Cloudflare - Akses Web & SSH Aman ke Infrastruktur Pribadi Menggunakan Cloudflare Tunnel (Berbasis Docker)

dig devvnull.me -t NS

docker network create \
    --driver=bridge \
    --subnet=172.25.0.0/16 \
    cloudflared-tunnel

mkdir -p /opt/docker-app/devvnull.me && \
    cd /opt/docker-app/devvnull.me
 
mkdir cloudflared && \
    sudo chown -R 65532:65532 cloudflared

docker run --rm -it \
    -v $PWD/cloudflared:/home/nonroot/.cloudflared \
    cloudflare/cloudflared:latest \
    tunnel login

Leave cloudflared running to download the cert automatically.
2026-01-07T09:01:06Z INF You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/home/nonroot/.cloudflared/cert.pem

docker run --rm -it \
    -v $PWD/cloudflared:/home/nonroot/.cloudflared \
    cloudflare/cloudflared:latest \
    tunnel create devvnull-tunnel

Tunnel credentials written to /home/nonroot/.cloudflared/6d40d748-1ef2-4899-97f5-a33489ad43fc.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.
 
Created tunnel devvnull-tunnel with id 6d40d748-1ef2-4899-97f5-a33489ad43fc

2026-01-07T15:05:08Z INF Added CNAME devvnull.me which will route to this tunnel tunnelID=6d40d748-1ef2-4899-97f5-a33489ad43fc
 
2026-01-07T15:05:45Z INF Added CNAME ssh.devvnull.me which will route to this tunnel tunnelID=6d40d748-1ef2-4899-97f5-a33489ad43fc

sudo nvim cloudflared/config.yml

tunnel: devvnull-tunnel
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json
 
ingress:
  # --- Web HTTPS
  - hostname: devvnull.me
    service: http://docker-welcome-page:80
 
  # --- SSH (host KVM)
  - hostname: ssh.devvnull.me
    service: ssh://172.25.0.1:22
 
  # --- Fallback
  - service: http_status:404

sudo nvim docker-compose.yml

services:
  cloudflared_tunnel:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared_tunnel
    restart: unless-stopped
    command: tunnel --no-autoupdate run
    volumes:
      - ./cloudflared:/etc/cloudflared:ro
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    networks:
      - cloudflared-tunnel
 
  docker-welcome-page:
    image: ghcr.io/armandwipangestu/docker-welcome-page:1.0.2
    container_name: docker-welcome-page
    ports:
      - "80:80"
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    networks:
      - cloudflared-tunnel
 
networks:
  cloudflared-tunnel:
    external: true

docker compose up -d
 
docker compose ps -a

[+] up 1/3
[+] up 5/5hcr.io/armandwipangestu/docker-welcome-page:1.0.2 [⣿⣿] 132.4kB / 132.4kB Pulling                                                                                                                           3.5s 
 ✔ Image ghcr.io/armandwipangestu/docker-welcome-page:1.0.2 Pulled                                                                                                                                                   3.5s 
   ✔ 9bc53414cea7                                           Pull complete                                                                                                                                            0.9s 
   ✔ e97543ee5c71                                           Pull complete                                                                                                                                            0.6s 
 ✔ Container docker-welcome-page                            Created                                                                                                                                                  0.1s 
 ✔ Container cloudflared_tunnel                             Created                                                                                                                                                  0.1s 
 
NAME                  IMAGE                                                COMMAND                  SERVICE               CREATED          STATUS          PORTS
cloudflared_tunnel    cloudflare/cloudflared:latest                        "cloudflared --no-au…"   cloudflared_tunnel    31 seconds ago   Up 31 seconds   
docker-welcome-page   ghcr.io/armandwipangestu/docker-welcome-page:1.0.2   "/docker-entrypoint.…"   docker-welcome-page   31 seconds ago   Up 31 seconds   0.0.0.0:80->80/tcp, [::]:80->80/tcp

