Can I use cloudflared in a docker-compose.yml?

I’m wondering how I can run cloudflared in a Docker network using docker-compose.yml, because it’s much easier to manage and transfer to other servers than “docker run xxxxxx”.

For example, I create a Docker network called “wordpress”, then I add both containers to it in the docker-compose.yml:

version: "3.9"
services:
  wordpress:
    container_name: wordpress
    image: wordpress:latest
    restart: unless-stopped
    volumes:
      - ./wordpress:/app/data
networks:
  default:
    external:
      name: wordpress

So, I want to create a similar config for cloudflared; this way, if the token is leaked or my Cloudflare account is hacked, only that Docker network is accessible, and not my whole LAN. I also like the idea of not exposing ports on my server.

But the documentation only mentions the command “docker run”.

How can I add the token to docker-compose.yml? Like this?

version: "3.9"
services:
  tunnel:
    container_name: cloudflared-tunnel
    image: cloudflare/cloudflared   # the service cannot start without an image
    restart: unless-stopped
    command: tunnel run --token MY_TOKEN
    volumes:
      - ./tunnel:/etc/cloudflared
networks:
  default:
    external:
      name: wordpress

But then, in the tunnel route config page, can I add the URL as https://wordpress:443, or do I need to assign a static IP to each container?

You got it pretty much right. I think it would be something like this:
Note: I have not tested this, I just drafted it.

version: "3.9"
services:
  wordpress:
    container_name: wordpress
    image: wordpress:latest
    restart: unless-stopped
    volumes:
      - ./wordpress:/app/data

  tunnel:
    container_name: cloudflared-tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=mytokengoeshere

networks:
  default:
    external:
      name: wordpress

(You can also use tunnel run --token, but that’s considered less secure since the token is leaked plainly as part of the command line to any other process on the machine. Up to you.)

Then on the Zero Trust dashboard you would set the ingress to https://wordpress:443 - a static IP is NOT required.

Since the cloudflared process runs within the wordpress network as part of the deployment, it wouldn’t be able to access network resources of other Docker networks, which is what you wanted.

I cover these ideas in the README for my custom cloudflared image, though you can also use the official image with the same examples: GitHub - Erisa/cloudflared-docker: Simple Alpine-built scratch-runtime Dockerfile for cloudflared, with support for multiple architectures.

2 Likes
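The answer above says that `tunnel run --token` exposes the token to other processes on the host while `TUNNEL_TOKEN` does not. The following script, an added example that is not part of the thread and not code from cloudflared or the linked image, shows why on Linux: `/proc/<pid>/cmdline` is world-readable (mode 0444), so any local user can read a token passed as an argument, whereas `/proc/<pid>/environ` is readable only by the process owner (mode 0400). It assumes a Linux host with `/proc` mounted; a `sh` loop stands in for the cloudflared binary, and the token value is a constructed dummy, not a real tunnel token.

```sh
#!/bin/sh
# Added example (not from the thread): compare how a tunnel token leaks when
# passed as `--token <token>` versus as the TUNNEL_TOKEN environment variable.
# Linux /proc is required. A `sh` loop stands in for cloudflared; the token is a
# constructed dummy value.

FAKE_TOKEN="eyJhIjoiZHVtbXkiLCJ0IjoiZGVtby1vbmx5In0"   # constructed, not a real token

# Block until the child has exec'd (its argv shows "cloudflared tunnel run"),
# so we never read /proc/<pid>/cmdline while it still holds the parent's argv.
wait_for_exec() {
    tries=0
    until tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF ' cloudflared tunnel run'; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || return 1
        sleep 1
    done
}

# Stand-in for `cloudflared tunnel run --token <token>`; prints its PID.
# A loop (rather than a single command) keeps the shell from exec'ing straight
# into `sleep`, so the argv we want to inspect stays on the running process.
start_argv_style() {
    sh -c 'while :; do sleep 1; done' cloudflared tunnel run --token "$FAKE_TOKEN" \
        >/dev/null 2>&1 &
    wait_for_exec $!
    echo $!
}

# Stand-in for `TUNNEL_TOKEN=<token> cloudflared tunnel run`; prints its PID.
start_env_style() {
    TUNNEL_TOKEN="$FAKE_TOKEN" sh -c 'while :; do sleep 1; done' cloudflared tunnel run \
        >/dev/null 2>&1 &
    wait_for_exec $!
    echo $!
}

# Prints "yes" if the token is visible in the process's command line, else "no".
# cmdline is NUL-separated, so the separators are translated before grepping.
cmdline_has_token() {
    if tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF "$FAKE_TOKEN"; then
        echo yes
    else
        echo no
    fi
}

# Octal permission bits of /proc/<pid>/<file>: 444 for cmdline, 400 for environ.
proc_file_mode() {
    stat -c %a "/proc/$1/$2"
}

# Stand-alone run: show both styles side by side, then clean up the stand-ins.
demo() {
    argv_pid=$(start_argv_style)
    env_pid=$(start_env_style)
    echo "--token style:      token in cmdline=$(cmdline_has_token "$argv_pid")  cmdline mode=$(proc_file_mode "$argv_pid" cmdline)"
    echo "TUNNEL_TOKEN style: token in cmdline=$(cmdline_has_token "$env_pid")  environ mode=$(proc_file_mode "$env_pid" environ)"
    kill "$argv_pid" "$env_pid"
}

demo
```

Two caveats when applying this to the compose setup above: the distinction only protects against other local users on the host, since anyone who can run `docker inspect` sees both `Cmd` and `Config.Env` of the container, and a token written literally into docker-compose.yml ends up in whatever backup or repository the file lands in. Keeping it in a `.env` file with mode 600 and loading it with `env_file` keeps the compose file itself token-free.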

Thanks for your example. That way it’s even better: a tunnel for each application (I was thinking of a single cloudflared joined to multiple Docker networks, but in the long term it will become an unmanageable mess).

I’ll try it later.

1 Like