
Cloudflare Tunnel Setup


Last Updated: 2026-01-28
Status: Production - 17 routes active on NAS


Overview

Cloudflare Tunnel provides secure, public ingress for the BlueFly Agent Platform without opening firewall ports or exposing internal network infrastructure.


Current Configuration

Tunnel Details

  • Tunnel Name: agent-webhook
  • Tunnel ID: f6da7bdf-d0f8-4796-a804-afb7984bbe11
  • Status: Healthy (7 hours uptime verified 2025-12-26)
  • Connector Type: cloudflared
  • Running On: Synology NAS (blueflynas.tailcf98b3.ts.net) - PRODUCTION
  • Dashboard: https://one.dash.cloudflare.com/

Service Install Token

eyJhIjoiNDlhMGNjZDM2ZTUyYzc5MWRiMjk2MDRlN2ZlM2I3OTMiLCJ0IjoiZjZkYTdiZGYtZDBmOC00Nzk2LWE4MDQtYWZiNzk4NGJiZTExIiwicyI6ImZxdXQvdkJrdlB1UmhjL04wRHd3dWNXK3lDd3NUU1B3Yi9EMDRiTjRWVmM9In0=

Installation

Option 1: Service Install (Recommended)

sudo cloudflared service install eyJhIjoiNDlhMGNjZDM2ZTUyYzc5MWRiMjk2MDRlN2ZlM2I3OTMiLCJ0IjoiZjZkYTdiZGYtZDBmOC00Nzk2LWE4MDQtYWZiNzk4NGJiZTExIiwicyI6ImZxdXQvdkJrdlB1UmhjL04wRHd3dWNXK3lDd3NUU1B3Yi9EMDRiTjRWVmM9In0=

Option 2: Manual Run

cloudflared tunnel run --token eyJhIjoiNDlhMGNjZDM2ZTUyYzc5MWRiMjk2MDRlN2ZlM2I3OTMiLCJ0IjoiZjZkYTdiZGYtZDBmOC00Nzk2LWE4MDQtYWZiNzk4NGJiZTExIiwicyI6ImZxdXQvdkJrdlB1UmhjL04wRHd3dWNXK3lDd3NUU1B3Yi9EMDRiTjRWVmM9In0=

Published Routes

Current Routes (2026-01-28)

#   Domain                               Service  Origin URL                                  Origin Config       Purpose
1   api.blueflyagents.com                *        https://blueflynas.tailcf98b3.ts.net:3005  0                   API Gateway
2   mesh.bluefly.internal                *        https://blueflynas.tailcf98b3.ts.net:3005  0                   Agent Mesh Gateway
3   nas.blueflyagents.com                *        https://blueflynas.tailcf98b3.ts.net:5001  1 (connectTimeout)  NAS Web UI
4   storage.blueflyagents.com            *        https://blueflynas.tailcf98b3.ts.net:9000  0                   MinIO S3 Storage
5   kagent.blueflyagents.com             *        https://blueflynas.tailcf98b3.ts.net:8080  0                   Kagent Service
6   controller.kagent.blueflyagents.com  *        https://blueflynas.tailcf98b3.ts.net:8083  0                   Kagent Controller
7   mcp.blueflyagents.com                *        https://blueflynas.tailcf98b3.ts.net:4005  0                   MCP Server
8   dashboard.mcp.blueflyagents.com      *        https://blueflynas.tailcf98b3.ts.net:3003  0                   MCP Dashboard
9   router.bluefly.internal              *        https://blueflynas.tailcf98b3.ts.net:4000  0                   Agent Router
10  npm.blueflyagents.com                *        https://blueflynas.tailcf98b3.ts.net:4873  0                   NPM Registry
11  agents.blueflyagents.com             *        https://blueflynas.tailcf98b3.ts.net:3001  0                   Agents Service
12  studio.actprotectiveservices.com     *        https://blueflynas.tailcf98b3.ts.net:0000  0                   Studio Service
13  tracer.bluefly.internal              *        https://blueflynas.tailcf98b3.ts.net:3006  0                   Agent Tracer
14  brain.bluefly.internal               *        https://blueflynas.tailcf98b3.ts.net:6333  0                   Agent Brain (Qdrant)
15  compliance.bluefly.internal          *        https://blueflynas.tailcf98b3.ts.net:3010  0                   Compliance Engine
16  workflow.bluefly.internal            *        https://blueflynas.tailcf98b3.ts.net:3015  0                   Workflow Engine

Notes:

  • All routes point to blueflynas.tailcf98b3.ts.net (Synology NAS)
  • Origin Config 0 = default settings
  • Origin Config 1 = custom connectTimeout

Route Configuration

No CIDR routes configured yet
No hostname routes configured yet


Configuration Files

Local Config Location

  • Config File: ~/.cloudflared/config.yml
  • Credentials: ~/.cloudflared/f6da7bdf-d0f8-4796-a804-afb7984bbe11.json

Example Config (Current Production Configuration)

# ARCHITECTURE: Production on Synology NAS
# Cloudflare Tunnel routes to NAS services via Tailscale MagicDNS
# All services run on blueflynas.tailcf98b3.ts.net
# Production deployment - always-on infrastructure

tunnel: f6da7bdf-d0f8-4796-a804-afb7984bbe11
credentials-file: /etc/cloudflared/f6da7bdf-d0f8-4796-a804-afb7984bbe11.json

ingress:
  # API Gateway
  - hostname: api.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:3005

  # Agent Mesh Gateway
  - hostname: mesh.bluefly.internal
    service: https://blueflynas.tailcf98b3.ts.net:3005

  # NAS Web UI (with connectTimeout)
  - hostname: nas.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:5001
    originRequest:
      connectTimeout: 30s
      noTLSVerify: true

  # Storage (MinIO S3)
  - hostname: storage.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:9000

  # Kagent Services
  - hostname: kagent.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:8080
  - hostname: controller.kagent.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:8083

  # MCP Services
  - hostname: mcp.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:4005
  - hostname: dashboard.mcp.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:3003

  # Agent Router
  - hostname: router.bluefly.internal
    service: https://blueflynas.tailcf98b3.ts.net:4000

  # NPM Registry
  - hostname: npm.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:4873

  # Agents Service
  - hostname: agents.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:3001

  # Agent Tracer
  - hostname: tracer.bluefly.internal
    service: https://blueflynas.tailcf98b3.ts.net:3006

  # Agent Brain (Qdrant)
  - hostname: brain.bluefly.internal
    service: https://blueflynas.tailcf98b3.ts.net:6333

  # Compliance Engine
  - hostname: compliance.bluefly.internal
    service: https://blueflynas.tailcf98b3.ts.net:3010

  # Workflow Engine
  - hostname: workflow.bluefly.internal
    service: https://blueflynas.tailcf98b3.ts.net:3015

  # Studio Service
  - hostname: studio.actprotectiveservices.com
    service: https://blueflynas.tailcf98b3.ts.net:0000

  # Catch-all (must be last)
  - service: http_status:404

How It Works

GitLab SaaS / External Clients
    |  HTTPS POST
    v
Cloudflare DNS (mesh.bluefly.internal, api.blueflyagents.com)
    |
    v
Cloudflare Edge (TLS, WAF, DDoS protection)
    |  (OUTBOUND tunnel from always-on infrastructure)
    v
cloudflared (running on GL-iNet router or Vast.ai instance)
    |
    v
http://agent-mesh.tailcf98b3.ts.net:3005 (Agent-Mesh Service - always-on)

CRITICAL: Agents MUST keep working without the home computer. Cloudflare Tunnel is migrating to always-on infrastructure (GL-iNet router or Vast.ai instance). The agent-mesh service is migrating to always-on infrastructure (Vast.ai or dedicated server).

Key Properties:

  • cloudflared makes an OUTBOUND connection to Cloudflare's edge
  • No inbound ports are opened on the network
  • No router/NAT/port forwarding is involved
  • The public domain never resolves to your public IP (only to Cloudflare)
  • Works from anywhere (home, hotel, coffee shop, LTE, Starlink)

Verification

Check Tunnel Status

cloudflared tunnel list

Expected Output:

NAME           ID                                    STATUS
agent-webhook  f6da7bdf-d0f8-4796-a804-afb7984bbe11 HEALTHY

Check Tunnel Info

cloudflared tunnel info agent-webhook

Test Routes

# Test GitLab webhook endpoint
curl https://api.blueflyagents.com/health

# Test NAS access
curl https://nas.blueflyagents.com

Verify DNS

# Should resolve to Cloudflare (not your home IP)
dig api.blueflyagents.com
dig nas.blueflyagents.com
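The "Should resolve to Cloudflare (not your home IP)" check above is easy to eyeball once but tedious across 16 hostnames. The script below is an added example (not part of cloudflared or this project's tooling) that parses dig-style answer lines and classifies each hostname as "ok" (every A record is inside Cloudflare's published IPv4 edge ranges), "leak" (an answer is the origin's own public IP) or "other". The Cloudflare range list is the published list as known at the time of writing and should be refreshed from https://www.cloudflare.com/ips-v4; the dig output and the origin IP 203.0.113.7 are constructed sample values, not real resolution results.

```python
"""Classify public hostnames by whether they resolve to Cloudflare's edge.

Added example; not part of cloudflared or the BlueFly tunnel tooling.
"""
import ipaddress
import re

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4),
# as known at the time of writing. Refresh this list from that URL in practice.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Matches the answer-section lines that `dig <name>` prints, for example:
# "api.blueflyagents.com.   300   IN   A   104.16.10.20"
ANSWER_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_dig_answers(dig_output):
    """Return {hostname: [ipv4, ...]} from the A records in dig output text."""
    answers = {}
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            answers.setdefault(m.group(1), []).append(m.group(2))
    return answers


def is_cloudflare(addr):
    """True if addr falls inside one of Cloudflare's published edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_IPV4)


def check_resolution(dig_output, origin_public_ip):
    """Classify each hostname found in dig_output.

    'leak'  - at least one answer is the origin's own public IP (the tunnel's
              whole point is that this never happens)
    'ok'    - every answer is a Cloudflare edge address
    'other' - answers point somewhere else (stale record, wrong zone, ...)
    """
    results = {}
    for host, addrs in parse_dig_answers(dig_output).items():
        if origin_public_ip in addrs:
            results[host] = "leak"
        elif all(is_cloudflare(a) for a in addrs):
            results[host] = "ok"
        else:
            results[host] = "other"
    return results


# Constructed sample dig output (not captured from the real zone): the first
# hostname is proxied correctly, the second has a stray record pointing at the
# origin's (constructed) public IP.
SAMPLE_DIG = """
;; ANSWER SECTION:
api.blueflyagents.com.\t300\tIN\tA\t104.16.10.20
api.blueflyagents.com.\t300\tIN\tA\t104.16.11.20
nas.blueflyagents.com.\t300\tIN\tA\t203.0.113.7
"""
SAMPLE_ORIGIN_IP = "203.0.113.7"  # constructed placeholder for the home/NAS public IP

if __name__ == "__main__":
    for host, verdict in check_resolution(SAMPLE_DIG, SAMPLE_ORIGIN_IP).items():
        print(f"{host}: {verdict}")
```

In use, replace SAMPLE_DIG with the real output of dig for each published hostname (dig +noall +answer keeps only the answer lines) and SAMPLE_ORIGIN_IP with the address the NAS actually egresses from; any "leak" verdict means a DNS record is bypassing the tunnel and should be fixed in the Cloudflare DNS zone.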

Troubleshooting

Tunnel Not Connecting

  1. Check that cloudflared is running: ps aux | grep cloudflared
  2. Check tunnel status: cloudflared tunnel list
  3. Verify that the credentials file exists
  4. Check the Cloudflare Dashboard for tunnel status

Routes Not Working

  1. Verify the routes in the Cloudflare Dashboard
  2. Check that the service URLs are correct (localhost:3847, not localhost:3000)
  3. Verify that the services are running on the correct ports
  4. Check Cloudflare Dashboard → Tunnels → Routes

Service URL Issues

Common Error: The service URL points to the wrong port or hostname

Fix: Update in Cloudflare Dashboard:

  1. Go to https://one.dash.cloudflare.com/
  2. Navigate to Tunnels → agent-webhook
  3. Edit routes
  4. Update service URL to correct value (e.g., http://localhost:3847)

Security Best Practices

  1. Service URL Uses Tailscale MagicDNS: Routes to agent-mesh.tailcf98b3.ts.net:3005 (always-on infrastructure)
  2. No Port Forwarding: Cloudflare Tunnel eliminates the need for port forwarding
  3. TLS Termination: Cloudflare terminates TLS at the edge, so the origin service can use plain HTTP on the cloudflared-to-origin hop
  4. WAF Protection: Cloudflare provides WAF and DDoS protection in front of every route
  5. Access Control: Use Cloudflare Access for additional security if needed

Adding New Routes

Via Cloudflare Dashboard

  1. Go to https://one.dash.cloudflare.com/
  2. Navigate to Tunnels → agent-webhook
  3. Click "Configure" → "Public Hostnames"
  4. Add new route:
    • Subdomain: Your subdomain
    • Domain: blueflyagents.com
    • Service: http://localhost:PORT or https://IP:PORT

Via Config File

Edit ~/.cloudflared/config.yml:

ingress:
  - hostname: new-service.blueflyagents.com
    service: http://localhost:PORT
  # ... existing routes ...

Then restart tunnel:

cloudflared tunnel run agent-webhook
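Before restarting the tunnel after editing config.yml, it is worth linting the ingress list for the mistakes that silently break routes: a catch-all that is not last (every rule after it is unreachable), a duplicate hostname (the earlier rule wins), an origin port outside 1-65535 (the :0000 placeholder on the studio route above), and noTLSVerify, which turns off certificate checks on the hop to the origin. The script below is an added example, not part of cloudflared or this project; it carries a small purpose-built parser for the flat "ingress:" list shape used in this document (instead of depending on PyYAML) and runs against a constructed, abridged copy of the production config shown earlier.

```python
"""Lint the ingress list of a cloudflared config.yml.

Added example; not part of cloudflared or the BlueFly tunnel tooling. The
parser below only understands the flat "- hostname/service/originRequest"
shape used in this document; it is not a general YAML parser.
"""
import re


def parse_ingress(config_text):
    """Return the ingress rules as a list of dicts (originRequest nested)."""
    rules, in_ingress, current, nested, nested_indent = [], False, None, None, 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments (no '#' in values here)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if indent == 0:                          # top-level key: only "ingress:" matters
            in_ingress = text == "ingress:"
            current = None
            continue
        if not in_ingress:
            continue
        if text.startswith("- "):                # "- key: value" opens a new rule
            current = {}
            rules.append(current)
            nested = None
            text = text[2:].strip()
        key, _, value = text.partition(":")      # first ':' only, so URLs survive
        key, value = key.strip(), value.strip()
        if value == "":                          # "originRequest:" opens a nested map
            nested, nested_indent = {}, indent
            current[key] = nested
        elif nested is not None and indent > nested_indent:
            nested[key] = value
        else:
            nested = None
            current[key] = value
    return rules


PORT_RE = re.compile(r"^https?://[^/:]+:(\d+)")


def lint_ingress(rules):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, seen = [], set()
    if not rules:
        return ["no ingress rules found"]
    for i, rule in enumerate(rules, 1):
        host, service, last = rule.get("hostname"), rule.get("service", ""), i == len(rules)
        if not service:
            findings.append(f"rule {i}: missing service")
        if last:
            if host is not None:
                findings.append(f"rule {i}: last rule must be a catch-all with no hostname")
            continue
        if host is None:
            findings.append(f"rule {i}: catch-all rule is not last; later rules are unreachable")
        elif host in seen:
            findings.append(f"rule {i}: duplicate hostname {host}; earlier rule wins")
        else:
            seen.add(host)
        m = PORT_RE.match(service)
        if m and not 1 <= int(m.group(1)) <= 65535:
            findings.append(f"rule {i}: {host}: invalid origin port {m.group(1)}")
        if rule.get("originRequest", {}).get("noTLSVerify") == "true":
            findings.append(f"rule {i}: {host}: noTLSVerify disables origin certificate checks")
    return findings


# Constructed, abridged copy of the production config from this document.
SAMPLE_CONFIG = """\
tunnel: f6da7bdf-d0f8-4796-a804-afb7984bbe11
credentials-file: /etc/cloudflared/f6da7bdf-d0f8-4796-a804-afb7984bbe11.json
ingress:
  # API Gateway
  - hostname: api.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:3005
  # NAS Web UI (with connectTimeout)
  - hostname: nas.blueflyagents.com
    service: https://blueflynas.tailcf98b3.ts.net:5001
    originRequest:
      connectTimeout: 30s
      noTLSVerify: true
  # Studio Service (port still a placeholder)
  - hostname: studio.actprotectiveservices.com
    service: https://blueflynas.tailcf98b3.ts.net:0000
  # Catch-all (must be last)
  - service: http_status:404
"""

if __name__ == "__main__":
    for finding in lint_ingress(parse_ingress(SAMPLE_CONFIG)) or ["clean"]:
        print(finding)
```

This complements rather than replaces cloudflared's own syntax check (cloudflared tunnel ingress validate), which confirms the file parses but does not flag a placeholder port or a noTLSVerify setting that was meant to be temporary.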