Cloudflare Argo Tunnel
Access lets you control who can reach your website. Cloudflare handles the requests based on your Access policies to evaluate user credentials. To ensure that Cloudflare proxies all traffic, lock down your origin to only accept Cloudflare IPs.
Keep on-premise applications off of the Internet by leveraging Cloudflare Argo Tunnel. Some organizations need to keep applications or tools off the internet, only allowing teams access through a VPN. With Access and Argo Tunnel, you can avoid the hassle of a VPN yet keep applications off the internet.
Using Cloudflare's Argo Tunnel to secure on-premise applications
Argo Tunnel offers an easy way to securely expose web servers to the internet without opening firewall ports and configuring ACLs (Access Control Libraries). Argo Tunnel ensures that requests route through Cloudflare before reaching the web server, so that you are certain that attack traffic is stopped by Cloudflare’s WAF and Unmetered DDoS mitigation and authenticated with Access by enabling these features on your account.
Argo Tunnel relies on the
cloudflared daemon to create a persistent connection between your web server and the Cloudflare network. Once the daemon is running and you have the Tunnel configured, you can lock down the web server to external requests to only allow connections from Cloudflare.
Argo Tunnel is free with the purchase of Argo Smart Routing. Argo Smart Routing can be purchased in the Cloudflare dashboard and costs $5/month plus 10 cents per GB. Cloudflare only charges for Argo routing; there is no charge for the count of tunnels used.
Set up Argo Tunnel
Before setting up Argo Tunnel, be sure you have the following:
- An active subscription to Argo. You can enable your subscription in the Cloudflare dashboard in the Traffic tab
To set up Argo Tunnel, begin by using Argo Smart Routing:
On your Cloudflare dashboard, select the Traffic app.
Click Enable App, and follow the instructions to set up usage-based billing.
Argo Tunnel uses Argo Smart Routing to route traffic over the fastest path within the Cloudflare network between the user and the datacenter closest to your origin.
Note: To enable Argo Smart Routing, enterprise customers must contact their Cloudflare representative.
Type this command in a terminal window to check the
$ cloudflared --versioncloudflared version 2019.2.1 (built 2019-02-28-0010 UTC)
Note: You must issue this command from the path where you installed the
.rpmpackage (Linux), or where you used Homebrew (macOS). If you did not install these packages, change to the directory where you extracted
Log in to your Cloudflare account from
Note: Use the same username and password you use to log in to the Cloudflare dashboard.
Run the following command to open a login page in your browser:
$ cloudflared tunnel login
A browser window opens at the following URL:
If the browser fails to automatically open, copy and paste the URL into your browser’s address bar.
Locate the domain that represents your server and select its name in the table.
A list of domains associated with your account displays. Argo Tunnel connects your machine to the Cloudflare network by associating it with a hostname in your Cloudflare account.
Once you select the domain,
cloudflaredautomatically installs a certificate to authenticate your machine to the Cloudflare network for the specific hostname.
cloudflaredinstalls the certificate, a success message displays in your browser, and you can start using
cloudflaredand Argo Tunnel.
Note: The certificate consists of three components bundled into a single PEM file. One of those components is the API key from the user who authenticated. If this user leaves the Cloudflare account or their permissions change, you must render that API key invalid, which causes the tunnel to fail to authenticate. You must generate a new certificate.
Tip: Sometimes firewalls or unusual network configuration can prevent
cloudflaredfrom automatically installing the certificate. If this occurs, your browser downloads the certificate as a file named
cert.pem, and displays in your browser’s download window. Move that
cert.pemfile from your designated downloads folder to the
~/.cloudflared folder. In a terminal window, copy and paste the following command to move the certificate to the
.cloudflareddirectory on your system:
$ mv cert.pem ~/.cloudflared/cert.pem
Test the configuration by typing the selected hostname in your browser address bar.
Access to the Tunnel is permitted over both HTTP and HTTPS, though you can easily redirect all HTTP traffic to HTTPS with Cloudflare.On success, the content is served from your local web server.
You can now proceed to use your on-premise application from any location without a VPN.