Implementing Cloudflare with a mini suitcase server node that is mobile.

Flynn · Oct 1, 2025

Implementing Cloudflare with a mini suitcase server node that is mobile.

Below is a complete, production-ready starter you can drop into your stack. It hides your ASP.NET Core app behind Cloudflare, restores real client IPs, verifies Cloudflare Access JWTs, and boots cloudflared as a daemon. I listed every file and fully regenerated code (with comments) per your rules.

File list & full code

infrastructure/cloudflared/config.yml

Purpose: declarative Tunnel config. One tunnel, two services: web (HTTPS) and SSH (TCP). mTLS to CF, no inbound ports on your host.

tunnel: membership-core
credentials-file: /etc/cloudflared/membership-core.json

ingress:

Public hostname → local service

hostname: app.yourdomain.com
service: http://localhost:5000
originRequest:
http2Origin: true # Enable HTTP/2 between CF edge and origin (via tunnel)
noTLSVerify: true # If you terminate TLS at CF and run HTTP to Kestrel locally
connectTimeout: 10s
keepAliveTimeout: 1m
disableChunkedEncoding: false
httpHostHeader: app.yourdomain.com

Optional: TCP/SSH over Tunnel via Cloudflare Access SSH

hostname: ssh.yourdomain.com
service: ssh://localhost:22
service: http_status:404

warp-routing:
enabled: false

metrics: 127.0.0.1:40657
loglevel: info
protocol: quic # Faster, resilient edge↔tunnel transport

infrastructure/cloudflared/cloudflared.service

Purpose: systemd unit to run the daemon at boot and auto-restart.

[Unit]
Description=Cloudflare Tunnel daemon
After=network-online.target
Wants=network-online.target

[Service]
User=cloudflared
Group=cloudflared
Environment=LOGNAME=cloudflared
ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run
Restart=always
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
CapabilityBoundingSet=
AmbientCapabilities=
CacheDirectory=cloudflared

[Install]
WantedBy=multi-user.target

infrastructure/cloudflare/zero-trust-access-policy.md

Purpose: define who can hit app.yourdomain.com before it ever reaches your origin.

Application: app.yourdomain.com
Policy: “Members Only”
Decision: Allow if ALL:
- Identity Provider group: Members (Okta/AzureAD/Google Workspace)
- Device posture: (optional) WARP healthy AND OS ≠ rooted AND Disk encrypted
- Country: NOT (CN, RU, KP, IR) # adjust to taste
Session duration: 12h
JWT audience (aud): urn:manoffocus:membership
JWT issuers: https://<your-team>.cloudflareaccess.com
Headers added by CF edge:
- Cf-Access-Jwt-Assertion: <JWT>
- Cf-Connecting-Ip: <client-ip>
- Cf-Ipcountry: <country>
- Cf-Ray: <trace id>

docker-compose.yml

Purpose: local/dev orchestration: your app + cloudflared (optional for dev).

version: "3.9"
services:
web:
build: ./src
ports:
- "5000:8080" # Kestrel inside container on 8080
environment:
- ASPNETCORE_URLS=http://0.0.0.0:8080
- ACCESS_AUD=urn:manoffocus:membership
- ACCESS_ISS=https://yourteam.cloudflareaccess.com
cloudflared:
image: cloudflare/cloudflared:latest
command: tunnel run --config /etc/cloudflared/config.yml
volumes:
- ./infrastructure/cloudflared/config.yml:/etc/cloudflared/config.yml:ro
- ./infrastructure/cloudflared/creds.json:/etc/cloudflared/membership-core.json:ro
depends_on:
- web

src/Program.cs
// Purpose: minimal ASP.NET Core 8 app wiring Cloudflare headers, Access JWT validation, and a health endpoint.
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;

src/Services/AccessJwtValidator.cs
// Purpose: verify the CF Access JWT (issuer/audience, signature). Uses JWKS fetch + cache.
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Net.Http.Json;

public sealed class AccessJwtValidator
{
private readonly HttpClient _http = new HttpClient();
// Configure via env or appsettings
private readonly string _issuer = Environment.GetEnvironmentVariable("ACCESS_ISS") ?? "https://yourteam.cloudflareaccess.com";
private readonly string _aud = Environment.GetEnvironmentVariable("ACCESS_AUD") ?? "urn:manoffocus:membership";
private JsonWebKeySet? _jwks;
private DateTime _jwksFetchedAt = DateTime.MinValue;

public async Task<(bool IsValid, ClaimsIdentity ClaimsIdentity)> ValidateAsync(string jwt) { try { var handler = new JwtSecurityTokenHandler(); var parameters = new TokenValidationParameters { ValidIssuer = _issuer, ValidateIssuer = true, ValidateIssuerSigningKey = true, ValidateAudience = true, ValidAudience = _aud, ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(2), IssuerSigningKeys = await GetSigningKeysAsync() }; var principal = handler.ValidateToken(jwt, parameters, out _); return (true, (ClaimsIdentity)principal.Identity!); } catch { return (false, new ClaimsIdentity()); } } private async Task<IEnumerable<SecurityKey>> GetSigningKeysAsync() { // Refresh JWKS every 12h if (_jwks == null || (DateTime.UtcNow - _jwksFetchedAt) > TimeSpan.FromHours(12)) { var jwksUrl = $"{_issuer}/cdn-cgi/access/certs"; _jwks = await _http.GetFromJsonAsync<JsonWebKeySet>(jwksUrl); _jwksFetchedAt = DateTime.UtcNow; } return _jwks!.Keys; } 
}

src/Middleware/CloudflareRealIpMiddleware.cs (optional, if you prefer explicit CF header handling)
// Purpose: if you want to read CF-Connecting-IP specifically and stamp HttpContext.Connection.RemoteIpAddress.
using System.Net;

public class CloudflareRealIpMiddleware
{
private readonly RequestDelegate _next;

public CloudflareRealIpMiddleware(RequestDelegate next) => _next = next; public async Task Invoke(HttpContext context) { if (context.Request.Headers.TryGetValue("CF-Connecting-IP", out var cfIp) && IPAddress.TryParse(cfIp.ToString(), out var ip)) { context.Connection.RemoteIpAddress = ip; } await _next(context); } 
}

