Running Multiple Cloudflare Service Instances on a Single Machine
I recently tried to host two Cloudflare domains on my server: one that needs to be publicly accessible, and another that stays private (e.g., through Tailscale). Here are some notes from the setup.
Note: This tutorial involves stopping the currently running cloudflared process, which may lead to service downtime. Please proceed with caution and run the commands at your own risk.
Back Up the Existing Certificate
If you already have an existing cloudflared setup with the default
configuration files, rename the current certificate to avoid overwriting
it:
mv /root/.cloudflared/cert.pem /root/.cloudflared/cert_orig.pem
Authenticate and Install a New Account Certificate
Authenticate cloudflared and install a new certificate on the server:
cloudflared tunnel login
If successful, you'll be prompted to select a domain and install the
corresponding certificate at /root/.cloudflared/cert.pem:
Please open the following URL and log in with your Cloudflare account:
<callback url>
Leave cloudflared running to download the cert automatically.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/root/.cloudflared/cert.pem
Since this is our second certificate, rename it for clarity:
mv /root/.cloudflared/cert.pem /root/.cloudflared/cert_test.pem
Create a New Tunnel and Config
Create a new Cloudflare tunnel:
cloudflared tunnel create test
Example output:
Tunnel credentials written to /root/.cloudflared/36216cb7-d0b4-4572-9fdf-c03d62b41778.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.
Created tunnel test with id 36216cb7-d0b4-4572-9fdf-c03d62b41778
Now, create a configuration file for the test instance:
cat <<EOF > /etc/cloudflared/config_test.yml
tunnel: 36216cb7-d0b4-4572-9fdf-c03d62b41778
credentials-file: /root/.cloudflared/36216cb7-d0b4-4572-9fdf-c03d62b41778.json
origincert: /root/.cloudflared/cert_test.pem
# Additional configurations can go here...
EOF
Service Downtime (Hold Tight!)
At this stage, we need to stop the running Cloudflare service and rename the existing configurations. This will temporarily disrupt the service, so proceed when ready.
First, stop the current Cloudflare service:
systemctl stop cloudflared.service
Now, remove the old systemd service file:
rm /etc/systemd/system/cloudflared.service
And rename the existing config:
mv /etc/cloudflared/config.yml /etc/cloudflared/config_orig.yml
Now, define a new systemd service file for the original instance:
cat <<EOF > /etc/systemd/system/cloudflared_orig.service
[Unit]
Description=cloudflared (orig)
After=network.target
[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate --config /etc/cloudflared/config_orig.yml tunnel run
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
EOF
And a separate systemd service for the test instance:
cat <<EOF > /etc/systemd/system/cloudflared_test.service
[Unit]
Description=cloudflared (test)
After=network.target
[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate --config /etc/cloudflared/config_test.yml tunnel run
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
EOF
Start Everything Up Again
Reload systemd, enable the services, and start them:
systemctl daemon-reload
systemctl enable --now cloudflared_orig.service
systemctl enable --now cloudflared_test.service
Check if both services are running:
systemctl status cloudflared_orig.service
systemctl status cloudflared_test.service
Your machine is now successfully running multiple Cloudflare instances and tunnels independently. Enjoy your setup!
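The cloudflared output above says to keep the tunnel credentials file secret, and this setup now keeps two sets of credentials side by side. As an added example (not part of the original post; the function names are hypothetical, and it assumes flat `key: value` config lines like those in config_test.yml), these shell functions check that each instance's credentials and certificate files exist and are closed to group and other, and that the two instances do not share a tunnel:

```shell
#!/bin/sh
# Added example: audit the per-instance cloudflared configs created above.
# Assumption: configs use flat "key: value" lines, as config_test.yml does.
# Usage: audit_config /etc/cloudflared/config_test.yml

# Print the value of a top-level key from a flat YAML config.
cfg_get() {  # cfg_get <key> <config-file>
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Succeed only if the file exists and grants nothing to group or other.
is_private() {
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Audit one instance config; prints findings, returns how many it found.
audit_config() {
    cfg=$1; problems=0
    tunnel=$(cfg_get tunnel "$cfg")
    creds=$(cfg_get credentials-file "$cfg")
    cert=$(cfg_get origincert "$cfg")   # optional key
    [ -n "$tunnel" ] || { echo "$cfg: no tunnel id"; problems=$((problems + 1)); }
    for secret in "$creds" "$cert"; do
        [ -n "$secret" ] || continue
        is_private "$secret" || {
            echo "$cfg: $secret missing or accessible to group/other"
            problems=$((problems + 1))
        }
    done
    # The page's output shows the credentials file named <tunnel id>.json.
    [ -n "$creds" ] && [ "$(basename -- "$creds" .json)" = "$tunnel" ] || {
        echo "$cfg: credentials-file unset or not for tunnel '$tunnel'"
        problems=$((problems + 1))
    }
    return "$problems"
}

# Two instances must not share a tunnel id or a credentials file.
audit_pair() {
    [ "$(cfg_get tunnel "$1")" != "$(cfg_get tunnel "$2")" ] &&
    [ "$(cfg_get credentials-file "$1")" != "$(cfg_get credentials-file "$2")" ]
}
```

Source the file, then run `audit_config` on config_orig.yml and config_test.yml and `audit_pair` on the two together; a non-zero exit status means something needs fixing.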