Install PlikShare with Cloudflare Tunnel.
Run PlikShare without exposing a single port to the internet. cloudflared opens an outbound connection to Cloudflare, and every request flows back through that tunnel. TLS termination, DDoS protection and routing all live on Cloudflare's side.
sudo /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/damian-krychowski/plikshare/refs/heads/main/deployment/plikshare-install-cloudflare-tunnel.sh)"Prefer to read before you run? Inspect the script on GitHub first.
Before you run it
You will need to do the full Cloudflare setup before running the script. The script consumes the tunnel token and assumes the route is already configured on Cloudflare's side. Walk through:
- A Cloudflare account with your domain on it. DNS must be managed by Cloudflare so the published hostname can resolve back through the tunnel.
- Create a Tunnel. In the Cloudflare Zero Trust dashboard go to Networks → Connectors → Cloudflare Tunnels → Create a tunnel, pick the Cloudflared connector type, give it a name (e.g.
plikshare). - Copy the Tunnel token. On the "Install and run a connector" screen pick the Docker tab. Cloudflare shows a
docker run … --token eyJhIjoi…command. Do not run it yourself - the install script handles cloudflared. Just copy the long token value after--token(starts withey); the script will ask for it. - Add a published application route. On the next screen, click Add a published application route and fill in:
- Subdomain - the leftmost label (e.g.
plikshare) - Domain - your domain from the dropdown
- Path - leave empty
- Service Type -
HTTP - URL -
plikshare:8080
- Subdomain - the leftmost label (e.g.
- Save the tunnel. Cloudflare creates a CNAME record for the hostname automatically - no DNS A record needed.
plikshare:8080 - not localhost:8080 as the placeholder text suggests.cloudflared runs as its own container on the Compose network. plikshare is the service name that resolves to the PlikShare container; localhost would be cloudflared's own loopback, where nothing is listening. What the script does
- Installs prerequisites - Docker. No firewall rules for 80 / 443 are added - those ports are never opened to the internet.
- Collects setup details - admin email, initial admin password, encryption passwords, storage volumes and the Cloudflare Tunnel token.
- Installs PlikShare - generates a Docker Compose file with two services (PlikShare and
cloudflared). - Starts the stack -
cloudflaredconnects outbound to Cloudflare using the token. Cloudflare routes traffic to PlikShare through the published application route you set up. - Sets up cron jobs - optional nightly PlikShare updates.
When the script finishes, visit your hostname - PlikShare is live. TLS is terminated at Cloudflare's edge and traffic flows over the tunnel to your server. No inbound ports were ever opened.
A note on download throughput
Every request - file downloads included - is proxied through cloudflared to Cloudflare's edge and back. For browsing and day-to-day sharing this is a non-issue, but for download-heavy or large-file workloads that extra hop means the tunnel itself, rather than your server or PlikShare, can become the throughput ceiling.
We saw this in our own load testing: the same server delivered several times higher aggregate download throughput when exposed directly than when the identical files were served through the tunnel. PlikShare streams files straight from disk and can comfortably saturate multi-gigabit links on its own, so when downloads feel capped, the tunnel is the first place to look. The exact numbers depend on your server size, region and how many people download at once, so benchmark your own setup rather than treating any figure as fixed.
See the installation in action
Rather not run it yourself?
If you'd like a hand getting PlikShare running, or you want it fully managed by someone else, let's have a quick chat.
- Initial setup on your server - Docker, SSL, reverse proxy
- Storage (S3 / R2 / B2 / Azure / GCS) and email provider
- Ongoing updates, backups and migrations