- Hostinger N8N plan
- Cloudflare free account
- OS: Ubuntu 24.04 LTS
- Reverse proxy: Traefik (running in Docker)
- App (e.g. n8n) is running behind Traefik
- You want to protect `https://<subdomain>.<domain>` with Cloudflare Zero Trust via a Cloudflare Tunnel
- Your DNS for `<domain>` is managed by Cloudflare

In your Traefik service (Docker Compose or similar), the command block should look like:
```yaml
command:
  - --api=true
  - --api.insecure=true
  - --providers.docker=true
  - --providers.docker.exposedbydefault=false
  - --entrypoints.web.address=:80
  - --entrypoints.web.http.redirections.entryPoint.to=websecure
  - --entrypoints.web.http.redirections.entryPoint.scheme=https
  - --entrypoints.websecure.address=:443
```

Important:
- Do not configure ACME / Let’s Encrypt inside Traefik (no `--certificatesresolvers.*.acme.*` flags)
- Traefik terminates HTTPS internally on port `443`
- HTTP on `80` just redirects to `websecure` (HTTPS)

Note that `--api.insecure=true` serves the Traefik dashboard and API without authentication on port 8080, so do not publish that port to the internet.

Restart Traefik so this config is live.
Log into Hostinger. Click the terminal button in the top right corner.
Run these commands on the server:
```bash
# Add Cloudflare GPG key
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null

# Add Cloudflare repos (stable + next)
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
# tee -a appends; a plain tee here would overwrite the stable entry written above
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared noble main' | sudo tee -a /etc/apt/sources.list.d/cloudflared.list

# Install cloudflared
sudo apt-get update && sudo apt-get install cloudflared
```

Verify:

```bash
cloudflared --version
```

```bash
cloudflared tunnel login
```

A browser window opens → choose your Cloudflare account and a domain → authorize.

Pick a tunnel name, e.g. `my-tunnel`:

```bash
cloudflared tunnel create my-tunnel
```

This prints:
- Tunnel ID (UUID), e.g. `11111111-2222-3333-4444-555555555555`
- Path to the credentials JSON file (under `~/.cloudflared/`)

Create or edit the config:
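```bash
sudo nano /etc/cloudflared/config.yml
```

Put this inside (replace with your actual Tunnel ID and JSON filename):

```yaml
tunnel: 11111111-2222-3333-4444-555555555555
credentials-file: /root/.cloudflared/11111111-2222-3333-4444-555555555555.json
ingress:
  - hostname: <subdomain>.<domain>
    service: https://localhost:443
    originRequest:
      noTLSVerify: true
  - service: http_status:404
```

Key points:
- `service: https://localhost:443` → the tunnel talks directly to Traefik’s HTTPS entrypoint (`websecure`)
- `noTLSVerify: true` → cloudflared skips certificate verification for the origin, which allows Traefik to use self-signed or internal certificates

Because the tunnel reaches Traefik over `localhost`, ports 80 and 443 do not need to be open to the internet. If they are, requests sent straight to the server bypass the Cloudflare Access login.
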
Save, then restart the tunnel:
```bash
sudo systemctl restart cloudflared
sudo systemctl status cloudflared
```

You should see `active (running)`.

Let cloudflared create/update the DNS record for you:
```bash
cloudflared tunnel route dns my-tunnel <subdomain>.<domain>
```

- `my-tunnel` = tunnel name (from step 4)
- `<subdomain>.<domain>` = the hostname you want to protect

This command:
- Creates/updates a CNAME in Cloudflare DNS for `<subdomain>.<domain>`
- Associates that hostname with the `my-tunnel` Cloudflare Tunnel

No manual DNS edits are required.
In the Cloudflare dashboard:
- Go to Zero Trust → Access → Applications
- Click Add an application → Self-hosted
- Configure:
  - Application name: (e.g. `n8n`)
  - Domain: `<subdomain>.<domain>`
- Under Policies, create an access rule, for example:
  - Action: Allow
  - Include: Emails → [email protected] (or your org domain)

Save the application.
Confirm Traefik is answering on HTTPS:
```bash
curl -I -k https://localhost:443
```

You should see HTTP headers (even a 302 or 404 is fine) — that means Traefik is reachable on 443.

Open an incognito/private browser window and go to:
https://<subdomain>.<domain>
Expected flow:
- Cloudflare Zero Trust / Access login prompt
- After successful login, traffic is sent over the Cloudflare Tunnel
- The tunnel forwards HTTPS to `https://localhost:443` (Traefik)
- Traefik routes the request to your app (e.g. n8n)
- Your app UI loads, protected by Cloudflare Zero Trust.
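
The first step of the expected flow can also be checked from a terminal. The script below is an added example, not part of the original guide: it classifies the response headers of an unauthenticated request, treating a redirect to a `<team>.cloudflareaccess.com` login URL as proof that Access is enforcing. The function names, the `example-team` team name and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# Read raw HTTP response headers on stdin (e.g. from `curl -sI`) and print:
#   protected   - redirect to a <team>.cloudflareaccess.com login URL
#   unprotected - 2xx served with no Access challenge
#   unknown     - anything else (404 catch-all, 5xx, tunnel down, ...)
access_verdict() {
  awk '
    { sub(/\r$/, "") }                          # curl -I output ends lines with CRLF
    $0 == "" { exit }                           # end of the first response header block
    /^HTTP\// && status == "" { status = $2 }   # e.g. "HTTP/2 302" -> 302
    tolower($1) == "location:" { location = tolower($2) }
    END {
      if (status ~ /^30[0-9]$/ &&
          location ~ /^https:\/\/[a-z0-9-]+\.cloudflareaccess\.com\//)
        print "protected"
      else if (status ~ /^2[0-9][0-9]$/)
        print "unprotected"
      else
        print "unknown"
    }'
}

# Live check for one hostname: no cookies, no redirect following.
check_host() {
  curl -sS -I --max-time 10 "https://$1/" | access_verdict
}

# Constructed sample responses so the classifier can be tried offline.
sample_protected() {
  printf 'HTTP/2 302\r\nlocation: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/n8n.example.com\r\n\r\n'
}
sample_unprotected() {
  printf 'HTTP/2 200\r\ncontent-type: text/html\r\n\r\n'
}

echo "behind Access:  $(sample_protected | access_verdict)"
echo "no Access:      $(sample_unprotected | access_verdict)"
```

Run `check_host <subdomain>.<domain>` after saving the Access application; anything other than `protected` means the login prompt is not being enforced for that hostname.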