Setting up CloudFlared in docker

This is a follow up to my “Docker and cloudflared” post. I wanted to take it a step further.  I wanted for the cloudflared to come up via docker-compose or as a stack in the swarm.  Turns out it is not that hard to do so.  Just need a bit more lifting to get there with a couple more steps.  Read more to see how to.

Authenticate with cloudflare:

docker run --rm -v /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.1.0 tunnel login
Please open the following URL and log in with your Cloudflare account:[CALLBACK_URL_CENSOR]

Leave cloudflared running to download the cert automatically.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:

Check for the cert:

cd /docker-store/cloudflared/.cloudflared
ls -al
total 4
drwxrwxrwx. 2 root root 22 Jan 23 14:15 .
drwxr-xr-x. 3 root root 26 Jan 13 01:10 ..
-rw-------. 1 65532 65532 1934 Jan 23 14:15 cert.pem

Create a new tunnel:

docker run --rm -v /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.1.2 tunnel create docker-swarm
Tunnel credentials written to /home/nonroot/.cloudflared/fda6fab5-1d8c-477d-91f8-160537e230f7.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

Created tunnel docker-swarm with id fda6fab5-1d8c-477d-91f8-160537e230f7

Check to see the tunnels there are:

docker run --rm -v /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.1.2 tunnel list
You can obtain more detailed information for each tunnel with `cloudflared tunnel info <name/uuid>`
ID                                   NAME           CREATED              CONNECTIONS  
fda6fab5-1d8c-477d-91f8-160537e230f7 docker-swarm   2022-01-23T19:23:23Z 2xATL, 2xIAD

Verify that a tunnel json file was made.

ls -al /docker-store/cloudflared/.cloudflared
total 12
drwxrwxrwx. 2 root root 92 Jan 23 14:23 .
drwxr-xr-x. 3 root root 26 Jan 13 01:10 ..
-rw-------. 1 65532 65532 1934 Jan 23 14:15 cert.pem
-rw-r--r--. 1 root root 1052 Jan 23 14:22 config.notyet
-rw-------. 1 65532 65532 186 Jan 23 14:23 fda6fab5-1d8c-477d-91f8-160537e230f7.json

Create the config file. It always must end with the 404 per docs.

touch /docker-store/cloudflared/.cloudflared/config.yaml
nano config.yaml
tunnel: fda6fab5-1d8c-477d-91f8-160537e230f7
credentials-file: /home/nonroot/.cloudflared/fda6fab5-1d8c-477d-91f8-160537e230f7.json
logfile: /var/log/cloudflared.log

  - hostname:
    service: http://whoami:7878
  - service: http_status:404

Register the DNS for the tunnel:

docker run --rm -v /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.1.2 tunnel route dns docker-swarm

Create the yaml to launch it. Be it docker-compose or for a swarm, both are below. I am reusing the traefik_bridge network to gain access to the containers I might want to publish to the world.

touch /docker-store/cloudflared/docker-compose.yml
nano /docker-store/cloudflared/docker-compose.yml
version: "2"
    image: cloudflare/cloudflared:2022.1.2
    container_name: cloudflared
      - TZ=America/New_York
      - /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/
    restart: always
    command: tunnel run
      - traefik_bridge
    external: true
docker-compose up -d
docker-compose up -d
Creating cloudflared ... done

Or stack.yaml for a swarm:

touch /docker-store/cloudflared/stack.yaml
nano /docker-store/cloudflared/stack.yaml
version: '3'

    image: "cloudflare/cloudflared:2022.1.0"
      - /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/
    command: tunnel run
          - node.role==manager
      - traefik_traefik_bridge

    external: true
docker stack deploy -c stack.yaml cloudflared
Creating service cloudflared_cloudflared

Then go browse your new page: Note the IPs listed are not what your ISP provided, this is due to docker networking. To put that back in place will be another day. You can compare this same whoami container passing through traefik: