Skip to main content
d.frishchin:~$
← cd ../blog
infra2026.06.187 min read

Why I retired every public port for Cloudflare Tunnels

The safest open port is the one that does not exist. After years of maintaining reverse proxies and rotating certificates by hand, I moved every service behind Cloudflare Tunnels — and closed all inbound firewall rules for good.

A tunnel establishes an outbound-only connection from the origin to the edge. There is nothing to port-scan, nothing to expose, and no certificate to forget. Access policies then gate each route by identity before a request ever reaches your box.

config.yml
tunnel: prod-edge
credentials-file: /etc/cf/prod.json
ingress:
  - hostname: grafana.internal.dev
    service: http://localhost:3000
  - hostname: api.internal.dev
    service: http://localhost:8080
  - service: http_status:404

The origins bind only to localhost. Every request is authenticated at the edge, logged, and streamed into Loki for audit. What used to be a dozen attack surfaces is now one outbound connection.

#cloudflare#zero-trust#networking