Zero-Trust on recca0120 技術筆記https://recca0120.github.io/tags/zero-trust/Recent content in Zero-Trust on recca0120 技術筆記Hugo -- gohugo.iozh-hant-twTue, 14 Apr 2026 20:00:00 +08002026 年用 Cloudflare Tunnel:不開 port、不買 IP,把本機服務推上公網https://recca0120.github.io/2026/04/14/cloudflare-tunnel-2026/Tue, 14 Apr 2026 20:00:00 +0800https://recca0120.github.io/2026/04/14/cloudflare-tunnel-2026/<img src="https://recca0120.github.io/" alt="Featured image of post 2026 年用 Cloudflare Tunnel:不開 port、不買 IP,把本機服務推上公網" /><p>家裡跑了一個 side project,想讓客戶能看到 demo;公司 NUC 跑了內部工具,想在外面也能連進去。傳統做法是去買一個靜態 IP、在 router 上開 port forwarding、再自己搞 Let&rsquo;s Encrypt 憑證——這些步驟 2026 年都可以跳過。</p> <p>Cloudflare Tunnel(cloudflared)幫你做完所有髒活:從本機<strong>主動連出去</strong>到 Cloudflare 邊緣節點,所有進來的流量走這條連線回你家。不用開 port、不用公網 IP、免費拿到 Cloudflare 的 DDoS 防護跟 WAF。</p> <h2 id="為什麼是-cloudflare-tunnel"><a href="#%e7%82%ba%e4%bb%80%e9%ba%bc%e6%98%af-cloudflare-tunnel" class="header-anchor"></a>為什麼是 Cloudflare Tunnel </h2><p>市面上類似工具不少,三個主流取向不太一樣:</p> <table> <thead> <tr> <th>工具</th> <th>自訂網域</th> <th>身份驗證</th> <th>自架 relay</th> <th>TCP 支援</th> <th>免費上限</th> </tr> </thead> <tbody> <tr> <td>Cloudflare Tunnel</td> <td>✅ 免費</td> <td>✅ 內建 Access</td> <td>❌ CF 代管</td> <td>✅</td> <td>很寬鬆</td> </tr> <tr> <td>ngrok</td> <td>付費才有</td> <td>付費加購</td> <td>❌</td> <td>付費</td> <td>有連線數限制</td> </tr> <tr> <td>Tailscale Funnel</td> <td>有限</td> <td>❌</td> <td>P2P</td> <td>❌ 僅 HTTPS</td> <td>只開 3 個 port</td> </tr> <tr> <td>frp</td> <td>看你自己</td> <td>自己接</td> <td>✅ 要自架</td> <td>✅</td> <td>看你機器</td> </tr> </tbody> </table> <p><strong>Tunnel 最大的差異</strong>:它不只是「把流量導進來」,而是把你家服務接上 Cloudflare 整個 Zero Trust 平台——可以直接套 Access 做 SSO、email OTP、走 WAF 擋攻擊、要 SSH 的話用瀏覽器就能連。這些對 ngrok 是付費功能,對 Tailscale Funnel 是沒這東西。</p> <h2 id="2026-年推薦流程zero-trust-dashboard"><a href="#2026-%e5%b9%b4%e6%8e%a8%e8%96%a6%e6%b5%81%e7%a8%8bzero-trust-dashboard" class="header-anchor"></a>2026 年推薦流程:Zero Trust Dashboard </h2><p>過去用 <code>cloudflared</code> 多半靠 <code>config.yml</code> 本機設定。2026 年 Cloudflare 把主力推到 <strong>remotely-managed tunnels</strong>——設定在雲端 dashboard,本機 cloudflared 只拿一個 token 跑起來。好處是多台機器共用、改 ingress 不用重啟、多個 replica 自動 HA。</p> <p>進入 <a class="link" href="https://one.dash.cloudflare.com" target="_blank" rel="noopener" >one.dash.cloudflare.com</a> → <strong>Networks → Tunnels → Create a tunnel → Cloudflared</strong>,取個名字之後複製安裝指令。</p> <h2 id="安裝-cloudflared"><a href="#%e5%ae%89%e8%a3%9d-cloudflared" class="header-anchor"></a>安裝 cloudflared </h2><p><strong>macOS</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install cloudflared </span></span></code></pre></td></tr></table> </div> </div><p><strong>Linux(Debian/Ubuntu)</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -L https://pkg.cloudflare.com/install.sh <span class="p">|</span> sudo bash </span></span><span class="line"><span class="cl">sudo apt install cloudflared </span></span></code></pre></td></tr></table> </div> </div><p><strong>Docker</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker run -d --name cf-tunnel --restart unless-stopped <span class="se">\ </span></span></span><span class="line"><span class="cl"> cloudflare/cloudflared:latest <span class="se">\ </span></span></span><span class="line"><span class="cl"> tunnel --no-autoupdate run --token eyJhbGci... </span></span></code></pre></td></tr></table> </div> </div><p>裝好之後,把 dashboard 給你的 token 塞進去:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo cloudflared service install eyJhbGci...TOKEN... </span></span></code></pre></td></tr></table> </div> </div><p>這條指令會建 systemd service(Linux)或 launchd plist(macOS),開機自動跑,當機自動重啟。回 dashboard 看 tunnel 狀態,綠燈 <strong>Healthy</strong> 就成了。