Cloudflare is one of the popular CDN and security platforms, powering millions of sites from small to enterprise. When you implement Cloudflare for your website, all the traffic is secured and accelerated. But this is true only when the site is accessed using its domain name. What if someone finds out the actual server IP (origin) and misuses it? Finding the server IP for a site behind Cloudflare doesn’t take much. You can find out how, as explained here and here. You see, just implementing a CDN and a cloud-based WAF is not enough. You should also consider protecting the origin. So, what’s the solution? Argo Tunnel, a smart solution by Cloudflare to protect the origin server from direct attack.

It is a daemon that you install on your server; it creates an encrypted tunnel between the server and the Cloudflare network. There is zero complicated ACL or IP tables configuration.

The good news is you don’t need to be on the PRO or a higher plan. You can get started even if you are on the FREE plan. All you pay for is the Argo subscription, which starts from $5 per month. Let’s get started with installation and setup.

Installing Cloudflare daemon

Log in to the origin server with root or sudo privileges.

Download the latest stable package. I am on Ubuntu, so I use the .deb file; for other operating systems, check out the official download page.

Install the downloaded package.

Let’s verify the version to ensure it is installed.

Great!

Authenticate Daemon

Next, authenticate to Cloudflare using the daemon. Run the command below.

It will print a URL that you can use to log in to Cloudflare and authorize the site.

Once authorized, you should see something like this.

Starting the tunnel

Let’s start the tunnel as below. Ex:

Congratulations! The origin is locked down now. Try to access your website using the origin IP, and you should see the “connection refused” message.
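To confirm the “connection refused” result described above, here is a small check that is an added example, not part of the original tutorial or of Cloudflare's tooling. It assumes the origin serves web traffic on ports 80 and 443 and that you run it from a machine outside the origin's network; the function names and the `check_origin.py` filename are illustrative.

```python
import socket
import sys

# Assumption: the ports a web origin normally exposes; adjust to your server.
WEB_PORTS = (80, 443)


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt as 'open', 'refused' or 'filtered'."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # The host answered with a reset: nothing is listening publicly.
        return "refused"
    except OSError:
        # Timeout or unreachable: a firewall is silently dropping the packets.
        return "filtered"
    conn.close()
    return "open"


def check_origin(host, ports=WEB_PORTS, timeout=3.0):
    """Probe every port and report which ones still accept direct connections."""
    results = {port: probe(host, port, timeout) for port in ports}
    exposed = sorted(port for port, state in results.items() if state == "open")
    return {"results": results, "exposed": exposed, "locked_down": not exposed}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_origin.py <origin-ip>")
    report = check_origin(sys.argv[1])
    for port, state in report["results"].items():
        print(f"{sys.argv[1]}:{port} -> {state}")
    if report["locked_down"]:
        print("Origin does not accept direct web connections.")
    else:
        print("Origin still reachable directly on:", report["exposed"])
    # Non-zero exit status makes the check usable from cron or CI.
    sys.exit(0 if report["locked_down"] else 1)
```

An `open` result means the web server is still listening on a public interface, so direct requests to the origin IP bypass Cloudflare.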

Starting Argo Tunnel at Boot

Let’s ensure the Argo Tunnel is started when the server reboots. Run the command below on the server.

Conclusion

Cloudflare Argo Tunnel looks promising. In just around 30 minutes, you can protect the origin server.
