Skip to main content
A Cloudflare Tunnel creates an outbound-only connection from your server to Cloudflare’s network. Traffic reaches your app through Cloudflare without requiring you to open any inbound firewall ports or expose your server’s IP address. When CLOUDFLARE_TOKEN is set, the egg downloads the cloudflared binary at startup, then runs the tunnel in the background alongside your Next.js app.
The cloudflared binary is downloaded at startup if not already present. Your server must have outbound internet access for this to succeed.

Prerequisites

  • A Cloudflare account with Zero Trust enabled
  • A tunnel created and configured in the Cloudflare dashboard

Steps

1

Open the Zero Trust dashboard

Go to the Cloudflare Zero Trust dashboard and navigate to Networks → Tunnels.
2

Create or select a tunnel

Click Create a tunnel (or open an existing one). Choose Cloudflared as the connector type and follow the prompts to name your tunnel.
3

Copy the run token

After creating the tunnel, Cloudflare displays a Run token in the tunnel’s configuration page. Copy this value.
4

Set the token in the panel

In your server’s startup variables, set CLOUDFLARE_TOKEN to the token you copied.
5

Configure the public hostname

In the tunnel configuration, add a Public Hostname that points to localhost on your server’s SERVER_PORT. For example:
FieldValue
Hostnameapp.yourdomain.com
Servicehttp://localhost:25565
Replace 25565 with the port assigned to your server.
6

Start the server

Start (or restart) your server. The egg installs cloudflared automatically if needed, then starts the tunnel in the background before launching Next.js.
The tunnel runs in the background as a separate process. Your Next.js app still binds to SERVER_PORT internally — the tunnel forwards external traffic to that port.
Leave CLOUDFLARE_TOKEN empty to disable the tunnel entirely. The egg skips the cloudflared install and startup steps when no token is set.