Using Cloudflare Tunnels to protect your Ghost blog

Learn how to use Cloudflare tunnels to protect a Ghost blog and server from direct web attacks using Cloudflare's extensive network and protection mechanisms

Using Cloudflare Tunnels to protect your Ghost blog

Before you begin

This article is the first of the Cloudflare series where I will be showing how to setup Cloudflare tunnels to protect a Ghost blog. If you're yet to setup a containerised Ghost blog using Docker and Docker-compose check out my Docker series!

  • How to configure Cloudflare Tunnels for a secure Ghost blog.
  • How to use Cloudflare Access with short lived certificates for browser based SSH connectivity.


Cloudflare relatively recently released free Tunnels as part of their broader strategy to make Zero Trust more of a reality for everyone with the use of their Cloudflare Access Product. They dubbed this "A Boring Announcement" but I think it's anything but, considering the benefits for those of us running smaller services like this blog.

Matthew Prince - CEO of Cloudflare

Given Cloudflare now runs almost 20% of the web as of November this year (2021) I thought it would be a great time to explore leveraging the new service to further protect VPS's running on the web such as this blog.

Almost 20% of the web use Cloudflare as of 20 November 2021

Cloudflare Access with Tunnels

Essentially what Cloudflare Tunnels does is allow us to have an outbound only connection to Cloudflare's edge through a lightweight connector that you deploy on your Server. What this gives us is an encrypted tunnel between our origin (server) and Cloudflare's edge network without us opening up any ports or exposing our web server ip address to the web and having to deal with the consequences such as direct or persistent attacks leaving us more time to focus on content creation.

What this means is that we can:

  • Connect a Ghost blog running in the server to Cloudflare's edge network securely.
  • Connect the Server running the Ghost blog for SSH access to Cloudflare's edge network securely.

The architecture for this one is relatively simple when compared to the docker series. All of the users accessing our blog or SSH running on our server will be routed through Cloudflare's extensive network and protection mechanisms. This means we can easily leverage Cloudflare's Access to protect our deployed applications.

Argo Tunnels that live forever
An example of a user accessing a origin to retrieve a website

The main advantage to this approach is that we don't have to bother with creating firewall rules or validating traffic from a Coudflare origin, rather we can rely on a company worth just under $68 Billion to do most of the heavy lifting for us to protect our origin (Our server) 💪.

Highly available and highly scalable Cloudflare tunnels ...
Example of how a HTTP request is routed through Cloudflare's Network through to the Cloudflare tunnel connector to the service running on your server

Share Tweet Send
You've successfully subscribed to Alex Gallacher
Great! Next, complete checkout for full access to Alex Gallacher
Welcome back! You've successfully signed in
Success! Your account is fully activated, you now have access to all content.