Cloudflare Tunnel Setup

Overview

Cloudflare Tunnel lets you expose your local Solar-Log installation securely over the internet, without port forwarding or a public IP.

Advantages

No port forwarding - no router configuration needed
Automatic HTTPS - SSL/TLS from Cloudflare
DDoS protection - Cloudflare's global network
Zero Trust security - only authorized users
Free - for private use

Prerequisites

  1. Cloudflare account (free)
  2. Domain on Cloudflare (e.g. karma.organic)
  3. cloudflared CLI installed

Installing cloudflared

# macOS (Homebrew)
brew install cloudflare/cloudflare/cloudflared

# Linux (Debian/Ubuntu)
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb

# Verify
cloudflared --version

Setup

1. Cloudflare login

cloudflared tunnel login

This opens your browser for authentication.

2. Create the tunnel

# Create the tunnel
cloudflared tunnel create solarlog-tunnel

# Note the tunnel ID (e.g. 162b580f-7e69-4a11-8461-77eac5bfc30e)

The credentials are stored at:

~/.cloudflared/162b580f-7e69-4a11-8461-77eac5bfc30e.json

3. Configure DNS routes

# API subdomain → Nginx proxy (port 8080)
cloudflared tunnel route dns solarlog-tunnel solarlog-api.karma.organic

# Dashboard subdomain → frontend (port 3000)
cloudflared tunnel route dns solarlog-tunnel solarlog.karma.organic

4. Create the tunnel config

File: deployment/cloudflare/tunnel-config.yml

# Cloudflare Tunnel Configuration for SolarLog
tunnel: 162b580f-7e69-4a11-8461-77eac5bfc30e
credentials-file: /Users/gm/.cloudflared/162b580f-7e69-4a11-8461-77eac5bfc30e.json

ingress:
  # API endpoint (recommended via the Nginx proxy)
  - hostname: solarlog-api.karma.organic
    service: http://localhost:8080
    originRequest:
      noTLSVerify: true
      connectTimeout: 30s
      keepAliveTimeout: 90s
      keepAliveConnections: 100

  # Dashboard frontend
  - hostname: solarlog.karma.organic
    service: http://localhost:3000
    originRequest:
      noTLSVerify: true
      connectTimeout: 30s
      keepAliveTimeout: 90s
      keepAliveConnections: 100

  # Catch-all for 404
  - service: http_status:404

5. Start the tunnel

# Run once in the foreground to test
cloudflared tunnel --config deployment/cloudflare/tunnel-config.yml run solarlog-tunnel

# As a service (starts automatically)
cloudflared service install

Configuration

Ingress rules

The ingress rules define how traffic is routed; cloudflared uses the first rule that matches a request:

ingress:
  # Rule 1: API via Nginx proxy
  - hostname: solarlog-api.karma.organic
    service: http://localhost:8080  # Nginx reverse proxy

  # Rule 2: direct frontend access
  - hostname: solarlog.karma.organic
    service: http://localhost:3000

  # Catch-all (always last!)
  - service: http_status:404

Origin Request Options

originRequest:
  noTLSVerify: true        # Skips origin certificate checks on https:// origins; no effect on the plain http:// services above
  connectTimeout: 30s      # Connection timeout
  keepAliveTimeout: 90s    # Keep-alive timeout
  keepAliveConnections: 100 # Connection pool size
  httpHostHeader: ""       # Custom Host header (optional)
  caPool: ""               # Custom CA pool (optional)
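The following is an added example, not code from the Solar-Log project or from cloudflared: it reproduces cloudflared's first-match ingress routing for the rules above (exact hostnames only, no wildcards) and lints the rule list for the mistakes that matter before deploying, such as a misplaced catch-all or a noTLSVerify flag that either does nothing or weakens origin verification. The config dict is constructed inline to mirror tunnel-config.yml.

```python
import re

# Constructed to mirror the ingress section of tunnel-config.yml
CONFIG = {
    "ingress": [
        {"hostname": "solarlog-api.karma.organic", "service": "http://localhost:8080",
         "originRequest": {"noTLSVerify": True}},
        {"hostname": "solarlog.karma.organic", "service": "http://localhost:3000",
         "originRequest": {"noTLSVerify": True}},
        {"service": "http_status:404"},
    ]
}

def route(ingress, host, path="/"):
    """Return the service a request is sent to: first matching rule wins."""
    for rule in ingress:
        if rule.get("hostname") and rule["hostname"] != host:
            continue
        if rule.get("path") and not re.search(rule["path"], path):
            continue
        return rule["service"]
    # cloudflared refuses to start without a catch-all rule
    raise ValueError("no catch-all rule")

def lint(ingress):
    """Return review findings for an ingress rule list (empty list = clean)."""
    findings = []
    for i, rule in enumerate(ingress):
        is_last = i == len(ingress) - 1
        if "hostname" not in rule and "path" not in rule and not is_last:
            findings.append(f"rule {i}: catch-all shadows every later rule")
        svc = rule.get("service", "")
        no_verify = rule.get("originRequest", {}).get("noTLSVerify", False)
        if svc.startswith("http://") and no_verify:
            findings.append(f"rule {i}: noTLSVerify has no effect on a plain-HTTP origin")
        if svc.startswith("https://") and no_verify:
            findings.append(f"rule {i}: noTLSVerify disables origin certificate checks")
        if svc.startswith(("http://", "https://")) and not re.match(
                r"https?://(localhost|127\.0\.0\.1)[:/]", svc):
            findings.append(f"rule {i}: origin {svc} is not on localhost")
    if not ingress or "hostname" in ingress[-1] or "path" in ingress[-1]:
        findings.append("last rule must be a catch-all")
    return findings

if __name__ == "__main__":
    print(route(CONFIG["ingress"], "solarlog-api.karma.organic", "/health"))
    for finding in lint(CONFIG["ingress"]):
        print("finding:", finding)
```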

URLs & access

After successful setup:

Service     URL                                         Description
Dashboard   https://solarlog.karma.organic              Frontend UI
API         https://solarlog-api.karma.organic/api/v1   Backend API
API Docs    https://solarlog-api.karma.organic/docs     Swagger UI
Health      https://solarlog-api.karma.organic/health   Health check

Tunnel management

Check status

# Tunnel status
cloudflared tunnel list

# Tunnel info
cloudflared tunnel info solarlog-tunnel

# DNS routes
cloudflared tunnel route dns list

Show logs

# Service logs (macOS)
tail -f /usr/local/var/log/cloudflared.log

# Service logs (Linux)
journalctl -u cloudflared -f

Restart the tunnel

# Restart the service
sudo launchctl stop com.cloudflare.cloudflared
sudo launchctl start com.cloudflare.cloudflared

# Or reinstall the service
cloudflared service uninstall
cloudflared service install

Delete the tunnel

# Remove DNS routes
cloudflared tunnel route dns delete solarlog-tunnel solarlog-api.karma.organic
cloudflared tunnel route dns delete solarlog-tunnel solarlog.karma.organic

# Delete the tunnel
cloudflared tunnel delete solarlog-tunnel

Security

Access control (Zero Trust)

Protect your endpoints with Cloudflare Access:

  1. Go to Cloudflare Dashboard → Zero Trust → Access
  2. Create an application:
    Name: Solar-Log Dashboard
    Domain: solarlog.karma.organic
  3. Add a policy:
    Name: Allow Email
    Action: Allow
    Include: Emails ending in @yourdomain.com

IP restrictions

# In tunnel-config.yml
ingress:
  - hostname: solarlog-api.karma.organic
    service: http://localhost:8080
    originRequest:
      # ipRules filter private-network traffic that reaches origins through
      # the tunnel (WARP routes); they do not filter public visitors of the
      # hostname. Restrict public access with an Access policy or a WAF rule.
      ipRules:
        - prefix: "192.168.1.0/24"
          ports: [8080]
          allow: true
        - prefix: "10.0.0.0/8"
          ports: [8080]
          allow: true

Rate limiting

Configure in the Cloudflare dashboard:

  1. Rules → Rate Limiting
  2. Create a new rule:

If: Hostname equals solarlog-api.karma.organic
Then: Rate limit requests exceeding 100 requests per minute

Troubleshooting

Tunnel does not connect

# Validate the ingress rules in the config
cloudflared tunnel --config deployment/cloudflare/tunnel-config.yml ingress validate

# Verbose mode
cloudflared tunnel --config deployment/cloudflare/tunnel-config.yml --loglevel debug run solarlog-tunnel

DNS not resolving

# DNS check
nslookup solarlog-api.karma.organic
dig solarlog-api.karma.organic

# Wait 5-10 minutes after DNS changes

502 Bad Gateway

Check whether the local service is running:

# Backend test
curl http://localhost:8080/health

# Docker services
docker compose ps

Credentials error

# Re-create credentials
cloudflared tunnel login
cloudflared tunnel token solarlog-tunnel

# Check the config
cat deployment/cloudflare/tunnel-config.yml

Best practices

1. Use Nginx as a proxy

Recommended: Tunnel → Nginx (8080) → Services

Advantages:
- Central CORS configuration
- Request logging
- Load balancing
- Caching

2. Separate tunnels for production

# Development tunnel
cloudflared tunnel create solarlog-dev

# Production tunnel
cloudflared tunnel create solarlog-prod

3. Enable monitoring

# In tunnel-config.yml
metrics: localhost:9126  # Prometheus metrics endpoint

Fetch metrics:

curl http://localhost:9126/metrics

4. Automatic restarts

macOS (launchd):

cloudflared service install
# Starts automatically at system boot

Linux (systemd):

sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

5. Health checks

ingress:
  - hostname: solarlog-api.karma.organic
    service: http://localhost:8080
    originRequest:
      # Host header sent to the origin, so Nginx routes the request to the
      # right server block; the health endpoint itself is /health (see URLs & access)
      httpHostHeader: "solarlog-api.karma.organic"

Performance

Connection pooling

originRequest:
  keepAliveConnections: 100  # Connection Pool
  keepAliveTimeout: 90s      # Reuse Connections
  tcpKeepAlive: 30s          # TCP Keep-Alive

Compression

Cloudflare compresses automatically:
- Gzip for text/HTML/CSS/JS
- Brotli for modern browsers

Caching

Enable in the Cloudflare dashboard:

  1. Rules → Page Rules
  2. New rule: solarlog.karma.organic/static/*
  3. Cache Level: Standard
  4. Edge Cache TTL: 1 month

Monitoring

Cloudflare Analytics

Dashboard → Analytics:
- Request count
- Bandwidth
- Status codes
- Geolocation

Custom metrics

# Prometheus metrics
curl http://localhost:9126/metrics | grep cloudflared

# Import the Grafana dashboard
# Dashboard ID: 12345 (Cloudflare Tunnel)
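As an added example (not cloudflared's or the project's own code), the following parses the Prometheus text exposition that the metrics endpoint above returns and flags a degraded tunnel. The sample output is constructed; the metric names and the default of four HA connections per cloudflared instance are assumptions to verify against your own `curl http://localhost:9126/metrics` output.

```python
import re

# Constructed sample of what the metrics endpoint returns (metric names assumed)
SAMPLE = """\
# HELP cloudflared_tunnel_ha_connections Number of active HA connections
# TYPE cloudflared_tunnel_ha_connections gauge
cloudflared_tunnel_ha_connections 2
# HELP cloudflared_tunnel_total_requests Total requests proxied
# TYPE cloudflared_tunnel_total_requests counter
cloudflared_tunnel_total_requests 1520
cloudflared_tunnel_request_errors 40
"""

# One sample line: name, optional {labels}, value
LINE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{[^}]*\})?\s+(-?[0-9.eE+]+|NaN|[+-]Inf)\s*$')

def parse_metrics(text):
    """Map 'name{labels}' to float value, skipping HELP/TYPE and blank lines."""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            name, labels, value = m.groups()
            out[name + (labels or "")] = float(value)
    return out

def tunnel_health(metrics, expected_connections=4, max_error_ratio=0.01):
    """Return findings worth alerting on (empty list = healthy)."""
    findings = []
    conns = metrics.get("cloudflared_tunnel_ha_connections", 0)
    if conns < expected_connections:
        findings.append(f"only {int(conns)}/{expected_connections} HA connections up")
    total = metrics.get("cloudflared_tunnel_total_requests", 0)
    errors = metrics.get("cloudflared_tunnel_request_errors", 0)
    if total and errors / total > max_error_ratio:
        findings.append(f"error ratio {errors / total:.1%} exceeds {max_error_ratio:.0%}")
    return findings

if __name__ == "__main__":
    for finding in tunnel_health(parse_metrics(SAMPLE)):
        print("alert:", finding)
```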

Costs

Cloudflare Tunnel is free for:
- Unlimited bandwidth
- Unlimited requests
- Standard DDoS protection
- Basic analytics

Enterprise features (paid):
- Advanced DDoS protection
- WAF (Web Application Firewall)
- Load balancing
- Custom SSL certificates

Next steps