DEV Community

Anim Mouse
Anim Mouse

Posted on

Expose your web server on GitHub Actions to the internet using Cloudflare Tunnel

My Workflow

GitHub Actions runners are firewalled from the internet, so you can't test your web server outside of the runners. What if you need to test your web server on GitHub Actions interactively?

This GitHub Action installs the cloudflared Cloudflare Tunnel client and allows you to tunnel connections so that you can now access your server inside the GitHub Actions runners to the internet.

This is an example workflow that tunnels the Python Simple HTTP server so that it is accessible over the internet.

name: Test setup-cloudflared
      - .github/workflows/test.yml

    runs-on: ubuntu-latest
      - name: Setup cloudflared using setup-cloudflared
        uses: AnimMouse/setup-cloudflared@v1
          cloudflare_tunnel_certificate: ${{ secrets.CLOUDFLARE_TUNNEL_CERTIFICATE }}
          cloudflare_tunnel_credential: ${{ secrets.CLOUDFLARE_TUNNEL_CREDENTIAL }}
          cloudflare_tunnel_configuration: ${{ secrets.CLOUDFLARE_TUNNEL_CONFIGURATION }}
          cloudflare_tunnel_id: ${{ secrets.CLOUDFLARE_TUNNEL_ID }}

      - name: Test cloudflared installed by setup-cloudflared using Python HTTP server for 5 minutes
        run: timeout 5m python -m http.server 8000 || true

      - name: Shutdown cloudflared using setup-cloudflared/shutdown
        if: always()
        uses: AnimMouse/setup-cloudflared/shutdown@v1
Enter fullscreen mode Exit fullscreen mode

Submission Category:

Maintainer Must-Haves

Yaml File or Link to Code

name: Setup cloudflared
description: Setup/Install Cloudflare Tunnel client for GitHub Actions
  icon: cloud
  color: orange
    description: Cloudflare Tunnel Certificate (cert.pem)
    required: true
    description: Cloudflare Tunnel Credential encoded in base64 (deadbeef-1234-4321-abcd-123456789ab.json)
    required: true
    description: Cloudflare Tunnel Configuration encoded in base64 (config.yml)
    required: true
    description: Cloudflare Tunnel ID (deadbeef-1234-4321-abcd-123456789ab)
    required: true
    description: Autostart Cloudflare Tunnel
    required: false
    default: true

  using: composite
    - name: Download cloudflared for Linux
      shell: bash
      working-directory: ${{ runner.temp }}
      run: aria2c -x 16 ""

    - name: Install cloudflared
      shell: bash
      working-directory: ${{ runner.temp }}
      run: |
        chmod +x cloudflared-linux-amd64
        mv cloudflared-linux-amd64 /usr/local/bin/cloudflared

    - name: Login to Cloudflare Tunnel client
      shell: bash
        cloudflare_tunnel_certificate: ${{ inputs.cloudflare_tunnel_certificate }}
        cloudflare_tunnel_credential: ${{ inputs.cloudflare_tunnel_credential }}
        cloudflare_tunnel_configuration: ${{ inputs.cloudflare_tunnel_configuration }}
        cloudflare_tunnel_id: ${{ inputs.cloudflare_tunnel_id }}
      run: |
        mkdir ~/.cloudflared/
        echo $cloudflare_tunnel_certificate > ~/.cloudflared/cert.pem
        echo $cloudflare_tunnel_credential | base64 -d > ~/.cloudflared/${cloudflare_tunnel_id}.json
        echo $cloudflare_tunnel_configuration | base64 -d > ~/.cloudflared/config.yml

    - name: Run Cloudflare Tunnel
      if: inputs.autostart == 'true'
      shell: bash
        cloudflare_tunnel_id: ${{ inputs.cloudflare_tunnel_id }}
      run: |
        nohup cloudflared tunnel run > ${RUNNER_TEMP}/cloudflared.log 2>&1 &
        echo $! > ${RUNNER_TEMP}/
Enter fullscreen mode Exit fullscreen mode

GitHub logo AnimMouse / setup-cloudflared

Setup/Install Cloudflare Tunnel client for GitHub Actions

Setup cloudflared for GitHub Actions

Setup Cloudflare Tunnel client for GitHub Actions.

This action installs cloudflared for use in actions by installing it on tool cache using AnimMouse/tool-cache.

This action will automatically sign in and start Cloudflare Tunnel.

Other virtual environments besides Ubuntu are not supported yet.

Test page for setup-cloudflared


  1. Paste the contents of the cert.prm file to CLOUDFLARE_TUNNEL_CERTIFICATE secret. No need to encode it to base64 as it is already in base64.
  2. Encode the JSON credential in base64 using this command base64 -w 0 <cloudflare-tunnel-id>.json and paste it to CLOUDFLARE_TUNNEL_CREDENTIAL secret.
  3. At the config.yml, set credentials-file: to /home/runner/.cloudflared/<cloudflare-tunnel-id>.json
  4. Encode the config.yml in base64 using this command base64 -w 0 config.yml and paste it to CLOUDFLARE_TUNNEL_CONFIGURATION secret.
  5. Add the Cloudflare Tunnel ID to CLOUDFLARE_TUNNEL_ID secret.

To gracefully shutdown Cloudflare Tunnel after being started in the background, use the AnimMouse/setup-cloudflared/shutdown action as composite actions does not support post:

Additional Resources / Info

GitHub logo cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)

Cloudflare Tunnel client

Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible Extensive documentation can be found in the Cloudflare Tunnel section of the Cloudflare Docs All usages related with proxying to your origins are available under cloudflared tunnel help.

You can also use cloudflared to access Tunnel origins (that are protected with cloudflared tunnel) for TCP traffic at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc. Such usages are available under cloudflared access help.

You can instead use WARP client to access private origins behind…

Used by:

GitHub logo AnimMouse / SOCKS5-proxy-actions

Proof of concept SOCKS5 proxy running on GitHub Actions through Chisel

SOCKS5 Proxy Actions

SOCKS5 Proxy hosted on GitHub Actions.

Proof of concept Chisel's SOCKS5 Proxy running on GitHub Actions.

As GitHub Actions runner does not have an accessible IP address, we use Cloudflare Tunnel to have a tunnel to GitHub Actions runner.

Your Computer > Cloudflare > GitHub Actions runner > GitHub Actions' Internet


  1. Setup Cloudflare Tunnel Client by following instructions on setup-cloudflared
  2. At the config.yml, set service: to http://localhost:8080 at ingress:.
  - service: http://localhost:8080
  1. Run the workflow.
  2. Connect to your chisel websocket by running chisel client socks.
  3. Connect your browser to chisel's SOCKS5 proxy by setting proxy settings to localhost:1080.

Top comments (0)