The Infrastructure Overview

Exposing home lab services to the internet can be both necessary and risky. Traditional methods — port forwarding, VPNs, reverse proxies with open inbound ports — come with their own set of challenges. This is where Cloudflare Tunnel (formerly Argo Tunnel) comes in as an elegant solution.

In this article, I’ll walk you through how I’ve implemented a secure infrastructure using Cloudflare Tunnel with WebSocket support, running on a Kubernetes cluster with Apache HTTPD as a reverse proxy. This setup allows me to securely expose internal services without opening ports on my residential firewall.

The Semi-Unuseful Apache Implementation in Kubernetes

When you have Ingress resources, Ambassador, Nginx, Traefik, and service meshes — why would you put Apache HTTPD in a Kubernetes pod?

Because sometimes the routing logic isn’t ops’ problem. It’s a product problem.

Digression

Complex e-commerce sites serve multiple microservices under one domain. www.example.com might route like this:

• /it/ and /it/offerte → CMS
• /uk/ and /uk/offers → CMS
• /it/clienti/ → customer-app
• /uk/customers/ → customers-app
• /secure/ → payment-app

And then there are third-party domain acquisitions that need redirects. And A/B test variants. And country-specific promotional paths that change weekly.