From f65deca8c1dd91125d6b8a507c6c320a3b705f10 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 19 Feb 2026 19:47:32 -0500 Subject: [PATCH 01/33] new coredash tunnel tile --- .github/CODEOWNERS | 1 + .github/labeler.yml | 4 + public/__redirects | 6 + .../2024-12-19-diagnostic-logs.mdx | 0 .../2025-07-15-udp-improvements.mdx | 0 ...el-networks-list-endpoints-new-default.mdx | 0 .../2025-09-18-tunnel-hostname-routing.mdx | 0 .../2025-11-11-cloudflared-proxy-dns.mdx | 0 ...2026-01-15-warp-connector-ping-support.mdx | 0 .../directory/cloudflare-tunnel-sase.yaml | 10 + src/content/directory/cloudflare-tunnel.yaml | 6 +- .../docs/cloudflare-one/changelog/tunnel.mdx | 4 +- .../do-more-with-tunnels/index.mdx | 9 +- .../local-management/index.mdx | 4 +- .../do-more-with-tunnels/trycloudflare.mdx | 4 + .../connectors/cloudflare-tunnel/index.mdx | 9 +- .../docs/cloudflare-tunnel/changelog.mdx | 11 + .../configure-tunnels/cipher-suites.mdx | 20 + .../cloudflared-parameters/index.mdx | 152 +++ .../origin-parameters.mdx | 194 +++ .../cloudflared-parameters/run-parameters.mdx | 196 +++ .../configure-tunnels/index.mdx | 49 + .../tunnel-availability/deploy-replicas.mdx | 55 + .../tunnel-availability/index.mdx | 86 ++ .../system-requirements.mdx | 109 ++ .../configure-tunnels/tunnel-permissions.mdx | 185 +++ .../tunnel-with-firewall.mdx | 325 +++++ .../deployment-guides/ansible.mdx | 308 +++++ .../deployment-guides/aws.mdx | 147 ++ .../deployment-guides/azure.mdx | 118 ++ .../google-cloud-platform.mdx | 121 ++ .../deployment-guides/index.mdx | 12 + .../deployment-guides/kubernetes.mdx | 337 +++++ .../deployment-guides/terraform.mdx | 463 +++++++ .../downloads/copyrights.mdx | 1195 +++++++++++++++++ .../cloudflare-tunnel/downloads/index.mdx | 72 + .../cloudflare-tunnel/downloads/license.mdx | 220 +++ .../downloads/update-cloudflared.mdx | 180 +++ src/content/docs/cloudflare-tunnel/faq.mdx | 79 ++ .../get-started/create-remote-tunnel-api.mdx | 204 +++ .../get-started/create-remote-tunnel.mdx | 99 ++ .../cloudflare-tunnel/get-started/index.mdx | 16 + .../get-started/tunnel-useful-terms.mdx | 44 + src/content/docs/cloudflare-tunnel/index.mdx | 69 + .../cloudflare-tunnel/integrations/access.mdx | 42 + .../cloudflare-tunnel/integrations/index.mdx | 53 + .../integrations/load-balancing.mdx | 40 + .../integrations/spectrum.mdx | 27 + .../integrations/workers-vpc.mdx | 33 + .../monitor-tunnels/index.mdx | 11 + .../monitor-tunnels/logs.mdx | 94 ++ .../monitor-tunnels/metrics.mdx | 111 ++ .../monitor-tunnels/notifications.mdx | 19 + .../other-tunnel-types/index.mdx | 14 + .../local-management/as-a-service/index.mdx | 15 + .../local-management/as-a-service/linux.mdx | 61 + .../local-management/as-a-service/macos.mdx | 67 + .../local-management/as-a-service/windows.mdx | 132 ++ .../local-management/configuration-file.mdx | 166 +++ .../local-management/create-local-tunnel.mdx | 212 +++ .../local-management/index.mdx | 16 + .../local-management/local-tunnel-terms.mdx | 35 + .../local-management/tunnel-permissions.mdx | 34 + .../tunnel-useful-commands.mdx | 42 + .../other-tunnel-types/quick-tunnels.mdx | 54 + .../docs/cloudflare-tunnel/routing/dns.mdx | 60 + .../docs/cloudflare-tunnel/routing/index.mdx | 10 + .../routing/load-balancers.mdx | 209 +++ .../cloudflare-tunnel/routing/protocols.mdx | 24 + .../troubleshoot/common-errors.mdx | 160 +++ .../troubleshoot/connectivity-prechecks.mdx | 329 +++++ .../troubleshoot/diag-logs.mdx | 134 ++ .../cloudflare-tunnel/troubleshoot/index.mdx | 11 + src/icons/cloudflare-tunnel-sase.svg | 1 + src/icons/cloudflare-tunnel.svg | 1 + 75 files changed, 7324 insertions(+), 16 deletions(-) rename src/content/changelog/{cloudflare-tunnel => cloudflare-tunnel-sase}/2024-12-19-diagnostic-logs.mdx (100%) rename src/content/changelog/{cloudflare-tunnel => cloudflare-tunnel-sase}/2025-07-15-udp-improvements.mdx (100%) rename src/content/changelog/{cloudflare-tunnel => cloudflare-tunnel-sase}/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx (100%) rename src/content/changelog/{cloudflare-tunnel => cloudflare-tunnel-sase}/2025-09-18-tunnel-hostname-routing.mdx (100%) rename src/content/changelog/{cloudflare-tunnel => cloudflare-tunnel-sase}/2025-11-11-cloudflared-proxy-dns.mdx (100%) rename src/content/changelog/{cloudflare-tunnel => cloudflare-tunnel-sase}/2026-01-15-warp-connector-ping-support.mdx (100%) create mode 100644 src/content/directory/cloudflare-tunnel-sase.yaml create mode 100644 src/content/docs/cloudflare-tunnel/changelog.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-permissions.mdx create mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx create mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/ansible.mdx create mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/aws.mdx create mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/azure.mdx create mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/google-cloud-platform.mdx create mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/kubernetes.mdx create mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/terraform.mdx create mode 100644 src/content/docs/cloudflare-tunnel/downloads/copyrights.mdx create mode 100644 src/content/docs/cloudflare-tunnel/downloads/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/downloads/license.mdx create mode 100644 src/content/docs/cloudflare-tunnel/downloads/update-cloudflared.mdx create mode 100644 src/content/docs/cloudflare-tunnel/faq.mdx create mode 100644 src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx create mode 100644 src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel.mdx create mode 100644 src/content/docs/cloudflare-tunnel/get-started/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/get-started/tunnel-useful-terms.mdx create mode 100644 src/content/docs/cloudflare-tunnel/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/integrations/access.mdx create mode 100644 src/content/docs/cloudflare-tunnel/integrations/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/integrations/load-balancing.mdx create mode 100644 src/content/docs/cloudflare-tunnel/integrations/spectrum.mdx create mode 100644 src/content/docs/cloudflare-tunnel/integrations/workers-vpc.mdx create mode 100644 src/content/docs/cloudflare-tunnel/monitor-tunnels/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/monitor-tunnels/logs.mdx create mode 100644 src/content/docs/cloudflare-tunnel/monitor-tunnels/metrics.mdx create mode 100644 src/content/docs/cloudflare-tunnel/monitor-tunnels/notifications.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx create mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/quick-tunnels.mdx create mode 100644 src/content/docs/cloudflare-tunnel/routing/dns.mdx create mode 100644 src/content/docs/cloudflare-tunnel/routing/index.mdx create mode 100644 src/content/docs/cloudflare-tunnel/routing/load-balancers.mdx create mode 100644 src/content/docs/cloudflare-tunnel/routing/protocols.mdx create mode 100644 src/content/docs/cloudflare-tunnel/troubleshoot/common-errors.mdx create mode 100644 src/content/docs/cloudflare-tunnel/troubleshoot/connectivity-prechecks.mdx create mode 100644 src/content/docs/cloudflare-tunnel/troubleshoot/diag-logs.mdx create mode 100644 src/content/docs/cloudflare-tunnel/troubleshoot/index.mdx create mode 100644 src/icons/cloudflare-tunnel-sase.svg create mode 100644 src/icons/cloudflare-tunnel.svg diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 9b5b7219809e0e5..f12fb50da7eccfa 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -69,6 +69,7 @@ package.json @cloudflare/content-engineering /src/content/docs/cloudflare-one/access-controls/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/team-and-resources/devices/ @ranbel @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing +/src/content/docs/cloudflare-tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/cloud-and-saas-findings/ @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/traffic-policies/ @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/remote-browser-isolation/ @deadlypants1973 @cloudflare/pcx-technical-writing diff --git a/.github/labeler.yml b/.github/labeler.yml index f69306930b744d6..23063d9faff8681 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -78,6 +78,10 @@ product:cloudflare-one: - changed-files: - any-glob-to-any-file: - src/content/docs/cloudflare-one/** +product:cloudflare-tunnel: + - changed-files: + - any-glob-to-any-file: + - src/content/docs/cloudflare-tunnel/** product:constellation: - changed-files: - any-glob-to-any-file: diff --git a/public/__redirects b/public/__redirects index 759b6b56687dfd8..5da1fc67a84232a 100644 --- a/public/__redirects +++ b/public/__redirects @@ -2374,6 +2374,9 @@ /cloudflare-one/email-security/settings/trusted-domains/ /cloudflare-one/email-security/settings/detection-settings/trusted-domains/ 301 /cloudflare-one/email-security/monitoring/search-email/ /cloudflare-one/email-security/investigation/search-email/ 301 +# Cloudflare Tunnel IA restructure (quick tunnels moved under other-tunnel-types) +/cloudflare-tunnel/quick-tunnels/ /cloudflare-tunnel/other-tunnel-types/quick-tunnels/ 301 + # ============================================================================ # DYNAMIC REDIRECTS # ============================================================================ @@ -2579,3 +2582,6 @@ # Network Flow (formerly Magic Network Monitoring) /magic-network-monitoring/* /network-flow/:splat 301 + +# Cloudflare Tunnel IA restructure (locally-managed + quick tunnels moved under other-tunnel-types) +/cloudflare-tunnel/local-management/* /cloudflare-tunnel/other-tunnel-types/local-management/:splat 301 diff --git a/src/content/changelog/cloudflare-tunnel/2024-12-19-diagnostic-logs.mdx b/src/content/changelog/cloudflare-tunnel-sase/2024-12-19-diagnostic-logs.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel/2024-12-19-diagnostic-logs.mdx rename to src/content/changelog/cloudflare-tunnel-sase/2024-12-19-diagnostic-logs.mdx diff --git a/src/content/changelog/cloudflare-tunnel/2025-07-15-udp-improvements.mdx b/src/content/changelog/cloudflare-tunnel-sase/2025-07-15-udp-improvements.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel/2025-07-15-udp-improvements.mdx rename to src/content/changelog/cloudflare-tunnel-sase/2025-07-15-udp-improvements.mdx diff --git a/src/content/changelog/cloudflare-tunnel/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx b/src/content/changelog/cloudflare-tunnel-sase/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx rename to src/content/changelog/cloudflare-tunnel-sase/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx diff --git a/src/content/changelog/cloudflare-tunnel/2025-09-18-tunnel-hostname-routing.mdx b/src/content/changelog/cloudflare-tunnel-sase/2025-09-18-tunnel-hostname-routing.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel/2025-09-18-tunnel-hostname-routing.mdx rename to src/content/changelog/cloudflare-tunnel-sase/2025-09-18-tunnel-hostname-routing.mdx diff --git a/src/content/changelog/cloudflare-tunnel/2025-11-11-cloudflared-proxy-dns.mdx b/src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel/2025-11-11-cloudflared-proxy-dns.mdx rename to src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx diff --git a/src/content/changelog/cloudflare-tunnel/2026-01-15-warp-connector-ping-support.mdx b/src/content/changelog/cloudflare-tunnel-sase/2026-01-15-warp-connector-ping-support.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel/2026-01-15-warp-connector-ping-support.mdx rename to src/content/changelog/cloudflare-tunnel-sase/2026-01-15-warp-connector-ping-support.mdx diff --git a/src/content/directory/cloudflare-tunnel-sase.yaml b/src/content/directory/cloudflare-tunnel-sase.yaml new file mode 100644 index 000000000000000..36de8244eb1ee4f --- /dev/null +++ b/src/content/directory/cloudflare-tunnel-sase.yaml @@ -0,0 +1,10 @@ +id: tUn3lSASE +name: Cloudflare Tunnel for SASE + +entry: + title: Cloudflare Tunnel for SASE + group: Cloudflare One + url: /cloudflare-one/networks/connectors/cloudflare-tunnel/ + +meta: + description: Connect private networks and resources to Cloudflare One diff --git a/src/content/directory/cloudflare-tunnel.yaml b/src/content/directory/cloudflare-tunnel.yaml index d037860d25bcc48..38dda18cba3e093 100644 --- a/src/content/directory/cloudflare-tunnel.yaml +++ b/src/content/directory/cloudflare-tunnel.yaml @@ -3,8 +3,8 @@ name: Cloudflare Tunnel entry: title: Cloudflare Tunnel - group: Cloudflare One - url: /cloudflare-one/networks/connectors/cloudflare-tunnel/ + group: Network Services + url: /cloudflare-tunnel/ meta: - description: Securely connect resources to Cloudflare without a publicly routable IP address + description: Connect your origin servers, APIs, and services to Cloudflare without a publicly routable IP address diff --git a/src/content/docs/cloudflare-one/changelog/tunnel.mdx b/src/content/docs/cloudflare-one/changelog/tunnel.mdx index 264cae9e738edfb..e1b147cdfaedbaf 100644 --- a/src/content/docs/cloudflare-one/changelog/tunnel.mdx +++ b/src/content/docs/cloudflare-one/changelog/tunnel.mdx @@ -9,10 +9,10 @@ description: Review recent changes to Cloudflare Tunnel. import { ProductChangelog, Render } from "~/components"; -{/* S1 + cf2-->S1 + end + C -- "Connections x 4
"--> cf1 + C --> cf1 + C --> cf1 + C --> cf1 + C -- Connections x 4--> cf2 + C --> cf2 + C --> cf2 + C --> cf2 +``` + +By design, replicas do not offer any level of traffic steering (random, hash, or round-robin). Instead, when a request arrives to Cloudflare, it will be forwarded to the replica that is geographically closest. If that distance calculation is unsuccessful or the connection fails, we will retry others, but there is no guarantee about which connection is chosen. + +### When to use `cloudflared` replicas + +- To provide additional points of availability for a single tunnel. +- To allocate failover nodes within your network. +- To update the configuration of a tunnel [without downtime](/cloudflare-tunnel/downloads/update-cloudflared/#update-with-multiple-cloudflared-instances). + +For setup instructions, refer to [Deploy cloudflared replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/). + +## Cloudflare Load Balancers + +[Cloudflare Load Balancing](/load-balancing/) proactively steers traffic away from unhealthy origins and intelligently distributes the traffic load based on your choice of [steering algorithms](/load-balancing/understand-basics/traffic-steering/). Unlike [`cloudflared` replicas](#cloudflared-replicas) which all use the same tunnel, a typical load balancer setup requires creating multiple tunnels. Most customers will create one tunnel per data center and one load balancer pool per tunnel. + +```mermaid +graph LR + accTitle: Load balancing traffic to applications behind Cloudflare Tunnel + + A[Internet] --> C{Cloudflare
Load Balancer} + C -- Tunnel 1 --> cf1 + C -- Tunnel 2 --> cf2 + subgraph F[Data center 2] + cf2[cloudflared
server] + S3[App server] + S4[App server] + cf2-->S3 + cf2-->S4 + end + subgraph E[Data center 1] + cf1[cloudflared
server] + S1[App server] + S2[App server] + cf1-->S1 + cf1-->S2 + end +``` + +### When to use load balancers + +- To intelligently steer traffic based on latency, geolocation, or other signals. +- To implement failover logic if a tunnel reaches an inactive state. +- To get a [health alert](/notifications/notification-available/#load-balancing) when a tunnel reaches an inactive state. +- To distribute traffic more evenly across your Cloudflare Tunnel-accessible origins or endpoints. + +For setup instructions, refer to [Public load balancers](/cloudflare-tunnel/routing/load-balancers/). + +:::note +For private network load balancing with WARP clients and Cloudflare WAN, refer to [Private Network Load Balancing](/load-balancing/private-network/) and [Cloudflare Tunnel for SASE](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/). +::: \ No newline at end of file diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx new file mode 100644 index 000000000000000..f6ebea9ca0601aa --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx @@ -0,0 +1,109 @@ +--- +pcx_content_type: concept +title: System requirements +sidebar: + order: 6 +--- + +import { Render, TabItem, Tabs, TunnelCalculator } from "~/components"; + +Our connector, `cloudflared`, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server in a data center. + +## Recommendations + +For most use cases, we recommend the following baseline configuration: + +- Run a [`cloudflared` replica](/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) on two dedicated host machines per network location. Using two hosts enables server-side redundancy. +- Size each host with minimum 4GB of RAM and 4 CPU cores. +- Allocate 50,000 [ports](#number-of-ports) to the `cloudflared` process on each host. + +This setup is usually sufficient to handle moderate traffic loads. The actual amount of resources used by `cloudflared` will depend on many variables, including the number of requests per second, bandwidth, network path, and hardware. As traffic increases beyond your existing [tunnel capacity](#estimated-throughput), you can scale your tunnel by adding an additional `cloudflared` host in that location. + +### Number of ports + +When `cloudflared` receives a request, it uses the ports on the host machine to evaluate and forward the request to your origin service. Every machine by system design is hardware-limited to a maximum 65,535 ports. Additionally, each service on the machine has a limited number of ports that it can consume. For this reason, we recommend the following deployment model: + +- `cloudflared` should be deployed on a dedicated host machine. This model is typically appropriate, but there may be serverless or clustered workflows where a dedicated host is not possible. +- The host machine should allocate 50,000 ports to be available for use by the `cloudflared` service. The remaining ports are reserved for system administrative processes. + + + +To increase the number of ports available to `cloudflared` on Linux: + +If your machine has a `/etc/sysctl.d/` directory: + +```sh +echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.d/99-cloudflared.conf +sudo sysctl -p /etc/sysctl.d/99-cloudflared.conf +``` + +Otherwise: + +```sh +echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.conf +sudo sysctl -p /etc/sysctl.conf +``` + + + +To increase the number of ports available to `cloudflared` on Windows, set the [dynamic port range](https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcp-ip-port-exhaustion-troubleshooting) for TCP and UDP: + +```txt +netsh int ipv4 set dynamicport tcp start=11000 num=50000 +netsh int ipv4 set dynamicport udp start=11000 num=50000 +netsh int ipv6 set dynamicport tcp start=11000 num=50000 +netsh int ipv6 set dynamicport udp start=11000 num=50000 +``` + + + +### ulimits + +On Linux and macOS, `ulimit` settings determine the system resources available to a logged-in user. We recommend configuring the following ulimits on the `cloudflared` server: + +| ulimit | Description | Value | +| ------ | ------------------------------------------------ | -------- | +| `-n` | Maximum number of open files or file descriptors | ≥ 70,000 | + +To view your current ulimits, open a terminal and run: + +```sh +ulimit -a +``` + +To set the open files `ulimit`: + +```sh +ulimit -n 70000 +``` + +The command above sets the open files limit only for the current terminal session and will not persist after a reboot or new login. To apply this limit permanently, configure it using the persistent method appropriate for your operating system. + +## Estimated throughput + +Most traffic proxied by `cloudflared` falls in one of two categories: + +- TCP requests (more common, less resource intensive) +- UDP requests (less common, more resource intensive) + +TCP traffic uses and releases ports almost instantaneously. This means that in order to overload a `cloudflared` instance with 50,000 available ports, your organization would need to continuously generate 50,001 TCP requests per second. + +UDP traffic is more unique. DNS queries - usually the bulk of UDP traffic - are held by ports in `cloudflared` for five seconds. Non-DNS UDP traffic holds each port for the duration of the connection, which can be any amount of time. This means that in order to overload a `cloudflared` instance with 50,000 available ports, you would need to continuously generate either 10,000 DNS queries per second, or a cumulative 50,000 non-DNS UDP requests over a shorter time than your connection reset rate. + +### Calculate your tunnel capacity + +Our [baseline recommendations](#recommendations) serve as a starting point for a Cloudflare Tunnel deployment. Once you have a representative population of users engaging with your network for at least a week, you can customize tunnel sizing according to your own traffic patterns. + +To calculate your tunnel capacity: + +1. Set up a [metrics service](/cloudflare-one/tutorials/grafana/) when you run the tunnel. +2. After a week or so, query the following [tunnel metrics](/cloudflare-tunnel/monitor-tunnels/metrics/#cloudflared-metrics): + - `cloudflared_tcp_total_sessions` + - `cloudflared_udp_total_sessions` +3. Compute the average **TCP requests per second** and **Non-DNS UDP requests per second** by dividing total sessions by total time. +4. If applicable, obtain the average **DNS requests per second** from your DNS resolver. +5. Input your values into our sizing calculator: + + + +You can use these results to determine if your tunnel is appropriately sized. To increase your tunnel capacity, add identical host machines running [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas). diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-permissions.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-permissions.mdx new file mode 100644 index 000000000000000..af0b75e0e5dde4a --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-permissions.mdx @@ -0,0 +1,185 @@ +--- +pcx_content_type: how-to +title: Tunnel permissions +description: | + Manage tunnel tokens and control who can run your remotely-managed tunnels. +sidebar: + order: 10 +--- + +import { TabItem, Tabs, Render, APIRequest } from "~/components"; + +A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel. + +## Get the tunnel token + +To get the token for a remotely-managed tunnel: + + + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. +2. Select a `cloudflared` tunnel and select **Edit**. +3. Copy the `cloudflared` installation command. +4. Paste the installation command into any text editor. The token value is of the form `eyJhIjoiNWFiNGU5Z...` + + + + +Make a `GET` request to the [Cloudflare Tunnel token](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/) endpoint: + + + +```sh output +{ + "success": true, + "errors": [], + "messages": [], + "result": "eyJhIjoiNWFiNGU5Z..." +} +``` + +The token value can be found in the `result`. + + + + + + + + + + + +## Rotate a token without service disruption + +Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/). To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window. + +To rotate a tunnel token: + +1. Refresh the token on Cloudflare: + + + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. +2. Select a `cloudflared` tunnel and select **Edit**. +3. Select **Refresh token**. +4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. + + + + 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: + + ```sh + openssl rand -base64 32 + ``` + + ```sh output + AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= + ``` + +2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: + + + + +After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. + +2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: + + ```sh + sudo cloudflared service install + ``` + +3. Restart `cloudflared`: + + ```sh + sudo systemctl restart cloudflared.service + ``` + +4. Confirm that the service started correctly: + + ```sh + sudo systemctl status cloudflared + ``` + + While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. + +5. Wait 10 minutes for traffic to route through the new connectors. + +6. Repeat steps 2, 3, and 4 for the second half of the replicas. + +The tunnel token is now fully rotated. The old token is no longer in use. + +## Rotate a compromised token + +If your tunnel token is compromised, we recommend taking the following steps: + +1. Refresh the token using the dashboard or API. Refer to Step 1 of [Rotate a token without service disruption](#rotate-a-token-without-service-disruption). +2. [Delete all connections](/api/resources/zero_trust/subresources/tunnels/subresources/connections/methods/delete/) between `cloudflared` and Cloudflare: + + + + This will clean up any unauthorized connections and prevent users from connecting to your network. + +3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host: + + ```sh + sudo cloudflared service install + ``` + +4. Restart `cloudflared`: + + ```sh + sudo systemctl restart cloudflared.service + ``` + +5. Confirm that the service started correctly: + ```sh + sudo systemctl status cloudflared + ``` + +The tunnel token is now fully rotated. The old token is no longer in use. + +## Account-scoped roles + + diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx new file mode 100644 index 000000000000000..d4a2342bd8be647 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx @@ -0,0 +1,325 @@ +--- +pcx_content_type: reference +title: Tunnel with firewall +description: | + Configure firewall rules to allow `cloudflared` egress traffic while blocking all ingress, implementing a positive security model. +sidebar: + order: 3 +--- + +You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from `cloudflared`. Only the services specified in your tunnel configuration will be exposed to the outside world. + +## Ports + +The parameters below can be configured for egress traffic inside of a firewall. + +How you configure your firewall depends on the firewall type: + +- If your firewall supports domain-based rules (FQDN allowlists), you can allow outbound connections to the hostnames listed below. +- If your firewall requires IP-based rules, allow outbound connections to all listed IP addresses for each domain. + +Ensure port `7844` is allowed for both TCP and UDP protocols (for `http2` and `quic`). + +### Required for tunnel operation + +`cloudflared` connects to Cloudflare's global network on port `7844`. To use Cloudflare Tunnel, your firewall must allow outbound connections to the following destinations on port `7844` (via UDP if using the `quic` protocol or TCP if using the `http2` protocol). + +#### `region1.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.192.167` `198.41.192.67` `198.41.192.57` `198.41.192.107` `198.41.192.27` `198.41.192.7` `198.41.192.227` `198.41.192.47` `198.41.192.37` `198.41.192.77` | `2606:4700:a0::1` `2606:4700:a0::2` `2606:4700:a0::3` `2606:4700:a0::4` `2606:4700:a0::5` `2606:4700:a0::6` `2606:4700:a0::7` `2606:4700:a0::8` `2606:4700:a0::9` `2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +#### `region2.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.200.13` `198.41.200.193` `198.41.200.33` `198.41.200.233` `198.41.200.53` `198.41.200.63` `198.41.200.113` `198.41.200.73` `198.41.200.43` `198.41.200.23` | `2606:4700:a8::1` `2606:4700:a8::2` `2606:4700:a8::3` `2606:4700:a8::4` `2606:4700:a8::5` `2606:4700:a8::6` `2606:4700:a8::7` `2606:4700:a8::8` `2606:4700:a8::9` `2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +#### `_v2-origintunneld._tcp.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| -------------- | -------------- | ---- | ------------- | +| Not applicable | Not applicable | 7844 | TCP (`http2`) | + +This rule is only required for firewalls that enforce SNI. + +#### `cftunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| -------------- | -------------- | ---- | ------------------------ | +| Not applicable | Not applicable | 7844 | TCP/UDP (`http2`/`quic`) | + +This rule is only required for firewalls that enforce SNI. + +#### `h2.cftunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| -------------- | -------------- | ---- | ------------- | +| Not applicable | Not applicable | 7844 | TCP (`http2`) | + +This rule is only required for firewalls that enforce SNI. + +#### `quic.cftunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| -------------- | -------------- | ---- | ------------ | +| Not applicable | Not applicable | 7844 | UDP (`quic`) | + +This rule is only required for firewalls that enforce SNI. + +### Region US + +When using the [US region](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#region), ensure your firewall allows outbound connections to these US-region destinations on port `7844` (TCP/UDP) for tunnel operation. + +#### `us-region1.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocol | +| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.218.1` `198.41.218.2` `198.41.218.3` `198.41.218.4` `198.41.218.5` `198.41.218.6` `198.41.218.7` `198.41.218.8` `198.41.218.9` `198.41.218.10` | `2606:4700:a1::1` `2606:4700:a1::2` `2606:4700:a1::3` `2606:4700:a1::4` `2606:4700:a1::5` `2606:4700:a1::6` `2606:4700:a1::7` `2606:4700:a1::8` `2606:4700:a1::9` `2606:4700:a1::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +#### `us-region2.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocol | +| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.219.1` `198.41.219.2` `198.41.219.3` `198.41.219.4` `198.41.219.5` `198.41.219.6` `198.41.219.7` `198.41.219.8` `198.41.219.9` `198.41.219.10` | `2606:4700:a9::1` `2606:4700:a9::2` `2606:4700:a9::3` `2606:4700:a9::4` `2606:4700:a9::5` `2606:4700:a9::6` `2606:4700:a9::7` `2606:4700:a9::8` `2606:4700:a9::9` `2606:4700:a9::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +### Optional + +Opening port `443` enables some optional features. Failure to allow these connections may prompt a log error, but `cloudflared` will still run correctly. + +#### `api.cloudflare.com` + +Allows `cloudflared` to query if software updates are available. + +| IPv4 | IPv6 | Port | Protocols | +| --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ----------- | +| `104.19.192.29` `104.19.192.177` `104.19.192.175` `104.19.193.29` `104.19.192.174` `104.19.192.176` | `2606:4700:300a::6813:c0af` `2606:4700:300a::6813:c01d` `2606:4700:300a::6813:c0ae` `2606:4700:300a::6813:c11d` `2606:4700:300a::6813:c0b0` `2606:4700:300a::6813:c0b1` | 443 | TCP (HTTPS) | + +#### `update.argotunnel.com` + +Allows `cloudflared` to query if software updates are available. + +| IPv4 | IPv6 | Port | Protocols | +| ------------------------------- | --------------------------------------------- | ---- | ----------- | +| `104.18.25.129` `104.18.24.129` | `2606:4700::6812:1881` `2606:4700::6812:1981` | 443 | TCP (HTTPS) | + +#### `github.com` + +Allows `cloudflared` to download the latest release and perform a software update. + +| IPv4 | IPv6 | Port | Protocols | +| ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ---- | ----------- | +| [GitHub's IPs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | [GitHub's IPs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | 443 | TCP (HTTPS) | + +#### `.cloudflareaccess.com` + +Allows `cloudflared` to validate the Access JWT. Only required if the [`access`](https://developers.cloudflare.com/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#access) setting is enabled. + +| IPv4 | IPv6 | Port | Protocols | +| ------------------------------- | ------------------------------------------------------- | ---- | ----------- | +| `104.19.194.29` `104.19.195.29` | `2606:4700:300a::6813:c31d` `2606:4700:300a::6813:c21d` | 443 | TCP (HTTPS) | + +#### `pqtunnels.cloudflareresearch.com` + +Allows `cloudflared` to report [post-quantum key exchange](https://blog.cloudflare.com/post-quantum-tunnel/) errors to Cloudflare. + +| IPv4 | IPv6 | Port | Protocols | +| --------------------------- | ------------------------------------------- | ---- | ----------- | +| `104.18.4.64` `104.18.5.64` | `2606:4700::6812:540` `2606:4700::6812:440` | 443 | TCP (HTTPS) | + +#### `cfd-features.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| -------------- | -------------- | ---- | ------------ | +| Not applicable | Not applicable | Not applicable | Not applicable | + +Performing a DNS query for a `TXT` record to this hostname allows `cloudflared` to determine which version of [UDP datagram](/changelog/2025-07-15-udp-improvements/) to use when connecting via the `quic` protocol. If your firewall filters egress DNS queries by FQDN, you may need to allow queries for this domain to ensure optimal `quic` performance. + +## Firewall configuration + +### Cloud VM firewall + +If you host your services on a virtual machine (VM) instance in a cloud provider, you may set up instance-level firewall rules to block all ingress traffic and allow only egress traffic. For example, on Google Cloud Platform (GCP), you may delete all ingress rules, leaving only the relevant egress rules. This is because GCP's firewall denies ingress traffic unless it matches an explicit rule. + +### OS firewall + +Alternatively, you may use operating system (OS)-level firewall rules to block all ingress traffic and allow only egress traffic. For example, if your server runs on Linux, you may use `iptables` to set up firewall rules: + +1. Check your current firewall rules. + + ```sh + sudo iptables -L + ``` + +2. Allow `localhost` to communicate with itself. + + ```sh + sudo iptables -A INPUT -i lo -j ACCEPT + ``` + +3. Allow already established connection and related traffic. + + ```sh + sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + ``` + +4. Allow new SSH connections. + + ```sh + sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT + ``` + +5. Drop all other ingress traffic. + :::caution[Warning] + + Be very careful with the following command. If you did not preserve the current SSH connection or allow new SSH connections, you would be logged out and unable to SSH back into the system again. + ::: + + ```sh + sudo iptables -A INPUT -j DROP + ``` + +6. After setting the firewall rules, use this command to check the current `iptables` settings: + + ```sh + sudo iptables -L + ``` + +7. Run your tunnel and check that all configured services are still accessible to the outside world via the tunnel, but not via the external IP address of the server. + +8. By default, rules you add via the `iptables` command are stored only in memory and do not persist on reboot. There are many different ways to save and reload your firewall rules, depending on your Linux distribution. For example, on Debian you can use the [`iptables-persistent`](https://packages.debian.org/sid/iptables-persistent) package: + + ```sh + sudo apt install iptables-persistent + sudo netfilter-persistent save + ``` + +## Test connectivity + +### Test with dig + +To test your connectivity to Cloudflare, you can use the `dig` command to query the hostnames listed above. Note that `cloudflared` defaults to connecting with IPv4. + +```sh +dig A region1.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +region1.v2.argotunnel.com. 86400 IN A 198.41.192.167 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.67 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.57 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.107 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.27 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.7 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.227 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.47 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.37 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.77 +... +``` + +```sh +dig AAAA region1.v2.argotunnel.com +``` + +```sh output +... +;; ANSWER SECTION: +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::1 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::2 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::3 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::4 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::5 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::6 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::7 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::8 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::9 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::10 +... +``` + +```sh +dig A region2.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +region2.v2.argotunnel.com. 86400 IN A 198.41.200.13 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.193 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.33 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.233 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.53 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.63 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.113 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.73 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.43 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.23 +... +``` + +```sh +dig AAAA region2.v2.argotunnel.com +``` + +```sh output +... +;; ANSWER SECTION: +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::1 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::2 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::3 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::4 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::5 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::6 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::7 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::8 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::9 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::10 +... +``` + +### Test with PowerShell + +On Windows, you can use PowerShell commands if `dig` is not available. + +To test DNS: + +```powershell +Resolve-DnsName -Name _v2-origintunneld._tcp.argotunnel.com SRV +``` + +```txt output +Name Type TTL Section NameTarget Priority Weight Port +---- ---- --- ------- ---------- -------- ------ ---- +_v2-origintunneld._tcp.argotunnel.com SRV 112 Answer region2.v2.argotunnel.com 2 1 7844 +_v2-origintunneld._tcp.argotunnel.com SRV 112 Answer region1.v2.argotunnel.com 1 1 7844 +``` + +To test ports: + +```powershell +tnc region1.v2.argotunnel.com -port 443 +``` + +```txt output +ComputerName : region1.v2.argotunnel.com +RemoteAddress : 198.41.192.227 +RemotePort : 443 +InterfaceAlias : Ethernet +SourceAddress : 10.0.2.15 +TcpTestSucceeded : True +``` + +```powershell +tnc region1.v2.argotunnel.com -port 7844 +``` + +```txt output +ComputerName : region1.v2.argotunnel.com +RemoteAddress : 198.41.192.227 +RemotePort : 7844 +InterfaceAlias : Ethernet +SourceAddress : 10.0.2.15 +TcpTestSucceeded : True +``` diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/ansible.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/ansible.mdx new file mode 100644 index 000000000000000..c8e6a79ec2fb011 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/deployment-guides/ansible.mdx @@ -0,0 +1,308 @@ +--- +pcx_content_type: how-to +title: Ansible +sidebar: + order: 1 +--- + +import { Render } from "~/components"; + +Ansible is a software tool that enables at scale management of infrastructure. Ansible is agentless — all it needs to function is the ability to SSH to the target and Python installed on the target. + +Ansible works alongside Terraform to streamline the Cloudflare Tunnel setup process. In this guide, you will use Terraform to deploy an SSH server on Google Cloud and create a [locally-managed tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/) that makes the server available over the Internet. Terraform will automatically run an Ansible playbook that installs and configures `cloudflared` on the server. + + + +## Prerequisites + +To complete the steps in this guide, you will need: + +- [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) and [GCP CLI installed and authenticated](https://cloud.google.com/sdk/docs/install). +- [Basic knowledge of Terraform](/cloudflare-tunnel/deployment-guides/terraform/) and [Terraform installed](https://developer.hashicorp.com/terraform/tutorials/certification-associate-tutorials/install-cli). +- [A zone on Cloudflare](/fundamentals/manage-domains/add-site/). +- [A Cloudflare API token](/fundamentals/api/get-started/create-token/) with `Cloudflare Tunnel` and `DNS` permissions. + +## 1. Install Ansible + +Refer to the [Ansible installation instructions](https://docs.ansible.com/ansible/latest/installation_guide/index.html). + +## 2. (Optional) Create an SSH key pair + +Terraform and Ansible require an unencrypted SSH key to connect to the GCP server. If you do not already have a key, you can generate one as follows: + +1. Open a terminal and type the following command: + + ```sh + ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C + ``` + +2. When prompted for a passphrase, press the `Enter` key twice to leave it blank. Terraform cannot decode encrypted private keys. + +Two files will be generated: `gcp_ssh` which contains the private key, and `gcp_ssh.pub` which contains the public key. + +## 3. Create a configuration directory + +1. Create a folder for your Terraform and Ansible configuration files: + + ```sh + mkdir ansible-tunnel + ``` + +2. Change to the new directory: + + ```sh + cd ansible-tunnel + ``` + +## 4. Create Terraform configuration files + +### Define input variables + + + +### Assign values to the variables + + + +### Configure Terraform providers + +You will need to declare the [providers](https://registry.terraform.io/browse/providers) used to provision the infrastructure. + +1. In your configuration directory, create a `.tf` file: + + ```sh + touch providers.tf + ``` + +2. Add the following providers to `providers.tf`. The `random` provider is used to generate a tunnel secret. + + + +### Configure Cloudflare resources + +The following configuration will modify settings in your Cloudflare account. + +1. In your configuration directory, create a `.tf` file: + + ```sh + touch Cloudflare-config.tf + ``` + +2. Add the following resources to `Cloudflare-config.tf`: + + ```tf + + # Creates a new remotely-managed tunnel for the GCP VM. + resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" { + account_id = var.cloudflare_account_id + name = "Ansible GCP tunnel" + config_src = "cloudflare" + } + + # Reads the token used to run the tunnel on the server. + data "cloudflare_zero_trust_tunnel_cloudflared_token" "gcp_tunnel_token" { + account_id = var.cloudflare_account_id + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + } + + # Creates the CNAME record that routes http_app.${var.cloudflare_zone} to the tunnel. + resource "cloudflare_dns_record" "http_app" { + zone_id = var.cloudflare_zone_id + name = "http_app" + content = "${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id}.cfargotunnel.com" + type = "CNAME" + ttl = 1 + proxied = true + } + + # Configures tunnel with a published application for clientless access. + resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + account_id = var.cloudflare_account_id + config = { + ingress = [ + { + hostname = "http_app.${var.cloudflare_zone}" + service = "http://localhost:80" + }, + { + service = "http_status:404" + } + ] + } + } + ``` + +### Configure GCP resources + +The following configuration defines the specifications for the GCP virtual machine and installs Python3 on the machine. Python3 allows Ansible to configure the GCP instance instead of having to run a [startup script](/cloudflare-tunnel/deployment-guides/terraform/#create-a-startup-script) on boot. + +1. In your configuration directory, create a `.tf` file: + + ```sh + touch GCP-config.tf + ``` + +2. Open the file in a text editor and copy and paste the following example. Be sure to insert your own GCP username and SSH key pair. + + ```txt + # Selects the OS for the GCP VM. + data "google_compute_image" "image" { + family = "ubuntu-2204-lts" + project = "ubuntu-os-cloud" + } + + # Sets up a GCP VM instance. + resource "google_compute_instance" "http_server" { + name = "ansible-inst" + machine_type = var.machine_type + zone = var.zone + tags = [] + boot_disk { + initialize_params { + image = data.google_compute_image.image.self_link + } + } + network_interface { + network = "default" + access_config { + // Ephemeral IP + } + } + scheduling { + preemptible = true + automatic_restart = false + } + + // Installs Python3 on the VM. + provisioner "remote-exec" { + inline = [ + "sudo apt update", "sudo apt install python3 -y", "echo Done!" + ] + connection { + host = self.network_interface.0.access_config.0.nat_ip + user = "" + type = "ssh" + private_key= file("") + } + } + provisioner "local-exec" { + // If specifying an SSH key and user, add `--private-key -u var.name` + command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u --private-key -i ${self.network_interface.0.access_config.0.nat_ip}, playbook.yml" + } + + metadata = { + cf-email = var.cloudflare_email + cf-zone = var.cloudflare_zone + ssh-keys = ":${file("")}" + } + depends_on = [ + local_file.tf_ansible_vars_file + ] + } + ``` + +### Export variables to Ansible + +The following Terraform resource exports the [tunnel token](/cloudflare-tunnel/configure-tunnels/tunnel-permissions/) and other variables to `tf_ansible_vars_file.yml`. Ansible will use the tunnel token to configure and run `cloudflared` on the server. + +1. In your configuration directory, create a new `tf` file: + + ```sh + touch export.tf + ``` + +2. Copy and paste the following content into `export.tf`: + + ```tf + resource "local_file" "tf_ansible_vars_file" { + content = <<-DOC + # Ansible vars_file containing variable values from Terraform. + tunnel_id: ${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id} + tunnel_name: ${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.name} + tunnel_token: ${data.cloudflare_zero_trust_tunnel_cloudflared_token.gcp_tunnel_token.token} + DOC + + filename = "./tf_ansible_vars_file.yml" + } + ``` + +## 5. Create the Ansible playbook + +Ansible playbooks are YAML files that declare the configuration Ansible will deploy. + +1. Create a new `.yml` file: + + ```sh + touch playbook.yml + ``` + +2. Open the file in a text editor and copy and paste the following content: + +```yml +--- +- hosts: all + become: yes + # Import tunnel variables into the VM. + vars_files: + - ./tf_ansible_vars_file.yml + # Execute the following commands on the VM. + tasks: + - name: Download the cloudflared Linux package. + shell: wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb + - name: Depackage cloudflared. + shell: sudo dpkg -i cloudflared-linux-amd64.deb + - name: Install the tunnel as a systemd service. + shell: "cloudflared service install {{ tunnel_token }}" + - name: Start the tunnel. + systemd: + name: cloudflared + state: started + enabled: true + masked: no + - name: Deploy an example Apache web server on port 80. + shell: apt update && apt -y install apache2 + - name: Edit the default Apache index file. + copy: + dest: /var/www/html/index.html + content: | + + + +

Hello Cloudflare!

+

This page was created for a Cloudflare demo.

+ + +``` + +[Keywords](https://docs.ansible.com/ansible/latest/reference_appendices/playbooks_keywords.html#play) define how Ansible will execute the configuration. In the example above, the `vars_files` keyword specifies where variable definitions are stored, and the `tasks` keyword specifies the actions Ansible will perform. + +[Modules](https://docs.ansible.com/ansible/2.9/user_guide/modules.html) specify what tasks to complete. In this example, the `copy` module creates a file and populates it with content. + +## 6. Deploy the configuration + +Once you have created the configuration files, you can deploy them through Terraform. The Ansible deployment happens within the Terraform deployment when the `ansible-playbook` command is run. + +1. Initialize your configuration directory: + + ```sh + terraform init + ``` + +2. (Optional) Preview everything that will be created: + + ```sh + terraform plan + ``` + +3. Deploy the configuration: + + ```sh + terraform apply + ``` + +It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel in [Cloudflare One](https://one.dash.cloudflare.com) under **Networks** > **Connectors** > **Cloudflare Tunnels**. + +## 7. Test the connection + +To test, open a browser and go to `http://http_app..com` (for example, `http_app.example.com`). You should see the **Hello Cloudflare!** test page. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/aws.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/aws.mdx new file mode 100644 index 000000000000000..638daed50b40795 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/deployment-guides/aws.mdx @@ -0,0 +1,147 @@ +--- +pcx_content_type: how-to +title: AWS +sidebar: + order: 2 +head: + - tag: title + content: Deploy cloudflared in AWS +--- + +import { Render } from "~/components"; +import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx"; + +This guide covers how to connect an Amazon Web Services (AWS) virtual machine to Cloudflare using our lightweight connector, `cloudflared`. + +We will deploy: + +- An EC2 virtual machine that runs a basic HTTP server. +- A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address. + + + +### Prerequisites + +To complete the following procedure, you will need to: + +- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/) +- [Deploy the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/) on an end-user device + +## 1. Create a VM instance in AWS + +1. From the AWS console, go to **Compute** > **EC2** > **Instances** + +2. Select **Launch instance**. + +3. Name your VM instance. In this example we will name it `http-test-server`. + +4. For \*_Amazon Machine Image (AMI)_ choose your desired operating system and specifications. For this example, we will use _Ubuntu Server 24.04 LTS (HVM), SSD Volume Type_. + +5. For **Instance type:**, you can select _t2.micro_ which is available on the free tier. + +6. In **Key pair (login)**, create a new key pair to use for SSH. You will need to download the `.pem` file onto your local machine. + +7. In **Network settings**, select **Create security group**. + +8. Turn on the following Security Group rules: + - **Allow SSH traffic from _My IP_** to prevent the instance from being publicly accessible. + - **Allow HTTPS traffic from the internet** + - **Allow HTTP traffic from the internet** + +9. Select **Launch instance**. + +10. Once the instance is up and running, go to the **Instances** summary page and copy its **Public IPv4 DNS** hostname (for example, `ec2-44-202-59-16.compute-1.amazonaws.com`). + +11. To log in to the instance over SSH, open a terminal and run the following commands: + +```sh +cd Downloads +``` + +``` +chmod 400 "YourKeyPair.pem" +``` + +```sh +ssh -i "YourKeyPair.pem" ubuntu@ec2-44-202-59-16.compute-1.amazonaws.com +``` + +12. Run `sudo su` to gain full admin rights to the instance. + +13. For testing purposes, you can deploy a basic Apache web server on port `80`: + +```bash +$ apt update + +$ apt -y install apache2 + +$ cat < /var/www/html/index.html +

Hello Cloudflare!

+

This page was created for a Cloudflare demo.

+ +EOF +``` + +14. To verify that the Apache server is running, open a browser and go to `http://ec2-44-202-59-16.compute-1.amazonaws.com` (make sure to connect over `http`, not `https`). You should see the **Hello Cloudflare!** test page. + +## 2. Create a Cloudflare Tunnel + + + +## 3. Connect using a public hostname + + + +## 4. Connect using a private IP + +[Private network routes](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) allow users to connect to your virtual private cloud (VPC) using the WARP client. To add a private network route for your Cloudflare Tunnel: + +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Networks** > **Routes**. +2. In the **CIDR** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary. +3. In your [Split Tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in **Exclude** mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance. + + To determine which IP addresses to re-add, subtract your AWS instance IPs from `172.16.0.0/12`: + + + + Add the results back to your Split Tunnel Exclude mode list. + +4. To test on a user device: + 1. [Log in to the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/). + 2. Open a terminal window and connect to the service using its private IP: + + ```sh + $ curl 172.31.19.0 +

Hello Cloudflare!

+

This page was created for a Cloudflare demo.

+ + ``` + +You can optionally [create Gateway network policies](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the instance via its private IP. + +:::caution + + + +::: + +## Firewall configuration + +To secure your AWS instance, you can configure your [Security Group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules. + +:::note + +If you delete the inbound rule for port `22`, you will be unable to SSH back into the instance. +::: + +After configuring your Security Group rules, verify that you can still access the service through Cloudflare Tunnel via its [public hostname](#3-connect-using-a-public-hostname) or [private IP](#4-connect-using-a-private-ip). The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to `http://ec2-44-202-59-16.compute-1.amazonaws.com` the test page should no longer load. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/azure.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/azure.mdx new file mode 100644 index 000000000000000..48d5c14dff4d469 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/deployment-guides/azure.mdx @@ -0,0 +1,118 @@ +--- +pcx_content_type: how-to +title: Azure +sidebar: + order: 3 +--- + +import { Render } from "~/components"; + +The purpose of this guide is to walk through some best practices for accessing private resources on Azure by deploying Cloudflare's lightweight connector, `cloudflared`. + +We will walk through how to initialize a service on a Linux VM in Azure, and route to it from another VM running `cloudflared`. This deployment guide does not take into account routing beyond basic security groups and default VPCs. + + + +## Prerequisites + +- In [Cloudflare One](https://one.dash.cloudflare.com/), create a Cloudflare One account. +- [Enroll an end-user device](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/) into your Cloudflare One account. + +## Create your environment + +Make sure you sign up for Azure and create a new subscription. + +1. First, create your first resource group. + + ![Azure group](~/assets/images/cloudflare-one/connections/connect-apps/azure-1.png) + +2. In addition, create your first keypair as well. You will be using the keypair to SSH into your Virtual Machine. + + ![Azure keypair](~/assets/images/cloudflare-one/connections/connect-apps/azure-2.png) + +3. Next, define your inbound and outbound ports to the VM. If these ports are not configured properly, the solution will not function as intended. For testing purposes, we will leave access open. + + ![Azure keypair](~/assets/images/cloudflare-one/connections/connect-apps/azure-3.png) + +Create two Ubuntu 20.04 LTS VMs, and make sure you record their internal IP addresses. Azure by default uses the `10.0.0.0/8` subnet. + +## Deploy `cloudflared` + +1. SSH into your Azure instance using the command line. + + ```sh + cd Downloads + ``` + + ```sh + ssh -i azureuser@20.115.124.241 + ``` + +2. Run `sudo su` to gain full admin rights to the Virtual Machine. + +3. Install `cloudflared` on your instance. In this example, we are running a Debian-based instance, so use the Debian package of `cloudflared`: + + + +4. Run the following command to authenticate `cloudflared` with your Cloudflare account. The command will launch a browser window where you will be prompted to log in with your Cloudflare account and pick any zone you have added to Cloudflare. + + ```sh + cloudflared tunnel login + ``` + +5. Create a tunnel. + + ```sh + cloudflared tunnel create Azure-01 + ``` + +## Complete tunnel configuration + +1. Make a directory for your configuration file. + + ```sh + mkdir /etc/cloudflared + ``` + + ```sh + cd /etc/cloudflared + ``` + +2. Build a configuration file. Before moving forward and entering vim, copy your Tunnel ID and credentials path to a notepad. + + ```sh + vim config.yml + ``` + +3. Type `i` to begin editing the file and copy-paste the following settings in it. + + ```txt + tunnel: + credentials-file: /root/.cloudflared/.json + protocol: quic + warp-routing: + enabled: true + logfile: /var/log/cloudflared.log + #cloudflared to the origin debug + loglevel: debug + #cloudflared to cloudflare debug + transport-loglevel: info + ``` + +4. Press `esc` and then enter `:x` to save and exit. + +5. Run `cloudflared` as a service. + +```sh +cloudflared service install +``` + +```sh +systemctl start cloudflared +``` + +```sh +systemctl status cloudflared +``` + +Next, visit Cloudflare One and ensure your new tunnel shows as **active**. Optionally, begin creating [Access policies](/cloudflare-one/access-controls/policies/) to secure your private resources. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/google-cloud-platform.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/google-cloud-platform.mdx new file mode 100644 index 000000000000000..44c04fc50a8cdc1 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/deployment-guides/google-cloud-platform.mdx @@ -0,0 +1,121 @@ +--- +pcx_content_type: how-to +title: GCP +sidebar: + order: 5 +--- + +import { Render } from "~/components"; +import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx"; + +This guide covers how to connect a Google Cloud Project (GCP) virtual machine to Cloudflare using our lightweight connector, `cloudflared`. + +We will deploy: + +- A Google Cloud Project (GCP) virtual machine that runs a basic HTTP server. +- A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address. + + + +### Prerequisites + +To complete the following procedure, you will need to: + +- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/) +- [Deploy the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/) on an end-user device + +## 1. Create a VM instance in GCP + +1. In your [Google Cloud Console](https://console.cloud.google.com/), [create a new project](https://developers.google.com/workspace/guides/create-project). + +2. Go to **Compute Engine** > **VM instances**. + +3. Select **Create instance**. + +4. Name your VM instance. In this example we will name it `http-test-server`. + +5. Choose your desired operating system and specifications. For this example, you can use the following settings: + - **Machine family:** General Purpose + - **Series:** E2 + - **Machine type:** e2-micro + - **Boot disk image:** Debian GNU/Linux 12 + - **Firewalls**: Allow HTTP and HTTPS traffic + +6. Under **Advanced options** > **Management** > **Automation**, add the following startup script. This example deploys a basic Apache web server on port `80`. + + ```bash + #!/bin/bash + apt update + apt -y install apache2 + cat < /var/www/html/index.html +

Hello Cloudflare!

+

This page was created for a Cloudflare demo.

+ + EOF + ``` + +7. Select **Create**. + +8. The operating system automatically starts the Apache HTTP server. To verify that the server is running: + 1. Copy the **External IP** for the VM instance. + 2. Open a browser and go to `http://`. You should see the **Hello Cloudflare!** test page. + +9. To login to the VM instance, open the dropdown next to **SSH** and select _Open in browser window_. + +## 2. Create a Cloudflare Tunnel + + + +## 3. Connect using a public hostname + + + +## 4. Connect using a private IP + +To configure a private network route for your Cloudflare Tunnel: + +1. In the **CIDR** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary. +2. In your [Split Tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in **Exclude** mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM. + + To determine which IP addresses to re-add, subtract your GCP instance IPs from `10.0.0.0/8`: + + + + Add the results back to your Split Tunnel Exclude mode list. + +3. To test on a user device: + 1. [Log in to the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/). + 2. Open a terminal window and connect to the service using its private IP: + + ```sh + curl 10.0.0.2 + ``` + + ```sh output +

Hello Cloudflare!

+

This page was created for a Cloudflare demo.