// In Program.cs, add: app.UseMiddleware<CloudflareRealIpMiddleware>(); before auth.

src/Controllers/MemberController.cs
// Purpose: sample protected API endpoint returning identity and client IP.
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/member")]
public class MemberController : ControllerBase
{
[HttpGet("me")]
public IActionResult Me()
{
var name = User.Identity?.Name ?? "(no name claim)";
var ip = HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
return Ok(new
{
user = name,
claims = User.Claims.Select(c => new { c.Type, c.Value }),
clientIp = ip
});
}
}

src/Dockerfile

Purpose: containerize the ASP.NET Core app for clean deployments behind Tunnel.

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
WORKDIR /app
EXPOSE 8080
ENV ASPNETCORE_URLS=http://+:8080

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY ./ ./
RUN dotnet restore
RUN dotnet publish -c Release -o /out

FROM base AS final
WORKDIR /app
COPY --from=build /out ./
ENTRYPOINT ["dotnet", "Membership.Core.dll"]

src/appsettings.json
{
"Logging": { "LogLevel": { "Default": "Information", "Microsoft.AspNetCore": "Warning" } },
"AllowedHosts": "*"
}
README.md

Purpose: operator runbook.

Bootstrapping Cloudflare Tunnel

Install cloudflared:
- Linux: curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared && chmod +x /usr/local/bin/cloudflared
Login & create tunnel:
- cloudflared tunnel login
- cloudflared tunnel create membership-core
- This outputs a credentials JSON; place it at /etc/cloudflared/membership-core.json
Configure DNS:
- cloudflared tunnel route dns membership-core app.yourdomain.com
Put config at /etc/cloudflared/config.yml (see file above).
systemd:
- useradd --system --home /etc/cloudflared --shell /usr/sbin/nologin cloudflared
- chown -R cloudflared:cloudflared /etc/cloudflared
- cp infrastructure/cloudflared/cloudflared.service /etc/systemd/system/
- systemctl daemon-reload && systemctl enable --now cloudflared
Verify:
- systemctl status cloudflared
- curl -I https://app.yourdomain.com (should return 200 or 302 to Access).

Zero Trust (Access) policy

Create an “Application” for app.yourdomain.com in Cloudflare Zero Trust.
Add an Access policy for your Members group and set AUD to urn:manoffocus:membership.
Save the team domain (ISS) and set env vars on your app host/container:
- ACCESS_ISS=https://yourteam.cloudflareaccess.com
- ACCESS_AUD=urn:manoffocus:membership

ASP.NET integration checklist

Restore real client IPs: ForwardedHeaders + (optional) CloudflareRealIpMiddleware.
Trust only Cloudflare: make sure your firewall blocks inbound; only cloudflared dials out.
JWT verification: Cf-Access-Jwt-Assertion header → AccessJwtValidator.
WebSockets/SignalR: supported through Tunnel out of the box.
gRPC: works over HTTP/2 via Tunnel (http2Origin: true).
Health: /health/live and /health/ready for probes.
Logs: correlate with CF-Ray header for request tracing.

Design notes (plain English)

“Edge node” vs “origin”: your server is not a Cloudflare POP, but with Tunnel + Access + WAF the edge makes decisions (identity, country, bot, rate-limit) and only then forwards to your private origin through encrypted outbound channels you control. That’s the secure, modern pattern.
Redundancy: you can run multiple cloudflared instances (same tunnel) on different boxes; CF will load-balance to healthy connections automatically.
Private services: you can add more hostnames (e.g., api.yourdomain.com, boardroom.yourdomain.com) in config.yml and route each to different local ports/containers.
Device posture (optional but strong): require WARP + posture checks for admins; members can stay identity-only.
Performance: protocol: quic is resilient; keep HTTP/2 to Kestrel for multiplexing.
Secrets: do not bake the Access issuer/audience into code in prod; use env or Key Vault.

If you want, I can extend this with:

CF Turnstile or Bot Management for signup/abuse control
Tiered caching rules for your images/videos
Web analytics + logs (Cloudflare Logpush to your SIEM)
A second tunnel for SSH/RDP bastion with per-user just-in-time access.

Implementing Cloudflare with a mini suitcase server node that is mobile.

File list & full code​

Purpose: declarative Tunnel config. One tunnel, two services: web (HTTPS) and SSH (TCP). mTLS to CF, no inbound ports on your host.​

Public hostname → local service​

Optional: TCP/SSH over Tunnel via Cloudflare Access SSH​

Purpose: systemd unit to run the daemon at boot and auto-restart.​

Purpose: define who can hit app.yourdomain.com before it ever reaches your origin.​

Purpose: local/dev orchestration: your app + cloudflared (optional for dev).​

Purpose: containerize the ASP.NET Core app for clean deployments behind Tunnel.​

Purpose: operator runbook.​

Bootstrapping Cloudflare Tunnel​

Zero Trust (Access) policy​

ASP.NET integration checklist​

Design notes (plain English)​

Similar threads