Cloudflare Development Services · 2026

Production sites behind Cloudflare Tunnel. Cloud-bill complexity not required.

We run production sites behind Cloudflare Tunnel — including this one. Zero exposed origin, edge-cached responses, $0 infra on the cloud side.

NerdHeadz runs Cloudflare Tunnel as the front door to every production site we ship — including this one. The pattern is simple: an outbound tunnel from origin to Cloudflare's edge means there's no public IP, no firewall holes, and no exposed origin to attack. Combined with edge caching, Transform Rules for header injection, and Bulk Redirects for canonicalization, a small box on a residential network can serve a real-world site with the same hardening as a Fortune 500 deployment. We pick Cloudflare for production work when the application doesn't need persistent WebSocket connections at million-concurrent scale and when the team wants global edge caching without the operational overhead of a CDN+VPS pairing.

Production sites behind a single Cloudflare Tunnel. Zero exposed origin, edge-cached responses, $0 cloud bill — and the runbook to keep it that way.

01 / 05

Cloudflare Tunnel Setup

Outbound origin protection from a single config file. Routes any number of subdomains from one local box. No firewall ports opened, no static cloud IP needed.

02 / 05

Edge Caching Strategy

Per-route s-maxage tuning, manual purge on deploy via the API, cache hit rate above 90% on most workloads. Cache misses become observability events, not surprises.

03 / 05

Transform Rules

Header injection at the edge — HSTS, CSP, X-Robots-Tag — without origin code changes. One Transform Rule replaces what would otherwise be middleware logic.

04 / 05

Bulk Redirects & Workers

Apex-to-www, legacy URL canonicalization, lightweight edge logic. Workers reserved for responses fully derivable from request — origin compute stays the default.

05 / 05

R2 Storage & Backups

S3-compatible object storage with zero egress fees inside the Cloudflare network. Used here for nightly MongoDB backups and media offload.

Definition · in plain English

How We Run Production Sites Behind Cloudflare

/01

Why we run production behind Cloudflare Tunnel

This site — www.nerdheadz.com — runs on a single box at 192.168.1.210. There is no public IP exposed. There is no firewall port open to inbound traffic. The origin is unreachable from the public internet by design. What you reach through your browser is Cloudflare's edge, which forwards requests to a tunnel daemon on that local box. The tunnel routes six services from one machine:

- www.nerdheadz.com → port 3000 (this Next.js app)
- estimate.nerdheadz.com → port 5175 (the AI estimator)
- estimation-api.nerdheadz.com → port 8000 (estimator backend)
- upwork.nerdheadz.com → port 5176
- upwork-api.nerdheadz.com → port 8001
- content-api.nerdheadz.com → port 8002

Catch-all unknown subdomains return 404. Total infra cost on the cloud side: $0. The pattern works for any team that wants origin protection without managing a separate firewall layer or pinning a static cloud IP — see how this slots into our web development engagement shape.
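The route table above maps directly onto a cloudflared ingress list, which the daemon evaluates top to bottom and which must end in a catch-all rule with no hostname. The script below is an added example, not NerdHeadz's actual /etc/cloudflared/config.yml: it renders that file from the six routes on the page and checks the two invariants that make a config load and behave safely (exactly one catch-all, in last position; no duplicate or out-of-zone hostnames, which would silently shadow a rule or create a DNS route you did not intend). The tunnel UUID and credentials path are placeholders.

```python
"""Render and sanity-check a cloudflared ingress config (added example)."""

ZONE = "nerdheadz.com"

# (hostname, local port) pairs taken from the page's route table.
ROUTES = [
    ("www.nerdheadz.com", 3000),
    ("estimate.nerdheadz.com", 5175),
    ("estimation-api.nerdheadz.com", 8000),
    ("upwork.nerdheadz.com", 5176),
    ("upwork-api.nerdheadz.com", 8001),
    ("content-api.nerdheadz.com", 8002),
]


def validate_routes(routes, zone=ZONE):
    """Return a list of problems; an empty list means the route table is sane."""
    problems = []
    seen = set()
    for host, port in routes:
        if not host.endswith("." + zone):
            problems.append(f"{host}: not under {zone}, no DNS route would be created")
        if host in seen:
            problems.append(f"{host}: duplicate hostname, the second rule is unreachable")
        seen.add(host)
        if not 1 <= port <= 65535:
            problems.append(f"{host}: port {port} out of range")
    return problems


def render_config(tunnel_id, routes, credentials_file=None):
    """Build config.yml text with an explicit http_status:404 catch-all as the last rule."""
    problems = validate_routes(routes)
    if problems:
        raise ValueError("; ".join(problems))
    cred = credentials_file or f"/etc/cloudflared/{tunnel_id}.json"  # placeholder path
    lines = [f"tunnel: {tunnel_id}", f"credentials-file: {cred}", "ingress:"]
    for host, port in routes:
        lines.append(f"  - hostname: {host}")
        # Services listen on loopback only: the tunnel daemon is their sole consumer.
        lines.append(f"    service: http://127.0.0.1:{port}")
    # Unknown subdomains get a 404 from cloudflared itself, never from a local service.
    lines.append("  - service: http_status:404")
    return "\n".join(lines) + "\n"


def check_ingress(config_text):
    """Line-based check of an existing config.yml (no YAML library needed):
    the catch-all (a rule with a service but no hostname) must exist and be last."""
    rules, in_ingress = [], False
    for line in config_text.splitlines():
        if line.strip() == "ingress:":
            in_ingress = True
            continue
        if not in_ingress:
            continue
        if line.startswith("  - "):          # start of a new rule
            rules.append({})
            line = "    " + line[4:]
        if line.startswith("    ") and ":" in line and rules:
            key, _, value = line.strip().partition(":")
            rules[-1][key.strip()] = value.strip()
    problems = []
    if not rules or "hostname" in rules[-1]:
        problems.append("no catch-all rule at the end of ingress")
    for i, rule in enumerate(rules[:-1]):
        if "hostname" not in rule:
            problems.append(f"rule {i + 1} has no hostname: every rule after it is unreachable")
    return problems


if __name__ == "__main__":
    text = render_config("TUNNEL-UUID-PLACEHOLDER", ROUTES)
    print(text)
    print(check_ingress(text) or "ingress OK")
```

After writing the file, `cloudflared tunnel ingress validate` performs the daemon's own check of the same rules, and `cloudflared tunnel ingress rule https://content-api.nerdheadz.com` shows which rule a given URL would hit; the script is useful because it runs in CI before the config ever reaches the box.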

/02

When Cloudflare Tunnel is the wrong call

Tunnel is the right pattern for most production work, but not all of it. Real cases where we choose differently:

- High-throughput APIs that bill on bandwidth. Cloudflare's pricing curve makes egregious egress expensive. A 50TB/mo media API is cheaper to front through a CDN with origin pull and dedicated bandwidth quotas.
- Compliance regimes that require origin IP whitelisting. Some financial integrations enumerate allowed source IPs. Edge-fronted traffic looks like Cloudflare to the upstream, so the whitelist breaks. Dedicated origin IP wins.
- Long-running WebSockets at scale. Tunnel handles WebSocket fine technically, but config drift between Free tier and Workers Unlimited gets fiddly past ten thousand concurrent connections.
- Sub-100ms request paths where every hop matters. Edge-to-origin adds a hop. For most sites this is invisible; for HFT-adjacent work, it is a deal-breaker.

This is the section competitors will not write — it sounds like negative selling. It is actually credibility. If your build looks like one of these, we will say so on the call instead of selling you Cloudflare Tunnel anyway.

/03

What we use Cloudflare for in practice

A working pattern, not a feature catalog. Concrete usage on production sites we run:

- Tunnel — primary pattern for origin protection. Single config file at /etc/cloudflared/config.yml routes subdomains to local ports.
- Cache — s-maxage=3600 for hub pages, s-maxage=14400 for detail pages, with manual purge on deploy via the API. Cache hit rate runs 90%+ on this site.
- Transform Rules — header injection without origin code change. Live example on this zone: X-Robots-Tag: noindex, nofollow set on *-api.nerdheadz.com subdomains, so Search Console does not pollute on internal API endpoints.
- Bulk Redirects — apex nerdheadz.com → www.nerdheadz.com. Browser-cached, edge-resolved, zero origin hop.
- R2 — used for nightly MongoDB backups and media offload. S3-compatible API plus zero egress fees inside Cloudflare's network.
- Workers — sparingly. Origin compute as default; Workers only when a response is fully derivable from the request and global latency matters.

Pair this with maintenance and support to keep the operational layer alive after launch — origin observability, runbooks for tunnel outages, and the boring on-call rotation.
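The cache pattern above has two halves: the origin sets a per-route s-maxage, and the deploy step purges the URLs that changed so the edge does not keep serving stale pages for up to four hours. The script below is an added example, not NerdHeadz's deploy tooling. It assumes hub pages are single-segment paths such as /services and detail pages sit below them, uses the page's 3600 and 14400 second TTLs, reads the zone id and an API token from the environment variables CF_ZONE_ID and CF_API_TOKEN (names chosen here), and posts to Cloudflare's documented purge_cache endpoint. The request sender is injectable so the purge logic can be exercised without network access.

```python
"""Per-route edge TTLs plus purge-on-deploy for a Cloudflare zone (added example)."""
import json
import os
import urllib.request

HUB_TTL = 3600        # seconds, from the page
DETAIL_TTL = 14400    # seconds, from the page
PURGE_BATCH = 30      # URLs per purge_cache call; check your plan's limit
API = "https://api.cloudflare.com/client/v4"


def cache_control_for(path):
    """Choose the Cache-Control header the origin should send for a path.
    max-age=0 keeps browsers revalidating, so an edge purge alone is enough to
    make a deploy visible; browser caches cannot be purged from the API."""
    if path.startswith("/api/"):
        return "private, no-store"          # API responses never sit in the edge cache
    depth = len([s for s in path.split("/") if s])
    ttl = HUB_TTL if depth <= 1 else DETAIL_TTL
    return f"public, max-age=0, s-maxage={ttl}"


def purge_requests(zone_id, urls):
    """Split the changed URLs into API-sized batches of (endpoint, json_body)."""
    endpoint = f"{API}/zones/{zone_id}/purge_cache"
    urls = sorted(set(urls))                 # de-duplicate so no batch is wasted
    return [(endpoint, {"files": urls[i:i + PURGE_BATCH]})
            for i in range(0, len(urls), PURGE_BATCH)]


def _http_send(endpoint, body, token):
    """Real sender: one authenticated POST to the Cloudflare API."""
    req = urllib.request.Request(
        endpoint, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def purge_on_deploy(zone_id, token, changed_paths,
                    site="https://www.nerdheadz.com", send=_http_send):
    """Purge every changed path through the edge; fail loudly if any batch is rejected."""
    urls = [site.rstrip("/") + p for p in changed_paths]
    results = []
    for endpoint, body in purge_requests(zone_id, urls):
        result = send(endpoint, body, token)
        if not result.get("success"):
            raise RuntimeError(f"purge failed: {result.get('errors')}")
        results.append(result)
    return results


if __name__ == "__main__":
    # Usage: CF_ZONE_ID=... CF_API_TOKEN=... python purge.py /services /services/cloudflare
    import sys
    purge_on_deploy(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"], sys.argv[1:])
```

Scope the API token to the single permission this needs (cache purge on one zone) rather than reusing an account-wide token in CI; a leaked purge-only token can at worst cost you cache hit rate for an afternoon.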

/04

Three ways to deploy a production Next.js site

| Pattern | Public IP exposed | DDoS surface | Setup time | Monthly cost (small site) |
| --- | --- | --- | --- | --- |
| Classic VPS + Cloudflare proxy | Yes — DNS history reveals origin | Origin reachable directly | ~30 min | $5–20 VPS + $0 CF Free |
| CF Tunnel + cloud VM | No — outbound only | Tunnel-only attack surface | ~45 min | $5–20 VM + $0 CF Free |
| CF Tunnel + own hardware (this site's pattern) | No | Tunnel-only | ~1 hr first time | $0 cloud, hardware amortized |

The third row is what www.nerdheadz.com runs on. The trade-off is operational: hardware on your premises means power redundancy is on you, not on the cloud provider. For a development agency that is a feature, not a bug — outage drills happen on real hardware in real conditions. Deployment topology questions belong early in scoping; bring them to our custom software development entry point, or look at how the pattern slots in with our Next.js work.

Fit · honest take

When this actually delivers value

It works well for a specific set of problem shapes — and fails predictably on others.

§ fit
Production sites behind Tunnel

Origin protection without managing a separate firewall layer or pinning a static cloud IP. 90%+ cache hit rate. Zero exposed ports by design.

Sustained 50TB/month outbound

Zero egress fees, but check the per-zone bandwidth quotas — they exist, and burst-heavy workloads can hit them. Worth a sizing call before committing.

IP-whitelist compliance regimes

Edge-fronted traffic looks like Cloudflare to the upstream, so financial-integration whitelists break. Dedicated origin IP wins.

Craft · 05 disciplines

We're Dedicated to Every Element of Cloudflare Infrastructure

§ capabilities

Cloudflare Tunnel Setup

Outbound origin protection from a single config file. Routes any number of subdomains from one box to one tunnel — no public IP, no inbound firewall holes, no exposed origin.


Edge Caching Strategy

Per-route s-maxage tuning, manual purge on deploy via the API, and cache hit rate targeting 90%+ on hub pages. We tune the cache, we do not just turn it on.


Transform Rules & Header Injection

X-Robots-Tag, HSTS, CSP, and other response headers injected at the edge — without origin code changes. Useful for noindex on internal API subdomains and security headers across a zone.
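A rule that injects headers at the edge is only as good as its match expression, and a typo there fails silently: the header is simply absent, or lands on the wrong subdomain. The checker below is an added example, not NerdHeadz's tooling. The one expectation taken from the page is X-Robots-Tag: noindex, nofollow on the *-api.nerdheadz.com subdomains (and its absence on www, where a stray noindex would de-index the site); the HSTS and CSP expectations are illustrative of the "security headers across a zone" use and their values are chosen here. The checks run on constructed header sets offline; the live HEAD request is only issued from the main block.

```python
"""Verify the response headers a zone's Transform Rules should inject (added example)."""
import urllib.request

ZONE = "nerdheadz.com"


def _max_age(value):
    """Extract max-age from an HSTS value such as 'max-age=31536000; includeSubDomains'."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def expected_headers(host):
    """Return (must: name -> validator, forbidden: set of names) for a hostname."""
    must = {
        # Illustrative zone-wide policy: one year of HSTS and a CSP with a default-src.
        "strict-transport-security": lambda v: _max_age(v) >= 31536000,
        "content-security-policy": lambda v: "default-src" in v,
    }
    forbidden = set()
    if host.endswith("-api." + ZONE):
        # Same match the edge rule would express as ends_with(http.host, "-api.nerdheadz.com").
        must["x-robots-tag"] = lambda v: {"noindex", "nofollow"} <= {t.strip() for t in v.split(",")}
    else:
        forbidden.add("x-robots-tag")   # must never leak onto the public site
    return must, forbidden


def check_headers(host, headers):
    """Compare observed response headers (any case) with the policy; return findings."""
    observed = {k.lower(): v for k, v in headers.items()}
    must, forbidden = expected_headers(host)
    findings = []
    for name, ok in must.items():
        if name not in observed:
            findings.append(f"{host}: missing {name}")
        elif not ok(observed[name]):
            findings.append(f"{host}: {name} has unexpected value {observed[name]!r}")
    for name in forbidden:
        if name in observed:
            findings.append(f"{host}: {name} must not be set ({observed[name]!r})")
    return findings


def fetch_headers(host):
    """Live check through the edge: a single HEAD request (network; not used by the checks)."""
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers)


if __name__ == "__main__":
    for host in ("www.nerdheadz.com", "content-api.nerdheadz.com"):
        print("\n".join(check_headers(host, fetch_headers(host))) or f"{host}: ok")
```

Run it from the tunnel runbook after every rule change; because it goes through the edge it also confirms the rule is applied on the path real clients take, not just on a request you made against the origin.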


Bulk Redirects & Workers

Apex-to-www redirects, legacy-URL canonicalization, and lightweight edge logic via Workers when origin compute would be wasteful. Origin remains the default; Workers only earn their place when latency or scale demands them.


R2 Storage & Backups

S3-compatible object storage with zero egress fees inside the Cloudflare network. We use R2 for nightly MongoDB backups, media offload, and any asset pipeline where bandwidth math beats CDN-fronting an origin.

Stack · the most advanced tools

Built with, in production.

Cloudflare, Tunnel, Workers, R2, KV, D1, Durable Objects, Bulk Redirects, Transform Rules, Page Rules, DNS, Edge Cache, HSTS, Argo, Pages, Stream, Zero Trust, Access, Email Routing, Logpush

Orchestration

- Bulk Redirects: URL canonicalization
- Transform Rules: header injection
- Cache Rules: per-route TTL

Data & retrieval

- R2: object storage
- KV: edge key-value
- D1: edge SQL

Ship

- Cloudflare: edge platform
- Tunnel: outbound proxy
- Workers: edge compute

Total: 1–4 weeks, sketch → production
01

Discovery

1 week

Audit current origin exposure, traffic shapes, and compliance constraints. Identify which workloads benefit from edge caching versus which need bypass.

02

Tunnel Setup

1 week

Configure cloudflared on the origin box. Wire DNS records. Test failover. Document the runbook so on-call can read it at 3am.

03

Cache & Rules

2–3 weeks

Per-route s-maxage tuning. Transform rules for header injection. Bulk redirects for legacy URLs. R2 wired for backups and media offload.

04

Handoff

1 week

Tunnel observability, runbook for outages, and a one-week support window while the team learns the edge layer.

Proof · client voices

And it works, every time.

Hear it straight from our customers.

They consistently surpassed any expectations I had, positioning them as one of, if not the best, in their field.

NerdHeadz delivered high-quality, cohesive content that aligned with the client's brand and goals, resulting in a steady flow of 4-10 leads per month. They met deadlines and fulfilled needs and requests promptly. Their eagerness to go above and beyond to ensure client satisfaction was commendable.

James Quirk
Director of Marketing, Lisap Milano USA
3+ years of industry leadership
30+ experts ready to build
35+ projects delivered on time
90% client retention
Why us · 04 reasons

Why NerdHeadz for Cloudflare?

01

Experts in Solving Complex Problems

We take on tough challenges and turn them into simple, effective solutions for you.

02

Specialized in High-Performance Apps

We build fast, reliable apps that perfectly fit your project requirements.

03

Custom Software That Grows With You

Our solutions grow and adapt alongside your business, helping you stay ahead.

04

Transparent, Client-Focused Development

We maintain open communication and work with you every step of the way.

Related · adjacent services

This is one specialization.

Depending on what you're actually building, one of these may fit better.

FAQ · 05 questions

Frequently asked questions.

Yes — www.nerdheadz.com does. The pattern works because Cloudflare Tunnel is an outbound connection from the box to Cloudflare's edge; the residential ISP's lack of stable inbound port forwarding is irrelevant. Dynamic IP changes do not matter either, since the tunnel re-establishes on the new IP automatically. What does fail: services that need direct SMTP delivery (residential IPs are blacklisted), or peer-to-peer protocols expecting the box to be addressable. For HTTP traffic, the residential constraint is invisible to end users.

Let's ship a real product — not a demo.

Talk to an AI.

Ask our demo agent about scope, cost, and timelines. Hands you off to a human if you want.

Open the agent

Book a call with a human.

30 minutes with one of our AI engineers. Scoped proposal back within 48 hours.

Pick a time