Pros:
Static URL, so no need to update Dynamic DNS in BlueBubbles server
Auto start at boot
You can configure a custom landing page to block unwanted connections to your server (in addition to the default one in BlueBubbles)
Cons:
You need a domain to link to Cloudflare (subdomain services like DuckDNS and No-IP won't work)
Setup is a tad bit more complicated
Sign up for a Cloudflare account at https://dash.cloudflare.com/sign-up
Add a site on the portal
Enter your domain name (do not use a subdomain)
Click the free plan and click continue
If you are using the domain for any other websites copy the records below (if you are just using the domain for BlueBubbles you can skip this part)
Configure your domain name servers to Cloudflare
Wait for Cloudflare to validate your domain
Login to the Zero Trust dashboard at https://dash.teams.cloudflare.com/ and go to Networks > Tunnels.
Select Create a tunnel
Enter a name for your tunnel. For example, you could name it Bluebubbles.
Select Save tunnel
Next, you will need to install cloudflared and run it. You can install it here, https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/
After installing cloudflared, you can see that when choosing your OS as Mac, cloudflare provides a command to enter into terminal. Run this command.
Once the command has been run successfully, your connector will show up underneath the command in the Zero Trust Dashboard.
Select Next
Now in the Public Hostnames tab, type in your subdomain, for example, bluebubbles.(This does not have to be the name of your tunnel)
Choose the main domain you want to use for it.
Below, you should see a section called Service. For this, you want to put the localhost address for the bluebubbles server. The default one would be: HTTP://localhost:1234 .
Save the tunnel
After doing this, you may need to run sudo launchctl start com.cloudflare.cloudflared when initially setting up the tunnel to start it.
As we installed cloudflared as a service, it should automatically launch at startup.
Navigate to the settings page of the server app
Change the proxy to dynamic dns
For the URL, type in the url displayed in the tunnels section of the Zero Trust dashboard. Make sure you use HTTPS as cloudflare uses that by default.
Now try opening the bluebubbles app and see if it connects.
It is recommended that you ensure the server is fully working and the app is connecting before proceeding.
Login to the Zero Trust dashboard at https://dash.teams.cloudflare.com/ and go to Access > Service Auth.
Select Create Service Token.
Give it a name (This does not have to be the name of your server) like "bb".
Set the duration to as long as you want before a new token is required (Non-expiring means you'll not have to reset this in the future).
Click Generate Token.
Record somewhere the Header and client ID and the Header and client secret. Hit Save.
From the left hand menu go to Access > Applications.
Select Add an application, and select Self-hosted.
Leave everything as default unless specified below.
Under Application Name put "Blue Bubbles".
Under Subdomain set to the subdomain you used during "Setting up Cloudflare tunnels with your domain" above for example, "bluebubbles"
Under Domain select the main domain you used for it.
Click Next.
Under Policy name, insert "servicetoken".
Set Action to Service Auth.
Under Configure Rules, change Selector drop-down to Service Token and select the service token name you set in step 4 above.
Click Next & click Add application.
In the Blue Bubbles app on Android (or Windows etc), under "Settings/Connection & Server" scroll down to "Configure Custom Headers".
Add Header Key "cf-access-client-id" and set Value to your client id (remove "CF-Access-Client-Id:" from the start - ie only insert alphanumericstring.access)
Add Header Key "cf-access-client-secret" and set Value to your client secret (remove "CF-Access-Client-Secret:" from the start - ie only insert longalphanumericstring)
Hit OK.
Test syncing your messages by selecting "Manually Sync Messages" for the last hour.
In Cloudflare, from the left hand menu, go to Access > Service Auth and refresh the browser.
"Last Seen" should be updated to shown the Service Token has been used.
Congrats - your Blue Bubbles server is now secured so only your app can access it.