Exposing internal services securely via Traefik Proxy & Cloudflare Tunnel
2.8K
๐ A powerful Docker solution combining Traefik reverse proxy with Cloudflare Tunnel Expose your local services to the internet securely with automatic SSL and DNS management
๐ณ Docker Hubโ โข ๐ Documentationโ โข ๐ Quick Startโ โข ๐ฌ Discussionsโ
โ โก Core Features
|
โ ๐ก๏ธ Security & Performance
|
graph TB
A[๐ Internet] --> B[โ๏ธ Cloudflare CDN]
B --> C[๐ Cloudflare Tunnel]
C --> D[๐ Traefik Proxy]
D --> E[๐ฑ Your Services]
F[๐ค DNS API] --> G[๐ Auto DNS Records]
H[๐ Let's Encrypt] --> I[๐ SSL Certificates]
Flow Overview:
git clone https://github.com/zenkiet/traefik-tunnel-expose.git
cd traefik-tunnel-expose
# Copy example environment file
cp env.example .env
# Edit configuration
nano .env # or your preferred editor
# ===== REQUIRED =====
# Cloudflare Configuration
CF_API_TOKEN=your_cloudflare_api_token_here
CF_ZONE_ID=your_cloudflare_zone_id_here
CF_TUNNEL_ID=your_cloudflare_tunnel_id_here
CF_ACCOUNT_ID=your_cloudflare_account_id
[email protected]
# Domain Configuration
BASE_DOMAIN=yourdomain.com
HOST=127.0.0.1
# SSL Configuration (use staging for testing)
ACME_CA_SERVER=https://acme-staging-v02.api.letsencrypt.org/directory
# ๐ Start services
make dev # or make prod (for production)
# ๐ Check status
make status
# ๐ View logs
make logs
Create configuration files in conf.d/ directory:
conf.d/myapp.yml# ๐ HTTP Router and Service Configuration
http:
routers:
myapp:
rule: "Host(`myapp.yourdomain.com`)"
service: "myapp-service"
entrypoints:
- websecure
tls:
certResolver: cloudflare
middlewares:
- default-headers
- rate-limit
services:
myapp-service:
loadBalancer:
servers:
- url: "http://myapp-container:3000"
healthCheck:
path: "/health"
interval: "30s"
middlewares:
default-headers:
headers:
frameDeny: true
sslRedirect: true
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 31536000
rate-limit:
rateLimit:
burst: 100
average: 50
http:
routers:
webapp-secure:
rule: "Host(`webapp.yourdomain.com`)"
service: "webapp"
entrypoints:
- websecure
tls:
certResolver: cloudflare
middlewares:
- auth
- secure-headers
services:
webapp:
loadBalancer:
servers:
- url: "http://webapp:8080"
middlewares:
auth:
basicAuth:
users:
- "admin:$2y$12$..." # Generated with htpasswd
secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlAllowOriginList:
- https://yourdomain.com
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
http:
routers:
db-admin:
rule: "Host(`db.yourdomain.com`)"
service: "database-admin"
entrypoints:
- websecure
tls:
certResolver: cloudflare
middlewares:
- ip-whitelist
- auth
services:
database-admin:
loadBalancer:
servers:
- url: "http://adminer:8080"
middlewares:
ip-whitelist:
ipWhiteList:
sourceRange:
- "192.168.1.0/24"
- "10.0.0.0/8"
| Scope | Resource | Permission |
|---|---|---|
| Zone | Zone:Read | Specific zones |
| Zone | DNS:Edit | Specific zones |
| Account | Cloudflare Tunnel:Edit | Specific accounts |
# ๐ฅ Install cloudflared
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb
# ๐ Authenticate with Cloudflare
cloudflared tunnel login
# ๐ Create tunnel
cloudflared tunnel create my-tunnel
# ๐ซ Generate tunnel token
cloudflared tunnel token my-tunnel
cloudflared tunnel token --cred-file ./credentials.json <TUNNEL_ID>
The service automatically creates DNS records, but you can manually verify:
# ๐ Check DNS records
dig myapp.yourdomain.com
nslookup myapp.yourdomain.com
# Start services
make run # Start with auto-restart
