Skip to Content
Deploy on a VPSCloudflare Tunnel

Cloudflare Tunnel

This is the fastest production-friendly path for exposing Hiveloom to Claude, Cursor, and other remote MCP clients that require a public https:// URL.

Why pick this path

  • No inbound ports required on the VPS.
  • No local reverse proxy required.
  • No certificate issuance or renewal on the box.
  • Works well when your main goal is “make /mcp/<tenant>/<agent> reachable over HTTPS”.

Use Deploy on a VPS instead if you want Caddy and full control of TLS on your own host.

Requirements

  • A VPS with Hiveloom running on 127.0.0.1:3000
  • A domain managed in Cloudflare
  • cloudflared installed on the VPS

Verify Hiveloom first:

curl -s http://127.0.0.1:3000/healthz
# {"status":"ok"}

The quick path

# 1. Authenticate cloudflared with your Cloudflare account
cloudflared tunnel login
 
# 2. Create the tunnel
cloudflared tunnel create hiveloom
 
# 3. Create the DNS route
cloudflared tunnel route dns hiveloom mcp.hiveloom.cloud

Then write /etc/cloudflared/config.yml:

tunnel: hiveloom
credentials-file: /root/.cloudflared/<tunnel-uuid>.json
 
ingress:
  - hostname: mcp.hiveloom.cloud
    service: http://127.0.0.1:3000
    originRequest:
      httpHostHeader: mcp.hiveloom.cloud
  - service: http_status:404

Start it as a service:

sudo cloudflared service install
sudo systemctl enable --now cloudflared
sudo systemctl status cloudflared

Your MCP base URL is now:

https://mcp.hiveloom.cloud

And an agent endpoint looks like:

https://mcp.hiveloom.cloud/mcp/default/support-bot

Why httpHostHeader matters

Hiveloom builds OAuth and MCP metadata from forwarded headers. In the current server code, public URLs are derived from:

  • X-Forwarded-Proto or X-Forwarded-Protocol
  • X-Forwarded-Host or Host

Cloudflare forwards X-Forwarded-Proto, and httpHostHeader makes sure the upstream Host matches your public hostname. That keeps OAuth discovery and protected-resource metadata on https://mcp.hiveloom.cloud/... instead of falling back to loopback.

Verify before touching an MCP client

curl -s https://mcp.hiveloom.cloud/healthz
curl -s https://mcp.hiveloom.cloud/.well-known/oauth-authorization-server | jq .issuer

Expect:

"https://mcp.hiveloom.cloud"

If that issuer comes back as http://..., fix the tunnel config before you continue.

Why this works for Claude and remote MCP clients

Anthropic’s MCP connector docs currently say:

  • the MCP server must be publicly exposed through HTTP
  • the MCP server URL must start with https://

That is exactly what this tunnel provides.

Create an MCP identity

Once HTTPS is correct:

hiveloom mcp-identity create \
  --tenant default \
  --name claude-desktop \
  --agent support-bot

If the printed MCP URL still shows http://127.0.0.1:3000, keep the same /mcp/<tenant>/<agent> path and replace only the scheme + host with your public hostname:

https://mcp.hiveloom.cloud/mcp/default/support-bot

Troubleshooting

  • cloudflared shows 502 or Unable to reach the origin service: Hiveloom is not listening on 127.0.0.1:3000, or the tunnel points at the wrong port.
  • OAuth discovery returns http://127.0.0.1:3000: httpHostHeader is missing or wrong in config.yml.
  • Tunnel works, but the MCP client still rejects it: fetch /.well-known/oauth-authorization-server and verify every URL starts with https://.
  • You want the classic reverse-proxy route instead: use Deploy on a VPS.

Next

Last updated on
systemdOverview