Background
Cloud servers hosted in mainland China (e.g., Tencent Cloud Light) do not allow domains without an ICP filing to serve HTTP publicly. However, we need to run Uptime Kuma on such a server for service monitoring. What should we do?
The answer is Cloudflare Tunnel. It establishes an encrypted tunnel between your server and Cloudflare, routing traffic without exposing any public ports on the server—thus bypassing the ICP filing requirement.
Architecture
User’s browser → Cloudflare CDN → Tunnel → Server’s localhost:3001 (Uptime Kuma)
The entire connection is encrypted, and no HTTP port needs to be exposed on the server.
Step 1: Deploy Uptime Kuma
Run Uptime Kuma using Podman (or Docker):
podman run -d --name uptime-kuma --network host \
-v /opt/uptime-kuma/data:/app/data:Z \
--memory 256m docker.io/louislam/uptime-kuma:1
We recommend using --network host mode so Uptime Kuma can directly access localhost services on the host machine (e.g., node-exporter).
Step 2: Install Cloudflare Tunnel
Install cloudflared on Debian/Ubuntu:
# Add Cloudflare’s APT repository
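# Save the signing key; discard tee's stdout so the binary key is not dumped to the terminal
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg \
| tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
# Register the cloudflared repository, pinned to that key via signed-by
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' \
| tee /etc/apt/sources.list.d/cloudflare.list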
apt update && apt install cloudflared
Note: Do not download cloudflared from GitHub—it’s inaccessible from mainland China servers. Always use Cloudflare’s official APT repository.
Step 3: Create a Tunnel
On a machine with access to Cloudflare (or via proxy):
cloudflared tunnel login
cloudflared tunnel create <tunnel-name>
Then configure it in the Cloudflare Zero Trust dashboard:
- Public Hostname: monitor.your-domain.com
- Service: http://localhost:3001
Step 4: Server-Side Configuration
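Install cloudflared as a systemd service using the Tunnel token:
# <tunnel-token> is a credential: anyone holding it can run this tunnel
cloudflared service install <tunnel-token>
# The installed unit is named cloudflared
systemctl enable cloudflared
systemctl start cloudflared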
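The architecture above relies on port 3001 not being reachable from the internet, but with --network host the container's listener sits directly on the host's interfaces. The following check is an added example, not part of the original post: it filters `ss -H -tln` output for listeners on a given port that are not bound to loopback. The function name exposed_listeners and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find TCP listeners on a port that are bound to a
# non-loopback address, i.e. reachable from other machines unless a
# firewall or security group blocks them.

# Reads `ss -H -tln` lines on stdin (State Recv-Q Send-Q Local Peer)
# and prints the local address of every non-loopback listener on port $1.
exposed_listeners() {
    local port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            addr = $4                       # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next      # port follows the last colon
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", host)       # strip IPv6 brackets
            sub(/%.*/, "", host)            # strip interface scope, e.g. %lo
            if (host ~ /^127\./ || host == "::1") next   # loopback only
            print addr
        }'
}

# Constructed sample of `ss -H -tln` output (not captured from a real
# server): Uptime Kuma under --network host on the wildcard address,
# node-exporter and the resolver stub on loopback, sshd on all IPv4.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:3001 *:*
LISTEN 0 4096 127.0.0.1:9100 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 [::1]:3001 [::]:*'

# The wildcard listener is reported; the [::1] listener is not.
printf '%s\n' "$SAMPLE" | exposed_listeners 3001
```

On the server, run `ss -H -tln | exposed_listeners 3001`. Any output means the port is bound beyond loopback and should be closed off with a firewall or security-group rule, or by binding Uptime Kuma to 127.0.0.1 (it reads the UPTIME_KUMA_HOST environment variable).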
Step 5: Configure Uptime Kuma Monitoring
After logging into the web UI, you can add various types of monitors:
- HTTP(s): Monitor website availability and response time
- TCP Port: Monitor port connectivity (e.g., SSH, databases)
- Ping: Monitor host reachability
- DNS: Monitor DNS resolution
Recommended monitoring targets:
- Production website (60-second interval)
- Git platform (60 seconds)
- Forum (120 seconds)
- Local services such as node-exporter (120 seconds)
Common Pitfalls & Solutions
- On Tencent Cloud, all HTTP ports are blocked for domains without ICP filing, returning HTTP 502 errors; only Cloudflare Tunnel bypasses this restriction.
- When running Uptime Kuma with -p port mapping, localhost inside the container resolves to the container itself—not the host—so host services cannot be monitored. Switching to --network host resolves this.
- Downloading cloudflared from GitHub times out in mainland China; always use the pkg.cloudflare.com APT repository.
- Tunnel configuration changes require restarting the cloudflared service to take effect.
Cost
- Cloudflare Tunnel: Free
- Uptime Kuma: Open-source and free (~100 MB RAM usage)
- Total: Only requires the cheapest available cloud server (e.g., 2 vCPU / 2 GB RAM is sufficient)