This is a follow-up to my “Docker and cloudflared” post. I wanted to take it a step further and have cloudflared come up via docker-compose or as a stack in the swarm. It turns out that is not hard to do; it just needs a bit more lifting and a couple more steps. Read on to see how.
Authenticate with cloudflare
```console
# docker run --rm -v /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.1.0 tunnel login
Please open the following URL and log in with your Cloudflare account:
https://dash.cloudflare.com/argotunnel?callback=[CALLBACK_URL_CENSOR]
Leave cloudflared running to download the cert automatically.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/home/nonroot/.cloudflared/cert.pem
```
Check for the cert
```console
# cd /docker-store/cloudflared/.cloudflared
# ls -al
total 4
drwxrwxrwx. 2 root  root    22 Jan 23 14:15 .
drwxr-xr-x. 3 root  root    26 Jan 13 01:10 ..
-rw-------. 1 65532 65532 1934 Jan 23 14:15 cert.pem
```
Create a new tunnel
```console
# docker run --rm -v /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.1.2 tunnel create docker-swarm
Tunnel credentials written to /home/nonroot/.cloudflared/fda6fab5-1d8c-477d-91f8-160537e230f7.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.
Created tunnel docker-swarm with id fda6fab5-1d8c-477d-91f8-160537e230f7
```
Check which tunnels exist:

```console
# docker run --rm -v /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.1.2 tunnel list
You can obtain more detailed information for each tunnel with `cloudflared tunnel info <name/uuid>`
ID                                   NAME         CREATED              CONNECTIONS
fda6fab5-1d8c-477d-91f8-160537e230f7 docker-swarm 2022-01-23T19:23:23Z 2xATL, 2xIAD
```
Verify that the tunnel JSON file was created:

```console
# ls -al /docker-store/cloudflared/.cloudflared
total 12
drwxrwxrwx. 2 root  root    92 Jan 23 14:23 .
drwxr-xr-x. 3 root  root    26 Jan 13 01:10 ..
-rw-------. 1 65532 65532 1934 Jan 23 14:15 cert.pem
-rw-r--r--. 1 root  root  1052 Jan 23 14:22 config.notyet
-rw-------. 1 65532 65532  186 Jan 23 14:23 fda6fab5-1d8c-477d-91f8-160537e230f7.json
```
Create the config file
Per the docs, the ingress list must always end with a catch-all rule, here the http_status:404 entry.

```console
# touch /docker-store/cloudflared/.cloudflared/config.yaml
# nano config.yaml
```
```yaml
tunnel: fda6fab5-1d8c-477d-91f8-160537e230f7
credentials-file: /home/nonroot/.cloudflared/fda6fab5-1d8c-477d-91f8-160537e230f7.json
logfile: /var/log/cloudflared.log
ingress:
  - hostname: whoami.mindlesstux.com
    service: http://whoami:7878
  - service: http_status:404
```
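Before starting the container it is worth checking the config for the mistakes cloudflared rejects at startup (a tunnel name instead of the UUID, a credentials-file that does not match the tunnel, no catch-all ingress rule) and that cert.pem and the tunnel JSON still have the owner-only mode shown in the listing above. The script below is an added example written for this post, not cloudflared's own tooling; it parses only the flat config layout used here and the sample config is constructed from the post's values.

```python
"""Sanity-check a cloudflared config.yaml like the one above before `tunnel run`.
Added example for this post, not cloudflared's own code; flat layout only."""
import os
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

# Constructed from the post's values so the checks can be exercised offline.
SAMPLE_CONFIG = """tunnel: fda6fab5-1d8c-477d-91f8-160537e230f7
credentials-file: /home/nonroot/.cloudflared/fda6fab5-1d8c-477d-91f8-160537e230f7.json
ingress:
  - hostname: whoami.mindlesstux.com
    service: http://whoami:7878
  - service: http_status:404
"""
def parse_config(text):
    """Split the config into top-level keys and a list of ingress rules."""
    top, ingress = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        is_item = line.startswith("- ")
        if is_item:                        # "- hostname: ..." opens a new rule
            ingress.append({})
            line = line[2:]
        key, sep, value = line.partition(":")
        if not sep or line.startswith("#") or key.strip() == "ingress":
            continue                       # blank, comment or the list header
        target = ingress[-1] if ingress and (is_item or raw[:1].isspace()) else top
        target[key.strip()] = value.strip()
    return top, ingress

def validate_config(text):
    """Return the problems cloudflared would reject at startup; [] means OK."""
    top, ingress = parse_config(text)
    tunnel, creds = top.get("tunnel", ""), top.get("credentials-file", "")
    problems = []
    if not UUID_RE.match(tunnel):
        problems.append("tunnel must be the tunnel UUID, not its name")
    if os.path.basename(creds) != tunnel + ".json":
        problems.append("credentials-file should be the <UUID>.json written by 'tunnel create'")
    if not ingress or "hostname" in ingress[-1] or "service" not in ingress[-1]:
        problems.append("ingress must end with a catch-all rule such as http_status:404")
    for i, rule in enumerate(ingress[:-1]):
        if "hostname" not in rule or "service" not in rule:
            problems.append("ingress rule %d needs both hostname and service" % i)
    return problems

def mode_is_private(st_mode):
    """cert.pem and <UUID>.json grant control of the tunnel: require -rw------- (pass os.stat(path).st_mode)."""
    return (st_mode & 0o077) == 0
```

Run `validate_config(open("config.yaml").read())` on the host copy and `mode_is_private(os.stat(path).st_mode)` on cert.pem and the tunnel JSON; an empty list and True mean the setup matches what the listing above shows.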
Register the DNS for the tunnel:
```console
# docker run --rm -v /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.1.2 tunnel route dns docker-swarm whoami.mindlesstux.com
```
Create the YAML to launch it. Both the docker-compose and the swarm variants are below. I am reusing the traefik_bridge network so cloudflared can reach the containers I might want to publish to the world.

```console
# touch /docker-store/cloudflared/docker-compose.yml
# nano /docker-store/cloudflared/docker-compose.yml
```
```yaml
---
version: "2"
services:
  cloudflared:
    image: cloudflare/cloudflared:2022.1.2
    container_name: cloudflared
    environment:
      - TZ=America/New_York
    volumes:
      - /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/
    restart: always
    command: tunnel run
    networks:
      - traefik_bridge
networks:
  traefik_bridge:
    external: true
```
```console
# docker-compose up -d
Creating cloudflared ... done
```
Or stack.yaml for a swarm:
```console
# touch /docker-store/cloudflared/stack.yaml
# nano /docker-store/cloudflared/stack.yaml
```
```yaml
---
version: '3'
services:
  cloudflared:
    image: "cloudflare/cloudflared:2022.1.0"
    volumes:
      - /docker-store/cloudflared/.cloudflared:/home/nonroot/.cloudflared/
    command: tunnel run
    deploy:
      placement:
        constraints:
          - node.role==manager
    networks:
      - traefik_traefik_bridge
networks:
  traefik_traefik_bridge:
    external: true
```
```console
# docker stack deploy -c stack.yaml cloudflared
Creating service cloudflared_cloudflared
```
Then browse to your new page: https://whoami.mindlesstux.com/. Note that the IPs listed are not the ones your ISP provided; this is due to Docker networking, and putting the real client address back in place will be another day's work. You can compare with the same whoami container passing through traefik: https://whoami.dacentec.mindlesstux.com/