unsubbed.co

DockFlare

DockFlare gives you a Cloudflare Tunnel controller on your own infrastructure.

Cloudflare Tunnel automation for Docker, honestly reviewed. Not a Cloudflare ad, not a homelab fantasy — just what you actually get.

TL;DR

  • What it is: Open-source (GPL-3.0) Cloudflare Tunnel automation tool that reads Docker labels and handles ingress rules, DNS records, and Access policies so you don’t have to [1][2].
  • Who it’s for: Self-hosters running multiple Docker containers who want to expose services publicly without touching the Cloudflare dashboard every time something changes. Not for non-technical users who don’t know Docker [1].
  • Cost savings: DockFlare itself is free. Cloudflare Tunnels are free. Your only cost is the VPS running Docker — typically $5–10/mo. Compare to Ngrok’s $8–25+/mo for a similar tunneling capability, without the automation layer.
  • Key strength: Three Docker labels and your container is public, DNS-registered, and optionally behind Cloudflare Access authentication. No dashboard clicks, no manual cloudflared config, no forgotten tunnel entries [1][2].
  • Key weakness: You’re still fully dependent on Cloudflare’s infrastructure. Cloudflare Tunnels have a 100MB per-request file size cap, a ToS prohibition on high-volume media streaming, and Cloudflare terminates your TLS — all problems DockFlare cannot solve because they’re upstream of it [4].

What is DockFlare

DockFlare is a self-hosted control plane for Cloudflare Tunnels. It runs as a Docker container alongside your stack, watches for container events, reads labels you define, and translates them into Cloudflare API calls — creating tunnel ingress rules, DNS records, and Zero Trust Access applications on your behalf.

The core pitch is in the GitHub description: “Automate Cloudflare Tunnels with Docker Labels.” Every time you start a container with three specific labels, DockFlare picks it up, creates the necessary Cloudflare configuration, and registers it in its own web UI. When the container stops, DockFlare cleans up after it [1][README].

Version 3.0, released in late 2025, expanded the scope significantly [2]. What started as a single-host tunnel manager became a distributed system with a Master and lightweight remote Agents. The Master runs the web UI, manages encrypted config, and orchestrates Cloudflare API calls. Agents run on remote Docker hosts, stream container events back to the Master, and execute tunnel commands locally. This architecture is the key reason self-hosters behind CGNAT — where you can’t forward ports from your home network — are using it [2].

The project is a one-person effort from a Swiss developer. It sits at 1,933 GitHub stars, version 3.0.9 as of this review, and is licensed under GPL-3.0.


Why People Choose It

The XDA Developers review [1] by Joe Rice-Jones captures the practical appeal cleanly: managing Cloudflare Tunnels manually gets painful fast. You create a tunnel in the dashboard, install cloudflared on the server, define ingress rules, add DNS records, optionally configure Access — for every single service. Multiply that by ten or twenty containers in an active homelab, and the dashboard becomes a graveyard of stale entries when you tear things down.

DockFlare collapses all of that into three labels [1]:

labels:
  - "dockflare.enable=true"
  - "dockflare.hostname=portainer.your-domain.com"
  - "dockflare.service=http://portainer:9000"

The reviewer notes it also handles Cloudflare’s API rate limits automatically — when you bring up multiple containers simultaneously, DockFlare queues and throttles its API calls to stay under the limit rather than hammering the API and getting 429 errors [1].

The v3.0 Reddit announcement [2] from the developer highlights the fleet management angle specifically: “Especially handy if you’re stuck behind CGNAT at home.” CGNAT (Carrier-Grade NAT) is increasingly common on residential ISPs and makes traditional port forwarding impossible. Cloudflare Tunnels bypass CGNAT entirely, and DockFlare makes running those tunnels across multiple physical hosts manageable from a single interface.

The same author who praised DockFlare in May 2025 [1] later wrote in February 2026 that he’d moved away from Cloudflare Tunnels altogether [4]. The reasons are worth reading carefully because they reveal the ceiling of what DockFlare can offer: a 100MB per-request file size limit that broke Immich, ToS language around video streaming that put Jellyfin usage in a gray area, and Cloudflare’s TLS termination model which means your data is decrypted inside Cloudflare’s network even in tunnel mode. DockFlare automates Cloudflare Tunnels. It cannot fix Cloudflare Tunnels [4].


Features

Core tunnel automation:

  • Automatic tunnel ingress and DNS creation from Docker labels [1][README]
  • Real-time container event detection — rules created on start, removed on stop [1]
  • Path-based routing: different URL paths routed to different services under one hostname [README]
  • Support for http, https, tcp, ssh, and rdp service types [README]
  • Cloudflare API rate limit awareness — queues requests rather than failing [1]
  • Multi-zone DNS handling for accounts with multiple domains [README]

Zero Trust and Access:

  • Cloudflare Access application lifecycle management from labels or UI [README]
  • Access Groups and reusable policies assignable via a single label (dockflare.access.group=admin-team) [README]
  • Built-in OAuth/OIDC provider management: Google, Azure AD, GitHub, Okta, custom OIDC [README]
  • Email and domain restrictions on Access policies [README]
  • UI-level policy overrides that persist and can be reverted without touching labels [README]
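
Because a label is all it takes to publish a container, it is worth auditing which ones are exposed without an Access group. The following is an added example, not DockFlare's own code: it reads `docker inspect` output and flags every container with `dockflare.enable=true` that lacks a `dockflare.access.group` label. The sample JSON is constructed, the `ssh://` service value is assumed to follow the same `scheme://host:port` shape as the `http://` example above, and policies assigned in the DockFlare UI are not visible to a label-only check.

```python
import json

# Constructed sample shaped like `docker inspect $(docker ps -q)`, trimmed to the fields read here.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/portainer", "Config": {"Labels": {
     "dockflare.enable": "true",
     "dockflare.hostname": "portainer.your-domain.com",
     "dockflare.service": "http://portainer:9000",
     "dockflare.access.group": "admin-team"}}},
  {"Name": "/bastion", "Config": {"Labels": {
     "dockflare.enable": "true",
     "dockflare.hostname": "ssh.your-domain.com",
     "dockflare.service": "ssh://bastion:22"}}},
  {"Name": "/blog", "Config": {"Labels": {
     "dockflare.enable": "true",
     "dockflare.hostname": "blog.your-domain.com",
     "dockflare.service": "http://blog:8080"}}},
  {"Name": "/redis", "Config": {"Labels": null}}
]
""")

# Service types that hand out a login or raw socket rather than a web page.
REMOTE_ADMIN_SCHEMES = {"ssh", "rdp", "tcp"}


def audit(containers):
    """Return one finding per container that DockFlare would publish."""
    findings = []
    for c in containers:
        labels = c.get("Config", {}).get("Labels") or {}
        if labels.get("dockflare.enable", "").lower() != "true":
            continue  # not published through the tunnel
        service = labels.get("dockflare.service", "")
        scheme = service.split("://", 1)[0].lower() if "://" in service else ""
        group = labels.get("dockflare.access.group")
        if group:
            risk = "ok"
        elif scheme in REMOTE_ADMIN_SCHEMES:
            risk = "high"      # remote-admin protocol with no Access group label
        else:
            risk = "review"    # public web service with no Access group label
        findings.append({
            "container": c.get("Name", "").lstrip("/"),
            "hostname": labels.get("dockflare.hostname", ""),
            "scheme": scheme,
            "access_group": group,
            "risk": risk,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INSPECT):
        print(f"{f['risk']:6} {f['container']:10} {f['hostname']} ({f['scheme']})")
```

On a live host, replace the sample with the parsed output of `docker inspect` for the running containers.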

Multi-server fleet management (v3.0):

  • Lightweight agents on remote Docker hosts, streaming events to the Master [2][README]
  • Per-agent API keys with revocation [README]
  • Cloudflare Zero Trust service tokens for encrypted Master–Agent communication [README]
  • One-liner deploy scripts for both Master and Agent [2][README]

Web UI and operations:

  • Dashboard with live tunnel and agent status [README]
  • Real-time log streaming [README]
  • Backup and restore of encrypted configuration and runtime state [2][README]
  • Deep-links into Cloudflare Zero Trust pages from the DockFlare UI [README]
  • 10-language UI localization [README]
  • Multiple UI themes [README]

Security hardening:

  • Runs as non-root (UID/GID 65532) [2][README]
  • Docker socket access mediated through a proxy, not mounted directly [2][README]
  • CSRF protection, XSS mitigation, path traversal hardening across all endpoints [README]
  • Encrypted configuration storage [README]

Pricing: Self-Hosted Math

DockFlare is free software. There is no SaaS tier, no commercial license, no per-seat pricing. The GPL-3.0 license means you can run it on your own hardware indefinitely at no cost [README].

What you actually pay for:

  • DockFlare: $0
  • Cloudflare Tunnels: $0 (included with any Cloudflare account, free tier sufficient)
  • Cloudflare Access: Free for up to 50 users per application on the Zero Trust free plan
  • VPS to run it on: $5–10/mo (Hetzner, Contabo, or DigitalOcean)

What this replaces:

If you’re running Ngrok to expose services, that’s $8/mo for one tunnel on the Personal plan, $25/mo for the Pro plan with multiple tunnels and custom domains. DockFlare + Cloudflare handles unlimited services under your own domain for the cost of a VPS.

Tailscale is a different category (mesh VPN, not public tunnels) but Tailscale Business is $18/user/month if you need team access. Cloudflare Access on the free plan covers the same use case for small teams at $0.

The honest caveat: Cloudflare Zero Trust has its own pricing above 50 users, and if you need features like WARP for team devices or Gateway policies, that’s a separate Cloudflare conversation. DockFlare doesn’t change Cloudflare’s pricing — it just removes the operational overhead of managing what you’d be using anyway.


Deployment Reality Check

The one-liner install path is real and documented [README]:

curl -fsSL https://dockflare.app/install.sh | bash

The script creates ~/dockflare/, writes a docker-compose.yml, starts the Master, and points you at port 5000 for the setup wizard. You’ll need a Cloudflare account with a domain managed there, an API token with the right permissions, and an existing or new tunnel in your Cloudflare Zero Trust dashboard.

What you actually need:

  • Docker and docker-compose on the host
  • A Cloudflare account with at least one domain
  • A Cloudflare API token (the setup wizard walks you through the required permissions)
  • Redis (bundled in the default compose file)
  • A reverse proxy if you want HTTPS for the DockFlare UI itself

For the multi-server agent setup:

  • A DockFlare Master on one host
  • The lightweight agent installed on each additional host via the one-liner agent script [2]
  • Network connectivity between agents and the Master (Cloudflare Zero Trust service tokens handle auth) [README]

The XDA reviewer [1] characterizes setup as straightforward enough that even users without deep container experience can get it running. The setup wizard reduces the configuration surface to what actually matters: your Cloudflare credentials and tunnel name.

What can go wrong:

The most significant operational risk isn’t DockFlare itself — it’s Cloudflare. The reviewer who originally recommended DockFlare [1] later documented hitting the 100MB request limit while using Immich and the streaming ToS restrictions with Jellyfin [4]. DockFlare will correctly create a tunnel to your Jellyfin instance. That tunnel will work. The question is whether Cloudflare’s ToS or infrastructure limits cause problems downstream, and DockFlare offers no protection against either.

The project is maintained by one developer, and the GitHub repository has no organization behind it. If the maintainer goes quiet, you have a GPL codebase you can fork, but you lose upstream maintenance. That’s not unusual for a 1,933-star solo project, but it is worth factoring in if you’re building critical infrastructure on top of it.

Agent mode is flagged as beta in the v3.0 release notes [2]. The developer notes it works well but flags it with appropriate uncertainty for production use.


Pros and Cons

Pros

  • Actually solves the right problem. The Cloudflare dashboard is annoying to keep current when containers come and go. Three labels per container and DockFlare handles the rest [1].
  • Cloudflare API rate limiting built in. Bringing up a compose file with ten services doesn’t hammer the API. DockFlare queues intelligently [1].
  • Multi-server fleet management. v3.0’s Master + Agent model means you can manage tunnels across multiple physical hosts from one UI — critical for CGNAT setups [2].
  • Non-root with Docker socket proxy. The security posture is better than “mount the Docker socket directly” which is the lazy approach most similar tools take [2][README].
  • Zero Trust integration is deep. Not just tunnel automation — Access policies, provider management, and groups are all first-class in the UI rather than bolted on [README].
  • Free, GPL-3.0. No commercial upsell, no features gated behind a license tier, no SaaS dependency for the tool itself [README].
  • Encrypted config backup and restore. Migrating hosts or recovering from failures is a real workflow, not an afterthought [2][README].

Cons

  • You’re locked into Cloudflare infrastructure. Every tunnel goes through Cloudflare. 100MB file size limit per request, streaming ToS restrictions, TLS termination inside Cloudflare’s network — these are hard ceilings DockFlare cannot raise [4].
  • Requires a Cloudflare account. This isn’t a generic tunnel solution. No Cloudflare account, no DockFlare [README].
  • Solo maintainer. No organization, no commercial backing, no SLA. GPL code can be forked, but upstream momentum depends on one person in Switzerland [2].
  • Agent mode is beta. The multi-server feature is the biggest v3.0 selling point and it ships with a beta label [2].
  • No CGNAT bypass magic of its own. DockFlare doesn’t create tunnels — it manages the ones Cloudflare creates. The underlying technology is cloudflared, and its limitations apply fully.
  • Limited ecosystem of reviews and community content. Outside XDA and a handful of Reddit posts, third-party coverage is thin. Debugging unusual setups means reading source code or opening GitHub issues.
  • Not for non-technical users. There is no escape hatch here. You need to understand Docker labels, know what a Cloudflare API token is, and be comfortable with a compose file [1].

Who Should Use This / Who Shouldn’t

Use DockFlare if:

  • You’re already using Cloudflare Tunnels and manually managing ingress rules in the dashboard — DockFlare replaces that operational overhead directly.
  • You run more than 3–4 Docker services and tunnel maintenance is becoming a time tax.
  • You’re behind CGNAT and need to manage tunnels across multiple physical hosts from one place.
  • You want Cloudflare Zero Trust Access policies on your containers without setting up each application manually.
  • You’re comfortable with Docker and a Cloudflare account, and want a purpose-built automation layer rather than scripting the Cloudflare API yourself.

Skip it and use Pangolin instead if:

  • You’ve hit Cloudflare’s 100MB file limit (Immich, large file sharing) [4].
  • You’re running Jellyfin or another media server and want to avoid the streaming ToS ambiguity [4].
  • You want end-to-end TLS without Cloudflare as a termination point [4].
  • You don’t have or want a Cloudflare account.

Skip it and use cloudflared directly if:

  • You have one or two services to expose and the Cloudflare dashboard isn’t a meaningful burden.
  • You want zero additional software in your stack.

Skip it entirely if:

  • You’re a non-technical founder who doesn’t know what a Docker label is. There’s no GUI shortcut that hides the underlying infrastructure here.
  • You need tunneling for a production system with SLA requirements. The solo-maintainer risk is real.

Alternatives Worth Considering

  • Cloudflared (direct) — The official Cloudflare tunnel daemon without any automation layer. Fine for static setups; painful for dynamic Docker environments. No extra software, but no automation either.
  • Traefik + Cloudflare plugin — Traefik is a production-grade reverse proxy that has Cloudflare DNS plugins. More complex to configure, but widely deployed and extensively documented. Better if you’re already using Traefik for internal routing.
  • Nginx Proxy Manager + Cloudflare — A UI-friendly reverse proxy with built-in Let’s Encrypt. Doesn’t touch Cloudflare Tunnels, so port forwarding is required, but there is no Cloudflare infrastructure dependency.
  • Pangolin — The closest self-hosted alternative to Cloudflare Tunnels as a concept. Runs your own tunnel infrastructure instead of using Cloudflare’s. No 100MB limit, no streaming ToS, no TLS termination by a third party. More setup required. The reviewer who moved away from DockFlare/Cloudflare Tunnels ended up here [4].
  • Tailscale — Mesh VPN, not public tunnels. Right tool if you’re sharing access with a known set of people (team, family). Wrong tool if you want publicly accessible URLs.
  • Coolify / Dokploy — PaaS layers that handle container deployment and can manage reverse proxy configuration. If you want a full deployment platform rather than just tunnel automation, these are worth comparing.

Bottom Line

DockFlare solves exactly one problem extremely well: the operational overhead of managing Cloudflare Tunnels across a dynamic Docker environment. If you’ve been clicking through the Cloudflare dashboard every time you spin up a new container, or you’ve let tunnel entries pile up because cleanup is tedious, DockFlare replaces all of that with three labels per service. The v3.0 multi-server support extends that value to homelabs spanning multiple physical hosts — particularly useful behind CGNAT. The security posture (non-root, socket proxy, CSRF hardening) is better than the project’s solo-dev origin might suggest.

The ceiling is Cloudflare itself. DockFlare doesn’t change what Cloudflare Tunnels are: free, convenient infrastructure with a 100MB file size cap, streaming ToS restrictions, and TLS that Cloudflare terminates. For a homelab running Vaultwarden, Nextcloud, and a handful of internal tools, those limits don’t matter. For a homelab running Immich or Jellyfin at scale, they do — and the right answer in that case is Pangolin, not better tunnel automation.


Sources

  1. Joe Rice-Jones, XDA Developers, “DockFlare is a free, open-source tool to manage Cloudflare Tunnels” (May 22, 2025). https://www.xda-developers.com/cloudflare-tunnels-easier-to-manage-free-open-source-self-hosted-tool/
  2. u/ChopSueyYumm, r/selfhosted, “DockFlare 3.0 is here! Manage tunnels across servers, open source & free”. https://www.reddit.com/r/selfhosted/comments/1nos4t4/dockflare_30_is_here_manage_tunnels_across/
  3. Ethan Sholly, selfh.st, “Self-Host Weekly (16 May 2025)”. https://selfh.st/weekly/2025-05-16/
  4. Joe Rice-Jones, XDA Developers, “I stopped using Cloudflare Tunnels for everything, and here’s what I use instead” (Feb 12, 2026). https://www.xda-developers.com/stopped-using-cloudflare-tunnels-for-everything-heres-what-use-instead/
  5. Joe Rice-Jones, XDA Developers, “4 unofficial OPNsense plugins that are surprisingly useful” (Jun 20, 2025). https://www.xda-developers.com/these-unofficial-opnsense-plugins-are-surprisingly-useful/