+ + ``` + +You can optionally [create Gateway network policies](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the VM via its private IP. + +## Firewall configuration + +To secure your VM instance, you can [configure your VPC firewall rules](https://cloud.google.com/firewall/docs/using-firewalls) to deny all ingress traffic and allow only egress traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). Since GCP denies ingress traffic by [default](https://cloud.google.com/firewall/docs/firewalls#default_firewall_rules), you can delete all ingress rules and leave only the relevant egress rules. + +:::note + +If you delete the default `allow-ssh` rule, you will be unable to SSH back into the VM. +::: + +After configuring your VPC firewall rules, verify that you can still access the service through Cloudflare Tunnel via its [public hostname](#3-connect-using-a-public-hostname) or [private IP](#4-connect-using-a-private-ip). The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to `http://` the test page should no longer load. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/index.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/index.mdx new file mode 100644 index 000000000000000..c2001e98cc26863 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/deployment-guides/index.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: navigation +title: Environments +sidebar: + order: 6 +--- + +import { DirectoryListing } from "~/components" + +Learn how to deploy Cloudflare Tunnel in specific environments: + + diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/kubernetes.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/kubernetes.mdx new file mode 100644 index 000000000000000..ab93122a8e96c65 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/deployment-guides/kubernetes.mdx @@ -0,0 +1,337 @@ +--- +pcx_content_type: how-to +title: Kubernetes +sidebar: + order: 6 +--- + +import { Render } from "~/components"; + +[Kubernetes](https://kubernetes.io/) is a container orchestration tool that is used to deploy applications onto physical or virtual machines, scale the deployment to meet traffic demands, and push updates without downtime. The Kubernetes cluster, or environment, where the application instances are running is connected internally through a private network. You can install the `cloudflared` daemon inside of the Kubernetes cluster in order to connect applications inside of the cluster to Cloudflare. + +This guide will cover how to expose a Kubernetes service to the public Internet using a [remotely-managed](/cloudflare-tunnel/get-started/tunnel-useful-terms/#remotely-managed-tunnel) Cloudflare Tunnel. For the purposes of this example, we will deploy a basic web application alongside `cloudflared` in Google Kubernetes Engine (GKE). The same principles apply to any other Kubernetes environment (such as `minikube`, `kubeadm`, or a cloud-based Kubernetes service) where `cloudflared` can connect to Cloudflare's network. + + + +:::note[Locally-managed tunnels] +If you are looking to set up a [locally-managed tunnel](/cloudflare-tunnel/get-started/tunnel-useful-terms/#locally-managed-tunnel) in Kubernetes, refer to the [example code in GitHub](https://github.com/cloudflare/argo-tunnel-examples/tree/master/named-tunnel-k8s). +::: + +## Architecture + +![Diagram showing how a user connects to Kubernetes services through Cloudflare Tunnel](~/assets/images/cloudflare-one/connections/connect-apps/kubernetes-tunnel.png) + +As shown in the diagram, we recommend setting up `cloudflared` as an adjacent [deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) to the application deployments. Having a separate Kubernetes deployment for `cloudflared` allows you to scale `cloudflared` independently of the application. In the `cloudflared` deployment, you can spin up [multiple replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) running the same Cloudflare Tunnel — there is no need to build a dedicated tunnel for each `cloudflared` pod. Each `cloudflared` replica / pod can reach all Kubernetes services in the cluster. + +:::note +We do not recommend using `cloudflared` in autoscaling setups because downscaling (removing replicas) will break existing user connections to that replica. Additionally, `cloudflared` does not load balance across replicas; replicas are strictly for high availability. To load balance traffic to your nodes, you can use [Cloudflare Load Balancer](/load-balancing/private-network/) or a third-party load balancer. +::: + +Once the cluster is connected to Cloudflare, you can configure Cloudflare Tunnel routes to control how `cloudflared` will proxy traffic to services within the cluster. For example, you may wish to publish certain Kubernetes applications to the Internet and restrict other applications to internal WARP client users. + +## Prerequisites + +To complete the following procedure, you will need: +- [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) +- [A zone on Cloudflare](/fundamentals/manage-domains/add-site/) + +## 1. Create a GKE cluster + +To create a new Kubernetes cluster in Google Cloud: + +1. Open [Google Cloud](https://console.cloud.google.com/) and go to **Kubernetes Engine**. +2. In **Clusters**, select **Create**. +3. Name the cluster. In this example, we will name it `cloudflare-tunnel`. +4. (Optional) Choose your desired region and other cluster specifications. For this example, we will use the default specifications. +5. Select **Create**. +6. To connect to the cluster: + 1. Select the three-dot menu. + 2. Select **Connect**. + 3. Select **Run in Cloud Shell** to open a terminal in the browser. + 4. Select **Authorize**. + 5. Press `Enter` to run the pre-populated `gcloud` command. + 6. (Recommended) In the Cloud Shell menu, select **Open Editor** to launch the built-in IDE. +7. In the Cloud Shell terminal, run the following command to check the cluster status: + ```sh + kubectl get all + ``` + ```sh output + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/kubernetes ClusterIP 34.118.224.1 443/TCP 15m + ``` + +## 2. Create pods for the web app + +A pod represents an instance of a running process in the cluster. In this example, we will deploy the [httpbin](https://httpbin.org/) application with two pods and make the pods accessible inside the cluster at `httpbin-service:80`. + +1. Create a folder for your Kubernetes manifest files: + + ```sh + mkdir tunnel-example + ``` + +2. Change into the directory: + + ```sh + cd tunnel-example + ``` + +4. In the `tunnel-example` directory, create a new file called `httpbin.yaml`. This file defines the Kubernetes deployment for the httpbin app. + + ```yaml title="httpbin.yaml" + apiVersion: apps/v1 + kind: Deployment + metadata: + name: httpbin-deployment + namespace: default + spec: + replicas: 2 + selector: + matchLabels: + app: httpbin + template: + metadata: + labels: + app: httpbin + spec: + containers: + - name: httpbin + image: kennethreitz/httpbin:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + ``` + +5. Create a new `httpbinsvc.yaml` file. This file defines a Kubernetes service that allows other apps in the cluster (such as `cloudflared`) to access the set of httpbin pods. + + ```yaml title="httpbinsvc.yaml" + apiVersion: v1 + kind: Service + metadata: + name: httpbin-service + namespace: default + spec: + type: LoadBalancer + selector: + app: httpbin + ports: + - port: 80 + targetPort: 80 + ``` + +6. Use the following command to run the application inside the cluster: + + ```sh + kubectl create -f httpbin.yaml -f httpbinsvc.yaml + ``` + +7. Check the status of your deployment: + + ```sh + kubectl get all + ``` + + ```sh output + NAME READY STATUS RESTARTS AGE + pod/httpbin-deployment-bc6689c5d-b5ftk 1/1 Running 0 79s + pod/httpbin-deployment-bc6689c5d-cbd9m 1/1 Running 0 79s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/httpbin-service LoadBalancer 34.118.225.147 34.75.201.60 80:31967/TCP 79s + service/kubernetes ClusterIP 34.118.224.1 443/TCP 24h + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/httpbin-deployment 2/2 2 2 79s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/httpbin-deployment-bc6689c5d 2 2 2 79s + ``` + +## 3. Create a tunnel + +To create a Cloudflare Tunnel: + +1. Open a new browser tab and log in to [Cloudflare One](https://one.dash.cloudflare.com). + +2. Go to **Networks** > **Connectors** > **Cloudflare Tunnels**. + +3. Select **Create a tunnel**. + +4. Choose **Cloudflared** for the connector type and select **Next**. + +5. Enter a name for your tunnel (for example, `gke-tunnel`). + +6. Select **Save tunnel**. + +7. Under **Choose an environment**, select **Docker**. + + Applications must be packaged into a containerized image before you can run it in Kubernetes. Therefore, we will use the `cloudflared` Docker container image to deploy the tunnel in Kubernetes. + +8. Instead of running the installation command, copy just the token value rather than the whole command. The token value is of the form `eyJhIjoiNWFiNGU5Z...` You will need the token for the Kubernetes manifest file. + +Leave the Cloudflare Tunnel browser tab open while we focus on the Kubernetes deployment. + +## 4. Store the tunnel token + +`cloudflared` uses a tunnel token to run a remotely-managed Cloudflare Tunnel. You can store the tunnel token in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/). + +1. In GKE Cloud Shell, create a `tunnel-token.yaml` file with the following content. Make sure to replace `` with your tunnel token (`eyJhIjoiNWFiNGU5Z...`). + + ```yaml title="tunnel-token.yaml" + apiVersion: v1 + kind: Secret + metadata: + name: tunnel-token + stringData: + token: + ``` + +2. Create the secret: + + ```sh + kubectl create -f tunnel-token.yaml + ``` + +3. Check the newly created secret: + + ```sh + kubectl get secrets + ``` + + ```sh output + NAME TYPE DATA AGE + tunnel-token Opaque 1 100s + ``` + +## 5. Create pods for cloudflared + +To run the Cloudflare Tunnel in Kubernetes: + +1. Create a Kubernetes deployment for a remotely-managed Cloudflare Tunnel: + + ```yaml title="tunnel.yaml" + apiVersion: apps/v1 + kind: Deployment + metadata: + name: cloudflared-deployment + namespace: default + spec: + replicas: 2 + selector: + matchLabels: + pod: cloudflared + template: + metadata: + labels: + pod: cloudflared + spec: + securityContext: + sysctls: + # Allows ICMP traffic (ping, traceroute) to resources behind cloudflared. + - name: net.ipv4.ping_group_range + value: "65532 65532" + containers: + - image: cloudflare/cloudflared:latest + name: cloudflared + env: + # Defines an environment variable for the tunnel token. + - name: TUNNEL_TOKEN + valueFrom: + secretKeyRef: + name: tunnel-token + key: token + command: + # Configures tunnel run parameters + - cloudflared + - tunnel + - --no-autoupdate + - --loglevel + - info + - --metrics + - 0.0.0.0:2000 + - run + livenessProbe: + httpGet: + # Cloudflared has a /ready endpoint which returns 200 if and only if + # it has an active connection to Cloudflare's network. + path: /ready + port: 2000 + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + ``` + +2. Deploy `cloudflared` to the cluster: + + ```sh + kubectl create -f tunnel.yaml + ``` + + Kubernetes will install the `cloudflared` image on two pods and run the tunnel using the command `cloudflared tunnel --no-autoupdate --loglevel info --metrics 0.0.0.0:2000 run`. `cloudflared` will consume the tunnel token from the `TUNNEL_TOKEN` environment variable. + +3. Check the status of your cluster: + + ```sh + kubectl get all + ``` + + ```sh output + NAME READY STATUS RESTARTS AGE + pod/cloudflared-deployment-6d5f9f9666-85l5w 1/1 Running 0 21s + pod/cloudflared-deployment-6d5f9f9666-wb96x 1/1 Running 0 21s + pod/httpbin-deployment-bc6689c5d-b5ftk 1/1 Running 0 3m36s + pod/httpbin-deployment-bc6689c5d-cbd9m 1/1 Running 0 3m36s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/httpbin-service LoadBalancer 34.118.225.147 34.75.201.60 80:31967/TCP 3m36s + service/kubernetes ClusterIP 34.118.224.1 443/TCP 24h + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/cloudflared-deployment 2/2 2 2 22s + deployment.apps/httpbin-deployment 2/2 2 2 3m37s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/cloudflared-deployment-6d5f9f9666 2 2 2 22s + replicaset.apps/httpbin-deployment-bc6689c5d 2 2 2 3m37s + ``` + +You should see two `cloudflared` pods and two `httpbin` pods with a `Running` status. If your `cloudflared` pods keep restarting, check the `command` syntax in `tunnel.yaml` and make sure that the [tunnel run parameters](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/) are in the correct order. + +## 6. Verify tunnel status + +To print logs for a `cloudflared` instance: + +```sh +kubectl logs pod/cloudflared-deployment-6d5f9f9666-85l5w +``` + +```sh output +2025-06-11T22:00:47Z INF Starting tunnel tunnelID=64c359b6-e111-40ec-a3a9-199c2a656613 +2025-06-11T22:00:47Z INF Version 2025.6.0 (Checksum 72f233bb55199093961bf099ad62d491db58819df34b071ab231f622deff33ce) +2025-06-11T22:00:47Z INF GOOS: linux, GOVersion: go1.24.2, GoArch: amd64 +2025-06-11T22:00:47Z INF Settings: map[loglevel:debug metrics:0.0.0.0:2000 no-autoupdate:true token:*****] +2025-06-11T22:00:47Z INF Generated Connector ID: aff7c4a0-85a3-4ac9-8475-1e0aa1af8d94 +2025-06-11T22:00:47Z DBG Fetched protocol: quic +2025-06-11T22:00:47Z INF Initial protocol quic +... +``` + +## 7. Add a tunnel route + +Now that the tunnel is up and running, we can use the Zero Trust dashboard to route the httpbin service through the tunnel. + +1. Switch to the browser tab where you were configuring Cloudflare Tunnel. + +2. Go to the **Route tunnel** step. + +3. In the **Public hostnames** tab, enter a hostname for the application (for example, `httpbin..com`). + +4. Under **Service**, enter `http://httpbin-service`. `httpbin-service` is the name of the Kubernetes service defined in `httpbinsvc.yaml`. + +5. Select **Complete setup**. + +## 8. Test the connection + +To test, open a new browser tab and go to `httpbin..com`. You should see the httpbin homepage. + +You can optionally [create an Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to control who can access the service. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/terraform.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/terraform.mdx new file mode 100644 index 000000000000000..2dc49be0b73b52b --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/deployment-guides/terraform.mdx @@ -0,0 +1,463 @@ +--- +pcx_content_type: how-to +title: Terraform +sidebar: + order: 7 +head: + - tag: title + content: Deploy Tunnels with Terraform +description: Learn how to deploy a Cloudflare Tunnel using Terraform and our + lightweight server-side daemon, cloudflared. +--- + +import { Tabs, TabItem, Render } from "~/components"; + +[Terraform](https://www.terraform.io/) is an infrastructure as code software tool that allows you to deploy services from different providers using a standardized configuration syntax. When creating a Terraform configuration file, you define the final state of the configuration rather than the step-by-step procedure. This allows you to easily deploy, modify, and manage your Tunnels alongside your other infrastructure. + +In this guide, you will use Terraform to deploy: + +- A Google Cloud Project (GCP) virtual machine that runs an HTTP test server +- A Cloudflare Tunnel that makes the server available over the Internet +- A Cloudflare Access policy that defines who can connect to the server + + + +## Prerequisites + +To complete the following procedure, you will need: + +- [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) +- [A zone on Cloudflare](/fundamentals/manage-domains/add-site/) +- Enabled [one-time PIN login](/cloudflare-one/integrations/identity-providers/one-time-pin/) or integrated an [identity provider](/cloudflare-one/integrations/identity-providers/) + +## 1. Install Terraform + +Refer to the [Terraform installation guide](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) for your operating system. + +## 2. Install the gcloud CLI + +1. [Install the gcloud CLI](https://cloud.google.com/sdk/docs/install) so that Terraform can interact with your GCP account. + +2. Authenticate with the CLI by running: + + ```sh + gcloud auth application-default login + ``` + +## 3. Create a Cloudflare API token + +[Create an API token](/fundamentals/api/get-started/create-token/) so that Terraform can interact with your Cloudflare account. At minimum, your token should include the following permissions: + +| Type | Item | Permission | +| ------- | ------------------------- | ---------- | +| Account | Cloudflare Tunnel | Edit | +| Account | Access: Apps and Policies | Edit | +| Zone | DNS | Edit | + +## 4. Create a configuration directory + + + +## 5. Create Terraform configuration files + +### Define input variables + + + +### Assign values to the variables + + + +### Configure Terraform providers + +You will need to declare the [providers](https://registry.terraform.io/browse/providers) used to provision the infrastructure. + +1. In your configuration directory, create a `.tf` file: + + ```sh + touch providers.tf + ``` + +2. Add the following providers to `providers.tf`. The `random` provider is used to generate a tunnel secret. + + + + + + + + + + ```tf + terraform { + required_providers { + cloudflare = { + source = "cloudflare/cloudflare" + version = ">= 4.40.0, < 5.0.0" + } + google = { + source = "hashicorp/google" + } + random = { + source = "hashicorp/random" + } + } + required_version = ">= 1.2" + } + + # Providers + provider "cloudflare" { + api_token = var.cloudflare_token + } + provider "google" { + project = var.gcp_project_id + } + provider "random" { + } + ``` + + + + +### Configure Cloudflare resources + +The following configuration will modify settings in your Cloudflare account. + +1. In your configuration directory, create a `.tf` file: + + ```sh + touch Cloudflare-config.tf + ``` + +2. Add the following resources to `Cloudflare-config.tf`: + + + + + ```tf + + # Creates a new remotely-managed tunnel for the GCP VM. + resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" { + account_id = var.cloudflare_account_id + name = "Terraform GCP tunnel" + config_src = "cloudflare" + } + + # Reads the token used to run the tunnel on the server. + data "cloudflare_zero_trust_tunnel_cloudflared_token" "gcp_tunnel_token" { + account_id = var.cloudflare_account_id + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + } + + # Creates the CNAME record that routes http_app.${var.cloudflare_zone} to the tunnel. + resource "cloudflare_dns_record" "http_app" { + zone_id = var.cloudflare_zone_id + name = "http_app" + content = "${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id}.cfargotunnel.com" + type = "CNAME" + ttl = 1 + proxied = true + } + + # Configures tunnel with a published application for clientless access. + resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + account_id = var.cloudflare_account_id + config = { + ingress = [ + { + hostname = "http_app.${var.cloudflare_zone}" + service = "http://httpbin:80" + }, + { + service = "http_status:404" + } + ] + } + } + + # (Optional) Routes internal IP of GCP instance through the tunnel for private network access using WARP. + resource "cloudflare_zero_trust_tunnel_cloudflared_route" "example_tunnel_route" { + account_id = var.cloudflare_account_id + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + network = google_compute_instance.http_server.network_interface.0.network_ip + comment = "Example tunnel route" + } + + # Creates a reusable Access policy. + resource "cloudflare_zero_trust_access_policy" "allow_emails" { + account_id = var.cloudflare_account_id + name = "Allow email addresses" + decision = "allow" + include = [ + { + email = { + email = var.cloudflare_email + } + }, + { + email_domain = { + domain = "@example.com" + } + } + ] + } + + # Creates an Access application to control who can connect to the public hostname. + resource "cloudflare_zero_trust_access_application" "http_app" { + account_id = var.cloudflare_account_id + type = "self_hosted" + name = "Access application for http_app.${var.cloudflare_zone}" + domain = "http_app.${var.cloudflare_zone}" + policies = [ + { + id = cloudflare_zero_trust_access_policy.allow_emails.id + precedence = 1 + } + ] + } + ``` + + + + + ```tf + # Generates a 32-byte secret for the tunnel. + resource "random_bytes" "tunnel_secret" { + byte_length = 32 + } + + # Creates a new remotely-managed tunnel for the GCP VM. + resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" { + account_id = var.cloudflare_account_id + name = "Terraform GCP tunnel" + secret = random_bytes.tunnel_secret.base64 + } + + # Creates the CNAME record that routes http_app.${var.cloudflare_zone} to the tunnel. + resource "cloudflare_record" "http_app" { + zone_id = var.cloudflare_zone_id + name = "http_app" + content = "${cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.cname}" + type = "CNAME" + proxied = true + } + + # Configures tunnel with a published application for clientless access. + resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + account_id = var.cloudflare_account_id + config { + ingress_rule { + hostname = "${cloudflare_record.http_app.hostname}" + service = "http://httpbin:80" + } + ingress_rule { + service = "http_status:404" + } + } + } + + # (Optional) Route internal IP of GCP instance through the tunnel for private network access using WARP. + resource "cloudflare_zero_trust_tunnel_route" "example_tunnel_route" { + account_id = var.cloudflare_account_id + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + network = google_compute_instance.http_server.network_interface.0.network_ip + comment = "Example tunnel route" + } + + # Creates an Access application to control who can connect to the public hostname. + resource "cloudflare_zero_trust_access_application" "http_app" { + account_id = var.cloudflare_account_id + name = "Access application for http_app.${var.cloudflare_zone}" + domain = "http_app.${var.cloudflare_zone}" + } + + # Creates a (legacy) Access policy for the Access application. + resource "cloudflare_zero_trust_access_policy" "allow_emails" { + application_id = cloudflare_zero_trust_access_application.http_app.id + account_id = var.cloudflare_account_id + name = "Example policy for http_app.${var.cloudflare_zone}" + precedence = "1" + decision = "allow" + include { + email = [var.cloudflare_email] + } + } + ``` + + + +To learn more about these resources, refer to the [Cloudflare provider documentation](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs). + +### Configure GCP resources + +The following configuration defines the specifications for the GCP virtual machine and configures a startup script to run upon boot. + +1. In your configuration directory, create a `.tf` file: + + ```sh + touch GCP-config.tf + ``` + +2. Add the following content to `GCP-config.tf`: + + + + + ```tf + # OS the server will use + data "google_compute_image" "image" { + family = "ubuntu-2204-lts" + project = "ubuntu-os-cloud" + } + + # GCP Instance resource + resource "google_compute_instance" "http_server" { + name = "test" + machine_type = var.machine_type + zone = var.zone + tags = [] + boot_disk { + initialize_params { + image = data.google_compute_image.image.self_link + } + } + + network_interface { + network = "default" + access_config { + //Ephemeral IP + } + } + // Optional config to make instance ephemeral + /* scheduling { + preemptible = true + automatic_restart = false + } */ + + // Pass the tunnel token to the GCP server so that the server can install and run the tunnel upon startup. + metadata_startup_script = templatefile("./install-tunnel.tftpl", + { + tunnel_token = data.cloudflare_zero_trust_tunnel_cloudflared_token.gcp_tunnel_token.token + }) + } + ``` + + + + + ```tf + # OS the server will use + data "google_compute_image" "image" { + family = "ubuntu-2204-lts" + project = "ubuntu-os-cloud" + } + + # GCP Instance resource + resource "google_compute_instance" "http_server" { + name = "test" + machine_type = var.machine_type + zone = var.zone + tags = [] + boot_disk { + initialize_params { + image = data.google_compute_image.image.self_link + } + } + + network_interface { + network = "default" + access_config { + //Ephemeral IP + } + } + // Optional config to make instance ephemeral + /* scheduling { + preemptible = true + automatic_restart = false + } */ + + // Pass the tunnel token to the GCP server so that the server can install and run the tunnel upon startup. + metadata_startup_script = templatefile("./install-tunnel.tftpl", + { + tunnel_token = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.tunnel_token + }) + } + ``` + + + +### Create a startup script + +The following script will install `cloudflared` and run the tunnel as a service. This example also installs a lightweight HTTP application that you can use to test connectivity. + +:::note +If you would prefer to manually install the tunnel, refer to [Install and run the tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel). +::: + +1. In your configuration directory, create a Terraform template file: + + ```sh + touch install-tunnel.tftpl + ``` + +2. Open the file in a text editor and copy and paste the following bash script: + + ```bash + # Script to install Cloudflare Tunnel and Docker resources + + # Docker configuration + cd /tmp + sudo apt-get install software-properties-common + # Retrieving the docker repository for this OS + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - + sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable" + # The OS is updated and docker is installed + sudo apt update -y && sudo apt upgrade -y + sudo apt install docker docker-compose -y + # Add the HTTPBin application and run it on localhost:8080. + cat > /tmp/docker-compose.yml << "EOF" + version: '3' + services: + httpbin: + image: kennethreitz/httpbin + restart: always + container_name: httpbin + ports: + - 8080:80 + + cloudflared: + image: cloudflare/cloudflared:latest + restart: always + container_name: cloudflared + command: tunnel run --token ${tunnel_token} + EOF + cd /tmp + sudo docker-compose up -d + ``` + +## 6. Deploy Terraform + + + +It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel, Access application, and Access policy in [Cloudflare One](https://one.dash.cloudflare.com). The new DNS records are available in the [Cloudflare dashboard](/dns/manage-dns-records/how-to/create-dns-records/). + +:::note[Remove Terraform resources] + +If you need to roll back the configuration, run `terraform destroy` to delete everything created through Terraform. Both `terraform apply` and `terraform destroy` prompt for user input before applying the changes. To run without requiring user input, you can add the `-auto-approve` flag to the command. +::: + +## 7. Test the connection + +1. In **Networks** > **Connectors** > **Cloudflare Tunnels**, verify that your tunnel is active. + +2. In **Access controls** > **Applications**, verify that your Cloudflare email is allowed by the Access policy. + +3. From any device, open a browser and go to `http_app.` (for example, `http_app.example.com`). + + You will see the Access login page if you have not recently logged in. + +4. Log in with your Cloudflare email. + + You should see the [HTTPBin](https://httpbin.org/) homepage. diff --git a/src/content/docs/cloudflare-tunnel/downloads/copyrights.mdx b/src/content/docs/cloudflare-tunnel/downloads/copyrights.mdx new file mode 100644 index 000000000000000..9fb542b9bfb5637 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/downloads/copyrights.mdx @@ -0,0 +1,1195 @@ +--- +pcx_content_type: reference +title: Copyrights +sidebar: + order: 102 +head: [] +description: View associated copyrights. + +--- + +*** + +[https://github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) + +The MIT License (MIT) + +Copyright (c) 2013 TOML authors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +*** + +[https://github.com/Sirupsen/logrus](https://github.com/Sirupsen/logrus) + +The MIT License (MIT) + +Copyright (c) 2014 Simon Eskildsen + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +*** + +[https://github.com/beorn7/perks/](https://github.com/beorn7/perks/) + +Copyright (C) 2013 Blake Mizerany + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +*** + +[https://github.com/certifi/gocertifi](https://github.com/certifi/gocertifi) + +This Source Code Form is subject to the terms of the Mozilla Public License, +v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain +one at [http://mozilla.org/MPL/2.0/](http://mozilla.org/MPL/2.0/). + +*** + +[https://github.com/coreos/go-oidc/](https://github.com/coreos/go-oidc/) +[https://github.com/coreos/go-systemd/](https://github.com/coreos/go-systemd/) + +Apache License +Version 2.0, January 2004 +[http://www.apache.org/licenses/](http://www.apache.org/licenses/) + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +``` + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. +``` + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +``` + http://www.apache.org/licenses/LICENSE-2.0 +``` + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*** + +[https://github.com/facebookgo/grace](https://github.com/facebookgo/grace) + +BSD License + +For grace software + +Copyright (c) 2015, Facebook, Inc. All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name Facebook nor the names of its contributors may be used to + endorse or promote products derived from this software without specific + prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON +ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +*** + +[https://github.com/getsentry/raven-go](https://github.com/getsentry/raven-go) + +Copyright (c) 2013 Apollic Software, LLC. All rights reserved. +Copyright (c) 2015 Functional Software, Inc. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +* Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the + distribution. +* Neither the name of Apollic Software, LLC nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +*** + +[https://github.com/glycerine/rbtree](https://github.com/glycerine/rbtree) + +Copyright (C) 2012 Yasushi Saito + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +*** + +[https://github.com/golang/protobuf](https://github.com/golang/protobuf) + +Go support for Protocol Buffers - Google's data interchange format + +Copyright 2010 The Go Authors. All rights reserved. +[https://github.com/golang/protobuf](https://github.com/golang/protobuf) + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +``` +* Redistributions of source code must retain the above copyright +``` + +notice, this list of conditions and the following disclaimer. \* Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. \* Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +*** + +[https://github.com/lib/pq](https://github.com/lib/pq) + +Copyright (c) 2011-2013, 'pq' Contributors +Portions Copyright (C) 2011 Blake Mizerany + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +*** + +[https://godoc.org/github.com/matttproud/golang\\\_protobuf\\\_extensions/pbutil](https://godoc.org/github.com/matttproud/golang\\_protobuf\\_extensions/pbutil) + +``` + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ +``` + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +``` + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. +``` + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +``` + http://www.apache.org/licenses/LICENSE-2.0 +``` + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*** + +[https://github.com/mitchellh/go-homedir](https://github.com/mitchellh/go-homedir) + +The MIT License (MIT) + +Copyright (c) 2013 Mitchell Hashimoto + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +*** + +[https://github.com/pkg/errors](https://github.com/pkg/errors) + +Copyright (c) 2015, Dave Cheney [dave@cheney.net](mailto:dave@cheney.net) +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +*** + +[https://github.com/prometheus/client\_golang](https://github.com/prometheus/client_golang) +[https://github.com/prometheus/client\_model](https://github.com/prometheus/client_model) +[https://github.com/prometheus/common](https://github.com/prometheus/common) +[https://github.com/prometheus/procfs](https://github.com/prometheus/procfs) + +``` + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ +``` + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +``` + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. +``` + +Copyright \[yyyy] \[name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +``` + http://www.apache.org/licenses/LICENSE-2.0 +``` + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*** + +[https://github.com/urfave/cli](https://github.com/urfave/cli) + +MIT License + +Copyright (c) 2016 Jeremy Saenz & Contributors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +*** + +[https://github.com/go-yaml/yaml](https://github.com/go-yaml/yaml) + +``` + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ +``` + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +``` + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. +``` + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +``` + http://www.apache.org/licenses/LICENSE-2.0 +``` + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*** + +[https://zombiezen.com/go/capnproto2](https://zombiezen.com/go/capnproto2) + +go-capnproto is licensed under the terms of the MIT license reproduced below. + +\=============================================================================== + +Copyright (C) 2014 the go-capnproto authors and contributors. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +\=============================================================================== diff --git a/src/content/docs/cloudflare-tunnel/downloads/index.mdx b/src/content/docs/cloudflare-tunnel/downloads/index.mdx new file mode 100644 index 000000000000000..06eb9a8cdfd9933 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/downloads/index.mdx @@ -0,0 +1,72 @@ +--- +pcx_content_type: reference +title: Downloads +sidebar: + order: 2 +--- + +Cloudflare Tunnel requires the installation of a lightweight server-side daemon, `cloudflared`, to connect your infrastructure to Cloudflare. If you are [creating a tunnel through the dashboard](/cloudflare-tunnel/get-started/create-remote-tunnel/), you can simply copy-paste the installation command shown in the dashboard. + +To download and install `cloudflared` manually, use one of the following links. + +## GitHub repository + +`cloudflared` is an [open source project](https://github.com/cloudflare/cloudflared) maintained by Cloudflare. + +- [All releases](https://github.com/cloudflare/cloudflared/releases) + +- [Release notes](https://github.com/cloudflare/cloudflared/blob/master/RELEASE_NOTES) + +## Latest release + +### Linux + +You can download and install `cloudflared` via the [Cloudflare Package Repository](https://pkg.cloudflare.com/). + +Alternatively, download the latest release directly: + +| Type | amd64 / x86-64 | x86 (32-bit) | ARM | ARM64 | +| ------ | ----------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | +| Binary | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-386) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64) | +| .deb | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-386.deb) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm.deb) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb) | +| .rpm | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-386.rpm) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm.rpm) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-aarch64.rpm) | + +### macOS + +Download and install `cloudflared` via Homebrew: + +```sh +brew install cloudflared +``` + +Alternatively, download the [latest Darwin arm64 release](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-arm64.tgz) or [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-amd64.tgz) directly. + +### Windows + +Download and install `cloudflared` via [winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/): + +```bash +winget install --id Cloudflare.cloudflared +``` + +Alternatively, download the latest release directly: + +| Type | 32-bit | 64-bit | +| ---------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | +| Executable | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-386.exe) | [Download](https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe) | + +:::note + +Instances of `cloudflared` do not automatically update on Windows. You will need to perform manual updates. + +::: + +### Docker + +A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared). + +## Deprecated releases + +Cloudflare supports versions of `cloudflared` that are within one year of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. For example, as of January 2023 Cloudflare will support `cloudflared` version 2023.1.1 to cloudflared 2022.1.1. + +To update `cloudflared`, refer to [these instructions](/cloudflare-tunnel/downloads/update-cloudflared/). diff --git a/src/content/docs/cloudflare-tunnel/downloads/license.mdx b/src/content/docs/cloudflare-tunnel/downloads/license.mdx new file mode 100644 index 000000000000000..532f3d32b2f57b9 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/downloads/license.mdx @@ -0,0 +1,220 @@ +--- +pcx_content_type: reference +title: License +sidebar: + order: 51 + +--- + +Apache License +Version 2.0, January 2004 +[http://www.apache.org/licenses/](http://www.apache.org/licenses/) + +``` +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +``` + +## Runtime Library Exception to the Apache 2.0 License: + +``` +As an exception, if you use this Software to compile your source code and +portions of this Software are embedded into the binary product as a result, +you may redistribute such product without providing attribution as would +otherwise be required by Sections 4(a), 4(b) and 4(d) of the License. +``` diff --git a/src/content/docs/cloudflare-tunnel/downloads/update-cloudflared.mdx b/src/content/docs/cloudflare-tunnel/downloads/update-cloudflared.mdx new file mode 100644 index 000000000000000..13654dc2da5a255 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/downloads/update-cloudflared.mdx @@ -0,0 +1,180 @@ +--- +pcx_content_type: how-to +title: Update cloudflared +sidebar: + order: 5 +--- + +import { TabItem, Tabs, Render } from "~/components"; + +Updates will cause `cloudflared` to restart which will impact traffic currently being served. You can perform zero-downtime upgrades by using Cloudflare's [Load Balancer product](/cloudflare-tunnel/downloads/update-cloudflared/#update-with-cloudflare-load-balancer) or by using [multiple `cloudflared` instances](/cloudflare-tunnel/downloads/update-cloudflared/#update-with-multiple-cloudflared-instances). + +## Update the `cloudflared` service + +Refer to the following commands to update `cloudflared` for a [remotely-managed tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/) created through the dashboard or a [locally-managed tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/). Locally-managed tunnels must be set up to [run as a service](/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/) for the following commands to execute successfully. + + + +Run the following command: + +```powershell +cloudflared update +``` + +After running `cloudflared update` to update `cloudflared`, you must restart the service for it to take effect. Run: + +```powershell +net start cloudflared +``` + + + +1. Update the `cloudflared` package: + +```sh +brew upgrade cloudflared +``` + +2. Restart the service: + +```sh +sudo launchctl stop com.cloudflare.cloudflared +sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist +sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist +sudo launchctl start com.cloudflare.cloudflared +``` + + + +**If installed via apt:** + +1. Update the `cloudflared` package: + +```sh +sudo apt-get update && sudo apt-get install --only-upgrade cloudflared +``` + +2. Restart the service: + +```sh +sudo systemctl restart cloudflared.service +``` + +**If installed via `dpkg -i`:** + +Use the following commands if you installed `cloudflared` using the `dpkg` package manager. + +1. Update the `cloudflared` package: + +```sh +curl --location --output cloudflared.deb "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-$(dpkg --print-architecture).deb" && sudo dpkg -i cloudflared.deb +``` + +2. Restart the service: + +```sh +sudo systemctl restart cloudflared.service +``` + + + +1. Update the `cloudflared` package: + +```sh +sudo yum update cloudflared +``` + +2. Restart the service: + +```sh +sudo systemctl restart cloudflared.service +``` + + + +**If you created a remotely-managed tunnel using the [dashboard](/cloudflare-tunnel/get-started/create-remote-tunnel/):** + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. +2. Select your tunnel and select **Edit**. +3. Select **Docker** and copy the installation command shown in the dashboard. The copied command will contain your token. +4. Paste this command into a terminal window. + +This command creates a new container from the latest `cloudflared` image. You can now delete the old container. + +:::caution + +Cloudflare recommends creating remotely-managed tunnels when working with Docker. + +::: + +**If you created a remotely or locally-managed tunnel using the [API](/cloudflare-tunnel/get-started/create-remote-tunnel-api/), run the following command:** + +```sh +docker run --pull always cloudflare/cloudflared:latest tunnel --no-autoupdate run --token +``` + +**If you created a locally-managed tunnel using the [CLI](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#2-authenticate-cloudflared):** + +1. Mount your local `.cloudflared` [directory](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#default-cloudflared-directory) into the Docker container using a volume. + +2. Run the following command to update `cloudflared`: + + ```sh + docker run --pull always -v :/home/nonroot/.cloudflared cloudflare/cloudflared:latest tunnel --no-autoupdate run + ``` + + + +If you installed `cloudflared` from GitHub-provided binaries or from source, run the following command: + +```sh +cloudflared update +``` + +If you installed `cloudflared` with a package manager, you must update it using the same package manager. + + + +## Update with Cloudflare Load Balancer + +You can update `cloudflared` without downtime by using Cloudflare's Load Balancer product with your Cloudflare Tunnel deployment. + +1. Install a new instance of `cloudflared` and [create](/cloudflare-tunnel/get-started/) a new Tunnel. +2. Configure the instance to point traffic to the same locally-available service as your current, active instance of `cloudflared`. +3. [Add the address](/cloudflare-tunnel/routing/public-load-balancers/) of the new instance of `cloudflared` into your Load Balancer pool as priority 2. +4. Swap the priority such that the new instance is now priority 1 and monitor to confirm traffic is being served. +5. Once confirmed, you can remove the older version from the Load Balancer pool. + +## Update with multiple `cloudflared` instances + +If you are not using Cloudflare's Load Balancer, you can use multiple instances of `cloudflared` to update without the risk of downtime. + +1. Install a new instance of `cloudflared` and [create](/cloudflare-tunnel/get-started/) a new Tunnel. +2. Configure the instance to point traffic to the same locally-available service as your current, active instance of `cloudflared`. +3. In the Cloudflare DNS dashboard, [replace](/cloudflare-tunnel/routing/dns/) the address of the current instance of `cloudflared` with the address of the new instance. Save the record. +4. Remove the now-inactive instance of `cloudflared`. + +:::note[Traffic handling] + +When the old replica is stopped, it will drop long-lived HTTP requests (for example, WebSocket) and TCP connections (for example, SSH). UDP flows will also be dropped, as they are modeled based on timeouts. When the new replica connects, it will handle all new traffic, including new HTTP requests, TCP connections, and UDP flows. + +::: + +### Run multiple instances in Windows + +Windows systems require services to have a unique name and display name. You can run multiple instances of `cloudflared` by creating `cloudflared` services with unique names. + +1. Install and configure `cloudflared`. +2. Next, create a service with a unique name and point to the `cloudflared` executable and configuration file. + +```powershell +sc.exe create binPath='' --config '' displayname="Unique Name" +``` + +3. Proceed to create additional services with unique names. + +4. You can now start each unique service. + +```powershell +sc.exe start +``` diff --git a/src/content/docs/cloudflare-tunnel/faq.mdx b/src/content/docs/cloudflare-tunnel/faq.mdx new file mode 100644 index 000000000000000..f5db10ba0a8f742 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/faq.mdx @@ -0,0 +1,79 @@ +--- +pcx_content_type: faq +title: FAQ +structured_data: true +sidebar: + order: 12 +description: Review frequently asked questions about Cloudflare Tunnel. +--- + +import { Render } from "~/components"; + +## Can I create a Tunnel for an apex domain? + +Yes. With [Named Tunnels](https://blog.cloudflare.com/argo-tunnels-that-live-forever/) you can create a CNAME at the apex that points to the named tunnel. + +## Does Cloudflare Tunnel support Websockets? + +Yes. Cloudflare Tunnel has full support for Websockets. + +## Does Cloudflare Tunnel support gRPC? + +Yes. + +## How can Tunnel be used with Partial DNS (CNAME Setup)? + +Cloudflare offers two modes of setup: [Full Setup](/dns/zone-setups/full-setup/), in which the domain uses Cloudflare DNS nameservers, and [Partial Setup](/dns/zone-setups/partial-setup/) (also known as CNAME setup) in which the domain uses non-Cloudflare DNS servers. + +The best experience with Cloudflare Tunnel is using Full Setup because Cloudflare manages DNS for the domain and can automatically configure DNS records for newly started Tunnels. + +You can still use Tunnel with Partial Setup. You will need to create a new DNS record with your current DNS provider for each new hostname connected through Cloudflare Tunnel. The DNS record should be of type CNAME or ALIAS if it is on the root of the domain. The name of the record should be the subdomain it corresponds to (for example, `example.com` or `tunnel.example.com`) and the value of the record should be `subdomain.domain.tld.cdn.cloudflare.net` (for example, `example.com.cdn.cloudflare.net` or `tunnel.example.com.cdn.cloudflare.net`). + +## How can origin servers be secured when using Tunnel? + +Tunnel can expose web applications to the Internet that sit behind a NAT or firewall. Thus, you can keep your web server otherwise completely locked down. To double check that your origin web server is not responding to requests outside Cloudflare while Tunnel is running you can run netcat in the command line: + +```sh +netcat -zv [your-server's-ip-address] 80 +netcat -zv [your-server's-ip-address] 443 +``` + +If your server is still responding on those ports, you will see: + +```txt +[ip-address] 80 (http) open +``` + +If your server is correctly locked down, you will see: + +```txt +[ip-address] 443 (https): Connection refused +``` + +## What records are created for routing to a Named Tunnel's hostname? + +Named Tunnels can be routed via DNS records, in which case we use CNAME records to point to `.cfargotunnel.com`; or as Load Balancing endpoints, which also point to `.cfargotunnel.com`. + +## Does Cloudflare Tunnel send visitor IPs to my origin? + +No. When using Cloudflare Tunnel, all requests to the origin are made internally between `cloudflared` and the origin. + +To log external visitor IPs, you will need to [configure an alternative method](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/). + +## Why does the name 'warp' and 'argo' appear in some legacy materials? + +Cloudflare Tunnel was previously named Warp during the beta phase. As Warp was added to the Argo product family, we changed the name to Argo Tunnel to match. Once we no longer required users to purchase Argo to create Tunnels, we renamed Argo Tunnel to Cloudflare Tunnel. + +## Is it possible to restore a deleted tunnel? + +No. You cannot undo a tunnel deletion. If the tunnel was locally-managed, its [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/) will still be present and you can create a new tunnel with the same configuration. If the tunnel was remotely-managed, both the tunnel and its configuration are permanently deleted. + +## How do I contact support? + +Before contacting the Cloudflare support team: + +1. Take note of any specific error messages and/or problematic behaviors. +2. Make sure that `cloudflared` is updated to the [latest version](https://github.com/cloudflare/cloudflared). +3. Gather any relevant error/access logs from your server. +4. If needed, set [`--loglevel`](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) to `debug`, so the Cloudflare support team can get more info from the `cloudflared.log` file. +5. Include your [Cloudflare Tunnel diagnostic logs](/cloudflare-tunnel/troubleshoot/diag-logs/) (`cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip`). diff --git a/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx b/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx new file mode 100644 index 000000000000000..a5cbb0fe24fb465 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx @@ -0,0 +1,204 @@ +--- +title: Create a tunnel (API) +pcx_content_type: how-to +sidebar: + order: 2 +--- + +import { Render, APIRequest } from "~/components"; + +Follow this guide to set up a Cloudflare Tunnel using the API. + + + +## Create an API token + +[Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + +| Type | Item | Permission | +| ------- | ----------------- | ---------- | +| Account | Cloudflare Tunnel | Edit | +| Zone | DNS | Edit | + +## 2. Create a tunnel + +Make a `POST` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/methods/create/) endpoint: + + + +```sh output +{ + "success": true, + "errors": [], + "messages": [], + "result": { + "id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", + "account_tag": "699d98642c564d2e855e9661899b7252", + "created_at": "2025-02-18T22:41:43.534395Z", + "deleted_at": null, + "name": "example-tunnel", + "connections": [], + "conns_active_at": null, + "conns_inactive_at": "2025-02-18T22:41:43.534395Z", + "tun_type": "cfd_tunnel", + "metadata": {}, + "status": "inactive", + "remote_config": true, + "credentials_file": { + "AccountTag": "699d98642c564d2e855e9661899b7252", + "TunnelID": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", + "TunnelName": "api-tunnel", + "TunnelSecret": "bTSquyUGwLQjYJn8cI8S1h6M6wUc2ajIeT7JotlxI7TqNqdKFhuQwX3O8irSnb==" + }, + "token": "eyJhIjoiNWFiNGU5Z..." + } +} +``` + +Copy the `id` and `token` values shown in the output. You will need these values to configure and run the tunnel. + +## 3. Publish an application + +Before you publish an application through your tunnel, you must: + +- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/). +- [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/). + +Follow these steps to publish an application to the Internet. + +1. Make a [`PUT` request](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/) to route your [local service URL](/cloudflare-tunnel/routing/protocols/) to a public hostname. For example, + + + :::note + If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/faq/troubleshooting/#i-see-this-site-cant-provide-a-secure-connection). + ::: + + Your ingress rules must include a catch-all rule at the end. In this example, `cloudflared` will respond with a 404 status code when the request does not match any of the previous hostnames. + +2. [Create a DNS record](/api/resources/dns/subresources/records/methods/create/) for your application: + + + + This DNS record allows Cloudflare to proxy `app.example.com` traffic to your Cloudflare Tunnel (`.cfargotunnel.com`). + +This application will be publicly available on the Internet once you [run the tunnel](#4-install-and-run-the-tunnel). Cloudflare will automatically proxy traffic through its network, applying your configured CDN, WAF, and security settings. + +:::note +To connect a private network through your tunnel for Zero Trust access, refer to [Cloudflare Tunnel for SASE](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#3b-connect-a-network). +::: + +## 4. Install and run the tunnel + +Install `cloudflared` on your server and run the tunnel using the `token` value obtained in [2. Create a tunnel](#2-create-a-tunnel). You can also get the tunnel token using the [Cloudflare Tunnel token](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/) endpoint. + + + +## 5. Verify tunnel status + +To check if the tunnel is serving traffic: + + + +```sh output +{ + "success": true, + "errors": [], + "messages": [], + "result": { + "id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", + "account_tag": "699d98642c564d2e855e9661899b7252", + "created_at": "2025-02-18T22:41:43.534395Z", + "deleted_at": null, + "name": "example-tunnel", + "connections": [ + { + "colo_name": "bos01", + "uuid": "2xz99mfm-a59e-4924-gyh9-z9vafaw6k0i2", + "id": "2xz99mfm-a59e-4924-gyh9-z9vafaw6k0i2", + "is_pending_reconnect": false, + "origin_ip": "10.1.0.137", + "opened_at": "2025-02-19T19:11:12.101642Z", + "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a", + "client_version": "2025.2.0" + }, + { + "colo_name": "phl01", + "uuid": "axe2socu-2fb5-3akx-b860-898zyes3cs9q", + "id": "axe2socu-2fb5-3akx-b860-898zyes3cs9q", + "is_pending_reconnect": false, + "origin_ip": "10.1.0.137", + "opened_at": "2025-02-19T19:11:12.006297Z", + "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a", + "client_version": "2025.2.0" + }, + { + "colo_name": "phl01", + "uuid": "9b5y0wm9-ca7f-ibq6-8ff4-sm53xekfyym1", + "id": "9b5y0wm9-ca7f-ibq6-8ff4-sm53xekfyym1", + "is_pending_reconnect": false, + "origin_ip": "10.1.0.137", + "opened_at": "2025-02-19T19:11:12.004721Z", + "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a", + "client_version": "2025.2.0" + }, + { + "colo_name": "bos01", + "uuid": "g6cdeiz1-80f5-3akx-b18b-3y0ggktoxwkd", + "id": "g6cdeiz1-80f5-3akx-b18b-3y0ggktoxwkd", + "is_pending_reconnect": false, + "origin_ip": "10.1.0.137", + "opened_at": "2025-02-19T19:11:12.110765Z", + "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a", + "client_version": "2025.2.0" + } + ], + "conns_active_at": "2025-02-19T19:11:12.004721Z", + "conns_inactive_at": null, + "tun_type": "cfd_tunnel", + "metadata": {}, + "status": "healthy", + "remote_config": true + } +} +``` + +A healthy tunnel will have four connections to Cloudflare's network. diff --git a/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel.mdx b/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel.mdx new file mode 100644 index 000000000000000..0c02abccff1a126 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel.mdx @@ -0,0 +1,99 @@ +--- +title: Create a tunnel (dashboard) +pcx_content_type: how-to +sidebar: + order: 1 +--- + +import { Render, Stream, Details } from "~/components"; + +Follow this step-by-step guide to create your first [remotely-managed tunnel](/cloudflare-tunnel/get-started/tunnel-useful-terms/#remotely-managed-tunnel) using the Cloudflare dashboard. + +## Prerequisites + + + +## 1. Create a tunnel + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. + +2. Select **Create Tunnel**. + +3. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`). + +4. Select **Create Tunnel**. + +5. Under **Setup Environment**, select the operating system and architecture for the machine where you would like to install `cloudflared`. You can install `cloudflared` on your origin server or on any other machine on your network that can connect to the origin server. + +6. To install `cloudflared`, copy the commands shown under **Install and Run** and paste them into a terminal window. Run the commands. + +7. Once the tunnel is successfully connected, select **Continue**. + +Your tunnel should appear on the **Tunnels** page with a `Healthy` status. If your tunnel status is `Inactive`, `Down`, or `Degraded`, refer to the [troubleshooting documentation](/cloudflare-tunnel/troubleshoot/common-errors/#tunnel-status) for recommended next steps. + +## 2. Publish an application + +Now that you have connected your infrastructure to Cloudflare, you can expose your applications to the Internet via a domain on Cloudflare. + +:::note[Prerequisites] +Before you publish an application through your tunnel, you must [add a website to Cloudflare](/fundamentals/manage-domains/add-site/). +::: + +To add a published application route: + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels** and select your tunnel. + +2. Under **Routes**, select **Add route**. + +3. Select **Published application**. + +4. Under **Hostname**, enter a subdomain and select a domain from the drop-down menu. + :::note + If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/faq/troubleshooting/#i-see-this-site-cant-provide-a-secure-connection). + ::: + +5. For **Service URL**, enter your application's [local address and port](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/). + + For example, if you have an HTTP application on port `80` running on the same machine as `cloudflared`, enter `http://localhost:80`. If your application is running on a different machine from the `cloudflared` host, enter `http://:80`. + +
+ To set up a lightweight HTTP application for testing, run the following commands on your `cloudflared` host: + + 1. Install Docker on your system: + ```sh + sudo apt update && sudo apt upgrade -y + sudo apt install -y docker.io + ``` + + 2. Start Docker for this session only: + ```sh + sudo systemctl start docker + ``` + + 3. Pull the [HTTPBin image](https://httpbin.org/) and run it locally: + ```sh + docker run -p 80:80 kennethreitz/httpbin + ``` + + This command maps port `80` on the `cloudflared` host to the container's internal port `80`. HTTPBin is now running at `http://localhost:80`. +
+ +6. Select **Add route**. + +Anyone on the Internet can now access the HTTP/HTTPS application at the specified hostname. Cloudflare will automatically proxy traffic through its network, applying any CDN, WAF, and security settings that you have configured for your domain. + +:::note[Non-HTTP applications] +Non-HTTP services (such as SSH or TCP) require users to install client-side software. Refer to the [protocols reference](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) for more information. +::: + +## Next steps + +- Troubleshoot [common errors](/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/) such as `502 Bad Gateway`. +- Review configuration options for your tunnel. +- Deploy multiple `cloudflared` replicas for high availability and automatic failover. diff --git a/src/content/docs/cloudflare-tunnel/get-started/index.mdx b/src/content/docs/cloudflare-tunnel/get-started/index.mdx new file mode 100644 index 000000000000000..c013e2b4bc20b99 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/get-started/index.mdx @@ -0,0 +1,16 @@ +--- +title: Get started +pcx_content_type: navigation +sidebar: + order: 1 +head: + - tag: title + content: Set up your first tunnel + +--- + +import { DirectoryListing, GlossaryTooltip } from "~/components" + +To create and manage tunnels, you will need to install and authenticate cloudflared on your origin server. `cloudflared` is what connects your server to Cloudflare's global network. + + diff --git a/src/content/docs/cloudflare-tunnel/get-started/tunnel-useful-terms.mdx b/src/content/docs/cloudflare-tunnel/get-started/tunnel-useful-terms.mdx new file mode 100644 index 000000000000000..ab9063230e48f50 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/get-started/tunnel-useful-terms.mdx @@ -0,0 +1,44 @@ +--- +pcx_content_type: reference +title: Useful terms +sidebar: + order: 4 +--- + +Review terminology for Cloudflare Tunnels. + +## Tunnel + +A tunnel is a secure, outbound-only pathway you can establish between your origin and Cloudflare's global network. Each tunnel you create will be assigned a [name](#tunnel-name) and a [UUID](#tunnel-uuid). + +## Tunnel UUID + +A tunnel UUID is an alphanumeric, unique ID assigned to a tunnel. The tunnel UUID can be used whenever you need to reference a specific tunnel. + +## Tunnel name + +A tunnel name is a unique, user-friendly identifier that you choose for a tunnel. Since a tunnel can proxy traffic to multiple services, tunnel names do not need to be hostnames. For example, you can assign your tunnel a name that represents your application/network, a particular server, or the cloud environment where it runs. + +## Connector + +The connector, referred to as `cloudflared`, establishes connectivity from your origin server to the Cloudflare global network. Our connector offers high availability by creating four long-lived connections to two distinct data centers within Cloudflare's global network. This built-in redundancy means that if an individual connection, server, or data center goes down, your origin remains available. + +## Replica + +You can create and configure a tunnel once and run that tunnel through multiple, unique instances of the connector, `cloudflared`. These instances are known as replicas. DNS records and Cloudflare Load Balancers will still point to the tunnel and its DNS Record (`UUID.cfargotunnel.com`), while that tunnel sends traffic to the multiple instances of `cloudflared` that run through it. Today, there is no guarantee about which replica will be chosen. Replicas are often deployed to provide tunnels with high availability in the event a given host running `cloudflared` is interrupted or taken offline. + +## Remotely-managed tunnel + +A remotely-managed tunnel is a [tunnel](#tunnel) that was created in [Cloudflare One](https://one.dash.cloudflare.com/) under **Networks** > **Tunnels**. Tunnel configuration is stored in Cloudflare, which allows you to manage the tunnel from the dashboard or using the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/get/). + +## Locally-managed tunnel + +A locally-managed tunnel is a [tunnel](#tunnel) that was created by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory). For terminology specific to locally-managed tunnels, refer to the [Locally-managed tunnel glossary](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/). + +## Quick tunnels + +Quick tunnels, when run, will generate a URL that consists of a random subdomain of the website `trycloudflare.com`, and point traffic to localhost on port `8080`. If you have a web service running at that address, users who visit the generated subdomain will be able to visit your web service through Cloudflare's network. Refer to [TryCloudflare](/cloudflare-tunnel/other-tunnel-types/quick-tunnels/) for more information on how to run quick tunnels. + +## Virtual networks + +A [virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) is a software abstraction that allows you to logically segregate resources on your private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes. To connect to a resource, end users would select a virtual network in their WARP client settings before entering the destination IP. diff --git a/src/content/docs/cloudflare-tunnel/index.mdx b/src/content/docs/cloudflare-tunnel/index.mdx new file mode 100644 index 000000000000000..9a47cccd3a07496 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/index.mdx @@ -0,0 +1,69 @@ +--- +pcx_content_type: overview +title: Cloudflare Tunnel +sidebar: + order: 1 +description: Connect your origin servers, APIs, and services to Cloudflare without a publicly routable IP address. +--- + +import { + CardGrid, + Description, + LinkTitleCard, + Plan, + Stream, +} from "~/components"; + + + Connect your origin servers, APIs, and services to Cloudflare without a + publicly routable IP address. + + + + +Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (`cloudflared`) creates [outbound-only connections](#outbound-only-connections) to Cloudflare's global network. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare. + + + +## How it works + +`cloudflared` establishes [outbound connections](#outbound-only-connections) (tunnels) between your resources and Cloudflare's global network. Tunnels are persistent objects that route traffic to DNS records. Within the same tunnel, you can run as many `cloudflared` processes (connectors) as needed. These processes will establish connections to Cloudflare and send traffic to the nearest Cloudflare data center. + +![How an HTTP request reaches an origin connected with Cloudflare Tunnel](~/assets/images/cloudflare-one/connections/connect-apps/handshake.jpg) + +### Outbound-only connections + +Cloudflare Tunnel uses an outbound-only connection model to enable bidirectional communication. When you install and run `cloudflared`, it initiates an outbound connection through your firewall from the origin to the Cloudflare global network. + +Once the connection is established, traffic flows in both directions over the tunnel between your origin and Cloudflare. Most firewalls allow outbound traffic by default. `cloudflared` takes advantage of this standard by connecting out to the Cloudflare network from the server you installed `cloudflared` on. You can then [configure your firewall](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) to allow only these outbound connections and block all inbound traffic, effectively blocking access to your origin from anything other than Cloudflare. + +## Use cases + +Cloudflare Tunnel connects your applications and services to Cloudflare. Common use cases include: + +- **Secure origin connectivity** — Eliminate publicly routable origin IPs. All traffic to your origin flows through Cloudflare, allowing you to apply CDN caching, WAF rules, Bot Management, and DDoS protection. +- **Public ingress routing** — Publish internal applications to the Internet by mapping public hostnames to local services, with support for HTTP, HTTPS, TCP, SSH, RDP, and other protocols. +- **Workers VPC connectivity** — Enable Cloudflare Workers to securely access private databases, APIs, and services through your tunnel. +- **Load Balancer origins** — Use tunnels as origin endpoints in Cloudflare Load Balancer pools for high availability and intelligent traffic steering across your infrastructure. + +:::note[Looking for Zero Trust private network access?] +For [Secure Access Service Edge (SASE)](https://www.cloudflare.com/learning/access-management/what-is-sase/) use cases such as VPN replacement, access to private IPs and hostnames, and network traffic filtering, refer to the [Cloudflare One documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/). +::: + +## Next steps + + + + + Create your first tunnel using the dashboard or API. + + + + Download and install cloudflared on your server. + + + diff --git a/src/content/docs/cloudflare-tunnel/integrations/access.mdx b/src/content/docs/cloudflare-tunnel/integrations/access.mdx new file mode 100644 index 000000000000000..df054015acdaf8d --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/integrations/access.mdx @@ -0,0 +1,42 @@ +--- +pcx_content_type: integration-guide +title: Cloudflare Access +sidebar: + order: 4 +description: Secure applications published through Cloudflare Tunnel by adding Cloudflare Access as an identity-aware authentication layer. +--- + +[Cloudflare Access](/cloudflare-one/access-controls/) provides an identity-aware proxy that authenticates and authorizes every request to your applications. When combined with Cloudflare Tunnel, Access lets you publish internal web applications to the Internet while ensuring that only authorized users can reach them. + +## How it works + +Cloudflare Tunnel creates an outbound-only connection from your origin to Cloudflare's global network, making your application available on a public hostname without opening inbound ports. Cloudflare Access sits in front of that hostname and requires users to authenticate with a configured identity provider (IdP) before the request is forwarded through the tunnel to your origin. + +The typical request flow is: + +1. A user visits the application's public hostname (for example, `app.example.com`). +2. Cloudflare Access intercepts the request and redirects the user to your identity provider for authentication. +3. After the user authenticates, Access evaluates your [Access policies](/cloudflare-one/access-controls/policies/) to determine whether the user is allowed. +4. If allowed, Access issues a signed [JSON Web Token (JWT)](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/) and forwards the request through the tunnel to `cloudflared`. +5. (Optional) `cloudflared` validates the JWT using the [`access` origin parameter](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#access) before proxying the request to your origin application. + +This architecture eliminates the need for a VPN and ensures that your origin server is never directly exposed to the Internet. + +## Limitations + +- Cloudflare Access authentication applies to HTTP and HTTPS applications exposed via public hostnames. For non-HTTP protocols (such as SSH, RDP, or SMB), refer to the protocol-specific [use cases](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/). +- JWT validation at the tunnel level (the `access` origin parameter) only applies to L7 requests on public hostname routes. It does not apply to private network routes. + +## Get started + +For step-by-step instructions on publishing an application through a tunnel and securing it with Access, refer to [Publish a self-hosted application to the Internet](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). + +To set up a tunnel for your origin, refer to [Create a remotely-managed tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/). + +## Related resources + +- [Access policies](/cloudflare-one/access-controls/policies/) — Configure rules based on identity, device posture, location, and more. +- [Identity providers](/cloudflare-one/integrations/identity-providers/) — Integrate your IdP (Okta, Azure AD, Google Workspace, and others) with Cloudflare Access. +- [Validate Access JWTs](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) — Verify the Access JWT in your application code for end-to-end authentication. +- [`access` origin parameter](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#access) — Configure `cloudflared` to validate Access JWTs before proxying traffic. +- [Secure application delivery design guide](/reference-architecture/design-guides/secure-application-delivery/) — Reference architecture combining Tunnel, Access, and other Cloudflare services. diff --git a/src/content/docs/cloudflare-tunnel/integrations/index.mdx b/src/content/docs/cloudflare-tunnel/integrations/index.mdx new file mode 100644 index 000000000000000..ab4eb17072ea44d --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/integrations/index.mdx @@ -0,0 +1,53 @@ +--- +pcx_content_type: navigation +title: Integrations +sidebar: + order: 5 +description: Use Cloudflare Tunnel with other Cloudflare products and services. +--- + +import { DirectoryListing, LinkTitleCard, CardGrid } from "~/components"; + +Cloudflare Tunnel integrates with several Cloudflare products to provide secure origin connectivity, private network access, and high availability for your applications. + + + +## Additional integrations + +The following products also integrate with Cloudflare Tunnel. Refer to each product's documentation for setup instructions. + + + + + Use Tunnel to securely connect your key server to Cloudflare without exposing + it to the public Internet. + + + + Establish TLS 1.3 tunnels with post-quantum key agreement between your data + centers and Cloudflare. + + + + Restrict tunnel connectivity to specific regions for data residency + requirements. + + + + Use Tunnel as a fallback origin for SaaS provider architectures with Regional + Services. + + + diff --git a/src/content/docs/cloudflare-tunnel/integrations/load-balancing.mdx b/src/content/docs/cloudflare-tunnel/integrations/load-balancing.mdx new file mode 100644 index 000000000000000..93c18c034e9e77a --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/integrations/load-balancing.mdx @@ -0,0 +1,40 @@ +--- +pcx_content_type: integration-guide +title: Load Balancing +sidebar: + order: 2 +description: Use Cloudflare Tunnel as origin endpoints in Load Balancer pools for high availability and intelligent traffic steering. +--- + +[Cloudflare Load Balancing](/load-balancing/) distributes traffic across multiple origins using health checks, steering algorithms, and failover logic. When combined with Cloudflare Tunnel, you can load balance traffic to origins that do not have publicly routable IP addresses. + +## How it works + +Each Cloudflare Tunnel is assigned a subdomain of `cfargotunnel.com` using the tunnel's UUID. You add this subdomain as an [endpoint address](/load-balancing/understand-basics/load-balancing-components/#endpoints) in a Load Balancer pool, and specify the application hostname in the [endpoint host header](/load-balancing/additional-options/override-http-host-headers/). + +This allows Cloudflare to steer traffic across multiple tunnels — typically one tunnel per data center or cloud region — using latency-based, geolocation, or other [steering algorithms](/load-balancing/understand-basics/traffic-steering/). + +## Architecture patterns + +### Single tunnel with replicas + +For basic high availability, deploy multiple [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) of the same tunnel. Cloudflare routes requests to the geographically closest replica. This approach does not require Load Balancing. + +### Multiple tunnels with Load Balancer + +For intelligent traffic steering and health-check-based failover, create separate tunnels per data center and add each as an endpoint in a Load Balancer pool. This provides: + +- Active health monitoring per tunnel +- Automatic failover when a tunnel becomes unhealthy +- Traffic distribution based on your chosen steering algorithm +- Session affinity options + +## Get started + +For step-by-step setup instructions, refer to [Public load balancers](/cloudflare-tunnel/routing/load-balancers/). + +## Related resources + +- [Tunnel availability and failover](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) — When to use replicas versus load balancers. +- [Load Balancing with Tunnel](/load-balancing/additional-options/cloudflare-tunnel/) — Load Balancing product documentation for tunnel endpoints. +- [Load Balancing reference architecture](/reference-architecture/architectures/load-balancing/) — Design patterns for load balancing with tunnels. diff --git a/src/content/docs/cloudflare-tunnel/integrations/spectrum.mdx b/src/content/docs/cloudflare-tunnel/integrations/spectrum.mdx new file mode 100644 index 000000000000000..1749163be4b6a9b --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/integrations/spectrum.mdx @@ -0,0 +1,27 @@ +--- +pcx_content_type: integration-guide +title: Spectrum +sidebar: + order: 3 +description: Route Spectrum application traffic through Cloudflare Tunnel for HTTP and HTTPS origins. +--- + +[Cloudflare Spectrum](/spectrum/) extends Cloudflare's DDoS protection and traffic acceleration to non-HTTP protocols such as TCP and UDP. You can route Spectrum application traffic to origins connected via Cloudflare Tunnel. + +## How it works + +You can route traffic from a Spectrum application to a Cloudflare Tunnel origin using either: + +- A **DNS record** — Create a CNAME record pointing to `.cfargotunnel.com` and configure the Spectrum application to use that hostname. +- A **Load Balancer** — Add the tunnel as an endpoint in a Load Balancer pool, then configure the Spectrum application to use the load balancer. + +## Limitations + +Cloudflare Tunnel integration with Spectrum is only supported for **HTTP and HTTPS** applications. Direct TCP connections (such as connecting to a tunnel UUID subdomain over raw TCP) are not supported. + +For the full list of limitations, refer to the [Spectrum limitations documentation](/spectrum/reference/limitations/). + +## Related resources + +- [DNS records for tunnel routing](/cloudflare-tunnel/routing/dns/) — Create CNAME records for your tunnel. +- [Public load balancers](/cloudflare-tunnel/routing/load-balancers/) — Add tunnel endpoints to load balancer pools. diff --git a/src/content/docs/cloudflare-tunnel/integrations/workers-vpc.mdx b/src/content/docs/cloudflare-tunnel/integrations/workers-vpc.mdx new file mode 100644 index 000000000000000..bc38fdfdee23719 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/integrations/workers-vpc.mdx @@ -0,0 +1,33 @@ +--- +pcx_content_type: integration-guide +title: Workers VPC +sidebar: + order: 1 +description: Use Cloudflare Tunnel with Workers VPC to access private databases, APIs, and services from Cloudflare Workers. +--- + +[Workers VPC](/workers-vpc/) enables Cloudflare Workers to access private resources — such as databases, internal APIs, and other services — in your infrastructure. Cloudflare Tunnel serves as the connectivity layer, establishing a secure outbound connection from your private network to Cloudflare. + +## How it works + +1. You deploy `cloudflared` in your private network (for example, within a VPC on AWS, GCP, or Azure). +2. `cloudflared` creates an outbound-only tunnel to Cloudflare's global network, exposing the private IP ranges of your services. +3. Workers VPC bindings in your Worker code connect to these private services through the tunnel, without requiring any public endpoints. + +This architecture allows Workers to reach internal databases, REST APIs, gRPC services, and other TCP-based resources that are not exposed to the Internet. + +## Get started + +To set up Tunnel for Workers VPC: + +1. [Create a Cloudflare Tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/) and install `cloudflared` in your private network. +2. Follow the [Workers VPC getting started guide](/workers-vpc/get-started/) to configure VPC Services and bind them to your Worker. + +For detailed tunnel configuration specific to Workers VPC, refer to the [Workers VPC tunnel documentation](/workers-vpc/configuration/tunnel/). + +## Related resources + +- [Workers VPC hardware requirements](/workers-vpc/configuration/tunnel/hardware-requirements/) — Sizing guidance for `cloudflared` replicas in Workers VPC deployments. +- [Connect to a private API](/workers-vpc/examples/private-api/) — Example of accessing a private API from a Worker via Tunnel. +- [Connect to a private S3 bucket](/workers-vpc/examples/private-s3-bucket/) — Example of accessing a private S3 bucket from a Worker via Tunnel. +- [Hyperdrive + Tunnel](/hyperdrive/configuration/connect-to-private-database/) — Connect Hyperdrive to a private database using Cloudflare Tunnel. diff --git a/src/content/docs/cloudflare-tunnel/monitor-tunnels/index.mdx b/src/content/docs/cloudflare-tunnel/monitor-tunnels/index.mdx new file mode 100644 index 000000000000000..a6ba333ef5b74eb --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/monitor-tunnels/index.mdx @@ -0,0 +1,11 @@ +--- +pcx_content_type: navigation +title: Monitor tunnels +sidebar: + order: 9 + +--- + +import { DirectoryListing } from "~/components" + + diff --git a/src/content/docs/cloudflare-tunnel/monitor-tunnels/logs.mdx b/src/content/docs/cloudflare-tunnel/monitor-tunnels/logs.mdx new file mode 100644 index 000000000000000..7fc558f84c8f20c --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/monitor-tunnels/logs.mdx @@ -0,0 +1,94 @@ +--- +pcx_content_type: reference +title: Log streams +sidebar: + order: 1 +head: + - tag: title + content: Tunnel log streams +--- + +Tunnel logs record all activity between a `cloudflared` instance and Cloudflare's global network, as well as all activity between `cloudflared` and your origin server. These logs allow you to investigate connectivity or performance issues with a Cloudflare Tunnel. You can configure your server to store persistent logs, or you can stream real-time logs from any client machine. + +## View logs on the server + +If you have access to the origin server, you can use the [`--loglevel` flag](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) to enable logging when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not store logs on the server. You can optionally use the [`--logfile` flag](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#logfile) to write your logs to a file. + +To enable logs for a locally-managed tunnel: + +```sh +cloudflared tunnel --loglevel info --logfile cloudflared.log run +``` + +To enable logs for a remotely-managed tunnel, add `--loglevel info` and `--logfile ` to your system service as shown in [Add tunnel run parameters](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters). + +## View logs on your local machine + +You can view real-time logs for a Cloudflare Tunnel via the dashboard or from any machine that has `cloudflared` installed. With remote log streams, you do not need to SSH into the server that is running the tunnel. To get remote logs, the tunnel must be active and able to receive requests. + +### Dashboard + +:::note +Tunnel log streams require [edit permissions](/fundamentals/manage-members/roles/) for Cloudflare Tunnel. Due to the sensitive nature of these logs, read-only roles (such as `Zero Trust Read Only`) do not have access. +::: + +Dashboard log streams are only available for remotely-managed tunnels. To view logs from the dashboard: + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels** and select a remotely-managed tunnel. +2. In the sidebar, select the **Connector ID** for the `cloudflared` instance you want to view. +3. Select **Begin log stream**. + +### CLI + +The `cloudflared` daemon can stream logs from any tunnel in your account to the local command line. `cloudflared` must be installed on both your local machine and the origin server. + +#### View logs + +1. On your local machine, authenticate `cloudflared` to your Cloudflare One account: + + ```sh + cloudflared tunnel login + ``` + +2. Run `cloudflared tail` for a specific tunnel: + + ```sh + cloudflared tail + ``` + + For a more structured view of the JSON message, you can pipe the output to tools like [jq](https://stedolan.github.io/jq/): + + ```sh + cloudflared tail --output=json | jq . + ``` + +#### Filter logs + +You can filter logs by event type (`--event`), event level (`--level`), or sampling rate (`-sampling`) to reduce the volume of logs streamed from the origin. This helps mitigate the performance impact on the origin, especially when the origin is normally under high load. For example: + +```sh +cloudflared tail --level debug +``` + +| Flag | Description | Allowed values | Default value | +| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------- | +| `--event` | Filter by the type of event / request. | `cloudflared`, `http`, `tcp`, `udp` | All events | +| `--level` | Return logs at this level and above. Works independently of the [`--loglevel`](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) setting on the server. | `debug`, `info`, `warn`, `error`, `fatal` | `debug` | +| `--sampling` | Sample a fraction of the total logs. | Number from `0.0` to `1.0` | `1.0` | +| | | | | + +#### View logs for a replica + +If you are running multiple `cloudflared` instances for the same tunnel (also known as [replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/)), you must specify an individual instance to stream logs from: + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels** and select your tunnel. +2. Find the **Connector ID** for the `cloudflared` instance you want to view. +3. Specify the Connector ID in `cloudflared tail`: + ```sh + cloudflared tail --connector-id + ``` + +### Performance considerations + +- The logging session will only be held open for one hour. All logging systems introduce some level of performance overhead, and this limit helps prevent long term impact to your tunnel's end-to-end latencies. +- When streaming logs for a high throughput tunnel, Cloudflare intentionally prioritizes service stability over log delivery. To reduce the number of dropped logs, try [requesting fewer logs](#filter-logs). To ensure that you are seeing all logs, [view logs on the server](/cloudflare-tunnel/monitor-tunnels/logs/#view-logs-on-the-server) instead of streaming the logs remotely. diff --git a/src/content/docs/cloudflare-tunnel/monitor-tunnels/metrics.mdx b/src/content/docs/cloudflare-tunnel/monitor-tunnels/metrics.mdx new file mode 100644 index 000000000000000..bb1b6c26390ad3f --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/monitor-tunnels/metrics.mdx @@ -0,0 +1,111 @@ +--- +pcx_content_type: concept +title: Metrics +sidebar: + order: 7 +head: + - tag: title + content: Tunnel metrics +--- + +Tunnel metrics show a Cloudflare Tunnel's throughput and resource usage over time. When you run a tunnel, `cloudflared` will spin up a Prometheus metrics endpoint — an HTTP server that exposes metrics in [Prometheus](https://prometheus.io/docs/introduction/overview/) format. You can use the Prometheus toolkit on a remote machine to scrape metrics data from the `cloudflared` server. + +## Default metrics server address + +In non-containerized environments, `cloudflared` starts the metrics server on `127.0.0.1:/metrics`, where `` is the first available port in the range `20241` to `20245`. In case of all ports being unavailable then the fallback is to bind to a random port. In containerized environments such as Docker and Kubernetes, the default address is `0.0.0.0:/metrics`. + +To determine the default port being used by a `cloudflared` instance, you can check your [Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/) around the time when the tunnel started. For example: + +```text +2024-12-19T21:17:58Z INF Starting metrics server on 127.0.0.1:20241/metrics +``` + +## Configure the metrics server address + +To serve metrics on a custom IP address and port, perform these steps on the `cloudflared` host: + +1. Run the tunnel using the [--metrics](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#metrics) flag. Here is an example command for a locally-managed tunnel: + + ```sh + cloudflared tunnel --metrics 127.0.0.1:60123 run my-tunnel + ``` + + To learn how to add the `--metrics` flag to a remotely-managed tunnel, refer to [Configure a remotely-managed tunnel](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters). + + :::note + If you plan to fetch metrics from another machine on the local network, replace `127.0.0.1` with the internal IP of the `cloudflared` server (for example, `198.168.x.x`). To serve metrics on all available network interfaces, use `0.0.0.0`. + ::: + +2. Verify that the metrics server is running by going to `http://localhost:60123/metrics`. This will only work if you configured a localhost IP (`127.0.0.1` or `0.0.0.0`). + +You can now export the metrics to Prometheus and Grafana in order to visualize and query the data. Refer to our [tutorial](/cloudflare-one/tutorials/grafana/) for instructions on getting started with these tools. + +## Available metrics + +### cloudflared metrics + +| Name | Description | Type | Labels | +| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------- | ------------------------------------------ | +| `build_info` | Build and version information. | GAUGE | `goversion`, `revision`, `type`, `version` | +| `cloudflared_config_local_config_pushes` | Number of local configuration pushes to Cloudflare. | COUNTER | | +| `cloudflared_config_local_config_pushes_errors` | Number of errors that occurred during local configuration pushes. | COUNTER | | +| `cloudflared_orchestration_config_version` | Configuration version. | GAUGE | | +| `cloudflared_tcp_active_sessions` | Concurrent number of TCP sessions that are being proxied to any origin. | GAUGE | | +| `cloudflared_tcp_total_sessions` | Total number of TCP sessions that have been proxied to any origin. | COUNTER | | +| `cloudflared_tunnel_active_streams` | Total number of active streams. | GAUGE | | +| `cloudflared_tunnel_concurrent_requests_per_tunnel` | Concurrent number of requests proxied through each tunnel. | GAUGE | | +| `cloudflared_tunnel_ha_connections` | Number of active HA connections. | GAUGE | | +| `cloudflared_tunnel_request_errors` | Number of errors proxying to origin. | COUNTER | | +| `cloudflared_tunnel_server_locations` | Where each tunnel is connected to. `1` means current location, `0` means previous locations. | GAUGE | `connection_id`, `edge_location` | +| `cloudflared_tunnel_timer_retries` | Unacknowledged heart beats count. | GAUGE | | +| `cloudflared_tunnel_total_requests` | Number of requests proxied through all tunnels. | COUNTER | | +| `cloudflared_tunnel_tunnel_authenticate_success` | Number of successful tunnel authentication events. | COUNTER | | +| `cloudflared_tunnel_tunnel_register_success` | Number of successful tunnel registrations. | COUNTER | `rpcName` | +| `cloudflared_udp_active_sessions` | Concurrent number of UDP sessions that are being proxied to any origin. | GAUGE | | +| `cloudflared_udp_total_sessions` | Total number of UDP sessions that have been proxied to any origin. | COUNTER | | +| `coredns_panics_total` | Number of panics. | COUNTER | | +| `quic_client_closed_connections` | Number of connections that have been closed. | COUNTER | | +| `quic_client_latest_rtt` | Latest round-trip time (RTT) measured on a connection. | GAUGE | `conn_index` | +| `quic_client_lost_packets` | Number of packets that have been lost from a connection. | COUNTER | `conn_index`, `reason` | +| `quic_client_min_rtt` | Lowest RTT measured on a connection in ms. | GAUGE | `conn_index` | +| `quic_client_packet_too_big_dropped` | Number of packets received from origin that are too big to send to Cloudflare and are dropped as a result. | COUNTER | | +| `quic_client_smoothed_rtt` | Smoothed RTT calculated for a connection in ms. | GAUGE | `conn_index` | +| `quic_client_total_connections` | Number of connections initiated. For all QUIC metrics, client means the side initiating the connection. | COUNTER | | + +### Prometheus metrics + +| Name | Description | Type | Labels | +| -------------------------------------------- | -------------------------------------------- | ------- | ------ | +| `promhttp_metric_handler_requests_in_flight` | Current number of scrapes being served. | GAUGE | | +| `promhttp_metric_handler_requests_total` | Total number of scrapes by HTTP status code. | COUNTER | `code` | +| | | | | + +### Go runtime metrics + +| Name | Description | Type | Labels | +| ---------------------------------- | ------------------------------------------------------------------ | ------- | --------- | +| `go_gc_duration_seconds` | A summary of the pause duration of garbage collection cycles. | SUMMARY | | +| `go_goroutines` | Number of goroutines that currently exist. | GAUGE | | +| `go_info` | Information about the Go environment. | GAUGE | `version` | +| `go_memstats_alloc_bytes` | Number of bytes allocated and still in use. | GAUGE | | +| `go_memstats_alloc_bytes_total` | Total number of bytes allocated, even if freed. | COUNTER | | +| `go_memstats_buck_hash_sys_bytes` | Number of bytes used by the profiling bucket hash table. | GAUGE | | +| `go_memstats_frees_total` | Total number of frees. | COUNTER | | +| `go_memstats_gc_sys_bytes` | Number of bytes used for garbage collection system metadata. | GAUGE | | +| `go_memstats_heap_alloc_bytes` | Number of heap bytes allocated and still in use. | GAUGE | | +| `go_memstats_heap_idle_bytes` | Number of heap bytes waiting to be used. | GAUGE | | +| `go_memstats_heap_inuse_bytes` | Number of heap bytes that are in use. | GAUGE | | +| `go_memstats_heap_objects` | Number of allocated objects. | GAUGE | | +| `go_memstats_heap_released_bytes` | Number of heap bytes released to OS. | GAUGE | | +| `go_memstats_heap_sys_bytes` | Number of heap bytes obtained from system. | GAUGE | | +| `go_memstats_last_gc_time_seconds` | Number of seconds since 1970 of last garbage collection. | GAUGE | | +| `go_memstats_lookups_total` | Total number of pointer lookups. | COUNTER | | +| `go_memstats_mallocs_total` | Total number of mallocs. | COUNTER | | +| `go_memstats_mcache_inuse_bytes` | Number of bytes in use by mcache structures. | GAUGE | | +| `go_memstats_mcache_sys_bytes` | Number of bytes used for mcache structures obtained from system. | GAUGE | | +| `go_memstats_mspan_inuse_bytes` | Number of bytes in use by mspan structures. | GAUGE | | +| `go_memstats_mspan_sys_bytes` | Number of bytes used for mspan structures obtained from system. | GAUGE | | +| `go_memstats_next_gc_bytes` | Number of heap bytes when next garbage collection will take place. | GAUGE | | +| `go_memstats_other_sys_bytes` | Number of bytes used for other system allocations. | GAUGE | | +| `go_memstats_stack_inuse_bytes` | Number of bytes in use by the stack allocator. | GAUGE | | +| | | | | diff --git a/src/content/docs/cloudflare-tunnel/monitor-tunnels/notifications.mdx b/src/content/docs/cloudflare-tunnel/monitor-tunnels/notifications.mdx new file mode 100644 index 000000000000000..4b5b1524dcb249a --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/monitor-tunnels/notifications.mdx @@ -0,0 +1,19 @@ +--- +pcx_content_type: concept +title: Notifications +sidebar: + order: 1 + +--- + +import { AvailableNotifications } from "~/components" + +Administrators can receive an alert when Cloudflare Tunnels in an account change their health or deployment status. Notifications can be delivered via email, webhook, and third-party services. + +## Manage notifications + +Tunnel notifications are configured on the [Cloudflare dashboard](https://dash.cloudflare.com/). For more information, refer to [Create a notification](/notifications/get-started/#create-a-notification). + +## Available notifications + + diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/index.