Home data center series: using tunnel technology so that home broadband without a public IP can use Cloudflare for free to quickly build a website (recommended)
This article was last updated 205 days ago. The information in it may have developed or changed. If it is invalid, please leave a message in the comment section.

Preface

The free CDN plan that Cloudflare offers to individuals works well everywhere except China. However, Cloudflare normally only accepts second-level domain names that are onboarded via NS, and when a site is set up through DNS a public IP address has to be specified. A dynamic public IP is not a problem, because the A record in Cloudflare DNS can be updated in real time through the API. Whether ports 80 and 443 are available does not matter either, because non-standard origin ports can be set through Origin Rules. All of this is very unfriendly to anyone who does not have a public IP, which is the case for most home broadband.

However, if I don't have a public IP and HTTPS port 443, can I still use Cloudflare for free?

Under normal circumstances, of course not. So how do you use Cloudflare for free when circumstances are not normal? This is where Cloudflare's tunnel technology comes in. A tunnel means installing a "connector" in the local network of your site, so that your local network and Cloudflare are directly connected at the logical level, which is the same principle as a VPN. Cloudflare can then reach the site in your local network directly, which avoids all of the unfavorable network conditions mentioned above: whether or not you have a public IP, whether or not port 443 is available, and whichever domestic operator's home broadband or cloud provider's cloud host you use, you can use Cloudflare directly to build a website.

Deploy

(Optional) Activate Zero Trust's Free plan

If you have not used the Zero Trust function before, you need to initialize it for the first time. Click Zero Trust in the red box in the figure below:

image.png

You can fill in the Team name in the red box below at will:
image.png

Choose the Free plan:
image.png

Add a payment method; a dual-currency credit card is recommended:
image.png

Fill in the credit card information (only for verification, no payment will be deducted) and complete the configuration:
image.png

Create a tunnel

image.png

Click the Create a tunnel button in the red box below:
image.png

I plan to deploy this tunnel on a lightweight server on Tencent Cloud, so I name the tunnel tencentcloud and click the save tunnel button in the red box in the lower right corner:
image.png

Choose a deployment method

Cloudflare's tunnel supports multiple environments: Windows, Mac, Debian, Red Hat and Docker. You can choose according to your actual situation. I chose the Docker method. In fact, the Debian method is also OK. My Tencent Cloud lightweight server is Debian. However, the Docker method is cleaner and easier to maintain, so it is my preferred method:

image.png

Copy the command in the red box in the above picture first. This command is incomplete and needs to be supplemented. Please refer to the next section for the complete command.

Create a Docker version of the CloudFlare connector on Tencent Cloud Lightweight Server

As usual, first create the directory on the Tencent Cloud lightweight server that will be mapped into the container:

mkdir -p /docker/cloudflare/data

Create a Docker version connector:

docker run --name cloudflare -d --restart=always \
  -v /docker/cloudflare/data:/etc/cloudflared \
  cloudflare/cloudflared:latest tunnel --no-autoupdate run --token xxxxxx

Note that, compared to the command copied from Cloudflare, the command above adds the first and second lines. If the -v parameter in the second line is not added, the status of my Cloudflare connector will be abnormal. The normal status of the connector is as follows:
image.png
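
The command above passes the tunnel token as a command-line argument, where it ends up in shell history and in the process list. As an added example (not from the original post), the script below starts the same container with the token read from a mode-600 env file; it assumes cloudflared's TUNNEL_TOKEN environment variable, and the path /docker/cloudflare/tunnel.env is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: cloudflared reads the
# token from the TUNNEL_TOKEN environment variable; the env-file path below is
# a hypothetical location chosen for this example.
TOKEN_FILE="${TOKEN_FILE:-/docker/cloudflare/tunnel.env}"

# save_token FILE: read the token from stdin (so it never appears in argv or
# shell history) and write TUNNEL_TOKEN=<token> to FILE with mode 600.
save_token() {
    token=
    IFS= read -r token || [ -n "$token" ] || return 1
    [ -n "$token" ] || return 1
    ( umask 077 && rm -f "$1" && printf 'TUNNEL_TOKEN=%s\n' "$token" > "$1" )
}

# token_file_ok FILE: succeed only if FILE is a regular file (not a symlink)
# with no group or other permissions and exactly one non-empty token line.
token_file_ok() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then return 1; fi
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ] || return 1
    [ "$(grep -c '^TUNNEL_TOKEN=.' "$1")" -eq 1 ]
}

# start_connector FILE: same container as in the article, but the token comes
# from --env-file instead of "--token xxxxxx". It is still visible to anyone
# who can run "docker inspect", so access to the Docker socket stays restricted.
start_connector() {
    token_file_ok "$1" || { echo "refusing to start: check $1" >&2; return 1; }
    docker run --name cloudflare -d --restart=always \
        --env-file "$1" \
        -v /docker/cloudflare/data:/etc/cloudflared \
        cloudflare/cloudflared:latest tunnel --no-autoupdate run
}

# Nothing runs unless a mode is given on the command line.
case "${1:-}" in
    save)  save_token "$TOKEN_FILE" ;;
    start) start_connector "$TOKEN_FILE" ;;
esac
```

Run the script with `save` and paste the token on stdin, then run it with `start`.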

Configure the domain name and application URL

On the Tunnel interface, select configure in the red box on the far right of the tencentcloud tunnel that you just created:

image.png

Select: "Public Hostname" - "Public hostnames":
image.png

The following interface appears:
image.png

The 4 red boxes are what we need to fill in. Assume that our domain name on Cloudflare is example.com, the host we want to add is www, the intranet IP address of the Tencent Cloud server is 10.0.0.3, and the site port is 80. Do not use the public IP of the cloud server directly: the public IP is provided through address mapping, and the server itself only has a private address. Do not use 127.0.0.1 either, because inside the Docker container 127.0.0.1 is the connector container itself, not the server. So you can only use the intranet IP address of the server. Then fill in the information as follows:
Subdomain: www
Domain: example.com
Type: http
URL: 10.0.0.3:80

Type is set to http because Cloudflare automatically provides HTTPS access to the outside world.

If the Docker version of the connector is installed on the home broadband intranet, the URL can directly use the intranet address and port of the intranet site.

In fact, the result of this configuration is an additional CNAME record with the host name www in the DNS of this domain name, whose record value is the tunnel ID of the tunnel:

image.png

You can add multiple applications in the same way.
Note: If the application specified by the URL above is bound to a host name (for example, the application is nginx and the site specifies server_name), you need to add the domain name configured earlier to nginx's server_name. In the example above that is www.example.com. Otherwise the site cannot be accessed normally.

Access

You can now access the intranet application directly at https://www.example.com. Of course, an application published through Cloudflare will be slower when accessed directly from China. I will discuss speed optimization in other articles later. In general, though, if the main users are domestic and have high requirements for experience, it is better to complete an ICP filing for the domain. I now have two domain names: one has a filing and mainly serves domestic users, because I need to use Tencent Cloud's CDN; the other is placed on Cloudflare and mainly serves overseas access. The two can be regarded as backups of each other.

The content of the blog is original. Please indicate the source when reprinting! For more blog articles, see the Sitemap. The RSS address of the blog is https://blog.tangwudi.com/feed, and you are welcome to subscribe; if necessary, you can join the Telegram Group to discuss problems together.

Comments

  1. Little Fish
    Windows Edge 128.0.0.0
    5 months ago
    2024-9-14 16:59:32

    I would like to ask if this method can further optimize the network speed, or the next article to guide. I am currently using the cftunnel+traefik solution to achieve intranet penetration+reverse proxy. Is there any room for further optimization? Thanks for your advice!

    • Owner
      Little Fish
      Macintosh Chrome 128.0.0.0
      5 months ago
      2024-9-14 20:43:55

      Yes, you can. You are only using tunnel to realize the most basic publishing of the intranet website. It is just the beginning. There are still many follow-up optimizations, such as website acceleration and website security. You can follow my pinned cloudflare learning map step by step.
