Using Cloudflare for HTTP traffic and Not Having to Open Internal Ports


Cloudflare Tunnel is a simple, secure way to make an internal web server (like the one hosting https://chrisyoull.com) publicly accessible without opening any ports on your router or firewall.

Normal Way Without Cloudflare

  1. Your web server runs inside your home/network on a private IP (e.g., http://192.168.x.x:80 or :8080).
  2. To reach it from the internet, you normally:
    • Forward port 443 (HTTPS) on your router to your server.
    • Your public IP gets exposed.
    • You deal with firewall rules, certificates, DDoS worries, etc.

This creates an inbound hole in your network — anyone (or any attacker) can try to connect to your public IP on port 443.

How Cloudflare Tunnel Works (The Magic)

Instead of poking holes for inbound traffic, an outbound tunnel is created from the internal network out to Cloudflare:

  1. A small program called cloudflared runs on the server hosting the website.
  2. cloudflared reaches out to Cloudflare's network and says: "Hey, I'm here and ready. Keep a connection open to me."
    • This is an outbound-only connection. The internal router allows it by default; no special port rules are needed.
  3. In your Cloudflare web dashboard, a Tunnel is created and configured with a public hostname (e.g., chrisyoull.com).
  4. The tunnel is configured to: "Allow any traffic coming to chrisyoull.com to go to my local server at http://localhost:80"
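As an added example (not from the original post), this is what steps 3 and 4 look like when the tunnel is configured from a local cloudflared config file instead of the dashboard; the tunnel UUID and credentials path are placeholders you would take from your own `cloudflared tunnel create` output.

```yaml
# cloudflared config file (typically /etc/cloudflared/config.yml).
# <TUNNEL-UUID> is a placeholder: use the ID printed by `cloudflared tunnel create`.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

# Ingress rules are evaluated top to bottom; the first hostname match wins.
ingress:
  # Step 4 from the post: requests for chrisyoull.com go to the local web
  # server over plain HTTP. This hop never leaves the host, so no TLS is needed.
  - hostname: chrisyoull.com
    service: http://localhost:80

  # Catch-all rule (required; cloudflared refuses to start without one).
  # Any hostname not listed above gets a 404 from cloudflared itself instead
  # of being forwarded to the origin.
  - service: http_status:404
```

Check the file with `cloudflared tunnel ingress validate` and start the outbound connection with `cloudflared tunnel run <TUNNEL-UUID>`; the public hostname still needs a DNS record pointing at the tunnel, which `cloudflared tunnel route dns <TUNNEL-UUID> chrisyoull.com` creates.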

Traffic flow when someone visits https://chrisyoull.com:

  • Visitor → Cloudflare's global network (they handle DNS, HTTPS certificate, security, DDoS protection, etc.).
  • Cloudflare → sends the request through the open outbound tunnel back to your cloudflared.
  • cloudflared → forwards it to the local web server (as plain HTTP internally).
  • The internal server responds → back through the tunnel → Cloudflare → to the visitor (as HTTPS).

It's like a secure, persistent reverse connection. Your server "phones home" to Cloudflare, and Cloudflare uses that phone line to send visitors to

Why You Don't Need Port 443 Open on Your Router

  • No inbound connections are ever made to your public IP or router from the outside.
  • The only traffic is outbound from cloudflared to Cloudflare (usually on port 7844 or similar).
  • Your router/firewall sees this as normal internet traffic going out, not something coming in.

This is the big advantage: Zero open ports on your network perimeter = much lower attack surface.

Visitor (https://chrisyoull.com)
          ↓
     Cloudflare Edge (handles TLS, security, etc.)
          ↓
   [Outbound Tunnel - always open]
          ↓
     cloudflared (on your server)
          ↓
     Your local web server (http://localhost:80)

Cloudflare Tunnel for chrisyoull.com Summary

  • cloudflared runs on the server and maintains persistent outbound connections to Cloudflare.
  • Public hostname chrisyoull.com is mapped in the Tunnel config to the internal service.
  • Cloudflare terminates HTTPS and proxies requests securely through the tunnel.
  • No port forwarding or inbound firewall rules required.
  • Benefits: Free SSL, DDoS protection, easy management, hides your home IP.