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/index.mdx new file mode 100644 index 000000000000000..de32fa78e5b51f1 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/index.mdx @@ -0,0 +1,14 @@ +--- +pcx_content_type: navigation +title: Other tunnel types +sidebar: + order: 11 +--- + +import { DirectoryListing } from "~/components"; + +Cloudflare recommends creating a [remotely-managed tunnel](/cloudflare-tunnel/get-started/) for most use cases. Remotely-managed tunnels store their configuration on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. + +The following pages cover alternative tunnel workflows that are intended for specific scenarios such as local development, testing, or legacy configurations. + + diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/index.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/index.mdx new file mode 100644 index 000000000000000..93da2df62587c70 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/index.mdx @@ -0,0 +1,15 @@ +--- +pcx_content_type: navigation +title: Run as a service +sidebar: + order: 4 + +--- + +import { DirectoryListing } from "~/components" + +You can install `cloudflared` as a system service on Linux and Windows, and as a launch agent on macOS. In most cases, we recommend running `cloudflared` as a service. Running as a service helps ensure the availability of `cloudflared` to your origin by allowing the program to start at boot and continue running while your origin is online. + +Follow our guides to set up and run `cloudflared` as a service in your environment: + + diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx new file mode 100644 index 000000000000000..17871b6b2d0167d --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx @@ -0,0 +1,61 @@ +--- +pcx_content_type: how-to +title: Linux +sidebar: + order: 31 +head: + - tag: title + content: Run as a service on Linux +--- + +You can install `cloudflared` as a system service on Linux. + +## Prerequisites + +Before you install Cloudflare Tunnel as a service on Linux, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `.cloudflared` directory. + +## 1. Configure `cloudflared` as a service + +By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: + +| Argument | Description | +| ------------------ | ---------------------------------------------------- | +| `tunnel` | The UUID of your tunnel | +| `credentials-file` | The location of the credentials file for your Tunnel | + +## 2. Run `cloudflared` as a service + +1. Install the `cloudflared` service. + + ```sh + cloudflared service install + ``` + + :::note + Installing the `cloudflared` systemd service on Linux typically requires elevated privileges. When the install command is run with `sudo`, `$HOME` points to `/root`, which may prevent `cloudflared` from locating a configuration file created in `/home//.cloudflared/config.yml`. In this case, the config path can be passed explicitly: + + ```sh + sudo cloudflared --config /home//.cloudflared/config.yml service install + ``` + + ::: + +2. Start the service. + + ```sh + systemctl start cloudflared + ``` + +3. (Optional) View the status of the service. + + ```sh + systemctl status cloudflared + ``` + +## Next steps + +You can now [route traffic through your tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: + +```sh +systemctl restart cloudflared +``` diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx new file mode 100644 index 000000000000000..cbd0856bc9f776a --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx @@ -0,0 +1,67 @@ +--- +pcx_content_type: how-to +title: macOS +sidebar: + order: 31 +head: + - tag: title + content: Run as a service on macOS +--- + +You can install `cloudflared` as a system service on macOS. + +## Prerequisites + +Before you install Cloudflare Tunnel as a service on your OS, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `$HOME/.cloudflared` directory. + +## 1. Configure `cloudflared` as a service + +By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: + +| Argument | Description | +| ------------------ | ---------------------------------------------------- | +| `tunnel` | The UUID of your tunnel | +| `credentials-file` | The location of the credentials file for your tunnel | + +## 2. Run `cloudflared` as a service + +You can install the service to either run at login or at boot. + +### Run at login + +Open a terminal window and run the following command: + +```sh +cloudflared service install +``` + +Cloudflare Tunnel will be installed as a launch agent and start whenever you log in, using your local user configuration found in `~/.cloudflared/`. + +### Run at boot + +Open a terminal window and run the following command: + +```sh +sudo cloudflared service install +``` + +Cloudflare Tunnel will be installed as a launch daemon and start whenever your system boots, using your configuration found in `/etc/cloudflared`. + +## 3. Manually start the service + +Run the following command: + +```sh +sudo launchctl start com.cloudflare.cloudflared +``` + +The output will be logged to `/Library/Logs/com.cloudflare.cloudflared.err.log` and `/Library/Logs/com.cloudflare.cloudflared.out.log`. + +## Next steps + +You can now [route traffic through your tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: + +```sh +sudo launchctl stop com.cloudflare.cloudflared +sudo launchctl start com.cloudflare.cloudflared +``` diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx new file mode 100644 index 000000000000000..68ed5e26553a872 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx @@ -0,0 +1,132 @@ +--- +pcx_content_type: how-to +title: Windows +sidebar: + order: 31 +head: + - tag: title + content: Run as a service on Windows +--- + +You can install `cloudflared` as a system service on Windows. + +## Configure `cloudflared` as a service + +By default, Cloudflare Tunnel expects all of the configuration to exist in the `%USERPROFILE%\.cloudflared\config.yml` [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: + +| Argument | Description | +| ------------------ | ---------------------------------------------------- | +| `tunnel` | The UUID of your tunnel | +| `credentials-file` | The location of the credentials file for your tunnel | + +## Run `cloudflared` as a service + +1. [Download](/cloudflare-tunnel/downloads/) the latest `cloudflared` version. + +2. Create a new directory: + + ```bash + C:\Cloudflared\bin + ``` + +3. Copy the `.exe` file you downloaded in step 1 to the new directory and rename it to `cloudflared.exe`. + +4. Open CMD as an administrator and go to `C:\Cloudflared\bin`. + +5. Run this command to install `cloudflared`: + + ```bash + cloudflared.exe service install + ``` + +6. Next, run this command to create another directory: + + ```bash + mkdir C:\Windows\System32\config\systemprofile\.cloudflared + ``` + +7. Log in and authenticate `cloudflared`: + + ```bash + cloudflared.exe login + ``` + +8. The login command will generate a `cert.pem` file and save it to your user profile by default. Copy the file to the `.cloudflared` folder created in step 5 using this command: + + ```bash + copy C:\Users\%USERNAME%\.cloudflared\cert.pem C:\Windows\System32\config\systemprofile\.cloudflared\cert.pem + ``` + +9. Next, create a tunnel: + + ```bash + cloudflared.exe tunnel create + ``` + + This will generate a [credentials file](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#credentials-file) in `.json` format. + +10. [Create a configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#4-create-a-configuration-file) with the following content: + + ```txt + tunnel: + credentials-file: C:\Windows\System32\config\systemprofile\.cloudflared\.json + # Uncomment the following two lines if you are using self-signed certificates in your origin server + # originRequest: + # noTLSVerify: true + + ingress: + - hostname: app.mydomain.com + service: https://internal.mydomain.com + - service: http_status:404 + logfile: C:\Cloudflared\cloudflared.log + ``` + +11. Copy the credentials file to the folder created in step 6: + + ```bash + copy C:\Users\%USERNAME%\.cloudflared\.json C:\Windows\System32\config\systemprofile\.cloudflared\.json + ``` + +12. Validate the ingress rule entries in your configuration file using the command: + + ```bash + cloudflared.exe tunnel ingress validate + ``` + +13. In the Registry Editor, go to `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cloudflared`. + +14. In the Cloudflared registry entry, modify `ImagePath` to point to the `cloudflared.exe` and `config.yml` files. Make sure that there are no extra spaces or characters while you modify the registry entry, as this could cause problems with starting the service. + + ```bash + C:\Cloudflared\bin\cloudflared.exe --config=C:\Windows\System32\config\systemprofile\.cloudflared\config.yml tunnel run + ``` + +15. If the service does not start, run the following command from `C:\Cloudflared\bin`: + + ```bash + sc start cloudflared + ``` + + You will see the output below: + + ```txt + SERVICE_NAME: cloudflared + TYPE : 10 WIN32_OWN_PROCESS + STATE : 2 START_PENDING + (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x7d0 + PID : 3548 + FLAGS : + ``` + +## Next steps + +You can now [route traffic through your tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: + +```bash +sc stop cloudflared +sc start cloudflared +``` diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file.mdx new file mode 100644 index 000000000000000..130d95dfa2fb5e8 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file.mdx @@ -0,0 +1,166 @@ +--- +pcx_content_type: reference +title: Configuration file +sidebar: + order: 2 +--- + +:::note + +[Quick tunnels](/cloudflare-tunnel/get-started/tunnel-useful-terms/#quick-tunnels) do not need a configuration file. + +::: + +Locally-managed tunnels run as an instance of `cloudflared` on your machine. You can configure `cloudflared` properties by modifying [command line parameters](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/) or by editing the tunnel [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#4-create-a-configuration-file). + +The CLI provides a quick way to handle configurations if you are connecting a single service through `cloudflared`. The tunnel configuration file is useful if you are connecting multiple services and need to configure properties or exceptions for specific origins. In the configuration file, you can define top-level properties for your `cloudflared` instance as well as [origin-specific properties](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). For a full list of configuration options, type `cloudflared tunnel help` in your terminal. + +In the absence of a configuration file, `cloudflared` will proxy outbound traffic through port `8080`. + +:::note +To configure `warp-routing` for private network access via Zero Trust, refer to the [Cloudflare Tunnel for SASE configuration file documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-private-networks). +::: + +## File structure for published applications + +If you are exposing local services to the Internet, you can assign a public hostname to each service: + +```yml +tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef +credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json + +ingress: + - hostname: gitlab.widgetcorp.tech + service: http://localhost:80 + - hostname: gitlab-ssh.widgetcorp.tech + service: ssh://localhost:22 + - service: http_status:404 +``` + +Configuration files that contain ingress rules must always include a catch-all rule that concludes the file. In this example, `cloudflared` will respond with a `404` status code when the request does not match any of the previous hostnames. + +### How traffic is matched + +When `cloudflared` receives an incoming request, it evaluates each ingress rule from top to bottom to find which rule matches the request. Rules can match either the hostname or path of an incoming request, or both. If a rule does not specify a hostname, all hostnames will be matched. If a rule does not specify a path, all paths will be matched. + +The last ingress rule must be a catch-all rule that matches all traffic. + +Here is an example configuration file that specifies several rules: + +```yml +tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef +credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json + +ingress: + # Rules map traffic from a hostname to a local service: + - hostname: example.com + service: https://localhost:8000 + # Rules can match the request's path to a regular expression: + - hostname: static.example.com + path: \.(jpg|png|css|js)$ + service: https://localhost:8001 + # Rules can match the request's hostname to a wildcard character: + - hostname: "*.example.com" + service: https://localhost:8002 + # An example of a catch-all rule: + - service: https://localhost:8003 +``` + +#### Wildcards + +You can use wildcards to match traffic to multiple subdomains. For example, if you set the `hostname` key to `*.example.com`, both `alpha.example.com` and `beta.example.com` will route traffic to your origin. `cloudflared` does not support wildcards in the middle of the hostname, such as `test.*.example.com`. + +You can also enter regular expressions for the `path` key. For example, if `hostname` is `static.example.com` and `path` is `\.(jpg|png|css|js)$`, matching URLs could include `https://static.example.com/data.js`, `http://static.example.com/images/photo.jpg`, and so on. Cloudflare parses the path regex using the [Go `syntax` package](https://pkg.go.dev/regexp/syntax). + +### Services + +In addition to HTTP, `cloudflared` supports protocols like SSH, RDP, arbitrary TCP services, and Unix sockets. You can also route traffic to the built-in `hello_world` test server or respond to traffic with an HTTP status. For a full list of supported service types, refer to [Protocols for published applications](/cloudflare-tunnel/routing/protocols/). + +```yml +tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef +credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json + +ingress: + # Example of a request over TCP: + - hostname: example.com + service: tcp://localhost:8000 + # Example of an HTTP request over a Unix socket: + - hostname: staging.example.com + service: unix:/home/production/echo.sock + # Example of a request mapping to the Hello World test server: + - hostname: test.example.com + service: hello_world + # Example of a rule responding to traffic with an HTTP status: + - service: http_status:404 +``` + +### Origin configuration + +If you need to proxy traffic to multiple origins within one instance of `cloudflared`, you can define the way `cloudflared` sends requests to each service by specifying [configuration options](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/) as part of your ingress rules. + +In the following example, the top-level configuration `connectTimeout: 30s` sets a 30-second connection timeout for all services within that instance of `cloudflared`. The ingress rule for `service: localhost:8002` then configures an exception to the top-level configuration by setting `connectTimeout` for that service at `10s`. The 30-second connection timeout still applies to all other services. + +```yml +tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef +credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json +originRequest: # Top-level configuration + connectTimeout: 30s + +ingress: + # The localhost:8000 service inherits all root-level configuration. + # In other words, it will use a connectTimeout of 30 seconds. + - hostname: example.com + service: localhost:8000 + - hostname: example2.com + service: localhost:8001 + # The localhost:8002 service overrides some root-level config. + - service: localhost:8002 + originRequest: + connectTimeout: 10s + disableChunkedEncoding: true + # Some built-in services such as `http_status` do not use any configuration. + # The service below will simply respond with HTTP 404. + - service: http_status:404 +``` + +### Validate ingress rules + +To validate the ingress rules in your configuration file, run: + +```sh +cloudflared tunnel ingress validate +``` + +This will ensure that the set of ingress rules specified in your config file is valid. + +### Test ingress rules + +To verify that `cloudflared` will proxy the right traffic to the right local service, use `cloudflared tunnel ingress rule`. This checks a URL against every rule, from first to last, and shows the first rule that matches. For example: + +```sh +cloudflared tunnel ingress rule https://foo.example.com +``` + +```sh output +Using rules from /usr/local/etc/cloudflared/config.yml +Matched rule #3 + hostname: *.example.com + service: https://localhost:8000 +``` + +## Update a configuration file + +When making changes to the configuration file for a given tunnel, we suggest relying on [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) to propagate the new configuration with minimal downtime. + +1. Have a `cloudflared` instance running with the original version of the configuration file. +2. Start a `cloudflared` replica running with the updated version of the configuration file. +3. Wait for the replica to be fully running and usable. +4. Stop the first instance of `cloudflared`. + +Your `cloudflared` will now be running with the updated version of your configuration file. + +:::note[Traffic handling] + +When the first instance of `cloudflared` is stopped, long-lived HTTP requests (for example, Websocket) and TCP connections (for example, SSH) will be dropped. UDP flows will also be dropped, as they are modeled based on timeouts. When the new replica connects, it will handle all new traffic, including new HTTP requests, TCP connections, and UDP flows. + +::: diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx new file mode 100644 index 000000000000000..635b4ac80929cb3 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx @@ -0,0 +1,212 @@ +--- +title: Create a locally-managed tunnel +pcx_content_type: how-to +sidebar: + order: 1 +--- + +import { Render, TabItem, Tabs } from "~/components"; + +Follow this step-by-step guide to get your first tunnel up and running using the CLI. + + + +## Prerequisites + +Before you start, make sure you: + +- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/). +- [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/). + +## 1. Download and install `cloudflared` + + + +1. Download `cloudflared` on your machine. Visit the [downloads](/cloudflare-tunnel/downloads/) page to find the right package for your OS. + +2. Rename the executable to `cloudflared.exe` + +3. In PowerShell, change directory to your Downloads folder and run `.\cloudflared.exe --version`. It should output the version of `cloudflared`. Note that `cloudflared.exe` could be `cloudflared-windows-amd64.exe` or `cloudflared-windows-386.exe` if you have not renamed it. + +```powershell +PS C:\Users\Administrator\Downloads\cloudflared-stable-windows-amd64> .\cloudflared.exe --version +``` + + + +To download and install `cloudflared`: + +```sh +brew install cloudflared +``` + +Alternatively, you can [download the latest Darwin amd64 release](/cloudflare-tunnel/downloads/) directly. + + + +**Debian and Ubuntu APT** + +Use the apt package manager to install `cloudflared` on compatible machines. + + + +**RHEL RPM** + +Use the rpm package manager to install `cloudflared` on compatible machines. + +1. Add Cloudflare's repository: + +```sh +curl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo +``` + +2. Update repositories and install cloudflared: + +```sh +sudo yum update && sudo yum install cloudflared +``` + +**Arch Linux** + +`cloudflared` is in the Arch Linux [`community` repository](https://wiki.archlinux.org/title/official_repositories#community). +Use `pacman` to install `cloudflared` on compatible machines. + +```sh +pacman -Syu cloudflared +``` + +**Other** + +Alternatively you can download the `cloudflared` binary or the linux packages to your machine and install manually. Visit the [downloads](/cloudflare-tunnel/downloads/) page to find the right package for your OS. + + + +To build the latest version of `cloudflared` from source: + +```sh +git clone https://github.com/cloudflare/cloudflared.git +cd cloudflared +make cloudflared +go install github.com/cloudflare/cloudflared/cmd/cloudflared +``` + +Depending on where you installed `cloudflared`, you can move it to a known path as well. + +```sh +mv /root/cloudflared/cloudflared /usr/bin/cloudflared +``` + + + +## 2. Authenticate `cloudflared` + +```sh +cloudflared tunnel login +``` + +Running this command will: + +- Open a browser window and prompt you to log in to your Cloudflare account. After logging in to your account, select your hostname. +- Generate an account certificate, the [cert.pem file](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem), in the [default `cloudflared` directory](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#default-cloudflared-directory). + +## 3. Create a tunnel and give it a name + +```sh +cloudflared tunnel create +``` + +Running this command will: + +- Create a tunnel by establishing a persistent relationship between the [name you provide](/cloudflare-tunnel/get-started/tunnel-useful-terms/#tunnel-name) and a [UUID](/cloudflare-tunnel/get-started/tunnel-useful-terms/#tunnel-uuid) for your tunnel. At this point, no connection is active within the tunnel yet. +- Generate a [tunnel credentials file](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#credentials-file) in the [default `cloudflared` directory](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem). +- Create a subdomain of `.cfargotunnel.com`. + +From the output of the command, take note of the tunnel's UUID and the path to your tunnel's credentials file. + +Confirm that the tunnel has been successfully created by running: + +```sh +cloudflared tunnel list +``` + +## 4. Create a configuration file + +1. In your `.cloudflared` directory, create a [`config.yml` file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/) using any text editor. This file will configure the tunnel to route traffic from a given origin to the hostname of your choice. + +2. Add the following fields to the file: + +**If you are connecting an application:** + +```yml +url: http://localhost:8000 +tunnel: +credentials-file: /root/.cloudflared/.json +``` + +**If you are connecting a private network:** + +```yml +tunnel: +credentials-file: /root/.cloudflared/.json +warp-routing: + enabled: true +``` + +3. Confirm that the configuration file has been successfully created by running: + + ```sh + cat config.yml + ``` + +## 5. Start routing traffic + +1. Now assign a `CNAME` record that points traffic to your tunnel subdomain: + - If you are connecting an application, route the service to a [published application](/cloudflare-tunnel/routing/): + + ```sh + cloudflared tunnel route dns + ``` + + - If you are connecting a [private network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/), route an IP address or CIDR through the tunnel: + + ```sh + cloudflared tunnel route ip add + ``` + +2. Confirm that the route has been successfully established: + + ```sh + cloudflared tunnel route ip show + ``` + +## 6. Run the tunnel + +Run the tunnel to proxy incoming traffic from the tunnel to any number of services running locally on your origin. + +```sh +cloudflared tunnel run +``` + +If your configuration file has a custom name or is not in the `.cloudflared` directory, add the `--config` flag and specify the path. + +```sh +cloudflared tunnel --config /path/your-config-file.yml run +``` + +:::note + +Cloudflare Tunnel can install itself as a system service on Linux and Windows and as a launch agent on macOS. For more information, refer to [run as a service](/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/). + +::: + +## 7. Check the tunnel + +Your tunnel configuration is complete! If you want to get information on the tunnel you just created, you can run: + +```sh +cloudflared tunnel info +``` + +You can now [route traffic](/cloudflare-tunnel/routing/) to your tunnel using Cloudflare DNS or [determine who can reach your tunnel](/cloudflare-one/access-controls/policies/) with Cloudflare Access. + + diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/index.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/index.mdx new file mode 100644 index 000000000000000..b186217c40e2652 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/index.mdx @@ -0,0 +1,16 @@ +--- +pcx_content_type: navigation +title: Locally-managed tunnels +sidebar: + order: 2 +--- + +import { DirectoryListing } from "~/components"; + +A locally-managed tunnel is a Cloudflare Tunnel created by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory). + +:::note +Cloudflare recommends setting up a [remotely-managed tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/). Remotely-managed configurations are stored on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. +::: + + diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx new file mode 100644 index 000000000000000..361ac6acff7ab4d --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx @@ -0,0 +1,35 @@ +--- +pcx_content_type: reference +title: Useful terms +sidebar: + order: 10 +--- + +This page contains terminology specific to locally-managed Cloudflare Tunnels. For general Tunnel terminology, refer to the [Get started section](/cloudflare-tunnel/get-started/tunnel-useful-terms/). + +## Default `cloudflared` directory + +`cloudflared` uses a default directory when storing credentials files for your tunnels, as well as the `cert.pem` file it generates when you run `cloudflared login`. The default directory is also where `cloudflared` will look for a [configuration file](#configuration-file) if no other file path is specified when running a tunnel. + +| OS | Path to default directory | +| --------------------------- | -------------------------------------------------------------------------------------- | +| Windows | `%USERPROFILE%\.cloudflared` | +| macOS and Unix-like systems | `~/.cloudflared`, `/etc/cloudflared`, and `/usr/local/etc/cloudflared`, in this order. | + +## Configuration file + +This is a YAML file that functions as the operating manual for `cloudflared`. `cloudflared` will automatically look for the configuration file in the [default `cloudflared` directory](#default-cloudflared-directory), but you can store your configuration file in any directory. It is recommended to always specify the file path for your configuration file whenever you reference it. By creating a configuration file, you can have fine-grained control over how their instance of `cloudflared` will operate. This includes operations like what you want `cloudflared` to do with traffic (for example, proxy websockets to port `xxxx` or SSH to port `yyyy`), where `cloudflared` should search for authorization (credentials file, tunnel token), and what mode it should run in (for example, [`warp-routing`](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)). In the absence of a configuration file, cloudflared will proxy outbound traffic through port `8080`. For more information on how to create, store, and structure a configuration file, refer to the [dedicated instructions](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). + +## Cert.pem + +This is the certificate file issued by Cloudflare when you run `cloudflared tunnel login`. This file uses a certificate to authenticate your instance of `cloudflared` and it is required when you create new tunnels, delete existing tunnels, change DNS records, or configure tunnel routing from cloudflared. This file is not required to perform actions such as running an existing tunnel or managing tunnel routing from the Cloudflare dashboard. Refer to the [Tunnel permissions page](/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions/) for more details on when this file is needed. + +The `cert.pem` origin certificate is valid for at least 10 years, and the service token it contains is valid until revoked. + +## Credentials file + +This file is created when you run `cloudflared tunnel create `. It stores your tunnel's credentials in JSON format, and is unique to each tunnel. This file functions as a token authenticating the tunnel it is associated with. Refer to the [Tunnel permissions page](/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions/) for more details on when this file is needed. + +## Ingress rule + +Ingress rules let you specify which local services traffic should be proxied to. If a rule does not specify a path, all paths will be matched. Ingress rules can be listed in your [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/) or when running `cloudflared tunnel ingress`. diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx new file mode 100644 index 000000000000000..84e40c030e2b60d --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx @@ -0,0 +1,34 @@ +--- +pcx_content_type: reference +title: Tunnel permissions +sidebar: + order: 8 +--- + +import { Render } from "~/components"; + +Tunnel permissions determine who can run and manage a Cloudflare Tunnel. Two files control permissions for a locally-managed tunnel: + +- **An account certificate** (`cert.pem`) is issued for a Cloudflare account when you login to `cloudflared`. Make sure you are intentional about the locations and machines you store this certificate on, as this certificate allows users to create, delete, and manage all tunnels for the account. +- **A tunnel credentials file** (`.json`) is issued for a tunnel when you create the tunnel. The credentials file only allows the user to run that specific tunnel, and do nothing else. Hence, as an admin, you can share tunnel credentials with users who will run the tunnel. + +Refer to the table below for a comparison between the two files and the purposes for which they are intended. + +| | Account certificate | Tunnel credential | +| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | +| **File name** | `cert.pem` | `.json` | +| **Purpose** | Authenticates your instance of `cloudflared` against your Cloudflare account | Authenticates the tunnel it is associated with | +| **Scope** | Account-wide | Tunnel-specific | +| **File type** | `.pem` | `.json` | +| **Stored in** | [Default directory](/cloudflare-tunnel/get-started/tunnel-useful-terms/#default-cloudflared-directory) | [Default directory](/cloudflare-tunnel/get-started/tunnel-useful-terms/#default-cloudflared-directory) | +| **Issued when running** | `cloudflared tunnel login` | `cloudflared tunnel create ` | +| **Valid for** | At least 10 years, and the service token it contains is valid until revoked | Does not expire | +| **Needed to** | Manage tunnels (for example, create, route, delete and list tunnels) | Run a tunnel. Create a config file. | + +## Tunnel ownership + +Tunnel ownership is bound to the Cloudflare account for which the `cert.pem` file was issued upon authenticating `cloudflared`. If a user in a Cloudflare account creates a tunnel, any other user in the same account who has access to the `cert.pem` file for the account can delete, list, or otherwise manage tunnels within it. + +## Account-scoped roles + + diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx new file mode 100644 index 000000000000000..a68c96fe0f90c1b --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx @@ -0,0 +1,42 @@ +--- +pcx_content_type: reference +title: Useful commands +sidebar: + order: 6 +--- + +This page lists the most commonly used commands for managing local tunnels. + +To view all CLI commands, refer to the CLI help text in your terminal. For example, to view all options for the `cloudflared tunnel` subcommand, type `cloudflared tunnel help`. + +## Manage tunnels + +| Command | Description | +| ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `cloudflared tunnel login` | Prompts a browser window where you can authenticate your tunnel to your Cloudflare account. | +| `cloudflared tunnel list` | Displays all active tunnels, their creation time, and associated connections. Use the `-d` flag to include deleted tunnels. | +| `cloudflared tunnel create ` | Creates a tunnel, registers it with the Cloudflare edge and generates a credential file to run this tunnel. | +| `cloudflared tunnel route` | Routes traffic through a tunnel. | +| `cloudflared tunnel route lb ` | Adds a tunnel as an endpoint in a [load balancer pool](/cloudflare-tunnel/routing/public-load-balancers/). A new load balancer and pool will be created if necessary.
  • ``: the public-facing hostname of the load balancer, for example `lb.example.com`
  • ``: the name of the [pool](/load-balancing/pools/create-pool/#create-a-pool) that will contain the tunnel endpoint
To load balance traffic to a [published application](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/#file-structure-for-published-applications), you will also need to specify the application hostname in the [endpoint host header](/load-balancing/additional-options/override-http-host-headers/) using the dashboard or API. | +| `cloudflared tunnel route ip add ` | Adds any network route space (represented as a CIDR) to your routing table. That network space becomes reachable for requests egressing from a user's machine as long as it is using Cloudflare WARP and is enrolled in the same account that is running the tunnel chosen here. Further, those requests will be proxied to the specified tunnel, and reach an IP in the given CIDR, as long as that IP is reachable from the tunnel. To assign the IP route to a specific [Virtual Network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/), use the `--vnet` option. | +| `cloudflared tunnel route ip show` (or `list`) | Shows your organization's private routing table. You can use additional flags to filter the results. | +| `cloudflared tunnel route ip delete` | Deletes the row for a given CIDR from your routing table. That portion of your network will no longer be reachable by the WARP client. | +| `cloudflared tunnel route ip get ` | Checks which row of the routing table will be used to proxy a given IP. This helps check and validate your configuration. | +| `cloudflared tunnel route dns` | Creates a DNS CNAME record hostname that points to the tunnel. | +| `cloudflared tunnel --config path/config.yaml run ` | Runs a tunnel, creating highly available connections between your server and the Cloudflare edge. You can provide name or UUID of the tunnel to run either as the last command line argument or in the configuration file using `tunnel: `. | +| `cloudflared tunnel info ` | Displays details about the active connectors for a given tunnel identified by name of UUID. | +| `cloudflared tunnel cleanup ` | Deletes connections for tunnels with the given UUIDs or names. This is useful if you get an error trying to delete or run a tunnel after `cloudflared` is not shut down gracefully (for example, if a `kill` command is issued). | +| `cloudflared tunnel cleanup --connector-id ` | Disconnects and deletes a [cloudflared replica](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) with the given connector ID. You can view all replicas for a tunnel by running `cloudflared tunnel info `. | +| `cloudflared tunnel delete ` | Deletes tunnels with the given name or UUID. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use the `-f` flag. | +| `cloudflared tunnel vnet add ` | Creates a Virtual Network to which IP routes can be assigned. To make this Virtual Network the default for your Zero Trust organization, use the `-d` flag. | +| `cloudflared tunnel vnet delete ` | Deletes the Virtual Network with the given name or UUID. Before you can delete a Virtual Network, you must first delete all IP routes assigned to the Virtual Network. | +| `cloudflared tunnel vnet list` | Displays all active Virtual Networks, the default Virtual Network, and their creation times. | +| `cloudflared tail ` | Start a session to livestream logs from a specific tunnel. For more information, refer to [Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/). | + +## Manage `cloudflared` + +| Command | Description | +| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `cloudflared update` | Looks for a new version on the official download server. If a new version exists, it updates the agent binary and quits. Otherwise, no action is performed. This command only works if `cloudflared` was installed from GitHub binaries or from source. For more information, refer to the [update instructions](/cloudflare-tunnel/downloads/update-cloudflared/). | +| `cloudflared version` | Prints the `cloudflared` version number and build date. | +| `cloudflared help` | Shows a list of all top-level commands for `cloudflared`. | diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/quick-tunnels.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/quick-tunnels.mdx new file mode 100644 index 000000000000000..3e4bc5c0e19d1b4 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/other-tunnel-types/quick-tunnels.mdx @@ -0,0 +1,54 @@ +--- +pcx_content_type: concept +title: Quick Tunnels +sidebar: + order: 5 +--- + +:::note +Quick Tunnels are intended for testing and development only. For production use, [create a remotely-managed tunnel](/cloudflare-tunnel/get-started/). +::: + +Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. TryCloudflare will launch a process that generates a random subdomain on `trycloudflare.com`. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost. + +## Use TryCloudflare + +1. Follow [these instructions](/cloudflare-tunnel/downloads/) to install `cloudflared`. If you have an older copy, update to 2020.5.1 or later. +2. Launch a web server that is available over localhost to `cloudflared`. +3. Run the following terminal command to start a free tunnel. + +```sh +cloudflared tunnel --url http://localhost:8080 +``` + +`cloudflared` will generate a random subdomain when connecting to the Cloudflare network and print it in the terminal for you to use and share. The output will serve traffic from the server on your local machine to the public Internet, using Cloudflare's Argo Smart Routing, at a public URL. + +:::note + +TryCloudflare quick tunnels are currently not supported if a `config.yaml` configuration file is present in the `.cloudflared` directory. It may be necessary to rename that file temporarily to use the feature. +::: + +## FAQ + +### What are some example use cases for TryCloudflare? + +- Create a web server for a project on your laptop that you want to share with others on different networks +- Test browser compatibility for a new site by creating a free Tunnel and testing the link in different browsers +- Run speed tests from different regions by using a tool like Pingdom or WebPageTest to connect to the randomly-generated subdomain created by TryCloudflare + +### Why does Cloudflare provide this service for free? + +- We want more users to experience the speed and security improvements of Cloudflare Tunnel (and Argo Smart Routing). We hope you test it with TryCloudflare and decide to add it to your production sites. +- Cloudflare's features historically require you to own a domain, set that domain's DNS to Cloudflare's nameservers, and configure its DNS records before you can begin to use any services. We hope to make more and more of our products available to trial without that burden. +- We don't guarantee any SLA or uptime of TryCloudflare - we plan to test new Cloudflare Tunnel features and improvements on these free tunnels. This provides us with a group of connections to test before we deploy to production customers. Free tunnels are meant to be used for testing and development, not for deploying a production website. + +### Limitations + +- Quick Tunnels are subject to a hard limit on the number of concurrent requests that can be proxied at any point in time. Currently, this limit is 200 in-flight requests. If a Quick Tunnel hits this limit, the HTTP response will return a `429` status code. +- Quick Tunnels do not support Server-Sent Events (SSE). + +These limitations only apply to Quick Tunnels. To avoid these limitations, [sign up](https://dash.cloudflare.com/sign-up) for a Cloudflare account and [create a Cloudflare Tunnel](/cloudflare-tunnel/get-started/). + +### Legal + +Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept the terms of the [Cloudflare License](/cloudflare-tunnel/downloads/license/), [Terms](https://www.cloudflare.com/terms/) and [Privacy Policy](https://www.cloudflare.com/privacypolicy/). diff --git a/src/content/docs/cloudflare-tunnel/routing/dns.mdx b/src/content/docs/cloudflare-tunnel/routing/dns.mdx new file mode 100644 index 000000000000000..6e226926e26d312 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/routing/dns.mdx @@ -0,0 +1,60 @@ +--- +pcx_content_type: how-to +title: DNS records +sidebar: + order: 2 +--- + +import { Render, TabItem, Tabs, DashButton } from "~/components"; + +When you create a tunnel, Cloudflare generates a subdomain of `cfargotunnel.com` with the UUID of the created tunnel. You can treat `.cfargotunnel.com` as if it were an origin target in the Cloudflare dashboard. + +Unlike publicly routable IP addresses, `.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. The Tunnel UUID is not secret information; if someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. + +## Create a DNS record for the tunnel + + + +To create a new DNS record for your tunnel: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and go to the **DNS Records** page for your domain. + + + +2. Select **Add record**. +3. Input the following information: + - **Type**: _CNAME_ + - **Name**: Subdomain of your application + - **Target**: `.cfargotunnel.com` +4. Select **Save**. + +![Example of fields completed to create a new CNAME record.](~/assets/images/cloudflare-one/connections/connect-apps/dns/dns-record.png) + + + + + +You can create a new DNS record directly from `cloudflared`: + +```sh +cloudflared tunnel route dns www.app.com +``` + +This command create a `CNAME` record that points to the tunnel subdomain, but will not proxy traffic if the tunnel is not currently running. + +:::note + +To create DNS records using `cloudflared`, the [`cert.pem`](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem) file must be installed on your system. +::: + + + + + +The DNS record is distinct from the state of the tunnel. You can create DNS records that point to a tunnel that is not currently running. If the tunnel stops running, the DNS record will not be deleted. If you point the DNS record to a tunnel not currently running, visitors will see a `1016` error message. + +Additionally, you can create multiple DNS records that point to the same tunnel subdomain. If you are routing traffic from multiple hostnames to multiple services, you will need to create a `CNAME` entry for each hostname. The CNAME entries will share the same target. + +## Optional Cloudflare settings + +The application will default to the Cloudflare settings of the hostname in your account that includes the Cloudflare Tunnel DNS record, including [cache rules](/cache/how-to/cache-rules/) and [firewall policies](/firewall/). You can changes these settings for your hostname in Cloudflare's dashboard. diff --git a/src/content/docs/cloudflare-tunnel/routing/index.mdx b/src/content/docs/cloudflare-tunnel/routing/index.mdx new file mode 100644 index 000000000000000..7c96dcc4b6c85b0 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/routing/index.mdx @@ -0,0 +1,10 @@ +--- +pcx_content_type: concept +title: Public ingress routing +sidebar: + order: 4 +--- + +Cloudflare Tunnel allows you to publish local applications to the Internet via a public hostname. For example, you can [add a published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) that points `docs.example.com` to `https://localhost:8080`. Anyone can now view your application by going to `docs.example.com` in their web browser. Traffic to published applications flows through Cloudflare's network, where your configured CDN cache, WAF rules, Bot Management, and DDoS protection settings are applied. + +Cloudflare can route traffic to your Cloudflare Tunnel using a [DNS record](/cloudflare-tunnel/routing/dns/) or [Cloudflare Load Balancer](/cloudflare-tunnel/routing/load-balancers/). You can configure either option from the Cloudflare dashboard by pointing a DNS `CNAME` record or a load balancer pool to your Cloudflare Tunnel subdomain (`.cfargotunnel.com`). You can also associate these records with your tunnel from `cloudflared` directly. diff --git a/src/content/docs/cloudflare-tunnel/routing/load-balancers.mdx b/src/content/docs/cloudflare-tunnel/routing/load-balancers.mdx new file mode 100644 index 000000000000000..0915ebba7d3ab3b --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/routing/load-balancers.mdx @@ -0,0 +1,209 @@ +--- +pcx_content_type: concept +title: Public load balancers +sidebar: + order: 3 +--- + +import { Render, DashButton, Details } from "~/components"; + +A [public load balancer](/load-balancing/load-balancers/) allows you to distribute traffic across the servers that are running your [published applications](/cloudflare-tunnel/routing/). + +When you add a [published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) to your Cloudflare Tunnel, Cloudflare generates a subdomain of `cfargotunnel.com` with the UUID of the created tunnel. You can add the application to a load balancer pool by using `.cfargotunnel.com` as the [endpoint address](/load-balancing/understand-basics/load-balancing-components/#endpoints) and specifying the application hostname (`app.example.com`) in the [endpoint host header](/load-balancing/additional-options/override-http-host-headers/). Load Balancer does not support directly adding `app.example.com` as an endpoint if the service is behind Cloudflare Tunnel. + +## Create a public load balancer + +### Prerequisites + +- A Cloudflare Tunnel with a [published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) + +### Create a load balancer + +To create a load balancer for Cloudflare Tunnel published applications: + +1. In the Cloudflare dashboard, go to the **Load Balancing** page. + + +2. Select **Create load balancer**. +3. Select **Public load balancer**. +4. Under **Select website**, select the domain of your published application route. +5. On the **Hostname** page, enter a hostname for the load balancer (for example, `lb.example.com`). +6. On the **Pools** page, select **Create a pool**. +7. Enter a descriptive name for the pool. For example, if you are configuring one pool per tunnel, the pool name can match your tunnel name. +8. To add a tunnel endpoint to the pool, configure the following fields: + - **Endpoint Name**: Name of the server that is running the application + - **Endpoint Address**: `.cfargotunnel.com`, where `` is replaced by your Tunnel ID. You can find the **Tunnel ID** in [Cloudflare One](https://one.dash.cloudflare.com) under **Networks** > **Connectors** > **Cloudflare Tunnels**. + - **Header value**: Hostname of your published application route (such as `app.example.com`). To find the hostname value, open your Cloudflare Tunnel configuration and go to the **Published application routes** tab. + - **Weight**: Assign a [weight](/load-balancing/understand-basics/traffic-steering/origin-level-steering/#weights) to the endpoint. If you only have one endpoint, enter `1`. + :::note + A single origin pool cannot have the same Tunnel UUID referenced twice. + ::: +9. On the **Pools** page, choose a **Fallback pool**. Refer to [Global traffic steering](/load-balancing/understand-basics/traffic-steering/steering-policies/) for information on how the load balancer routes traffic to pools. +10. (Recommended) On the **Monitors** page, attach a monitor to the tunnel endpoint. For example, if your application is HTTP or HTTPS, you can create an HTTPS monitor to poll the application: + - **Type**: _HTTPS_ + - **Path**: `/` + - **Port**: `443` + - **Expected Code(s)**: `200` + - **Header Name**: `Host` + - **Value**: `app.example.com` + + :::note + TCP monitors are not supported for tunnel endpoints. For a workaround, refer to [Monitors and TCP tunnel origins](#monitors-and-tcp-tunnel-origins). + ::: + +11. Save and deploy the load balancer. +12. To test the load balancer, access the application using the load balancer hostname (`lb.example.com`). + +Refer to the [Load Balancing documentation](/load-balancing/) for more details on load balancer settings and configurations. + +### Optional Cloudflare settings + +The application will default to the Cloudflare settings for the load balancer hostname, including [Rules](/rules/), [Cache Rules](/cache/how-to/cache-rules/) and [WAF rules](/waf/). You can change the settings for your hostname in the [Cloudflare dashboard](https://dash.cloudflare.com/). + +## Common architectures + +Review common load balancing configurations for published applications behind Cloudflare Tunnel. + +### One app per load balancer + +For this example, assume we have a web application that runs on servers in two different data centers. We want to connect the application to Cloudflare so that users can access the application from anywhere in the world. Additionally, we want Cloudflare to load balance between the servers such that if the primary server fails, the secondary server receives all traffic. + +```mermaid +graph LR + subgraph LB["Public load balancer
app.example.com "] + subgraph P1[Pool 2] + E1(["**Endpoint:** <UUID_1>.cfargotunnel.com
**Host header**: server2.example.com"]) + end + subgraph P2[Pool 1] + E2(["**Endpoint:** <UUID_2>.cfargotunnel.com
**Host header**: server1.example.com"]) + end + end + R@{ shape: text, label: "app.example.com" } + R--> LB + P1 -- Tunnel 1 --> cf1 + P2 -- Tunnel 2 --> cf2 + subgraph D2[Private network] + subgraph r1[Region eu-west-1] + cf1@{ shape: processes, label: "cloudflared
**Route:** server2.example.com" } + S1(["Server 2
10.0.0.1:80"]) + cf1-->S1 + end + subgraph r2[Region us-east-1] + cf2@{ shape: processes, label: "cloudflared
**Route:** server1.example.com" } + S3(["Server 1
10.0.0.2:80"]) + cf2-->S3 + end + end + + style r1 stroke-dasharray: 5 5 + style r2 stroke-dasharray: 5 5 +``` + +As shown in the diagram, a typical setup includes: +- A dedicated Cloudflare Tunnel per data center. +- One load balancer pool per tunnel. The load balancer hostname is set to the user-facing application hostname (`app.example.com`). +- One load balancer endpoint per pool. The endpoint host header is set to the `cloudflared` published application hostname (`server1.example.com`) +- At least two `cloudflared` [replicas](#session-affinity-and-replicas) per tunnel in their respective data centers, in case a `cloudflared` host machine goes down. + +Users can now connect to the application using the load balancer hostname (`app.example.com`). Note that this configuration is only valid for [Active-Passive failover](/load-balancing/load-balancers/common-configurations/#active---passive-failover), since each pool only supports one endpoint per tunnel. + +### Multiple apps per load balancer + +The following diagram illustrates how to steer traffic to two different applications on a private network using a single load balancer. + +```mermaid +graph LR + subgraph LB["Public load balancer
lb.example.com"] + subgraph P1[Pool for App 1] + E1(["**Endpoint:** <UUID_1>.cfargotunnel.com
**Host header**: app1.example.com"]) + E2(["**Endpoint:** <UUID_2>.cfargotunnel.com
**Host header**: app1.example.com"]) + end + subgraph P2[Pool for App 2] + E3(["**Endpoint:** <UUID_1>.cfargotunnel.com
**Host header**: app2.example.com"]) + E4(["**Endpoint:** <UUID_2>.cfargotunnel.com
**Host header**: app2.example.com"]) + end + end + R@{ shape: text, label: "app1.example.com
app2.example.com" } + R--> LB + E1 -- Tunnel 1 -->cf1 + E3 -- Tunnel 1 --> cf1 + E2 -- Tunnel 2 --> cf2 + E4 -- Tunnel 2 --> cf2 + + subgraph N[Private network] + cf2[cloudflared
**Route:** app1.example.com
**Route:** app2.example.com] + S3(["App 1
10.0.0.1:80"]) + cf2-->S3 + cf2-->S1 + cf1[cloudflared
**Route:** app1.example.com
**Route:** app2.example.com] + S1(["App 2
10.0.0.2:80"]) + cf1-->S1 + cf1-->S3 + end +``` + +This load balancing setup includes: + +- Two Cloudflare Tunnels with identical routes to both applications. +- One load balancer pool per application. +- Each load balancer pool has an endpoint per tunnel. +- A [DNS record](#dns-records) for each application that points to the load balancer hostname. + +Users can now access all applications through the load balancer. Since there are multiple tunnel endpoints per pool, this configuration supports [Active-Active Failover](/load-balancing/load-balancers/common-configurations/#active---active-failover). Active-Active uses all available endpoints in the pool to process requests simultaneously, providing better performance and scalability by load balancing traffic across them. + +#### DNS records + +When you configure a published application route via the dashboard, Cloudflare will automatically generate a `CNAME` DNS record that points the application hostname (`app1.example.com`) to the tunnel subdomain (`.cfargotunnel.com`). You can [edit these DNS records](/dns/manage-dns-records/how-to/create-dns-records/#edit-dns-records) so that they point to the load balancer hostname instead. + +:::note +Tunnel routes configured via the API or CLI require [manually creating DNS records](/cloudflare-tunnel/routing/dns/). +::: + +Here is an example of what your DNS records will look like before and after setting up [Multiple apps per load balancer](#multiple-apps-per-load-balancer): + +**Before**: +| Type | Name | Content | +| ---- | ---- | ------- | +| CNAME | app1 | `.cfargotunnel.com` | +| CNAME | app2 | `.cfargotunnel.com` | +| CNAME | app1 | `.cfargotunnel.com` | +| CNAME | app2 | `.cfargotunnel.com` | + +**After**: +| Type | Name | Content | +| ---- | ---- | ------- | +| LB | `lb.example.com` | n/a | +| CNAME | app1 | `lb.example.com` | +| CNAME | app2 | `lb.example.com` | + +## Known limitations + +### Monitors and TCP tunnel origins + +If you have a tunnel to a port or SSH port, do not set up a [TCP monitor](/load-balancing/monitors/). Instead, set up a health check endpoint on the `cloudflared` host and create an HTTPS monitor. For example, you can use `cloudflared` to return a fixed HTTP status response: + +1. In your Cloudflare Tunnel, [add a published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) to represent the health check endpoint: + - **Hostame**: Enter a hostname for the health check endpoint (for example, `health-check.example.com`) + - **Service Type**: _HTTP_STATUS_ + - **HTTP Status Code**: `200` +2. From the **Load Balancing** page, [create a monitor](/load-balancing/monitors/create-monitor/) with the following properties: + - **Type**: _HTTPS_ + - **Path**: `/` + - **Port**: `443` + - **Expected Code(s)**: `200` + - **Header Name**: `Host` + - **Value**: `health-check.example.com` + +You can now assign this monitor to your load balancer endpoint. The monitor will only verify that your server is reachable. It does not check whether the server is running and accepting requests. + +### Session affinity and replicas + +The load balancer does not distinguish between [replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) of the same tunnel. If you run the same tunnel UUID on two separate hosts, the load balancer treats both hosts as a single endpoint. To maintain [session affinity](/load-balancing/understand-basics/session-affinity/) between a client and a particular host, you will need to connect each host to Cloudflare using a different tunnel UUID. + +### Local connection preference + +If you notice traffic imbalances across endpoints in different locations, you may have to adjust your load balancer setup. + +When an end user sends a request to your application, Cloudflare routes their traffic using [Anycast routing](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) and their request typically goes to the nearest Cloudflare data center. Cloudflare Tunnel will prefer to serve the request using `cloudflared` connections in the same data center. This behavior can impact how connections are weighted and traffic is distributed. + +If you are running [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/), switch to separate Cloudflare tunnels so that you can have more granular control over [traffic steering](/load-balancing/understand-basics/traffic-steering/). diff --git a/src/content/docs/cloudflare-tunnel/routing/protocols.mdx b/src/content/docs/cloudflare-tunnel/routing/protocols.mdx new file mode 100644 index 000000000000000..9bc4d86fb6677d0 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/routing/protocols.mdx @@ -0,0 +1,24 @@ +--- +pcx_content_type: reference +title: Protocols for published applications +sidebar: + order: 4 + label: Protocols +tableOfContents: false +--- + +When you [add a published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind `cloudflared`. The table below lists the service types that can route to a public hostname. Non-HTTP services will require [installing `cloudflared` on the client](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/) for end users to connect. + +| Service type | Description | Example `service` value | +| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| HTTP | Incoming requests to Cloudflare over HTTPS are proxied to the local web service via HTTP. | `http://localhost:8000` | +| HTTPS | Incoming requests to Cloudflare over HTTPS are proxied directly to the local web service. You can [disable TLS verification](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) if your origin uses self-signed certificates. | `https://localhost:8000` | +| UNIX | Just like HTTP, but using a Unix socket instead. | `unix:/home/production/echo.sock` | +| TCP | Enables TCP streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using TCP. To [connect to the public hostname over arbitrary TCP](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/), the user needs to run `cloudflared access tcp`, and there are no guarantees on how long the TCP tunnel will live. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead. | `tcp://localhost:2222` | +| SSH | Enables SSH streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using SSH. To [connect to the public hostname over SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/), the client needs to run `cloudflared access ssh`, and there are no guarantees on how long the SSH connection will last. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead. | `ssh://localhost:22` | +| RDP | Similar to TCP but for RDP streams only. For more information, refer to [Connect to RDP with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/). | `rdp://localhost:3389` | +| UNIX + TLS | Just like HTTPS, but using a Unix socket instead. | `unix+tls:/home/production/echo.sock` | +| SMB | Similar to TCP but for SMB streams only. For more information, refer to [Connect to SMB with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/#connect-to-smb-server-with-cloudflared-access). | `smb://localhost:445` | +| HTTP_STATUS | Responds to all requests with the given HTTP status. | `http_status:404` | +| BASTION | `cloudflared` will act like a jumphost, allowing access to any local address. | `bastion` | +| HELLO_WORLD | Test server for validating your Cloudflare Tunnel connection (for [locally managed tunnels](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/#file-structure-for-published-applications) only). | `hello_world` | diff --git a/src/content/docs/cloudflare-tunnel/troubleshoot/common-errors.mdx b/src/content/docs/cloudflare-tunnel/troubleshoot/common-errors.mdx new file mode 100644 index 000000000000000..4ec3bdaafbe7205 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/troubleshoot/common-errors.mdx @@ -0,0 +1,160 @@ +--- +pcx_content_type: reference +title: Common errors +sidebar: + order: 2 +--- + +import { Tabs, TabItem, GlossaryTooltip, Render } from "~/components"; + +This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/), view your [Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/), or [contact Cloudflare Support](/support/contacting-cloudflare-support/). + +## Tunnel status + +You can check your tunnel's connection status either from Cloudflare One (by going to **Networks** > **Connectors** > **Cloudflare Tunnels**) or by running the `cloudflared tunnel list` command. Each tunnel displays a status that reflects its current connection state: + + + +:::note[Tunnel status scope] + +The tunnel status only reflects the connection between `cloudflared` and the Cloudflare network. Tunnel status does not indicate whether `cloudflared` can successfully reach your internal services. As a result, a tunnel can appear `Healthy` while users are still unable to connect to an application. +::: + +## I see `cloudflared service is already installed`. + +If you see this error when installing a remotely-managed tunnel, ensure that no other `cloudflared` instances are running as a service on this machine. Only a single instance of `cloudflared` may run as a service on any given machine. Instead, we recommend adding additional routes to your existing tunnel. Alternatively, you can run `sudo cloudflared service uninstall` to uninstall `cloudflared`. + +## I see `An A, AAAA, or CNAME record with that host already exists`. + +If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. [Check the DNS records](/dns/manage-dns-records/how-to/create-dns-records/) for your domain from the [Cloudflare dashboard](https://dash.cloudflare.com). + +## Tunnel credentials file doesn't exist or is not a file. + +If you encounter the following error when running a tunnel, double check your `config.yml` file and ensure that the `credentials-file` points to the correct location. You may need to change `/root/` to your home directory. + +```sh +cloudflared tunnel run +``` + +```sh output +2021-06-04T06:21:16Z INF Starting tunnel tunnelID=928655cc-7f95-43f2-8539-2aba6cf3592d +Tunnel credentials file '/root/.cloudflared/928655cc-7f95-43f2-8539-2aba6cf3592d.json' doesn't exist or is not a file +``` + +## My tunnel fails to authenticate. + +To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through `cloudflared login`. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components: + +- The public key of the origin certificate for that hostname +- The private key of the origin certificate for that domain +- A token that is unique to Cloudflare Tunnel + +Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one-level deep. Cloudflare uses that certificate file to authenticate `cloudflared` to create DNS records for your domain in Cloudflare. + +The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through `cloudflared` retains the older API key and can cause authentication failures. The user will need to login once more through `cloudflared` to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate. + +## I see an error: x509: certificate signed by unknown authority. + +This means the origin is using a certificate that `cloudflared` does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare. To solve this: + +- Add the certificate to the system certificate pool. +- Use the `--origin-ca-pool` flag and specify the path to the certificate. +- Use the `--no-tls-verify` flag to stop `cloudflared` checking the certificate for a trust chain. + +## I see an error 1033 when attempting to run a tunnel. + + + +For more information, refer to the [comprehensive list](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) of Cloudflare 1xxx errors. + +## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app. + +This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the [origin server name](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#originservername) parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration: + +```txt +ingress: + - hostname: test.example.com + service: https://localhost:443 + originRequest: + originServerName: test.example.com +``` + +## `cloudflared access` shows an error `websocket: bad handshake`. + +This means that your `cloudflared access` client is unable to reach your `cloudflared tunnel` origin. +To diagnose this, you should look at the `cloudflared tunnel` logs. A very often root cause is that the `cloudflared tunnel` is unable to proxy to your origin (e.g. because the ingress is mis-configured, or the origin is down, or because the origin HTTPS certificate cannot be validated by `cloudflared tunnel`). +If `cloudflared tunnel` has no logs, it means Cloudflare Edge is not even able to route the websocket traffic to it. + +There are a few different possible root causes behind the `websocket: bad handshake` error: + +- Your `cloudflared tunnel` is either not running or not connected to Cloudflare Edge. + +- WebSockets are not [enabled](/network/websockets/#enable-websockets). + +- Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve: + 1. On the Cloudflare dashboard for your zone, go to **SSL/TLS** > **Overview**. + 2. Ensure that your SSL/TLS encryption mode is set to either **Flexible**, **Full** or **Full (strict)**. + +- Your requests are blocked by [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings. + +- Your SSH or RDP Access application has the [Binding Cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** > **Applications** and edit the application settings. + +- One or more [Workers routes](/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, you could either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname or update your Worker to only handle specific paths and forward all other requests to the origin, for example, by using `return fetch(req)`. + +## My tunnel randomly disconnects. + +Long-lived connections initiated through Cloudflare One, such as SSH sessions, can last up to eight hours. However, disruptions along the service path may result in more frequent disconnects. Often, these disconnects are caused by regularly scheduled maintenance events such as data center, server, or service updates and restarts. If you believe these events are not the cause of disconnects in your environment, collect the relevant [WARP logs](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/warp-logs/) and [Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/) and contact Support. + +## Tunnel connections fail with SSL error. + +If `cloudflared` returns error `error="remote error: tls: handshake failure"`, check to make sure the hostname in question is covered by a SSL certificate. If using a multi-level subdomain, an advanced certificate may be required as the Universal SSL will not cover more than one level of subdomain. This may surface in the browser as `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`. + +## Tunnel connections fail with `Too many open files` error. + +If your [Cloudflare Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/) returns a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to [configure ulimit settings](/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/#ulimits) on the machine running `cloudflared`. + +## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs. + +This buffer size increase is reported by the [quic-go library](https://github.com/quic-go/quic-go) leveraged by [cloudflared](https://github.com/cloudflare/cloudflared). You can learn more about the log message in the [quic-go repository](https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes). This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed `cloudflared` within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes. + +To set the maximum receive buffer size on Linux: + +1. Create a new file under `/etc/sysctl.d/`: + +```sh +sudo vi 98-core-rmem-max.conf +``` + +2. In the file, define the desired buffer size: + +```txt +net.core.rmem_max=2500000 +``` + +3. Reboot the host machine running `cloudflared`. + +4. To validate that these changes have taken effect, use the `grep` command: + +```sh +sudo sysctl -a | grep net.core.rmem_max +``` + +```sh output +net.core.rmem_max = 2500000 +``` + +## `ping` and `traceroute` commands do not work. + +To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](/cloudflare-one/traffic-policies/proxy/#icmp). + +## Cloudflare Tunnel is buffering my streaming response instead of streaming it live. + +Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the response header `Content-Type: text/event-stream`. The `Content-Type: text/event-stream` response header tells `cloudflared` to stream data as it arrives instead of buffering the entire response. + +## I see `Error: This route's network is inside an existing subnet's network at "100.96.0.0/12"`. + +This error occurs when you try to add a CIDR route that falls within Cloudflare WARP's CGNAT IP range. The `100.96.0.0/12` range, which covers addresses from `100.96.0.1` to `100.111.255.254`, is reserved for internal WARP routing and cannot be added as a Cloudflare Tunnel route. To connect your private network, you will need to change its IP/CIDR so that it does not overlap with `100.96.0.0/12`. + +## Troubleshooting + +[Troubleshooting](/cloudflare-one/faq/troubleshooting/) - Browse other Cloudflare One-related troubleshooting errors and solutions. diff --git a/src/content/docs/cloudflare-tunnel/troubleshoot/connectivity-prechecks.mdx b/src/content/docs/cloudflare-tunnel/troubleshoot/connectivity-prechecks.mdx new file mode 100644 index 000000000000000..5d82acaad120c61 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/troubleshoot/connectivity-prechecks.mdx @@ -0,0 +1,329 @@ +--- +pcx_content_type: how-to +title: Connectivity pre-checks +--- + +import { Render, TabItem, Tabs } from "~/components"; + +This guide helps you validate connectivity between your environment and [Cloudflare Tunnel endpoints](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) before deploying [Cloudflare Tunnel](/cloudflare-tunnel/). You will run DNS and network checks from the same host machine that will run `cloudflared` to help you identify issues that may prevent `cloudflared` from connecting to Cloudflare Tunnel endpoints. + +Running these checks before you install `cloudflared` sets your deployment up for success and narrows down the cause of any later connectivity issues. + +This guide is structured as follows: + +1. [Before you start](#before-you-start): Read prerequisites and terminology. + +2. [DNS test with dig](#2-dns-test-with-dig): Confirm that DNS resolves Cloudflare Tunnel endpoints to the expected IPs. + +3. [Test network connectivity](#3-test-network-connectivity): Verify that your firewall allows outbound traffic on port `7844` (TCP and UDP). + +4. [Get help](/cloudflare-tunnel/troubleshoot/connectivity-prechecks/#4-get-help): What to collect and who to contact if tests fail. + +## 1. Before you start + +### Prerequisites + +You must have: + +- A host machine connected to the Internet where you plan to run `cloudflared`. The tests must run from the same environment where `cloudflared` will run (same network, same firewall path). + +- A terminal session with permission to run `dig` and `nc` (netcat), or similar software. + +`cloudflared` is platform-agnostic and supports a wide range of operating systems. For details, refer to [Tunnel system requirements](/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/). + +### Terminology + +When troubleshooting connectivity to Cloudflare, it is important to distinguish between: + +- Host machine: The server or virtual machine (VM) where you will run `cloudflared`. + +- Environment: The broader setup containing the host machine (network and firewall configuration). + +Cloudflare Tunnel errors can originate from the environment (for example, DNS or firewall policies), even though they surface as `cloudflared` errors on the host machine. This guide focuses on the environment, not on `cloudflared` itself. + +`cloudflared` establishes [outbound-only connections](/cloudflare-tunnel/#outbound-only-connection) to Cloudflare's global network over port `7844`. The specific destinations and ports are documented in [Tunnel with firewall](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/). + +## 2. DNS test with dig + +Cloudflare Tunnel requires outbound connectivity to `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com` (or to the equivalent `us-region1` and `us-region2` endpoints when using only the [US region](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#region-us)). + +For a successful and healthy deployment, `cloudflared` should have [four active replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) with connectivity to both regions (that is, both `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com`, or both `us-region1` and `us-region2`). + +First, you need to verify that your DNS resolver returns the expected IP addresses for Cloudflare Tunnel endpoints. + +### 2.1. Test DNS with your current resolver + +Depending on whether you are testing a global region or the US region, run one of the following commands: + + + + +```sh +dig A region1.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +region1.v2.argotunnel.com. 86400 IN A 198.41.192.167 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.67 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.57 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.107 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.27 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.7 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.227 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.47 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.37 +region1.v2.argotunnel.com. 86400 IN A 198.41.192.77 +... +``` + +```sh +dig AAAA region1.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::1 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::2 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::3 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::4 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::5 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::6 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::7 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::8 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::9 +region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::10 +... +``` + +```sh +dig A region2.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +region2.v2.argotunnel.com. 86400 IN A 198.41.200.13 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.193 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.33 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.233 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.53 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.63 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.113 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.73 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.43 +region2.v2.argotunnel.com. 86400 IN A 198.41.200.23 +... +``` + +```sh +dig AAAA region2.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::1 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::2 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::3 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::4 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::5 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::6 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::7 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::8 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::9 +region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::10 +... +``` + + + + +```sh +dig A us-region1.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.1 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.2 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.3 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.4 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.5 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.6 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.7 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.8 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.9 +us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.10 +... +``` + +```sh +dig AAAA us-region1.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::1 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::2 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::3 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::4 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::5 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::6 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::7 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::8 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::9 +us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::10 +... +``` + +```sh +dig A us-region2.