Docker Compose<\/a> is the best option when Cloudflared and your app must run on the same Docker network. This lets Cloudflared reach the app by its service name instead of exposing the app’s port publicly.<\/p>First, create a project folder:<\/p>
mkdir cloudflared-app\ncd cloudflared-app<\/pre>Then, create a .env file for your Cloudflare Tunnel token:<\/p>
nano .env<\/pre>Add your tunnel token to the file:<\/p>
TUNNEL_TOKEN=your_cloudflare_tunnel_token<\/pre>Next, create a docker-compose.yml file:<\/p>
nano docker-compose.yml<\/pre>Add the following configuration:<\/p>
services:\napp:\nimage: your-app-image\ncontainer_name: my-app\nexpose:\n- \"8080\"\nnetworks:\n- cloudflare-tunnel\ncloudflared:\nimage: cloudflare\/cloudflared:latest\ncontainer_name: cloudflared\nrestart: unless-stopped\ncommand: tunnel --no-autoupdate run --token ${TUNNEL_TOKEN}\ndepends_on:\n- app\nnetworks:\n- cloudflare-tunnel\nnetworks:\ncloudflare-tunnel:<\/pre>Replace your-app-image with the Docker image for your application. Keep exposed instead of ports if the app only needs to be reachable by Cloudflared. This keeps the app available inside the Docker network without publishing port 8080 on the VPS.<\/p>
Start both containers:<\/p>
docker compose up -d<\/pre>Check whether the containers are running:<\/p>
docker compose ps<\/pre>Then, confirm that Cloudflared is connected to Cloudflare Tunnel:<\/p>
docker compose logs cloudflared<\/pre>After the tunnel is active, add a public hostname in Cloudflare Tunnel settings. Since both containers use the same Docker network, route the hostname to the app service name:<\/p>
app.example.com → http:\/\/app:8080<\/pre>This tells Cloudflare to forward requests from app.example.com to the app service running in Docker Compose. The application does not need a public port because Cloudflared forwards traffic through the shared Docker network.<\/p>
Why use Cloudflare Tunnel for secure remote access to Docker apps?<\/h2>
Cloudflare Tunnel lets you expose Docker apps via an outbound connection rather than opening inbound ports on your server. This gives users a public URL for the app while keeping the Docker container behind the VPS firewall.<\/p>
This setup is useful for self-hosted tools that need remote access, such as admin dashboards, automation apps, monitoring panels, internal APIs, and development environments. For example, you can expose a Dockerized app like n8n, Grafana, Portainer, code-server, or a private web app without publishing its container port to the internet.<\/p>
Cloudflare Tunnel improves remote access security in four main ways:<\/p>
\n- It avoids public port forwarding. Cloudflared connects your server to Cloudflare from the inside, so you do not need to expose ports like 8080, 3000, or 9000 publicly.<\/li>\n\n\n\n
- It hides the origin server IP. Visitors connect to Cloudflare first, while your VPS address stays separate from the public application URL.<\/li>\n\n\n\n
- It supports hostname-based routing. You can route subdomains like app.example.com, admin.example.com, or api.example.com to different Docker services running on the same server.<\/li>\n\n\n\n
- It works with Cloudflare Access. You can require login, email verification, or identity provider authentication before users reach sensitive Docker apps.<\/li>\n<\/ol>
For Docker workloads, this means Cloudflared acts as a secure bridge between Cloudflare and your containers. The application stays inside the Docker network, and Cloudflare handles the public-facing connection. This is safer than exposing a container port directly because only the tunnel, not the app itself, receives external traffic.<\/p>
How to secure Docker apps exposed with Cloudflare Tunnel<\/h2>
Cloudflare Tunnel improves Docker app security by eliminating the need for public inbound ports, but it still requires access rules, token protection, and container-level hardening. Treat Cloudflared as the public entry point to your private Docker service.<\/p>
First, keep your Docker app off public ports whenever possible. If Cloudflared and the app run on the same Docker network, use expose instead of ports in your Compose file:<\/p>
services:\napp:\nimage: your-app-image\nexpose:\n- \"8080\"<\/pre>The expose option makes the app reachable inside Docker without publishing port 8080 on the VPS. Cloudflared can still route traffic to the app through the internal Docker network:<\/p>
app.example.com → http:\/\/app:8080<\/pre>Next, protect sensitive apps with Cloudflare Access. This is especially important for admin panels, dashboards, internal APIs, and tools like Portainer, Grafana, n8n, or code-server. In Cloudflare Zero Trust, create an Access application for your public hostname and define who can open it. For example, allow only specific email addresses, company domains, or users from your identity provider.<\/p>
Store your tunnel token securely. Do not paste the token directly into public repositories, shared documents, or reusable scripts. Use a local .env file if you run Cloudflared with Docker Compose:<\/p>
TUNNEL_TOKEN=your_cloudflare_tunnel_token<\/pre>Then reference the token in your Compose file:<\/p>
