Skip to content

stupside/moley

BranchesTags

Repository files navigation

Moley

Release Go Reference Homebrew License CI

Moley

Share a local app on your own domain in one command.

Moley unlocks the good parts of Cloudflare (Tunnels, DNS, Access) straight from a single config file. Point it at localhost:3000, declare who can see it, get a live URL. You never have to touch the Cloudflare dashboard.

What you can do

One moley.yml, one command, and Cloudflare does the rest. A few real setups:

Share a dev app with a teammate

You're building something on localhost:3000 and want to show it to one person, signed in with their GitHub account, on your own domain.

access:
  policies:
    - name: just-us
      decision: allow
      include:
        - email: {email: "teammate@example.com"}

ingress:
  zone: "example.com"
  mode: subdomain
  apps:
    - target: {hostname: localhost, port: 3000, protocol: http}
      expose: {subdomain: demo}
      access:
        providers: [github, onetimepin]
        session_duration: "168h"
      policies: [just-us]

moley tunnel rundemo.example.com, behind a GitHub login, locked to the email you listed.

Let the whole company in

Swap the policy. Anyone with a company email, signed in through your corporate IdP, gets through.

access:
  policies:
    - name: company-only
      decision: allow
      include:
        - email_domain: {domain: "mycompany.com"}

ingress:
  zone: "example.com"
  mode: subdomain
  apps:
    - target: {hostname: localhost, port: 3000, protocol: http}
      expose: {subdomain: staging}
      access:
        providers: [google-workspace]
      policies: [company-only]

Gate an API for a single service

Expose a local API so only one caller can reach it, using a Cloudflare service token. No browser flow, no IdP.

access:
  policies:
    - name: one-client
      decision: non_identity
      include:
        - service_token: {token_id: "your-service-token-uuid"}

ingress:
  zone: "example.com"
  mode: subdomain
  apps:
    - target: {hostname: localhost, port: 8080, protocol: http}
      expose: {subdomain: api}
      policies: [one-client]

The caller sends CF-Access-Client-Id and CF-Access-Client-Secret headers. Everyone else gets blocked at Cloudflare's edge, before a single packet hits your laptop.

Mix and match

Nothing stops you from combining these in one file. Dashboard behind a GitHub login, webhook behind a service token, public status page behind nothing at all, all running through the same tunnel, all cleaned up when you run moley tunnel stop.

Install

Homebrew:

brew install --cask stupside/tap/moley

Go:

go install github.com/stupside/moley/v2@latest

Or grab a binary from the releases page.

Quick start

cloudflared tunnel login

moley config set --cloudflare.token="your-api-token"

moley tunnel init

moley tunnel run

Documentation

Full documentation is available at moley.dev.

Contributing

See CONTRIBUTING.md.

License

MIT. See LICENSE.

About

moley.dev/

Topics

go cli tunnel proxy access cloudflare localhost cloudflared zerotrust

Resources

Readme

License

MIT license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

86 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 19

v2.5.1 Latest
Apr 15, 2026
+ 18 releases

Packages

 
 
 

Contributors

Languages