BuildWithMatija
  1. Home
  3. Blog
  5. Docker
  7. Cloudflare Tunnel + Docker: Expose Containers Without Nginx or Open Ports

Cloudflare Tunnel + Docker: Expose Containers Without Nginx or Open Ports

Skip Nginx and firewall configs — automatic SSL, DNS routing, and systemd setup

8th October 2025·Updated on:26th December 2025··
Docker
Cloudflare Tunnel + Docker: Expose Containers Without Nginx or Open Ports

🐳 Docker & DevOps Implementation Guides

Complete Docker guides with optimization techniques, deployment strategies, and automation prompts to streamline your containerization workflow.

No spam. Unsubscribe anytime.

Related Posts:

  • •Docker Certbot Auto-Renewal: SSL Setup with Nginx
  • •Vite Docker: Production Deployment with Nginx, SSL, and Compose
  • •Update Docker to Latest Version on Ubuntu
📄View markdown version
0

About the author

Author Profile: Matija Žiberna

AboutView resume
Matija Žiberna
Matija Žiberna
Role: Full-stack developer, co-founder

Self-taught full-stack developer sharing lessons from building software and startups.

I'm Matija Žiberna, a self-taught full-stack developer and co-founder passionate about building products, writing clean code, and figuring out how to turn ideas into businesses. I write about web development with Next.js, lessons from entrepreneurship, and the journey of learning by doing. My goal is to provide value through code—whether it's through tools, content, or real-world software.

You might be interested in

Docker Certbot Auto-Renewal: SSL Setup with Nginx
Docker Certbot Auto-Renewal: SSL Setup with Nginx

29th May 2025

Vite Docker: Production Deployment with Nginx, SSL, and Compose
Vite Docker: Production Deployment with Nginx, SSL, and Compose

19th August 2025

Update Docker to Latest Version on Ubuntu
Update Docker to Latest Version on Ubuntu

16th August 2025

Contents

  • 1. The Traditional Setup (and Why It’s Painful)
  • 2. What Cloudflare Tunnel Does Differently
  • 3. Prerequisites
  • 4. Run Any Container Locally
  • 5. Authenticate Cloudflare Tunnel
  • 6. Create a Named Tunnel
  • 7. Route a Subdomain to the Tunnel
  • 8. Run the Tunnel and Map It to the Container
  • 9. Make It Persistent with systemd
  • Create Config File
  • Create a systemd Service
  • 10. Verify and Test
  • 11. (Optional) Add Cloudflare Access
  • 12. Conclusion
On this page:
  • 1. The Traditional Setup (and Why It’s Painful)
  • 2. What Cloudflare Tunnel Does Differently
  • 3. Prerequisites
  • 4. Run Any Container Locally
  • 5. Authenticate Cloudflare Tunnel
Build with Matija logo

Build with Matija

Modern websites, content systems, and AI workflows built for long-term growth.

Services

  • Headless CMS Websites
  • Next.js & Headless CMS Advisory
  • AI Systems & Automation
  • Website & Content Audit

Resources

  • Case Studies
  • How I Work
  • Blog
  • CMS Hub
  • E-commerce Hub
  • Dashboard

Headless CMS

  • Payload CMS Developer
  • CMS Migration
  • Payload vs Sanity
  • Payload vs WordPress
  • Payload vs Contentful

Get in Touch

Ready to modernize your stack? Let's talk about what you're building.

Book a discovery callContact me →
© 2026Build with Matija•All rights reserved•Privacy Policy•Terms of Service
BuildWithMatija
Get In Touch

I’ve lost count of how many times I’ve had to spin up a quick self-hosted app—whether it’s n8n, a Node API, or a dashboard—and then go through the same ritual: open ports, configure Nginx, point DNS to the server, and generate a Let's Encrypt certificate. It works, but it's clunky and full of moving parts.

This week, I finally replaced all of that with Cloudflare Tunnel. No Nginx. No Let’s Encrypt. No open ports. Just a persistent, encrypted connection from your server to Cloudflare’s network, automatically routing your container to a public subdomain.

In this guide, I’ll show you exactly how to do it—using n8n as an example, though it works for any container running on any port.

1. The Traditional Setup (and Why It’s Painful)

Normally, exposing a containerized app to the public internet means:

  • Opening ports 80 and 443 on your server
  • Setting up Nginx as a reverse proxy
  • Managing SSL certificates via Let’s Encrypt
  • Manually adding a DNS record in Cloudflare or your registrar

That's a lot of work for something as simple as "make my app reachable at a subdomain." For a complete traditional setup guide, see my React Vite Docker deployment guide.

2. What Cloudflare Tunnel Does Differently

Cloudflare Tunnel flips the model.

Instead of exposing ports, your server makes a secure outbound connection to Cloudflare. Cloudflare then handles HTTPS, certificates, and routing for you—essentially becoming your reverse proxy at the edge.

