Managing an Unraid server with many Docker containers can be challenging when you want to share large files externally—especially if you don’t want to open any incoming ports or rely on public cloud storage. In this guide, we’ll walk through how to securely share files hosted on your Unraid server using Cloudflare Tunnel and a Cloudflare Worker. This solution lets you expose only the correctly formatted FileBrowser share links while rejecting any other requests.
Requirements
Although you’re more than welcome to just read this post for general knowledge, check out my recommendations for what you need to have, in order to be able to fully use the provided information.
What Is a Cloudflare Tunnel?
A Cloudflare Tunnel (formerly known as Argo Tunnel) creates a secure, outbound-only connection between your server and Cloudflare’s global network. Instead of opening inbound ports on your router (which could expose your server to unwanted traffic), your server initiates a connection to Cloudflare. This connection then securely exposes your local services (like FileBrowser) to the internet under a domain name you control (for example, https://files.example.com).
In simple terms, Cloudflare Tunnel lets you “tunnel” traffic from Cloudflare to your server without making your network vulnerable to direct attacks.
Step 1. Setting Up the Cloudflare Tunnel
Create a Tunnel in Cloudflare
1. Log in to Cloudflare Dashboard: Visit the Cloudflare Dashboard and sign in.
2. Navigate to the Zero Trust (or Access) Section: Find the section related to Zero Trust, which now handles tunnels and secure access.
3. Create a New Tunnel: Look for an option to create a new tunnel. During this process, Cloudflare will generate a token—a unique string that authorizes your server to connect securely to Cloudflare’s network.
4. Save the Token: Copy and store this token somewhere safe. You will need it when configuring the Unraid Cloudflared Tunnel app.
Configure the Unraid Cloudflared Tunnel App
1. Install the App: On your Unraid server, install the Unraid-Cloudflared-Tunnel Docker container. This container is specifically designed to run the Cloudflare Tunnel on Unraid.
2. Enter the Token: In the Docker container’s settings (accessible via the Unraid web interface), find the configuration field for the Cloudflare token and paste the token you received from Cloudflare.
3. Set the Service URL and Public Hostname: Enter your internal URL (e.g., http://192.168.1.69:9999) where FileBrowser is running, and specify the public hostname you want to use (e.g., files.example.com).
With these settings, the container establishes an outbound connection to Cloudflare. Cloudflare now safely exposes your internal FileBrowser service on the public domain without opening any inbound ports on your router.
Step 2. Understanding the FileBrowser URL Issue
When you access FileBrowser directly via the internal URL:
http://192.168.1.69:9999/share/2Qvw8cKF
FileBrowser serves its share page correctly, including all associated assets (CSS, JavaScript, etc.). However, when accessing:
https://files.example.com/share/2Qvw8cKF
via Cloudflare Tunnel, the page appears stuck. This happens because FileBrowser generates asset links and redirects based on the internal URL. When accessed externally through the tunnel, those references still point to 192.168.1.69:9999, which isn’t reachable outside your network.
A workaround is to use the full API download URL, such as:
https://files.example.com/api/public/dl/2Qvw8cKF/your_file_name.rar
This works because it directly calls the download endpoint that includes the full file name. Our goal is to have a simple URL like https://files.example.com/share/<UniqueID> work correctly by rewriting it automatically.
Step 3. Setting Up the Cloudflare Worker
A Cloudflare Worker is a small JavaScript function that runs on Cloudflare’s edge servers. It intercepts incoming HTTP requests, allowing you to modify or redirect them before they reach your origin server.
Why Use a Worker?
We want to ensure that only URLs matching the FileBrowser share format (i.e., /share/<UniqueID>) are allowed. The Worker will intercept requests to https://files.example.com, verify the URL pattern, and then internally rewrite the request to FileBrowser’s API endpoint (/api/public/dl/<UniqueID>). This way, FileBrowser sends back the correct redirect with the complete file name, and users are seamlessly directed to the correct download URL.
How to Set Up the Worker:
1. Access the Workers Section in Cloudflare: Log in to your Cloudflare Dashboard and navigate to the Workers section.
2. Create a New Worker: Click on “Create a Worker” to start a new script. Replace the default code with the following script:
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
const url = new URL(request.url)
// Bypass the Worker for internal fetch requests.
if (request.headers.get("X-Bypass-Worker") === "true") {
return fetch(request)
}
// Allow only URLs that match exactly "/share/<UniqueID>" (alphanumeric only).
const shareMatch = url.pathname.match(/^\/share\/([A-Za-z0-9]+)$/)
if (!shareMatch) {
return new Response("Not Found", { status: 404 })
}
const shareID = shareMatch[1]
// Construct the API URL by replacing the path.
const apiUrl = new URL(request.url)
apiUrl.pathname = `/api/public/dl/${shareID}`
// Create a new request to the API URL, adding a header to bypass this Worker.
let newRequest = new Request(apiUrl.toString(), request)
newRequest.headers.set("X-Bypass-Worker", "true")
// Fetch the API endpoint without automatically following redirects.
const response = await fetch(newRequest, { redirect: 'manual' })
// If a redirect is returned, forward it to the client.
if (response.status >= 300 && response.status < 400) {
const location = response.headers.get("Location")
if (location) {
return Response.redirect(location, response.status)
}
}
// Return the original response if no redirect is present.
return response
}
3. Deploy the Worker and Set Its Route: Save and deploy the Worker. Then, set up a route for the Worker so that it runs on all requests to your public hostname. For example, use the route files.example.com/*. This ensures that every request to https://files.example.com is intercepted by the Worker.
After following these steps:
Valid Share Links: Visiting https://files.example.com/share/YourUniqueID will be intercepted by the Worker, rewritten to call the FileBrowser API, and then redirected to the correct download URL.
Invalid URLs: Any request not matching the /share/<UniqueID> pattern (such as accessing https://files.example.com/ directly) will receive a 404 response, preventing unauthorized access.
This solution allows you to securely share large files directly from your Unraid server without exposing internal IP addresses or installing additional software on your server. By leveraging Cloudflare Tunnel and Workers, you achieve a secure, flexible, and efficient file-sharing setup ideal for a modern smart home or tech-savvy environment.
Happy sharing!
