Hosting apps on-prem using Cloudflare Tunnels

Host apps on your own kit - and expose them to the internet - safely!
CloudflareOn-prem hosting
Hosting apps on-prem using Cloudflare Tunnels
March 2025

Recently our organisation was given access to some hardware for experimentation and evaluation. In order to check it out we needed to install some of our own software on that machine - a web application. We needed this application to properly evaluate the hardware.

The trouble was, the sandbox environment that we were given access to wasn't publicly addressable, and so we weren't able to get a public IP address or domain name for it. We needed several users to be testing at once, so logging on to the server and using the localhost address wasn't a practical option.

So with no inbound access - how could we possibly host a public-facing web application on it? Read on to find out...

Cloudflare Tunnels

Cloudflare Tunnels solve exactly this problem. They provide a secure way to connect resources to Cloudflare without a publicly routable IP address.

A lightweight daemon called cloudflared is installed your infrastructure, which calls outwards to Cloudflare. Using that connection, Cloudflare is able to securely transfer data to and from your application.

In addition to that, Cloudflare will give you a DNS record and protect the true origin of your server. Amazing!

Setup

  1. Log in to your Cloudflare account and follow instructions to set up a new Tunnel under the Zero Trust feature.
  2. Follow the instructions to run the cloudflared docker container. I hosted mine alongside some other containers in my docker-compose.yml
docker-compose.yml
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel --no-autoupdate run --token ${your-token}

My web app was hosted on port 8000, so I configured a hostname on my tunnel to point at localhost:8000

And that is all you need to do! Your web app will be available at https://your-app.your-domain.com for as long as your cloudflared container is running.

Additional Security

One final step was to make sure that this domain name was only accessible to the people who need it - i.e the people within my organisation.

Within the Zero Trust -> Access feature, create yourself an Application to represent your app. Under 'Policies', create a new Policy and configure a rule to ensure that only people from a certain IP range can access your application.

Policies can be configured with a wide variety of restrictions - go and explore!

Hope this helps

Read next

VW Golf dashboard with a start-stop system failure warning light illuminated
Apr 2026

Troubleshooting the start-stop system failure on my VW Golf - Part 1

Usually I write these blog posts after I've fixed the problem - but this time I'm writing it as I go. Join me as I gather information and build a list of ideas.

AutomotiveDebugging
Read post →
Abstract illustration of a fast simple hosting setup
Mar 2026

How I manage content on this website

Learn how this blog site is put together - with minimal dependencies and bloat

ArchitectureHostingNuxtContent Management
Read post →
A smartphone camera lens surrounded by abstract binary data streams and TIFF file grid patterns
Mar 2026

Generating TIFF files on an Android device

No library was up to the job, so I read the spec and wrote my own TIFF encoder.

AndroidKotlinTIFFImage Processing
Read post →
View all posts →