The benefits:

  • No public ports
  • No Nginx
  • Automatic SSL
  • Built-in DDoS and access control through Cloudflare

All you need is the Cloudflare account that manages your domain and a small CLI agent (cloudflared).

3. Prerequisites

Make sure you have:

  • A Cloudflare-managed domain (e.g., example.com)
  • A server (Ubuntu 22.04 or later)
  • Docker installed
  • Cloudflare Tunnel CLI (cloudflared)

Install cloudflared for Ubuntu 22.04 (Jammy → Bullseye base):

bash
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bullseye main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt-get update && sudo apt-get install cloudflared -y

4. Run Any Container Locally

For the example, let’s use n8n, which runs on port 5678:

bash
docker volume create n8n_data

docker run -d \
  --name n8n \
  -p 5678:5678 \
  -e GENERIC_TIMEZONE="CET" \
  -e TZ="CET" \
  -e N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true \
  -e N8N_RUNNERS_ENABLED=true \
  -e WEBHOOK_URL="https://app.example.com/" \
  -v n8n_data:/home/node/.n8n \
  docker.n8n.io/n8nio/n8n

You can replace this with any container that listens on a port—Grafana (3000), a Node app (8080), etc.

5. Authenticate Cloudflare Tunnel

First, log in to Cloudflare from your server:

bash
cloudflared login

This opens your browser, asks you to pick your domain, and then saves credentials to:

code
~/.cloudflared/cert.pem

6. Create a Named Tunnel

Now create a tunnel and name it (for example, docker-tunnel):

bash
cloudflared tunnel create docker-tunnel

You’ll see output like:

code
Created tunnel docker-tunnel with id c101ebf4-e2d3-49b9-8735-c0e48ebf6a56

This also generates a credentials file, usually at:

code
~/.cloudflared/<tunnel-id>.json

7. Route a Subdomain to the Tunnel

You can create a public subdomain in Cloudflare automatically:

bash
cloudflared tunnel route dns docker-tunnel app.example.com

Cloudflare adds a CNAME record pointing to the tunnel—no manual DNS setup required.

8. Run the Tunnel and Map It to the Container

Let’s connect the subdomain to your local port:

bash
cloudflared tunnel --url http://localhost:5678 run docker-tunnel

You’ll see Cloudflare establish several secure connections to its edge servers. After a few seconds, your app will be available at:

code
https://app.example.com

9. Make It Persistent with systemd

To keep the tunnel alive after you close the SSH session (and on reboot), use a config file and a systemd service.

Create Config File

File: ~/.cloudflared/config.yml

yaml
tunnel: docker-tunnel
credentials-file: /home/matija/.cloudflared/c101ebf4-e2d3-49b9-8735-c0e48ebf6a56.json
ingress:
  - hostname: app.example.com
    service: http://localhost:5678
  - service: http_status:404

Create a systemd Service

File: /etc/systemd/system/cloudflared-docker.service

ini
[Unit]
Description=Cloudflare Tunnel for Docker App
After=network.target

[Service]
User=matija
ExecStart=/usr/bin/cloudflared --config /home/matija/.cloudflared/config.yml tunnel run docker-tunnel
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Enable and start it:

bash
sudo systemctl daemon-reload
sudo systemctl enable --now cloudflared-docker.service

Check it’s active:

bash
sudo systemctl status cloudflared-docker

Now your tunnel reconnects automatically after reboot or crash.

10. Verify and Test

Visit your domain:

code
https://app.example.com

Check Cloudflare DNS — you’ll see a CNAME like:

code
app.example.com → <tunnel-id>.cfargotunnel.com

No ports are open on your server. Cloudflare terminates HTTPS and securely forwards traffic to your container.

11. (Optional) Add Cloudflare Access

For production, you can protect your exposed container with Cloudflare Access (Zero Trust). From the Cloudflare dashboard:

  • Go to Zero Trust → Access → Applications
  • Add your subdomain (e.g., app.example.com)
  • Require Google, GitHub, or email login before granting access

You now have SSO-level protection in front of any local app—no code changes required.

12. Conclusion

Instead of juggling Nginx configs, DNS records, and SSL renewals, Cloudflare Tunnel gives you a single, elegant workflow:

  • Run your Docker container locally
  • Connect it securely to Cloudflare
  • Let Cloudflare handle HTTPS and DNS automatically
  • Keep it persistent with a systemd service

This setup is fast, secure, and production-ready—and it works for any container on any port.

If you've been doing the old Nginx + Certbot dance for every new side project, this will feel like cheating (in the best way possible). For migrating existing Docker setups, check out my guide on migrating Docker containers between VPS.

To optimize your container environment further, learn when to use env_file vs environment variables and how to safely remove Docker volumes.

Thanks, Matija