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.1 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.2 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.3 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.4 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.5 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.6 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.7 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.8 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.9 +us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.10 +... +``` + +```sh +dig AAAA us-region2.v2.argotunnel.com +``` + +```sh output +;; ANSWER SECTION: +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::1 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::2 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::3 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::4 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::5 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::6 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::7 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::8 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::9 +us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::10 +... +``` + + + + +The `ANSWER SECTION` should include the expected IP addresses for Cloudflare Tunnel endpoints. + +If you receive: + +- Status `NOERROR` with valid IP addresses - Your DNS resolver is successfully returning addresses for the Tunnel hostname. Continue to [Test network connectivity](#3-test-network-connectivity). + +- Status `SERVFAIL`, `NXDOMAIN`, or an empty answer - Your DNS resolver cannot resolve the Tunnel endpoint. Continue to [Compare against `1.1.1.1`](#compare-against-1111). + +### 2.2. Compare against `1.1.1.1` + +If your original `dig` response is empty or does not match the documented IPs, test again using Cloudflare's public resolver `1.1.1.1`: + +```sh +dig A region1.v2.argotunnel.com @1.1.1.1 +``` +#### If only `1.1.1.1` works + +If `1.1.1.1` returns the correct IPs, but your original resolver does not, your local DNS resolver is misconfigured or blocked. + +To resolve: + +- Configure the host machine to use `1.1.1.1` as its resolver. +- If you must keep using your existing resolver, then investigate with your system administrator or ISP why it is returning different IPs. A recursive resolver should return the same response as the authoritative DNS server. If this cannot be fixed, the issue lies within your local environment and must be resolved before deploying Cloudflare Tunnel. + +#### If neither resolver works + +If neither your original resolver nor `1.1.1.1` returns an answer, your firewall may be blocking DNS queries to Cloudflare Tunnel endpoints. + +To resolve: + +- Check for firewall rules blocking DNS traffic altogether (UDP on port `53`) or specific DNS queries related to Cloudflare. +- If you are behind a managed DNS or security appliance, contact that provider to understand why queries to `region1.v2.argotunnel.com` and other Cloudflare Tunnel endpoints are blocked. + +Once DNS resolution returns the expected IPs from your DNS resolver, proceed to connectivity testing in step 3. + +## 3. Test network connectivity + +After confirming that your DNS resolver returns the correct IPs, test whether your host machine can send packets to Cloudflare on port `7844` using both UDP and TCP. + +Choose one of the IPs from your `dig` output (for example, `198.41.192.167`) and run the following tests. + +### 3.1. Test UDP connectivity + +```sh +nc -uvz -w 3 198.41.192.167 7844 +``` + +Example output: + +```sh +Connection to 198.41.192.167 port 7844 [udp/*] succeeded! +``` + +### 3.2. Test TCP connectivity + +```sh +nc -vz -w 3 198.41.192.167 7844 +``` + +Example output: + +```sh +Connection to 198.41.192.167 port 7844 [tcp/*] succeeded! +``` + +### 3.3 Interpret results + +These tests answer two key questions: + +- Can the host machine send a UDP packet to Cloudflare Tunnel endpoints? +- Can the host machine send a TCP packet to Cloudflare Tunnel endpoints? + +If either protocol succeeds, `cloudflared` can use that protocol to establish the tunnel. + +You have already confirmed DNS is working in the previous steps. These connectivity tests now verify whether your environment allows traffic to Cloudflare on port `7844`. By default, `cloudflared` automatically falls back to whichever protocol is available. + +If a [protocol](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol) is blocked but you force `cloudflared` to use it (for example, forcing QUIC when UDP is blocked), the tunnel will fail to connect. + +#### Both UDP and TCP succeed + +Your firewall allows outbound traffic and return traffic to Cloudflare's tunnel endpoint on port `7844`. `cloudflared` can connect using either `quic` (UDP) or `http2` (TCP). If both UDP and TCP succeed and your DNS test in the previous section was successful, you can successfully deploy Cloudflare Tunnel in this environment. + +#### UDP succeeds, TCP fails + +Outbound UDP is allowed, but TCP on port `7844` is blocked or inspected. + +`cloudflared` will only be able to connect using `quic`. If you force `http2` in your configuration while TCP is blocked, the tunnel will fail. + +To resolve: Either allow TCP on your local network firewall on port `7844` or stop forcing `http2` to allow `cloudflared` to connect over `QUIC` instead. Refer to the [Protocol](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol) parameter documentation for more information. + +#### TCP succeeds, UDP fails + +Outbound TCP is allowed, but UDP on port `7844` is blocked. + +`cloudflared` will only be able to connect using `http2`. If you force `quic` while UDP is blocked, the tunnel will fail. + +To resolve: Either allow UDP on the local network firewall on port `7844` or stop forcing QUIC to allow `cloudflared` to connect over HTTP/2 instead. Refer to the [Protocol](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol) parameter documentation for more information. + +#### Both UDP and TCP fail + +Packets are being dropped somewhere between the host and the [Cloudflare Tunnel endpoints](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/). + +This usually indicates a firewall policy or upstream security control that does not allow outbound traffic (or return traffic) on port `7844`. + +To resolve: Allow all traffic over port `7844` on the local network firewall. If this does not resolve the issue, troubleshoot with your ISP or service provider. + +## 4. Get help + +If either DNS or network test failed, it will likely be a problem in your local environment. You will need to debug with your administrator, ISP or cloud provider. If you believe the issue is with Cloudflare, please provide detailed information when contacting support. + + diff --git a/src/content/docs/cloudflare-tunnel/troubleshoot/diag-logs.mdx b/src/content/docs/cloudflare-tunnel/troubleshoot/diag-logs.mdx new file mode 100644 index 000000000000000..03b3247a39ba28e --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/troubleshoot/diag-logs.mdx @@ -0,0 +1,134 @@ +--- +pcx_content_type: how-to +title: Tunnel diagnostic logs +sidebar: + order: 1 + label: Diagnostic logs +--- + +import { Details, Render } from "~/components"; + +Cloudflare Tunnel generates a set of diagnostic logs that can be used to troubleshoot issues with `cloudflared`. A diagnostic report collects data from a single instance of `cloudflared` running on the local machine. + +## Get diagnostic logs + +The steps for getting diagnostic logs depend on your `cloudflared` deployment environment. + +### Prerequisites + +- `cloudflared` version 2024.12.2 or later installed on the host + +### Host environment + +These instructions apply to remotely-managed and locally-managed tunnels running directly on the host machine. + +1. (Linux only) To include network diagnostics in the logs, allow the `cloudflared` user to create RAW and PACKET sockets without root permissions: + + ```sh + sudo setcap cap_net_raw+ep /usr/bin/traceroute && sudo setcap cap_net_raw+ep /usr/bin/traceroute + ``` + + If you do not set `cap_net_raw`, then traceroute data will be unavailable. + +2. Get diagnostic logs: + + ```sh + cloudflared tunnel diag + ``` + + If multiple instances of `cloudflared` are running on the same host, specify the [metrics server IP and port](/cloudflare-tunnel/monitor-tunnels/metrics/#configure-the-metrics-server-address) for the instance you want to diagnose. For example: + + ```sh + cloudflared tunnel diag --metrics 127.0.0.1:20241 + ``` + +This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. + +### Docker + +`cloudflared` reads diagnostic data from the [tunnel metrics server](/cloudflare-tunnel/monitor-tunnels/metrics/). To get diagnostic logs, the metrics server must be exposed from the Docker container and reachable from the host machine. + +1. Determine the [metrics server port](/cloudflare-tunnel/monitor-tunnels/metrics/#default-metrics-server-address) for the `cloudflared` instance running in Docker. + +2. Ensure the container is deployed with port forwarding enabled. The diagnostic feature will request information from the Docker instance using local port `20241`, therefore you should forward port `20241` to the container port obtained in Step 1: + + ```sh + docker run -d -p 20241: docker.io/cloudflare/cloudflared tunnel ... + ``` + +3. Verify that you can reach the metrics server address from the Docker host environment: + + ```sh + curl localhost:20241/diag/tunnel + ``` + + This command should return a JSON: + ```json + { + "tunnelID": "ef96b330-a7f5-4bce-a00e-827ce5be077f", + "connectorID": "d236670a-9f74-422f-adf1-030f5c5f0523", + "connections": [ + { "isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.167"}, + {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.113", "index": 1}, + {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.47", "index": 2}, + {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.73", "index": 3} + ], + "icmp_sources": ["192.168.1.243", "fe80::c59:bd4a:e815:ed6"] + } + ``` + +4. Run the diagnostic using the Docker container ID: + + ```sh + cloudflared tunnel diag --diag-container-id= + ``` + + Alternatively, you can specify the container's name instead of its ID: + ```sh + cloudflared tunnel diag --diag-container-id= + ``` + + Running the diagnostic command with the container ID allows `cloudflared` to collect information from the Docker environment such as logs and container details. + +This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. + +### Kubernetes + +The diagnostic feature will request data from the [tunnel metrics server](/cloudflare-tunnel/monitor-tunnels/metrics/) using ports `20241` to `20245`. You will need to use port forwarding to allow the local `cloudflared` instance to connect to the metrics server on one of these ports. + +1. Determine the tunnel's [metrics server port](/cloudflare-tunnel/monitor-tunnels/metrics/#default-metrics-server-address). + +2. Enable port forwarding: + + ```sh + kubectl port-forward : + ``` + + - ``: Name of the pod where the tunnel is running + - `` is any local port in the range `20241` to `20245`. + - `` is the Kubernetes pod port for the `cloudflared` instance you want to diagnose (obtained in Step 1). + + For example, if you set the metrics server address to `0.0.0.0:12345`: + + ```sh + kubectl port-forward cloudflared-6d4897585b-r8kfz 20244:12345 + ``` + Connections made to local port `20244` are forwarded to port `12345` of the pod that is running the tunnel. + +3. Run the diagnostic: + + ```sh + cloudflared tunnel diag --diag-pod-id= + ``` + + If the pod has multiple applications/services running and `cloudflared` is not the first in the pod, you must specify either the container ID or name: + + ```sh + cloudflared tunnel diag --diag-pod-id= --diag-container-id= + ``` + +This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. + +## cloudflared-diag files + + diff --git a/src/content/docs/cloudflare-tunnel/troubleshoot/index.mdx b/src/content/docs/cloudflare-tunnel/troubleshoot/index.mdx new file mode 100644 index 000000000000000..1dd6edca659a470 --- /dev/null +++ b/src/content/docs/cloudflare-tunnel/troubleshoot/index.mdx @@ -0,0 +1,11 @@ +--- +pcx_content_type: navigation +title: Troubleshoot tunnels +sidebar: + order: 10 + +--- + +import { DirectoryListing } from "~/components" + + diff --git a/src/icons/cloudflare-tunnel-sase.svg b/src/icons/cloudflare-tunnel-sase.svg new file mode 100644 index 000000000000000..ddc17157b850dc7 --- /dev/null +++ b/src/icons/cloudflare-tunnel-sase.svg @@ -0,0 +1 @@ + diff --git a/src/icons/cloudflare-tunnel.svg b/src/icons/cloudflare-tunnel.svg new file mode 100644 index 000000000000000..d953c3b96820184 --- /dev/null +++ b/src/icons/cloudflare-tunnel.svg @@ -0,0 +1 @@ + From 3d463be4c84d1c1e19ac9e6eb18f6f93cd0dbf3d Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 19 Feb 2026 19:51:10 -0500 Subject: [PATCH 02/33] update directory tile filters --- src/content/directory/cloudflare-tunnel.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/content/directory/cloudflare-tunnel.yaml b/src/content/directory/cloudflare-tunnel.yaml index 38dda18cba3e093..53705c992953493 100644 --- a/src/content/directory/cloudflare-tunnel.yaml +++ b/src/content/directory/cloudflare-tunnel.yaml @@ -3,7 +3,11 @@ name: Cloudflare Tunnel entry: title: Cloudflare Tunnel - group: Network Services + group: Core platform + additional_groups: + - Network security + - Application security + - Developer platform url: /cloudflare-tunnel/ meta: From ea06bc3d7ead6dae1f984648aa210693e89f5dcf Mon Sep 17 00:00:00 2001 From: Nikita Cano Date: Fri, 20 Feb 2026 16:28:36 +0000 Subject: [PATCH 03/33] [Tunnel] Restructure docs for Core Dashboard launch Rename cloudflare-tunnel/ to tunnel/ with flat structure targeting developer/CDN audience. Replace all CF1 dashboard references with Core Dashboard (dash.cloudflare.com > Networking > Tunnels). Rewrite deployment guides (AWS, GCP, Azure, Kubernetes, Terraform, Ansible) to use dashboard-managed tunnels. Add new top-level pages (setup, routing, configuration, monitoring, troubleshooting, integrations) with post-quantum promotion. Remove bloat (HTTPBin demos, connectivity prechecks, private networking duplication, license/copyright pages). Add 25+ redirect rules for all old paths. --- .github/labeler.yml | 4 +- public/__redirects | 32 +- ...-filtering-for-private-network-onramps.mdx | 3 +- .../2024-06-16-cloudflare-one.mdx | 2 +- .../dash-routes/core-manually-defined.json | 8 +- .../{cloudflare-tunnel.yaml => tunnel.yaml} | 2 +- .../configure-tunnels/cipher-suites.mdx | 20 - .../cloudflared-parameters/index.mdx | 152 --- .../origin-parameters.mdx | 194 --- .../cloudflared-parameters/run-parameters.mdx | 196 --- .../configure-tunnels/index.mdx | 49 - .../tunnel-availability/deploy-replicas.mdx | 55 - .../tunnel-availability/index.mdx | 86 -- .../system-requirements.mdx | 109 -- .../configure-tunnels/tunnel-permissions.mdx | 185 --- .../tunnel-with-firewall.mdx | 325 ----- .../deployment-guides/aws.mdx | 147 -- .../deployment-guides/azure.mdx | 118 -- .../google-cloud-platform.mdx | 121 -- .../deployment-guides/index.mdx | 12 - .../deployment-guides/kubernetes.mdx | 337 ----- .../downloads/copyrights.mdx | 1195 ----------------- .../cloudflare-tunnel/downloads/license.mdx | 220 --- src/content/docs/cloudflare-tunnel/faq.mdx | 79 -- .../get-started/create-remote-tunnel-api.mdx | 204 --- .../get-started/create-remote-tunnel.mdx | 99 -- .../cloudflare-tunnel/get-started/index.mdx | 16 - .../get-started/tunnel-useful-terms.mdx | 44 - src/content/docs/cloudflare-tunnel/index.mdx | 69 - .../cloudflare-tunnel/integrations/access.mdx | 42 - .../cloudflare-tunnel/integrations/index.mdx | 53 - .../integrations/load-balancing.mdx | 40 - .../integrations/spectrum.mdx | 27 - .../integrations/workers-vpc.mdx | 33 - .../monitor-tunnels/index.mdx | 11 - .../monitor-tunnels/logs.mdx | 94 -- .../monitor-tunnels/metrics.mdx | 111 -- .../monitor-tunnels/notifications.mdx | 19 - .../local-management/create-local-tunnel.mdx | 212 --- .../tunnel-useful-commands.mdx | 42 - .../other-tunnel-types/quick-tunnels.mdx | 54 - .../docs/cloudflare-tunnel/routing/dns.mdx | 60 - .../docs/cloudflare-tunnel/routing/index.mdx | 10 - .../routing/load-balancers.mdx | 209 --- .../cloudflare-tunnel/routing/protocols.mdx | 24 - .../troubleshoot/common-errors.mdx | 160 --- .../troubleshoot/connectivity-prechecks.mdx | 329 ----- .../troubleshoot/diag-logs.mdx | 134 -- .../cloudflare-tunnel/troubleshoot/index.mdx | 11 - ...nefits-to-saas-providers-end-customers.mdx | 4 +- .../changelog.mdx | 2 +- src/content/docs/tunnel/configuration.mdx | 570 ++++++++ .../deployment-guides/ansible.mdx | 12 +- .../docs/tunnel/deployment-guides/aws.mdx | 70 + .../docs/tunnel/deployment-guides/azure.mdx | 72 + .../google-cloud-platform.mdx | 65 + .../docs/tunnel/deployment-guides/index.mdx | 12 + .../tunnel/deployment-guides/kubernetes.mdx | 310 +++++ .../deployment-guides/terraform.mdx | 87 +- .../downloads/index.mdx | 6 +- .../downloads/update-cloudflared.mdx | 22 +- src/content/docs/tunnel/faq.mdx | 50 + src/content/docs/tunnel/index.mdx | 76 ++ src/content/docs/tunnel/integrations.mdx | 89 ++ src/content/docs/tunnel/monitoring.mdx | 218 +++ .../other-tunnel-types/index.mdx | 5 +- .../local-management/as-a-service/index.mdx | 0 .../local-management/as-a-service/linux.mdx | 6 +- .../local-management/as-a-service/macos.mdx | 6 +- .../local-management/as-a-service/windows.mdx | 10 +- .../local-management/configuration-file.mdx | 12 +- .../local-management/create-local-tunnel.mdx | 88 ++ .../local-management/index.mdx | 2 +- .../local-management/local-tunnel-terms.mdx | 10 +- .../local-management/tunnel-permissions.mdx | 2 +- .../tunnel-useful-commands.mdx | 37 + .../other-tunnel-types/quick-tunnels.mdx | 39 + src/content/docs/tunnel/routing.mdx | 191 +++ src/content/docs/tunnel/setup.mdx | 173 +++ src/content/docs/tunnel/troubleshooting.mdx | 161 +++ src/icons/tunnel.svg | 1 + 81 files changed, 2352 insertions(+), 5814 deletions(-) rename src/content/directory/{cloudflare-tunnel.yaml => tunnel.yaml} (92%) delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-permissions.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/aws.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/azure.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/google-cloud-platform.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/deployment-guides/kubernetes.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/downloads/copyrights.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/downloads/license.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/faq.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/get-started/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/get-started/tunnel-useful-terms.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/integrations/access.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/integrations/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/integrations/load-balancing.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/integrations/spectrum.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/integrations/workers-vpc.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/monitor-tunnels/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/monitor-tunnels/logs.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/monitor-tunnels/metrics.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/monitor-tunnels/notifications.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/other-tunnel-types/quick-tunnels.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/routing/dns.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/routing/index.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/routing/load-balancers.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/routing/protocols.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/troubleshoot/common-errors.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/troubleshoot/connectivity-prechecks.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/troubleshoot/diag-logs.mdx delete mode 100644 src/content/docs/cloudflare-tunnel/troubleshoot/index.mdx rename src/content/docs/{cloudflare-tunnel => tunnel}/changelog.mdx (94%) create mode 100644 src/content/docs/tunnel/configuration.mdx rename src/content/docs/{cloudflare-tunnel => tunnel}/deployment-guides/ansible.mdx (90%) create mode 100644 src/content/docs/tunnel/deployment-guides/aws.mdx create mode 100644 src/content/docs/tunnel/deployment-guides/azure.mdx create mode 100644 src/content/docs/tunnel/deployment-guides/google-cloud-platform.mdx create mode 100644 src/content/docs/tunnel/deployment-guides/index.mdx create mode 100644 src/content/docs/tunnel/deployment-guides/kubernetes.mdx rename src/content/docs/{cloudflare-tunnel => tunnel}/deployment-guides/terraform.mdx (84%) rename src/content/docs/{cloudflare-tunnel => tunnel}/downloads/index.mdx (91%) rename src/content/docs/{cloudflare-tunnel => tunnel}/downloads/update-cloudflared.mdx (73%) create mode 100644 src/content/docs/tunnel/faq.mdx create mode 100644 src/content/docs/tunnel/index.mdx create mode 100644 src/content/docs/tunnel/integrations.mdx create mode 100644 src/content/docs/tunnel/monitoring.mdx rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/index.mdx (51%) rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/local-management/as-a-service/index.mdx (100%) rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/local-management/as-a-service/linux.mdx (70%) rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/local-management/as-a-service/macos.mdx (72%) rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/local-management/as-a-service/windows.mdx (81%) rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/local-management/configuration-file.mdx (88%) create mode 100644 src/content/docs/tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/local-management/index.mdx (59%) rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/local-management/local-tunnel-terms.mdx (84%) rename src/content/docs/{cloudflare-tunnel => tunnel}/other-tunnel-types/local-management/tunnel-permissions.mdx (94%) create mode 100644 src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx create mode 100644 src/content/docs/tunnel/other-tunnel-types/quick-tunnels.mdx create mode 100644 src/content/docs/tunnel/routing.mdx create mode 100644 src/content/docs/tunnel/setup.mdx create mode 100644 src/content/docs/tunnel/troubleshooting.mdx create mode 100644 src/icons/tunnel.svg diff --git a/.github/labeler.yml b/.github/labeler.yml index 23063d9faff8681..47399fda172dab1 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -78,10 +78,10 @@ product:cloudflare-one: - changed-files: - any-glob-to-any-file: - src/content/docs/cloudflare-one/** -product:cloudflare-tunnel: +product:tunnel: - changed-files: - any-glob-to-any-file: - - src/content/docs/cloudflare-tunnel/** + - src/content/docs/tunnel/** product:constellation: - changed-files: - any-glob-to-any-file: diff --git a/public/__redirects b/public/__redirects index 5da1fc67a84232a..12e05b3001a0676 100644 --- a/public/__redirects +++ b/public/__redirects @@ -2375,7 +2375,7 @@ /cloudflare-one/email-security/monitoring/search-email/ /cloudflare-one/email-security/investigation/search-email/ 301 # Cloudflare Tunnel IA restructure (quick tunnels moved under other-tunnel-types) -/cloudflare-tunnel/quick-tunnels/ /cloudflare-tunnel/other-tunnel-types/quick-tunnels/ 301 +/cloudflare-tunnel/quick-tunnels/ /tunnel/other-tunnel-types/quick-tunnels/ 301 # ============================================================================ # DYNAMIC REDIRECTS @@ -2584,4 +2584,32 @@ /magic-network-monitoring/* /network-flow/:splat 301 # Cloudflare Tunnel IA restructure (locally-managed + quick tunnels moved under other-tunnel-types) -/cloudflare-tunnel/local-management/* /cloudflare-tunnel/other-tunnel-types/local-management/:splat 301 +/cloudflare-tunnel/local-management/* /tunnel/other-tunnel-types/local-management/:splat 301 + +# Cloudflare Tunnel rename to /tunnel/ with flat structure +/tunnel/get-started/create-remote-tunnel/ /tunnel/setup/ 301 +/tunnel/get-started/create-remote-tunnel-api/ /tunnel/setup/ 301 +/tunnel/get-started/ /tunnel/setup/ 301 +/tunnel/configure-tunnels/tunnel-with-firewall/ /tunnel/configuration/#firewall-rules 301 +/tunnel/configure-tunnels/tunnel-availability/ /tunnel/configuration/#replicas-and-high-availability 301 +/tunnel/configure-tunnels/tunnel-permissions/ /tunnel/configuration/#tunnel-tokens 301 +/tunnel/configure-tunnels/cloudflared-parameters/ /tunnel/configuration/#run-parameters 301 +/tunnel/configure-tunnels/* /tunnel/configuration/ 301 +/tunnel/routing/dns/ /tunnel/routing/#dns-records 301 +/tunnel/routing/load-balancers/ /tunnel/routing/#load-balancing 301 +/tunnel/routing/protocols/ /tunnel/routing/#supported-protocols 301 +/tunnel/integrations/workers-vpc/ /tunnel/integrations/#workers-vpc 301 +/tunnel/integrations/load-balancing/ /tunnel/integrations/#load-balancing 301 +/tunnel/integrations/access/ /tunnel/integrations/#cloudflare-access 301 +/tunnel/integrations/spectrum/ /tunnel/integrations/#spectrum 301 +/tunnel/monitor-tunnels/logs/ /tunnel/monitoring/#logs 301 +/tunnel/monitor-tunnels/metrics/ /tunnel/monitoring/#metrics 301 +/tunnel/monitor-tunnels/notifications/ /tunnel/monitoring/#tunnel-health 301 +/tunnel/monitor-tunnels/* /tunnel/monitoring/ 301 +/tunnel/troubleshoot/common-errors/ /tunnel/troubleshooting/#common-errors 301 +/tunnel/troubleshoot/diag-logs/ /tunnel/monitoring/#diagnostic-logs 301 +/tunnel/troubleshoot/connectivity-prechecks/ /tunnel/troubleshooting/#connectivity-pre-checks 301 +/tunnel/troubleshoot/* /tunnel/troubleshooting/ 301 +/tunnel/downloads/license/ https://github.com/cloudflare/cloudflared/blob/master/LICENSE 301 +/tunnel/downloads/copyrights/ https://github.com/cloudflare/cloudflared 301 +/cloudflare-tunnel/* /tunnel/:splat 301 diff --git a/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx b/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx index 8a2ec7ec387349c..649be1524a95b48 100644 --- a/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx +++ b/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx @@ -4,7 +4,7 @@ description: Magic WAN and WARP Connector traffic can now privately route DNS qu products: - gateway - cloudflare-wan - - cloudflare-tunnel + - tunnel date: "2025-09-11" --- @@ -13,4 +13,3 @@ date: "2025-09-11" Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](/dns/internal-dns/). - diff --git a/src/content/changelog/zero-trust-warp/2024-06-16-cloudflare-one.mdx b/src/content/changelog/zero-trust-warp/2024-06-16-cloudflare-one.mdx index abbd4517ade4441..37bfdc123ec7a39 100644 --- a/src/content/changelog/zero-trust-warp/2024-06-16-cloudflare-one.mdx +++ b/src/content/changelog/zero-trust-warp/2024-06-16-cloudflare-one.mdx @@ -5,7 +5,7 @@ products: - access - browser-isolation - casb - - cloudflare-tunnel + - tunnel - dex - dlp - email-security-cf1 diff --git a/src/content/dash-routes/core-manually-defined.json b/src/content/dash-routes/core-manually-defined.json index fe51488c7066f66..6516b8124d72bdd 100644 --- a/src/content/dash-routes/core-manually-defined.json +++ b/src/content/dash-routes/core-manually-defined.json @@ -1 +1,7 @@ -[] +[ + { + "deeplink": "/?to=/:account/tunnels", + "name": "Tunnels", + "parent": ["Networking"] + } +] diff --git a/src/content/directory/cloudflare-tunnel.yaml b/src/content/directory/tunnel.yaml similarity index 92% rename from src/content/directory/cloudflare-tunnel.yaml rename to src/content/directory/tunnel.yaml index 53705c992953493..1eda0d294295e41 100644 --- a/src/content/directory/cloudflare-tunnel.yaml +++ b/src/content/directory/tunnel.yaml @@ -8,7 +8,7 @@ entry: - Network security - Application security - Developer platform - url: /cloudflare-tunnel/ + url: /tunnel/ meta: description: Connect your origin servers, APIs, and services to Cloudflare without a publicly routable IP address diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx deleted file mode 100644 index 113b6331f52f42f..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx +++ /dev/null @@ -1,20 +0,0 @@ ---- -pcx_content_type: reference -title: Cipher suites -description: | - Review the TLS cipher suites supported by `cloudflared` for secure connections between your origin and Cloudflare's network. -sidebar: - order: 11 ---- - -Cloudflare Tunnel connections use the cipher suites supported by `cloudflared`, which relies on the Go TLS library for its TLS implementation. These cipher suites apply to both the TLS connection between Cloudflare's network and `cloudflared`, and the HTTPS connection between `cloudflared` and your origin. In both cases, `cloudflared` negotiates the most secure cipher suite supported by both sides. - -The following table lists the cipher suites supported by `cloudflared`: - -| Protocol support | Cipher suites | -|------------------|----------------| -| TLS 1.3 only | `TLS_AES_128_GCM_SHA256`
`TLS_AES_256_GCM_SHA384`
`TLS_CHACHA20_POLY1305_SHA256` | -| TLS 1.2 only | `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | -| Up to and including TLS 1.2 | `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | - - diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx deleted file mode 100644 index 510d9bb1667be0a..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx +++ /dev/null @@ -1,152 +0,0 @@ ---- -pcx_content_type: how-to -title: Configure cloudflared parameters -description: | - Modify tunnel service parameters to control how `cloudflared` runs on your system, including logging, connection settings, and protocol options. -sidebar: - order: 1 ---- - -import { TabItem, Tabs, Render } from "~/components"; - -Remotely-managed tunnels run as a service on your OS. You can modify the Cloudflare Tunnel service with one or more [general-purpose tunnel parameters](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/). - -:::note -For instructions on configuring a locally-managed tunnel, refer to the [configuration file documentation](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). -::: - -## Update tunnel run parameters - - - -On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl`. By default, the service will be named `cloudflared.service`. To configure your tunnel on Linux: - -1. Open `cloudflared.service`. - - ```sh - sudo systemctl edit --full cloudflared.service - ``` - -2. Modify the `cloudflared tunnel run` command with the desired configuration flag. For example, - - ```txt null {8} - [Unit] - Description=Cloudflare Tunnel - After=network.target - - [Service] - TimeoutStartSec=0 - Type=notify - ExecStart=/usr/local/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token - Restart=on-failure - RestartSec=5s - - [Install] - WantedBy=multi-user.target - ``` - -3. Restart `cloudflared.service`: - - ```sh - sudo systemctl restart cloudflared - ``` - -4. To verify the new configuration, check the service status: - - ```sh - sudo systemctl status cloudflared - ``` - - ```sh output - ● cloudflared.service - cloudflared - Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled) - Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago - Main PID: 2157 (cloudflared) - Tasks: 8 (limit: 1136) - Memory: 16.3M - CPU: 136ms - CGroup: /system.slice/cloudflared.service - └─2157 /usr/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi... - ``` - - - -On macOS, Cloudflare Tunnel installs itself as a launch agent using `launchctl`. By default, the agent will be called `com.cloudflare.cloudflared`. To configure your tunnel on macOS: - -1. Stop the `cloudflared` service. - - ```sh - sudo launchctl stop com.cloudflare.cloudflared - ``` - -2. Unload the configuration file. - - ```sh - sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist - ``` - -3. Open `/Library/LaunchDaemons/com.cloudflare.cloudflared.plist` in a text editor. - -4. Modify the `ProgramArguments` key with the desired configuration flag. For example, - - ```txt - - - Label - com.cloudflare.cloudflared - ProgramArguments - - /opt/homebrew/bin/cloudflared - tunnel - --logfile - - --loglevel - debug - run - --token - - - ``` - -5. Load the updated configuration file. - - ```sh - sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist - ``` - -6. Start the `cloudflared` service. - - ```sh - sudo launchctl start com.cloudflare.cloudflared - ``` - - - -On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named `cloudflared`. To configure your tunnel on Windows: - -1. Open the Registry Editor. - -2. Go to **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Services** > **cloudflared**. - -3. Double-click **ImagePath**. - -4. Modify **Value data** with the desired configuration flag. For example, - - ```txt - C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel info --logfile run --token - ``` - -![Modify cloudflared service in the Registry Editor](~/assets/images/cloudflare-one/connections/connect-apps/remote-management-windows.png) - - - -## Update origin configuration - -To configure how `cloudflared` sends requests to your [published applications](/cloudflare-tunnel/routing/): - -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. -2. Choose a tunnel and select **Edit**. -3. Select the **Published application routes** tab. -4. Choose an application and select **Edit**. -5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). -6. Select **Save**. diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx deleted file mode 100644 index b6c17a72cee6d6f..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx +++ /dev/null @@ -1,194 +0,0 @@ ---- -pcx_content_type: reference -title: Origin configuration parameters -sidebar: - order: 9 ---- - -Origin configuration parameters determine how `cloudflared` proxies traffic to your origin server. If you are using remotely-managed tunnels (default), configure these settings [using the dashboard or API](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-origin-configuration). If you are using [locally-managed tunnels](/cloudflare-tunnel/other-tunnel-types/local-management/), add these parameters to your [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). - -## TLS settings - -### originServerName - -| Default | UI name | -| ------- | ------------------ | -| `""` | Origin Server Name | - -Hostname that `cloudflared` should expect from your origin server certificate. If null, the expected hostname is the service URL, for example `localhost` if the service is `https://localhost:443`. - -### matchSNItoHost - -| Default | UI name | -| ------- | ----------------- | -| `false` | Match SNI to Host | - -When `true`, `cloudflared` will automatically set the Server Name Indication (SNI) during the TLS handshake to the hostname of the incoming request. - -This setting is useful when directing traffic to entry points that host multiple services and rely on SNI to route requests or present the correct certificate. It eliminates the need to explicitly configure [`originServerName`](#originservername) for individual services when using wildcard routing. - -### caPool - -| Default | UI name | -| ------- | -------------------------- | -| `""` | Certificate Authority Pool | - -Local file path to the certificate authority (CA) for your origin server certificate (for example, `/root/certs/ca.pem`). The path should point to a certificate store file or a bundle file in `.pem` or `.crt` format that contains one or more trusted root CA certificates. You should only configure this setting if your certificate is not signed by Cloudflare. - -### noTLSVerify - -| Default | UI name | -| ------- | ------------- | -| `false` | No TLS Verify | - -When `false`, TLS verification is performed on the certificate presented by your origin. - -When `true`, TLS verification is disabled. This will allow any certificate from the origin to be accepted. - -### tlsTimeout - -| Default | UI name | -| ------- | ----------- | -| `10s` | TLS Timeout | - -Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - -### http2Origin - -| Default | UI name | -| ------- | ---------------- | -| `false` | HTTP2 connection | - -When `false`, `cloudflared` will connect to your origin with HTTP/1.1. - -When `true`, `cloudflared` will attempt to connect to your origin server using HTTP/2.0 instead of HTTP/1.1. HTTP/2.0 is a faster protocol for high traffic origins but requires you to deploy an SSL certificate on the origin. We recommend using this setting in conjunction with [noTLSVerify](#notlsverify) so that you can use a self-signed certificate. - -## HTTP settings - -### httpHostHeader - -| Default | UI name | -| ------- | ---------------- | -| `""` | HTTP Host Header | - -Sets the HTTP `Host` header on requests sent to the local service. - -### disableChunkedEncoding - -| Default | UI name | -| ------- | ------------------------ | -| `false` | Disable Chunked Encoding | - -When `false`, `cloudflared` performs chunked transfer encoding when transferring data over HTTP/1.1. - -When `true`, chunked transfer encoding is disabled. This is useful if you are running a Web Server Gateway Interface (WSGI) server. - -## Connection settings - -### connectTimeout - -| Default | UI name | -| ------- | --------------- | -| `30s` | Connect Timeout | - -Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to -establish TLS, which is controlled by tlsTimeout. - -### noHappyEyeballs - -| Default | UI name | -| ------- | ----------------- | -| `false` | No Happy Eyeballs | - -When `false`, `cloudflared` uses the Happy Eyeballs algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - -When `true`, Happy Eyeballs is disabled. - -### proxyType - -| Default | UI name | -| ------- | ---------- | -| `""` | Proxy Type | - -`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. -This configures what type of proxy will be started. Valid options are: - -- `""` for the regular proxy -- `"socks"` for a SOCKS5 proxy. Refer to the [tutorial on connecting through Cloudflare Access using kubectl](/cloudflare-one/tutorials/kubectl/) for more information. - -### proxyAddress - -:::note - -For locally-managed tunnels only. -::: - -| Default | UI name | -| ----------- | ------- | -| `127.0.0.1` | -- | - -`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. -This configures the listen address for that proxy. - -### proxyPort - -:::note - -For locally-managed tunnels only. -::: - -| Default | UI name | -| ------- | ------- | -| `0` | -- | - -`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. -This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen. - -### keepAliveTimeout - -| Default | UI name | -| ------- | ------------------------------- | -| `1m30s` | Idle Connection Expiration Time | - -Timeout after which an idle keepalive connection can be discarded. - -### keepAliveConnections - -| Default | UI name | -| ------- | ---------------------- | -| `100` | Keep Alive Connections | - -Default: `100` - -Maximum number of idle keepalive connections between Cloudflare and your origin. This does not restrict the total number of concurrent connections. - -### tcpKeepAlive - -| Default | UI name | -| ------- | ----------------------- | -| `30s` | TCP Keep Alive Interval | - -Default: `30s` - -The timeout after which a TCP keepalive packet is sent on a connection between Cloudflare and the origin server. - -## Access settings - -### access - -| Default | UI name | -| ------- | ------------------- | -| `""` | Protect with Access | - -Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname services that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header. - -To enable this security control in a [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/#origin-configuration), [get the AUD tag](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`: - -```yml -access: - required: true - teamName: - audTag: - - - - -``` diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx deleted file mode 100644 index f6640ad02865074..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx +++ /dev/null @@ -1,196 +0,0 @@ ---- -pcx_content_type: reference -title: Tunnel run parameters -sidebar: - order: 4 ---- - -import { Render } from "~/components"; - -This page lists general-purpose configuration options that you can [add](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters) to the `cloudflared tunnel run` command. - -Alternatively, if you are running a [locally-managed tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/) you can add these flags to your [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/) as key/value pairs. - -## `autoupdate-freq` - -| Syntax | Default | -| ---------------------------------------------------------------- | ------- | -| `cloudflared tunnel --autoupdate-freq run ` | `24h` | - -Configures the frequency of `cloudflared` updates. - -By default, `cloudflared` will periodically check for updates and restart with the new version. Restarts are performed by spawning a new process that connects to the Cloudflare global network. On successful connection, the old process will gracefully shut down after handling all outstanding requests. See also: [`no-autoupdate`](#no-autoupdate). - -## `config` - -:::note - -For locally-managed tunnels only. -::: - -| Syntax | Default | -| ------------------------------------------------------- | --------------------------- | -| `cloudflared tunnel --config run ` | `~/.cloudflared/config.yml` | - -Specifies the path to a [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/) in YAML format. - -## `edge-bind-address` - -| Syntax | Environment Variable | -| ---------------------------------------------------------------- | -------------------------- | -| `cloudflared tunnel --edge-bind-address run ` | `TUNNEL_EDGE_BIND_ADDRESS` | - -Specifies the outgoing IP address used to establish a connection between `cloudflared` and the Cloudflare global network. - -By default, `cloudflared` lets the operating system decide which IP address to use. This option is useful if you have multiple network interfaces available and want to prefer a specific interface. - -The IP version of `edge-bind-address` will override [`edge-ip-version`](#edge-ip-version) (if provided). For example, if you enter an IPv6 source address, `cloudflared` will always connect to an IPv6 destination. - -## `edge-ip-version` - -| Syntax | Default | Environment Variable | -| ------------------------------------------------------------------- | ------- | ------------------------ | -| `cloudflared tunnel --edge-ip-version run ` | `4` | `TUNNEL_EDGE_IP_VERSION` | - -Specifies the IP address version (IPv4 or IPv6) used to establish a connection between `cloudflared` and the Cloudflare global network. Available values are `auto`, `4`, and `6`. - -The value `auto` relies on the host operating system to determine which IP version to select. The first IP version returned from the DNS resolution of the region lookup will be used as the primary set. In dual IPv6 and IPv4 network setups, `cloudflared` will separate the IP versions into two address sets that will be used to fallback in connectivity failure scenarios. - -## `grace-period` - -| Syntax | Default | Environment Variable | -| --------------------------------------------------------------- | ------- | --------------------- | -| `cloudflared tunnel --grace-period run ` | `30s` | `TUNNEL_GRACE_PERIOD` | - -When `cloudflared` receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shut down. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received. - -## `logfile` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --logfile run ` | `TUNNEL_LOGFILE` | - -Saves application log to this file. Mainly useful for reporting issues. For more details on what information you need when contacting Cloudflare support, refer to [this guide](/cloudflare-one/faq/cloudflare-tunnels-faq/). - -## `loglevel` - -| Syntax | Default | Environment Variable | -| ---------------------------------------------------------- | ------- | -------------------- | -| `cloudflared tunnel --loglevel run ` | `info` | `TUNNEL_LOGLEVEL` | - -Specifies the verbosity of logging for the local `cloudflared` instance. Available values are `debug`, `info` (default), `warn`, `error`, and `fatal`. At the `debug` level, `cloudflared` will log and display the request URL, method, protocol, content length, as well as all request and response headers. However, note that this can expose sensitive information in your logs. - -## `metrics` - -| Syntax | Default | Environment Variable | -| ----------------------------------------------------------- | ---------------------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --metrics run ` | Refer to [Tunnel metrics](/cloudflare-tunnel/monitor-tunnels/metrics/) | `TUNNEL_METRICS` | - -Exposes a Prometheus endpoint on the specified IP address and port, which you can then query for [usage metrics](/cloudflare-tunnel/monitor-tunnels/metrics/). - -## `no-autoupdate` - -:::note - -Does not apply if you installed `cloudflared` using a package manager. - -::: - -| Syntax | Environment Variable | -| ------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --no-autoupdate run ` | `NO_AUTOUPDATE` | - -Disables automatic `cloudflared` updates. See also: [`autoupdate-freq`](#autoupdate-freq). - -## `origincert` - -:::note - -For locally-managed tunnels only. -::: - -| Syntax | Default | Environment Variable | -| ----------------------------------------------------------- | ------------------------- | -------------------- | -| `cloudflared tunnel --origincert run ` | `~/.cloudflared/cert.pem` | `TUNNEL_ORIGIN_CERT` | - -Specifies the [account certificate](/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions/) for one of your zones, authorizing the client to serve as an origin for that zone. You can obtain a certificate by using the `cloudflared tunnel login` command or by visiting `https://dash.cloudflare.com/argotunnel`. - -## `pidfile` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --pidfile run ` | `TUNNEL_PIDFILE` | - -Writes the application's process identifier (PID) to this file after the first successful connection. Mainly useful for scripting and service integration. - -## `post-quantum` - -| Syntax | Environment Variable | -| ------------------------------------------------------ | --------------------- | -| `cloudflared tunnel run --post-quantum ` | `TUNNEL_POST_QUANTUM` | - -By default, Cloudflare Tunnel connections over [`quic`](#protocol) are encrypted using [post-quantum cryptography (PQC)](/ssl/post-quantum-cryptography/) but will fall back to non-PQ if there are issues connecting. If the `--post-quantum` flag is provided, `quic` connections are only allowed to use PQ key agreements, with no fallback to non-PQ. - -Post-quantum key agreements are not supported when using `http2` protocol. - -## `protocol` - -| Syntax | Default | Environment Variable | -| ---------------------------------------------------------- | ------- | --------------------------- | -| `cloudflared tunnel --protocol run ` | `auto` | `TUNNEL_TRANSPORT_PROTOCOL` | - -Specifies the protocol used to establish a connection between `cloudflared` and the Cloudflare global network. Available values are `auto`, `http2`, and `quic`. - -The `auto` value will automatically configure the `quic` protocol. If `cloudflared` is unable to establish UDP connections, it will fallback to using the `http2` protocol. - -## `region` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --region run ` | `TUNNEL_REGION` | - -Allows you to choose the regions to which connections are established. Currently the only available value is `us`, which routes all connections through data centers in the United States. Omit or leave empty to connect to the global region. - -When the region is set to `us`, `cloudflared` uses different US-specific hostnames and IPs. Refer to [Tunnel with firewall](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#region-us) for details. - -## `retries` - -| Syntax | Default | Environment Variable | -| --------------------------------------------------------- | ------- | -------------------- | -| `cloudflared tunnel --retries run ` | `5` | `TUNNEL_RETRIES` | - -Specifies the maximum number of retries for connection/protocol errors. Retries use exponential backoff (retrying at 1, 2, 4, 8, 16 seconds by default), so it is not recommended that you increase this value significantly. - -## `tag` - -| Syntax | Environment Variable | -| ------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --tag run ` | `TUNNEL_TAG` | - -Specifies custom tags used to identify this tunnel. Multiple tags may be specified by adding additional `--tag ` flags to the command. If entering multiple tags into a configuration file, delimit with commas: `tag: {KEY1=VALUE1, KEY2=VALUE2}`. - -## `token` - -:::note - -For remotely-managed tunnels only. -::: - -| Syntax | Environment Variable | -| ----------------------------------------------- | -------------------- | -| `cloudflared tunnel run --token ` | `TUNNEL_TOKEN` | - -Associates the `cloudflared` instance with a specific tunnel. The tunnel's token is shown in the dashboard when you first [create the tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/). You can also retrieve the token using the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/). - -## `token-file` - -:::note - -For remotely-managed tunnels only. Requires `2025.4.0` or later. -::: - -| Syntax | Environment Variable | -| -------------------------------------------- | -------------------- | -| `cloudflared tunnel run --token-file ` | `TUNNEL_TOKEN_FILE` | - -Associates the `cloudflared` instance with a specific tunnel using a file which contains the token. diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/index.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/index.mdx deleted file mode 100644 index 98bfefaa2317ee1..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/index.mdx +++ /dev/null @@ -1,49 +0,0 @@ ---- -title: Configure a tunnel -pcx_content_type: navigation -sidebar: - order: 3 ---- - -import { DirectoryListing } from "~/components"; - -After [creating your Cloudflare Tunnel](/cloudflare-tunnel/get-started/), you can configure various aspects of how `cloudflared` runs and connects your infrastructure to Cloudflare's network. This section covers advanced configuration options to optimize tunnel performance, security, and availability. - - - -## Common configuration scenarios - -### Optimize for production - -For production deployments, consider the following steps: - -- [Deploy replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/) - Run multiple `cloudflared` instances for redundancy. -- [Configure logging](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) - Set appropriate log levels for monitoring and troubleshooting. -- [Review system requirements](/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/) - Ensure your infrastructure meets performance needs. -- [Configure firewall rules](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) - Implement egress-only traffic patterns for security. - -### Secure your tunnel - -All tunnel connections between `cloudflared` and Cloudflare's network are secured with TLS 1.3 and post-quantum encryption by default, ensuring your traffic is protected against current and future cryptographic threats. - -Enhance tunnel security with: - -- [Tunnel token management](/cloudflare-tunnel/configure-tunnels/tunnel-permissions/) - Control access to your tunnel credentials. -- [Egress-only firewall rules](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) - Allow only necessary outbound connections. -- Least privilege permissions - Run `cloudflared` as a non-root user with minimal permissions needed for tunnel operation. - -### Improve reliability - -Maximize tunnel uptime with: - -- [Multiple replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) - Deploy `cloudflared` across different hosts. -- [Health alerts](/cloudflare-tunnel/monitor-tunnels/notifications/) - Get notified when your tunnel is degraded or goes down. -- [Health metrics](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#metrics) - Monitor tunnel resource usage to identify potential bottlenecks. -- [Load balancing](/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflare-load-balancers/) - Distribute traffic across tunnel connections. -- [Automatic failover](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) - Leverage built-in connection redundancy. - -## Next steps - -- [Monitor your tunnels](/cloudflare-tunnel/monitor-tunnels/) to track performance and troubleshoot issues. -- [Configure public ingress routing](/cloudflare-tunnel/routing/) to publish applications to the Internet. -- [Explore integrations](/cloudflare-tunnel/integrations/) with Workers VPC, Load Balancing, and other Cloudflare products. diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas.mdx deleted file mode 100644 index 11c48d71148ed9f..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas.mdx +++ /dev/null @@ -1,55 +0,0 @@ ---- -pcx_content_type: how-to -title: Deploy cloudflared replicas -sidebar: - order: 2 ---- - -import { Render } from "~/components"; - -To deploy multiple instances of `cloudflared`, you can create and configure one tunnel and run it on multiple hosts. If your tunnel runs as a service, only one `cloudflared` instance is allowed per host. - -You can run the same tunnel across various `cloudflared` processes for up to 100 connections (25 replicas) per tunnel. Cloudflare Load Balancers and DNS records can still point to the tunnel and its UUID. Traffic will be sent to all `cloudflared` processes associated with the tunnel. - -:::tip[Deploy replicas in Kubernetes] -For information about running `cloudflared` in a Kubernetes deployment, refer to the [Kubernetes guide](/cloudflare-tunnel/deployment-guides/kubernetes/). -::: - -## Remotely-managed tunnels - -1. To create a remotely-managed tunnel, follow the [dashboard setup guide](/cloudflare-tunnel/get-started/create-remote-tunnel/). -2. On the **Tunnels** page, select your newly created tunnel. -3. In the side panel, scroll down to **Connectors** to view the `cloudflared` instances for that tunnel. -4. Select **Edit**. -5. Select the operating system of the host where you want to deploy a replica. -6. Copy the installation command and run it on the host. - -The new replica will appear on the **Connectors** list for the tunnel. All replicas will serve the same routes and use the same configuration parameters. - -## Locally-managed tunnels - -1. To create a locally-managed tunnel, complete Steps 1 through 5 in the [CLI setup guide](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/). - -2. Run your newly created tunnel. - - ```sh - cloudflared tunnel run - ``` - - This will start a `cloudflared` instance and generate a unique `connector_id`. - -3. In a separate window or on another host, run the same command again: - - ```sh - cloudflared tunnel run - ``` - - This will initialize another `cloudflared` instance and generate another `connector_id`. - -4. Run `tunnel info` to show each `cloudflared` instance running your tunnel: - - ```sh - cloudflared tunnel info - ``` - -This will output your tunnel UUID as well as two Connector IDs, one for each `cloudflared` process running your tunnel. With this command, you can also see that your tunnel is now being served by eight connections. diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx deleted file mode 100644 index 21fa1f9ed74093f..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx +++ /dev/null @@ -1,86 +0,0 @@ ---- -pcx_content_type: concept -title: Tunnel availability and failover -description: | - Deploy multiple `cloudflared` replicas for high availability and automatic failover across your infrastructure. -sidebar: - order: 4 ---- - -import { Details, GlossaryTooltip } from "~/components"; - -Our lightweight and open-source connector, [`cloudflared`](https://github.com/cloudflare/cloudflared), was built to be highly available without any additional configuration requirements. When you run a tunnel, `cloudflared` establishes four outbound-only connections between the origin server and the Cloudflare network. These four connections are made to four different servers spread across at least two distinct data centers. This model ensures high availability and mitigates the risk of individual connection failures. This means in event a single connection, server, or data center goes offline, your resources will remain available. - -## `cloudflared` replicas - -Cloudflare Tunnel allows users to deploy additional instances of our connector, `cloudflared`, for availability and failover scenarios. We refer to these unique instances as replicas. Each replica establishes four new connections which serve as additional points of ingress to your origin, should you need them. Each of the replicas will point to the same tunnel. This ensures that your network remains up in the event a single host running `cloudflared` goes down. - -```mermaid -graph LR - C((Cloudflare)) - subgraph E[Private network] - cf1["cloudflared
(Tunnel-1 replica)"] - cf2["cloudflared
(Tunnel-1 replica)"] - S1[Application] - cf1-->S1 - cf2-->S1 - end - C -- "Connections x 4
"--> cf1 - C --> cf1 - C --> cf1 - C --> cf1 - C -- Connections x 4--> cf2 - C --> cf2 - C --> cf2 - C --> cf2 -``` - -By design, replicas do not offer any level of traffic steering (random, hash, or round-robin). Instead, when a request arrives to Cloudflare, it will be forwarded to the replica that is geographically closest. If that distance calculation is unsuccessful or the connection fails, we will retry others, but there is no guarantee about which connection is chosen. - -### When to use `cloudflared` replicas - -- To provide additional points of availability for a single tunnel. -- To allocate failover nodes within your network. -- To update the configuration of a tunnel [without downtime](/cloudflare-tunnel/downloads/update-cloudflared/#update-with-multiple-cloudflared-instances). - -For setup instructions, refer to [Deploy cloudflared replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/). - -## Cloudflare Load Balancers - -[Cloudflare Load Balancing](/load-balancing/) proactively steers traffic away from unhealthy origins and intelligently distributes the traffic load based on your choice of [steering algorithms](/load-balancing/understand-basics/traffic-steering/). Unlike [`cloudflared` replicas](#cloudflared-replicas) which all use the same tunnel, a typical load balancer setup requires creating multiple tunnels. Most customers will create one tunnel per data center and one load balancer pool per tunnel. - -```mermaid -graph LR - accTitle: Load balancing traffic to applications behind Cloudflare Tunnel - - A[Internet] --> C{Cloudflare
Load Balancer} - C -- Tunnel 1 --> cf1 - C -- Tunnel 2 --> cf2 - subgraph F[Data center 2] - cf2[cloudflared
server] - S3[App server] - S4[App server] - cf2-->S3 - cf2-->S4 - end - subgraph E[Data center 1] - cf1[cloudflared
server] - S1[App server] - S2[App server] - cf1-->S1 - cf1-->S2 - end -``` - -### When to use load balancers - -- To intelligently steer traffic based on latency, geolocation, or other signals. -- To implement failover logic if a tunnel reaches an inactive state. -- To get a [health alert](/notifications/notification-available/#load-balancing) when a tunnel reaches an inactive state. -- To distribute traffic more evenly across your Cloudflare Tunnel-accessible origins or endpoints. - -For setup instructions, refer to [Public load balancers](/cloudflare-tunnel/routing/load-balancers/). - -:::note -For private network load balancing with WARP clients and Cloudflare WAN, refer to [Private Network Load Balancing](/load-balancing/private-network/) and [Cloudflare Tunnel for SASE](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/). -::: \ No newline at end of file diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx deleted file mode 100644 index f6ebea9ca0601aa..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx +++ /dev/null @@ -1,109 +0,0 @@ ---- -pcx_content_type: concept -title: System requirements -sidebar: - order: 6 ---- - -import { Render, TabItem, Tabs, TunnelCalculator } from "~/components"; - -Our connector, `cloudflared`, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server in a data center. - -## Recommendations - -For most use cases, we recommend the following baseline configuration: - -- Run a [`cloudflared` replica](/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) on two dedicated host machines per network location. Using two hosts enables server-side redundancy. -- Size each host with minimum 4GB of RAM and 4 CPU cores. -- Allocate 50,000 [ports](#number-of-ports) to the `cloudflared` process on each host. - -This setup is usually sufficient to handle moderate traffic loads. The actual amount of resources used by `cloudflared` will depend on many variables, including the number of requests per second, bandwidth, network path, and hardware. As traffic increases beyond your existing [tunnel capacity](#estimated-throughput), you can scale your tunnel by adding an additional `cloudflared` host in that location. - -### Number of ports - -When `cloudflared` receives a request, it uses the ports on the host machine to evaluate and forward the request to your origin service. Every machine by system design is hardware-limited to a maximum 65,535 ports. Additionally, each service on the machine has a limited number of ports that it can consume. For this reason, we recommend the following deployment model: - -- `cloudflared` should be deployed on a dedicated host machine. This model is typically appropriate, but there may be serverless or clustered workflows where a dedicated host is not possible. -- The host machine should allocate 50,000 ports to be available for use by the `cloudflared` service. The remaining ports are reserved for system administrative processes. - - - -To increase the number of ports available to `cloudflared` on Linux: - -If your machine has a `/etc/sysctl.d/` directory: - -```sh -echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.d/99-cloudflared.conf -sudo sysctl -p /etc/sysctl.d/99-cloudflared.conf -``` - -Otherwise: - -```sh -echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.conf -sudo sysctl -p /etc/sysctl.conf -``` - - - -To increase the number of ports available to `cloudflared` on Windows, set the [dynamic port range](https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcp-ip-port-exhaustion-troubleshooting) for TCP and UDP: - -```txt -netsh int ipv4 set dynamicport tcp start=11000 num=50000 -netsh int ipv4 set dynamicport udp start=11000 num=50000 -netsh int ipv6 set dynamicport tcp start=11000 num=50000 -netsh int ipv6 set dynamicport udp start=11000 num=50000 -``` - - - -### ulimits - -On Linux and macOS, `ulimit` settings determine the system resources available to a logged-in user. We recommend configuring the following ulimits on the `cloudflared` server: - -| ulimit | Description | Value | -| ------ | ------------------------------------------------ | -------- | -| `-n` | Maximum number of open files or file descriptors | ≥ 70,000 | - -To view your current ulimits, open a terminal and run: - -```sh -ulimit -a -``` - -To set the open files `ulimit`: - -```sh -ulimit -n 70000 -``` - -The command above sets the open files limit only for the current terminal session and will not persist after a reboot or new login. To apply this limit permanently, configure it using the persistent method appropriate for your operating system. - -## Estimated throughput - -Most traffic proxied by `cloudflared` falls in one of two categories: - -- TCP requests (more common, less resource intensive) -- UDP requests (less common, more resource intensive) - -TCP traffic uses and releases ports almost instantaneously. This means that in order to overload a `cloudflared` instance with 50,000 available ports, your organization would need to continuously generate 50,001 TCP requests per second. - -UDP traffic is more unique. DNS queries - usually the bulk of UDP traffic - are held by ports in `cloudflared` for five seconds. Non-DNS UDP traffic holds each port for the duration of the connection, which can be any amount of time. This means that in order to overload a `cloudflared` instance with 50,000 available ports, you would need to continuously generate either 10,000 DNS queries per second, or a cumulative 50,000 non-DNS UDP requests over a shorter time than your connection reset rate. - -### Calculate your tunnel capacity - -Our [baseline recommendations](#recommendations) serve as a starting point for a Cloudflare Tunnel deployment. Once you have a representative population of users engaging with your network for at least a week, you can customize tunnel sizing according to your own traffic patterns. - -To calculate your tunnel capacity: - -1. Set up a [metrics service](/cloudflare-one/tutorials/grafana/) when you run the tunnel. -2. After a week or so, query the following [tunnel metrics](/cloudflare-tunnel/monitor-tunnels/metrics/#cloudflared-metrics): - - `cloudflared_tcp_total_sessions` - - `cloudflared_udp_total_sessions` -3. Compute the average **TCP requests per second** and **Non-DNS UDP requests per second** by dividing total sessions by total time. -4. If applicable, obtain the average **DNS requests per second** from your DNS resolver. -5. Input your values into our sizing calculator: - - - -You can use these results to determine if your tunnel is appropriately sized. To increase your tunnel capacity, add identical host machines running [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas). diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-permissions.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-permissions.mdx deleted file mode 100644 index af0b75e0e5dde4a..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-permissions.mdx +++ /dev/null @@ -1,185 +0,0 @@ ---- -pcx_content_type: how-to -title: Tunnel permissions -description: | - Manage tunnel tokens and control who can run your remotely-managed tunnels. -sidebar: - order: 10 ---- - -import { TabItem, Tabs, Render, APIRequest } from "~/components"; - -A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel. - -## Get the tunnel token - -To get the token for a remotely-managed tunnel: - - - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. -2. Select a `cloudflared` tunnel and select **Edit**. -3. Copy the `cloudflared` installation command. -4. Paste the installation command into any text editor. The token value is of the form `eyJhIjoiNWFiNGU5Z...` - - - - -Make a `GET` request to the [Cloudflare Tunnel token](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/) endpoint: - - - -```sh output -{ - "success": true, - "errors": [], - "messages": [], - "result": "eyJhIjoiNWFiNGU5Z..." -} -``` - -The token value can be found in the `result`. - - - - - - - - - - - -## Rotate a token without service disruption - -Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/). To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window. - -To rotate a tunnel token: - -1. Refresh the token on Cloudflare: - - - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. -2. Select a `cloudflared` tunnel and select **Edit**. -3. Select **Refresh token**. -4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. - - - - 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: - - ```sh - openssl rand -base64 32 - ``` - - ```sh output - AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= - ``` - -2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: - - - - -After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. - -2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: - - ```sh - sudo cloudflared service install - ``` - -3. Restart `cloudflared`: - - ```sh - sudo systemctl restart cloudflared.service - ``` - -4. Confirm that the service started correctly: - - ```sh - sudo systemctl status cloudflared - ``` - - While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. - -5. Wait 10 minutes for traffic to route through the new connectors. - -6. Repeat steps 2, 3, and 4 for the second half of the replicas. - -The tunnel token is now fully rotated. The old token is no longer in use. - -## Rotate a compromised token - -If your tunnel token is compromised, we recommend taking the following steps: - -1. Refresh the token using the dashboard or API. Refer to Step 1 of [Rotate a token without service disruption](#rotate-a-token-without-service-disruption). -2. [Delete all connections](/api/resources/zero_trust/subresources/tunnels/subresources/connections/methods/delete/) between `cloudflared` and Cloudflare: - - - - This will clean up any unauthorized connections and prevent users from connecting to your network. - -3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host: - - ```sh - sudo cloudflared service install - ``` - -4. Restart `cloudflared`: - - ```sh - sudo systemctl restart cloudflared.service - ``` - -5. Confirm that the service started correctly: - ```sh - sudo systemctl status cloudflared - ``` - -The tunnel token is now fully rotated. The old token is no longer in use. - -## Account-scoped roles - - diff --git a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx b/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx deleted file mode 100644 index d4a2342bd8be647..000000000000000 --- a/src/content/docs/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx +++ /dev/null @@ -1,325 +0,0 @@ ---- -pcx_content_type: reference -title: Tunnel with firewall -description: | - Configure firewall rules to allow `cloudflared` egress traffic while blocking all ingress, implementing a positive security model. -sidebar: - order: 3 ---- - -You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from `cloudflared`. Only the services specified in your tunnel configuration will be exposed to the outside world. - -## Ports - -The parameters below can be configured for egress traffic inside of a firewall. - -How you configure your firewall depends on the firewall type: - -- If your firewall supports domain-based rules (FQDN allowlists), you can allow outbound connections to the hostnames listed below. -- If your firewall requires IP-based rules, allow outbound connections to all listed IP addresses for each domain. - -Ensure port `7844` is allowed for both TCP and UDP protocols (for `http2` and `quic`). - -### Required for tunnel operation - -`cloudflared` connects to Cloudflare's global network on port `7844`. To use Cloudflare Tunnel, your firewall must allow outbound connections to the following destinations on port `7844` (via UDP if using the `quic` protocol or TCP if using the `http2` protocol). - -#### `region1.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.192.167` `198.41.192.67` `198.41.192.57` `198.41.192.107` `198.41.192.27` `198.41.192.7` `198.41.192.227` `198.41.192.47` `198.41.192.37` `198.41.192.77` | `2606:4700:a0::1` `2606:4700:a0::2` `2606:4700:a0::3` `2606:4700:a0::4` `2606:4700:a0::5` `2606:4700:a0::6` `2606:4700:a0::7` `2606:4700:a0::8` `2606:4700:a0::9` `2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -#### `region2.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.200.13` `198.41.200.193` `198.41.200.33` `198.41.200.233` `198.41.200.53` `198.41.200.63` `198.41.200.113` `198.41.200.73` `198.41.200.43` `198.41.200.23` | `2606:4700:a8::1` `2606:4700:a8::2` `2606:4700:a8::3` `2606:4700:a8::4` `2606:4700:a8::5` `2606:4700:a8::6` `2606:4700:a8::7` `2606:4700:a8::8` `2606:4700:a8::9` `2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -#### `_v2-origintunneld._tcp.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------- | -| Not applicable | Not applicable | 7844 | TCP (`http2`) | - -This rule is only required for firewalls that enforce SNI. - -#### `cftunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------------------ | -| Not applicable | Not applicable | 7844 | TCP/UDP (`http2`/`quic`) | - -This rule is only required for firewalls that enforce SNI. - -#### `h2.cftunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------- | -| Not applicable | Not applicable | 7844 | TCP (`http2`) | - -This rule is only required for firewalls that enforce SNI. - -#### `quic.cftunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------ | -| Not applicable | Not applicable | 7844 | UDP (`quic`) | - -This rule is only required for firewalls that enforce SNI. - -### Region US - -When using the [US region](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#region), ensure your firewall allows outbound connections to these US-region destinations on port `7844` (TCP/UDP) for tunnel operation. - -#### `us-region1.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocol | -| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.218.1` `198.41.218.2` `198.41.218.3` `198.41.218.4` `198.41.218.5` `198.41.218.6` `198.41.218.7` `198.41.218.8` `198.41.218.9` `198.41.218.10` | `2606:4700:a1::1` `2606:4700:a1::2` `2606:4700:a1::3` `2606:4700:a1::4` `2606:4700:a1::5` `2606:4700:a1::6` `2606:4700:a1::7` `2606:4700:a1::8` `2606:4700:a1::9` `2606:4700:a1::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -#### `us-region2.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocol | -| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.219.1` `198.41.219.2` `198.41.219.3` `198.41.219.4` `198.41.219.5` `198.41.219.6` `198.41.219.7` `198.41.219.8` `198.41.219.9` `198.41.219.10` | `2606:4700:a9::1` `2606:4700:a9::2` `2606:4700:a9::3` `2606:4700:a9::4` `2606:4700:a9::5` `2606:4700:a9::6` `2606:4700:a9::7` `2606:4700:a9::8` `2606:4700:a9::9` `2606:4700:a9::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -### Optional - -Opening port `443` enables some optional features. Failure to allow these connections may prompt a log error, but `cloudflared` will still run correctly. - -#### `api.cloudflare.com` - -Allows `cloudflared` to query if software updates are available. - -| IPv4 | IPv6 | Port | Protocols | -| --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ----------- | -| `104.19.192.29` `104.19.192.177` `104.19.192.175` `104.19.193.29` `104.19.192.174` `104.19.192.176` | `2606:4700:300a::6813:c0af` `2606:4700:300a::6813:c01d` `2606:4700:300a::6813:c0ae` `2606:4700:300a::6813:c11d` `2606:4700:300a::6813:c0b0` `2606:4700:300a::6813:c0b1` | 443 | TCP (HTTPS) | - -#### `update.argotunnel.com` - -Allows `cloudflared` to query if software updates are available. - -| IPv4 | IPv6 | Port | Protocols | -| ------------------------------- | --------------------------------------------- | ---- | ----------- | -| `104.18.25.129` `104.18.24.129` | `2606:4700::6812:1881` `2606:4700::6812:1981` | 443 | TCP (HTTPS) | - -#### `github.com` - -Allows `cloudflared` to download the latest release and perform a software update. - -| IPv4 | IPv6 | Port | Protocols | -| ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ---- | ----------- | -| [GitHub's IPs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | [GitHub's IPs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | 443 | TCP (HTTPS) | - -#### `.cloudflareaccess.com` - -Allows `cloudflared` to validate the Access JWT. Only required if the [`access`](https://developers.cloudflare.com/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#access) setting is enabled. - -| IPv4 | IPv6 | Port | Protocols | -| ------------------------------- | ------------------------------------------------------- | ---- | ----------- | -| `104.19.194.29` `104.19.195.29` | `2606:4700:300a::6813:c31d` `2606:4700:300a::6813:c21d` | 443 | TCP (HTTPS) | - -#### `pqtunnels.cloudflareresearch.com` - -Allows `cloudflared` to report [post-quantum key exchange](https://blog.cloudflare.com/post-quantum-tunnel/) errors to Cloudflare. - -| IPv4 | IPv6 | Port | Protocols | -| --------------------------- | ------------------------------------------- | ---- | ----------- | -| `104.18.4.64` `104.18.5.64` | `2606:4700::6812:540` `2606:4700::6812:440` | 443 | TCP (HTTPS) | - -#### `cfd-features.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------ | -| Not applicable | Not applicable | Not applicable | Not applicable | - -Performing a DNS query for a `TXT` record to this hostname allows `cloudflared` to determine which version of [UDP datagram](/changelog/2025-07-15-udp-improvements/) to use when connecting via the `quic` protocol. If your firewall filters egress DNS queries by FQDN, you may need to allow queries for this domain to ensure optimal `quic` performance. - -## Firewall configuration - -### Cloud VM firewall - -If you host your services on a virtual machine (VM) instance in a cloud provider, you may set up instance-level firewall rules to block all ingress traffic and allow only egress traffic. For example, on Google Cloud Platform (GCP), you may delete all ingress rules, leaving only the relevant egress rules. This is because GCP's firewall denies ingress traffic unless it matches an explicit rule. - -### OS firewall - -Alternatively, you may use operating system (OS)-level firewall rules to block all ingress traffic and allow only egress traffic. For example, if your server runs on Linux, you may use `iptables` to set up firewall rules: - -1. Check your current firewall rules. - - ```sh - sudo iptables -L - ``` - -2. Allow `localhost` to communicate with itself. - - ```sh - sudo iptables -A INPUT -i lo -j ACCEPT - ``` - -3. Allow already established connection and related traffic. - - ```sh - sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - ``` - -4. Allow new SSH connections. - - ```sh - sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT - ``` - -5. Drop all other ingress traffic. - :::caution[Warning] - - Be very careful with the following command. If you did not preserve the current SSH connection or allow new SSH connections, you would be logged out and unable to SSH back into the system again. - ::: - - ```sh - sudo iptables -A INPUT -j DROP - ``` - -6. After setting the firewall rules, use this command to check the current `iptables` settings: - - ```sh - sudo iptables -L - ``` - -7. Run your tunnel and check that all configured services are still accessible to the outside world via the tunnel, but not via the external IP address of the server. - -8. By default, rules you add via the `iptables` command are stored only in memory and do not persist on reboot. There are many different ways to save and reload your firewall rules, depending on your Linux distribution. For example, on Debian you can use the [`iptables-persistent`](https://packages.debian.org/sid/iptables-persistent) package: - - ```sh - sudo apt install iptables-persistent - sudo netfilter-persistent save - ``` - -## Test connectivity - -### Test with dig - -To test your connectivity to Cloudflare, you can use the `dig` command to query the hostnames listed above. Note that `cloudflared` defaults to connecting with IPv4. - -```sh -dig A region1.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -region1.v2.argotunnel.com. 86400 IN A 198.41.192.167 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.67 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.57 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.107 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.27 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.7 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.227 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.47 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.37 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.77 -... -``` - -```sh -dig AAAA region1.v2.argotunnel.com -``` - -```sh output -... -;; ANSWER SECTION: -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::1 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::2 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::3 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::4 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::5 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::6 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::7 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::8 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::9 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::10 -... -``` - -```sh -dig A region2.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -region2.v2.argotunnel.com. 86400 IN A 198.41.200.13 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.193 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.33 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.233 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.53 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.63 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.113 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.73 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.43 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.23 -... -``` - -```sh -dig AAAA region2.v2.argotunnel.com -``` - -```sh output -... -;; ANSWER SECTION: -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::1 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::2 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::3 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::4 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::5 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::6 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::7 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::8 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::9 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::10 -... -``` - -### Test with PowerShell - -On Windows, you can use PowerShell commands if `dig` is not available. - -To test DNS: - -```powershell -Resolve-DnsName -Name _v2-origintunneld._tcp.argotunnel.com SRV -``` - -```txt output -Name Type TTL Section NameTarget Priority Weight Port ----- ---- --- ------- ---------- -------- ------ ---- -_v2-origintunneld._tcp.argotunnel.com SRV 112 Answer region2.v2.argotunnel.com 2 1 7844 -_v2-origintunneld._tcp.argotunnel.com SRV 112 Answer region1.v2.argotunnel.com 1 1 7844 -``` - -To test ports: - -```powershell -tnc region1.v2.argotunnel.com -port 443 -``` - -```txt output -ComputerName : region1.v2.argotunnel.com -RemoteAddress : 198.41.192.227 -RemotePort : 443 -InterfaceAlias : Ethernet -SourceAddress : 10.0.2.15 -TcpTestSucceeded : True -``` - -```powershell -tnc region1.v2.argotunnel.com -port 7844 -``` - -```txt output -ComputerName : region1.v2.argotunnel.com -RemoteAddress : 198.41.192.227 -RemotePort : 7844 -InterfaceAlias : Ethernet -SourceAddress : 10.0.2.15 -TcpTestSucceeded : True -``` diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/aws.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/aws.mdx deleted file mode 100644 index 638daed50b40795..000000000000000 --- a/src/content/docs/cloudflare-tunnel/deployment-guides/aws.mdx +++ /dev/null @@ -1,147 +0,0 @@ ---- -pcx_content_type: how-to -title: AWS -sidebar: - order: 2 -head: - - tag: title - content: Deploy cloudflared in AWS ---- - -import { Render } from "~/components"; -import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx"; - -This guide covers how to connect an Amazon Web Services (AWS) virtual machine to Cloudflare using our lightweight connector, `cloudflared`. - -We will deploy: - -- An EC2 virtual machine that runs a basic HTTP server. -- A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address. - - - -### Prerequisites - -To complete the following procedure, you will need to: - -- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/) -- [Deploy the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/) on an end-user device - -## 1. Create a VM instance in AWS - -1. From the AWS console, go to **Compute** > **EC2** > **Instances** - -2. Select **Launch instance**. - -3. Name your VM instance. In this example we will name it `http-test-server`. - -4. For \*_Amazon Machine Image (AMI)_ choose your desired operating system and specifications. For this example, we will use _Ubuntu Server 24.04 LTS (HVM), SSD Volume Type_. - -5. For **Instance type:**, you can select _t2.micro_ which is available on the free tier. - -6. In **Key pair (login)**, create a new key pair to use for SSH. You will need to download the `.pem` file onto your local machine. - -7. In **Network settings**, select **Create security group**. - -8. Turn on the following Security Group rules: - - **Allow SSH traffic from _My IP_** to prevent the instance from being publicly accessible. - - **Allow HTTPS traffic from the internet** - - **Allow HTTP traffic from the internet** - -9. Select **Launch instance**. - -10. Once the instance is up and running, go to the **Instances** summary page and copy its **Public IPv4 DNS** hostname (for example, `ec2-44-202-59-16.compute-1.amazonaws.com`). - -11. To log in to the instance over SSH, open a terminal and run the following commands: - -```sh -cd Downloads -``` - -``` -chmod 400 "YourKeyPair.pem" -``` - -```sh -ssh -i "YourKeyPair.pem" ubuntu@ec2-44-202-59-16.compute-1.amazonaws.com -``` - -12. Run `sudo su` to gain full admin rights to the instance. - -13. For testing purposes, you can deploy a basic Apache web server on port `80`: - -```bash -$ apt update - -$ apt -y install apache2 - -$ cat < /var/www/html/index.html -

