DEV Community

MD.AL-AMIN


How Cloudflare Tunnel Works (Part 2)

Cloudflare Architecture


Cloudflare Tunneling, formerly known as Argo Tunnel, involves several steps and technologies working together to securely expose your local services to the internet. Here's a step-by-step explanation of the internal process and the technologies involved:

Cloudflare Tunnel Daemon (Cloudflared):

Cloudflared is the client-side software that runs on your local machine. It is responsible for creating and managing the encrypted connection between your machine and Cloudflare's edge network.
Cloudflared is written in the Go programming language.

TLS Handshake:

When Cloudflared starts, it initiates a TLS handshake with Cloudflare's edge servers. This handshake establishes a secure, encrypted communication channel using the Transport Layer Security (TLS) protocol.
TLS ensures that the data exchanged between Cloudflared and Cloudflare's edge is encrypted and secure in transit.

WebSocket Connection:

After the TLS handshake is completed, Cloudflared establishes a WebSocket connection with Cloudflare's edge.
WebSocket is a communication protocol that provides full-duplex communication channels over a single TCP connection. It allows for efficient, bi-directional communication between Cloudflared and Cloudflare's edge servers.

Cloudflare Edge Network:

Cloudflare's edge network consists of data centers distributed globally. Each data center acts as a point of presence (PoP) where incoming traffic is processed and optimized.
Cloudflare's edge servers handle incoming requests from users and route them to the appropriate destination, including the Cloudflare Tunnel endpoints.

Tunnel Endpoint:

Cloudflare assigns a unique tunnel endpoint to each Cloudflared instance running on your local machine. This endpoint acts as the entry point for incoming traffic destined for your local services.
The tunnel endpoint is a domain name or a subdomain hosted by Cloudflare.

Service Discovery:

You configure Cloudflared to specify which local services you want to expose to the internet. This can include web servers, APIs, or any other TCP-based service running on your machine.
Cloudflared dynamically discovers these services and establishes connections to them.

Encrypted Tunnel:

Once the WebSocket connection is established and services are discovered, Cloudflared creates an encrypted tunnel between your machine and Cloudflare's edge network.
This tunnel securely forwards incoming traffic from Cloudflare's edge to the specified local services running on your machine.

DNS Configuration:

You configure DNS records on Cloudflare's platform to point to the tunnel endpoint assigned to your Cloudflared instance.
This ensures that incoming traffic to your domain is directed through Cloudflare's network to your local machine via the established tunnel.
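The Service Discovery and DNS Configuration steps above, written out as a concrete cloudflared config.yml (an added example, not taken from the original post; the tunnel UUID, credentials path, hostnames and ports are placeholders):

```yaml
# cloudflared config.yml (added example; tunnel UUID, hostnames and ports are placeholders)
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

# Ingress rules are the "service discovery" step: only the services listed here
# are reachable through the tunnel. Rules are evaluated top to bottom and the
# first hostname match wins, so the order matters.
ingress:
  # Public hostname -> local web server (plain HTTP on the loopback interface)
  - hostname: app.example.com
    service: http://localhost:8080

  # Local HTTPS origin; cloudflared verifies the origin certificate by default
  - hostname: api.example.com
    service: https://localhost:8443

  # Non-HTTP TCP service (SSH); clients reach it via a cloudflared client, not a browser
  - hostname: ssh.example.com
    service: ssh://localhost:22

  # Required catch-all rule: any hostname not matched above gets a 404 from
  # cloudflared instead of being forwarded to a local service (default deny).
  - service: http_status:404

# DNS Configuration step: each hostname above needs a proxied CNAME record in the
# zone pointing at <TUNNEL-UUID>.cfargotunnel.com. cloudflared can create it for you:
#   cloudflared tunnel route dns <tunnel-name> app.example.com
# Check the rule set before starting the tunnel:
#   cloudflared tunnel ingress validate
```

Run with `cloudflared tunnel run <tunnel-name>`; requests for hostnames that are not listed in `ingress` never reach the machine's services, which is the property to verify after each configuration change.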

Traffic Routing:

When a user accesses your domain, their request is routed through Cloudflare's global network to the nearest data center.
From there, it's forwarded through the established tunnel to your local machine where your service is hosted.

Security Features:

Cloudflare provides various security features such as DDoS protection, Web Application Firewall (WAF), and rate limiting to safeguard your exposed services from malicious attacks and unauthorized access.
