Set up a website using Cloudflare Tunnel (Cloudflare's internal network tunneling) 使用 Cloudflare Tunnel 架設網站(Cloudflare 內網穿透)
This article covers how to use Cloudflare’s Zero Trust feature to publish a server hosted in a local network environment to the public internet.
Author’s Environment
- Server: Windows Hyper-V VM
- OS: Debian 13
Cloudflare Setup
The most basic requirement is that you must own a domain and have it managed through Cloudflare.
Set the DNS Hosts to Those Provided by Cloudflare
Using Chunghwa Telecom HiNet’s DNS service as an example: add the nameservers specified by Cloudflare to the domain registrar’s (HiNet) DNS host configuration page.
Start Configuring Cloudflare Zero Trust
Navigate to the Zero Trust settings page from the left-hand menu, or click Access and then enter the Zero Trust settings page.
Connect the Host to Cloudflare
Follow the setup by navigating to: Left sidebar → Networks → Connectors → Create a tunnel → Cloudflared.
Select the corresponding installation command based on the device’s operating system. On Debian, the dashboard provides a command similar to the one below — it downloads the cloudflared package and registers it as a service using your unique tunnel token:
curl -L --output cloudflared.deb \
https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb
sudo cloudflared service install <YOUR-TUNNEL-TOKEN>The connector only makes outbound connections to Cloudflare’s edge, so you never have to open inbound ports (80/443) or own a public, static IP.
Verify the Connector
Confirm the daemon is running as a system service:
sudo systemctl status cloudflaredBack in the dashboard, the tunnel’s status changes to Connected / Healthy once the connector registers.
Add a Public Hostname
This is where you map a hostname to your local service. Open the tunnel and go to the Public Hostnames tab, then Add a public hostname:
- Domain / Subdomain: pick your domain and an optional subdomain (for example
www.example.com, or leave the subdomain empty for the apex domain). - Service → Type:
HTTP(useHTTPSif your local server already serves TLS). - Service → URL: the address of your local web server, e.g.
localhost:80.
When you save, Cloudflare automatically creates the DNS record — a proxied CNAME pointing at the tunnel — so you do not need to add it by hand.
Verify
Open https://your-domain.com in a browser. The request now travels visitor → Cloudflare edge → tunnel → your local server, served over Cloudflare’s TLS certificate.
(Recommended) Protect It with Access
If the site is not meant to be fully public, create a Zero Trust Access application for the hostname and attach a policy (for example, allow only specific email addresses) so visitors must authenticate before reaching your server.
Why Use Cloudflare Tunnel?
- No exposed ports — the connection is outbound-only; you never forward 80/443 on your router.
- No public IP required — it works behind CGNAT or a dynamic IP.
- Origin IP stays hidden — clients only ever see Cloudflare’s edge.
- Free, automatic TLS — Cloudflare terminates HTTPS for you.
本文主要介紹如何利用 Cloudflare 的 Zero Trust 功能,將架設在內網環境的伺服器安全地發布至公共網路上。
作者環境
- 伺服器:Windows Hyper-V 虛擬機器
- 作業系統:Debian 13
Cloudflare 設定
最基本的要求是您必須擁有一個網域,並且已將其託管在 Cloudflare 上。
將 DNS 主機設定為 Cloudflare 提供的伺服器
以中華電信 HiNet DNS 服務為例,將 Cloudflare 指定的 Nameservers 填入網域商(HiNet)的 DNS 主機設定頁面。
開始設定 Cloudflare Zero Trust
從左側選單導航至 Zero Trust 設定頁面,或點選 Access 後進入 Zero Trust 設定頁面。
將主機連接至 Cloudflare
依照以下路徑進行設定:左側導航欄 → Networks → Connectors → Create a tunnel → Cloudflared。
根據裝置的作業系統選擇對應的安裝指令。在 Debian 上,儀表板會提供類似下方的指令 —— 它會下載 cloudflared 套件,並使用你專屬的 Tunnel Token 將其註冊為系統服務:
curl -L --output cloudflared.deb \
https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb
sudo cloudflared service install <你的-TUNNEL-TOKEN>連接器只會對 Cloudflare 邊緣建立**對外(outbound)**連線,因此你完全不需要開放對內的埠(80/443),也不需要擁有公開的固定 IP。
確認連接器狀態
確認 daemon 已以系統服務的形式運行:
sudo systemctl status cloudflared回到儀表板,當連接器註冊成功後,該 Tunnel 的狀態會變為 Connected/Healthy。
新增 Public Hostname(公開主機名稱)
這一步就是把主機名稱對應到你的本地服務。打開該 Tunnel,切換到 Public Hostnames 分頁,然後點選 Add a public hostname:
- Domain/Subdomain: 選擇你的網域與選用的子網域(例如
www.example.com,若要使用根網域則子網域留空)。 - Service → Type: 選
HTTP(若本地伺服器本身已提供 TLS,則選HTTPS)。 - Service → URL: 你本地網頁伺服器的位址,例如
localhost:80。
儲存後,Cloudflare 會自動建立 DNS 紀錄(一筆指向該 Tunnel、已啟用 Proxy 的 CNAME),你不需要手動新增。
驗證
在瀏覽器開啟 https://你的網域.com。此時請求的路徑為 訪客 → Cloudflare 邊緣 → Tunnel → 你的本地伺服器,並透過 Cloudflare 的 TLS 憑證對外提供服務。
(建議)以 Access 保護
如果這個網站並非要完全公開,可以為該主機名稱建立一個 Zero Trust Access 應用程式並掛上存取政策(例如只允許特定 Email),讓訪客必須先通過驗證才能連到你的伺服器。
為什麼要用 Cloudflare Tunnel?
- 不需開放任何埠 —— 連線是對外單向的,路由器上完全不用轉發 80/443。
- 不需要公開 IP —— 在 CGNAT 或浮動 IP 環境下也能運作。
- 隱藏來源 IP —— 客戶端只會看到 Cloudflare 的邊緣節點。
- 免費且自動的 TLS —— 由 Cloudflare 為你終結 HTTPS。