Oh, welcome to Syntax on this Monday Hasty Treat. We're going to be talking about tunnels. Cloudflare tunnels, what they're used for, why they're neat, and we'll just talk all about getting them set up and what you might actually consider using a Cloudflare tunnel for. My name is Scott Tolinski. I'm a developer from Denver. With me, as always, is Wes Bos.
What's up, Wes? I'm excited to talk about this. We've done a show on exposing your application to the greater internet previously, and we've went through several of the options out there. You know, there's ngrok and localtunnel and whatnot.
Cloudflare tunnels is in a league of its own because it does quite a bit more. Honestly, I think it's the best approach to these types of things in terms of running them long-term, especially if you have a local server at your house where you're not just
Oh, I have a local dev server that I want to be able to expose to somebody, but like, no, I run them. I want to run this thing full time. So I thought, like, let's do a quick little show explaining what they are, how to use them, the whys and whats, because they're super handy.
But before we do that, let's actually take a second to talk about Sentry at Sentry.io, perfect place to solve, find any of your bugs. I know we're doing a lot of side projects, Wes, and I know you're working on a bunch of stuff here and there. It's always important to know what's going on in your apps, whether that is performance, whether that is issues that cropped up.
And hey, I was using some of these new GitHub tools to solve GitHub issues with natural text. It would be really kind of cool to take a Sentry issue, create a GitHub issue for it, have GitHub solve that thing for you right away. And it's like, click, click. All right, nice and done. Here's a bug solve.
Check it out, sentry.io/syntax, sign up and get two months for free. You got to use the coupon code, hasty cheat, all lowercase, all one word. And yeah, this podcast is presented by Sentry. And just like Wes, your websites get kind of presented by Cloudflare tunnels, meaning that you can basically put a Cloudflare tunnel in front of something.
and then point a domain to it, and then you have basically an SSL into something that is self-hosted that's tunneled directly to your app. Do we first want to talk about what we might be hosting on Cloudflare tunnels, or not hosting on, but using Cloudflare tunnels to expose to the internet? Just to give people an idea.
Okay, so there's kind of like two, Cloudflare tunnels is not just like, get your dev server open to the greater area. That is a very good use case for it. I've not done that, actually.
Oh yeah, yeah, I did it. So I'll start there. When I did my receipt printer, I was running some demos on my computer where I needed people to be able to send stuff to my receipt printer, right? And that question of how do you then expose your local dev server to the greater internet without exposing your home IP address, right?
And so what I did is I ran a Cloudflare tunnel on my local machine. And what that does is it connected to a subdomain that I have, which is local.wesbos.com. And then anyone who's able to visit local.wesbos.com, it then pipes all the traffic directly to
It was piping it directly to my dev server, my Next.js dev server, and it held up pretty well. That's a really great use case, both for if you just want someone to see something, but also like the use case I run into all the time is
I have a webhook that I need to test and the webhook needs to be exposed to the internet because the webhook has to be pinged by another server. And it doesn't know how to ping my local localhost, right? Because it's not exposed to the internet. Apple Pay is another good one where Apple Pay, you must give it the explicit domain names of what it is you're working with. And if you've not approved, basically have to go into either Stripe or into Apple and say, like,
wesbos.com is my domain name. And then you have to approve it and get it added to your account. And if you want to be able to test Apple Pay, you can't just do that on localhost, right? You have to have a domain name for that. So in that case, I'll often expose it to that. I've used Snipcart in the past where that expects an exposed one. Anytime you're working with something that needs a web accessible URL, a Cloudflare tunnel is a great solution to that.
Yeah, yeah, I pretty much exclusively use this stuff for exposing services that are running locally to the internet. You know, think about like we have an Emby server to have like a media server on. And I want to make sure that we can access that on the airplane or when we're on vacation or something like if we're somewhere and we need to download movies for the kids, it's nice to have that stuff available. Also have like my Home Assistant
or the access to my NAS itself instead of using QuickConnect. I have that behind a Cloudflare tunnel. So I'm often using it exactly for those types of services, the types of things you'd want to access outside of your house. Most recently for me, the audiobook app, that Audiobookshelf app that I have made that available. And I just throw it up behind the domain. You get SSL, you don't have to worry about opening ports. And it feels a lot more comfortable. Not only that, but like,
The process of getting a Cloudflare tunnel up on something like a Synology or NAS is trivial. It's amazing how much easier it is than some of the other... I had been using Synology's version of this, which is
synology.me and it does this weird reverse proxy where because maybe we should explain if so if you have something hosted at your home. That is not exposed to the greater internet because you're you're going to have like usually one IP address for your your router right or sorry for your modem and then.
