
Using Traefik with Cloudflare Tunnels · Matt Dyson

A complete guide to building a zero-port-forwarding homelab setup using Traefik, Cloudflare Tunnels, and automated DNS management—expose Docker services externally with OAuth protection while keeping your network locked down.

· infrastructure
Summary used for search

• Cloudflare Tunnel eliminates the need for router port forwarding while still exposing services externally—all traffic routes through Cloudflare's network
• Traefik acts as the reverse proxy reading Docker labels, with automatic SSL via ACME DNS-01 challenge (works even before external access is configured)
• Cloudflare Companion automates DNS record creation by watching Docker labels—add traefik.constraint=proxy-public to any service and it automatically gets a CNAME record
• Google OAuth integration via traefik-forward-auth middleware provides authentication for protected services without managing separate credentials
• The architecture supports both internal-only and externally-accessible services on the same infrastructure, with fault tolerance through Docker Swarm

The author documents their complete homelab infrastructure setup that solves a common problem: exposing Docker services externally without opening router ports while maintaining security and automation. The core architecture uses Cloudflare Tunnel as the entry point (eliminating port forwarding), Traefik as the reverse proxy, and several helper services to automate DNS management and authentication.

The key innovation is the integration of Cloudflare Companion, which watches Docker service labels and automatically creates DNS records in Cloudflare. Services marked with traefik.constraint=proxy-public get CNAME records pointing to the tunnel, while internal services remain accessible only on the local network. Traefik handles SSL certificates automatically using ACME DNS-01 challenge, which works immediately even before external access is configured. The setup uses traefik-forward-auth as middleware to add Google OAuth protection to any service with a single label, avoiding the need for separate authentication systems.

The implementation requires Docker Swarm for orchestration, internal DNS (using Blocky or Pi-hole), and a Cloudflare account with API access. The author provides complete Docker Compose configurations showing how all components interconnect—the tunnel connects to Traefik, which routes to applications, while Companion manages DNS and forward-auth handles authentication. The only acknowledged limitation is that Traefik represents a single point of failure, causing brief downtime during restarts, which the author accepts for their use case. The guide includes working configurations for all components and demonstrates the complete flow from external user through Cloudflare to internal application.
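As an added illustration of the wiring the summary describes (this is not configuration from the original article), the following Docker Swarm stack puts the four pieces together: the tunnel as the only ingress, Traefik with a DNS-01 resolver, Cloudflare Companion filtering on the traefik.constraint label, and traefik-forward-auth as a middleware. Image tags, the example.com hostnames, the `proxy` overlay network, the router and middleware names (`auth`, `whoami`, `fwdauth`, `cf`) and every REPLACE_WITH_... value are assumptions; the environment variable names for cloudflared, Companion and traefik-forward-auth are the ones those projects document upstream, so check them against the versions you deploy.

```yaml
# Added example, not the article's own stack. Hostnames, image tags, the
# overlay network name and every REPLACE_WITH_... value are placeholders.
version: "3.8"

networks:
  proxy:
    driver: overlay

services:
  # Entry point: outbound-only connection to Cloudflare, so no router ports.
  # The tunnel's public hostname (*.example.com) is mapped to https://traefik
  # in the Cloudflare Zero Trust dashboard; nothing here listens on the WAN.
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: "REPLACE_WITH_TUNNEL_TOKEN"
    networks: [proxy]

  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false   # opt in per service
      - --entrypoints.websecure.address=:443
      # DNS-01 only needs API access to the zone, so certificates are
      # issued before any hostname is reachable from outside.
      - --certificatesresolvers.cf.acme.dnschallenge=true
      - --certificatesresolvers.cf.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cf.acme.email=admin@example.com
      - --certificatesresolvers.cf.acme.storage=/letsencrypt/acme.json
    environment:
      CF_DNS_API_TOKEN: "REPLACE_WITH_DNS_EDIT_TOKEN"  # scope: one zone, DNS:Edit
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certs:/letsencrypt
    networks: [proxy]
    deploy:
      placement:
        constraints: [node.role == manager]

  # Watches Swarm service labels and creates a proxied CNAME, pointing at the
  # tunnel hostname, for every service carrying traefik.constraint=proxy-public.
  cloudflare-companion:
    image: tiredofit/traefik-cloudflare-companion:latest
    environment:
      TRAEFIK_VERSION: "2"
      DOCKER_SWARM_MODE: "TRUE"
      CF_TOKEN: "REPLACE_WITH_DNS_EDIT_TOKEN"
      TARGET_DOMAIN: "REPLACE_WITH_TUNNEL_ID.cfargotunnel.com"
      DOMAIN1: "example.com"
      DOMAIN1_ZONE_ID: "REPLACE_WITH_ZONE_ID"
      DOMAIN1_PROXIED: "TRUE"
      TRAEFIK_FILTER_LABEL: "traefik.constraint"
      TRAEFIK_FILTER: "proxy-public"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      placement:
        constraints: [node.role == manager]

  # Google OAuth gate; any router that lists the fwdauth middleware is protected.
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      PROVIDERS_GOOGLE_CLIENT_ID: "REPLACE_WITH_CLIENT_ID"
      PROVIDERS_GOOGLE_CLIENT_SECRET: "REPLACE_WITH_CLIENT_SECRET"
      SECRET: "REPLACE_WITH_RANDOM_COOKIE_SECRET"
      AUTH_HOST: "auth.example.com"
      COOKIE_DOMAIN: "example.com"
      WHITELIST: "you@example.com"   # only this Google account may sign in
    networks: [proxy]
    deploy:
      labels:
        - traefik.enable=true
        - traefik.constraint=proxy-public
        - traefik.http.routers.auth.rule=Host(`auth.example.com`)
        - traefik.http.routers.auth.entrypoints=websecure
        - traefik.http.routers.auth.tls.certresolver=cf
        - traefik.http.routers.auth.middlewares=fwdauth
        - traefik.http.services.auth.loadbalancer.server.port=4181
        - traefik.http.middlewares.fwdauth.forwardauth.address=http://traefik-forward-auth:4181
        - traefik.http.middlewares.fwdauth.forwardauth.authResponseHeaders=X-Forwarded-User

  # Externally reachable and OAuth-protected: one label does each job.
  whoami:
    image: traefik/whoami
    networks: [proxy]
    deploy:
      labels:
        - traefik.enable=true
        - traefik.constraint=proxy-public                 # Companion creates the CNAME
        - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
        - traefik.http.routers.whoami.entrypoints=websecure
        - traefik.http.routers.whoami.tls.certresolver=cf
        - traefik.http.routers.whoami.middlewares=fwdauth  # forward-auth gate
        - traefik.http.services.whoami.loadbalancer.server.port=80

volumes:
  traefik-certs:
```

An internal-only service gets the same `traefik.http.*` labels but omits `traefik.constraint=proxy-public`, so Companion never publishes it and it resolves only through the internal DNS (Blocky or Pi-hole) the summary mentions. After `docker stack deploy -c stack.yml homelab`, confirm that the CNAME for whoami appears in the zone and that an unauthenticated request to it is redirected to auth.example.com. Both Cloudflare tokens should be scoped to DNS edit on the single zone, since each runs in a container with access to the Docker socket.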