Hello Cloudflare!

-

This page was created for a Cloudflare demo.

- -EOF -``` - -14. To verify that the Apache server is running, open a browser and go to `http://ec2-44-202-59-16.compute-1.amazonaws.com` (make sure to connect over `http`, not `https`). You should see the **Hello Cloudflare!** test page. - -## 2. Create a Cloudflare Tunnel - - - -## 3. Connect using a public hostname - - - -## 4. Connect using a private IP - -[Private network routes](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) allow users to connect to your virtual private cloud (VPC) using the WARP client. To add a private network route for your Cloudflare Tunnel: - -1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Networks** > **Routes**. -2. In the **CIDR** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary. -3. In your [Split Tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in **Exclude** mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance. - - To determine which IP addresses to re-add, subtract your AWS instance IPs from `172.16.0.0/12`: - - - - Add the results back to your Split Tunnel Exclude mode list. - -4. To test on a user device: - 1. [Log in to the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/). - 2. Open a terminal window and connect to the service using its private IP: - - ```sh - $ curl 172.31.19.0 -

Hello Cloudflare!

-

This page was created for a Cloudflare demo.

- - ``` - -You can optionally [create Gateway network policies](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the instance via its private IP. - -:::caution - - - -::: - -## Firewall configuration - -To secure your AWS instance, you can configure your [Security Group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules. - -:::note - -If you delete the inbound rule for port `22`, you will be unable to SSH back into the instance. -::: - -After configuring your Security Group rules, verify that you can still access the service through Cloudflare Tunnel via its [public hostname](#3-connect-using-a-public-hostname) or [private IP](#4-connect-using-a-private-ip). The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to `http://ec2-44-202-59-16.compute-1.amazonaws.com` the test page should no longer load. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/azure.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/azure.mdx deleted file mode 100644 index 48d5c14dff4d469..000000000000000 --- a/src/content/docs/cloudflare-tunnel/deployment-guides/azure.mdx +++ /dev/null @@ -1,118 +0,0 @@ ---- -pcx_content_type: how-to -title: Azure -sidebar: - order: 3 ---- - -import { Render } from "~/components"; - -The purpose of this guide is to walk through some best practices for accessing private resources on Azure by deploying Cloudflare's lightweight connector, `cloudflared`. - -We will walk through how to initialize a service on a Linux VM in Azure, and route to it from another VM running `cloudflared`. This deployment guide does not take into account routing beyond basic security groups and default VPCs. - - - -## Prerequisites - -- In [Cloudflare One](https://one.dash.cloudflare.com/), create a Cloudflare One account. -- [Enroll an end-user device](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/) into your Cloudflare One account. - -## Create your environment - -Make sure you sign up for Azure and create a new subscription. - -1. First, create your first resource group. - - ![Azure group](~/assets/images/cloudflare-one/connections/connect-apps/azure-1.png) - -2. In addition, create your first keypair as well. You will be using the keypair to SSH into your Virtual Machine. - - ![Azure keypair](~/assets/images/cloudflare-one/connections/connect-apps/azure-2.png) - -3. Next, define your inbound and outbound ports to the VM. If these ports are not configured properly, the solution will not function as intended. For testing purposes, we will leave access open. - - ![Azure keypair](~/assets/images/cloudflare-one/connections/connect-apps/azure-3.png) - -Create two Ubuntu 20.04 LTS VMs, and make sure you record their internal IP addresses. Azure by default uses the `10.0.0.0/8` subnet. - -## Deploy `cloudflared` - -1. SSH into your Azure instance using the command line. - - ```sh - cd Downloads - ``` - - ```sh - ssh -i azureuser@20.115.124.241 - ``` - -2. Run `sudo su` to gain full admin rights to the Virtual Machine. - -3. Install `cloudflared` on your instance. In this example, we are running a Debian-based instance, so use the Debian package of `cloudflared`: - - - -4. Run the following command to authenticate `cloudflared` with your Cloudflare account. The command will launch a browser window where you will be prompted to log in with your Cloudflare account and pick any zone you have added to Cloudflare. - - ```sh - cloudflared tunnel login - ``` - -5. Create a tunnel. - - ```sh - cloudflared tunnel create Azure-01 - ``` - -## Complete tunnel configuration - -1. Make a directory for your configuration file. - - ```sh - mkdir /etc/cloudflared - ``` - - ```sh - cd /etc/cloudflared - ``` - -2. Build a configuration file. Before moving forward and entering vim, copy your Tunnel ID and credentials path to a notepad. - - ```sh - vim config.yml - ``` - -3. Type `i` to begin editing the file and copy-paste the following settings in it. - - ```txt - tunnel: - credentials-file: /root/.cloudflared/.json - protocol: quic - warp-routing: - enabled: true - logfile: /var/log/cloudflared.log - #cloudflared to the origin debug - loglevel: debug - #cloudflared to cloudflare debug - transport-loglevel: info - ``` - -4. Press `esc` and then enter `:x` to save and exit. - -5. Run `cloudflared` as a service. - -```sh -cloudflared service install -``` - -```sh -systemctl start cloudflared -``` - -```sh -systemctl status cloudflared -``` - -Next, visit Cloudflare One and ensure your new tunnel shows as **active**. Optionally, begin creating [Access policies](/cloudflare-one/access-controls/policies/) to secure your private resources. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/google-cloud-platform.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/google-cloud-platform.mdx deleted file mode 100644 index 44c04fc50a8cdc1..000000000000000 --- a/src/content/docs/cloudflare-tunnel/deployment-guides/google-cloud-platform.mdx +++ /dev/null @@ -1,121 +0,0 @@ ---- -pcx_content_type: how-to -title: GCP -sidebar: - order: 5 ---- - -import { Render } from "~/components"; -import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx"; - -This guide covers how to connect a Google Cloud Project (GCP) virtual machine to Cloudflare using our lightweight connector, `cloudflared`. - -We will deploy: - -- A Google Cloud Project (GCP) virtual machine that runs a basic HTTP server. -- A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address. - - - -### Prerequisites - -To complete the following procedure, you will need to: - -- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/) -- [Deploy the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/) on an end-user device - -## 1. Create a VM instance in GCP - -1. In your [Google Cloud Console](https://console.cloud.google.com/), [create a new project](https://developers.google.com/workspace/guides/create-project). - -2. Go to **Compute Engine** > **VM instances**. - -3. Select **Create instance**. - -4. Name your VM instance. In this example we will name it `http-test-server`. - -5. Choose your desired operating system and specifications. For this example, you can use the following settings: - - **Machine family:** General Purpose - - **Series:** E2 - - **Machine type:** e2-micro - - **Boot disk image:** Debian GNU/Linux 12 - - **Firewalls**: Allow HTTP and HTTPS traffic - -6. Under **Advanced options** > **Management** > **Automation**, add the following startup script. This example deploys a basic Apache web server on port `80`. - - ```bash - #!/bin/bash - apt update - apt -y install apache2 - cat < /var/www/html/index.html -

Hello Cloudflare!

