CloudFlare: Argo Tunnel

Cloudflare’s lightweight Argo Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center - all without opening any public inbound ports.

After locking down all origin server ports and protocols using your firewall, any request on HTTP/S ports are dropped, including volumetric DDoS Attacks. Data Breach attempts - such as snooping of data in transit or brute force login attacks - are blocked entirely.

Argo Tunnel lets you quickly secure and encrypt application traffic to any type of infrastructure, freeing you to focus on delivering great applications. Now you can encrypt origin traffic and hide your web server IP addresses so direct attacks can’t happen.

Configure Argo Tunnel

1. Download cloudflared package from here.

# On CentOS
wget -O /tmp/cloudflared-stable-linux-amd64.rpm https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.rpm
# On Ubuntu
wget -O /tmp/cloudflared-stable-linux-amd64.deb https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb

2. Install the cloudflared package.

# On CentOS
rpm -ivh /tmp/cloudflared-stable-linux-amd64.rpm
# On Ubuntu
dpkg -i /tmp/cloudflared-stable-linux-amd64.deb

3. Once installed, verify cloudflared has installed properly by checking the version.

/usr/local/bin/cloudflared --version

Firewall Instructions

The cloudflared daemon connects to cloudflare network on port 7844/TCP. Therefore, make sure to open 7844/TCP Outbound in your Firewall.

4. The first thing you will need to do is login to your Cloudflare account from cloudflared. Run the following command and a login page should open in your browser. If the browser fails to open automatically, copy and paste the URL into your browser’s address bar and press enter.

/usr/local/bin/cloudflared tunnel login

5. Once you login, you will see a list of domains associated with your account. Locate the domain you wish to connect a tunnel to and click its name in the table row. Once you select the domain, cloudflared will automatically install a certificate to authenticate your machine to the Cloudflare network. Once cloudflared installs the certificate, you’ll see a Success message in your browser, and you can start using cloudflared and Argo Tunnel!

6. Argo Tunnel runs a virtual, encrypted tunnel from a locally running web server to the Cloudflare network. Tunnel automatically creates DNS records for you, you can choose a subdomain that doesn’t yet have anything running or configured.

/usr/local/bin/cloudflared tunnel --hostname api.yasithab.com --url http://localhost:3000

7. Argo Tunnel can install itself as a system service on Linux. Create the cloudflared directory and copy the certificate file which is already fetched.

# Create the cloudflared directory if not exist
mkdir -p /etc/cloudflared
# Copy Argo certificate into /etc/cloudflared directory
sudo cp ~/.cloudflared/cert.pem /etc/cloudflared

8. Create cloudflared configuration file /etc/cloudflared/config.yml and add the following content.

8.1. Route traffic directly to the Web Server.

hostname: api.yasithab.com
url: http://localhost:3000
logfile: /var/log/cloudflared.log

8.2. You can create a Load Balancer within Cloudflare which will direct traffic to Argo Tunnels which have been started on multiple machines or even on multiple continents. This is the recommended way to deploy high-availability tunnels in production, and allows you to use all of the powerful features provided by Cloudflare Load Balancing.

hostname: api.yasithab.com
url: http://localhost:3000
lb-pool: API-CF
logfile: /var/log/cloudflared.log

9. Install Argo as a Linux service.

sudo /usr/local/bin/cloudflared service install

10. Check whether argo tunnel is running.

sudo ps -aux | grep tunnel

References