Cloudflare Setup
Secure remote access to reattachd using Cloudflare Tunnel and Access.
Prerequisites: A Cloudflare account and a domain managed by Cloudflare.
Overview
This guide covers two components:
- Cloudflare Tunnel - Securely expose reattachd to the internet without opening ports
- Cloudflare Access - Add authentication to protect your tunnel with Service Tokens
Install cloudflared
macOS
brew install cloudflared
Linux
# Debian/Ubuntu
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb
# Other distributions
# See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
Quick Start (for testing)
If you just want to quickly test remote access without setting up a domain, you can use Quick Tunnel:
cloudflared tunnel --url http://localhost:8787
This will generate a temporary URL like https://xxxx-xxxx-xxxx.trycloudflare.com.
Note: Quick Tunnel is for testing only. The URL changes every time you restart the command, so you'll need to re-scan the QR code each time. For permanent setup with your own domain, continue below.
Permanent Setup with Custom Domain
cloudflared tunnel login
This opens a browser to authenticate and authorize cloudflared for your Cloudflare account.
cloudflared tunnel create reattach
This creates a tunnel and generates a credentials file at ~/.cloudflared/<TUNNEL_ID>.json.
Create or edit ~/.cloudflared/config.yml:
tunnel: reattach
credentials-file: /Users/YOUR_USERNAME/.cloudflared/TUNNEL_ID.json
ingress:
  - hostname: reattach.your-domain.com
    service: http://localhost:8787
  - service: http_status:404
Replace YOUR_USERNAME, TUNNEL_ID, and your-domain.com with your values.
cloudflared tunnel route dns reattach reattach.your-domain.com
This creates a CNAME record pointing to your tunnel.
Test the tunnel:
cloudflared tunnel run reattach
Run as a service (macOS)
sudo cloudflared service install
sudo launchctl start com.cloudflare.cloudflared
Run as a service (Linux)
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
Part 2: Cloudflare Access with Service Token
Cloudflare Access adds authentication to your tunnel. Service Tokens allow the Reattach iOS app to authenticate without interactive login.
- Go to Cloudflare Zero Trust Dashboard
- Navigate to Access → Applications
- Click Add an application
- Select Self-hosted
- Configure the application:
  - Application name: Reattach
  - Session duration: 24 hours (or your preference)
  - Application domain: reattach.your-domain.com
- In the Zero Trust Dashboard, go to Access → Service Auth
- Click Create Service Token
- Enter a name (e.g., "Reattach iOS")
- Set token duration (e.g., 1 year)
- Click Generate token
Important: Copy both CF-Access-Client-Id and CF-Access-Client-Secret immediately. The secret is only shown once!
You will get two values:
CF-Access-Client-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.access
CF-Access-Client-Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- Go back to your Reattach application in Access → Applications
- Click on the application to edit it
- Go to the Policies tab
- Add a policy:
  - Policy name: Service Token Access
  - Action: Service Auth
  - Include: Service Token → Select your token
- Save the policy
In the Reattach iOS app:
- Go to server settings
- Enter your Service Token credentials:
  - Client ID: Your CF-Access-Client-Id
  - Client Secret: Your CF-Access-Client-Secret
- Save the settings
The app will automatically include these headers in all API requests.
Verification
Test that everything is working:
# Test without authentication (should fail with 403)
curl https://reattach.your-domain.com/sessions
# Test with Service Token (should return session list)
curl -H "CF-Access-Client-Id: YOUR_CLIENT_ID" \
-H "CF-Access-Client-Secret: YOUR_CLIENT_SECRET" \
https://reattach.your-domain.com/sessions
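The same two checks as a reusable script. This is an added example, not code from the reattachd project. It passes the Service Token through a header file readable only by your user (curl's `-H @file` form, curl 7.55.0 or later), so the secret does not land in shell history or the process list. The environment variable names `CF_ACCESS_CLIENT_ID` and `CF_ACCESS_CLIENT_SECRET` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not reattachd project code. Assumed names: the env vars
# CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET and all function names.

# Write both Access headers to file $1, readable by the current user only.
write_access_headers() (
    : "${CF_ACCESS_CLIENT_ID:?set CF_ACCESS_CLIENT_ID}"
    : "${CF_ACCESS_CLIENT_SECRET:?set CF_ACCESS_CLIENT_SECRET}"
    umask 077
    rm -f -- "$1"          # a pre-existing file would keep its old mode
    printf 'CF-Access-Client-Id: %s\nCF-Access-Client-Secret: %s\n' \
        "$CF_ACCESS_CLIENT_ID" "$CF_ACCESS_CLIENT_SECRET" > "$1"
)

# Print the HTTP status code for a GET of $1; remaining args go to curl.
http_status() (
    url=$1; shift
    curl -s -o /dev/null -w '%{http_code}' "$@" "$url"
)

# Exit 0 only if the anonymous request is rejected with 403 AND the
# request carrying the Service Token headers returns 200.
verify_access() (
    url=$1; hdrs=$2
    anon=$(http_status "$url")
    auth=$(http_status "$url" -H "@$hdrs")
    echo "anonymous=$anon token=$auth"
    [ "$anon" = 403 ] || { echo "FAIL: anonymous request was not blocked" >&2; exit 1; }
    [ "$auth" = 200 ] || { echo "FAIL: service token request did not succeed" >&2; exit 2; }
)

# Usage (values come from the environment, never the command line):
#   write_access_headers "$HOME/.reattach-access-headers"
#   verify_access https://reattach.your-domain.com/sessions "$HOME/.reattach-access-headers"
```

An exit status of 1 means the endpoint answered an unauthenticated request with something other than 403, which is the case to investigate first.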
Need help? Check out the GitHub repository for more details and troubleshooting.