-

This page was created for a Cloudflare demo.

- - EOF - ``` - -7. Select **Create**. - -8. The operating system automatically starts the Apache HTTP server. To verify that the server is running: - 1. Copy the **External IP** for the VM instance. - 2. Open a browser and go to `http://`. You should see the **Hello Cloudflare!** test page. - -9. To login to the VM instance, open the dropdown next to **SSH** and select _Open in browser window_. - -## 2. Create a Cloudflare Tunnel - - - -## 3. Connect using a public hostname - - - -## 4. Connect using a private IP - -To configure a private network route for your Cloudflare Tunnel: - -1. In the **CIDR** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary. -2. In your [Split Tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in **Exclude** mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM. - - To determine which IP addresses to re-add, subtract your GCP instance IPs from `10.0.0.0/8`: - - - - Add the results back to your Split Tunnel Exclude mode list. - -3. To test on a user device: - 1. [Log in to the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/). - 2. Open a terminal window and connect to the service using its private IP: - - ```sh - curl 10.0.0.2 - ``` - - ```sh output -

Hello Cloudflare!

-

This page was created for a Cloudflare demo.

- - ``` - -You can optionally [create Gateway network policies](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the VM via its private IP. - -## Firewall configuration - -To secure your VM instance, you can [configure your VPC firewall rules](https://cloud.google.com/firewall/docs/using-firewalls) to deny all ingress traffic and allow only egress traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). Since GCP denies ingress traffic by [default](https://cloud.google.com/firewall/docs/firewalls#default_firewall_rules), you can delete all ingress rules and leave only the relevant egress rules. - -:::note - -If you delete the default `allow-ssh` rule, you will be unable to SSH back into the VM. -::: - -After configuring your VPC firewall rules, verify that you can still access the service through Cloudflare Tunnel via its [public hostname](#3-connect-using-a-public-hostname) or [private IP](#4-connect-using-a-private-ip). The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to `http://` the test page should no longer load. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/index.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/index.mdx deleted file mode 100644 index c2001e98cc26863..000000000000000 --- a/src/content/docs/cloudflare-tunnel/deployment-guides/index.mdx +++ /dev/null @@ -1,12 +0,0 @@ ---- -pcx_content_type: navigation -title: Environments -sidebar: - order: 6 ---- - -import { DirectoryListing } from "~/components" - -Learn how to deploy Cloudflare Tunnel in specific environments: - - diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/kubernetes.mdx b/src/content/docs/cloudflare-tunnel/deployment-guides/kubernetes.mdx deleted file mode 100644 index ab93122a8e96c65..000000000000000 --- a/src/content/docs/cloudflare-tunnel/deployment-guides/kubernetes.mdx +++ /dev/null @@ -1,337 +0,0 @@ ---- -pcx_content_type: how-to -title: Kubernetes -sidebar: - order: 6 ---- - -import { Render } from "~/components"; - -[Kubernetes](https://kubernetes.io/) is a container orchestration tool that is used to deploy applications onto physical or virtual machines, scale the deployment to meet traffic demands, and push updates without downtime. The Kubernetes cluster, or environment, where the application instances are running is connected internally through a private network. You can install the `cloudflared` daemon inside of the Kubernetes cluster in order to connect applications inside of the cluster to Cloudflare. - -This guide will cover how to expose a Kubernetes service to the public Internet using a [remotely-managed](/cloudflare-tunnel/get-started/tunnel-useful-terms/#remotely-managed-tunnel) Cloudflare Tunnel. For the purposes of this example, we will deploy a basic web application alongside `cloudflared` in Google Kubernetes Engine (GKE). The same principles apply to any other Kubernetes environment (such as `minikube`, `kubeadm`, or a cloud-based Kubernetes service) where `cloudflared` can connect to Cloudflare's network. - - - -:::note[Locally-managed tunnels] -If you are looking to set up a [locally-managed tunnel](/cloudflare-tunnel/get-started/tunnel-useful-terms/#locally-managed-tunnel) in Kubernetes, refer to the [example code in GitHub](https://github.com/cloudflare/argo-tunnel-examples/tree/master/named-tunnel-k8s). -::: - -## Architecture - -![Diagram showing how a user connects to Kubernetes services through Cloudflare Tunnel](~/assets/images/cloudflare-one/connections/connect-apps/kubernetes-tunnel.png) - -As shown in the diagram, we recommend setting up `cloudflared` as an adjacent [deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) to the application deployments. Having a separate Kubernetes deployment for `cloudflared` allows you to scale `cloudflared` independently of the application. In the `cloudflared` deployment, you can spin up [multiple replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) running the same Cloudflare Tunnel — there is no need to build a dedicated tunnel for each `cloudflared` pod. Each `cloudflared` replica / pod can reach all Kubernetes services in the cluster. - -:::note -We do not recommend using `cloudflared` in autoscaling setups because downscaling (removing replicas) will break existing user connections to that replica. Additionally, `cloudflared` does not load balance across replicas; replicas are strictly for high availability. To load balance traffic to your nodes, you can use [Cloudflare Load Balancer](/load-balancing/private-network/) or a third-party load balancer. -::: - -Once the cluster is connected to Cloudflare, you can configure Cloudflare Tunnel routes to control how `cloudflared` will proxy traffic to services within the cluster. For example, you may wish to publish certain Kubernetes applications to the Internet and restrict other applications to internal WARP client users. - -## Prerequisites - -To complete the following procedure, you will need: -- [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) -- [A zone on Cloudflare](/fundamentals/manage-domains/add-site/) - -## 1. Create a GKE cluster - -To create a new Kubernetes cluster in Google Cloud: - -1. Open [Google Cloud](https://console.cloud.google.com/) and go to **Kubernetes Engine**. -2. In **Clusters**, select **Create**. -3. Name the cluster. In this example, we will name it `cloudflare-tunnel`. -4. (Optional) Choose your desired region and other cluster specifications. For this example, we will use the default specifications. -5. Select **Create**. -6. To connect to the cluster: - 1. Select the three-dot menu. - 2. Select **Connect**. - 3. Select **Run in Cloud Shell** to open a terminal in the browser. - 4. Select **Authorize**. - 5. Press `Enter` to run the pre-populated `gcloud` command. - 6. (Recommended) In the Cloud Shell menu, select **Open Editor** to launch the built-in IDE. -7. In the Cloud Shell terminal, run the following command to check the cluster status: - ```sh - kubectl get all - ``` - ```sh output - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - service/kubernetes ClusterIP 34.118.224.1 443/TCP 15m - ``` - -## 2. Create pods for the web app - -A pod represents an instance of a running process in the cluster. In this example, we will deploy the [httpbin](https://httpbin.org/) application with two pods and make the pods accessible inside the cluster at `httpbin-service:80`. - -1. Create a folder for your Kubernetes manifest files: - - ```sh - mkdir tunnel-example - ``` - -2. Change into the directory: - - ```sh - cd tunnel-example - ``` - -4. In the `tunnel-example` directory, create a new file called `httpbin.yaml`. This file defines the Kubernetes deployment for the httpbin app. - - ```yaml title="httpbin.yaml" - apiVersion: apps/v1 - kind: Deployment - metadata: - name: httpbin-deployment - namespace: default - spec: - replicas: 2 - selector: - matchLabels: - app: httpbin - template: - metadata: - labels: - app: httpbin - spec: - containers: - - name: httpbin - image: kennethreitz/httpbin:latest - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 - ``` - -5. Create a new `httpbinsvc.yaml` file. This file defines a Kubernetes service that allows other apps in the cluster (such as `cloudflared`) to access the set of httpbin pods. - - ```yaml title="httpbinsvc.yaml" - apiVersion: v1 - kind: Service - metadata: - name: httpbin-service - namespace: default - spec: - type: LoadBalancer - selector: - app: httpbin - ports: - - port: 80 - targetPort: 80 - ``` - -6. Use the following command to run the application inside the cluster: - - ```sh - kubectl create -f httpbin.yaml -f httpbinsvc.yaml - ``` - -7. Check the status of your deployment: - - ```sh - kubectl get all - ``` - - ```sh output - NAME READY STATUS RESTARTS AGE - pod/httpbin-deployment-bc6689c5d-b5ftk 1/1 Running 0 79s - pod/httpbin-deployment-bc6689c5d-cbd9m 1/1 Running 0 79s - - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - service/httpbin-service LoadBalancer 34.118.225.147 34.75.201.60 80:31967/TCP 79s - service/kubernetes ClusterIP 34.118.224.1 443/TCP 24h - - NAME READY UP-TO-DATE AVAILABLE AGE - deployment.apps/httpbin-deployment 2/2 2 2 79s - - NAME DESIRED CURRENT READY AGE - replicaset.apps/httpbin-deployment-bc6689c5d 2 2 2 79s - ``` - -## 3. Create a tunnel - -To create a Cloudflare Tunnel: - -1. Open a new browser tab and log in to [Cloudflare One](https://one.dash.cloudflare.com). - -2. Go to **Networks** > **Connectors** > **Cloudflare Tunnels**. - -3. Select **Create a tunnel**. - -4. Choose **Cloudflared** for the connector type and select **Next**. - -5. Enter a name for your tunnel (for example, `gke-tunnel`). - -6. Select **Save tunnel**. - -7. Under **Choose an environment**, select **Docker**. - - Applications must be packaged into a containerized image before you can run it in Kubernetes. Therefore, we will use the `cloudflared` Docker container image to deploy the tunnel in Kubernetes. - -8. Instead of running the installation command, copy just the token value rather than the whole command. The token value is of the form `eyJhIjoiNWFiNGU5Z...` You will need the token for the Kubernetes manifest file. - -Leave the Cloudflare Tunnel browser tab open while we focus on the Kubernetes deployment. - -## 4. Store the tunnel token - -`cloudflared` uses a tunnel token to run a remotely-managed Cloudflare Tunnel. You can store the tunnel token in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/). - -1. In GKE Cloud Shell, create a `tunnel-token.yaml` file with the following content. Make sure to replace `` with your tunnel token (`eyJhIjoiNWFiNGU5Z...`). - - ```yaml title="tunnel-token.yaml" - apiVersion: v1 - kind: Secret - metadata: - name: tunnel-token - stringData: - token: - ``` - -2. Create the secret: - - ```sh - kubectl create -f tunnel-token.yaml - ``` - -3. Check the newly created secret: - - ```sh - kubectl get secrets - ``` - - ```sh output - NAME TYPE DATA AGE - tunnel-token Opaque 1 100s - ``` - -## 5. Create pods for cloudflared - -To run the Cloudflare Tunnel in Kubernetes: - -1. Create a Kubernetes deployment for a remotely-managed Cloudflare Tunnel: - - ```yaml title="tunnel.yaml" - apiVersion: apps/v1 - kind: Deployment - metadata: - name: cloudflared-deployment - namespace: default - spec: - replicas: 2 - selector: - matchLabels: - pod: cloudflared - template: - metadata: - labels: - pod: cloudflared - spec: - securityContext: - sysctls: - # Allows ICMP traffic (ping, traceroute) to resources behind cloudflared. - - name: net.ipv4.ping_group_range - value: "65532 65532" - containers: - - image: cloudflare/cloudflared:latest - name: cloudflared - env: - # Defines an environment variable for the tunnel token. - - name: TUNNEL_TOKEN - valueFrom: - secretKeyRef: - name: tunnel-token - key: token - command: - # Configures tunnel run parameters - - cloudflared - - tunnel - - --no-autoupdate - - --loglevel - - info - - --metrics - - 0.0.0.0:2000 - - run - livenessProbe: - httpGet: - # Cloudflared has a /ready endpoint which returns 200 if and only if - # it has an active connection to Cloudflare's network. - path: /ready - port: 2000 - failureThreshold: 1 - initialDelaySeconds: 10 - periodSeconds: 10 - ``` - -2. Deploy `cloudflared` to the cluster: - - ```sh - kubectl create -f tunnel.yaml - ``` - - Kubernetes will install the `cloudflared` image on two pods and run the tunnel using the command `cloudflared tunnel --no-autoupdate --loglevel info --metrics 0.0.0.0:2000 run`. `cloudflared` will consume the tunnel token from the `TUNNEL_TOKEN` environment variable. - -3. Check the status of your cluster: - - ```sh - kubectl get all - ``` - - ```sh output - NAME READY STATUS RESTARTS AGE - pod/cloudflared-deployment-6d5f9f9666-85l5w 1/1 Running 0 21s - pod/cloudflared-deployment-6d5f9f9666-wb96x 1/1 Running 0 21s - pod/httpbin-deployment-bc6689c5d-b5ftk 1/1 Running 0 3m36s - pod/httpbin-deployment-bc6689c5d-cbd9m 1/1 Running 0 3m36s - - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - service/httpbin-service LoadBalancer 34.118.225.147 34.75.201.60 80:31967/TCP 3m36s - service/kubernetes ClusterIP 34.118.224.1 443/TCP 24h - - NAME READY UP-TO-DATE AVAILABLE AGE - deployment.apps/cloudflared-deployment 2/2 2 2 22s - deployment.apps/httpbin-deployment 2/2 2 2 3m37s - - NAME DESIRED CURRENT READY AGE - replicaset.apps/cloudflared-deployment-6d5f9f9666 2 2 2 22s - replicaset.apps/httpbin-deployment-bc6689c5d 2 2 2 3m37s - ``` - -You should see two `cloudflared` pods and two `httpbin` pods with a `Running` status. If your `cloudflared` pods keep restarting, check the `command` syntax in `tunnel.yaml` and make sure that the [tunnel run parameters](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/) are in the correct order. - -## 6. Verify tunnel status - -To print logs for a `cloudflared` instance: - -```sh -kubectl logs pod/cloudflared-deployment-6d5f9f9666-85l5w -``` - -```sh output -2025-06-11T22:00:47Z INF Starting tunnel tunnelID=64c359b6-e111-40ec-a3a9-199c2a656613 -2025-06-11T22:00:47Z INF Version 2025.6.0 (Checksum 72f233bb55199093961bf099ad62d491db58819df34b071ab231f622deff33ce) -2025-06-11T22:00:47Z INF GOOS: linux, GOVersion: go1.24.2, GoArch: amd64 -2025-06-11T22:00:47Z INF Settings: map[loglevel:debug metrics:0.0.0.0:2000 no-autoupdate:true token:*****] -2025-06-11T22:00:47Z INF Generated Connector ID: aff7c4a0-85a3-4ac9-8475-1e0aa1af8d94 -2025-06-11T22:00:47Z DBG Fetched protocol: quic -2025-06-11T22:00:47Z INF Initial protocol quic -... -``` - -## 7. Add a tunnel route - -Now that the tunnel is up and running, we can use the Zero Trust dashboard to route the httpbin service through the tunnel. - -1. Switch to the browser tab where you were configuring Cloudflare Tunnel. - -2. Go to the **Route tunnel** step. - -3. In the **Public hostnames** tab, enter a hostname for the application (for example, `httpbin..com`). - -4. Under **Service**, enter `http://httpbin-service`. `httpbin-service` is the name of the Kubernetes service defined in `httpbinsvc.yaml`. - -5. Select **Complete setup**. - -## 8. Test the connection - -To test, open a new browser tab and go to `httpbin..com`. You should see the httpbin homepage. - -You can optionally [create an Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to control who can access the service. diff --git a/src/content/docs/cloudflare-tunnel/downloads/copyrights.mdx b/src/content/docs/cloudflare-tunnel/downloads/copyrights.mdx deleted file mode 100644 index 9fb542b9bfb5637..000000000000000 --- a/src/content/docs/cloudflare-tunnel/downloads/copyrights.mdx +++ /dev/null @@ -1,1195 +0,0 @@ ---- -pcx_content_type: reference -title: Copyrights -sidebar: - order: 102 -head: [] -description: View associated copyrights. - ---- - -*** - -[https://github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) - -The MIT License (MIT) - -Copyright (c) 2013 TOML authors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - -*** - -[https://github.com/Sirupsen/logrus](https://github.com/Sirupsen/logrus) - -The MIT License (MIT) - -Copyright (c) 2014 Simon Eskildsen - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - -*** - -[https://github.com/beorn7/perks/](https://github.com/beorn7/perks/) - -Copyright (C) 2013 Blake Mizerany - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -*** - -[https://github.com/certifi/gocertifi](https://github.com/certifi/gocertifi) - -This Source Code Form is subject to the terms of the Mozilla Public License, -v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain -one at [http://mozilla.org/MPL/2.0/](http://mozilla.org/MPL/2.0/). - -*** - -[https://github.com/coreos/go-oidc/](https://github.com/coreos/go-oidc/) -[https://github.com/coreos/go-systemd/](https://github.com/coreos/go-systemd/) - -Apache License -Version 2.0, January 2004 -[http://www.apache.org/licenses/](http://www.apache.org/licenses/) - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - -``` - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. -``` - -Copyright [yyyy] [name of copyright owner] - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -``` - http://www.apache.org/licenses/LICENSE-2.0 -``` - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -*** - -[https://github.com/facebookgo/grace](https://github.com/facebookgo/grace) - -BSD License - -For grace software - -Copyright (c) 2015, Facebook, Inc. All rights reserved. - -Redistribution and use in source and binary forms, with or without modification, -are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name Facebook nor the names of its contributors may be used to - endorse or promote products derived from this software without specific - prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR -ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON -ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -*** - -[https://github.com/getsentry/raven-go](https://github.com/getsentry/raven-go) - -Copyright (c) 2013 Apollic Software, LLC. All rights reserved. -Copyright (c) 2015 Functional Software, Inc. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - -* Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. -* Redistributions in binary form must reproduce the above - copyright notice, this list of conditions and the following disclaimer - in the documentation and/or other materials provided with the - distribution. -* Neither the name of Apollic Software, LLC nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -*** - -[https://github.com/glycerine/rbtree](https://github.com/glycerine/rbtree) - -Copyright (C) 2012 Yasushi Saito - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - -*** - -[https://github.com/golang/protobuf](https://github.com/golang/protobuf) - -Go support for Protocol Buffers - Google's data interchange format - -Copyright 2010 The Go Authors. All rights reserved. -[https://github.com/golang/protobuf](https://github.com/golang/protobuf) - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - -``` -* Redistributions of source code must retain the above copyright -``` - -notice, this list of conditions and the following disclaimer. \* Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. \* Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -*** - -[https://github.com/lib/pq](https://github.com/lib/pq) - -Copyright (c) 2011-2013, 'pq' Contributors -Portions Copyright (C) 2011 Blake Mizerany - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -*** - -[https://godoc.org/github.com/matttproud/golang\\\_protobuf\\\_extensions/pbutil](https://godoc.org/github.com/matttproud/golang\\_protobuf\\_extensions/pbutil) - -``` - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ -``` - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - -``` - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. -``` - -Copyright [yyyy] [name of copyright owner] - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -``` - http://www.apache.org/licenses/LICENSE-2.0 -``` - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -*** - -[https://github.com/mitchellh/go-homedir](https://github.com/mitchellh/go-homedir) - -The MIT License (MIT) - -Copyright (c) 2013 Mitchell Hashimoto - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - -*** - -[https://github.com/pkg/errors](https://github.com/pkg/errors) - -Copyright (c) 2015, Dave Cheney [dave@cheney.net](mailto:dave@cheney.net) -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -*** - -[https://github.com/prometheus/client\_golang](https://github.com/prometheus/client_golang) -[https://github.com/prometheus/client\_model](https://github.com/prometheus/client_model) -[https://github.com/prometheus/common](https://github.com/prometheus/common) -[https://github.com/prometheus/procfs](https://github.com/prometheus/procfs) - -``` - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ -``` - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - -``` - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. -``` - -Copyright \[yyyy] \[name of copyright owner] - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -``` - http://www.apache.org/licenses/LICENSE-2.0 -``` - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -*** - -[https://github.com/urfave/cli](https://github.com/urfave/cli) - -MIT License - -Copyright (c) 2016 Jeremy Saenz & Contributors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - -*** - -[https://github.com/go-yaml/yaml](https://github.com/go-yaml/yaml) - -``` - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ -``` - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - -``` - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. -``` - -Copyright [yyyy] [name of copyright owner] - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -``` - http://www.apache.org/licenses/LICENSE-2.0 -``` - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -*** - -[https://zombiezen.com/go/capnproto2](https://zombiezen.com/go/capnproto2) - -go-capnproto is licensed under the terms of the MIT license reproduced below. - -\=============================================================================== - -Copyright (C) 2014 the go-capnproto authors and contributors. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - -\=============================================================================== diff --git a/src/content/docs/cloudflare-tunnel/downloads/license.mdx b/src/content/docs/cloudflare-tunnel/downloads/license.mdx deleted file mode 100644 index 532f3d32b2f57b9..000000000000000 --- a/src/content/docs/cloudflare-tunnel/downloads/license.mdx +++ /dev/null @@ -1,220 +0,0 @@ ---- -pcx_content_type: reference -title: License -sidebar: - order: 51 - ---- - -Apache License -Version 2.0, January 2004 -[http://www.apache.org/licenses/](http://www.apache.org/licenses/) - -``` -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - -Copyright [yyyy] [name of copyright owner] - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -``` - -## Runtime Library Exception to the Apache 2.0 License: - -``` -As an exception, if you use this Software to compile your source code and -portions of this Software are embedded into the binary product as a result, -you may redistribute such product without providing attribution as would -otherwise be required by Sections 4(a), 4(b) and 4(d) of the License. -``` diff --git a/src/content/docs/cloudflare-tunnel/faq.mdx b/src/content/docs/cloudflare-tunnel/faq.mdx deleted file mode 100644 index f5db10ba0a8f742..000000000000000 --- a/src/content/docs/cloudflare-tunnel/faq.mdx +++ /dev/null @@ -1,79 +0,0 @@ ---- -pcx_content_type: faq -title: FAQ -structured_data: true -sidebar: - order: 12 -description: Review frequently asked questions about Cloudflare Tunnel. ---- - -import { Render } from "~/components"; - -## Can I create a Tunnel for an apex domain? - -Yes. With [Named Tunnels](https://blog.cloudflare.com/argo-tunnels-that-live-forever/) you can create a CNAME at the apex that points to the named tunnel. - -## Does Cloudflare Tunnel support Websockets? - -Yes. Cloudflare Tunnel has full support for Websockets. - -## Does Cloudflare Tunnel support gRPC? - -Yes. - -## How can Tunnel be used with Partial DNS (CNAME Setup)? - -Cloudflare offers two modes of setup: [Full Setup](/dns/zone-setups/full-setup/), in which the domain uses Cloudflare DNS nameservers, and [Partial Setup](/dns/zone-setups/partial-setup/) (also known as CNAME setup) in which the domain uses non-Cloudflare DNS servers. - -The best experience with Cloudflare Tunnel is using Full Setup because Cloudflare manages DNS for the domain and can automatically configure DNS records for newly started Tunnels. - -You can still use Tunnel with Partial Setup. You will need to create a new DNS record with your current DNS provider for each new hostname connected through Cloudflare Tunnel. The DNS record should be of type CNAME or ALIAS if it is on the root of the domain. The name of the record should be the subdomain it corresponds to (for example, `example.com` or `tunnel.example.com`) and the value of the record should be `subdomain.domain.tld.cdn.cloudflare.net` (for example, `example.com.cdn.cloudflare.net` or `tunnel.example.com.cdn.cloudflare.net`). - -## How can origin servers be secured when using Tunnel? - -Tunnel can expose web applications to the Internet that sit behind a NAT or firewall. Thus, you can keep your web server otherwise completely locked down. To double check that your origin web server is not responding to requests outside Cloudflare while Tunnel is running you can run netcat in the command line: - -```sh -netcat -zv [your-server's-ip-address] 80 -netcat -zv [your-server's-ip-address] 443 -``` - -If your server is still responding on those ports, you will see: - -```txt -[ip-address] 80 (http) open -``` - -If your server is correctly locked down, you will see: - -```txt -[ip-address] 443 (https): Connection refused -``` - -## What records are created for routing to a Named Tunnel's hostname? - -Named Tunnels can be routed via DNS records, in which case we use CNAME records to point to `.cfargotunnel.com`; or as Load Balancing endpoints, which also point to `.cfargotunnel.com`. - -## Does Cloudflare Tunnel send visitor IPs to my origin? - -No. When using Cloudflare Tunnel, all requests to the origin are made internally between `cloudflared` and the origin. - -To log external visitor IPs, you will need to [configure an alternative method](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/). - -## Why does the name 'warp' and 'argo' appear in some legacy materials? - -Cloudflare Tunnel was previously named Warp during the beta phase. As Warp was added to the Argo product family, we changed the name to Argo Tunnel to match. Once we no longer required users to purchase Argo to create Tunnels, we renamed Argo Tunnel to Cloudflare Tunnel. - -## Is it possible to restore a deleted tunnel? - -No. You cannot undo a tunnel deletion. If the tunnel was locally-managed, its [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/) will still be present and you can create a new tunnel with the same configuration. If the tunnel was remotely-managed, both the tunnel and its configuration are permanently deleted. - -## How do I contact support? - -Before contacting the Cloudflare support team: - -1. Take note of any specific error messages and/or problematic behaviors. -2. Make sure that `cloudflared` is updated to the [latest version](https://github.com/cloudflare/cloudflared). -3. Gather any relevant error/access logs from your server. -4. If needed, set [`--loglevel`](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) to `debug`, so the Cloudflare support team can get more info from the `cloudflared.log` file. -5. Include your [Cloudflare Tunnel diagnostic logs](/cloudflare-tunnel/troubleshoot/diag-logs/) (`cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip`). diff --git a/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx b/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx deleted file mode 100644 index a5cbb0fe24fb465..000000000000000 --- a/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx +++ /dev/null @@ -1,204 +0,0 @@ ---- -title: Create a tunnel (API) -pcx_content_type: how-to -sidebar: - order: 2 ---- - -import { Render, APIRequest } from "~/components"; - -Follow this guide to set up a Cloudflare Tunnel using the API. - - - -## Create an API token - -[Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - -| Type | Item | Permission | -| ------- | ----------------- | ---------- | -| Account | Cloudflare Tunnel | Edit | -| Zone | DNS | Edit | - -## 2. Create a tunnel - -Make a `POST` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/methods/create/) endpoint: - - - -```sh output -{ - "success": true, - "errors": [], - "messages": [], - "result": { - "id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", - "account_tag": "699d98642c564d2e855e9661899b7252", - "created_at": "2025-02-18T22:41:43.534395Z", - "deleted_at": null, - "name": "example-tunnel", - "connections": [], - "conns_active_at": null, - "conns_inactive_at": "2025-02-18T22:41:43.534395Z", - "tun_type": "cfd_tunnel", - "metadata": {}, - "status": "inactive", - "remote_config": true, - "credentials_file": { - "AccountTag": "699d98642c564d2e855e9661899b7252", - "TunnelID": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", - "TunnelName": "api-tunnel", - "TunnelSecret": "bTSquyUGwLQjYJn8cI8S1h6M6wUc2ajIeT7JotlxI7TqNqdKFhuQwX3O8irSnb==" - }, - "token": "eyJhIjoiNWFiNGU5Z..." - } -} -``` - -Copy the `id` and `token` values shown in the output. You will need these values to configure and run the tunnel. - -## 3. Publish an application - -Before you publish an application through your tunnel, you must: - -- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/). -- [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/). - -Follow these steps to publish an application to the Internet. - -1. Make a [`PUT` request](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/) to route your [local service URL](/cloudflare-tunnel/routing/protocols/) to a public hostname. For example, - - - :::note - If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/faq/troubleshooting/#i-see-this-site-cant-provide-a-secure-connection). - ::: - - Your ingress rules must include a catch-all rule at the end. In this example, `cloudflared` will respond with a 404 status code when the request does not match any of the previous hostnames. - -2. [Create a DNS record](/api/resources/dns/subresources/records/methods/create/) for your application: - - - - This DNS record allows Cloudflare to proxy `app.example.com` traffic to your Cloudflare Tunnel (`.cfargotunnel.com`). - -This application will be publicly available on the Internet once you [run the tunnel](#4-install-and-run-the-tunnel). Cloudflare will automatically proxy traffic through its network, applying your configured CDN, WAF, and security settings. - -:::note -To connect a private network through your tunnel for Zero Trust access, refer to [Cloudflare Tunnel for SASE](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#3b-connect-a-network). -::: - -## 4. Install and run the tunnel - -Install `cloudflared` on your server and run the tunnel using the `token` value obtained in [2. Create a tunnel](#2-create-a-tunnel). You can also get the tunnel token using the [Cloudflare Tunnel token](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/) endpoint. - - - -## 5. Verify tunnel status - -To check if the tunnel is serving traffic: - - - -```sh output -{ - "success": true, - "errors": [], - "messages": [], - "result": { - "id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", - "account_tag": "699d98642c564d2e855e9661899b7252", - "created_at": "2025-02-18T22:41:43.534395Z", - "deleted_at": null, - "name": "example-tunnel", - "connections": [ - { - "colo_name": "bos01", - "uuid": "2xz99mfm-a59e-4924-gyh9-z9vafaw6k0i2", - "id": "2xz99mfm-a59e-4924-gyh9-z9vafaw6k0i2", - "is_pending_reconnect": false, - "origin_ip": "10.1.0.137", - "opened_at": "2025-02-19T19:11:12.101642Z", - "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a", - "client_version": "2025.2.0" - }, - { - "colo_name": "phl01", - "uuid": "axe2socu-2fb5-3akx-b860-898zyes3cs9q", - "id": "axe2socu-2fb5-3akx-b860-898zyes3cs9q", - "is_pending_reconnect": false, - "origin_ip": "10.1.0.137", - "opened_at": "2025-02-19T19:11:12.006297Z", - "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a", - "client_version": "2025.2.0" - }, - { - "colo_name": "phl01", - "uuid": "9b5y0wm9-ca7f-ibq6-8ff4-sm53xekfyym1", - "id": "9b5y0wm9-ca7f-ibq6-8ff4-sm53xekfyym1", - "is_pending_reconnect": false, - "origin_ip": "10.1.0.137", - "opened_at": "2025-02-19T19:11:12.004721Z", - "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a", - "client_version": "2025.2.0" - }, - { - "colo_name": "bos01", - "uuid": "g6cdeiz1-80f5-3akx-b18b-3y0ggktoxwkd", - "id": "g6cdeiz1-80f5-3akx-b18b-3y0ggktoxwkd", - "is_pending_reconnect": false, - "origin_ip": "10.1.0.137", - "opened_at": "2025-02-19T19:11:12.110765Z", - "client_id": "4xh4eb3f-cz0j-2aso-hu6i-36207018771a", - "client_version": "2025.2.0" - } - ], - "conns_active_at": "2025-02-19T19:11:12.004721Z", - "conns_inactive_at": null, - "tun_type": "cfd_tunnel", - "metadata": {}, - "status": "healthy", - "remote_config": true - } -} -``` - -A healthy tunnel will have four connections to Cloudflare's network. diff --git a/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel.mdx b/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel.mdx deleted file mode 100644 index 0c02abccff1a126..000000000000000 --- a/src/content/docs/cloudflare-tunnel/get-started/create-remote-tunnel.mdx +++ /dev/null @@ -1,99 +0,0 @@ ---- -title: Create a tunnel (dashboard) -pcx_content_type: how-to -sidebar: - order: 1 ---- - -import { Render, Stream, Details } from "~/components"; - -Follow this step-by-step guide to create your first [remotely-managed tunnel](/cloudflare-tunnel/get-started/tunnel-useful-terms/#remotely-managed-tunnel) using the Cloudflare dashboard. - -## Prerequisites - - - -## 1. Create a tunnel - - - -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. - -2. Select **Create Tunnel**. - -3. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, `enterprise-VPC-01`). - -4. Select **Create Tunnel**. - -5. Under **Setup Environment**, select the operating system and architecture for the machine where you would like to install `cloudflared`. You can install `cloudflared` on your origin server or on any other machine on your network that can connect to the origin server. - -6. To install `cloudflared`, copy the commands shown under **Install and Run** and paste them into a terminal window. Run the commands. - -7. Once the tunnel is successfully connected, select **Continue**. - -Your tunnel should appear on the **Tunnels** page with a `Healthy` status. If your tunnel status is `Inactive`, `Down`, or `Degraded`, refer to the [troubleshooting documentation](/cloudflare-tunnel/troubleshoot/common-errors/#tunnel-status) for recommended next steps. - -## 2. Publish an application - -Now that you have connected your infrastructure to Cloudflare, you can expose your applications to the Internet via a domain on Cloudflare. - -:::note[Prerequisites] -Before you publish an application through your tunnel, you must [add a website to Cloudflare](/fundamentals/manage-domains/add-site/). -::: - -To add a published application route: - -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels** and select your tunnel. - -2. Under **Routes**, select **Add route**. - -3. Select **Published application**. - -4. Under **Hostname**, enter a subdomain and select a domain from the drop-down menu. - :::note - If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/faq/troubleshooting/#i-see-this-site-cant-provide-a-secure-connection). - ::: - -5. For **Service URL**, enter your application's [local address and port](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/). - - For example, if you have an HTTP application on port `80` running on the same machine as `cloudflared`, enter `http://localhost:80`. If your application is running on a different machine from the `cloudflared` host, enter `http://:80`. - -
- To set up a lightweight HTTP application for testing, run the following commands on your `cloudflared` host: - - 1. Install Docker on your system: - ```sh - sudo apt update && sudo apt upgrade -y - sudo apt install -y docker.io - ``` - - 2. Start Docker for this session only: - ```sh - sudo systemctl start docker - ``` - - 3. Pull the [HTTPBin image](https://httpbin.org/) and run it locally: - ```sh - docker run -p 80:80 kennethreitz/httpbin - ``` - - This command maps port `80` on the `cloudflared` host to the container's internal port `80`. HTTPBin is now running at `http://localhost:80`. -
- -6. Select **Add route**. - -Anyone on the Internet can now access the HTTP/HTTPS application at the specified hostname. Cloudflare will automatically proxy traffic through its network, applying any CDN, WAF, and security settings that you have configured for your domain. - -:::note[Non-HTTP applications] -Non-HTTP services (such as SSH or TCP) require users to install client-side software. Refer to the [protocols reference](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) for more information. -::: - -## Next steps - -- Troubleshoot [common errors](/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/) such as `502 Bad Gateway`. -- Review configuration options for your tunnel. -- Deploy multiple `cloudflared` replicas for high availability and automatic failover. diff --git a/src/content/docs/cloudflare-tunnel/get-started/index.mdx b/src/content/docs/cloudflare-tunnel/get-started/index.mdx deleted file mode 100644 index c013e2b4bc20b99..000000000000000 --- a/src/content/docs/cloudflare-tunnel/get-started/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Get started -pcx_content_type: navigation -sidebar: - order: 1 -head: - - tag: title - content: Set up your first tunnel - ---- - -import { DirectoryListing, GlossaryTooltip } from "~/components" - -To create and manage tunnels, you will need to install and authenticate cloudflared on your origin server. `cloudflared` is what connects your server to Cloudflare's global network. - - diff --git a/src/content/docs/cloudflare-tunnel/get-started/tunnel-useful-terms.mdx b/src/content/docs/cloudflare-tunnel/get-started/tunnel-useful-terms.mdx deleted file mode 100644 index ab9063230e48f50..000000000000000 --- a/src/content/docs/cloudflare-tunnel/get-started/tunnel-useful-terms.mdx +++ /dev/null @@ -1,44 +0,0 @@ ---- -pcx_content_type: reference -title: Useful terms -sidebar: - order: 4 ---- - -Review terminology for Cloudflare Tunnels. - -## Tunnel - -A tunnel is a secure, outbound-only pathway you can establish between your origin and Cloudflare's global network. Each tunnel you create will be assigned a [name](#tunnel-name) and a [UUID](#tunnel-uuid). - -## Tunnel UUID - -A tunnel UUID is an alphanumeric, unique ID assigned to a tunnel. The tunnel UUID can be used whenever you need to reference a specific tunnel. - -## Tunnel name - -A tunnel name is a unique, user-friendly identifier that you choose for a tunnel. Since a tunnel can proxy traffic to multiple services, tunnel names do not need to be hostnames. For example, you can assign your tunnel a name that represents your application/network, a particular server, or the cloud environment where it runs. - -## Connector - -The connector, referred to as `cloudflared`, establishes connectivity from your origin server to the Cloudflare global network. Our connector offers high availability by creating four long-lived connections to two distinct data centers within Cloudflare's global network. This built-in redundancy means that if an individual connection, server, or data center goes down, your origin remains available. - -## Replica - -You can create and configure a tunnel once and run that tunnel through multiple, unique instances of the connector, `cloudflared`. These instances are known as replicas. DNS records and Cloudflare Load Balancers will still point to the tunnel and its DNS Record (`UUID.cfargotunnel.com`), while that tunnel sends traffic to the multiple instances of `cloudflared` that run through it. Today, there is no guarantee about which replica will be chosen. Replicas are often deployed to provide tunnels with high availability in the event a given host running `cloudflared` is interrupted or taken offline. - -## Remotely-managed tunnel - -A remotely-managed tunnel is a [tunnel](#tunnel) that was created in [Cloudflare One](https://one.dash.cloudflare.com/) under **Networks** > **Tunnels**. Tunnel configuration is stored in Cloudflare, which allows you to manage the tunnel from the dashboard or using the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/get/). - -## Locally-managed tunnel - -A locally-managed tunnel is a [tunnel](#tunnel) that was created by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory). For terminology specific to locally-managed tunnels, refer to the [Locally-managed tunnel glossary](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/). - -## Quick tunnels - -Quick tunnels, when run, will generate a URL that consists of a random subdomain of the website `trycloudflare.com`, and point traffic to localhost on port `8080`. If you have a web service running at that address, users who visit the generated subdomain will be able to visit your web service through Cloudflare's network. Refer to [TryCloudflare](/cloudflare-tunnel/other-tunnel-types/quick-tunnels/) for more information on how to run quick tunnels. - -## Virtual networks - -A [virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) is a software abstraction that allows you to logically segregate resources on your private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes. To connect to a resource, end users would select a virtual network in their WARP client settings before entering the destination IP. diff --git a/src/content/docs/cloudflare-tunnel/index.mdx b/src/content/docs/cloudflare-tunnel/index.mdx deleted file mode 100644 index 9a47cccd3a07496..000000000000000 --- a/src/content/docs/cloudflare-tunnel/index.mdx +++ /dev/null @@ -1,69 +0,0 @@ ---- -pcx_content_type: overview -title: Cloudflare Tunnel -sidebar: - order: 1 -description: Connect your origin servers, APIs, and services to Cloudflare without a publicly routable IP address. ---- - -import { - CardGrid, - Description, - LinkTitleCard, - Plan, - Stream, -} from "~/components"; - - - Connect your origin servers, APIs, and services to Cloudflare without a - publicly routable IP address. - - - - -Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (`cloudflared`) creates [outbound-only connections](#outbound-only-connections) to Cloudflare's global network. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare. - - - -## How it works - -`cloudflared` establishes [outbound connections](#outbound-only-connections) (tunnels) between your resources and Cloudflare's global network. Tunnels are persistent objects that route traffic to DNS records. Within the same tunnel, you can run as many `cloudflared` processes (connectors) as needed. These processes will establish connections to Cloudflare and send traffic to the nearest Cloudflare data center. - -![How an HTTP request reaches an origin connected with Cloudflare Tunnel](~/assets/images/cloudflare-one/connections/connect-apps/handshake.jpg) - -### Outbound-only connections - -Cloudflare Tunnel uses an outbound-only connection model to enable bidirectional communication. When you install and run `cloudflared`, it initiates an outbound connection through your firewall from the origin to the Cloudflare global network. - -Once the connection is established, traffic flows in both directions over the tunnel between your origin and Cloudflare. Most firewalls allow outbound traffic by default. `cloudflared` takes advantage of this standard by connecting out to the Cloudflare network from the server you installed `cloudflared` on. You can then [configure your firewall](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) to allow only these outbound connections and block all inbound traffic, effectively blocking access to your origin from anything other than Cloudflare. - -## Use cases - -Cloudflare Tunnel connects your applications and services to Cloudflare. Common use cases include: - -- **Secure origin connectivity** — Eliminate publicly routable origin IPs. All traffic to your origin flows through Cloudflare, allowing you to apply CDN caching, WAF rules, Bot Management, and DDoS protection. -- **Public ingress routing** — Publish internal applications to the Internet by mapping public hostnames to local services, with support for HTTP, HTTPS, TCP, SSH, RDP, and other protocols. -- **Workers VPC connectivity** — Enable Cloudflare Workers to securely access private databases, APIs, and services through your tunnel. -- **Load Balancer origins** — Use tunnels as origin endpoints in Cloudflare Load Balancer pools for high availability and intelligent traffic steering across your infrastructure. - -:::note[Looking for Zero Trust private network access?] -For [Secure Access Service Edge (SASE)](https://www.cloudflare.com/learning/access-management/what-is-sase/) use cases such as VPN replacement, access to private IPs and hostnames, and network traffic filtering, refer to the [Cloudflare One documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/). -::: - -## Next steps - - - - - Create your first tunnel using the dashboard or API. - - - - Download and install cloudflared on your server. - - - diff --git a/src/content/docs/cloudflare-tunnel/integrations/access.mdx b/src/content/docs/cloudflare-tunnel/integrations/access.mdx deleted file mode 100644 index df054015acdaf8d..000000000000000 --- a/src/content/docs/cloudflare-tunnel/integrations/access.mdx +++ /dev/null @@ -1,42 +0,0 @@ ---- -pcx_content_type: integration-guide -title: Cloudflare Access -sidebar: - order: 4 -description: Secure applications published through Cloudflare Tunnel by adding Cloudflare Access as an identity-aware authentication layer. ---- - -[Cloudflare Access](/cloudflare-one/access-controls/) provides an identity-aware proxy that authenticates and authorizes every request to your applications. When combined with Cloudflare Tunnel, Access lets you publish internal web applications to the Internet while ensuring that only authorized users can reach them. - -## How it works - -Cloudflare Tunnel creates an outbound-only connection from your origin to Cloudflare's global network, making your application available on a public hostname without opening inbound ports. Cloudflare Access sits in front of that hostname and requires users to authenticate with a configured identity provider (IdP) before the request is forwarded through the tunnel to your origin. - -The typical request flow is: - -1. A user visits the application's public hostname (for example, `app.example.com`). -2. Cloudflare Access intercepts the request and redirects the user to your identity provider for authentication. -3. After the user authenticates, Access evaluates your [Access policies](/cloudflare-one/access-controls/policies/) to determine whether the user is allowed. -4. If allowed, Access issues a signed [JSON Web Token (JWT)](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/) and forwards the request through the tunnel to `cloudflared`. -5. (Optional) `cloudflared` validates the JWT using the [`access` origin parameter](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#access) before proxying the request to your origin application. - -This architecture eliminates the need for a VPN and ensures that your origin server is never directly exposed to the Internet. - -## Limitations - -- Cloudflare Access authentication applies to HTTP and HTTPS applications exposed via public hostnames. For non-HTTP protocols (such as SSH, RDP, or SMB), refer to the protocol-specific [use cases](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/). -- JWT validation at the tunnel level (the `access` origin parameter) only applies to L7 requests on public hostname routes. It does not apply to private network routes. - -## Get started - -For step-by-step instructions on publishing an application through a tunnel and securing it with Access, refer to [Publish a self-hosted application to the Internet](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). - -To set up a tunnel for your origin, refer to [Create a remotely-managed tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/). - -## Related resources - -- [Access policies](/cloudflare-one/access-controls/policies/) — Configure rules based on identity, device posture, location, and more. -- [Identity providers](/cloudflare-one/integrations/identity-providers/) — Integrate your IdP (Okta, Azure AD, Google Workspace, and others) with Cloudflare Access. -- [Validate Access JWTs](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) — Verify the Access JWT in your application code for end-to-end authentication. -- [`access` origin parameter](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#access) — Configure `cloudflared` to validate Access JWTs before proxying traffic. -- [Secure application delivery design guide](/reference-architecture/design-guides/secure-application-delivery/) — Reference architecture combining Tunnel, Access, and other Cloudflare services. diff --git a/src/content/docs/cloudflare-tunnel/integrations/index.mdx b/src/content/docs/cloudflare-tunnel/integrations/index.mdx deleted file mode 100644 index ab4eb17072ea44d..000000000000000 --- a/src/content/docs/cloudflare-tunnel/integrations/index.mdx +++ /dev/null @@ -1,53 +0,0 @@ ---- -pcx_content_type: navigation -title: Integrations -sidebar: - order: 5 -description: Use Cloudflare Tunnel with other Cloudflare products and services. ---- - -import { DirectoryListing, LinkTitleCard, CardGrid } from "~/components"; - -Cloudflare Tunnel integrates with several Cloudflare products to provide secure origin connectivity, private network access, and high availability for your applications. - - - -## Additional integrations - -The following products also integrate with Cloudflare Tunnel. Refer to each product's documentation for setup instructions. - - - - - Use Tunnel to securely connect your key server to Cloudflare without exposing - it to the public Internet. - - - - Establish TLS 1.3 tunnels with post-quantum key agreement between your data - centers and Cloudflare. - - - - Restrict tunnel connectivity to specific regions for data residency - requirements. - - - - Use Tunnel as a fallback origin for SaaS provider architectures with Regional - Services. - - - diff --git a/src/content/docs/cloudflare-tunnel/integrations/load-balancing.mdx b/src/content/docs/cloudflare-tunnel/integrations/load-balancing.mdx deleted file mode 100644 index 93c18c034e9e77a..000000000000000 --- a/src/content/docs/cloudflare-tunnel/integrations/load-balancing.mdx +++ /dev/null @@ -1,40 +0,0 @@ ---- -pcx_content_type: integration-guide -title: Load Balancing -sidebar: - order: 2 -description: Use Cloudflare Tunnel as origin endpoints in Load Balancer pools for high availability and intelligent traffic steering. ---- - -[Cloudflare Load Balancing](/load-balancing/) distributes traffic across multiple origins using health checks, steering algorithms, and failover logic. When combined with Cloudflare Tunnel, you can load balance traffic to origins that do not have publicly routable IP addresses. - -## How it works - -Each Cloudflare Tunnel is assigned a subdomain of `cfargotunnel.com` using the tunnel's UUID. You add this subdomain as an [endpoint address](/load-balancing/understand-basics/load-balancing-components/#endpoints) in a Load Balancer pool, and specify the application hostname in the [endpoint host header](/load-balancing/additional-options/override-http-host-headers/). - -This allows Cloudflare to steer traffic across multiple tunnels — typically one tunnel per data center or cloud region — using latency-based, geolocation, or other [steering algorithms](/load-balancing/understand-basics/traffic-steering/). - -## Architecture patterns - -### Single tunnel with replicas - -For basic high availability, deploy multiple [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) of the same tunnel. Cloudflare routes requests to the geographically closest replica. This approach does not require Load Balancing. - -### Multiple tunnels with Load Balancer - -For intelligent traffic steering and health-check-based failover, create separate tunnels per data center and add each as an endpoint in a Load Balancer pool. This provides: - -- Active health monitoring per tunnel -- Automatic failover when a tunnel becomes unhealthy -- Traffic distribution based on your chosen steering algorithm -- Session affinity options - -## Get started - -For step-by-step setup instructions, refer to [Public load balancers](/cloudflare-tunnel/routing/load-balancers/). - -## Related resources - -- [Tunnel availability and failover](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) — When to use replicas versus load balancers. -- [Load Balancing with Tunnel](/load-balancing/additional-options/cloudflare-tunnel/) — Load Balancing product documentation for tunnel endpoints. -- [Load Balancing reference architecture](/reference-architecture/architectures/load-balancing/) — Design patterns for load balancing with tunnels. diff --git a/src/content/docs/cloudflare-tunnel/integrations/spectrum.mdx b/src/content/docs/cloudflare-tunnel/integrations/spectrum.mdx deleted file mode 100644 index 1749163be4b6a9b..000000000000000 --- a/src/content/docs/cloudflare-tunnel/integrations/spectrum.mdx +++ /dev/null @@ -1,27 +0,0 @@ ---- -pcx_content_type: integration-guide -title: Spectrum -sidebar: - order: 3 -description: Route Spectrum application traffic through Cloudflare Tunnel for HTTP and HTTPS origins. ---- - -[Cloudflare Spectrum](/spectrum/) extends Cloudflare's DDoS protection and traffic acceleration to non-HTTP protocols such as TCP and UDP. You can route Spectrum application traffic to origins connected via Cloudflare Tunnel. - -## How it works - -You can route traffic from a Spectrum application to a Cloudflare Tunnel origin using either: - -- A **DNS record** — Create a CNAME record pointing to `.cfargotunnel.com` and configure the Spectrum application to use that hostname. -- A **Load Balancer** — Add the tunnel as an endpoint in a Load Balancer pool, then configure the Spectrum application to use the load balancer. - -## Limitations - -Cloudflare Tunnel integration with Spectrum is only supported for **HTTP and HTTPS** applications. Direct TCP connections (such as connecting to a tunnel UUID subdomain over raw TCP) are not supported. - -For the full list of limitations, refer to the [Spectrum limitations documentation](/spectrum/reference/limitations/). - -## Related resources - -- [DNS records for tunnel routing](/cloudflare-tunnel/routing/dns/) — Create CNAME records for your tunnel. -- [Public load balancers](/cloudflare-tunnel/routing/load-balancers/) — Add tunnel endpoints to load balancer pools. diff --git a/src/content/docs/cloudflare-tunnel/integrations/workers-vpc.mdx b/src/content/docs/cloudflare-tunnel/integrations/workers-vpc.mdx deleted file mode 100644 index bc38fdfdee23719..000000000000000 --- a/src/content/docs/cloudflare-tunnel/integrations/workers-vpc.mdx +++ /dev/null @@ -1,33 +0,0 @@ ---- -pcx_content_type: integration-guide -title: Workers VPC -sidebar: - order: 1 -description: Use Cloudflare Tunnel with Workers VPC to access private databases, APIs, and services from Cloudflare Workers. ---- - -[Workers VPC](/workers-vpc/) enables Cloudflare Workers to access private resources — such as databases, internal APIs, and other services — in your infrastructure. Cloudflare Tunnel serves as the connectivity layer, establishing a secure outbound connection from your private network to Cloudflare. - -## How it works - -1. You deploy `cloudflared` in your private network (for example, within a VPC on AWS, GCP, or Azure). -2. `cloudflared` creates an outbound-only tunnel to Cloudflare's global network, exposing the private IP ranges of your services. -3. Workers VPC bindings in your Worker code connect to these private services through the tunnel, without requiring any public endpoints. - -This architecture allows Workers to reach internal databases, REST APIs, gRPC services, and other TCP-based resources that are not exposed to the Internet. - -## Get started - -To set up Tunnel for Workers VPC: - -1. [Create a Cloudflare Tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/) and install `cloudflared` in your private network. -2. Follow the [Workers VPC getting started guide](/workers-vpc/get-started/) to configure VPC Services and bind them to your Worker. - -For detailed tunnel configuration specific to Workers VPC, refer to the [Workers VPC tunnel documentation](/workers-vpc/configuration/tunnel/). - -## Related resources - -- [Workers VPC hardware requirements](/workers-vpc/configuration/tunnel/hardware-requirements/) — Sizing guidance for `cloudflared` replicas in Workers VPC deployments. -- [Connect to a private API](/workers-vpc/examples/private-api/) — Example of accessing a private API from a Worker via Tunnel. -- [Connect to a private S3 bucket](/workers-vpc/examples/private-s3-bucket/) — Example of accessing a private S3 bucket from a Worker via Tunnel. -- [Hyperdrive + Tunnel](/hyperdrive/configuration/connect-to-private-database/) — Connect Hyperdrive to a private database using Cloudflare Tunnel. diff --git a/src/content/docs/cloudflare-tunnel/monitor-tunnels/index.mdx b/src/content/docs/cloudflare-tunnel/monitor-tunnels/index.mdx deleted file mode 100644 index a6ba333ef5b74eb..000000000000000 --- a/src/content/docs/cloudflare-tunnel/monitor-tunnels/index.mdx +++ /dev/null @@ -1,11 +0,0 @@ ---- -pcx_content_type: navigation -title: Monitor tunnels -sidebar: - order: 9 - ---- - -import { DirectoryListing } from "~/components" - - diff --git a/src/content/docs/cloudflare-tunnel/monitor-tunnels/logs.mdx b/src/content/docs/cloudflare-tunnel/monitor-tunnels/logs.mdx deleted file mode 100644 index 7fc558f84c8f20c..000000000000000 --- a/src/content/docs/cloudflare-tunnel/monitor-tunnels/logs.mdx +++ /dev/null @@ -1,94 +0,0 @@ ---- -pcx_content_type: reference -title: Log streams -sidebar: - order: 1 -head: - - tag: title - content: Tunnel log streams ---- - -Tunnel logs record all activity between a `cloudflared` instance and Cloudflare's global network, as well as all activity between `cloudflared` and your origin server. These logs allow you to investigate connectivity or performance issues with a Cloudflare Tunnel. You can configure your server to store persistent logs, or you can stream real-time logs from any client machine. - -## View logs on the server - -If you have access to the origin server, you can use the [`--loglevel` flag](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) to enable logging when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not store logs on the server. You can optionally use the [`--logfile` flag](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#logfile) to write your logs to a file. - -To enable logs for a locally-managed tunnel: - -```sh -cloudflared tunnel --loglevel info --logfile cloudflared.log run -``` - -To enable logs for a remotely-managed tunnel, add `--loglevel info` and `--logfile ` to your system service as shown in [Add tunnel run parameters](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters). - -## View logs on your local machine - -You can view real-time logs for a Cloudflare Tunnel via the dashboard or from any machine that has `cloudflared` installed. With remote log streams, you do not need to SSH into the server that is running the tunnel. To get remote logs, the tunnel must be active and able to receive requests. - -### Dashboard - -:::note -Tunnel log streams require [edit permissions](/fundamentals/manage-members/roles/) for Cloudflare Tunnel. Due to the sensitive nature of these logs, read-only roles (such as `Zero Trust Read Only`) do not have access. -::: - -Dashboard log streams are only available for remotely-managed tunnels. To view logs from the dashboard: - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels** and select a remotely-managed tunnel. -2. In the sidebar, select the **Connector ID** for the `cloudflared` instance you want to view. -3. Select **Begin log stream**. - -### CLI - -The `cloudflared` daemon can stream logs from any tunnel in your account to the local command line. `cloudflared` must be installed on both your local machine and the origin server. - -#### View logs - -1. On your local machine, authenticate `cloudflared` to your Cloudflare One account: - - ```sh - cloudflared tunnel login - ``` - -2. Run `cloudflared tail` for a specific tunnel: - - ```sh - cloudflared tail - ``` - - For a more structured view of the JSON message, you can pipe the output to tools like [jq](https://stedolan.github.io/jq/): - - ```sh - cloudflared tail --output=json | jq . - ``` - -#### Filter logs - -You can filter logs by event type (`--event`), event level (`--level`), or sampling rate (`-sampling`) to reduce the volume of logs streamed from the origin. This helps mitigate the performance impact on the origin, especially when the origin is normally under high load. For example: - -```sh -cloudflared tail --level debug -``` - -| Flag | Description | Allowed values | Default value | -| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------- | -| `--event` | Filter by the type of event / request. | `cloudflared`, `http`, `tcp`, `udp` | All events | -| `--level` | Return logs at this level and above. Works independently of the [`--loglevel`](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) setting on the server. | `debug`, `info`, `warn`, `error`, `fatal` | `debug` | -| `--sampling` | Sample a fraction of the total logs. | Number from `0.0` to `1.0` | `1.0` | -| | | | | - -#### View logs for a replica - -If you are running multiple `cloudflared` instances for the same tunnel (also known as [replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/)), you must specify an individual instance to stream logs from: - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels** and select your tunnel. -2. Find the **Connector ID** for the `cloudflared` instance you want to view. -3. Specify the Connector ID in `cloudflared tail`: - ```sh - cloudflared tail --connector-id - ``` - -### Performance considerations - -- The logging session will only be held open for one hour. All logging systems introduce some level of performance overhead, and this limit helps prevent long term impact to your tunnel's end-to-end latencies. -- When streaming logs for a high throughput tunnel, Cloudflare intentionally prioritizes service stability over log delivery. To reduce the number of dropped logs, try [requesting fewer logs](#filter-logs). To ensure that you are seeing all logs, [view logs on the server](/cloudflare-tunnel/monitor-tunnels/logs/#view-logs-on-the-server) instead of streaming the logs remotely. diff --git a/src/content/docs/cloudflare-tunnel/monitor-tunnels/metrics.mdx b/src/content/docs/cloudflare-tunnel/monitor-tunnels/metrics.mdx deleted file mode 100644 index bb1b6c26390ad3f..000000000000000 --- a/src/content/docs/cloudflare-tunnel/monitor-tunnels/metrics.mdx +++ /dev/null @@ -1,111 +0,0 @@ ---- -pcx_content_type: concept -title: Metrics -sidebar: - order: 7 -head: - - tag: title - content: Tunnel metrics ---- - -Tunnel metrics show a Cloudflare Tunnel's throughput and resource usage over time. When you run a tunnel, `cloudflared` will spin up a Prometheus metrics endpoint — an HTTP server that exposes metrics in [Prometheus](https://prometheus.io/docs/introduction/overview/) format. You can use the Prometheus toolkit on a remote machine to scrape metrics data from the `cloudflared` server. - -## Default metrics server address - -In non-containerized environments, `cloudflared` starts the metrics server on `127.0.0.1:/metrics`, where `` is the first available port in the range `20241` to `20245`. In case of all ports being unavailable then the fallback is to bind to a random port. In containerized environments such as Docker and Kubernetes, the default address is `0.0.0.0:/metrics`. - -To determine the default port being used by a `cloudflared` instance, you can check your [Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/) around the time when the tunnel started. For example: - -```text -2024-12-19T21:17:58Z INF Starting metrics server on 127.0.0.1:20241/metrics -``` - -## Configure the metrics server address - -To serve metrics on a custom IP address and port, perform these steps on the `cloudflared` host: - -1. Run the tunnel using the [--metrics](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#metrics) flag. Here is an example command for a locally-managed tunnel: - - ```sh - cloudflared tunnel --metrics 127.0.0.1:60123 run my-tunnel - ``` - - To learn how to add the `--metrics` flag to a remotely-managed tunnel, refer to [Configure a remotely-managed tunnel](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters). - - :::note - If you plan to fetch metrics from another machine on the local network, replace `127.0.0.1` with the internal IP of the `cloudflared` server (for example, `198.168.x.x`). To serve metrics on all available network interfaces, use `0.0.0.0`. - ::: - -2. Verify that the metrics server is running by going to `http://localhost:60123/metrics`. This will only work if you configured a localhost IP (`127.0.0.1` or `0.0.0.0`). - -You can now export the metrics to Prometheus and Grafana in order to visualize and query the data. Refer to our [tutorial](/cloudflare-one/tutorials/grafana/) for instructions on getting started with these tools. - -## Available metrics - -### cloudflared metrics - -| Name | Description | Type | Labels | -| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------- | ------------------------------------------ | -| `build_info` | Build and version information. | GAUGE | `goversion`, `revision`, `type`, `version` | -| `cloudflared_config_local_config_pushes` | Number of local configuration pushes to Cloudflare. | COUNTER | | -| `cloudflared_config_local_config_pushes_errors` | Number of errors that occurred during local configuration pushes. | COUNTER | | -| `cloudflared_orchestration_config_version` | Configuration version. | GAUGE | | -| `cloudflared_tcp_active_sessions` | Concurrent number of TCP sessions that are being proxied to any origin. | GAUGE | | -| `cloudflared_tcp_total_sessions` | Total number of TCP sessions that have been proxied to any origin. | COUNTER | | -| `cloudflared_tunnel_active_streams` | Total number of active streams. | GAUGE | | -| `cloudflared_tunnel_concurrent_requests_per_tunnel` | Concurrent number of requests proxied through each tunnel. | GAUGE | | -| `cloudflared_tunnel_ha_connections` | Number of active HA connections. | GAUGE | | -| `cloudflared_tunnel_request_errors` | Number of errors proxying to origin. | COUNTER | | -| `cloudflared_tunnel_server_locations` | Where each tunnel is connected to. `1` means current location, `0` means previous locations. | GAUGE | `connection_id`, `edge_location` | -| `cloudflared_tunnel_timer_retries` | Unacknowledged heart beats count. | GAUGE | | -| `cloudflared_tunnel_total_requests` | Number of requests proxied through all tunnels. | COUNTER | | -| `cloudflared_tunnel_tunnel_authenticate_success` | Number of successful tunnel authentication events. | COUNTER | | -| `cloudflared_tunnel_tunnel_register_success` | Number of successful tunnel registrations. | COUNTER | `rpcName` | -| `cloudflared_udp_active_sessions` | Concurrent number of UDP sessions that are being proxied to any origin. | GAUGE | | -| `cloudflared_udp_total_sessions` | Total number of UDP sessions that have been proxied to any origin. | COUNTER | | -| `coredns_panics_total` | Number of panics. | COUNTER | | -| `quic_client_closed_connections` | Number of connections that have been closed. | COUNTER | | -| `quic_client_latest_rtt` | Latest round-trip time (RTT) measured on a connection. | GAUGE | `conn_index` | -| `quic_client_lost_packets` | Number of packets that have been lost from a connection. | COUNTER | `conn_index`, `reason` | -| `quic_client_min_rtt` | Lowest RTT measured on a connection in ms. | GAUGE | `conn_index` | -| `quic_client_packet_too_big_dropped` | Number of packets received from origin that are too big to send to Cloudflare and are dropped as a result. | COUNTER | | -| `quic_client_smoothed_rtt` | Smoothed RTT calculated for a connection in ms. | GAUGE | `conn_index` | -| `quic_client_total_connections` | Number of connections initiated. For all QUIC metrics, client means the side initiating the connection. | COUNTER | | - -### Prometheus metrics - -| Name | Description | Type | Labels | -| -------------------------------------------- | -------------------------------------------- | ------- | ------ | -| `promhttp_metric_handler_requests_in_flight` | Current number of scrapes being served. | GAUGE | | -| `promhttp_metric_handler_requests_total` | Total number of scrapes by HTTP status code. | COUNTER | `code` | -| | | | | - -### Go runtime metrics - -| Name | Description | Type | Labels | -| ---------------------------------- | ------------------------------------------------------------------ | ------- | --------- | -| `go_gc_duration_seconds` | A summary of the pause duration of garbage collection cycles. | SUMMARY | | -| `go_goroutines` | Number of goroutines that currently exist. | GAUGE | | -| `go_info` | Information about the Go environment. | GAUGE | `version` | -| `go_memstats_alloc_bytes` | Number of bytes allocated and still in use. | GAUGE | | -| `go_memstats_alloc_bytes_total` | Total number of bytes allocated, even if freed. | COUNTER | | -| `go_memstats_buck_hash_sys_bytes` | Number of bytes used by the profiling bucket hash table. | GAUGE | | -| `go_memstats_frees_total` | Total number of frees. | COUNTER | | -| `go_memstats_gc_sys_bytes` | Number of bytes used for garbage collection system metadata. | GAUGE | | -| `go_memstats_heap_alloc_bytes` | Number of heap bytes allocated and still in use. | GAUGE | | -| `go_memstats_heap_idle_bytes` | Number of heap bytes waiting to be used. | GAUGE | | -| `go_memstats_heap_inuse_bytes` | Number of heap bytes that are in use. | GAUGE | | -| `go_memstats_heap_objects` | Number of allocated objects. | GAUGE | | -| `go_memstats_heap_released_bytes` | Number of heap bytes released to OS. | GAUGE | | -| `go_memstats_heap_sys_bytes` | Number of heap bytes obtained from system. | GAUGE | | -| `go_memstats_last_gc_time_seconds` | Number of seconds since 1970 of last garbage collection. | GAUGE | | -| `go_memstats_lookups_total` | Total number of pointer lookups. | COUNTER | | -| `go_memstats_mallocs_total` | Total number of mallocs. | COUNTER | | -| `go_memstats_mcache_inuse_bytes` | Number of bytes in use by mcache structures. | GAUGE | | -| `go_memstats_mcache_sys_bytes` | Number of bytes used for mcache structures obtained from system. | GAUGE | | -| `go_memstats_mspan_inuse_bytes` | Number of bytes in use by mspan structures. | GAUGE | | -| `go_memstats_mspan_sys_bytes` | Number of bytes used for mspan structures obtained from system. | GAUGE | | -| `go_memstats_next_gc_bytes` | Number of heap bytes when next garbage collection will take place. | GAUGE | | -| `go_memstats_other_sys_bytes` | Number of bytes used for other system allocations. | GAUGE | | -| `go_memstats_stack_inuse_bytes` | Number of bytes in use by the stack allocator. | GAUGE | | -| | | | | diff --git a/src/content/docs/cloudflare-tunnel/monitor-tunnels/notifications.mdx b/src/content/docs/cloudflare-tunnel/monitor-tunnels/notifications.mdx deleted file mode 100644 index 4b5b1524dcb249a..000000000000000 --- a/src/content/docs/cloudflare-tunnel/monitor-tunnels/notifications.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -pcx_content_type: concept -title: Notifications -sidebar: - order: 1 - ---- - -import { AvailableNotifications } from "~/components" - -Administrators can receive an alert when Cloudflare Tunnels in an account change their health or deployment status. Notifications can be delivered via email, webhook, and third-party services. - -## Manage notifications - -Tunnel notifications are configured on the [Cloudflare dashboard](https://dash.cloudflare.com/). For more information, refer to [Create a notification](/notifications/get-started/#create-a-notification). - -## Available notifications - - diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx deleted file mode 100644 index 635b4ac80929cb3..000000000000000 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx +++ /dev/null @@ -1,212 +0,0 @@ ---- -title: Create a locally-managed tunnel -pcx_content_type: how-to -sidebar: - order: 1 ---- - -import { Render, TabItem, Tabs } from "~/components"; - -Follow this step-by-step guide to get your first tunnel up and running using the CLI. - - - -## Prerequisites - -Before you start, make sure you: - -- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/). -- [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/). - -## 1. Download and install `cloudflared` - - - -1. Download `cloudflared` on your machine. Visit the [downloads](/cloudflare-tunnel/downloads/) page to find the right package for your OS. - -2. Rename the executable to `cloudflared.exe` - -3. In PowerShell, change directory to your Downloads folder and run `.\cloudflared.exe --version`. It should output the version of `cloudflared`. Note that `cloudflared.exe` could be `cloudflared-windows-amd64.exe` or `cloudflared-windows-386.exe` if you have not renamed it. - -```powershell -PS C:\Users\Administrator\Downloads\cloudflared-stable-windows-amd64> .\cloudflared.exe --version -``` - - - -To download and install `cloudflared`: - -```sh -brew install cloudflared -``` - -Alternatively, you can [download the latest Darwin amd64 release](/cloudflare-tunnel/downloads/) directly. - - - -**Debian and Ubuntu APT** - -Use the apt package manager to install `cloudflared` on compatible machines. - - - -**RHEL RPM** - -Use the rpm package manager to install `cloudflared` on compatible machines. - -1. Add Cloudflare's repository: - -```sh -curl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo -``` - -2. Update repositories and install cloudflared: - -```sh -sudo yum update && sudo yum install cloudflared -``` - -**Arch Linux** - -`cloudflared` is in the Arch Linux [`community` repository](https://wiki.archlinux.org/title/official_repositories#community). -Use `pacman` to install `cloudflared` on compatible machines. - -```sh -pacman -Syu cloudflared -``` - -**Other** - -Alternatively you can download the `cloudflared` binary or the linux packages to your machine and install manually. Visit the [downloads](/cloudflare-tunnel/downloads/) page to find the right package for your OS. - - - -To build the latest version of `cloudflared` from source: - -```sh -git clone https://github.com/cloudflare/cloudflared.git -cd cloudflared -make cloudflared -go install github.com/cloudflare/cloudflared/cmd/cloudflared -``` - -Depending on where you installed `cloudflared`, you can move it to a known path as well. - -```sh -mv /root/cloudflared/cloudflared /usr/bin/cloudflared -``` - - - -## 2. Authenticate `cloudflared` - -```sh -cloudflared tunnel login -``` - -Running this command will: - -- Open a browser window and prompt you to log in to your Cloudflare account. After logging in to your account, select your hostname. -- Generate an account certificate, the [cert.pem file](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem), in the [default `cloudflared` directory](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#default-cloudflared-directory). - -## 3. Create a tunnel and give it a name - -```sh -cloudflared tunnel create -``` - -Running this command will: - -- Create a tunnel by establishing a persistent relationship between the [name you provide](/cloudflare-tunnel/get-started/tunnel-useful-terms/#tunnel-name) and a [UUID](/cloudflare-tunnel/get-started/tunnel-useful-terms/#tunnel-uuid) for your tunnel. At this point, no connection is active within the tunnel yet. -- Generate a [tunnel credentials file](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#credentials-file) in the [default `cloudflared` directory](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem). -- Create a subdomain of `.cfargotunnel.com`. - -From the output of the command, take note of the tunnel's UUID and the path to your tunnel's credentials file. - -Confirm that the tunnel has been successfully created by running: - -```sh -cloudflared tunnel list -``` - -## 4. Create a configuration file - -1. In your `.cloudflared` directory, create a [`config.yml` file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/) using any text editor. This file will configure the tunnel to route traffic from a given origin to the hostname of your choice. - -2. Add the following fields to the file: - -**If you are connecting an application:** - -```yml -url: http://localhost:8000 -tunnel: -credentials-file: /root/.cloudflared/.json -``` - -**If you are connecting a private network:** - -```yml -tunnel: -credentials-file: /root/.cloudflared/.json -warp-routing: - enabled: true -``` - -3. Confirm that the configuration file has been successfully created by running: - - ```sh - cat config.yml - ``` - -## 5. Start routing traffic - -1. Now assign a `CNAME` record that points traffic to your tunnel subdomain: - - If you are connecting an application, route the service to a [published application](/cloudflare-tunnel/routing/): - - ```sh - cloudflared tunnel route dns - ``` - - - If you are connecting a [private network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/), route an IP address or CIDR through the tunnel: - - ```sh - cloudflared tunnel route ip add - ``` - -2. Confirm that the route has been successfully established: - - ```sh - cloudflared tunnel route ip show - ``` - -## 6. Run the tunnel - -Run the tunnel to proxy incoming traffic from the tunnel to any number of services running locally on your origin. - -```sh -cloudflared tunnel run -``` - -If your configuration file has a custom name or is not in the `.cloudflared` directory, add the `--config` flag and specify the path. - -```sh -cloudflared tunnel --config /path/your-config-file.yml run -``` - -:::note - -Cloudflare Tunnel can install itself as a system service on Linux and Windows and as a launch agent on macOS. For more information, refer to [run as a service](/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/). - -::: - -## 7. Check the tunnel - -Your tunnel configuration is complete! If you want to get information on the tunnel you just created, you can run: - -```sh -cloudflared tunnel info -``` - -You can now [route traffic](/cloudflare-tunnel/routing/) to your tunnel using Cloudflare DNS or [determine who can reach your tunnel](/cloudflare-one/access-controls/policies/) with Cloudflare Access. - - diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx deleted file mode 100644 index a68c96fe0f90c1b..000000000000000 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx +++ /dev/null @@ -1,42 +0,0 @@ ---- -pcx_content_type: reference -title: Useful commands -sidebar: - order: 6 ---- - -This page lists the most commonly used commands for managing local tunnels. - -To view all CLI commands, refer to the CLI help text in your terminal. For example, to view all options for the `cloudflared tunnel` subcommand, type `cloudflared tunnel help`. - -## Manage tunnels - -| Command | Description | -| ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `cloudflared tunnel login` | Prompts a browser window where you can authenticate your tunnel to your Cloudflare account. | -| `cloudflared tunnel list` | Displays all active tunnels, their creation time, and associated connections. Use the `-d` flag to include deleted tunnels. | -| `cloudflared tunnel create ` | Creates a tunnel, registers it with the Cloudflare edge and generates a credential file to run this tunnel. | -| `cloudflared tunnel route` | Routes traffic through a tunnel. | -| `cloudflared tunnel route lb ` | Adds a tunnel as an endpoint in a [load balancer pool](/cloudflare-tunnel/routing/public-load-balancers/). A new load balancer and pool will be created if necessary.
  • ``: the public-facing hostname of the load balancer, for example `lb.example.com`
  • ``: the name of the [pool](/load-balancing/pools/create-pool/#create-a-pool) that will contain the tunnel endpoint