make dev # Development mode
make prod # Production mode
# Control services
make stop # Stop all services
make restart # Zero-downtime restart
make update # Update to latest images
# View service status
make status # Comprehensive status overview
make health-check # Full health diagnostics
# Log management
make logs # Live logs with timestamps
make logs-traefik # Traefik-specific logs
make logs-errors # Error logs only
# Quality assurance
make test # Run test suite
make lint # Validate configurations
make security-scan # Security vulnerability scan
# Development tools
make shell # Enter container shell
make info # Image information
# Cleanup operations
make clean # Clean containers & resources
make clean-all # Deep cleanup with cache
make clean-logs # Remove old log files
# Build and deployment
make build # Build Docker image
make push # Push to registry
make release VERSION=v1.0.0 # Create versioned release
# Pipeline execution
make ci # Complete CI pipeline
make cd # Complete CD pipeline
# Start services
make run # Start with auto-restart
make dev # Development mode
make prod # Production mode
# Control services
make stop # Stop all services
make restart # Zero-downtime restart
make update # Update to latest images
Create config/traefik-dynamic.yml for advanced settings:
# ๐ TLS Configuration
tls:
options:
default:
sslProtocols:
- "TLSv1.2"
- "TLSv1.3"
cipherSuites:
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
# ๐ Global Middlewares
http:
middlewares:
secure-headers:
headers:
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
referrerPolicy: "same-origin"
services:
traefik-tunnel:
deploy:
resources:
limits:
cpus: '2.0'
memory: 1G
reservations:
cpus: '0.5'
memory: 256M
healthcheck:
test: ["CMD", "traefik", "healthcheck"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
# ๐ฏ Latest version
docker pull zenkiet/traefik-tunnel-expose:latest
# ๐ท๏ธ Specific version
docker pull zenkiet/traefik-tunnel-expose:v1.0.0
# ๐ Check image info
docker inspect zenkiet/traefik-tunnel-expose:latest
docker run -d \
--name traefik-tunnel \
--restart unless-stopped \
-p 80:80 \
-p 443:443 \
-p 8080:8080 \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v ./data:/data \
-v ./config:/etc/traefik \
-e CF_API_TOKEN=your_token \
-e CF_ZONE_ID=your_zone_id \
zenkiet/traefik-tunnel-expose:latest
We welcome contributions! Here's how you can help:
# ๐ด Fork and clone
git clone https://github.com/your-username/traefik-tunnel-expose.git
cd traefik-tunnel-expose
# ๐ฟ Create feature branch
git checkout -b feature/amazing-feature
# ๐ง Make changes and test
docker-compose up -d
# โ
Commit changes
git commit -m "โจ Add amazing feature"
# ๐ Push and create PR
git push origin feature/amazing-feature
We use Conventional Commitsโ :
โจ feat: New features๐ fix: Bug fixes๐ docs: Documentation๐จ style: Code formattingโป๏ธ refactor: Code restructuringโก perf: Performance improvementsโ
test: Testing๐ง chore: MaintenanceThis project is licensed under the MIT License - see the LICENSEโ file for details.
MIT License
Copyright (c) 2025 ZenKiet
This project wouldn't be possible without these amazing technologies:
Traefik Reverse Proxy |
Cloudflare Tunnel & Security |
Alpine Linux Lightweight OS |
Docker Containerization |
โญ If this project helped you, please consider giving it a star! โญ
Made with โค๏ธ by ZenKietโ
Content type
Image
Digest
sha256:c7ae4e335โฆ
Size
112 MB
Last updated
4 months ago
docker pull zenkiet/traefik-tunnel-expose:debian-latest