Cloudflare Tunnel: Share a Local App Safely

Before You Study (5 mins)

Lesson focus: Lesson 06 packaged your app into a container that runs the same anywhere. But "anywhere" still meant your laptop — and localhost:3000 only exists in your local network. Today we cross that wall: your container becomes reachable from the public internet, by anyone, on a real https:// URL, without buying hosting and without opening any inbound port on your home router. The technology is Cloudflare Tunnel (cloudflared), and the engineering principle behind it — outbound-only connections — is one of the safest patterns in modern networking.

What you should have ready:

• Your Docker container from Lesson 06 actually running locally on localhost:3000
• A free Cloudflare account (no credit card needed for what we'll do)
• Terminal fluency from Lesson 04
• About 45 minutes
• (Optional) A domain name you own — for the "stable URL" upgrade in the bonus challenge

The Concept

The traditional way to make a server on your home network reachable from the internet is port forwarding: you tell your home router "any traffic that arrives at my public IP on port 8080, send it to this internal machine on port 3000." This works, but it has three real problems:

1. It punches a hole in your firewall. Anyone on the internet can scan your IP, find the open port, and start probing for vulnerabilities.
2. Your IP usually changes. Most home internet providers use dynamic IPs; the address you set up today may not be your address tomorrow.
3. There is no TLS / https:// by default. Your traffic is unencrypted unless you also set up a certificate, which adds infrastructure most beginners skip.

Cloudflare Tunnel inverts the model. Instead of opening an inbound port, your container initiates an outbound connection to Cloudflare's network and holds it open. When a request arrives at Cloudflare's edge for your URL, it travels back through that already-open tunnel to your container. Three things become true at once:

• No inbound port is ever opened on your router. Attackers cannot scan and connect to a port you never exposed.
• Cloudflare terminates TLS — your URL automatically gets HTTPS with a valid certificate, no manual setup.
• Cloudflare's global edge network caches and protects your origin — you get DDoS protection, fast routing from any country, and TLS for free.

This is called a reverse proxy with outbound origin connection. The same architecture pattern is used by Tailscale, ngrok, and (for production at scale) AWS PrivateLink and GCP Private Service Connect. Cloudflare's flavor is free for personal projects.

There are two flavors of cloudflared tunnels you'll meet:

Today we'll set up a quick tunnel — one command, instant public URL. The named tunnel + custom domain upgrade is the bonus challenge.

The same Cloudflare network that fronts your hobby tunnel also fronts ABCsteps itself, this very page, and a meaningful slice of the internet. The infrastructure you're using today is the same infrastructure billion-user companies rely on. Free at this scale because Cloudflare's marginal cost on your tiny project is genuinely zero.

Quick Concepts

What We Will Build

By the end of this lesson, you will have done these specific things:

1. Verified your Docker container from Lesson 06 is running locally with docker ps — confirmed http://localhost:3000 loads your game.
2. Installed cloudflared for your operating system. On macOS: brew install cloudflared. On Linux: download the .deb or .rpm from Cloudflare's docs and install. On Windows: use the .msi installer or winget install cloudflare.cloudflared.
3. Verified the install with cloudflared --version.
4. Started a quick tunnel:
   bash

   Copy

   cloudflared tunnel --url http://localhost:3000
   

   Watched the terminal print a URL like https://chunky-river-1234.trycloudflare.com.
5. Opened the URL on your phone over mobile data (not on your home WiFi). Confirmed your game loads — your phone is now talking, over the internet, to a container on your laptop.
6. Sent the URL to a friend via WhatsApp. Watched them load it from somewhere else in the world.
7. Stopped the tunnel with Ctrl+C and observed: the URL stops resolving immediately. There is no orphaned exposure.
8. Inspected what happened in the Cloudflare dashboard at one.dash.cloudflare.com. The "Networks → Tunnels" view shows your tunnel was active.

The single command in step 4 is the entire core of this lesson. Everything else is verifying and understanding what just happened.

Think About

Before studying, consider:

1. The router on your home internet has a single setting somewhere called "port forwarding." It is the most-misconfigured page in residential networking and the cause of most home-network security breaches. What does Cloudflare Tunnel save you from having to touch?
2. If a tunnel can serve your game to anyone on the internet, what would attacking a Cloudflare-tunneled service look like? Where is the actual attack surface? (Hint: not your router. Your application's own bugs.)

By the End

After this lesson, you'll:

• ✅ Have cloudflared installed and verified
• ✅ Have served your container at a real https:// URL on the public internet
• ✅ Have tested the URL from a network outside your home (mobile data)
• ✅ Have shared a working link with someone who is not in the same building as you
• ✅ Understand why outbound-tunnel architectures are safer than inbound port-forwarding
• ✅ Be ready for the "named tunnel + custom domain" upgrade when you want a permanent URL

Your container just left the house. Without leaving the house. 📡

What We Learned

• Cloudflare Tunnel inverts the hosting model. Your container initiates an outbound connection to Cloudflare's network instead of accepting inbound connections. The result: a public URL with TLS, with no inbound port open on your router.
• Three benefits land at once: no firewall hole, automatic HTTPS via Cloudflare-managed certificates, and global edge routing with built-in DDoS protection.
• Quick tunnels give you an ephemeral URL with one command. Named tunnels give you a stable URL on a domain you own.
• The same architecture pattern — outbound-only origin connections — is used by Tailscale, ngrok, AWS PrivateLink, and most modern zero-trust networking.
• Stopping the tunnel kills the exposure instantly. No orphaned ports, no half-open routes. The connection lives only as long as cloudflared is running.