If you were to visit that IP address, your router is you have to go in like forward ports and that's not necessarily really safe. So what this does is you can, you don't have to forward any ports. You don't have to deal with any routers, but it will sort of just forward the traffic on through to you. I use it for
Yeah, Home Assistant, I use it for my Jellyfin because I want to be able to stream our content when we are on the road or we're at the cottage, but stuff is still at home. I like that quite a bit because if I have to download something, I can just log in to my Synology and download something on my fast internet here. And then you can stream it at like a lower quality on the devices on some slower internet.
So I did that, but then I also hooked it up to my Coolify, which is really neat because so Coolify is like kind of like a self-hosted Vercel where you can just quickly spin up a whole bunch of different options. And one kind of cool thing about Coolify is that you can give them
each of your boxes domain names. And if you give them publicly facing domain names, I've set up a wildcard on my Cloudflare tunnels so that I can simply just, I could spin up like a syntax is cool. And then I immediately will assign a domain name to that in Coolify. And then it will be web accessible for anyone. I got a question about that. So how are you pointing the DNS then? You're pointing the DNS.
Yes. So let's talk about how you do that. So the way that you set up Cloudflare Tunnels is there's kind of two ways. You can do it locally with the cloudflared CLI. And that's the way I initially get into it. And that's the way they give you a quick start. You can type a couple of commands and immediately have a thing running. But I'm going to tell you don't do that because that's not great long-term in switching to the other approach, which is
Remotely managed is the best approach. So what you do is you get the cloudflared daemon, or daemon, how do you say that? I think we've got to, I think we determined it was "demon".
You get the Cloudflare daemon running on the box that if it's your local server. In my case, I ran it in a Docker container on my Synology, but then you expose it to the network on the Synology, or you can just run it directly on your MacBook Pro. And then that daemon
is always running on your machine. And then you simply just go into the Cloudflare tunnels UI, and you can start setting up routes. And all I have to do is say, star. I'm pretty sure it's like star.coolify.wesbos.com.
And then any applications that hit that route are passed to Coolify and then cool at that point, Coolify picks it up and they have their own proxying set up so that it'll say, oh, well, someone's requesting it on this URL, pass it to this one.
Interesting. I've always just done for Coolify, and this is kind of a pain. It's just created a second DNS record for any subdomain or any subdomain pointing to the IP of Coolify to get that custom domain going. Interesting. I like the wildcard approach. That seems like way more flexible.
It also depends on if you're hosting Coolify on like a, like a Hetzner box that is like the IP address is already out there. Or if you are like, I'm running Coolify on my local server, just in my house. So I don't have an IP address. Well, I do have an IP address, but you should not be giving that IP address out because
Generally, it's not a good idea for anyone to know the IP address of your server because they can go directly to that and give you a DDoS. Now, you can obviously firewall it and only allow in certain IP addresses, but it's generally better to sort of mask that with something like a Cloudflare where it will proxy all of the traffic for you. Yeah.
I like raising my hand now. The audio listeners, I raise my hand sometimes so we don't talk over Wes. But you don't have to have a CNAME for these or what? Because I have to have a CNAME for each subdomain that I have, even if it's Cloudflare tunnel. Yeah. The kind of cool thing is that if your domain name is set up with Cloudflare, then Cloudflare takes care of all the DNS. Because Cloudflare is the DNS provider, so when a request comes to your server,
Cloudflare, as long as you're proxying it, which is orange clouding, Cloudflare will know what to do with that request and send it to the right, whether it's a cached asset or if it's actually a tunnel that it needs to then forward on to you.
Yeah, it's, it's, it's really nice. And you can just quickly go and you can either add like a one off, you say basically like jellyfin dot boss family dot net. And then that will you say, okay, when somebody visits this URL, then point them to localhost colon four two six five, you know, or four four nine eight.
And what that does is it will proxy it through to the port. And then you also have the benefit of not having to fuss with having ports in your URLs. It's just like a nice clean URL. You can also do like subdomains as well. Like you could do like scotttolinski.com forward slash jellyfin or forward slash new blog. However, I find that when you do like subdomains, then you have to get into like application specific
properties that is like, you know, like when you try host a React or Svelte app on a like a forward slash, then you have to tell the router itself what the base name is. And then it's a bit of a pain. Yeah. For people looking for this, it's under on Cloudflare and their dashboard. It's under Zero Trust, by the way. It's not like under Cloudflare tunnels on the sidebar. It's under Zero Trust, which then has a lot of other features. What's shocking about Zero Trust is that there's no dark theme for Zero Trust. So even if you're dark mode, you go to Zero Trust and it's light mode.
