This guide creates a named Cloudflare Tunnel and routes demo.everydayoffice.au to your app without opening inbound ports.
Prerequisites
- Cloudflare account with everydayoffice.au zone
- API Token with Zone:DNS edit and Account:Cloudflare Tunnel permissions, or ability to run cloudflared login
- A Linux host (DigitalOcean droplet) to run the tunnel daemon
Quick Steps
1) Install cloudflared on the server:
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/ $(. /etc/os-release && echo $VERSION_CODENAME) main" | sudo tee /etc/apt/sources.list.d/cloudflare.list
sudo apt update && sudo apt install -y cloudflared
2) Authenticate (interactive, opens browser). On headless servers, copy the URL to a local browser:
3) Create a named tunnel and capture the tunnel ID:
cloudflared tunnel create rmm-psa-app
# Output shows a Tunnel ID; also writes credentials file in /root/.cloudflared/
4) Configure ingress (edit /etc/cloudflared/config.yml):
# /etc/cloudflared/config.yml
# Replace <TUNNEL_ID> with the ID printed in step 3
# Replace <LOCAL_PORT> with your backend port (e.g., 3000) or a local HTTP router
tunnel: <TUNNEL_ID>
credentials-file: /root/.cloudflared/<TUNNEL_ID>.json
ingress:
- hostname: demo.everydayoffice.au
service: http://localhost:3000
- service: http_status:404
5) Create the DNS route (CNAME) automatically:
cloudflared tunnel route dns rmm-psa-app demo.everydayoffice.au
6) Run as a service:
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
systemctl status cloudflared
Notes
- For a frontend+backend split, point the tunnel to a local reverse proxy (Nginx or Caddy) and route paths/hosts accordingly.
- To update, edit /etc/cloudflared/config.yml then sudo systemctl restart cloudflared.
- The tunnel keeps outbound-only connections; no inbound firewall openings required.
1.14.0