Using Cloudflare Tunnel to forward traffic for a Cloudflare-proxied external domain to a local port

XFEstudio 2026-02-01 13:39 131
Edited 2026-02-01 16:15

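The goal is as follows

External access:
https://www.example.com
        ↓
Cloudflare
        ↓
Local machine
http://localhost:7777 or any other port

You need no public IP, no port mapping, and no firewall rule opening a specific port 👉 Cloudflare Tunnel (cloudflared) is the best solution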


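✅ Officially recommended solution: Cloudflare Tunnel

This is Cloudflare's own NAT-traversal + reverse-proxy solution. It is more stable and more secure than frp / ngrok, and permanently free (for basic use)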


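1. How it works overall

Browser
  ↓
Cloudflare edge node
  ↓
Cloudflare Tunnel (your machine actively connects outward)
  ↓
localhost:7777

Key points:

  • Your machine only makes outbound connections
  • The outside world cannot reach your server directly
  • Inherently DDoS-resistant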

2. Install cloudflared (Windows)

1️⃣ Download

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/

Download:

cloudflared-windows-amd64.exe

Rename it to:

cloudflared.exe

Put it in any directory (e.g. C:\cloudflared\)


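3. Log in to Cloudflare (one time only)

cd /d <your cloudflared download directory>
cloudflared login

This will:

  • Open the browser automatically
  • Ask you to choose a Cloudflare account
  • Generate a certificate locally once authorization succeeds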

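4. Create the Tunnel

cloudflared tunnel create myTunnel

(You can use your own tunnel name instead; the rest of this article uses myTunnel as the example.)

On success you get:

  • A Tunnel ID
  • The Tunnel name
  • An automatically generated JSON credentials file

Remember the tunnel name: myTunnel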


5. Configure the forwarding rules (the key part)

Create the configuration file:

📄 C:\cloudflared\config.yml

tunnel: myTunnel
credentials-file: C:\Users\<your username>\.cloudflared\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json

ingress:
  - hostname: www.example.com
    service: http://localhost:7777

  - hostname: 更多域名.example.com
    service: http://localhost:7778

  - service: http_status:404

⚠️ Notes:

  • service must be localhost
  • Do not write 0.0.0.0
  • The hostname must not carry a port (80 or 443 by default)
  • No port mapping needs to be written
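
The notes above can be checked mechanically before the tunnel is started. The following linter is an added example, not part of the original post or of cloudflared: it takes the ingress rules as a list of dicts (the shape a YAML parser would return), and the rule set `SAMPLE_RULES`, the hostname `api.example.com` and the function names are constructed for illustration. It also checks that the final rule is a catch-all with no hostname, as in the config above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape yaml.safe_load() would return for the
# ingress section; the second rule deliberately breaks two of the notes.
SAMPLE_RULES = [
    {"hostname": "www.example.com", "service": "http://localhost:7777"},
    {"hostname": "api.example.com:8443", "service": "http://0.0.0.0:7778"},
    {"service": "http_status:404"},
]


def is_loopback(host):
    """True for localhost and for any literal loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def lint_ingress(rules):
    """Return (rule_index, message) findings for a list of ingress rules."""
    if not rules:
        return [(None, "no ingress rules defined")]
    findings = []
    if rules[-1].get("hostname"):
        findings.append((len(rules) - 1, "last rule must be a catch-all with no hostname"))
    for i, rule in enumerate(rules):
        host = rule.get("hostname", "")
        if any(ch in host for ch in ":/"):
            findings.append((i, f"hostname {host!r} must be a bare domain, no scheme or port"))
        service = rule.get("service", "")
        if not service:
            findings.append((i, "rule has no service"))
        elif "://" in service:
            target = urlsplit(service).hostname or ""
            if not is_loopback(target):
                findings.append((i, f"service {service!r} is not a loopback address"))
    return findings


if __name__ == "__main__":
    for index, message in lint_ingress(SAMPLE_RULES):
        print(f"rule {index}: {message}")
```
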

6. Bind the domains to the Tunnel (critical)

cloudflared tunnel route dns myTunnel www.example.com
cloudflared tunnel route dns myTunnel 更多域名.example.com

This step automatically creates a DNS record in the Cloudflare dashboard:

www.example.com  →  Tunnel

✔ Does not expose your IP ✔ Automatically goes through the CDN + WAF


7. Start the Tunnel

cloudflared tunnel run myTunnel

Log output like the following means it worked:

cloudflared tunnel run
2026-02-01T16:09:27Z INF Starting tunnel tunnelID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2026-02-01T16:09:27Z INF Version 2025.11.1 (Checksum xxxxxxxxxxxxxxxxxxxxxxx)
2026-02-01T16:09:27Z INF GOOS: windows, GOVersion: go1.24.9, GoArch: amd64
2026-02-01T16:09:27Z INF Settings: map[cred-file:C:\Users\Administrator\.cloudflared\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json credentials-file:C:\Users\Administrator\.cloudflared\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json]
2026-02-01T16:09:27Z INF cloudflared will not automatically update on Windows systems.
2026-02-01T16:09:27Z INF Generated Connector ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2026-02-01T16:09:27Z INF Initial protocol quic
2026-02-01T16:09:27Z INF ICMP proxy will use x.x.x.x as source for IPv4
2026-02-01T16:09:27Z INF ICMP proxy will use xxxx::xxxx:xxxx:xxxx:xxxx in zone 以太网 as source for IPv6
2026-02-01T16:09:27Z INF cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool <PATH> to specify the path to the certificate pool
2026-02-01T16:09:27Z INF cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool <PATH> to specify the path to the certificate pool
2026-02-01T16:09:27Z INF cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool <PATH> to specify the path to the certificate pool
2026-02-01T16:09:27Z INF cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool <PATH> to specify the path to the certificate pool
2026-02-01T16:09:27Z INF cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool <PATH> to specify the path to the certificate pool
2026-02-01T16:09:27Z INF cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool <PATH> to specify the path to the certificate pool
2026-02-01T16:09:27Z INF cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool <PATH> to specify the path to the certificate pool
2026-02-01T16:09:27Z INF ICMP proxy will use x.x.x.x as source for IPv4
2026-02-01T16:09:27Z INF Tunnel connection curve preferences: [XXXXXXX] connIndex=0 event=0 ip=xxx.xxx.xxx.xxx
2026-02-01T16:09:27Z INF ICMP proxy will use xxxx::xxxx:xxxx:xxxx:xxxx in zone 以太网 as source for IPv6
2026-02-01T16:09:27Z INF Starting metrics server on 127.0.0.1:xxxx/metrics
2026-02-01T16:09:28Z INF Registered tunnel connection connIndex=0 connection=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx event=0 ip=xxx.xxx.xxx.xxx location=sjc06 protocol=quic
2026-02-01T16:09:28Z INF Tunnel connection curve preferences: [XXXXXXX] connIndex=1 event=0 ip=xxx.xxx.xxx.xxx
2026-02-01T16:09:28Z INF Registered tunnel connection connIndex=1 connection=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx event=0 ip=xxx.xxx.xxx.xxx location=sjc08 protocol=quic
2026-02-01T16:09:29Z INF Tunnel connection curve preferences: [XXXXXXX] connIndex=2 event=0 ip=xxx.xxx.xxx.xxx
2026-02-01T16:09:29Z INF Registered tunnel connection connIndex=2 connection=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx event=0 ip=xxx.xxx.xxx.xxx location=sjc06 protocol=quic

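8. You can now access the site like this 🎉

http://www.example.com

http://更多域名.example.com

Which is equivalent to, on the local machine:

http://localhost:7777

http://localhost:7778

✔ Supports WebSocket ✔ Supports HTTP/HTTPS ✔ Supports heavy traffic ✔ Automatic DDoS protection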


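9. What does your service need to watch out for?

1️⃣ Listen address

http://localhost:7777

Or:

http://127.0.0.1:8088

❌ Do not use 0.0.0.0 ❌ No public-facing bind is needed


2️⃣ Getting the real client IP

CF-Connecting-IP

Cloudflare Tunnel preserves this header as well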
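
Both points in this section fit in one small origin service, shown here as an added example that is not code from the original post: it binds to 127.0.0.1 only and reads CF-Connecting-IP only when the TCP peer is loopback, since a header arriving from any other peer could have been set by the sender. The names `real_client_ip`, `Handler` and `make_server` are hypothetical, and port 7777 is taken from the config above.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer


def real_client_ip(peer_ip, headers):
    """Return the visitor IP for a request that reached the origin.

    CF-Connecting-IP is honoured only when the TCP peer is loopback, i.e. the
    request was handed over by the local cloudflared process. For any other
    peer the socket address is used, because the header is sender-controlled.
    """
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return peer_ip
    claimed = (headers.get("CF-Connecting-IP") or "").strip()
    try:
        # Normalise and validate before the value reaches logs or ACLs.
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return peer_ip  # header missing or malformed: fall back to the peer


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ip = real_client_ip(self.client_address[0], self.headers)
        body = f"client ip: {ip}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_server(port=7777):
    # Loopback bind: reachable by cloudflared on this machine, not by the LAN.
    return HTTPServer(("127.0.0.1", port), Handler)


if __name__ == "__main__":
    make_server().serve_forever()
```

Other processes on the same machine can also connect over loopback and supply the header, so the value is only as trustworthy as the host itself.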


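10. Common pitfalls (which you can avoid outright)

Pitfall | Correct answer
Wanting to enter an IP in Cloudflare DNS | ❌ A Tunnel needs no IP
Opening 7777 in the local firewall | ❌ Not needed
Adding another layer of Nginx in front | ❌ Redundant
Using frp | ❌ Cloudflare Tunnel is more stable
Port 7777 unreachable | ✔ Because you have not started the Tunnel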