logo
Enough of Nginx Reverse Proxy

Enough of Nginx Reverse Proxy

Introducing

What Cloudflare Tunnel Actually Does

Cloudflare Tunnel (powered by cloudflared) creates a secure outbound connection from your server to Cloudflare. No ports 80 or 443 exposed. No firewall headaches. No public IP required.

Fundamentally, it provides:

  • Reverse proxying from Cloudflare → your local app
  • Automatic HTTPS with Cloudflare’s certificates
  • Origin protection (your server IP stays hidden)
  • Zero maintenance TLS
  • No open inbound ports

These features overlap directly with what many people use Nginx for, which is why Tunnel can replace Nginx in certain setups.

How To Use

Create a Tunnel

  1. Log in to Cloudflare One and navigate to Networks > Connectors > Cloudflare Tunnels.

  2. Select Create a Tunnel.

  3. Choose Cloudflared as the connector type and click Next.

  4. Enter a name for your tunnel. We recommend selecting a name that reflects the resources you plan to connect (e.g., enterprise-VPC-01).

  5. Click Save Tunnel.

  6. Next, you will need to install cloudflared and run it. To do so, check that the environment under "Choose an environment" reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.

Once the command has finished running, your connector will appear in Cloudflare One.

ocean

And your domain (if it is added to Cloudflare DNS) will show a newly created CNAME:

cloudflare-dns

Next, you’ll need to install cloudflared and run it. To do this:

  1. Ensure the environment under "Choose an environment" matches your machine's operating system.
  2. Copy the command provided in the box and paste it into your terminal.
  3. Run the command.

Once the command completes, your connector will appear in Cloudflare One.

Publish an application

Before you publish an application through your tunnel, you must:

Follow these steps to publish an application to the Internet:

  1. Go to the Published application routes tab.

  2. Enter a subdomain and select a Domain from the dropdown menu. Specify any subdomain or path information.

NOTE

If you add a multi-level subdomain (more than one level of subdomain), you must order an Advanced Certificate for the hostname.

  1. Under Service, choose a service type and specify its URL. For example:
Type: HTTP
URL: localhost:8000
Under Additional application settings, specify any parameters you would like to add to your tunnel configuration.

NOTE

This can be your local application URL, for example localhost:3000 for your React web app. Select Complete setup.

Anyone on the Internet can now access the application at the specified hostname. To allow or block specific users, create an Access application.

TL;DR — Cloudflare Tunnel vs Nginx

  • Looking to expose a private app without opening ports? Cloudflare Tunnel gives automatic HTTPS, hides your origin IP, and requires no public IP or firewall changes.
  • It can replace an Nginx reverse proxy for many home‑lab and small‑team deployments.
  • You still might want Nginx if you need heavy on‑box features (e.g., advanced rewrites, on‑prem caching, Lua, complex request routing at the origin).

Benefits at a glance

  • No open inbound ports (no 80/443 on your router)
  • Automatic TLS and certificate rotation handled by Cloudflare
  • Origin IP protection — your server stays private
  • Quick setup with cloudflared
  • Easy custom domains and subpaths via Cloudflare DNS and routes

When you still need Nginx

Cloudflare Tunnel is not a one‑size‑fits‑all. Consider keeping Nginx if you rely on:

  • Advanced on‑origin routing or URL rewrites, heavy use of map, sub_filter, or custom modules
  • On‑prem caching and fine‑grained cache controls at the origin
  • Local service mesh needs or bespoke TCP/UDP proxying patterns
  • Self‑contained edge logic on the box (Lua/OpenResty, complex auth that must live on origin)

You can also run both: terminate Cloudflare Tunnel at your host and forward to an internal Nginx instance for specialized behaviors.

FAQs

Does Cloudflare Tunnel completely replace Nginx?

For many simple reverse‑proxy use cases, yes. If you rely on advanced Nginx features (rewrites, modules, on‑origin caching), you may still run Nginx behind the tunnel.

Is Cloudflare Tunnel secure?

Yes — it’s an outbound‑only, encrypted connection from your host to Cloudflare. No inbound ports are opened, and TLS is managed automatically.

Is it free?

Cloudflare offers a generous free tier suitable for personal projects and small apps. Check current limits and pricing on Cloudflare’s site.

Can I use it with Docker or Kubernetes?

Yes. Run cloudflared as a sidecar/container and route to services via internal addresses (for example, http://service-name:port).

What about performance?

Latency is usually minimal for typical web apps. If you need on‑box optimizations (local caching/compression logic), keep Nginx behind the tunnel.