Cloudflare Tunnel Docker: expose local services securely
Opening ports on a firewall is operationally reckless. Cloudflare Tunnel eliminates inbound port exposure entirely by establishing an outbound-only connection from your infrastructure to Cloudflare's edge network. Pair it with Docker and you get a portable, reproducible ingress layer that works identically on a Raspberry Pi, a home lab NAS, or a production VPS.
Why use Cloudflare Tunnel with Docker?
Traditional setups — Nginx + Let's Encrypt + port forwarding + DDNS — involve five moving pieces that each introduce failure modes. Cloudflare Tunnel collapses this stack into a single container. The Docker angle makes the tunnel portable (same docker-compose.yml on any host), isolated, reproducible, and restartable via Docker's restart policies.
How to run Cloudflare Tunnel in Docker
1. Create a tunnel in the Cloudflare Zero Trust dashboard and copy the token.
2. Create your docker-compose.yml with the cloudflared service, using the TUNNEL_TOKEN environment variable, restart: unless-stopped, and the --no-autoupdate flag.
3. Route multiple services through one tunnel by mapping public hostnames to internal Docker service names in the Cloudflare dashboard.
4. Add Docker health checks and a CodeWords monitoring workflow that alerts via Slack if any service becomes unreachable.
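A docker-compose.yml covering steps 2 to 4, as an added example that is not from the original page. The service name web, the network name tunnel_net, the nginx:alpine stand-in image and the .env file holding the token are assumptions.

```yaml
# Added example. Assumed names: web, tunnel_net, nginx:alpine, a .env file.
services:
  web:
    image: nginx:alpine            # stand-in for your own service
    restart: unless-stopped
    networks: [tunnel_net]
    # No "ports:" section: nothing is published on the host. The only
    # path in is the tunnel, via the public hostname mapped in the
    # dashboard to http://web:80 (the Docker service name).
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:80/"]
      interval: 30s
      timeout: 5s
      retries: 3

  cloudflared:
    image: cloudflare/cloudflared:latest   # pin a release tag you have tested
    restart: unless-stopped
    command: tunnel --no-autoupdate run
    environment:
      # Read from a .env file beside this compose file (keep it out of git).
      # Compose refuses to start if the variable is missing or empty.
      TUNNEL_TOKEN: "${TUNNEL_TOKEN:?set TUNNEL_TOKEN in .env}"
    # Same user-defined network as web, so the name "web" resolves.
    networks: [tunnel_net]
    depends_on:
      web:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

networks:
  tunnel_net:
    driver: bridge
```

Treat the tunnel token as a credential: anyone holding it can run a connector for this tunnel, so rotate it in the dashboard if the .env file leaks.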
Common issues and fixes
Tunnel shows Inactive: token mismatch.
503 errors: containers not on the same Docker network.
High memory: set --protocol http2.