docker compose logs -f cloudflared_tunnel

cloudflared_tunnel  | 2026-01-07T15:36:26Z INF Starting tunnel tunnelID=6d40d748-1ef2-4899-97f5-a33489ad43fc
cloudflared_tunnel  | 2026-01-07T15:36:26Z INF Version 2025.11.1 (Checksum cf95c90f5f6d6c87296bbab3b5a967ef580b017357353bfc1777ed5451ff9805)
cloudflared_tunnel  | 2026-01-07T15:36:26Z INF GOOS: linux, GOVersion: go1.24.9, GoArch: amd64
cloudflared_tunnel  | 2026-01-07T15:36:26Z INF Settings: map[cred-file:/etc/cloudflared/6d40d748-1ef2-4899-97f5-a33489ad43fc.json credentials-file:/etc/cloudflared/6d40d748-1ef2-4899-97f5-a33489ad43fc.json no-autoupdate:true]
cloudflared_tunnel  | 2026-01-07T15:36:26Z INF Generated Connector ID: 07ea2563-0952-40ac-821a-2d942e066170
cloudflared_tunnel  | 2026-01-07T15:36:26Z INF Initial protocol quic
cloudflared_tunnel  | 2026-01-07T15:36:26Z INF ICMP proxy will use 172.25.0.3 as source for IPv4
cloudflared_tunnel  | 2026-01-07T15:36:26Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
cloudflared_tunnel  | 2026-01-07T15:36:27Z INF ICMP proxy will use 172.25.0.3 as source for IPv4
cloudflared_tunnel  | 2026-01-07T15:36:27Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
cloudflared_tunnel  | 2026-01-07T15:36:27Z INF Starting metrics server on [::]:20241/metrics
cloudflared_tunnel  | 2026-01-07T15:36:27Z INF Tunnel connection curve preferences: [X25519MLKEM768 CurveP256] connIndex=0 event=0 ip=198.41.200.63
cloudflared_tunnel  | 2026/01/07 15:36:27 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
cloudflared_tunnel  | 2026-01-07T15:36:27Z INF Registered tunnel connection connIndex=0 connection=d0ea08a2-dc82-412c-b4e5-c7883cbf8c88 event=0 ip=198.41.200.63 location=sin13 protocol=quic
cloudflared_tunnel  | 2026-01-07T15:36:27Z INF Tunnel connection curve preferences: [X25519MLKEM768 CurveP256] connIndex=1 event=0 ip=198.41.192.67
cloudflared_tunnel  | 2026-01-07T15:36:28Z INF Registered tunnel connection connIndex=1 connection=ab21325c-65d0-4ac8-b6de-76c0c3fe76f4 event=0 ip=198.41.192.67 location=sin06 protocol=quic
cloudflared_tunnel  | 2026-01-07T15:36:28Z INF Tunnel connection curve preferences: [X25519MLKEM768 CurveP256] connIndex=2 event=0 ip=198.41.192.57
cloudflared_tunnel  | 2026-01-07T15:36:29Z INF Registered tunnel connection connIndex=2 connection=ca6da423-76c1-4424-9e58-45796454119a event=0 ip=198.41.192.57 location=sin09 protocol=quic
cloudflared_tunnel  | 2026-01-07T15:36:29Z INF Tunnel connection curve preferences: [X25519MLKEM768 CurveP256] connIndex=3 event=0 ip=198.41.200.43
cloudflared_tunnel  | 2026-01-07T15:36:30Z INF Registered tunnel connection connIndex=3 connection=dacbabe4-b00c-4ef1-8141-91e40b25620b event=0 ip=198.41.200.43 location=sin11 protocol=quic

Service token name (Required): headless-client
Service Token Duration (Required): 1 year

- Basic Information:
    - Policy name (Required): Allow SSH Connection with Service Token
    - Action (Required): Service Auth
    - Session duration: 24 hours
 
- Add rules:
    - Selector: Service Token
    - Value: headless-client

- Basic Information:
    - Policy name (Required): Allow SSH Connection with Email Verification
    - Action (Required): Allow
    - Session duration: 24 hours
 
- Add rules:
    - Selector: Emails
    - Value: your-email@domain.com

- Basic Information:
    - Application name (Required): devvnull.me SSH
    - Session Duration (Required): 24 hours
    - Public hostname:
        - Input method: Default
        - Subdomain: ssh
        - Domain: devvnull.me
        - Path: kosong
 
- Access policies:
    - Pilih existing policies:
        - Allow SSH Connection with Service Token
        - Allow SSH Connection with Email Verification

ssh-keygen -t ed25519 -f ~/.ssh/devvnull.me

cat ~/.ssh/authorized_keys
 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK72PwHf0X9btH2ijYCmlx7jzulr0j5viVqBCm/Y9YA devnull@devnull

sudo nvim /etc/ssh/sshd_config

sudo systemctl restart ssh

nvim ~/.ssh/config

Host devvnull.me
  HostName ssh.devvnull.me
  User devnull
 
  IdentityFile ~/.ssh/devvnull.me
  IdentitiesOnly yes
 
  ProxyCommand cloudflared access ssh --hostname %h --id $CF_ACCESS_CLIENT_ID --secret $CF_ACCESS_CLIENT_SECRET

curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 
sudo apt update && sudo apt install cloudflared

export CF_ACCESS_CLIENT_ID="your-client-id"
export CF_ACCESS_CLIENT_SECRET="your-client-secret"
 
ssh devvnull.me

ssh -o ProxyCommand="cloudflared access ssh --hostname ssh.devvnull.me" devnull@ssh.devvnull.me

A browser window should have opened at the following URL:
 
https://ssh.devvnull.me/cdn-cgi/access/cli?aud=32cf2e2a14bccd667d8e508a9bfb6fd822399debe130f533ae176ee9f5aa3b7d&edge_token_transfer=true&redirect_url=https%3A%2F%2Fssh.devvnull.me%3Faud%3D32cf2e2a14bccd667d8e508a9bfb6fd822399debe130f533ae176ee9f5aa3b7d%26token%3Dq2l9u_F-OWkOt0hdtaj9zJ7yTG2qeqi2g6laXs1Oqn4%253D&send_org_token=true&token=q2l9u_F-OWkOt0hdtaj9zJ7yTG2qeqi2g6laXs1Oqn4%3D
 
If the browser failed to open, please visit the URL above directly in your browser.