Endpoint Access Modes
An endpoint defines how traffic reaches a service running on a remote server. When you deploy a service to a server managed by the Clank agent, you need to tell Clank how users (or other systems) will connect to it. Clank supports five endpoint access modes, each suited to different network topologies and security requirements.
Choosing a mode
Start here:

```
Does the server have a public IP?
|
+-- YES: Do you want to use Cloudflare for DDoS protection / CDN?
|   |
|   +-- YES --> PUBLIC_TUNNEL_CLOUDFLARE
|   +-- NO  --> PUBLIC_DIRECT
|
+-- NO: Should the service be accessible outside your local network?
    |
    +-- YES: Do you have Tailscale installed?
    |   |
    |   +-- YES --> PRIVATE_TAILSCALE_HTTPS
    |   +-- NO: Do you have a Cloudflare account?
    |       |
    |       +-- YES --> PUBLIC_TUNNEL_CLOUDFLARE
    |       +-- NO  --> BYO_PROXY (set up your own tunnel/VPN)
    |
    +-- NO: Is this a LAN-only tool (dev server, internal dashboard)?
        |
        +-- YES --> LAN_ONLY
        +-- NO  --> BYO_PROXY
```

PUBLIC_DIRECT
Your server has a public IP and you want the shortest network path between users and your service.
Network flow:
```
User --> DNS A record --> Server public IP:443 --> Agent Traefik --> Container
```

TLS: The agent’s Traefik instance obtains a Let’s Encrypt certificate using the HTTP-01 challenge. Traefik listens on ports 80 and 443. Certificate renewal is automatic.
Prerequisites:
- Server has a public IPv4 address.
- Ports 80 and 443 are open and not occupied by another process.
- You control the DNS for your domain. You must create an A record pointing to the server’s public IP.
Best for: VPS deployments (Hetzner, DigitalOcean, Linode, Vultr, AWS EC2) where you want direct access with minimal latency. Production workloads where you manage your own DDoS protection or do not need it.
Configuration: Provide the hostname (e.g., app.example.com). Clank tells the agent to configure Traefik with that hostname. You create the DNS A record yourself.
PUBLIC_TUNNEL_CLOUDFLARE
Your domain is on Cloudflare and you want to route traffic through a Cloudflare Tunnel. The server does not need a public IP.
Network flow:
```
User --> Cloudflare edge (anycast) --> Cloudflare Tunnel --> Agent Traefik --> Container
```

TLS: Cloudflare terminates TLS at the edge using its own certificate for your domain. The tunnel connection between Cloudflare and the agent is encrypted. No Let’s Encrypt certificates needed.
Prerequisites:
- A Cloudflare account with your domain added (free plan is fine).
- A Cloudflare Tunnel created for this server. You paste the tunnel token into Clank.
- A CNAME record on your domain pointing to the tunnel (Cloudflare creates this when you configure the tunnel’s public hostname).
Best for: Homelab servers behind NAT, servers without public IPs, or any deployment where you want Cloudflare’s DDoS protection and CDN caching in front of your service. Also the recommended mode when the Clank control plane itself is behind a Cloudflare Tunnel.
Configuration: Create a Cloudflare Tunnel in the Cloudflare dashboard (or via cloudflared), copy the tunnel token, and paste it into the server settings in Clank. Then add a public hostname in the Cloudflare Tunnel config pointing to the agent’s Traefik port (typically http://localhost:80). Set the endpoint hostname in Clank to match.
PRIVATE_TAILSCALE_HTTPS
The service is accessible only to devices on your Tailscale network (tailnet). Uses Tailscale’s built-in HTTPS certificate provisioning.
Network flow:
```
User (on tailnet) --> Tailscale HTTPS --> Agent Traefik --> Container
```

TLS: Tailscale provisions HTTPS certificates for your machine’s Tailscale hostname (e.g., server-name.tailnet-name.ts.net). The agent’s Traefik uses these certificates. No Let’s Encrypt, no Cloudflare.
Prerequisites:
- Tailscale installed and connected on the server (the `tailscale` CLI must be available).
- HTTPS certificates enabled on your tailnet (enabled by default on most tailnets).
- The user accessing the service must also be on the same tailnet.
Best for: Internal tools, admin dashboards, staging environments, or any service that should not be publicly accessible. Useful for homelabs where you want secure remote access without exposing ports to the internet.
Configuration: Provide the Tailscale hostname. Clank supports path-prefix routing for multiple services on the same Tailscale hostname (e.g., server.tailnet.ts.net/app1, server.tailnet.ts.net/app2).
LAN_ONLY
The service is accessible only from the local network. No TLS. No internet exposure.
Network flow:
```
User (same LAN) --> Server LAN IP:port --> Agent Traefik --> Container
```

TLS: None. Traffic is unencrypted HTTP. Uses sslip.io hostnames (e.g., 192-168-1-50.sslip.io) so that Traefik can route by hostname without you running a local DNS server.
Prerequisites:
- The user and the server must be on the same local network (or reachable via LAN routing).
- No firewall on the server blocking the Traefik port from LAN clients.
Best for: Local development servers, internal dashboards on a home network, IoT control panels, or any service where internet access is unnecessary and TLS overhead is not warranted.
Configuration: Provide the server’s LAN IP or let Clank auto-detect it from the agent’s heartbeat data. The endpoint URL will be an sslip.io hostname like 192-168-1-50.sslip.io.
BYO_PROXY
You handle routing yourself. Clank deploys the container and exposes it on a local port. You configure your own reverse proxy, tunnel, or VPN to make it reachable.
Network flow:
```
User --> [Your proxy/tunnel/VPN] --> Server localhost:port --> Container
```

TLS: Clank does not manage TLS for BYO_PROXY endpoints. Your proxy is responsible for terminating TLS.
Prerequisites:
- You have an existing reverse proxy (nginx, Caddy, HAProxy), VPN, or tunnel that can route traffic to the server.
- You know the local port the container will listen on.
Best for: Environments with an existing ingress setup you do not want to replace. Corporate networks with mandatory proxy infrastructure. Cases where none of the other four modes fit.
Configuration: Clank tells you the container’s exposed port. You configure your proxy to forward traffic to localhost:{port} on the server. No Traefik configuration on the agent side.
Comparison table
| | PUBLIC_DIRECT | PUBLIC_TUNNEL_CF | TAILSCALE_HTTPS | LAN_ONLY | BYO_PROXY |
|---|---|---|---|---|---|
| Public IP required | Yes | No | No | No | Depends |
| TLS provider | Let’s Encrypt | Cloudflare edge | Tailscale | None | You |
| Internet accessible | Yes | Yes | No (tailnet only) | No (LAN only) | Depends |
| DDoS protection | No (bring your own) | Yes (Cloudflare) | N/A | N/A | Depends |
| Setup complexity | Low | Medium | Low | Minimal | High |
| Latency | Lowest | +10-50ms (Cloudflare hop) | Low (WireGuard) | Lowest | Depends |
| Open ports on server | 80, 443 | None | None | Traefik port | Depends |
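The prerequisites listed for each mode above can be checked before an endpoint is created. The following hypothetical validator is an added example, not Clank's own code: it encodes those prerequisites (public IP for PUBLIC_DIRECT, a private IPv4 LAN address and the sslip.io naming scheme for LAN_ONLY, a *.ts.net hostname for PRIVATE_TAILSCALE_HTTPS, a tunnel token for PUBLIC_TUNNEL_CLOUDFLARE, a local port for BYO_PROXY) so that a spec which would silently violate them, such as an unencrypted LAN_ONLY endpoint on a public address, is rejected up front. The `EndpointSpec` fields are assumptions about what such a spec carries.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical spec shape (an assumption, not Clank's data model).
@dataclass
class EndpointSpec:
    mode: str
    server_ip: str                      # address the agent reports for the server
    hostname: Optional[str] = None
    tunnel_token: Optional[str] = None  # PUBLIC_TUNNEL_CLOUDFLARE only
    port: Optional[int] = None          # BYO_PROXY only

# One or more DNS labels: letters, digits, hyphens, no leading/trailing hyphen.
DNS_NAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def sslip_hostname(lan_ip: str) -> str:
    """Derive the LAN_ONLY hostname: 192.168.1.50 -> 192-168-1-50.sslip.io."""
    return str(ipaddress.IPv4Address(lan_ip)).replace(".", "-") + ".sslip.io"

def validate(spec: EndpointSpec) -> List[str]:
    """Return the prerequisites the spec violates; an empty list means it is acceptable."""
    problems: List[str] = []
    ip = ipaddress.ip_address(spec.server_ip)
    host = (spec.hostname or "").lower()
    if spec.mode == "PUBLIC_DIRECT":
        if not ip.is_global:
            problems.append("PUBLIC_DIRECT needs a public IP (A record + HTTP-01 challenge)")
        if not DNS_NAME.match(host):
            problems.append("PUBLIC_DIRECT needs a DNS hostname such as app.example.com")
    elif spec.mode == "PUBLIC_TUNNEL_CLOUDFLARE":
        if not spec.tunnel_token:
            problems.append("PUBLIC_TUNNEL_CLOUDFLARE needs the Cloudflare Tunnel token")
        if not DNS_NAME.match(host):
            problems.append("hostname must match the tunnel's public hostname")
    elif spec.mode == "PRIVATE_TAILSCALE_HTTPS":
        if not host.endswith(".ts.net"):
            problems.append("PRIVATE_TAILSCALE_HTTPS needs the server's *.ts.net hostname")
    elif spec.mode == "LAN_ONLY":
        # Plain HTTP with no TLS: only accept a private (RFC 1918) IPv4 LAN address.
        if ip.version != 4 or not ip.is_private or ip.is_loopback:
            problems.append("LAN_ONLY is unencrypted; server IP must be a private IPv4 LAN address")
    elif spec.mode == "BYO_PROXY":
        if spec.port is None or not 1 <= spec.port <= 65535:
            problems.append("BYO_PROXY needs the container's local port (1-65535)")
    else:
        problems.append(f"unknown access mode {spec.mode!r}")
    return problems
```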
Multiple endpoints per service
A service can have more than one endpoint. For example, a service might have a PUBLIC_TUNNEL_CLOUDFLARE endpoint for production traffic and a PRIVATE_TAILSCALE_HTTPS endpoint for admin access. One endpoint is marked as primary and shown as the main URL in the dashboard. Others are listed as secondary.
You can disable an endpoint without deleting it. Disabled endpoints stop routing traffic but preserve their configuration.
Next steps
- Projects and Services — Understand how services are configured.
- Servers and the Clank Agent — Learn how the agent manages containers on your servers.