Skip to content

BasicUsageSingleDomain.md

Jump to bottom
Chris edited this page Jun 22, 2025 · 3 revisions

Basic Usage (Single Domain)

This is the standard and most common method for exposing a single service from a Docker container using one public hostname.

Labeling Strategy

You add a set of non-indexed labels directly to the container's definition in your docker-compose.yml. These keys are described in detail in the Container Labels page.

Example 1: Exposing a Public Web Service

Here's an example of exposing a simple nginx web server as www.example.com. We assume both DockFlare and this new service are on the same cloudflare-net Docker network, allowing them to communicate.

version: '3.8'

services:
  # Your DockFlare service definition (from Quick Start)
  dockflare:
    image: alplat/dockflare:stable
    container_name: dockflare
    restart: unless-stopped
    ports:
      - "5000:5000"
    env_file:
      - .env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - dockflare_data:/app/data
    networks:
      - cloudflare-net

  # The web service you want to expose
  my-website:
    image: nginx:latest
    container_name: my-website
    restart: unless-stopped
    networks:
      - cloudflare-net # Must be on a network DockFlare can reach
    labels:
      # --- DockFlare Labels ---
      # 1. Enable DockFlare management for this container
      - "dockflare.enable=true"

      # 2. Define the public hostname
      - "dockflare.hostname=www.example.com"

      # 3. Define the internal service address (protocol://container_name:port)
      - "dockflare.service=http://my-website:80"
      # This rule will be public by default.

When you run docker compose up -d, DockFlare detects the my-website container and automatically creates the Cloudflare DNS record and Tunnel ingress rule. Your service becomes publicly accessible at https://www.example.com.

Example 2: Exposing a Private Service with an Access Policy

Here, we'll expose a private service (like a dashboard) and secure it using a Cloudflare Access policy, requiring users to log in.

# (Continuing from the services block above)

  # A private dashboard you want to expose securely
  private-dashboard:
    image: some/dashboard-app
    container_name: private-dashboard
    restart: unless-stopped
    networks:
      - cloudflare-net
    labels:
      # --- Ingress Labels ---
      - "dockflare.enable=true"
      - "dockflare.hostname=dashboard.example.com"
      - "dockflare.service=http://private-dashboard:8080"

      # --- Access Policy Labels ---
      # 4. Secure this service with a Cloudflare Access policy
      - "dockflare.access.policy=authenticate"
      - "dockflare.access.session_duration=8h"

Explanation

  1. dockflare.enable="true": This is the master switch that tells DockFlare to pay attention to this container.
  2. dockflare.hostname="dashboard.example.com": This specifies the public URL. DockFlare will create a CNAME DNS record for this hostname pointing to your tunnel.
  3. dockflare.service="http://private-dashboard:8080": This tells the Cloudflare Tunnel where to send the traffic internally. Because both containers are on the cloudflare-net network, Docker's built-in DNS can resolve the container name private-dashboard.
  4. dockflare.access.policy="authenticate": This is the key for Zero Trust security. DockFlare will automatically create a Cloudflare Access Application for dashboard.example.com that requires users to authenticate with an identity provider you've configured in your Cloudflare account.

This combination of ingress and access labels allows you to define your entire service exposure and security posture declaratively from your docker-compose.yml file.

Clone this wiki locally