Cloudflare Tunnels Explained: Free SSL + Public URLs Without a VPS

// OCTOBER 14, 2025 · THE JARVIS CREATIONS PLAYBOOK · cloudflare · infra · self-hosting

Hosting a real website doesn't require AWS, Vercel, or any other cloud provider. Every site we run lives on a single Mac mini in our office, exposed to the internet via Cloudflare Tunnels. Free SSL. Public URLs. Zero VPS bills. Here's how it works.

The traditional hosting setup

The default story for "putting a site on the internet" goes like this: rent a VPS for $20/month, configure DNS, install a web server, configure SSL with Let's Encrypt, set up auto-renewals, monitor uptime, patch the server when CVEs drop, scale up when traffic spikes. By year three you're paying $50/month and spending a Saturday a quarter on infrastructure.

It's fine. It's also wildly more complex than necessary for most small business sites.

How Cloudflare Tunnels work

You install a small daemon called cloudflared on your local machine — your laptop, a Mac mini, a Raspberry Pi, anything that runs Linux or macOS. The daemon opens an outbound connection to Cloudflare's network. From that point on, Cloudflare can route traffic from a public domain to your local machine, through the daemon's connection, securely.

From the outside, it looks like a regular website hosted on Cloudflare. Visitors hit your domain, Cloudflare terminates SSL, and the request gets forwarded to your local machine. From your local machine's perspective, requests just appear on a localhost port.

What you get for free

SSL is automatic. Cloudflare provisions and renews the cert. You don't run Let's Encrypt. You don't think about it.

DDoS protection is automatic. Cloudflare's network absorbs attacks before they reach your local machine. A small Mac mini suddenly has the same defensive posture as a Fortune 500 company.

CDN is automatic. Static assets are cached at Cloudflare's edge globally. Your local machine only serves the dynamic requests, and the cached assets serve in 50ms or less worldwide.

Public IP exposure is zero. Your local machine never has an open inbound port. The connection is outbound-only. Your home or office network is untouched.

What it costs

Free for the most common configuration: one tunnel, one or many subdomains, basic traffic. Cloudflare's free tier covers most small business needs comfortably. The paid tiers exist for high-traffic SaaS and enterprise setups, but if you're a small business or a consultancy, you'll never hit the limits.

The actual setup, end-to-end

Install cloudflared on your machine. Authenticate it with your Cloudflare account. Create a tunnel (one CLI command). Add a DNS record pointing your domain at the tunnel. Write a small config file telling the tunnel which local port serves which hostname. Start the tunnel as a background service so it auto-restarts.

Total time, end to end: about 30 minutes the first time you do it. Five minutes once you know the pattern.

Why we use it for everything

Every site on jarviscreations.app, every client site we manage, every internal tool — they all run through Cloudflare tunnels on the same Mac mini. The infrastructure cost for nine production sites is approximately the monthly cost of the electricity to keep the Mac mini running. There is no cloud bill. There is no scaling worry.

If we ever outgrow the Mac mini, the migration to a real cloud host is a 30-minute job — same code, different machine, same tunnel architecture. Until then, why pay?

The catch

You need a machine that's always on. A Mac mini ($600 one-time) or a Raspberry Pi ($75) works. If your local internet drops, the tunnel reconnects automatically when service comes back, but the site is offline during the drop. For most small business uses this is fine — for a startup serving global SaaS traffic, you'd want true cloud hosting.

For everything else, Cloudflare Tunnels are an underrated piece of infrastructure that lets a small operator run software at agency scale, on a single machine, for free.