Home

Integrations

Cloudflare Tunnel

Publish services on localhost to the public internet through an encrypted Cloudflare outbound connection — no port forwarding, no static IP, automatic TLS.

Overview

KillTheHost integrates with Cloudflare Tunnel so you can host websites, APIs, and the control panel without exposing router ports. The tunnel runs as cloudflared on the host and forwards inbound traffic to containers managed by STAX-MNGR or services running on the loopback interface.

Prerequisites

  • A domain added to Cloudflare with nameservers delegated to Cloudflare.
  • A Cloudflare account with Zero Trust enabled (free tier is sufficient).
  • Admin/sudo access on the host to install the cloudflared daemon.

Install cloudflared

Linux (Debian/Ubuntu)

bash
$curl -L --output cloudflared.deb \
   https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
$sudo dpkg -i cloudflared.deb
$cloudflared --version

macOS

zsh
$brew install cloudflared
$cloudflared --version

Windows

Download the MSI installer from the cloudflared releases page and run it as administrator. After installation, open a new PowerShell window.

Authenticate & create tunnel

Authenticate cloudflared with your Cloudflare account. This opens a browser window where you select the zone the tunnel will live in.

bash
$cloudflared tunnel login

Then create the tunnel and note the UUID that is returned.

bash
$cloudflared tunnel create killthehost
Tunnel created: 87d3a1f6-0b7e-4a91-8c4d-bd0e5e9a6f2c

Route hostnames

Create a config file at $HOME/.cloudflared/config.yml that maps hostnames to local services.

config.yml
tunnel: 87d3a1f6-0b7e-4a91-8c4d-bd0e5e9a6f2c
credentials-file: /home/you/.cloudflared/87d3a1f6-0b7e-4a91-8c4d-bd0e5e9a6f2c.json
ingress:
  - hostname: app.example.com
    service: http://localhost:8080
  - hostname: api.example.com
    service: http://localhost:3000
  - hostname: panel.example.com
    service: http://localhost:5000
  - service: http_status:404

Register each hostname as a public DNS record pointing at the tunnel.

bash
$cloudflared tunnel route dns killthehost app.example.com
$cloudflared tunnel route dns killthehost api.example.com
$cloudflared tunnel route dns killthehost panel.example.com

Run as a service

Install cloudflared as a system service so it starts automatically at boot.

bash
# Linux (systemd)
$sudo cloudflared service install
$sudo systemctl status cloudflared
# macOS
$sudo cloudflared service install

Verify the tunnel

Check tunnel health from the CLI or from the KillTheHost panel Tunnels tab, which polls the Cloudflare API every 30 seconds.

bash
$cloudflared tunnel info killthehost
$killthehost tunnel status

Once the status is healthy, open one of your hostnames in a browser. Traffic terminates TLS at the Cloudflare edge and is forwarded over the encrypted outbound connection to the service on your host.

Previous

MAIL-SRVR

Next

Domain Sync