Before you begin
This article is the first of the Cloudflare series where I will be showing how to setup Cloudflare tunnels to protect any of your web based services. In the case of this series we're going to be protecting a server running this blog on Ghost. If you're yet to setup a containerised Ghost blog using Docker and Docker-compose check out how to!
Cloudflare relatively recently released free Tunnels as part of their broader strategy to make Zero Trust more of a reality for everyone with the use of their Cloudflare Access Product. They dubbed this "A Boring Announcement" but I think it's anything but, considering the benefits for those of us running smaller services like this blog.
Given Cloudflare now runs almost 20% of the web as of November this year (2021) I thought it would be a great time to explore leveraging the new service to further protect VPS's running on the web such as this blog.
Cloudflare Access with Tunnels
Essentially what Cloudflare Tunnels does is allow us to have an outbound only connection to Cloudflare's edge through a lightweight connector that you deploy on your Server. What this gives us is an encrypted tunnel between our origin (server) and Cloudflare's edge network without us opening up any ports or exposing our web server ip address to the web. Pretty neat huh - this means we shouldn't have to deal with any direct or persistent attacks from the net, leaving us more time to focus on content creation.
What this means is that we can:
The architecture for this one is relatively simple when compared to the docker series. All of the users accessing our blog running on our server will be routed through Cloudflare's extensive network and protection mechanisms. This means we can easily leverage Cloudflare's Access to protect our deployed applications.
The main advantage to this approach is that we don't have to bother with creating firewall rules or validating traffic from a Coudflare origin, rather we can rely on a company worth just under $68 Billion to do most of the heavy lifting for us to protect our origin (Our server) 💪.