</p> <h2 id="把-localhost3000-推到-fooexamplecom"><a href="#%e6%8a%8a-localhost3000-%e6%8e%a8%e5%88%b0-fooexamplecom" class="header-anchor"></a>把 localhost:3000 推到 foo.example.com </h2><p>前提:<code>example.com</code> 已經把 DNS 指到 Cloudflare(Name servers 換成 Cloudflare 那對)。</p> <p>回到 tunnel 設定頁,切到 <strong>Public Hostname</strong> 頁籤 → <strong>Add a public hostname</strong>:</p> <table> <thead> <tr> <th>欄位</th> <th>值</th> </tr> </thead> <tbody> <tr> <td>Subdomain</td> <td><code>foo</code></td> </tr> <tr> <td>Domain</td> <td><code>example.com</code></td> </tr> <tr> <td>Service Type</td> <td><code>HTTP</code></td> </tr> <tr> <td>URL</td> <td><code>localhost:3000</code></td> </tr> </tbody> </table> <p>存檔完,Cloudflare 自動幫你在 DNS 建一筆 CNAME:<code>foo.example.com → &lt;tunnel-uuid&gt;.cfargotunnel.com</code>。打開 <code>https://foo.example.com</code>,憑證是 Cloudflare 的 edge cert,你本機完全不用裝 TLS。</p> <h2 id="加身份驗證zero-trust-access"><a href="#%e5%8a%a0%e8%ba%ab%e4%bb%bd%e9%a9%97%e8%ad%89zero-trust-access" class="header-anchor"></a>加身份驗證:Zero Trust Access </h2><p>不想讓 demo 網址被陌生人掃到?加個登入閘:</p> <p><strong>Zero Trust → Access → Applications → Add an application → Self-hosted</strong></p> <ul> <li>Application domain 填 <code>foo.example.com</code></li> <li>新增 policy:Action = <strong>Allow</strong>,Include = <strong>Emails ending in <code>@yourco.com</code></strong>(或指定 email 清單)</li> <li>Identity provider 用預設的 <strong>One-time PIN</strong>(送 email OTP),或到 <strong>Settings → Authentication</strong> 接 Google SSO / GitHub</li> </ul> <p>下次打開 <code>foo.example.com</code> 會先跳 Cloudflare 登入頁,認證通過才進得去。免費方案吃到 <strong>50 個使用者</strong>都免錢。</p> <h2 id="trycloudflare一次性的-demo-tunnel"><a href="#trycloudflare%e4%b8%80%e6%ac%a1%e6%80%a7%e7%9a%84-demo-tunnel" class="header-anchor"></a>TryCloudflare:一次性的 demo tunnel </h2><p>要快速給人看個 webhook 或 demo,連帳號都懶得開:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cloudflared tunnel --url http://localhost:8080 </span></span></code></pre></td></tr></table> </div> </div><p>跑起來會印一個 <code>https://&lt;random-words&gt;.trycloudflare.com</code>,隨機子網域、流量打回本機。關掉程序網址就失效。適合臨時,不適合長期,有 rate limit。</p> <h2 id="本機-configyml-派gitops-派推薦"><a href="#%e6%9c%ac%e6%a9%9f-configyml-%e6%b4%begitops-%e6%b4%be%e6%8e%a8%e8%96%a6" class="header-anchor"></a>本機 config.yml 派(GitOps 派推薦) </h2><p>要把 tunnel 設定放進 Git 版控、或跑 IaC(Terraform),還是可以用傳統方式:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cloudflared tunnel login </span></span><span class="line"><span class="cl">cloudflared tunnel create dev-laptop </span></span><span class="line"><span class="cl">cloudflared tunnel route dns dev-laptop foo.example.com </span></span></code></pre></td></tr></table> </div> </div><p><code>~/.cloudflared/config.yml</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">tunnel</span><span class="p">:</span><span class="w"> </span><span class="l">dev-laptop</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">credentials-file</span><span class="p">:</span><span class="w"> </span><span class="l">/Users/me/.cloudflared/&lt;UUID&gt;.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">foo.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l">http://localhost:3000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">api.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l">http://localhost:4000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">originRequest</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">connectTimeout</span><span class="p">:</span><span class="w"> </span><span class="l">30s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">noTLSVerify</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l">http_status:404</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>跑:<code>cloudflared tunnel run dev-laptop</code></p> <h2 id="幾個踩過的坑"><a href="#%e5%b9%be%e5%80%8b%e8%b8%a9%e9%81%8e%e7%9a%84%e5%9d%91" class="header-anchor"></a>幾個踩過的坑 </h2><p><strong>Ingress 最後一定要放 catch-all</strong>。