Cloudflare Worker: Tunnel Broker scaffold and deployment
Summary
Set up a Cloudflare Worker in this repo to serve as a tunnel broker. The Worker will mint per-device named Cloudflare Tunnels and DNS, return a connector token + hostname to the desktop, and expose standalone REST endpoints (no client-specific coupling). Follow mcp-lite’s Cloudflare Worker example structure for code layout.
Proposed structure
- worker/
- src/index.ts – Hono app entrypoint; mounts REST routes and /mcp (later)
- src/broker/*.ts – broker functions (create/revoke/status, DNS helpers, naming)
- src/config.ts – env bindings and constants (prefix/suffix, timeouts)
- wrangler.jsonc – config, compatibility_date, bindings, routes
Endpoints
- POST /tunnels → create tunnel + CNAME; returns { tunnelId, hostname, token, createdAt }
- GET /tunnels/:id/status → connected + route details
- DELETE /tunnels/:id → revoke tunnel + remove DNS
Naming and routing
- Hostname policy: first‑level subdomains tunnel-<rand>.<ZONE> (TLS via Universal SSL)
- Default vars: TUNNEL_HOST_PREFIX=tunnel-, TUNNEL_HOST_SUFFIX=<your-domain>
- Ingress: configure <hostname> -> http://localhost:8787 and catch‑all 404
Security
- Store CF API token and account/zone IDs as Worker secrets: CF_API_TOKEN, CF_ACCOUNT_ID, CF_ZONE_ID
- Shared broker key optional: BROKER_KEY (require for DELETE/GET; POST may be public for one‑command UX)
- Do not log the connector token
Acceptance criteria
- Deployed Worker responds to POST /tunnels with { hostname, token, tunnelId }
- DNS resolves for the minted hostname; TLS handshake succeeds (400/404 is OK for GET /)
- DELETE revokes the tunnel and removes DNS
- Status returns connector state (at least basic connected flag)
- README updated with deploy steps (wrangler), env/secrets, and example curl
Notes
- Use Bun for dependency management and local dev scripts; wrangler for deploy
- Reference: mcp-lite/examples/cloudflare-worker-kv for Worker + Hono project structure
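The naming and security items above, sketched as an added example that is not code from this repo or from mcp-lite: hostname minting, the BROKER_KEY gate, and token redaction for logs. The function names, the Bearer header format, and the behaviour when BROKER_KEY is unset are assumptions.

```typescript
// Added example. Env names come from the issue; everything else is hypothetical.
interface BrokerEnv {
  TUNNEL_HOST_PREFIX: string; // "tunnel-" by default
  TUNNEL_HOST_SUFFIX: string; // the zone, e.g. "example.com" (constructed value)
  BROKER_KEY?: string; // optional shared key
}

// Mint tunnel-<rand>.<ZONE> as a single first-level label under the zone.
// <rand> comes from the CSPRNG so hostnames cannot be guessed or enumerated.
function mintHostname(env: BrokerEnv, randBytes = 8): string {
  const bytes = crypto.getRandomValues(new Uint8Array(randBytes));
  const rand = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  const label = `${env.TUNNEL_HOST_PREFIX}${rand}`;
  // One valid DNS label only: a dot in the prefix would create a deeper level.
  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) {
    throw new Error("prefix does not produce a valid DNS label");
  }
  return `${label}.${env.TUNNEL_HOST_SUFFIX}`;
}

// Compare secrets without returning early at the first differing byte.
function constantTimeEqual(a: string, b: string): boolean {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Issue policy: BROKER_KEY is required for GET/DELETE, POST may be public.
// Assumptions: the key arrives as "Authorization: Bearer <key>", and an unset
// BROKER_KEY disables the check because the issue calls the key optional.
function isAuthorized(method: string, authHeader: string | null, env: BrokerEnv): boolean {
  if (method === "POST" || !env.BROKER_KEY) return true;
  const presented = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : "";
  return constantTimeEqual(presented, env.BROKER_KEY);
}

// "Do not log the connector token": log a copy with the token masked.
function redactForLog(body: Record<string, unknown>): Record<string, unknown> {
  return "token" in body ? { ...body, token: "[redacted]" } : body;
}
```

In a Hono app, isAuthorized would run in a middleware ahead of the /tunnels/:id routes, and redactForLog would wrap anything passed to console.log.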