You don't trust people that use dark mode. They're hackers. They're hackers. One thing that's really cool about these things also that we haven't mentioned is that you can give a lock to some of these routes. Let's say you want this to be available.
You know, this makes less sense for something like Home Assistant where you're giving it a URL in the creds and it's locking into that service. But if I have a service that's a web UI that I'm only ever visiting from the web, you can put a lock on that, which means that only certain Cloudflare accounts specifically can access that information. And so what happens when I visit those URLs, Cloudflare actually steps in with its own login page and says,
you must log into Cloudflare to access this. Then once I do that, I might still get another login screen from the service itself. Even though you are exposing this functionality to the web, it does give a nice bit of protection there in terms of who's even able to even hit the site in general, not just try to log in.
So Cloudflare's whole Zero Trust thing is like this massive product that's, it's meant for enterprise, which is we have stuff that is hosted and it needs to be accessible via the entire internet. However, like, you know, it's annoying that you have to set up the VPN and like,
Oh, are you on the VPN before you can reach that? You don't have to do that. You can simply just make access rules to say, all right, anybody with this domain is able to access it, or you can hook up to any of the single sign-on providers, or you can simply just give somebody a code, right? That's one thing is if you do want to expose your local dev server to the internet,
You probably don't want anyone just like finding that while you're working on it, because there could be sensitive stuff on there. So you could just put like a pin code in front of it. And if you do need someone to be able to access it, it's kind of annoying. Because if that's the case, then you have to write some rules for the webhooks to be able to go through. But you can lock this stuff down as much as you want. Even if, like Scott says, even if your applications themselves already have
like a login, right? Because at some point, there's gonna be some sort of security flaw for these applications. At some point, there's gonna be some security flaw in my photo backup software. Or Home Assistant. I don't wanna get anybody access to my Home Assistant. That's for sure. You got cameras in there, right? I don't have cameras in mine, but yes. I don't want to be messed with my lights.
Yeah, or even simply know when you are home, right? They could see your all that info. So yeah, you could, you could lock that down a little further to get access to it. So it's, it's a really cool product. I'm, it's really amazing that it at a very low level, just like a guy like me can use it to give cool domain names to my servers. And then it spans all the way to like enterprise network IT of
locking things down and doing custom routing. Yeah, I know. It's a cool product that works well, but it feels secure when you use it. I think for me personally, when I first started looking into making things like my Emby server available off-network.
And it freaked me out. I'm going to be honest with you, because once you get into opening ports and I'm not as much of a network admin that I know that I'm making the right choices on everything. So being able to use Cloudflare tunnels to me has been really just a big, nice little boost for me, feeling more secure about what I'm doing here. So yeah, it's a cool product.
You should see, when I log into my Synology, it shows you when people are trying to log in. And it's probably, I don't know, like a hundred a day, login attempts. Yeah, yeah, it's nuts.
I don't think mine is. There's just bots out there. If you do a search, just everybody's, yeah, there's just bots out there looking for Synology login pages and looking for unsecured, you know, there's bots everywhere. And they will try admin admin and admin puppy and all these things, which is pretty wild. And obviously they never get in because I have like two factor authentication and whatnot, but I kind of would like them to not
even try because like, you know that a request is coming into my home and trying to access it, you know?
I know that freaks me out. And if you have like the tunnel lock to make sure that somebody has to hit a lock and before they hit that, then they're not even getting to your home. And that to me feels great. Yeah, that whole Synology thing is freaky to me as well. But yeah, that's like one of the services. If I could have three FA on it, four FA, just give me like all the FA's, I would do it for Disney. Yeah, I don't need the inconvenience. It does not matter to me.
I just don't want somebody getting into my NAS and deleting all my stuff.
Yeah. Yeah. All right. I think that's all we have. Certainly check them out. Grab a Cloudflare tunnel, try to get it set up like a local dot whatever, even buy like a whole new domain name. There's an excuse for you can buy a new domain name, but buy a domain name for your projects. And then just try set up like a local one. You can also just proxy other applications as well, right? It doesn't have to be something locally hosted. It could be an actual application that's on
On a server somewhere as well. Yeah, don't you just have that you would just have to have Cloudflare daemon running. That's that's the only thing. Yeah, you have to have that running on your box. Yep, word. Cool. Well, I hope you found this interesting and let us know what you're hosting on Cloudflare tunnels if you use something different like something else or you're just not convinced. Let us know in the comments down below smash that subscribe button all that good stuff and we'll see you in the next one. Peace.