Commands We Used

# Install cloudflared
brew install cloudflared                          # macOS
sudo apt install cloudflared                      # Debian / Ubuntu (after adding Cloudflare's repo)
winget install cloudflare.cloudflared             # Windows

# Verify the install
cloudflared --version

# Quick tunnel — ephemeral URL, no Cloudflare account needed
cloudflared tunnel --url http://localhost:3000

# What happens behind the scenes:
# 1. cloudflared opens an outbound TLS connection to Cloudflare's edge
# 2. Cloudflare gives you back a *.trycloudflare.com hostname
# 3. Public requests to that hostname travel back through the open connection

# Inspect a running tunnel
ps aux | grep cloudflared

# Stop the tunnel cleanly
Ctrl+C   # in the terminal running cloudflared

For a named tunnel (the bonus path — stable URL, custom domain):

# 1. Authenticate cloudflared with your Cloudflare account (one-time)
cloudflared tunnel login                          # opens a browser

# 2. Create a named tunnel
cloudflared tunnel create snake-game

# 3. Route DNS for your domain to this tunnel
cloudflared tunnel route dns snake-game game.example.com

# 4. Run the named tunnel
cloudflared tunnel --name snake-game --url http://localhost:3000
# Now https://game.example.com serves your container, persistently

Why It Matters

Cloudflare Tunnel is the cleanest example I know of a recurring pattern in modern infrastructure: make safety the default by inverting the connection direction. Once you internalize "outbound connection from origin" as a primitive, you start to recognize it everywhere — in zero-trust networking products, in service-mesh designs, in the way SaaS database connectors work, in how CI/CD agents reach back to their control plane.

For a learner shipping a personal project, the pragmatic value is sharper:

• You get a real public URL in 30 seconds, with HTTPS, for free.
• You don't accidentally expose your home network — the tunnel cannot expose anything that wasn't already in the container.
• You can rehearse the full "ship to production" flow on Day 7 of learning, instead of Day 70 when you finally figure out cloud hosting accounts.

What this lesson did not cover but you'll meet:

• Named tunnels with custom domains — the bonus challenge above. The right next step the moment you want a URL you can put on a CV or share more than once.
• Cloudflare Access — adding authentication in front of your tunnel so only specific people can reach the URL. Useful for staging environments and admin dashboards.
• Performance: Cloudflare caching and Workers — once your app is behind Cloudflare, you can put static assets on the edge cache and even run code at the edge, both for free at small scale.
• The trade-offs — Cloudflare sees your traffic. For most applications that's an acceptable trust boundary; for some regulated workloads it isn't. Like every infrastructure decision, the question is what you trade for what.

For production-scale hosting that doesn't depend on your laptop being on, you'll graduate to Cloudflare Pages (static sites — exactly what abcsteps.com runs on), Workers (server-side code at the edge), or a managed VPS. The mental model is the same; the persistence and capacity scale up.

Checklist

• I installed cloudflared and verified the version
• My Docker container from Lesson 06 was running on localhost:3000
• I started a quick tunnel with one command
• I copied the *.trycloudflare.com URL and opened it on my phone over mobile data
• I sent the URL to a friend; they confirmed it loaded
• I stopped the tunnel with Ctrl+C and verified the URL stops resolving
• I can describe what "outbound-only origin connection" means in my own words

Quick Quiz

Q1: Why is a Cloudflare Tunnel safer than port forwarding on your home router?

• A) It's encrypted with quantum cryptography
• B) The connection is outbound-only — no inbound ports are opened on your router ✓
• C) It uses an obscure port number that hackers don't know

Q2: What does Cloudflare provide automatically when your tunnel is up?

• A) A free domain name
• B) TLS / HTTPS termination with a valid certificate ✓
• C) A backup of your container

Q3: What's the difference between a quick tunnel and a named tunnel?

• A) Quick tunnels are slower
• B) Quick tunnels give an ephemeral random URL; named tunnels give a stable URL on a domain you own ✓
• C) Named tunnels cost money

Q4: When you stop cloudflared with Ctrl+C, what happens to the public URL?

• A) It keeps serving for 24 hours then expires
• B) It stops resolving immediately — no orphaned exposure ✓
• C) It permanently belongs to your account

Bonus Challenge

Upgrade to a named tunnel with your own domain. If you don't have a domain, register a cheap one at Cloudflare Registrar (about $9/year for a .com). Then:

1. Run cloudflared tunnel login — authenticates the CLI with your Cloudflare account.
2. Run cloudflared tunnel create snake-game — creates a persistent tunnel.
3. Run cloudflared tunnel route dns snake-game game.yourdomain.com — Cloudflare auto-creates the DNS record.
4. Run cloudflared tunnel --name snake-game --url http://localhost:3000 — your game now lives at https://game.yourdomain.com with a permanent URL.

Once you've done this, your snake game has a URL that fits on a business card. That feels qualitatively different from a random trycloudflare.com link, and the workflow is identical for any container you'll ever run.

Next Lesson

Lesson 08: The Language Every App Speaks — JSON

You'll learn: Your app is now globally accessible. The next thing every networked app does is send and receive structured data — and the format almost everyone agrees on is JSON. Six data types, real gotchas, why it beat XML.

Your laptop is now a webserver visible from any phone in the world. 📡