Cloudflare Named Tunnels (Dark Origin)
A Cloudflare named tunnel publishes a service to the public internet through an outbound-only connection from the origin, so the origin Mac needs no open inbound ports, no static IP, and no exposed address. The origin stays dark.
What a named tunnel is
A Cloudflare named tunnel is a persistent, named connection created by the cloudflared daemon that links a local service to Cloudflare's edge. Unlike a quick "try it" tunnel with a random throwaway hostname, a named tunnel has a stable identity (a tunnel ID and credentials file) and a configuration that maps public hostnames to local origins. It survives restarts and is the production-grade form of the feature.
The key property is direction. The tunnel is established by an outbound connection from your machine to Cloudflare. Public traffic arrives at Cloudflare's edge and is delivered back down that pre-established connection. Your machine never accepts an inbound connection from the open internet.
The dark-origin property
"Dark origin" describes the security posture this produces: the origin server has no listening inbound ports exposed to the internet, no public IP or DNS record that points at it, and nothing to port-scan or DDoS directly. The only path to your service runs through Cloudflare, which means edge protections — WAF, rate limiting, TLS termination, bot filtering — apply before any request can reach your hardware.
For a sovereign stack this matters enormously. The whole point is running production on a Mac in your home or office. A dark origin means that Mac is not advertising itself to the internet, is not dependent on a residential ISP giving you a static address or letting you open ports, and is not a sitting target. The attack surface collapses to "whatever Cloudflare lets through to a single outbound link."
Configuration model
A named tunnel is driven by a config.yml that declares the tunnel, its credentials, and an ordered list of ingress rules mapping hostnames to local services. A single tunnel can fan a whole portfolio of domains and subdomains to different local ports — which is exactly how the one-Mac-three-domains pattern publishes three apex domains plus their subdomains through one tunnel ID.
Each ingress rule pairs a public hostname with a service URL like http://localhost:3001. Requests are matched top-to-bottom, and the final rule has no hostname: it is the catch-all, normally service http_status:404, so anything not explicitly published gets a 404 rather than a guess. DNS for each hostname is a CNAME pointing at the tunnel, so adding a domain is two steps: a new ingress rule and a DNS record.
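The configuration model above, as an added example (not cloudflared's own code): a small Python model of a one-tunnel, three-domain config.yml that renders the YAML cloudflared reads, validates the shape cloudflared enforces (the last rule must be a hostname-less catch-all; the duplicate-hostname check is an extra guard added here), and simulates top-to-bottom matching so you can see which local port a given public hostname lands on. The tunnel ID, domains, ports and credentials path are constructed placeholders, and the wildcard handling is simplified to "one DNS label".

```python
# Added example, not cloudflared's code: model of a named tunnel's ingress list.
# All domains, ports, the tunnel ID and the credentials path are constructed placeholders.

CATCH_ALL = "http_status:404"
TUNNEL_ID = "TUNNEL-ID-PLACEHOLDER"          # real value comes from `cloudflared tunnel create`
CREDS_PATH = "/Users/me/.cloudflared/TUNNEL-ID-PLACEHOLDER.json"

# One rule per public hostname, in the order cloudflared evaluates them.
# Three apex domains plus subdomains fan out to different local ports.
INGRESS = [
    {"hostname": "example.com",     "service": "http://localhost:3001"},
    {"hostname": "www.example.com", "service": "http://localhost:3001"},
    {"hostname": "api.example.com", "service": "http://localhost:3002"},
    {"hostname": "example.net",     "service": "http://localhost:3003"},
    {"hostname": "*.example.net",   "service": "http://localhost:3003"},
    {"hostname": "example.org",     "service": "http://localhost:3004"},
    {"service": CATCH_ALL},  # no hostname: the catch-all, must be last
]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match. A leading '*.' stands for exactly one DNS label
    (a simplification of cloudflared's wildcard handling, assumed here)."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.net"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]         # what the '*' would cover
        return bool(label) and "." not in label
    return pattern == hostname


def validate(ingress: list) -> bool:
    """Reject shapes that are wrong: empty list, last rule not a catch-all,
    a hostname-less rule before the end, a rule without a service, or a
    duplicate hostname (which would be silently shadowed by the earlier rule)."""
    if not ingress:
        raise ValueError("ingress list is empty")
    if "hostname" in ingress[-1]:
        raise ValueError("last rule must be a catch-all with no hostname")
    seen = set()
    for i, rule in enumerate(ingress[:-1]):
        if "hostname" not in rule:
            raise ValueError(f"rule {i} has no hostname but is not the last rule")
        if "service" not in rule:
            raise ValueError(f"rule {i} has no service")
        host = rule["hostname"].lower()
        if host in seen:
            raise ValueError(f"duplicate hostname {host!r} is shadowed by an earlier rule")
        seen.add(host)
    return True


def route(hostname: str, ingress: list = INGRESS) -> str:
    """Return the service of the first rule that matches, top to bottom."""
    for rule in ingress:
        if "hostname" not in rule or hostname_matches(rule["hostname"], hostname):
            return rule["service"]
    raise ValueError("no catch-all rule reached")  # unreachable once validate() passed


def render_config(tunnel_id: str, ingress: list, creds_path: str) -> str:
    """Emit config.yml text in the shape cloudflared reads."""
    lines = [f"tunnel: {tunnel_id}", f"credentials-file: {creds_path}", "ingress:"]
    for rule in ingress:
        if "hostname" in rule:
            lines.append(f"  - hostname: {rule['hostname']}")
            lines.append(f"    service: {rule['service']}")
        else:
            lines.append(f"  - service: {rule['service']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    validate(INGRESS)
    print(render_config(TUNNEL_ID, INGRESS, CREDS_PATH))
    for h in ("api.example.com", "blog.example.net", "a.b.example.net", "evil.example.org"):
        print(f"{h:20} -> {route(h)}")
```

Write the rendered text to ~/.cloudflared/config.yml, then let cloudflared check it with `cloudflared tunnel ingress validate` and answer the same "where does this hostname go" question with `cloudflared tunnel ingress rule https://api.example.com`; the DNS half of adding a domain is `cloudflared tunnel route dns <tunnel> <hostname>`, which creates the CNAME at the tunnel.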
Operational notes
cloudflared runs as a long-lived background service — under launchd on macOS — so the tunnel reconnects automatically across reboots and network blips. Because the tunnel is the only ingress, its health is the health of the whole site; a monitoring job that probes the public URLs catches a dropped tunnel the same way it catches a crashed app.
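The monitoring job described above, as an added example (not cloudflared's code or the page's own script): a probe over the public URLs that classifies what the edge answers, so a dropped tunnel (Cloudflare's edge replies with HTTP 530 when it cannot reach the tunnel) and a crashed app behind a live tunnel (cloudflared replies 502) both fail the check but are reported differently. The hostnames are constructed placeholders, and the fetch function is injectable so the logic can be exercised without network access.

```python
# Added example, not cloudflared's code: health probe for a dark-origin site
# whose only ingress is a named tunnel. URLs below are constructed placeholders.
import sys
import urllib.error
import urllib.request

PUBLIC_URLS = [
    "https://example.com/healthz",
    "https://api.example.com/healthz",
    "https://example.net/healthz",
]


def http_status(url: str, timeout: float = 10.0):
    """Real fetch: HTTP status code, or None when no response came back at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "tunnel-probe/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code                      # 4xx/5xx still tell us who answered
    except (urllib.error.URLError, OSError):
        return None                        # DNS failure, timeout, connection refused


def classify(status) -> str:
    """Map a status code to what it means for a tunnel-published origin."""
    if status is None:
        return "unreachable"               # could not even reach Cloudflare's edge
    if 200 <= status < 300:
        return "ok"
    if status == 530:
        return "tunnel-down"               # edge cannot reach the tunnel (cloudflared not connected)
    if status == 502:
        return "app-down"                  # tunnel is up, local service refused the connection
    if status >= 500:
        return "server-error"
    return "unexpected"


def probe(urls, fetch=http_status) -> dict:
    """Probe every public URL; returns {url: classification}."""
    return {url: classify(fetch(url)) for url in urls}


def all_healthy(report: dict) -> bool:
    return all(state == "ok" for state in report.values())


if __name__ == "__main__":
    report = probe(PUBLIC_URLS)
    for url, state in report.items():
        print(f"{state:12} {url}")
    sys.exit(0 if all_healthy(report) else 1)
```

Run it from a cron or launchd job on a machine other than the origin (the point is to see what the public sees); a non-zero exit is the alert, and a report full of "tunnel-down" across every domain is the single-shared-path failure mode, since one tunnel ID carries them all.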
Trade-offs to weigh: all traffic flows through Cloudflare, so you accept it both as an availability dependency and as a party that sees your requests in plaintext, since TLS terminates at its edge; and a single tunnel is a shared path for every domain it carries, so its failure takes them all down together. For a solo operator publishing owned hardware to the world without renting a static IP or poking holes in a firewall, those trade-offs are usually well worth the dark-origin guarantee.