Add Cloudflare Tunnel integration#39
Open
riccjohn wants to merge 2 commits into
Open
Conversation
- Add cloudflared Docker service (remote-managed tunnel, token-based auth) - Add forwardedHeaders.trustedIPs to Traefik websecure entrypoint for correct client IP propagation from Cloudflare's edge - Document CLOUDFLARE_TUNNEL_TOKEN in .env.example - Add Cloudflare Tunnel setup section to README (dashboard steps for tunnel, public hostname, Access policy) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…gnore .light/ - Pin cloudflared image to 2026.5.1 instead of latest - Add Cloudflare IPv6 edge ranges to traefik forwardedHeaders trustedIPs - Fix README: update Cloudflare dashboard URLs to dash.cloudflare.com, add Origin server name field to public hostname table - Add .light/ to .gitignore and remove all tracked session artifacts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
cloudflaredDocker service for remote-managed Cloudflare Tunnel (token-based, no local config files)forwardedHeaders.trustedIPsto Traefik'swebsecureentrypoint so real client IPs are correctly propagated from Cloudflare's edgeCLOUDFLARE_TUNNEL_TOKENin.env.example(keeps Cloudflare vars together)README.mdwith all four manual dashboard stepsDetails
cloudflaredforwards inbound tunnel traffic to Traefik (https://traefik), so all existing label-based routing is unchanged. LAN access continues to work via the wildcard A record — the tunnel CNAME only applies when resolved via Cloudflare's public DNS.The
forwardedHeaders.trustedIPsblock includes all published Cloudflare IPv4 ranges plus127.0.0.1/32and172.16.0.0/12(Docker bridge).Test Plan
./scripts/lint-config.shexits clean —CLOUDFLARE_TUNNEL_TOKENcorrectly wired indocker-compose.ymland.env.exampleCLOUDFLARE_TUNNEL_TOKEN=<token>to.env, thendocker compose up -d cloudflared— confirm container starts and connectshomepage.woggles.workaccessible externally after completing Cloudflare dashboard steps (tunnel public hostname + Access policy)🤖 Generated with Claude Code