
Setting Up Nginx with Cloudflare Tunnel for AI API Proxying

By Engineering Team

In this tutorial, we'll walk through setting up a robust, resource-efficient infrastructure for proxying AI API requests using Nginx and Cloudflare Tunnel. This setup is particularly useful for resource-constrained environments and provides secure, scalable access to AI services.

Architecture Overview

Our infrastructure consists of:

  • Nginx: Resource-optimized reverse proxy
  • Cloudflare Tunnel: Secure tunnel without opening firewall ports
  • Health Monitoring: Automated monitoring with GitHub integration
  • Production Server: Internal server hosting the services

Why This Architecture?

Benefits

  • Security: Outbound-only connections, no inbound firewall rules needed
  • Performance: Optimized for low-resource environments (1GB RAM)
  • Reliability: Built-in health monitoring and automated status reporting
  • Scalability: Easy to extend with additional services

Use Cases

  • AI API proxying and rate limiting
  • Secure access to internal services
  • Resource-constrained deployments
  • Development and staging environments

Prerequisites

Before starting, ensure you have:

  • A server with at least 1GB RAM
  • Domain access (we use tinova-ai.cc)
  • Cloudflare account with tunnel capabilities
  • Basic Linux administration knowledge

Step 1: Nginx Configuration

Create an optimized Nginx configuration for resource-constrained environments:

# /etc/nginx/nginx.conf
user nginx;  # Debian/Ubuntu distro packages run Nginx as www-data instead
worker_processes 1;  # Single worker for low-resource environments

events {
    worker_connections 512;  # Reduced for memory efficiency
    use epoll;
}

http {
    # Basic settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    
    # Compression
    gzip on;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript;
    
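    # Security headers ("always" also covers error responses; a location that
    # declares its own add_header does not inherit these)
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;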
    
    # Include site configurations
    include /etc/nginx/sites-enabled/*;
}

Reverse Proxy Configuration

# /etc/nginx/sites-available/reverse-proxy.conf
server {
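    # Loopback only: cloudflared connects to localhost:3000, so the proxy
    # never needs to be reachable from the network
    listen 127.0.0.1:3000;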
    server_name localhost;
    
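    # Health check endpoint
    location /health {
        access_log off;
        # default_type sets the Content-Type; an add_header here would stop
        # the http-level security headers from being inherited
        default_type text/plain;
        return 200 'OK';
    }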
    
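    # Claude API proxy: the trailing slashes strip the /claude/ prefix, so
    # /claude/v1/messages is forwarded upstream as /v1/messages
    location /claude/ {
        proxy_pass https://api.anthropic.com/;
        proxy_set_header Host api.anthropic.com;
        proxy_ssl_server_name on;  # send SNI on the upstream TLS handshake
        # Behind cloudflared, $remote_addr is the local tunnel daemon; the
        # visitor address arrives in the CF-Connecting-IP request header
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;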
        
        # Buffer settings for efficiency
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        
        # Timeout settings
        proxy_connect_timeout 30s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
    }
}

Step 2: Cloudflare Tunnel Setup

Install Cloudflare Tunnel

# Download and install cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb

Authentication and Configuration

# Login to Cloudflare
cloudflared tunnel login

# Create a new tunnel
cloudflared tunnel create claude-api-tunnel

# Configure DNS routing
cloudflared tunnel route dns claude-api-tunnel claudeapi.tinova-ai.cc

Tunnel Configuration

Create /etc/cloudflared/config.yml:

tunnel: claude-api-tunnel
credentials-file: /root/.cloudflared/[tunnel-id].json

ingress:
  - hostname: claudeapi.tinova-ai.cc
    service: http://localhost:3000
  - service: http_status:404

Step 3: Health Monitoring Setup

Create an automated health monitoring system:

#!/bin/bash
# /usr/local/bin/health-monitor.sh

ENDPOINT="https://claudeapi.tinova-ai.cc/health"
LOGFILE="/var/log/claudeapi-status.log"
STATUS_FILE="/var/log/claudeapi-status.md"

# Perform health check: one request supplies both values, and --max-time
# keeps a hung tunnel from stalling the timer run
read -r HTTP_CODE RESPONSE_TIME < <(curl -s -o /dev/null --max-time 10 -w "%{http_code} %{time_total}\n" "$ENDPOINT")

# Log results
echo "$(date): HTTP $HTTP_CODE, Response time: ${RESPONSE_TIME}s" >> "$LOGFILE"

# Update status file for GitHub integration
if [ "$HTTP_CODE" = "200" ]; then
    STATUS="✅ Healthy"
    COLOR="green"
else
    STATUS="❌ Unhealthy"
    COLOR="red"
fi

cat > "$STATUS_FILE" << EOF
# Service Status Report

**Last Updated:** $(date)

## Services Status

| Service | Status | Response Time | Endpoint |
|---------|---------|---------------|----------|
| Claude API Proxy | $STATUS | ${RESPONSE_TIME}s | $ENDPOINT |

## System Metrics
- **Uptime**: $(uptime)
- **Memory Usage**: $(free -m | awk 'NR==2{printf "%.1f%%", $3*100/$2 }')
- **Disk Usage**: $(df -h / | awk 'NR==2{print $5}')
EOF

Systemd Service Configuration

# /etc/systemd/system/claudeapi-monitor.service
[Unit]
Description=Claude API Health Monitor
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/health-monitor.sh
User=root

# /etc/systemd/system/claudeapi-monitor.timer  
[Unit]
Description=Run Claude API Health Monitor every 5 minutes
Requires=claudeapi-monitor.service

[Timer]
OnCalendar=*:0/5
Persistent=true

[Install]
WantedBy=timers.target

Step 4: Testing and Validation

Test Nginx Configuration

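# Enable the site (nginx.conf only includes sites-enabled), then validate and restart
sudo ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx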

Test Cloudflare Tunnel

cloudflared tunnel run claude-api-tunnel

Verify Health Monitoring

curl -I https://claudeapi.tinova-ai.cc/health

Performance Optimization

Memory Usage

  • Nginx with our configuration uses ~5-15MB RAM
  • Much more efficient than Docker-based solutions
  • Single worker process optimized for low-resource environments

Security Features

  • Outbound-only connections (no inbound firewall rules)
  • Cloudflare's network-level protection
  • Proper proxy headers for client identification
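
The outbound-only property holds only if Nginx itself is not reachable from the network: a bare `listen 3000;` binds every interface, so the proxy port is open to any host the firewall lets through. The following added example (not part of the original tutorial) scans `ss -ltnH` output for non-loopback listeners on a port; the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report listeners on a port that other hosts can reach.
# Input on stdin: lines in `ss -ltnH` format (State Recv-Q Send-Q Local Peer).

exposed_listeners() {
    local port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            local_addr = $4                       # e.g. 0.0.0.0:3000 or [::1]:3000
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next
            host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)                 # drop an interface suffix such as %lo
            if (host ~ /^127\./ || host == "[::1]") next   # loopback listener: not exposed
            print local_addr
        }'
}

# Returns 0 when every listener on the port is loopback-only, 1 otherwise.
port_is_loopback_only() {
    local port="$1" exposed
    exposed="$(exposed_listeners "$port")"
    [ -z "$exposed" ]
}

# Constructed sample: what a bare "listen 3000;" looks like (wildcard bind).
SAMPLE_WILDCARD='LISTEN 0      511          0.0.0.0:3000       0.0.0.0:*
LISTEN 0      511             [::]:3000          [::]:*
LISTEN 0      4096      127.0.0.53%lo:53         0.0.0.0:*'

# Constructed sample: what "listen 127.0.0.1:3000;" looks like.
SAMPLE_LOOPBACK='LISTEN 0      511        127.0.0.1:3000       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*'

printf '%s\n' "$SAMPLE_WILDCARD" | exposed_listeners 3000
printf '%s\n' "$SAMPLE_LOOPBACK" | port_is_loopback_only 3000 && echo "port 3000: loopback only"

# On the server itself:  ss -ltnH | exposed_listeners 3000
```
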

Troubleshooting

Common Issues

502 Bad Gateway

  • Check if local service on port 3000 is running
  • Verify Nginx configuration syntax

Tunnel Not Connecting

  • Verify credentials file exists
  • Check DNS routing configuration
  • Review cloudflared logs

Health Check Failing

  • Ensure /health endpoint is accessible
  • Check network connectivity
  • Verify SSL certificates

Monitoring Commands

# Check nginx status
sudo systemctl status nginx

# View nginx logs
sudo tail -f /var/log/nginx/error.log

# Check tunnel status
cloudflared tunnel list

# View tunnel logs
sudo journalctl -u cloudflared -f

Conclusion

This setup provides a robust, resource-efficient infrastructure for AI API proxying with:

  • Minimal resource usage (suitable for 1GB RAM environments)
  • Enterprise-grade security through Cloudflare
  • Automated health monitoring and reporting
  • Easy scalability for additional services

The combination of Nginx and Cloudflare Tunnel offers an excellent balance of performance, security, and operational simplicity.

Next Steps

  • Implement rate limiting for API endpoints
  • Add SSL/TLS termination at Nginx level
  • Set up log aggregation and analysis
  • Explore load balancing for multiple backend services
