFIK
    command:
      - "--configFile=/etc/traefik/traefik.yml"  # Point to the external traefik.yml
    ports:
      - 80:80
      - 443:443
      - 8079:8080  # Web UI port
    environment:
      - [email protected]
      - CF_API_TOKEN=MYAPISTRING  # Cloudflare API Token
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt  # Persistent storage for certificates
      - ./certs:/etc/traefik/certs  # Mount the directory containing your Cloudflare certificates
      - ./traefik.yml:/etc/traefik/traefik.yml  # Mount the custom traefik.yml config
      - ./accessslogs:/var/log/traefik  # Mount host directory for logs
    networks:
      - proxy
  
networks:
  proxy:  # Define the internal network
    driver: bridge  # Default network driver

now for the traefik.yml:

################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: true

################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"

  websecure:
    address: ":443"

################################################################
# Traefik logs configuration
################################################################
log:
  level: DEBUG

################################################################
# API and dashboard configuration
################################################################
api:
  insecure: true  # Enable insecure API for monitoring
  dashboard: true  # Enable Dashboard (set to false to disable it)

################################################################
# Access logs configuration
################################################################

# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
accessLog:
  filePath: /var/log/traefik/access.log
  format: json

################################################################
# Providers configuration
################################################################
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"  # Docker socket
    exposedByDefault: false  # Do not expose containers by default
    defaultRule: "Host(`{{ .Name }}`)"  # Default rule for container names

  file:
    directory: "/etc/traefik"  # Directory to watch for certificates (dynamic config)
    watch: true  # Watch for changes in dynamic config

So, what is happening here:

  • Under entrypoints we are setting two -
    • one for http called web at port 80 which redirects to
    • one for https called websecure so any requests to an http address go to https on port 443
  • Under logs I had this set to DEBUG while trouble shooting and then moved it to ERROR for normal running
  • Under API and dashboard we are enabling them both by setting them to true
  • More trouble shooting insight by enabling the access log
  • Providers - two
    • docker via the socket
      • set enabledbydefult as false so ONLY containers with labels will be exposed
      • set a default name rule for containers
    • file via a directory so we can have a dynamic config file and most importantly a place for our origin certificates

Now we need to configure the certs for traefik with another yaml file and place those two files we created earlier domain.crt and domain.key

Here is the certs.yml

# Dynamic configuration (certs.yml or dynamic.yml)
tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/cloudflare-origin.pem"
        keyFile: "/etc/traefik/certs/cloudflare-origin.key"
  certificates:
    - certFile: "/etc/traefik/certs/cloudflare-origin.pem"
      keyFile: "/etc/traefik/certs/cloudflare-origin.key"

In my example my certificate files are names cloudflare-origin .pem and .key and I am explicitly telling traefik that these are the default certificates to use for tls. This might be overkill but as I mentioned before I originally was trying to use letsencrypt for the subdomains and got into a loop where traefik kept providing the worng certificate. This fixed that and is my working configuration. This is one more area where I need to do some comment and test cleanup - on another day. 😄

So now we SHOULD have access to traefik at the host ip:8079 and be greeted with a nice big dashboard with:

  • 3 http entry points :8080, :80 and :443
  • 3 http routers api@internal, dashboard@internal and web-to-websecure@internal
  • 3 http services api@internal, dashboard@internal and noop@internal

Time to add a service!

Docker Service Labels

Ok we are on the home stretch and this is where it gets fun and easy. Adding a service to be exposed via the traefik reverse proxy is simple using labels in the docker compose file for the service we want to expose:

   labels:
      - traefik.enable=true
      - traefik.http.routers.audio.rule=Host(`audio.myselfhosted.com`)
      - traefik.http.routers.audio.entrypoints=websecure
      - traefik.http.routers.audio.tls=true

AND (don't forget this part or it will drive you crazy with a big hand slap at the end) we need to ADD this service to the same network we created earlier using:

networks:
      - proxy  # Use only the Traefik network

and then make sure this is added to the stack (or at end if a single service)

networks:
  proxy:  # Reference the existing Traefik network
    external: true

Assuming you got everything right 😏 after recreating the docker container for the service you added (docker compose down and docker compose up -d) you SHOULD now see the audio.myselfhosted.com entry in the Traefik dashboard and you should now be able to browse to https://audio.myselfhsoted.com

Congratulations! Now for every service you want to expose - you simply and the cname, modify the service with the correct labels and add the service to the proxy network.

Conclusion

I hope anyone out there searching for Cloudflare tunnel, origin server certificate and traefik is able to find and profit from this guide. Almost every solution I found used two of three of these pieces with a lot using Cloudflare DDNS and origin certificates but no tunnel etc. While it seems straight forward now (writing this post REALLY helped cement it all together for me) the learning curve for Traefik and the lack of a good docker compose example that mirrored my needs threw me for a pretty big loop. In the end that is part of the fun - learning by doing.

Published by:

Chris Almida

You might also like...

22
Mar
but wait there's more!

but wait there's more!

So why am I doing this? Why go through all this trouble to self-host and rebuild a media server stack from scratch? Well, let's back up a bit and I'll show you how I got here.
3 min read
21
Mar
Foundations of Sovereign Self-Hosting

Foundations of Sovereign Self-Hosting

This guide is geared toward newcomers who want to take control of their own media experience with a sovereign, self-hosted setup.
3 min read
24
Jan
Why Self-Hosting?

Why Self-Hosting?

Now that I have relaunched lifeonbtc as Living Sovereign by Chris Almida, I want to expand upon the why behind self-hosting from my perspective and how it relates to Living Sovereign.
3 min read