How to Protect Your Origin Server with Cloudflare Argo Tunnel


As a fellow technology enthusiast, I know you want to keep your infrastructure locked down tight. You’ve likely spent countless hours architecting, optimizing, and securing your stack. The last thing you want is for an attacker to bypass your CDN and start hammering on your origin server directly.

Unfortunately, it’s not too difficult for a determined adversary to uncover the IP addresses of origin servers behind Cloudflare. I’ve done it myself on bug bounty assessments – as I explained in two earlier posts, it just takes a few tricks.

So how do we stop this? How can we sleep better at night knowing our babies (our servers) are safe from prying eyes?

Enter Cloudflare Argo Tunnel – an elegant solution to front the origin with Cloudflare’s network. I’m excited to show you how to set it up today.

Why Should You Care?

Before we dig in, let’s talk about why origin protection matters in the first place.

There are two main risks when your origin IP is exposed:

1. DDoS attacks

Anyone can start flooding junk traffic directly to your server. Since it’s bypassing Cloudflare, your WAF and DDoS mitigation won’t kick in. You’ll likely face service disruptions or even a complete outage. No fun.

2. Exploits

Attackers can scan for vulnerabilities and attempt exploits directly on the origin. This bypasses Cloudflare’s threat intelligence and WAF rules designed to block common attack patterns.

So in summary, leaked origins put your infrastructure at risk. The threats are real, but thankfully the solution is straightforward…

Introducing Cloudflare Argo Tunnel

Argo Tunnel is a Cloudflare daemon that creates an encrypted tunnel from your origin to the Cloudflare edge. All traffic to your infrastructure is forced through Cloudflare first.

The key benefits are:

  • Obfuscation – Your origin IP is never exposed or logged in Cloudflare
  • Encryption – Traffic is secured over a TLS tunnel
  • Reliability – Leverages Cloudflare’s Anycast network with failover
  • Simplicity – No ACLs or firewall rules to manage

And the best part? You can enable Argo Tunnel on Cloudflare’s free plan! The only additional cost is a low monthly subscription starting at $5 per month.

Step 1: Install the Daemon

Let’s get your server ready with the Argo Tunnel daemon. Download the cloudflared .deb package for your architecture from Cloudflare, then log in to the server and install it:

sudo dpkg -i cloudflared-stable-linux-amd64.deb

To verify it installed properly:

cloudflared --version

You should see the version number printed out.

Step 2: Authenticate with Cloudflare

Next we need to tie our origin server to our Cloudflare account:

cloudflared tunnel login

It will prompt you to open a browser and log into your Cloudflare account. Complete the login and the daemon will download an authentication certificate.

Step 3: Initiate the Tunnel

Almost there! Now we can initiate the tunnel to Cloudflare’s network:

cloudflared tunnel --hostname www.example.com --url http://localhost:80

Replace the placeholder www.example.com with your site’s hostname, and the --url value with the local address and port your origin service listens on. This will tunnel traffic from Cloudflare to your origin server.

Within about a minute, you should see it connect successfully. Try accessing your origin IP directly – you should now get a connection refused error. Your server is now hidden from the public internet!
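The "connection refused" result in the step above is what you see when nothing on the origin answers on its public address any more: the web server, and anything else you tunnel, listens on 127.0.0.1 and cloudflared is the only process that reaches it. The script below is an added example, not code from this post or from Cloudflare. It reads the output of `ss -Hltn` and reports every TCP listener bound to something other than a loopback address; the socket lines embedded in it are constructed sample data, and the `--live` switch runs the same check against the real socket table of the host.

```shell
#!/bin/sh
# Added example (not from the post): list TCP listeners that are reachable from
# outside the loopback interface, i.e. services that someone who learns the
# origin IP could still reach directly instead of going through the tunnel.
#
# Input is the output of `ss -Hltn` (no header line; columns are
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port). A header line
# from plain `ss -ltn` is ignored because its first field is not LISTEN.

# Constructed sample: the web server and MySQL were rebound to loopback,
# but sshd still listens on every interface.
SAMPLE_SS='LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 511 [::1]:80 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'

# public_listeners: read ss lines on stdin and print the local address:port of
# every LISTEN socket that is not bound to 127.0.0.0/8 or ::1.
public_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
        print addr
    }'
}

# origin_is_hidden: exit status 0 when stdin contains no publicly bound listener.
origin_is_hidden() {
    [ -z "$(public_listeners)" ]
}

# report: print a human-readable verdict. It never fails the script itself, so
# it can be dropped into a larger health check.
report() {
    found=$(public_listeners)
    if [ -z "$found" ]; then
        echo "OK: every TCP listener is bound to loopback; only cloudflared reaches them"
    else
        echo "WARNING: listeners reachable on the origin's public address:"
        printf '  %s\n' $found
        echo "Bind these to 127.0.0.1 (or firewall them) so direct hits get connection refused."
    fi
}

if [ "${1:-}" = "--live" ]; then
    ss -Hltn | report                     # real socket table of this host
else
    printf '%s\n' "$SAMPLE_SS" | report   # constructed sample data
fi
```

Run it on the origin after the tunnel is up; anything it lists is a service that bypasses Cloudflare entirely and should be rebound to loopback or closed at the host firewall.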

Going Beyond the Basics

Let’s explore a few more advanced tuning and configuration options:

Run at startup

cloudflared service install

This will run the Argo Tunnel daemon whenever your server boots up.

Multiple tunnels

You can have multiple Argo Tunnel connections from a single server to tunnel different ports and protocols.

For example, to tunnel SSH traffic (ssh.example.com is a placeholder for your own hostname):

cloudflared tunnel --hostname ssh.example.com --url ssh://localhost:22

Custom hostnames

Point each tunnel at your actual domain name instead of an arbitrary hostname, for example:

cloudflared tunnel --hostname www.example.com --url http://localhost

where www.example.com stands in for the DNS name you want to serve through the tunnel.

Metrics

Get visibility into tunnel connections and traffic with Prometheus metrics exposed on port 4040.

There are many more configuration options available – check out the docs to customize Argo Tunnel to your needs.
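Once the tunnel runs as a service, its settings live in a config file rather than on the command line, and two of those settings deserve a sanity check: the --url must point at a local service, and the metrics endpoint should stay on loopback so tunnel statistics are not published on the very origin IP you are hiding. The script below is an added example, not code from this post or from Cloudflare. It assumes the legacy Argo Tunnel config format in which each CLI flag becomes a top-level key of ~/.cloudflared/config.yml (so --hostname, --url, --metrics and --logfile map to hostname:, url:, metrics: and logfile:); the hostname and log path values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post or from Cloudflare): render and validate the
# config file that `cloudflared service install` picks up, so a typo does not
# silently tunnel the wrong service or bind the metrics endpoint publicly.
#
# Assumption: legacy Argo Tunnel config format, one top-level key per CLI flag.

# valid_hostname: DNS name of the tunnelled site (lowercase letters, digits,
# dashes, dots), rejecting anything with spaces or shell metacharacters.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# valid_origin_url: only the schemes shown in this tutorial, and only to this
# host; pointing the tunnel at a remote address would publish someone else's
# service under your hostname.
valid_origin_url() {
    printf '%s' "$1" | grep -Eq '^(http|https|ssh)://(localhost|127\.0\.0\.1)(:[0-9]{1,5})?$'
}

# loopback_metrics: the Prometheus endpoint must bind 127.0.0.1; an
# all-interfaces bind (0.0.0.0:4040) would expose tunnel statistics on the
# origin's public address.
loopback_metrics() {
    printf '%s' "$1" | grep -Eq '^(127\.0\.0\.1|localhost):[0-9]{1,5}$'
}

# render_config HOSTNAME URL [METRICS]: print the YAML on success, or write a
# reason to stderr and fail before emitting anything.
render_config() {
    host=$1; url=$2; metrics=${3:-127.0.0.1:4040}
    valid_hostname "$host"      || { echo "bad hostname: $host" >&2; return 1; }
    valid_origin_url "$url"     || { echo "bad origin url: $url" >&2; return 1; }
    loopback_metrics "$metrics" || { echo "metrics must bind loopback: $metrics" >&2; return 1; }
    printf 'hostname: %s\nurl: %s\nmetrics: %s\nlogfile: /var/log/cloudflared.log\n' \
        "$host" "$url" "$metrics"
}

# install_tunnel HOSTNAME URL: write the validated config to the location
# `cloudflared service install` reads, then register the service.
install_tunnel() {
    mkdir -p "$HOME/.cloudflared"
    render_config "$1" "$2" > "$HOME/.cloudflared/config.yml" || return 1
    sudo cloudflared service install
}

# Demo with constructed placeholder values; substitute your own hostname and
# origin URL, then call install_tunnel instead of render_config.
render_config www.example.com http://localhost:80
```

The validators are deliberately strict: a URL such as http://10.0.0.5:80 or a metrics address of 0.0.0.0:4040 is refused outright, because both would quietly widen what the tunnel exposes.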

Wrapping Up

I hope this tutorial helped illuminate how Argo Tunnel can simplify locking down your origin infrastructure. The days of worrying about exposed servers are over!

Here are a few key takeaways as you move forward:

  • Check if your origins are currently exposed and consider enabling Argo Tunnel.
  • For complete protection, tunnel all TCP/UDP protocols (HTTP, SSH, databases, etc.).
  • Monitor tunnel uptime and traffic metrics to catch issues early.
  • Keep Argo Tunnel and the daemon updated to benefit from latest enhancements.

Cloudflare Argo Tunnel provides a lightweight, flexible way to hide your infrastructure from attackers. I’m excited to see them continue innovating on origin protection and other security solutions.

Let me know if you have any other questions! I enjoy discussing this stuff. And as always, stay safe out there.