To load balance traffic to a [published application](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/#file-structure-for-published-applications), you will also need to specify the application hostname in the [endpoint host header](/load-balancing/additional-options/override-http-host-headers/) using the dashboard or API. | -| `cloudflared tunnel route ip add ` | Adds any network route space (represented as a CIDR) to your routing table. That network space becomes reachable for requests egressing from a user's machine as long as it is using Cloudflare WARP and is enrolled in the same account that is running the tunnel chosen here. Further, those requests will be proxied to the specified tunnel, and reach an IP in the given CIDR, as long as that IP is reachable from the tunnel. To assign the IP route to a specific [Virtual Network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/), use the `--vnet` option. | -| `cloudflared tunnel route ip show` (or `list`) | Shows your organization's private routing table. You can use additional flags to filter the results. | -| `cloudflared tunnel route ip delete` | Deletes the row for a given CIDR from your routing table. That portion of your network will no longer be reachable by the WARP client. | -| `cloudflared tunnel route ip get ` | Checks which row of the routing table will be used to proxy a given IP. This helps check and validate your configuration. | -| `cloudflared tunnel route dns` | Creates a DNS CNAME record hostname that points to the tunnel. | -| `cloudflared tunnel --config path/config.yaml run ` | Runs a tunnel, creating highly available connections between your server and the Cloudflare edge. You can provide name or UUID of the tunnel to run either as the last command line argument or in the configuration file using `tunnel: `. | -| `cloudflared tunnel info ` | Displays details about the active connectors for a given tunnel identified by name of UUID. | -| `cloudflared tunnel cleanup ` | Deletes connections for tunnels with the given UUIDs or names. This is useful if you get an error trying to delete or run a tunnel after `cloudflared` is not shut down gracefully (for example, if a `kill` command is issued). | -| `cloudflared tunnel cleanup --connector-id ` | Disconnects and deletes a [cloudflared replica](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) with the given connector ID. You can view all replicas for a tunnel by running `cloudflared tunnel info `. | -| `cloudflared tunnel delete ` | Deletes tunnels with the given name or UUID. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use the `-f` flag. | -| `cloudflared tunnel vnet add ` | Creates a Virtual Network to which IP routes can be assigned. To make this Virtual Network the default for your Zero Trust organization, use the `-d` flag. | -| `cloudflared tunnel vnet delete ` | Deletes the Virtual Network with the given name or UUID. Before you can delete a Virtual Network, you must first delete all IP routes assigned to the Virtual Network. | -| `cloudflared tunnel vnet list` | Displays all active Virtual Networks, the default Virtual Network, and their creation times. | -| `cloudflared tail ` | Start a session to livestream logs from a specific tunnel. For more information, refer to [Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/). | - -## Manage `cloudflared` - -| Command | Description | -| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `cloudflared update` | Looks for a new version on the official download server. If a new version exists, it updates the agent binary and quits. Otherwise, no action is performed. This command only works if `cloudflared` was installed from GitHub binaries or from source. For more information, refer to the [update instructions](/cloudflare-tunnel/downloads/update-cloudflared/). | -| `cloudflared version` | Prints the `cloudflared` version number and build date. | -| `cloudflared help` | Shows a list of all top-level commands for `cloudflared`. | diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/quick-tunnels.mdx b/src/content/docs/cloudflare-tunnel/other-tunnel-types/quick-tunnels.mdx deleted file mode 100644 index 3e4bc5c0e19d1b4..000000000000000 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/quick-tunnels.mdx +++ /dev/null @@ -1,54 +0,0 @@ ---- -pcx_content_type: concept -title: Quick Tunnels -sidebar: - order: 5 ---- - -:::note -Quick Tunnels are intended for testing and development only. For production use, [create a remotely-managed tunnel](/cloudflare-tunnel/get-started/). -::: - -Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. TryCloudflare will launch a process that generates a random subdomain on `trycloudflare.com`. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost. - -## Use TryCloudflare - -1. Follow [these instructions](/cloudflare-tunnel/downloads/) to install `cloudflared`. If you have an older copy, update to 2020.5.1 or later. -2. Launch a web server that is available over localhost to `cloudflared`. -3. Run the following terminal command to start a free tunnel. - -```sh -cloudflared tunnel --url http://localhost:8080 -``` - -`cloudflared` will generate a random subdomain when connecting to the Cloudflare network and print it in the terminal for you to use and share. The output will serve traffic from the server on your local machine to the public Internet, using Cloudflare's Argo Smart Routing, at a public URL. - -:::note - -TryCloudflare quick tunnels are currently not supported if a `config.yaml` configuration file is present in the `.cloudflared` directory. It may be necessary to rename that file temporarily to use the feature. -::: - -## FAQ - -### What are some example use cases for TryCloudflare? - -- Create a web server for a project on your laptop that you want to share with others on different networks -- Test browser compatibility for a new site by creating a free Tunnel and testing the link in different browsers -- Run speed tests from different regions by using a tool like Pingdom or WebPageTest to connect to the randomly-generated subdomain created by TryCloudflare - -### Why does Cloudflare provide this service for free? - -- We want more users to experience the speed and security improvements of Cloudflare Tunnel (and Argo Smart Routing). We hope you test it with TryCloudflare and decide to add it to your production sites. -- Cloudflare's features historically require you to own a domain, set that domain's DNS to Cloudflare's nameservers, and configure its DNS records before you can begin to use any services. We hope to make more and more of our products available to trial without that burden. -- We don't guarantee any SLA or uptime of TryCloudflare - we plan to test new Cloudflare Tunnel features and improvements on these free tunnels. This provides us with a group of connections to test before we deploy to production customers. Free tunnels are meant to be used for testing and development, not for deploying a production website. - -### Limitations - -- Quick Tunnels are subject to a hard limit on the number of concurrent requests that can be proxied at any point in time. Currently, this limit is 200 in-flight requests. If a Quick Tunnel hits this limit, the HTTP response will return a `429` status code. -- Quick Tunnels do not support Server-Sent Events (SSE). - -These limitations only apply to Quick Tunnels. To avoid these limitations, [sign up](https://dash.cloudflare.com/sign-up) for a Cloudflare account and [create a Cloudflare Tunnel](/cloudflare-tunnel/get-started/). - -### Legal - -Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept the terms of the [Cloudflare License](/cloudflare-tunnel/downloads/license/), [Terms](https://www.cloudflare.com/terms/) and [Privacy Policy](https://www.cloudflare.com/privacypolicy/). diff --git a/src/content/docs/cloudflare-tunnel/routing/dns.mdx b/src/content/docs/cloudflare-tunnel/routing/dns.mdx deleted file mode 100644 index 6e226926e26d312..000000000000000 --- a/src/content/docs/cloudflare-tunnel/routing/dns.mdx +++ /dev/null @@ -1,60 +0,0 @@ ---- -pcx_content_type: how-to -title: DNS records -sidebar: - order: 2 ---- - -import { Render, TabItem, Tabs, DashButton } from "~/components"; - -When you create a tunnel, Cloudflare generates a subdomain of `cfargotunnel.com` with the UUID of the created tunnel. You can treat `.cfargotunnel.com` as if it were an origin target in the Cloudflare dashboard. - -Unlike publicly routable IP addresses, `.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. The Tunnel UUID is not secret information; if someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. - -## Create a DNS record for the tunnel - - - -To create a new DNS record for your tunnel: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and go to the **DNS Records** page for your domain. - - - -2. Select **Add record**. -3. Input the following information: - - **Type**: _CNAME_ - - **Name**: Subdomain of your application - - **Target**: `.cfargotunnel.com` -4. Select **Save**. - -![Example of fields completed to create a new CNAME record.](~/assets/images/cloudflare-one/connections/connect-apps/dns/dns-record.png) - - - - - -You can create a new DNS record directly from `cloudflared`: - -```sh -cloudflared tunnel route dns www.app.com -``` - -This command create a `CNAME` record that points to the tunnel subdomain, but will not proxy traffic if the tunnel is not currently running. - -:::note - -To create DNS records using `cloudflared`, the [`cert.pem`](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem) file must be installed on your system. -::: - - - - - -The DNS record is distinct from the state of the tunnel. You can create DNS records that point to a tunnel that is not currently running. If the tunnel stops running, the DNS record will not be deleted. If you point the DNS record to a tunnel not currently running, visitors will see a `1016` error message. - -Additionally, you can create multiple DNS records that point to the same tunnel subdomain. If you are routing traffic from multiple hostnames to multiple services, you will need to create a `CNAME` entry for each hostname. The CNAME entries will share the same target. - -## Optional Cloudflare settings - -The application will default to the Cloudflare settings of the hostname in your account that includes the Cloudflare Tunnel DNS record, including [cache rules](/cache/how-to/cache-rules/) and [firewall policies](/firewall/). You can changes these settings for your hostname in Cloudflare's dashboard. diff --git a/src/content/docs/cloudflare-tunnel/routing/index.mdx b/src/content/docs/cloudflare-tunnel/routing/index.mdx deleted file mode 100644 index 7c96dcc4b6c85b0..000000000000000 --- a/src/content/docs/cloudflare-tunnel/routing/index.mdx +++ /dev/null @@ -1,10 +0,0 @@ ---- -pcx_content_type: concept -title: Public ingress routing -sidebar: - order: 4 ---- - -Cloudflare Tunnel allows you to publish local applications to the Internet via a public hostname. For example, you can [add a published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) that points `docs.example.com` to `https://localhost:8080`. Anyone can now view your application by going to `docs.example.com` in their web browser. Traffic to published applications flows through Cloudflare's network, where your configured CDN cache, WAF rules, Bot Management, and DDoS protection settings are applied. - -Cloudflare can route traffic to your Cloudflare Tunnel using a [DNS record](/cloudflare-tunnel/routing/dns/) or [Cloudflare Load Balancer](/cloudflare-tunnel/routing/load-balancers/). You can configure either option from the Cloudflare dashboard by pointing a DNS `CNAME` record or a load balancer pool to your Cloudflare Tunnel subdomain (`.cfargotunnel.com`). You can also associate these records with your tunnel from `cloudflared` directly. diff --git a/src/content/docs/cloudflare-tunnel/routing/load-balancers.mdx b/src/content/docs/cloudflare-tunnel/routing/load-balancers.mdx deleted file mode 100644 index 0915ebba7d3ab3b..000000000000000 --- a/src/content/docs/cloudflare-tunnel/routing/load-balancers.mdx +++ /dev/null @@ -1,209 +0,0 @@ ---- -pcx_content_type: concept -title: Public load balancers -sidebar: - order: 3 ---- - -import { Render, DashButton, Details } from "~/components"; - -A [public load balancer](/load-balancing/load-balancers/) allows you to distribute traffic across the servers that are running your [published applications](/cloudflare-tunnel/routing/). - -When you add a [published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) to your Cloudflare Tunnel, Cloudflare generates a subdomain of `cfargotunnel.com` with the UUID of the created tunnel. You can add the application to a load balancer pool by using `.cfargotunnel.com` as the [endpoint address](/load-balancing/understand-basics/load-balancing-components/#endpoints) and specifying the application hostname (`app.example.com`) in the [endpoint host header](/load-balancing/additional-options/override-http-host-headers/). Load Balancer does not support directly adding `app.example.com` as an endpoint if the service is behind Cloudflare Tunnel. - -## Create a public load balancer - -### Prerequisites - -- A Cloudflare Tunnel with a [published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) - -### Create a load balancer - -To create a load balancer for Cloudflare Tunnel published applications: - -1. In the Cloudflare dashboard, go to the **Load Balancing** page. - - -2. Select **Create load balancer**. -3. Select **Public load balancer**. -4. Under **Select website**, select the domain of your published application route. -5. On the **Hostname** page, enter a hostname for the load balancer (for example, `lb.example.com`). -6. On the **Pools** page, select **Create a pool**. -7. Enter a descriptive name for the pool. For example, if you are configuring one pool per tunnel, the pool name can match your tunnel name. -8. To add a tunnel endpoint to the pool, configure the following fields: - - **Endpoint Name**: Name of the server that is running the application - - **Endpoint Address**: `.cfargotunnel.com`, where `` is replaced by your Tunnel ID. You can find the **Tunnel ID** in [Cloudflare One](https://one.dash.cloudflare.com) under **Networks** > **Connectors** > **Cloudflare Tunnels**. - - **Header value**: Hostname of your published application route (such as `app.example.com`). To find the hostname value, open your Cloudflare Tunnel configuration and go to the **Published application routes** tab. - - **Weight**: Assign a [weight](/load-balancing/understand-basics/traffic-steering/origin-level-steering/#weights) to the endpoint. If you only have one endpoint, enter `1`. - :::note - A single origin pool cannot have the same Tunnel UUID referenced twice. - ::: -9. On the **Pools** page, choose a **Fallback pool**. Refer to [Global traffic steering](/load-balancing/understand-basics/traffic-steering/steering-policies/) for information on how the load balancer routes traffic to pools. -10. (Recommended) On the **Monitors** page, attach a monitor to the tunnel endpoint. For example, if your application is HTTP or HTTPS, you can create an HTTPS monitor to poll the application: - - **Type**: _HTTPS_ - - **Path**: `/` - - **Port**: `443` - - **Expected Code(s)**: `200` - - **Header Name**: `Host` - - **Value**: `app.example.com` - - :::note - TCP monitors are not supported for tunnel endpoints. For a workaround, refer to [Monitors and TCP tunnel origins](#monitors-and-tcp-tunnel-origins). - ::: - -11. Save and deploy the load balancer. -12. To test the load balancer, access the application using the load balancer hostname (`lb.example.com`). - -Refer to the [Load Balancing documentation](/load-balancing/) for more details on load balancer settings and configurations. - -### Optional Cloudflare settings - -The application will default to the Cloudflare settings for the load balancer hostname, including [Rules](/rules/), [Cache Rules](/cache/how-to/cache-rules/) and [WAF rules](/waf/). You can change the settings for your hostname in the [Cloudflare dashboard](https://dash.cloudflare.com/). - -## Common architectures - -Review common load balancing configurations for published applications behind Cloudflare Tunnel. - -### One app per load balancer - -For this example, assume we have a web application that runs on servers in two different data centers. We want to connect the application to Cloudflare so that users can access the application from anywhere in the world. Additionally, we want Cloudflare to load balance between the servers such that if the primary server fails, the secondary server receives all traffic. - -```mermaid -graph LR - subgraph LB["Public load balancer
app.example.com "] - subgraph P1[Pool 2] - E1(["**Endpoint:** <UUID_1>.cfargotunnel.com
**Host header**: server2.example.com"]) - end - subgraph P2[Pool 1] - E2(["**Endpoint:** <UUID_2>.cfargotunnel.com
**Host header**: server1.example.com"]) - end - end - R@{ shape: text, label: "app.example.com" } - R--> LB - P1 -- Tunnel 1 --> cf1 - P2 -- Tunnel 2 --> cf2 - subgraph D2[Private network] - subgraph r1[Region eu-west-1] - cf1@{ shape: processes, label: "cloudflared
**Route:** server2.example.com" } - S1(["Server 2
10.0.0.1:80"]) - cf1-->S1 - end - subgraph r2[Region us-east-1] - cf2@{ shape: processes, label: "cloudflared
**Route:** server1.example.com" } - S3(["Server 1
10.0.0.2:80"]) - cf2-->S3 - end - end - - style r1 stroke-dasharray: 5 5 - style r2 stroke-dasharray: 5 5 -``` - -As shown in the diagram, a typical setup includes: -- A dedicated Cloudflare Tunnel per data center. -- One load balancer pool per tunnel. The load balancer hostname is set to the user-facing application hostname (`app.example.com`). -- One load balancer endpoint per pool. The endpoint host header is set to the `cloudflared` published application hostname (`server1.example.com`) -- At least two `cloudflared` [replicas](#session-affinity-and-replicas) per tunnel in their respective data centers, in case a `cloudflared` host machine goes down. - -Users can now connect to the application using the load balancer hostname (`app.example.com`). Note that this configuration is only valid for [Active-Passive failover](/load-balancing/load-balancers/common-configurations/#active---passive-failover), since each pool only supports one endpoint per tunnel. - -### Multiple apps per load balancer - -The following diagram illustrates how to steer traffic to two different applications on a private network using a single load balancer. - -```mermaid -graph LR - subgraph LB["Public load balancer
lb.example.com"] - subgraph P1[Pool for App 1] - E1(["**Endpoint:** <UUID_1>.cfargotunnel.com
**Host header**: app1.example.com"]) - E2(["**Endpoint:** <UUID_2>.cfargotunnel.com
**Host header**: app1.example.com"]) - end - subgraph P2[Pool for App 2] - E3(["**Endpoint:** <UUID_1>.cfargotunnel.com
**Host header**: app2.example.com"]) - E4(["**Endpoint:** <UUID_2>.cfargotunnel.com
**Host header**: app2.example.com"]) - end - end - R@{ shape: text, label: "app1.example.com
app2.example.com" } - R--> LB - E1 -- Tunnel 1 -->cf1 - E3 -- Tunnel 1 --> cf1 - E2 -- Tunnel 2 --> cf2 - E4 -- Tunnel 2 --> cf2 - - subgraph N[Private network] - cf2[cloudflared
**Route:** app1.example.com
**Route:** app2.example.com] - S3(["App 1
10.0.0.1:80"]) - cf2-->S3 - cf2-->S1 - cf1[cloudflared
**Route:** app1.example.com
**Route:** app2.example.com] - S1(["App 2
10.0.0.2:80"]) - cf1-->S1 - cf1-->S3 - end -``` - -This load balancing setup includes: - -- Two Cloudflare Tunnels with identical routes to both applications. -- One load balancer pool per application. -- Each load balancer pool has an endpoint per tunnel. -- A [DNS record](#dns-records) for each application that points to the load balancer hostname. - -Users can now access all applications through the load balancer. Since there are multiple tunnel endpoints per pool, this configuration supports [Active-Active Failover](/load-balancing/load-balancers/common-configurations/#active---active-failover). Active-Active uses all available endpoints in the pool to process requests simultaneously, providing better performance and scalability by load balancing traffic across them. - -#### DNS records - -When you configure a published application route via the dashboard, Cloudflare will automatically generate a `CNAME` DNS record that points the application hostname (`app1.example.com`) to the tunnel subdomain (`.cfargotunnel.com`). You can [edit these DNS records](/dns/manage-dns-records/how-to/create-dns-records/#edit-dns-records) so that they point to the load balancer hostname instead. - -:::note -Tunnel routes configured via the API or CLI require [manually creating DNS records](/cloudflare-tunnel/routing/dns/). -::: - -Here is an example of what your DNS records will look like before and after setting up [Multiple apps per load balancer](#multiple-apps-per-load-balancer): - -**Before**: -| Type | Name | Content | -| ---- | ---- | ------- | -| CNAME | app1 | `.cfargotunnel.com` | -| CNAME | app2 | `.cfargotunnel.com` | -| CNAME | app1 | `.cfargotunnel.com` | -| CNAME | app2 | `.cfargotunnel.com` | - -**After**: -| Type | Name | Content | -| ---- | ---- | ------- | -| LB | `lb.example.com` | n/a | -| CNAME | app1 | `lb.example.com` | -| CNAME | app2 | `lb.example.com` | - -## Known limitations - -### Monitors and TCP tunnel origins - -If you have a tunnel to a port or SSH port, do not set up a [TCP monitor](/load-balancing/monitors/). Instead, set up a health check endpoint on the `cloudflared` host and create an HTTPS monitor. For example, you can use `cloudflared` to return a fixed HTTP status response: - -1. In your Cloudflare Tunnel, [add a published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) to represent the health check endpoint: - - **Hostame**: Enter a hostname for the health check endpoint (for example, `health-check.example.com`) - - **Service Type**: _HTTP_STATUS_ - - **HTTP Status Code**: `200` -2. From the **Load Balancing** page, [create a monitor](/load-balancing/monitors/create-monitor/) with the following properties: - - **Type**: _HTTPS_ - - **Path**: `/` - - **Port**: `443` - - **Expected Code(s)**: `200` - - **Header Name**: `Host` - - **Value**: `health-check.example.com` - -You can now assign this monitor to your load balancer endpoint. The monitor will only verify that your server is reachable. It does not check whether the server is running and accepting requests. - -### Session affinity and replicas - -The load balancer does not distinguish between [replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) of the same tunnel. If you run the same tunnel UUID on two separate hosts, the load balancer treats both hosts as a single endpoint. To maintain [session affinity](/load-balancing/understand-basics/session-affinity/) between a client and a particular host, you will need to connect each host to Cloudflare using a different tunnel UUID. - -### Local connection preference - -If you notice traffic imbalances across endpoints in different locations, you may have to adjust your load balancer setup. - -When an end user sends a request to your application, Cloudflare routes their traffic using [Anycast routing](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) and their request typically goes to the nearest Cloudflare data center. Cloudflare Tunnel will prefer to serve the request using `cloudflared` connections in the same data center. This behavior can impact how connections are weighted and traffic is distributed. - -If you are running [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/), switch to separate Cloudflare tunnels so that you can have more granular control over [traffic steering](/load-balancing/understand-basics/traffic-steering/). diff --git a/src/content/docs/cloudflare-tunnel/routing/protocols.mdx b/src/content/docs/cloudflare-tunnel/routing/protocols.mdx deleted file mode 100644 index 9bc4d86fb6677d0..000000000000000 --- a/src/content/docs/cloudflare-tunnel/routing/protocols.mdx +++ /dev/null @@ -1,24 +0,0 @@ ---- -pcx_content_type: reference -title: Protocols for published applications -sidebar: - order: 4 - label: Protocols -tableOfContents: false ---- - -When you [add a published application route](/cloudflare-tunnel/get-started/create-remote-tunnel/#2-publish-an-application) to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind `cloudflared`. The table below lists the service types that can route to a public hostname. Non-HTTP services will require [installing `cloudflared` on the client](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/) for end users to connect. - -| Service type | Description | Example `service` value | -| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| HTTP | Incoming requests to Cloudflare over HTTPS are proxied to the local web service via HTTP. | `http://localhost:8000` | -| HTTPS | Incoming requests to Cloudflare over HTTPS are proxied directly to the local web service. You can [disable TLS verification](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) if your origin uses self-signed certificates. | `https://localhost:8000` | -| UNIX | Just like HTTP, but using a Unix socket instead. | `unix:/home/production/echo.sock` | -| TCP | Enables TCP streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using TCP. To [connect to the public hostname over arbitrary TCP](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/), the user needs to run `cloudflared access tcp`, and there are no guarantees on how long the TCP tunnel will live. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead. | `tcp://localhost:2222` | -| SSH | Enables SSH streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using SSH. To [connect to the public hostname over SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/), the client needs to run `cloudflared access ssh`, and there are no guarantees on how long the SSH connection will last. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead. | `ssh://localhost:22` | -| RDP | Similar to TCP but for RDP streams only. For more information, refer to [Connect to RDP with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/). | `rdp://localhost:3389` | -| UNIX + TLS | Just like HTTPS, but using a Unix socket instead. | `unix+tls:/home/production/echo.sock` | -| SMB | Similar to TCP but for SMB streams only. For more information, refer to [Connect to SMB with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/#connect-to-smb-server-with-cloudflared-access). | `smb://localhost:445` | -| HTTP_STATUS | Responds to all requests with the given HTTP status. | `http_status:404` | -| BASTION | `cloudflared` will act like a jumphost, allowing access to any local address. | `bastion` | -| HELLO_WORLD | Test server for validating your Cloudflare Tunnel connection (for [locally managed tunnels](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/#file-structure-for-published-applications) only). | `hello_world` | diff --git a/src/content/docs/cloudflare-tunnel/troubleshoot/common-errors.mdx b/src/content/docs/cloudflare-tunnel/troubleshoot/common-errors.mdx deleted file mode 100644 index 4ec3bdaafbe7205..000000000000000 --- a/src/content/docs/cloudflare-tunnel/troubleshoot/common-errors.mdx +++ /dev/null @@ -1,160 +0,0 @@ ---- -pcx_content_type: reference -title: Common errors -sidebar: - order: 2 ---- - -import { Tabs, TabItem, GlossaryTooltip, Render } from "~/components"; - -This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/), view your [Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/), or [contact Cloudflare Support](/support/contacting-cloudflare-support/). - -## Tunnel status - -You can check your tunnel's connection status either from Cloudflare One (by going to **Networks** > **Connectors** > **Cloudflare Tunnels**) or by running the `cloudflared tunnel list` command. Each tunnel displays a status that reflects its current connection state: - - - -:::note[Tunnel status scope] - -The tunnel status only reflects the connection between `cloudflared` and the Cloudflare network. Tunnel status does not indicate whether `cloudflared` can successfully reach your internal services. As a result, a tunnel can appear `Healthy` while users are still unable to connect to an application. -::: - -## I see `cloudflared service is already installed`. - -If you see this error when installing a remotely-managed tunnel, ensure that no other `cloudflared` instances are running as a service on this machine. Only a single instance of `cloudflared` may run as a service on any given machine. Instead, we recommend adding additional routes to your existing tunnel. Alternatively, you can run `sudo cloudflared service uninstall` to uninstall `cloudflared`. - -## I see `An A, AAAA, or CNAME record with that host already exists`. - -If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. [Check the DNS records](/dns/manage-dns-records/how-to/create-dns-records/) for your domain from the [Cloudflare dashboard](https://dash.cloudflare.com). - -## Tunnel credentials file doesn't exist or is not a file. - -If you encounter the following error when running a tunnel, double check your `config.yml` file and ensure that the `credentials-file` points to the correct location. You may need to change `/root/` to your home directory. - -```sh -cloudflared tunnel run -``` - -```sh output -2021-06-04T06:21:16Z INF Starting tunnel tunnelID=928655cc-7f95-43f2-8539-2aba6cf3592d -Tunnel credentials file '/root/.cloudflared/928655cc-7f95-43f2-8539-2aba6cf3592d.json' doesn't exist or is not a file -``` - -## My tunnel fails to authenticate. - -To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through `cloudflared login`. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components: - -- The public key of the origin certificate for that hostname -- The private key of the origin certificate for that domain -- A token that is unique to Cloudflare Tunnel - -Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one-level deep. Cloudflare uses that certificate file to authenticate `cloudflared` to create DNS records for your domain in Cloudflare. - -The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through `cloudflared` retains the older API key and can cause authentication failures. The user will need to login once more through `cloudflared` to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate. - -## I see an error: x509: certificate signed by unknown authority. - -This means the origin is using a certificate that `cloudflared` does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare. To solve this: - -- Add the certificate to the system certificate pool. -- Use the `--origin-ca-pool` flag and specify the path to the certificate. -- Use the `--no-tls-verify` flag to stop `cloudflared` checking the certificate for a trust chain. - -## I see an error 1033 when attempting to run a tunnel. - - - -For more information, refer to the [comprehensive list](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) of Cloudflare 1xxx errors. - -## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app. - -This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the [origin server name](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#originservername) parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration: - -```txt -ingress: - - hostname: test.example.com - service: https://localhost:443 - originRequest: - originServerName: test.example.com -``` - -## `cloudflared access` shows an error `websocket: bad handshake`. - -This means that your `cloudflared access` client is unable to reach your `cloudflared tunnel` origin. -To diagnose this, you should look at the `cloudflared tunnel` logs. A very often root cause is that the `cloudflared tunnel` is unable to proxy to your origin (e.g. because the ingress is mis-configured, or the origin is down, or because the origin HTTPS certificate cannot be validated by `cloudflared tunnel`). -If `cloudflared tunnel` has no logs, it means Cloudflare Edge is not even able to route the websocket traffic to it. - -There are a few different possible root causes behind the `websocket: bad handshake` error: - -- Your `cloudflared tunnel` is either not running or not connected to Cloudflare Edge. - -- WebSockets are not [enabled](/network/websockets/#enable-websockets). - -- Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve: - 1. On the Cloudflare dashboard for your zone, go to **SSL/TLS** > **Overview**. - 2. Ensure that your SSL/TLS encryption mode is set to either **Flexible**, **Full** or **Full (strict)**. - -- Your requests are blocked by [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings. - -- Your SSH or RDP Access application has the [Binding Cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** > **Applications** and edit the application settings. - -- One or more [Workers routes](/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, you could either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname or update your Worker to only handle specific paths and forward all other requests to the origin, for example, by using `return fetch(req)`. - -## My tunnel randomly disconnects. - -Long-lived connections initiated through Cloudflare One, such as SSH sessions, can last up to eight hours. However, disruptions along the service path may result in more frequent disconnects. Often, these disconnects are caused by regularly scheduled maintenance events such as data center, server, or service updates and restarts. If you believe these events are not the cause of disconnects in your environment, collect the relevant [WARP logs](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/warp-logs/) and [Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/) and contact Support. - -## Tunnel connections fail with SSL error. - -If `cloudflared` returns error `error="remote error: tls: handshake failure"`, check to make sure the hostname in question is covered by a SSL certificate. If using a multi-level subdomain, an advanced certificate may be required as the Universal SSL will not cover more than one level of subdomain. This may surface in the browser as `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`. - -## Tunnel connections fail with `Too many open files` error. - -If your [Cloudflare Tunnel logs](/cloudflare-tunnel/monitor-tunnels/logs/) returns a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to [configure ulimit settings](/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/#ulimits) on the machine running `cloudflared`. - -## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs. - -This buffer size increase is reported by the [quic-go library](https://github.com/quic-go/quic-go) leveraged by [cloudflared](https://github.com/cloudflare/cloudflared). You can learn more about the log message in the [quic-go repository](https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes). This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed `cloudflared` within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes. - -To set the maximum receive buffer size on Linux: - -1. Create a new file under `/etc/sysctl.d/`: - -```sh -sudo vi 98-core-rmem-max.conf -``` - -2. In the file, define the desired buffer size: - -```txt -net.core.rmem_max=2500000 -``` - -3. Reboot the host machine running `cloudflared`. - -4. To validate that these changes have taken effect, use the `grep` command: - -```sh -sudo sysctl -a | grep net.core.rmem_max -``` - -```sh output -net.core.rmem_max = 2500000 -``` - -## `ping` and `traceroute` commands do not work. - -To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](/cloudflare-one/traffic-policies/proxy/#icmp). - -## Cloudflare Tunnel is buffering my streaming response instead of streaming it live. - -Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the response header `Content-Type: text/event-stream`. The `Content-Type: text/event-stream` response header tells `cloudflared` to stream data as it arrives instead of buffering the entire response. - -## I see `Error: This route's network is inside an existing subnet's network at "100.96.0.0/12"`. - -This error occurs when you try to add a CIDR route that falls within Cloudflare WARP's CGNAT IP range. The `100.96.0.0/12` range, which covers addresses from `100.96.0.1` to `100.111.255.254`, is reserved for internal WARP routing and cannot be added as a Cloudflare Tunnel route. To connect your private network, you will need to change its IP/CIDR so that it does not overlap with `100.96.0.0/12`. - -## Troubleshooting - -[Troubleshooting](/cloudflare-one/faq/troubleshooting/) - Browse other Cloudflare One-related troubleshooting errors and solutions. diff --git a/src/content/docs/cloudflare-tunnel/troubleshoot/connectivity-prechecks.mdx b/src/content/docs/cloudflare-tunnel/troubleshoot/connectivity-prechecks.mdx deleted file mode 100644 index 5d82acaad120c61..000000000000000 --- a/src/content/docs/cloudflare-tunnel/troubleshoot/connectivity-prechecks.mdx +++ /dev/null @@ -1,329 +0,0 @@ ---- -pcx_content_type: how-to -title: Connectivity pre-checks ---- - -import { Render, TabItem, Tabs } from "~/components"; - -This guide helps you validate connectivity between your environment and [Cloudflare Tunnel endpoints](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/) before deploying [Cloudflare Tunnel](/cloudflare-tunnel/). You will run DNS and network checks from the same host machine that will run `cloudflared` to help you identify issues that may prevent `cloudflared` from connecting to Cloudflare Tunnel endpoints. - -Running these checks before you install `cloudflared` sets your deployment up for success and narrows down the cause of any later connectivity issues. - -This guide is structured as follows: - -1. [Before you start](#before-you-start): Read prerequisites and terminology. - -2. [DNS test with dig](#2-dns-test-with-dig): Confirm that DNS resolves Cloudflare Tunnel endpoints to the expected IPs. - -3. [Test network connectivity](#3-test-network-connectivity): Verify that your firewall allows outbound traffic on port `7844` (TCP and UDP). - -4. [Get help](/cloudflare-tunnel/troubleshoot/connectivity-prechecks/#4-get-help): What to collect and who to contact if tests fail. - -## 1. Before you start - -### Prerequisites - -You must have: - -- A host machine connected to the Internet where you plan to run `cloudflared`. The tests must run from the same environment where `cloudflared` will run (same network, same firewall path). - -- A terminal session with permission to run `dig` and `nc` (netcat), or similar software. - -`cloudflared` is platform-agnostic and supports a wide range of operating systems. For details, refer to [Tunnel system requirements](/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/). - -### Terminology - -When troubleshooting connectivity to Cloudflare, it is important to distinguish between: - -- Host machine: The server or virtual machine (VM) where you will run `cloudflared`. - -- Environment: The broader setup containing the host machine (network and firewall configuration). - -Cloudflare Tunnel errors can originate from the environment (for example, DNS or firewall policies), even though they surface as `cloudflared` errors on the host machine. This guide focuses on the environment, not on `cloudflared` itself. - -`cloudflared` establishes [outbound-only connections](/cloudflare-tunnel/#outbound-only-connection) to Cloudflare's global network over port `7844`. The specific destinations and ports are documented in [Tunnel with firewall](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/). - -## 2. DNS test with dig - -Cloudflare Tunnel requires outbound connectivity to `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com` (or to the equivalent `us-region1` and `us-region2` endpoints when using only the [US region](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#region-us)). - -For a successful and healthy deployment, `cloudflared` should have [four active replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) with connectivity to both regions (that is, both `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com`, or both `us-region1` and `us-region2`). - -First, you need to verify that your DNS resolver returns the expected IP addresses for Cloudflare Tunnel endpoints. - -### 2.1. Test DNS with your current resolver - -Depending on whether you are testing a global region or the US region, run one of the following commands: - - - - -```sh -dig A region1.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -region1.v2.argotunnel.com. 86400 IN A 198.41.192.167 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.67 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.57 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.107 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.27 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.7 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.227 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.47 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.37 -region1.v2.argotunnel.com. 86400 IN A 198.41.192.77 -... -``` - -```sh -dig AAAA region1.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::1 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::2 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::3 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::4 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::5 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::6 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::7 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::8 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::9 -region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::10 -... -``` - -```sh -dig A region2.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -region2.v2.argotunnel.com. 86400 IN A 198.41.200.13 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.193 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.33 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.233 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.53 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.63 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.113 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.73 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.43 -region2.v2.argotunnel.com. 86400 IN A 198.41.200.23 -... -``` - -```sh -dig AAAA region2.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::1 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::2 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::3 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::4 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::5 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::6 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::7 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::8 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::9 -region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::10 -... -``` - - - - -```sh -dig A us-region1.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.1 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.2 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.3 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.4 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.5 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.6 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.7 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.8 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.9 -us-region1.v2.argotunnel.com. 86400 IN A 198.41.218.10 -... -``` - -```sh -dig AAAA us-region1.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::1 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::2 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::3 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::4 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::5 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::6 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::7 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::8 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::9 -us-region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a1::10 -... -``` - -```sh -dig A us-region2.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.1 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.2 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.3 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.4 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.5 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.6 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.7 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.8 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.9 -us-region2.v2.argotunnel.com. 86400 IN A 198.41.219.10 -... -``` - -```sh -dig AAAA us-region2.v2.argotunnel.com -``` - -```sh output -;; ANSWER SECTION: -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::1 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::2 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::3 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::4 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::5 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::6 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::7 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::8 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::9 -us-region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a9::10 -... -``` - - - - -The `ANSWER SECTION` should include the expected IP addresses for Cloudflare Tunnel endpoints. - -If you receive: - -- Status `NOERROR` with valid IP addresses - Your DNS resolver is successfully returning addresses for the Tunnel hostname. Continue to [Test network connectivity](#3-test-network-connectivity). - -- Status `SERVFAIL`, `NXDOMAIN`, or an empty answer - Your DNS resolver cannot resolve the Tunnel endpoint. Continue to [Compare against `1.1.1.1`](#compare-against-1111). - -### 2.2. Compare against `1.1.1.1` - -If your original `dig` response is empty or does not match the documented IPs, test again using Cloudflare's public resolver `1.1.1.1`: - -```sh -dig A region1.v2.argotunnel.com @1.1.1.1 -``` -#### If only `1.1.1.1` works - -If `1.1.1.1` returns the correct IPs, but your original resolver does not, your local DNS resolver is misconfigured or blocked. - -To resolve: - -- Configure the host machine to use `1.1.1.1` as its resolver. -- If you must keep using your existing resolver, then investigate with your system administrator or ISP why it is returning different IPs. A recursive resolver should return the same response as the authoritative DNS server. If this cannot be fixed, the issue lies within your local environment and must be resolved before deploying Cloudflare Tunnel. - -#### If neither resolver works - -If neither your original resolver nor `1.1.1.1` returns an answer, your firewall may be blocking DNS queries to Cloudflare Tunnel endpoints. - -To resolve: - -- Check for firewall rules blocking DNS traffic altogether (UDP on port `53`) or specific DNS queries related to Cloudflare. -- If you are behind a managed DNS or security appliance, contact that provider to understand why queries to `region1.v2.argotunnel.com` and other Cloudflare Tunnel endpoints are blocked. - -Once DNS resolution returns the expected IPs from your DNS resolver, proceed to connectivity testing in step 3. - -## 3. Test network connectivity - -After confirming that your DNS resolver returns the correct IPs, test whether your host machine can send packets to Cloudflare on port `7844` using both UDP and TCP. - -Choose one of the IPs from your `dig` output (for example, `198.41.192.167`) and run the following tests. - -### 3.1. Test UDP connectivity - -```sh -nc -uvz -w 3 198.41.192.167 7844 -``` - -Example output: - -```sh -Connection to 198.41.192.167 port 7844 [udp/*] succeeded! -``` - -### 3.2. Test TCP connectivity - -```sh -nc -vz -w 3 198.41.192.167 7844 -``` - -Example output: - -```sh -Connection to 198.41.192.167 port 7844 [tcp/*] succeeded! -``` - -### 3.3 Interpret results - -These tests answer two key questions: - -- Can the host machine send a UDP packet to Cloudflare Tunnel endpoints? -- Can the host machine send a TCP packet to Cloudflare Tunnel endpoints? - -If either protocol succeeds, `cloudflared` can use that protocol to establish the tunnel. - -You have already confirmed DNS is working in the previous steps. These connectivity tests now verify whether your environment allows traffic to Cloudflare on port `7844`. By default, `cloudflared` automatically falls back to whichever protocol is available. - -If a [protocol](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol) is blocked but you force `cloudflared` to use it (for example, forcing QUIC when UDP is blocked), the tunnel will fail to connect. - -#### Both UDP and TCP succeed - -Your firewall allows outbound traffic and return traffic to Cloudflare's tunnel endpoint on port `7844`. `cloudflared` can connect using either `quic` (UDP) or `http2` (TCP). If both UDP and TCP succeed and your DNS test in the previous section was successful, you can successfully deploy Cloudflare Tunnel in this environment. - -#### UDP succeeds, TCP fails - -Outbound UDP is allowed, but TCP on port `7844` is blocked or inspected. - -`cloudflared` will only be able to connect using `quic`. If you force `http2` in your configuration while TCP is blocked, the tunnel will fail. - -To resolve: Either allow TCP on your local network firewall on port `7844` or stop forcing `http2` to allow `cloudflared` to connect over `QUIC` instead. Refer to the [Protocol](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol) parameter documentation for more information. - -#### TCP succeeds, UDP fails - -Outbound TCP is allowed, but UDP on port `7844` is blocked. - -`cloudflared` will only be able to connect using `http2`. If you force `quic` while UDP is blocked, the tunnel will fail. - -To resolve: Either allow UDP on the local network firewall on port `7844` or stop forcing QUIC to allow `cloudflared` to connect over HTTP/2 instead. Refer to the [Protocol](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol) parameter documentation for more information. - -#### Both UDP and TCP fail - -Packets are being dropped somewhere between the host and the [Cloudflare Tunnel endpoints](/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/). - -This usually indicates a firewall policy or upstream security control that does not allow outbound traffic (or return traffic) on port `7844`. - -To resolve: Allow all traffic over port `7844` on the local network firewall. If this does not resolve the issue, troubleshoot with your ISP or service provider. - -## 4. Get help - -If either DNS or network test failed, it will likely be a problem in your local environment. You will need to debug with your administrator, ISP or cloud provider. If you believe the issue is with Cloudflare, please provide detailed information when contacting support. - - diff --git a/src/content/docs/cloudflare-tunnel/troubleshoot/diag-logs.mdx b/src/content/docs/cloudflare-tunnel/troubleshoot/diag-logs.mdx deleted file mode 100644 index 03b3247a39ba28e..000000000000000 --- a/src/content/docs/cloudflare-tunnel/troubleshoot/diag-logs.mdx +++ /dev/null @@ -1,134 +0,0 @@ ---- -pcx_content_type: how-to -title: Tunnel diagnostic logs -sidebar: - order: 1 - label: Diagnostic logs ---- - -import { Details, Render } from "~/components"; - -Cloudflare Tunnel generates a set of diagnostic logs that can be used to troubleshoot issues with `cloudflared`. A diagnostic report collects data from a single instance of `cloudflared` running on the local machine. - -## Get diagnostic logs - -The steps for getting diagnostic logs depend on your `cloudflared` deployment environment. - -### Prerequisites - -- `cloudflared` version 2024.12.2 or later installed on the host - -### Host environment - -These instructions apply to remotely-managed and locally-managed tunnels running directly on the host machine. - -1. (Linux only) To include network diagnostics in the logs, allow the `cloudflared` user to create RAW and PACKET sockets without root permissions: - - ```sh - sudo setcap cap_net_raw+ep /usr/bin/traceroute && sudo setcap cap_net_raw+ep /usr/bin/traceroute - ``` - - If you do not set `cap_net_raw`, then traceroute data will be unavailable. - -2. Get diagnostic logs: - - ```sh - cloudflared tunnel diag - ``` - - If multiple instances of `cloudflared` are running on the same host, specify the [metrics server IP and port](/cloudflare-tunnel/monitor-tunnels/metrics/#configure-the-metrics-server-address) for the instance you want to diagnose. For example: - - ```sh - cloudflared tunnel diag --metrics 127.0.0.1:20241 - ``` - -This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. - -### Docker - -`cloudflared` reads diagnostic data from the [tunnel metrics server](/cloudflare-tunnel/monitor-tunnels/metrics/). To get diagnostic logs, the metrics server must be exposed from the Docker container and reachable from the host machine. - -1. Determine the [metrics server port](/cloudflare-tunnel/monitor-tunnels/metrics/#default-metrics-server-address) for the `cloudflared` instance running in Docker. - -2. Ensure the container is deployed with port forwarding enabled. The diagnostic feature will request information from the Docker instance using local port `20241`, therefore you should forward port `20241` to the container port obtained in Step 1: - - ```sh - docker run -d -p 20241: docker.io/cloudflare/cloudflared tunnel ... - ``` - -3. Verify that you can reach the metrics server address from the Docker host environment: - - ```sh - curl localhost:20241/diag/tunnel - ``` - - This command should return a JSON: - ```json - { - "tunnelID": "ef96b330-a7f5-4bce-a00e-827ce5be077f", - "connectorID": "d236670a-9f74-422f-adf1-030f5c5f0523", - "connections": [ - { "isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.167"}, - {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.113", "index": 1}, - {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.47", "index": 2}, - {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.73", "index": 3} - ], - "icmp_sources": ["192.168.1.243", "fe80::c59:bd4a:e815:ed6"] - } - ``` - -4. Run the diagnostic using the Docker container ID: - - ```sh - cloudflared tunnel diag --diag-container-id= - ``` - - Alternatively, you can specify the container's name instead of its ID: - ```sh - cloudflared tunnel diag --diag-container-id= - ``` - - Running the diagnostic command with the container ID allows `cloudflared` to collect information from the Docker environment such as logs and container details. - -This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. - -### Kubernetes - -The diagnostic feature will request data from the [tunnel metrics server](/cloudflare-tunnel/monitor-tunnels/metrics/) using ports `20241` to `20245`. You will need to use port forwarding to allow the local `cloudflared` instance to connect to the metrics server on one of these ports. - -1. Determine the tunnel's [metrics server port](/cloudflare-tunnel/monitor-tunnels/metrics/#default-metrics-server-address). - -2. Enable port forwarding: - - ```sh - kubectl port-forward : - ``` - - - ``: Name of the pod where the tunnel is running - - `` is any local port in the range `20241` to `20245`. - - `` is the Kubernetes pod port for the `cloudflared` instance you want to diagnose (obtained in Step 1). - - For example, if you set the metrics server address to `0.0.0.0:12345`: - - ```sh - kubectl port-forward cloudflared-6d4897585b-r8kfz 20244:12345 - ``` - Connections made to local port `20244` are forwarded to port `12345` of the pod that is running the tunnel. - -3. Run the diagnostic: - - ```sh - cloudflared tunnel diag --diag-pod-id= - ``` - - If the pod has multiple applications/services running and `cloudflared` is not the first in the pod, you must specify either the container ID or name: - - ```sh - cloudflared tunnel diag --diag-pod-id= --diag-container-id= - ``` - -This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. - -## cloudflared-diag files - - diff --git a/src/content/docs/cloudflare-tunnel/troubleshoot/index.mdx b/src/content/docs/cloudflare-tunnel/troubleshoot/index.mdx deleted file mode 100644 index 1dd6edca659a470..000000000000000 --- a/src/content/docs/cloudflare-tunnel/troubleshoot/index.mdx +++ /dev/null @@ -1,11 +0,0 @@ ---- -pcx_content_type: navigation -title: Troubleshoot tunnels -sidebar: - order: 10 - ---- - -import { DirectoryListing } from "~/components" - - diff --git a/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx b/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx index 62117b87fce67f9..bc07236d8165e63 100644 --- a/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx +++ b/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx @@ -1,7 +1,7 @@ --- title: Extend Cloudflare's benefits to SaaS providers' end-customers pcx_content_type: design-guide -products: [cloudflare-tunnel, cloudflare-for-saas, load-balancing, data-localization] +products: [tunnel, cloudflare-for-saas, load-balancing, data-localization] sidebar: order: 1 label: Cloudflare's benefits for SaaS providers @@ -53,7 +53,7 @@ The following products are used to deliver this solution. | [DDoS Protection](/ddos-protection/) | Volumetric attack protection is automatically enabled for [proxied](/dns/proxy-status/) hostnames. | | [Regional Services](/data-localization/regional-services/) (part of the Data Localization Suite) | Restrict inspection of data (processing) to only those data centers within jurisdictional boundaries. | | [Load Balancer](/load-balancing/) | Distributes traffic across your endpoints, which reduces endpoint strain and latency and improves the experience for end users. | -| [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) | Secure method to connect to customers' networks and servers without creating holes in [firewalls](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/). cloudflared is the daemon (software) installed on origin servers to create a secure tunnel from applications back to Cloudflare. | +| [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) | Secure method to connect to customers' networks and servers without creating holes in [firewalls](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/). cloudflared is the daemon (software) installed on origin servers to create a secure tunnel from applications back to Cloudflare. | ## Cloudflare for SaaS examples diff --git a/src/content/docs/cloudflare-tunnel/changelog.mdx b/src/content/docs/tunnel/changelog.mdx similarity index 94% rename from src/content/docs/cloudflare-tunnel/changelog.mdx rename to src/content/docs/tunnel/changelog.mdx index 2caa3481ce737b7..401a93ac55cd38b 100644 --- a/src/content/docs/cloudflare-tunnel/changelog.mdx +++ b/src/content/docs/tunnel/changelog.mdx @@ -2,7 +2,7 @@ pcx_content_type: changelog title: Changelog sidebar: - order: 13 + order: 11 description: Review recent changes to Cloudflare Tunnel. --- diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx new file mode 100644 index 000000000000000..622e57bc30367f6 --- /dev/null +++ b/src/content/docs/tunnel/configuration.mdx @@ -0,0 +1,570 @@ +--- +title: Configuration +pcx_content_type: reference +sidebar: + order: 4 +--- + +import { + DashButton, + Details, + Render, + Tabs, + TabItem, + TunnelCalculator, + APIRequest, +} from "~/components"; + +This page covers the runtime configuration for `cloudflared` tunnels, including high availability, firewall rules, tokens, and all supported parameters. + +## Replicas and high availability + +When you run a tunnel, `cloudflared` establishes four outbound-only, [post-quantum encrypted](/ssl/post-quantum-cryptography/) connections to at least two distinct Cloudflare data centers. If any connection, server, or data center goes offline, your resources remain available. + +A replica is an additional `cloudflared` instance that points to the same tunnel. Each replica creates four new connections, providing additional ingress points to your origin. You can run up to 25 replicas (100 connections) per tunnel. Traffic routes to the geographically closest replica. + +```mermaid +graph LR + C((Cloudflare)) + subgraph E[Your network] + cf1["cloudflared
(replica 1)"] + cf2["cloudflared
(replica 2)"] + S1[Application] + cf1-->S1 + cf2-->S1 + end + C -- "Connections x 4"--> cf1 + C --> cf1 + C --> cf1 + C --> cf1 + C -- "Connections x 4"--> cf2 + C --> cf2 + C --> cf2 + C --> cf2 +``` + +To deploy a replica for a remotely-managed tunnel: + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. + + + +2. Select your tunnel, then select **Edit**. +3. Select the operating system of the host where you want to deploy a replica. +4. Copy the installation command and run it on the host. + +For locally-managed tunnels, run `cloudflared tunnel run ` on an additional host using the same tunnel credentials. + +:::note +For intelligent traffic steering, failover logic, or health alerts, use [Cloudflare Load Balancing](/tunnel/routing/#load-balancing) instead of replicas. +::: + +## Firewall rules + +`cloudflared` connects outbound to Cloudflare on port `7844`. Your firewall must allow egress to the following destinations. Block all ingress traffic for a positive security model — only the services in your tunnel configuration will be exposed. + +### Required ports + +#### `region1.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.192.167` `198.41.192.67` `198.41.192.57` `198.41.192.107` `198.41.192.27` `198.41.192.7` `198.41.192.227` `198.41.192.47` `198.41.192.37` `198.41.192.77` | `2606:4700:a0::1` `2606:4700:a0::2` `2606:4700:a0::3` `2606:4700:a0::4` `2606:4700:a0::5` `2606:4700:a0::6` `2606:4700:a0::7` `2606:4700:a0::8` `2606:4700:a0::9` `2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +#### `region2.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.200.13` `198.41.200.193` `198.41.200.33` `198.41.200.233` `198.41.200.53` `198.41.200.63` `198.41.200.113` `198.41.200.73` `198.41.200.43` `198.41.200.23` | `2606:4700:a8::1` `2606:4700:a8::2` `2606:4700:a8::3` `2606:4700:a8::4` `2606:4700:a8::5` `2606:4700:a8::6` `2606:4700:a8::7` `2606:4700:a8::8` `2606:4700:a8::9` `2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +
+ +When using the [`--region us`](#region) flag, allow outbound connections to these destinations instead. + +#### `us-region1.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocol | +| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.218.1` `198.41.218.2` `198.41.218.3` `198.41.218.4` `198.41.218.5` `198.41.218.6` `198.41.218.7` `198.41.218.8` `198.41.218.9` `198.41.218.10` | `2606:4700:a1::1` `2606:4700:a1::2` `2606:4700:a1::3` `2606:4700:a1::4` `2606:4700:a1::5` `2606:4700:a1::6` `2606:4700:a1::7` `2606:4700:a1::8` `2606:4700:a1::9` `2606:4700:a1::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +#### `us-region2.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocol | +| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.219.1` `198.41.219.2` `198.41.219.3` `198.41.219.4` `198.41.219.5` `198.41.219.6` `198.41.219.7` `198.41.219.8` `198.41.219.9` `198.41.219.10` | `2606:4700:a9::1` `2606:4700:a9::2` `2606:4700:a9::3` `2606:4700:a9::4` `2606:4700:a9::5` `2606:4700:a9::6` `2606:4700:a9::7` `2606:4700:a9::8` `2606:4700:a9::9` `2606:4700:a9::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +
+ +
+ +If your firewall enforces Server Name Indication (SNI), also allow these hostnames on port `7844`: + +| Hostname | Port | Protocols | +| --------------------------------------- | ---- | ------------------------ | +| `_v2-origintunneld._tcp.argotunnel.com` | 7844 | TCP (`http2`) | +| `cftunnel.com` | 7844 | TCP/UDP (`http2`/`quic`) | +| `h2.cftunnel.com` | 7844 | TCP (`http2`) | +| `quic.cftunnel.com` | 7844 | UDP (`quic`) | + +
+ +
+ +Opening port `443` enables optional features like software auto-updates and Access JWT validation. `cloudflared` runs correctly without these connections. + +| Destination | Purpose | +| --------------------------------------- | ----------------------------------------- | +| `api.cloudflare.com` | Software update checks | +| `update.argotunnel.com` | Software update checks | +| `github.com` | Download latest release | +| `.cloudflareaccess.com` | Access JWT validation (if Access enabled) | +| `pqtunnels.cloudflareresearch.com` | Post-quantum error reporting | +| `cfd-features.argotunnel.com` (DNS TXT) | UDP datagram version negotiation | + +
+ +To verify your firewall allows tunnel traffic, refer to [Connectivity pre-checks](/tunnel/troubleshooting/#connectivity-pre-checks). + +## Tunnel tokens + +A remotely-managed tunnel only requires a token to run. Anyone with the token can run the tunnel. + +### Get the token + + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. + + + +2. Select a tunnel and select **Edit**. +3. Copy the `cloudflared` installation command — the token is the `eyJ...` string. + + + + + + + + + +### Rotate a token + +Rotate tokens regularly to reduce the risk of compromise. For tunnels with multiple [replicas](#replicas-and-high-availability), rotate outside working hours and update replicas in batches. + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**, select your tunnel, select **Edit**, then select **Refresh token**. Copy the new installation command. + +2. On each replica, update and restart: + + ```sh + sudo cloudflared service install + sudo systemctl restart cloudflared.service + ``` + +After refreshing, `cloudflared` cannot establish new connections with the old token. Existing connectors remain active until restarted. + +
+ +If your tunnel token is compromised, immediately refresh the token (step 1 above), then force-disconnect all existing connections: + + + +Then update and restart all replicas with the new token. + +
+ +### Account-scoped roles + + + +## Run parameters + +These flags apply to the `cloudflared tunnel run` command. For remotely-managed tunnels, add them to the tunnel service. For locally-managed tunnels, add them to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) as key/value pairs. + +The most commonly used parameters: + +| Parameter | Default | Description | +| ------------------------- | ----------------- | -------------------------------------------------------- | +| [`--loglevel`](#loglevel) | `info` | Log verbosity: `debug`, `info`, `warn`, `error`, `fatal` | +| [`--logfile`](#logfile) | stdout | Path to write log output | +| [`--metrics`](#metrics) | `127.0.0.1:2024x` | Prometheus metrics endpoint address | +| [`--protocol`](#protocol) | `auto` | Connection protocol: `auto`, `quic`, `http2` | +| [`--region`](#region) | global | Route through US-only data centers with `us` | +| [`--token`](#token) | — | Tunnel token (remotely-managed tunnels) | + +
+ +### `autoupdate-freq` + +| Syntax | Default | Environment Variable | +| ---------------------------------------------------------------- | ------- | -------------------- | +| `cloudflared tunnel --autoupdate-freq run ` | `24h` | — | + +Configures the frequency of automatic `cloudflared` updates. On successful update, the old process gracefully shuts down after handling outstanding requests. + +### `config` + +| Syntax | Default | +| ------------------------------------------------------- | --------------------------- | +| `cloudflared tunnel --config run ` | `~/.cloudflared/config.yml` | + +Specifies the path to a configuration file in YAML format. Locally-managed tunnels only. + +### `edge-bind-address` + +| Syntax | Environment Variable | +| ---------------------------------------------------------------- | -------------------------- | +| `cloudflared tunnel --edge-bind-address run ` | `TUNNEL_EDGE_BIND_ADDRESS` | + +Specifies the outgoing IP address used to connect to the Cloudflare global network. Useful when you have multiple network interfaces. + +### `edge-ip-version` + +| Syntax | Default | Environment Variable | +| ------------------------------------------------------------------- | ------- | ------------------------ | +| `cloudflared tunnel --edge-ip-version run ` | `4` | `TUNNEL_EDGE_IP_VERSION` | + +IP version used to connect to Cloudflare. Available values: `auto`, `4`, `6`. + +### `grace-period` + +| Syntax | Default | Environment Variable | +| --------------------------------------------------------------- | ------- | --------------------- | +| `cloudflared tunnel --grace-period run ` | `30s` | `TUNNEL_GRACE_PERIOD` | + +After receiving SIGINT/SIGTERM, `cloudflared` waits this long for in-progress requests to complete before shutting down. + +### `logfile` + +| Syntax | Environment Variable | +| -------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --logfile run ` | `TUNNEL_LOGFILE` | + +Saves application log to the specified file. + +### `loglevel` + +| Syntax | Default | Environment Variable | +| ---------------------------------------------------------- | ------- | -------------------- | +| `cloudflared tunnel --loglevel run ` | `info` | `TUNNEL_LOGLEVEL` | + +Log verbosity. Available values: `debug`, `info`, `warn`, `error`, `fatal`. At `debug` level, request URLs, methods, and headers are logged, which can expose sensitive information. + +### `metrics` + +| Syntax | Environment Variable | +| ----------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --metrics run ` | `TUNNEL_METRICS` | + +Exposes a Prometheus endpoint for [usage metrics](/tunnel/monitoring/#metrics). + +### `no-autoupdate` + +| Syntax | Environment Variable | +| ------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --no-autoupdate run ` | `NO_AUTOUPDATE` | + +Disables automatic updates. Does not apply if `cloudflared` was installed via a package manager. + +### `origincert` + +| Syntax | Default | Environment Variable | +| ----------------------------------------------------------- | ------------------------- | -------------------- | +| `cloudflared tunnel --origincert run ` | `~/.cloudflared/cert.pem` | `TUNNEL_ORIGIN_CERT` | + +Specifies the account certificate for your zone. Locally-managed tunnels only. + +### `pidfile` + +| Syntax | Environment Variable | +| -------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --pidfile run ` | `TUNNEL_PIDFILE` | + +Writes the application PID to the specified file after the first successful connection. + +### `post-quantum` + +| Syntax | Environment Variable | +| ------------------------------------------------------ | --------------------- | +| `cloudflared tunnel run --post-quantum ` | `TUNNEL_POST_QUANTUM` | + +Forces post-quantum key agreements with no fallback. By default, `quic` connections use [post-quantum cryptography](/ssl/post-quantum-cryptography/) but fall back to non-PQ if there are connection issues. Not supported with `http2`. + +### `protocol` + +| Syntax | Default | Environment Variable | +| ---------------------------------------------------------- | ------- | --------------------------- | +| `cloudflared tunnel --protocol run ` | `auto` | `TUNNEL_TRANSPORT_PROTOCOL` | + +Connection protocol. Available values: `auto`, `http2`, `quic`. The `auto` value selects `quic`, falling back to `http2` if UDP is unavailable. + +### `region` + +| Syntax | Environment Variable | +| -------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --region run ` | `TUNNEL_REGION` | + +Routes connections through US-only data centers. The only available value is `us`. Omit for the global region. + +### `retries` + +| Syntax | Default | Environment Variable | +| --------------------------------------------------------- | ------- | -------------------- | +| `cloudflared tunnel --retries run ` | `5` | `TUNNEL_RETRIES` | + +Maximum connection/protocol error retries with exponential backoff. + +### `tag` + +| Syntax | Environment Variable | +| ------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --tag run ` | `TUNNEL_TAG` | + +Custom tags to identify the tunnel. Specify multiple with additional `--tag` flags. + +### `token` + +| Syntax | Environment Variable | +| ----------------------------------------------- | -------------------- | +| `cloudflared tunnel run --token ` | `TUNNEL_TOKEN` | + +Associates the `cloudflared` instance with a specific tunnel. Remotely-managed tunnels only. + +### `token-file` + +| Syntax | Environment Variable | +| -------------------------------------------- | -------------------- | +| `cloudflared tunnel run --token-file ` | `TUNNEL_TOKEN_FILE` | + +Reads the tunnel token from a file. Remotely-managed tunnels only. Requires `2025.4.0` or later. + +
+ +## Origin parameters + +Origin configuration parameters control how `cloudflared` proxies traffic to your origin server. For remotely-managed tunnels, configure these in the dashboard. For locally-managed tunnels, add them to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). + +The most commonly used parameters: + +| Parameter | Default | Description | +| --------------------------------------- | ------- | ----------------------------------------- | +| [`originServerName`](#originservername) | `""` | Hostname expected from origin certificate | +| [`noTLSVerify`](#notlsverify) | `false` | Disable TLS certificate verification | +| [`httpHostHeader`](#httphostheader) | `""` | Override HTTP Host header | +| [`connectTimeout`](#connecttimeout) | `30s` | TCP connection timeout to origin | + +
+ +### `originServerName` + +Hostname that `cloudflared` expects from your origin server certificate. If empty, the expected hostname is the service URL. + +| Default | UI name | +| ------- | ------------------ | +| `""` | Origin Server Name | + +### `matchSNItoHost` + +When `true`, `cloudflared` sets the SNI during TLS handshake to the hostname of the incoming request. Useful for origins hosting multiple services. + +| Default | UI name | +| ------- | ----------------- | +| `false` | Match SNI to Host | + +### `caPool` + +Path to the CA for your origin server certificate (`.pem` or `.crt`). Only needed if not signed by Cloudflare. + +| Default | UI name | +| ------- | -------------------------- | +| `""` | Certificate Authority Pool | + +### `noTLSVerify` + +When `true`, TLS verification is disabled and any certificate from the origin is accepted. + +| Default | UI name | +| ------- | ------------- | +| `false` | No TLS Verify | + +### `tlsTimeout` + +Timeout for completing a TLS handshake to your origin server. + +| Default | UI name | +| ------- | ----------- | +| `10s` | TLS Timeout | + +### `http2Origin` + +When `true`, `cloudflared` connects to your origin using HTTP/2.0 instead of HTTP/1.1. + +| Default | UI name | +| ------- | ---------------- | +| `false` | HTTP2 connection | + +
+ +
+ +### `httpHostHeader` + +Sets the HTTP `Host` header on requests sent to the local service. + +| Default | UI name | +| ------- | ---------------- | +| `""` | HTTP Host Header | + +### `disableChunkedEncoding` + +When `true`, chunked transfer encoding is disabled. Useful for WSGI servers. + +| Default | UI name | +| ------- | ------------------------ | +| `false` | Disable Chunked Encoding | + +
+ +
+ +### `connectTimeout` + +Timeout for establishing a new TCP connection to your origin (excludes TLS). + +| Default | UI name | +| ------- | --------------- | +| `30s` | Connect Timeout | + +### `noHappyEyeballs` + +When `true`, disables the Happy Eyeballs algorithm for IPv4/IPv6 fallback. + +| Default | UI name | +| ------- | ----------------- | +| `false` | No Happy Eyeballs | + +### `proxyType` + +Type of proxy server that translates HTTP traffic into TCP. Valid options: `""` (standard) or `"socks"` (SOCKS5). + +| Default | UI name | +| ------- | ---------- | +| `""` | Proxy Type | + +### `proxyAddress` + +Listen address for the proxy server. Locally-managed tunnels only. + +| Default | +| ----------- | +| `127.0.0.1` | + +### `proxyPort` + +Listen port for the proxy server. `0` means random. Locally-managed tunnels only. + +| Default | +| ------- | +| `0` | + +### `keepAliveTimeout` + +Timeout after which an idle keepalive connection is discarded. + +| Default | UI name | +| ------- | ------------------------------- | +| `1m30s` | Idle Connection Expiration Time | + +### `keepAliveConnections` + +Maximum number of idle keepalive connections to your origin. + +| Default | UI name | +| ------- | ---------------------- | +| `100` | Keep Alive Connections | + +### `tcpKeepAlive` + +Interval for TCP keepalive packets to the origin. + +| Default | UI name | +| ------- | ----------------------- | +| `30s` | TCP Keep Alive Interval | + +
+ +
+ +### `access` + +Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) before proxying traffic. To configure in a [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/#origin-configuration): + +```yml +access: + required: true + teamName: + audTag: + - +``` + +| Default | UI name | +| ------- | ------------------- | +| `""` | Protect with Access | + +
+ +## System requirements + +`cloudflared` is lightweight enough to run on a Raspberry Pi or a data center server. Tunnel throughput is primarily limited by the number of ports configured in system software, not hardware. + +**Baseline recommendations:** Run a `cloudflared` replica on two dedicated hosts per location with a minimum of 4 GB RAM and 4 CPU cores. Allocate 50,000 ports per host. + +
+ + + +```sh +echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee /etc/sysctl.d/99-cloudflared.conf +sudo sysctl -p /etc/sysctl.d/99-cloudflared.conf +``` + + + +```txt +netsh int ipv4 set dynamicport tcp start=11000 num=50000 +netsh int ipv4 set dynamicport udp start=11000 num=50000 +netsh int ipv6 set dynamicport tcp start=11000 num=50000 +netsh int ipv6 set dynamicport udp start=11000 num=50000 +``` + + + +**ulimits (Linux/macOS):** Set the open file descriptor limit to at least 70,000 with `ulimit -n 70000`. Configure persistently for your OS. + +
+ +
+ +Use the [metrics endpoint](/tunnel/monitoring/#cloudflared-metrics) to measure `cloudflared_tcp_total_sessions` and `cloudflared_udp_total_sessions`, then input your values: + + + +To increase tunnel capacity, add identical hosts running `cloudflared` replicas. + +
+ +## Cipher suites + +`cloudflared` uses the Go TLS library. All tunnel connections use TLS 1.3 and post-quantum encryption by default. + +| Protocol | Cipher suites | +| -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| TLS 1.3 | `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256` | +| TLS 1.2 | `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/ansible.mdx b/src/content/docs/tunnel/deployment-guides/ansible.mdx similarity index 90% rename from src/content/docs/cloudflare-tunnel/deployment-guides/ansible.mdx rename to src/content/docs/tunnel/deployment-guides/ansible.mdx index c8e6a79ec2fb011..d0e978ba3da093e 100644 --- a/src/content/docs/cloudflare-tunnel/deployment-guides/ansible.mdx +++ b/src/content/docs/tunnel/deployment-guides/ansible.mdx @@ -9,16 +9,14 @@ import { Render } from "~/components"; Ansible is a software tool that enables at scale management of infrastructure. Ansible is agentless — all it needs to function is the ability to SSH to the target and Python installed on the target. -Ansible works alongside Terraform to streamline the Cloudflare Tunnel setup process. In this guide, you will use Terraform to deploy an SSH server on Google Cloud and create a [locally-managed tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/) that makes the server available over the Internet. Terraform will automatically run an Ansible playbook that installs and configures `cloudflared` on the server. - - +Ansible works alongside Terraform to streamline the Cloudflare Tunnel setup process. In this guide, you will use Terraform to deploy an SSH server on Google Cloud and create a [locally-managed tunnel](/tunnel/other-tunnel-types/local-management/create-local-tunnel/) that makes the server available over the Internet. Terraform will automatically run an Ansible playbook that installs and configures `cloudflared` on the server. ## Prerequisites To complete the steps in this guide, you will need: - [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) and [GCP CLI installed and authenticated](https://cloud.google.com/sdk/docs/install). -- [Basic knowledge of Terraform](/cloudflare-tunnel/deployment-guides/terraform/) and [Terraform installed](https://developer.hashicorp.com/terraform/tutorials/certification-associate-tutorials/install-cli). +- [Basic knowledge of Terraform](/tunnel/deployment-guides/terraform/) and [Terraform installed](https://developer.hashicorp.com/terraform/tutorials/certification-associate-tutorials/install-cli). - [A zone on Cloudflare](/fundamentals/manage-domains/add-site/). - [A Cloudflare API token](/fundamentals/api/get-started/create-token/) with `Cloudflare Tunnel` and `DNS` permissions. @@ -135,7 +133,7 @@ The following configuration will modify settings in your Cloudflare account. ### Configure GCP resources -The following configuration defines the specifications for the GCP virtual machine and installs Python3 on the machine. Python3 allows Ansible to configure the GCP instance instead of having to run a [startup script](/cloudflare-tunnel/deployment-guides/terraform/#create-a-startup-script) on boot. +The following configuration defines the specifications for the GCP virtual machine and installs Python3 on the machine. Python3 allows Ansible to configure the GCP instance instead of having to run a [startup script](/tunnel/deployment-guides/terraform/#create-a-startup-script) on boot. 1. In your configuration directory, create a `.tf` file: @@ -204,7 +202,7 @@ The following configuration defines the specifications for the GCP virtual machi ### Export variables to Ansible -The following Terraform resource exports the [tunnel token](/cloudflare-tunnel/configure-tunnels/tunnel-permissions/) and other variables to `tf_ansible_vars_file.yml`. Ansible will use the tunnel token to configure and run `cloudflared` on the server. +The following Terraform resource exports the [tunnel token](/tunnel/configuration/#tunnel-tokens) and other variables to `tf_ansible_vars_file.yml`. Ansible will use the tunnel token to configure and run `cloudflared` on the server. 1. In your configuration directory, create a new `tf` file: @@ -301,7 +299,7 @@ Once you have created the configuration files, you can deploy them through Terra terraform apply ``` -It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel in [Cloudflare One](https://one.dash.cloudflare.com) under **Networks** > **Connectors** > **Cloudflare Tunnels**. +It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel in the [Cloudflare dashboard](https://dash.cloudflare.com/) under **Networking** > **Tunnels**. ## 7. Test the connection diff --git a/src/content/docs/tunnel/deployment-guides/aws.mdx b/src/content/docs/tunnel/deployment-guides/aws.mdx new file mode 100644 index 000000000000000..92726ead86c85f6 --- /dev/null +++ b/src/content/docs/tunnel/deployment-guides/aws.mdx @@ -0,0 +1,70 @@ +--- +pcx_content_type: how-to +title: AWS +sidebar: + order: 2 +head: + - tag: title + content: Deploy cloudflared in AWS +--- + +This guide covers how to connect an Amazon Web Services (AWS) EC2 instance to Cloudflare using `cloudflared` and publish a web application through a Cloudflare Tunnel. + +### Prerequisites + +- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/) + +## 1. Create an EC2 instance + +1. From the AWS console, go to **Compute** > **EC2** > **Instances**. +2. Select **Launch instance**. +3. Choose an AMI (for example, _Ubuntu Server 24.04 LTS_) and instance type (for example, _t2.micro_). +4. In **Key pair (login)**, create or select a key pair for SSH access. +5. In **Network settings**, create a security group that allows SSH from your IP and HTTP/HTTPS from the internet. +6. Select **Launch instance**. +7. Once the instance is running, copy its **Public IPv4 DNS** from the Instances summary page. +8. SSH into the instance: + + ```sh + ssh -i "YourKeyPair.pem" ubuntu@ + ``` + +9. Start a web server on port `80` (or use your own application): + + ```sh + sudo apt update && sudo apt -y install apache2 + ``` + +## 2. Create a tunnel + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. +2. Select **Create Tunnel** and enter a name (for example, `aws-tunnel`). +3. Select **Create Tunnel**. +4. Under **Setup Environment**, select **Debian 64-bit**. +5. Copy the install commands and run them on your EC2 instance. +6. Once the tunnel connects, select **Continue**. + +## 3. Publish an application + +1. Under **Routes**, select **Add route** > **Published application**. +2. Enter a hostname (for example, `app.example.com`). +3. Under **Service**, enter `http://localhost:80`. +4. Select **Add route**. + +To test, open a browser and go to the hostname you configured. You should see your web server's page. + +You can optionally add [Cloudflare Access](/tunnel/integrations/#cloudflare-access) to control who can reach the service. + +:::note[Looking for private network access?] +To connect to your EC2 instance via private IP using the WARP client, refer to the [Cloudflare One Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). +::: + +## Firewall configuration + +To secure your AWS instance, configure your [Security Group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/tunnel/configuration/#required-ports). Delete all inbound rules except SSH (if needed) and keep only the relevant outbound rules. + +:::note +If you delete the inbound rule for port `22`, you will be unable to SSH back into the instance. +::: + +After configuring your security group, verify the application is still accessible through the tunnel hostname. Direct access to the EC2 public IP should no longer work. diff --git a/src/content/docs/tunnel/deployment-guides/azure.mdx b/src/content/docs/tunnel/deployment-guides/azure.mdx new file mode 100644 index 000000000000000..05ec6941ad9b126 --- /dev/null +++ b/src/content/docs/tunnel/deployment-guides/azure.mdx @@ -0,0 +1,72 @@ +--- +pcx_content_type: how-to +title: Azure +sidebar: + order: 3 +head: + - tag: title + content: Deploy cloudflared in Azure +--- + +This guide covers how to connect an Azure Virtual Machine to Cloudflare using `cloudflared` and publish a web application through a Cloudflare Tunnel. + +### Prerequisites + +- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/) + +## 1. Create a Virtual Machine + +1. In the Azure portal, go to **Virtual Machines** > **Create** > **Azure virtual machine**. +2. Select a **Resource group** or create a new one. +3. Enter a name for the VM and select a region. +4. For **Image**, select _Ubuntu Server 24.04 LTS_. +5. For **Size**, select an appropriate size (for example, _Standard_B1s_). +6. Under **Administrator account**, select **SSH public key** and enter your key pair. +7. Under **Inbound port rules**, allow SSH (`22`). +8. Select **Review + create**, then **Create**. +9. Once the VM is running, copy its **Public IP address** from the VM overview page. +10. SSH into the instance: + + ```sh + ssh -i "your-key.pem" azureuser@ + ``` + +11. Start a web server on port `80` (or use your own application): + + ```sh + sudo apt update && sudo apt -y install apache2 + ``` + +## 2. Create a tunnel + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. +2. Select **Create Tunnel** and enter a name (for example, `azure-tunnel`). +3. Select **Create Tunnel**. +4. Under **Setup Environment**, select **Debian 64-bit**. +5. Copy the install commands and run them on your Azure VM. +6. Once the tunnel connects, select **Continue**. + +## 3. Publish an application + +1. Under **Routes**, select **Add route** > **Published application**. +2. Enter a hostname (for example, `app.example.com`). +3. Under **Service**, enter `http://localhost:80`. +4. Select **Add route**. + +To test, open a browser and go to the hostname you configured. You should see the Apache default page. + +You can optionally add [Cloudflare Access](/tunnel/integrations/#cloudflare-access) to control who can reach the service. + +:::note[Looking for private network access?] +To connect to your Azure VM via private IP using the WARP client, refer to the [Cloudflare One Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). +::: + +## Firewall configuration + +To secure your Azure VM, configure your [Network Security Group (NSG)](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/tunnel/configuration/#required-ports). Delete all inbound rules except SSH (if needed) and keep only the relevant outbound rules. + +:::note +If you delete the inbound rule for port `22`, you will be unable to SSH back into the VM. +::: + +After configuring your NSG, verify the application is still accessible through the tunnel hostname. Direct access to the Azure public IP should no longer work. diff --git a/src/content/docs/tunnel/deployment-guides/google-cloud-platform.mdx b/src/content/docs/tunnel/deployment-guides/google-cloud-platform.mdx new file mode 100644 index 000000000000000..32c720f9df5fc42 --- /dev/null +++ b/src/content/docs/tunnel/deployment-guides/google-cloud-platform.mdx @@ -0,0 +1,65 @@ +--- +pcx_content_type: how-to +title: GCP +sidebar: + order: 5 +--- + +This guide covers how to connect a Google Cloud Platform (GCP) virtual machine to Cloudflare using `cloudflared` and publish a web application through a Cloudflare Tunnel. + +### Prerequisites + +- [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) +- [A zone on Cloudflare](/fundamentals/manage-domains/add-site/) + +## 1. Create a VM instance + +1. In your [Google Cloud Console](https://console.cloud.google.com/), go to **Compute Engine** > **VM instances**. +2. Select **Create instance**. +3. Choose your desired specifications (for example, e2-micro with Debian GNU/Linux 12). +4. Under **Advanced options** > **Management** > **Automation**, add a startup script for your application. For testing: + + ```bash + #!/bin/bash + apt update && apt -y install apache2 + cat < /var/www/html/index.html +