command: tunnel --no-autoupdate run --token ${TUNNEL_TOKEN}<\/pre>Rotate the tunnel token if it is exposed, shared with the wrong user, or stored in a place you no longer control. After rotating the token in Cloudflare, update the value on your VPS and restart the Cloudflared container:<\/p>
docker compose restart cloudflared<\/pre>You should also limit each public hostname to the correct internal service. For example, route app.example.com only to the app container and admin.example.com only to the admin container. Avoid using broad fallback routes that send unknown requests to sensitive services.<\/p>
Finally, monitor the tunnel and container logs regularly:<\/p>
docker compose logs cloudflared<\/pre>Look for repeated connection failures, unexpected hostname requests, or routing errors. These logs help confirm that Cloudflared is connected, the public hostname points to the correct Docker service, and the app remains reachable only through the tunnel.<\/p>
What to do after exposing your Docker app securely<\/h2>
After your Docker app is available through Cloudflare Tunnel, strengthen the setup before using it for regular remote access. The tunnel eliminates the need for inbound public ports, but you still need to manage authentication, updates, monitoring, and backups.<\/p>
Start by adding a Cloudflare Access policy to every sensitive hostname. Public apps, documentation sites, or demo pages may stay open, but admin panels and internal tools should require authentication. For example, protect admin.example.com with an email allowlist, company domain rule, or identity provider login.<\/p>
Next, confirm that the app port is not exposed publicly on the VPS. If you use Docker Compose, prefer expose instead of ports for services that only Cloudflared needs to reach:<\/p>
services:\napp:\nimage: your-app-image\nexpose:\n- \"8080\"<\/pre>Then, check your active firewall rules and make sure ports like 8080, 3000, or 9000 are not open unless another service needs them:<\/p>
ufw status<\/pre>Keep Cloudflared up to date so your tunnel receives the latest fixes. If you use the official Docker image, pull the newest version and recreate the container:<\/p>
docker compose pull cloudflared\ndocker compose up -d cloudflared<\/pre>Monitor the tunnel regularly from both Cloudflare and your VPS. In Cloudflare Zero Trust, check whether the tunnel status is healthy. On the VPS, review Cloudflared logs when the app becomes unreachable:<\/p>
docker compose logs cloudflared<\/pre>Finally, document your tunnel configuration. Record which public hostname points to which Docker service, which ports are used internally, where the tunnel token is stored, and which Access policies protect each app. This makes future updates safer, especially when you add more Docker apps behind the same Cloudflare Tunnel.<\/p>
<\/p>\n","protected":false},"excerpt":{"rendered":"
To expose Docker apps securely with Cloudflare Tunnel, create a Cloudflare Tunnel, run Cloudflared in Docker with the tunnel token, and route a public hostname to your app’s internal Docker port. This lets users access the app through Cloudflare without opening inbound ports on your VPS. This setup is useful for remote access to self-hosted […]<\/p>\n
Read More…<\/a><\/p>\n","protected":false},"author":342,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"How to set up Cloudflared with Docker","rank_math_description":"Learn how to run Cloudflared in Docker, create a Cloudflare Tunnel, route a public hostname, and expose Docker apps securely without opening ports.","rank_math_focus_keyword":"cloudflared docker","footnotes":""},"categories":[22639],"tags":[],"class_list":["post-130080","post","type-post","status-publish","format-standard","hentry","category-vps"],"hreflangs":[{"locale":"en-US","link":"https:\/\/www.hostinger.com\/tutorials\/how-to-set-up-cloudflared-with-docker","default":1},{"locale":"en-PH","link":"https:\/\/www.hostinger.com\/ph\/tutorials\/how-to-set-up-cloudflared-with-docker","default":0},{"locale":"en-MY","link":"https:\/\/www.hostinger.com\/my\/tutorials\/how-to-set-up-cloudflared-with-docker","default":0},{"locale":"en-UK","link":"https:\/\/www.hostinger.com\/uk\/tutorials\/how-to-set-up-cloudflared-with-docker","default":0},{"locale":"en-IN","link":"https:\/\/www.hostinger.com\/in\/tutorials\/how-to-set-up-cloudflared-with-docker","default":0},{"locale":"en-CA","link":"https:\/\/www.hostinger.com\/ca\/tutorials\/how-to-set-up-cloudflared-with-docker","default":0},{"locale":"en-AU","link":"https:\/\/www.hostinger.com\/au\/tutorials\/how-to-set-up-cloudflared-with-docker","default":0},{"locale":"en-NG","link":"https:\/\/www.hostinger.com\/ng\/tutorials\/how-to-set-up-cloudflared-with-docker","default":0}],"_links":{"self":[{"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/posts\/130080","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/users\/342"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/comments?post=130080"}],"version-history":[{"count":0,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/posts\/130080\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/media?parent=130080"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/categories?post=130080"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/tags?post=130080"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}