沒寫 <code>- service: http_status:404</code> 的話 cloudflared 會拒絕啟動:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">foo.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l">http://localhost:3000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l">http_status:404 </span><span class="w"> </span><span class="c"># 少了這行會開不起來</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>WebSocket 直接可用</strong>。2022 之後預設支援,不用額外旗標。Next.js HMR、Socket.IO 都沒問題。</p> <p><strong>SSH / RDP 也能走</strong>。ingress 寫 <code>service: ssh://localhost:22</code>,對方不用裝 client,在 Access application 裡啟用 <strong>Browser rendering</strong>,瀏覽器就能開 SSH terminal。</p> <p><strong>同一個 tunnel 開多個 replica</strong>。同樣 token 在第二台機器再跑一次,Cloudflare 自動做 HA 跟 load balancing。主機重開機期間服務不中斷。</p> <p><strong>originRequest per hostname</strong>。每個 ingress 可以獨立設 <code>httpHostHeader</code>(改 Host header)、<code>connectTimeout</code>、<code>noTLSVerify</code>,不用為了一個服務改全域設定。</p> <h2 id="費用"><a href="#%e8%b2%bb%e7%94%a8" class="header-anchor"></a>費用 </h2><ul> <li><strong>Tunnel 本身:完全免費</strong>,不限流量、不限條數、不限 bandwidth</li> <li><strong>Zero Trust Access:50 個使用者以下免費</strong>,超過走 Cloudflare One pay-as-you-go 約 $7/user/月</li> <li>沒有 egress fee、沒有連線數限制</li> </ul> <p>對個人跟小團隊來說幾乎是白送。</p> <h2 id="20252026-的重要更新"><a href="#20252026-%e7%9a%84%e9%87%8d%e8%a6%81%e6%9b%b4%e6%96%b0" class="header-anchor"></a>2025–2026 的重要更新 </h2><p><strong>Dashboard 整併</strong>:舊的 <code>dash.teams.cloudflare.com</code> 完全退役,統一走 <code>one.dash.cloudflare.com</code>。如果搜到舊教學點到老介面,換新網址就好。</p> <p><strong>WARP Connector GA</strong>:原本 tunnel 是「單一服務對外」,WARP Connector 把<strong>整個內網網段</strong>接上 Cloudflare。想讓員工 VPN 進辦公室網段、或站對站互連,這是新選擇。Tunnel + WARP Connector 搭起來就是 site-to-site VPN 的替代品。</p> <p><strong>Cloudflare One 品牌整合</strong>:Access、Gateway、Tunnel、WARP、CASB、DLP、Email Security 全合併成一個 SSE 平台。Zero Trust 選單下面現在一次能設完企業所有網路安全。</p> <p><strong>Terraform provider v5</strong> 穩定:tunnel 資源完整 IaC 化,多環境部署用 Terraform 一鍵建完。</p> <p><strong>QUIC 成預設</strong>:cloudflared 協定預設走 QUIC(HTTP/3),比舊的 HTTP/2 連線建立更快,壞網路環境也更穩。</p> <h2 id="什麼時候別用-tunnel"><a href="#%e4%bb%80%e9%ba%bc%e6%99%82%e5%80%99%e5%88%a5%e7%94%a8-tunnel" class="header-anchor"></a>什麼時候別用 Tunnel </h2><p>雖然好用但不是萬用:</p> <ul> <li><strong>純 P2P 不經過第三方</strong>:用 Tailscale / WireGuard</li> <li><strong>法規要求流量不能經美國/CF 網路</strong>:走 self-hosted frp 或企業 VPN</li> <li><strong>超大流量靜態檔</strong>:直接用 Cloudflare Pages / R2 比走 tunnel 合理</li> <li><strong>只想 5 分鐘 demo</strong>:TryCloudflare 或 ngrok 更快,不用設網域</li> </ul> <h2 id="結語"><a href="#%e7%b5%90%e8%aa%9e" class="header-anchor"></a>結語 </h2><p>2026 年架 demo 環境、接 webhook、開發過程中給同事看進度——這些 Cloudflare Tunnel 基本都是最省力的答案。免費額度大方,安全性有 Cloudflare 托底,從開發到上 production 都能用同一條路徑。</p> <p>最短的上手只要三步:<code>brew install cloudflared</code> → dashboard 建 tunnel → 貼上 token。之後所有複雜度都在雲端 UI 點一點就好。</p> <h2 id="參考資源"><a href="#%e5%8f%83%e8%80%83%e8%b3%87%e6%ba%90" class="header-anchor"></a>參考資源 </h2><ul> <li><a class="link" href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/" target="_blank" rel="noopener" >Cloudflare Tunnel 官方文件</a></li> <li><a class="link" href="https://github.com/cloudflare/cloudflared" target="_blank" rel="noopener" >cloudflared GitHub</a></li> <li><a class="link" href="https://one.dash.cloudflare.com" target="_blank" rel="noopener" >Zero Trust Dashboard</a></li> <li><a class="link" href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/" target="_blank" rel="noopener" >TryCloudflare</a></li> <li><a class="link" href="https://www.cloudflare.com/plans/zero-trust-services/" target="_blank" rel="noopener" >Cloudflare Access 定價</a></li> </ul>