head in the clouds
it's taken me a while but i finally looked into using cloudflare tunnels for a few things. i just never felt the need to run things through the tunnels since it felt like an extra useless layer. the concept didn't seem too crazy: you run a connector that dials out from your network to cloudflare and publishes your services on a public hostname through that outbound tunnel, so you don't have any exposed ports, and at the same time you let them worry about ddos attacks and all that. you can set up auth front ends too but that seems a little overkill (to me currently anyway.. but as i just detailed, that can change). i'm still kinda sketch about relying on another service for things but i'll have to get over that.
a lot of the guides out there cover doing subdomains in the tunnel gui on the cloudflare zero trust page, but i want to publish my root level domains too and not just route subdomains to different places. i ended up getting that working, though i'm not 100% sure it's correct, but hey, it's working... ssl certs are showing as signed by cloudflare and the page loads. i still need to take a peek at the logs in my proxy to see what the traffic looks like there.
in addition to all that i wanted to make sure that the cloudflare tunnel container only had access to my proxy container, SWAG from linuxserver.io, which was also running in docker, so i had to do a bit of research on docker networks.
anyway...
setup
so my docker setup seems pretty basic to me. it's just a single nginx proxy container that passes to whatever is in my network, defined by the different .conf files i have. i have a few root domains and also some subdomains going through proxy configs. i wanted to keep all communication through the tunnel localized to its own network. i'm not sure how secure this is but it made sense to me. i first set up a docker bridge network separate from the default one that all of my other containers were on. to test this i created the bridge network and attached a basic container to it, entered the container and tried to poke around the network (ping, curl, and a few other things) to see what i could hit, and i got nothing. so i attached another container to the bridge network and i was then able to communicate with it.
so here is that setup:
list networks
docker network ls
show details of a network; this also lists the containers connected to it
docker network inspect bridge
create a network named tunnels using the bridge driver. this is the "external" network the compose file will reference, since it's created outside of compose rather than by it
docker network create --driver bridge tunnels
connect a running container to the new network temporarily (replace connect with disconnect to undo it)
docker network connect tunnels containerName
edit the compose file to put the container on the new network. this is basically just adding a networks entry to the service with the name of the network from your top-level "networks" definition.
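the setup described above, as an added example (this is not the post's own compose file or commands; the names swag, cloudflared, tunnels and the example.com domain are placeholders, not taken from the post). the probe at the end repeats the poking-around test from a throwaway container, and shows why it comes back empty: docker's embedded dns only resolves container names on the same user-defined network, and docker's firewall rules block traffic between separate bridge networks, so a container on the tunnels bridge can only see whatever else is attached to it.

```shell
#!/bin/sh
# added example, not code from the original post: the network layout described
# above as a compose file, plus the isolation probe the post did by hand.
# assumptions (none of these names are in the post): the proxy service is "swag",
# the tunnel service is "cloudflared", the isolated network is "tunnels", and
# TUNNEL_TOKEN in a .env file holds the token from the zero trust dashboard.
set -eu

NET="${NET:-tunnels}"
PROXY="${PROXY:-swag}"
TUNNEL="${TUNNEL:-cloudflared}"

# cloudflared sits on the "tunnels" network only. swag sits on both "default"
# (to reach the services it proxies) and "tunnels" (so cloudflared can reach it).
# "external: true" makes compose reuse the network made with
# "docker network create" instead of creating its own.
render_compose() {
  cat <<EOF
services:
  $PROXY:
    image: lscr.io/linuxserver/swag:latest
    environment:
      - PUID=1000
      - PGID=1000
      - URL=example.com        # placeholder, use your own domain
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
    volumes:
      - ./swag/config:/config
    networks:
      - default
      - $NET
    restart: unless-stopped

  $TUNNEL:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run --token \${TUNNEL_TOKEN}
    networks:
      - $NET                   # no "default": it can only see $PROXY
    restart: unless-stopped

networks:
  $NET:
    external: true
EOF
}

# list the networks a service in the rendered compose file is attached to,
# so the layout can be checked before anything is started.
networks_of() {
  render_compose | awk -v svc="$1" '
    $0 == ("  " svc ":")       { in_svc = 1; next }
    in_svc && /^  [^ ]/         { in_svc = 0 }
    in_svc && /^    networks:/  { in_nets = 1; next }
    in_nets && /^      - /      { sub(/^      - /, ""); sub(/ *#.*$/, "")
                                  printf "%s%s", (n++ ? " " : ""), $0; next }
    in_nets                     { in_nets = 0 }
    END                         { print "" }'
}

# ping a target from a throwaway container on the given network. docker's
# embedded dns only resolves names of containers on the same user-defined
# network, and its iptables rules block traffic between bridge networks, so a
# container on another bridge is neither resolvable nor reachable by ip.
probe() {
  if docker run --rm --network "$1" alpine:3.19 ping -c 1 -W 2 "$2" >/dev/null 2>&1; then
    echo reachable
  else
    echo unreachable
  fi
}

main() {
  docker network inspect "$NET" >/dev/null 2>&1 || docker network create --driver bridge "$NET"
  render_compose > docker-compose.yml
  docker compose up -d
  echo "on $NET: $(docker network inspect --format '{{range .Containers}}{{.Name}} {{end}}' "$NET")"
  echo "$PROXY from $NET: $(probe "$NET" "$PROXY")"                   # expected: reachable
  # a container that is only on the default bridge, to show the isolation
  docker run -d --rm --name probe-target alpine:3.19 sleep 120 >/dev/null
  ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' probe-target)
  echo "probe-target by name from $NET: $(probe "$NET" probe-target)"  # expected: unreachable
  echo "probe-target by ip from $NET: $(probe "$NET" "$ip")"          # expected: unreachable
  docker rm -f probe-target >/dev/null
}

case "${1:-}" in run) main ;; esac   # only touches docker when run as: sh tunnels.sh run
```

put TUNNEL_TOKEN=... in a .env file next to the generated docker-compose.yml and run it with "sh tunnels.sh run". in the zero trust dashboard the tunnel's public hostname then points at the proxy by its service name on the shared network, for example http://swag:80 (that service url is an assumption here; the post doesn't say which one it used).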