Setup with Cloudflare Zero Trust
Learn how to secure your oryelle instance with Cloudflare Zero Trust, a modern security solution that provides robust protection without the complexity of traditional VPN setups.
Key Benefits:
- Enhanced Security: Your application remains hidden from the public internet with no exposed ports or public IP addresses
- Simplified Network Configuration: Outbound-only connections eliminate complex firewall rules
- Enterprise-Grade Protection: Get automatic SSL/TLS encryption and advanced DDoS mitigation
- Zero Trust Architecture: Every request is authenticated and authorized based on identity
- Modern Access Control: Replace legacy VPN systems with seamless, identity-based access management
- Fine-Grained Permissions: Control access based on user identity, device posture, location and more
- Comprehensive Visibility: Gain detailed insights through extensive logging and monitoring capabilities
- Reduced Attack Surface: Minimize potential vulnerabilities by eliminating direct exposure to the internet
Prerequisites
Note: The Cloudflare Zero Trust dashboard interface evolves frequently. If you cannot find specific settings mentioned in this guide at their described locations, please consult Cloudflare's official documentation for the most up-to-date navigation paths. We strive to keep this guide current but interface changes may occur between updates.
Before you begin, ensure you have:
- A Docker Compose file and a config file for your oryelle setup (refer to our starting guides)
- A Cloudflare account with Zero Trust enabled
  - Sign up at cloudflare.com if you don't have an account
  - Enable Zero Trust
- A Cloudflare Tunnel API token
  - Go to your Zero Trust Dashboard
  - Create a new tunnel and save the token (you don't need to specify the HTTP address of the target application yet)
- Basic familiarity with:
  - Docker and Docker Compose
  - The command line interface
For detailed instructions on setting up Cloudflare Tunnels and configuring Zero Trust applications, we recommend reviewing:
Adding Cloudflared to the Docker File
To integrate Cloudflare Tunnel with your existing oryelle setup, you'll need a Docker Compose file with a proxy service (like Traefik) that:
- Listens on port 80 for HTTP requests
- Is named "proxy" in the services configuration
- Shares a network with the Cloudflare Tunnel service
While this guide uses Traefik as the proxy, the same principles apply to other reverse proxies like Nginx or Caddy. Just ensure you maintain the port and service name requirements, or adjust the subsequent configuration steps accordingly.
Here's how to add the Cloudflare Tunnel service to your Docker Compose file:
services:
  tunnel:
    container_name: tunnel
    image: cloudflare/cloudflared:latest
    restart: always
    # The token is read from the environment at compose time (see the next section).
    command: tunnel --no-autoupdate run --token ${CLOUDFLARE_TUNNEL_TOKEN}
    environment:
      - CLOUDFLARE_TUNNEL_TOKEN=${CLOUDFLARE_TUNNEL_TOKEN}
    networks:
      - tunnel_network
  proxy: # This is important: the tunnel's public hostname targets proxy:80
    container_name: proxy # This is important
    image: traefik:v2.10
    command:
      - "--entrypoints.web.address=:80" # This is important
      # ... other Traefik options
    networks:
      - tunnel_network # This is important: must be the same network as the tunnel service
      # ... other networks
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

networks:
  tunnel_network: # shared by the tunnel and proxy services only

# ... rest of your Docker Compose file (oryelle services, other networks)
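The three requirements above (a service named proxy, an HTTP entrypoint on port 80, and a network shared with the tunnel) are easy to get wrong when merging this fragment into an existing Compose file. The following pre-flight check is an added example, not part of this guide or of oryelle: it reads the resolved configuration that `docker compose config --format json` prints and reports which requirement is violated; the embedded SAMPLE_CONFIG is a constructed stand-in for that output so the script also runs offline.

```python
import json
import sys

# Constructed sample (not from the guide): what `docker compose config --format json`
# emits for the compose file above, trimmed to the keys these checks inspect.
SAMPLE_CONFIG = {"services": {
    "tunnel": {"image": "cloudflare/cloudflared:latest",
               "networks": {"tunnel_network": None}},
    "proxy": {"image": "traefik:v2.10", "command": ["--entrypoints.web.address=:80"],
              "networks": {"tunnel_network": None, "web": None}},
}}

def _networks(service):
    # Hand-written files list networks; `docker compose config` emits a mapping.
    return set(service.get("networks") or [])

def _listens_on_80(service):
    cmd = service.get("command") or []
    cmd = cmd.split() if isinstance(cmd, str) else cmd
    # Traefik entrypoint: --entrypoints.<name>.address=[host]:80
    if any(".address=" in p and p.rsplit(":", 1)[-1] == "80" for p in cmd):
        return True
    # Other proxies: container port 80 in ports/expose, either as a
    # "host:container" string or as the resolved {"target": 80} mapping.
    entries = list(service.get("ports") or []) + list(service.get("expose") or [])
    return any(str(e.get("target") if isinstance(e, dict)
                   else str(e).split("/")[0].split(":")[-1]) == "80" for e in entries)

def check_tunnel_layout(config, proxy_name="proxy", tunnel_name="tunnel"):
    """Return the guide's requirements this config violates (empty list = OK)."""
    services = config.get("services") or {}
    proxy, tunnel = services.get(proxy_name), services.get(tunnel_name)
    problems = []
    if tunnel is None:
        problems.append(f"no '{tunnel_name}' service running cloudflared")
    if proxy is None:
        problems.append(f"no '{proxy_name}' service; the public hostname targets {proxy_name}:80")
        return problems
    if not _listens_on_80(proxy):
        problems.append(f"'{proxy_name}' has no HTTP entrypoint or port on 80")
    if tunnel is not None and not _networks(proxy) & _networks(tunnel):
        problems.append(f"'{proxy_name}' and '{tunnel_name}' share no Docker network")
    return problems

if __name__ == "__main__":
    # Real run: docker compose config --format json | python check_layout.py -
    cfg = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_CONFIG
    issues = check_tunnel_layout(cfg)
    print("OK: layout matches the guide" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

If you renamed the proxy service, pass the same name via `proxy_name` that you enter in the tunnel's public hostname URL.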
Providing the Cloudflare Tunnel Token
The Cloudflare Tunnel token needs to be provided to the container. There are two main approaches:
- Using a .env file (contents of .env):

  CLOUDFLARE_TUNNEL_TOKEN=your-tunnel-token-here

- Using a secrets management solution (recommended for production):
  - Docker Swarm secrets
  - HashiCorp Vault
  - Cloud provider secret stores (AWS Secrets Manager, GCP Secret Manager, etc.)

For development environments, the .env file approach is acceptable. For production deployments, we strongly recommend using a dedicated secrets management solution to securely handle sensitive credentials.
Configuring the Tunnel Service
- Navigate to the Cloudflare Zero Trust Dashboard
- Go to Tunnel > Select your tunnel
- Add a public hostname:
  - Path: leave empty
  - Type: HTTP
  - URL: proxy:80 (or <your-proxy-name>:<port> if you used different values)
  - Domain & Subdomain: your desired public hostname (e.g., oryelle.yourdomain.com)
This configuration tells Cloudflare to route traffic from your public hostname through the tunnel to your proxy container, which then handles routing to the appropriate oryelle services.