HTTPS using Cloudflare Tunnel

Expose HridaAI to the internet securely. No open ports, no certificates, no reverse proxy.

🔒 Automatic TLS · 🛡️ DDoS Protection · 🌐 Works behind NAT · ⚡ Zero open ports · 🔑 Access Controls

Cloudflare Tunnel (cloudflared) creates an outbound-only connection from your machine to Cloudflare's edge network. Traffic flows through Cloudflare's infrastructure with automatic TLS, DDoS protection, and access controls, all without exposing a single port on your server.

✅ When to use Cloudflare Tunnel

This is the recommended approach when you want production-grade public access without managing TLS certificates or firewall rules. It works on any network, including behind NAT or restrictive firewalls.


Prerequisites

| Requirement | Details |
| --- | --- |
| HridaAI | Running locally on port 8080 (default) |
| Cloudflare account | Free at cloudflare.com |
| Domain on Cloudflare | Your domain's DNS must be managed by Cloudflare |

Option A: Dashboard setup (no CLI)

The simplest path. Everything configured through the Cloudflare dashboard.

Step 1: Create the tunnel

  1. Go to Zero Trust → Networks → Connectors
  2. Click Create a tunnel → select Cloudflared
  3. Name it (e.g., hrida-ai)
  4. Follow the install instructions to run the connector on your machine

Step 2: Add a public hostname

In the tunnel config, add a Public Hostname:

| Field | Value |
| --- | --- |
| Subdomain | chat (or whatever you prefer) |
| Domain | Select your Cloudflare domain |
| Service type | HTTP |
| URL | localhost:8080 |

Save. Cloudflare creates the DNS record automatically.

Step 3: Access HridaAI

Open https://chat.your-domain.com. HTTPS is handled entirely by Cloudflare.


Option B: CLI setup

For automation, infrastructure-as-code, or headless servers.

Step 1: Install cloudflared

brew install cloudflared

Step 2: Authenticate

cloudflared tunnel login

This opens a browser to authorize cloudflared with your Cloudflare account.

Step 3: Create the tunnel

cloudflared tunnel create hrida-ai

Note the Tunnel ID in the output. You'll need it for the config.

Step 4: Configure

Create ~/.cloudflared/config.yml:

tunnel: YOUR_TUNNEL_ID
credentials-file: /home/YOUR_USER/.cloudflared/YOUR_TUNNEL_ID.json

ingress:
  - hostname: chat.your-domain.com
    service: http://localhost:8080
  - service: http_status:404

Step 5: Create DNS record

cloudflared tunnel route dns hrida-ai chat.your-domain.com

Step 6: Start the tunnel

cloudflared tunnel run hrida-ai

Open https://chat.your-domain.com.


Run as a system service

To keep the tunnel running after reboot:

sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

This uses the config at ~/.cloudflared/config.yml automatically.


Configure HridaAI

Set HRIDAAI_URL so OAuth callbacks and internal links resolve correctly:

docker run -d \
  -p 8080:8080 \
  -e HRIDAAI_URL=https://chat.your-domain.com \
  -v hrida-ai:/app/backend/data \
  --name hrida-ai \
  ghcr.io/hrida-ai/hrida-ai-studio:main
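
The "zero open ports" property holds only if the origin is not itself listening on a public interface, and `docker run -p 8080:8080` publishes the port on all host interfaces by default. The check below is an added example, not part of the HridaAI documentation: it reads `ss -ltn` output (Linux, iproute2) and reports any non-loopback listener on the origin port. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: find listeners on the origin port that bypass the tunnel.
# Input on stdin: output of `ss -ltn` (column 4 is Local Address:Port).

# Print every non-loopback local address listening on port $1.
non_loopback_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = match(addr, /:[0-9]+$/)      # last colon separates the port
            if (n == 0) next
            host = substr(addr, 1, n - 1)
            if (substr(addr, n + 1) != port) next
            sub(/%.*$/, "", host)            # drop scope, e.g. 127.0.0.53%lo
            gsub(/\[/, "", host); gsub(/\]/, "", host)
            if (host ~ /^127\./ || host == "::1") next
            print host
        }'
}

# Return 0 if port $1 is loopback-only, 1 (with a message) otherwise.
origin_is_loopback_only() {
    exposed=$(non_loopback_listeners "$1" | tr '\n' ' ')
    if [ -n "$exposed" ]; then
        printf 'port %s is reachable without the tunnel on: %s\n' "$1" "$exposed" >&2
        return 1
    fi
}

# Constructed sample: listeners as they appear after `docker run -p 8080:8080`.
SAMPLE_PUBLISHED='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 [::]:8080 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Constructed sample: the same container published on loopback only.
SAMPLE_LOOPBACK='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*'

printf '%s\n' "$SAMPLE_PUBLISHED" | origin_is_loopback_only 8080 || echo "published sample: exposed"
printf '%s\n' "$SAMPLE_LOOPBACK" | origin_is_loopback_only 8080 && echo "loopback sample: ok"
```

On a live host, run `ss -ltn | origin_is_loopback_only 8080`. Publishing with `-p 127.0.0.1:8080:8080` keeps the origin reachable by cloudflared at localhost:8080 while removing the public listener.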

Docker Compose with cloudflared

Run both HridaAI and the tunnel connector in a single stack:

services:
  hrida-ai:
    image: ghcr.io/hrida-ai/hrida-ai-studio:main
    container_name: hrida-ai
    volumes:
      - hrida-ai:/app/backend/data
    environment:
      - HRIDAAI_URL=https://chat.your-domain.com
    restart: unless-stopped

  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run --token YOUR_TUNNEL_TOKEN
    restart: unless-stopped

volumes:
  hrida-ai:

Get your tunnel token from the Cloudflare dashboard: go to Networking → Tunnels, select your tunnel, select Add a replica, then copy the install command. The token starts with eyJ...

💡 Tip

No ports needed on the hrida-ai service. cloudflared connects to it via Docker's internal network. To use this, change the service URL in your tunnel config to http://hrida-ai:8080.


Add access controls (optional)

Cloudflare Zero Trust lets you gate access behind authentication without touching HridaAI:

Users see a Cloudflare login page before reaching HridaAI.


Quick reference

| What | Command / Value |
| --- | --- |
| Create tunnel | cloudflared tunnel create hrida-ai |
| Start tunnel | cloudflared tunnel run hrida-ai |
| Add DNS | cloudflared tunnel route dns hrida-ai chat.your-domain.com |
| Install as service | sudo cloudflared service install |
| Dashboard | dash.cloudflare.com → Zero Trust → Networks → Connectors |
| Set CORS origin | CORS_ALLOW_ORIGIN=https://chat.your-domain.com |

This content is for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. Hrida AI is proprietary software owned by Zlabs Innovation, provided "as is." See your license for applicable terms. © 2026 Zlabs Innovation. All rights reserved.