Hello Cloudflare!

+ EOF + ``` + +5. Select **Create**. +6. Verify the server is running by visiting `http://` in a browser. + +## 2. Create a tunnel + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. +2. Select **Create Tunnel** and enter a name (for example, `gcp-tunnel`). +3. Select **Create Tunnel**. +4. Under **Setup Environment**, select **Debian 64-bit**. +5. SSH into your VM and run the install commands shown in the dashboard. +6. Once the tunnel connects, select **Continue**. + +## 3. Publish an application + +1. Under **Routes**, select **Add route** > **Published application**. +2. Enter a hostname (for example, `app.example.com`). +3. Under **Service**, enter `http://localhost:80`. +4. Select **Add route**. + +To test, open a browser and go to the hostname you configured. + +You can optionally add [Cloudflare Access](/tunnel/integrations/#cloudflare-access) to control who can reach the service. + +:::note[Looking for private network access?] +To connect to your VM via private IP using the WARP client, refer to the [Cloudflare One Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/). +::: + +## Firewall configuration + +To secure your VM, [configure your VPC firewall rules](https://cloud.google.com/firewall/docs/using-firewalls) to deny all ingress traffic and allow only egress traffic to the [Cloudflare Tunnel IP addresses](/tunnel/configuration/#required-ports). GCP denies ingress by [default](https://cloud.google.com/firewall/docs/firewalls#default_firewall_rules), so delete all ingress rules and keep only the relevant egress rules. + +:::note +If you delete the default `allow-ssh` rule, you will be unable to SSH back into the VM. +::: + +After configuring your firewall, verify the application is still accessible through the tunnel hostname. Direct access to the VM external IP should no longer work. diff --git a/src/content/docs/tunnel/deployment-guides/index.mdx b/src/content/docs/tunnel/deployment-guides/index.mdx new file mode 100644 index 000000000000000..b9af7e62b25a1c1 --- /dev/null +++ b/src/content/docs/tunnel/deployment-guides/index.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: navigation +title: Deployment guides +sidebar: + order: 8 +--- + +import { DirectoryListing } from "~/components"; + +Deploy Cloudflare Tunnel in your environment — from cloud VMs to Kubernetes clusters, with Infrastructure as Code support. + + diff --git a/src/content/docs/tunnel/deployment-guides/kubernetes.mdx b/src/content/docs/tunnel/deployment-guides/kubernetes.mdx new file mode 100644 index 000000000000000..f7ea342173e9cc1 --- /dev/null +++ b/src/content/docs/tunnel/deployment-guides/kubernetes.mdx @@ -0,0 +1,310 @@ +--- +pcx_content_type: how-to +title: Kubernetes +sidebar: + order: 6 +--- + +This guide covers how to expose a Kubernetes service to the Internet using a remotely-managed Cloudflare Tunnel. The example uses Google Kubernetes Engine (GKE), but the same principles apply to any Kubernetes environment (`minikube`, `kubeadm`, EKS, AKS, or other managed services). + +:::note[Locally-managed tunnels] +For locally-managed tunnels in Kubernetes, refer to the [example code in GitHub](https://github.com/cloudflare/argo-tunnel-examples/tree/master/named-tunnel-k8s). +::: + +## Architecture + +![Diagram showing how a user connects to Kubernetes services through Cloudflare Tunnel](~/assets/images/cloudflare-one/connections/connect-apps/kubernetes-tunnel.png) + +As shown in the diagram, we recommend setting up `cloudflared` as an adjacent [deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) to the application deployments. Having a separate Kubernetes deployment for `cloudflared` allows you to scale `cloudflared` independently of the application. In the `cloudflared` deployment, you can spin up [multiple replicas](/tunnel/configuration/#replicas-and-high-availability) running the same Cloudflare Tunnel — there is no need to build a dedicated tunnel for each `cloudflared` pod. Each `cloudflared` replica / pod can reach all Kubernetes services in the cluster. + +:::note +We do not recommend using `cloudflared` in autoscaling setups because downscaling (removing replicas) will break existing user connections to that replica. Additionally, `cloudflared` does not load balance across replicas; replicas are strictly for high availability. To load balance traffic to your nodes, you can use [Cloudflare Load Balancer](/load-balancing/private-network/) or a third-party load balancer. +::: + +Once the cluster is connected to Cloudflare, you can configure tunnel routes to proxy traffic to any service within the cluster. + +## Prerequisites + +To complete the following procedure, you will need: + +- [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) +- [A zone on Cloudflare](/fundamentals/manage-domains/add-site/) + +## 1. Create a GKE cluster + +To create a new Kubernetes cluster in Google Cloud: + +1. Open [Google Cloud](https://console.cloud.google.com/) and go to **Kubernetes Engine**. +2. In **Clusters**, select **Create**. +3. Name the cluster. In this example, we will name it `cloudflare-tunnel`. +4. (Optional) Choose your desired region and other cluster specifications. For this example, we will use the default specifications. +5. Select **Create**. +6. To connect to the cluster: + 1. Select the three-dot menu. + 2. Select **Connect**. + 3. Select **Run in Cloud Shell** to open a terminal in the browser. + 4. Select **Authorize**. + 5. Press `Enter` to run the pre-populated `gcloud` command. + 6. (Recommended) In the Cloud Shell menu, select **Open Editor** to launch the built-in IDE. +7. In the Cloud Shell terminal, run the following command to check the cluster status: + `sh +kubectl get all +` + `sh output +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +service/kubernetes ClusterIP 34.118.224.1 443/TCP 15m +` + +## 2. Create pods for the web app + +A pod represents an instance of a running process in the cluster. In this example, we will deploy the [httpbin](https://httpbin.org/) application with two pods and make the pods accessible inside the cluster at `httpbin-service:80`. + +1. Create a folder for your Kubernetes manifest files: + + ```sh + mkdir tunnel-example + ``` + +2. Change into the directory: + + ```sh + cd tunnel-example + ``` + +3. In the `tunnel-example` directory, create a new file called `httpbin.yaml`. This file defines the Kubernetes deployment for the httpbin app. + + ```yaml title="httpbin.yaml" + apiVersion: apps/v1 + kind: Deployment + metadata: + name: httpbin-deployment + namespace: default + spec: + replicas: 2 + selector: + matchLabels: + app: httpbin + template: + metadata: + labels: + app: httpbin + spec: + containers: + - name: httpbin + image: kennethreitz/httpbin:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + ``` + +4. Create a new `httpbinsvc.yaml` file. This file defines a Kubernetes service that allows other apps in the cluster (such as `cloudflared`) to access the set of httpbin pods. + + ```yaml title="httpbinsvc.yaml" + apiVersion: v1 + kind: Service + metadata: + name: httpbin-service + namespace: default + spec: + type: LoadBalancer + selector: + app: httpbin + ports: + - port: 80 + targetPort: 80 + ``` + +5. Use the following command to run the application inside the cluster: + + ```sh + kubectl create -f httpbin.yaml -f httpbinsvc.yaml + ``` + +6. Check the status of your deployment: + + ```sh + kubectl get all + ``` + + ```sh output + NAME READY STATUS RESTARTS AGE + pod/httpbin-deployment-bc6689c5d-b5ftk 1/1 Running 0 79s + pod/httpbin-deployment-bc6689c5d-cbd9m 1/1 Running 0 79s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/httpbin-service LoadBalancer 34.118.225.147 34.75.201.60 80:31967/TCP 79s + service/kubernetes ClusterIP 34.118.224.1 443/TCP 24h + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/httpbin-deployment 2/2 2 2 79s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/httpbin-deployment-bc6689c5d 2 2 2 79s + ``` + +## 3. Create a tunnel + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. +2. Select **Create Tunnel** and enter a name (for example, `gke-tunnel`). +3. Select **Create Tunnel**. +4. Under **Setup Environment**, select **Docker**. +5. Copy the tunnel token — the `eyJhIjoiNWFiNGU5Z...` value shown in the installation command. You will use this token in the Kubernetes manifest. + +## 4. Store the tunnel token + +`cloudflared` uses a tunnel token to run a remotely-managed Cloudflare Tunnel. You can store the tunnel token in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/). + +1. In GKE Cloud Shell, create a `tunnel-token.yaml` file with the following content. Make sure to replace `` with your tunnel token (`eyJhIjoiNWFiNGU5Z...`). + + ```yaml title="tunnel-token.yaml" + apiVersion: v1 + kind: Secret + metadata: + name: tunnel-token + stringData: + token: + ``` + +2. Create the secret: + + ```sh + kubectl create -f tunnel-token.yaml + ``` + +3. Check the newly created secret: + + ```sh + kubectl get secrets + ``` + + ```sh output + NAME TYPE DATA AGE + tunnel-token Opaque 1 100s + ``` + +## 5. Create pods for cloudflared + +To run the Cloudflare Tunnel in Kubernetes: + +1. Create a Kubernetes deployment for a remotely-managed Cloudflare Tunnel: + +```yaml title="tunnel.yaml" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cloudflared-deployment + namespace: default +spec: + replicas: 2 + selector: + matchLabels: + pod: cloudflared + template: + metadata: + labels: + pod: cloudflared + spec: + securityContext: + sysctls: + # Allows ICMP traffic (ping, traceroute) to resources behind cloudflared. + - name: net.ipv4.ping_group_range + value: "65532 65532" + containers: + - image: cloudflare/cloudflared:latest + name: cloudflared + env: + # Defines an environment variable for the tunnel token. + - name: TUNNEL_TOKEN + valueFrom: + secretKeyRef: + name: tunnel-token + key: token + command: + # Configures tunnel run parameters + - cloudflared + - tunnel + - --no-autoupdate + - --loglevel + - info + - --metrics + - 0.0.0.0:2000 + - run + livenessProbe: + httpGet: + # Cloudflared has a /ready endpoint which returns 200 if and only if + # it has an active connection to Cloudflare's network. + path: /ready + port: 2000 + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 +``` + +2. Deploy `cloudflared` to the cluster: + + ```sh + kubectl create -f tunnel.yaml + ``` + + Kubernetes will install the `cloudflared` image on two pods and run the tunnel using the command `cloudflared tunnel --no-autoupdate --loglevel info --metrics 0.0.0.0:2000 run`. `cloudflared` will consume the tunnel token from the `TUNNEL_TOKEN` environment variable. + +3. Check the status of your cluster: + + ```sh + kubectl get all + ``` + + ```sh output + NAME READY STATUS RESTARTS AGE + pod/cloudflared-deployment-6d5f9f9666-85l5w 1/1 Running 0 21s + pod/cloudflared-deployment-6d5f9f9666-wb96x 1/1 Running 0 21s + pod/httpbin-deployment-bc6689c5d-b5ftk 1/1 Running 0 3m36s + pod/httpbin-deployment-bc6689c5d-cbd9m 1/1 Running 0 3m36s + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/httpbin-service LoadBalancer 34.118.225.147 34.75.201.60 80:31967/TCP 3m36s + service/kubernetes ClusterIP 34.118.224.1 443/TCP 24h + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/cloudflared-deployment 2/2 2 2 22s + deployment.apps/httpbin-deployment 2/2 2 2 3m37s + + NAME DESIRED CURRENT READY AGE + replicaset.apps/cloudflared-deployment-6d5f9f9666 2 2 2 22s + replicaset.apps/httpbin-deployment-bc6689c5d 2 2 2 3m37s + ``` + +You should see two `cloudflared` pods and two `httpbin` pods with a `Running` status. If your `cloudflared` pods keep restarting, check the `command` syntax in `tunnel.yaml` and make sure that the [tunnel run parameters](/tunnel/configuration/#run-parameters) are in the correct order. + +## 6. Verify tunnel status + +To print logs for a `cloudflared` instance: + +```sh +kubectl logs pod/cloudflared-deployment-6d5f9f9666-85l5w +``` + +```sh output +2025-06-11T22:00:47Z INF Starting tunnel tunnelID=64c359b6-e111-40ec-a3a9-199c2a656613 +2025-06-11T22:00:47Z INF Version 2025.6.0 (Checksum 72f233bb55199093961bf099ad62d491db58819df34b071ab231f622deff33ce) +2025-06-11T22:00:47Z INF GOOS: linux, GOVersion: go1.24.2, GoArch: amd64 +2025-06-11T22:00:47Z INF Settings: map[loglevel:debug metrics:0.0.0.0:2000 no-autoupdate:true token:*****] +2025-06-11T22:00:47Z INF Generated Connector ID: aff7c4a0-85a3-4ac9-8475-1e0aa1af8d94 +2025-06-11T22:00:47Z DBG Fetched protocol: quic +2025-06-11T22:00:47Z INF Initial protocol quic +... +``` + +## 7. Add a tunnel route + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels** and select your tunnel. +2. Under **Routes**, select **Add route** > **Published application**. +3. Enter a hostname for the application (for example, `httpbin..com`). +4. Under **Service**, enter `http://httpbin-service` — the name of the Kubernetes service defined in `httpbinsvc.yaml`. +5. Select **Add route**. + +## 8. Test the connection + +To test, open a new browser tab and go to `httpbin..com`. You should see the httpbin homepage. + +You can optionally add [Cloudflare Access](/tunnel/integrations/#cloudflare-access) to control who can reach the service. diff --git a/src/content/docs/cloudflare-tunnel/deployment-guides/terraform.mdx b/src/content/docs/tunnel/deployment-guides/terraform.mdx similarity index 84% rename from src/content/docs/cloudflare-tunnel/deployment-guides/terraform.mdx rename to src/content/docs/tunnel/deployment-guides/terraform.mdx index 2dc49be0b73b52b..23911b29fec9776 100644 --- a/src/content/docs/cloudflare-tunnel/deployment-guides/terraform.mdx +++ b/src/content/docs/tunnel/deployment-guides/terraform.mdx @@ -12,23 +12,16 @@ description: Learn how to deploy a Cloudflare Tunnel using Terraform and our import { Tabs, TabItem, Render } from "~/components"; -[Terraform](https://www.terraform.io/) is an infrastructure as code software tool that allows you to deploy services from different providers using a standardized configuration syntax. When creating a Terraform configuration file, you define the final state of the configuration rather than the step-by-step procedure. This allows you to easily deploy, modify, and manage your Tunnels alongside your other infrastructure. +[Terraform](https://www.terraform.io/) is an infrastructure as code tool that lets you define and manage your tunnels alongside other infrastructure. This guide deploys: -In this guide, you will use Terraform to deploy: - -- A Google Cloud Project (GCP) virtual machine that runs an HTTP test server +- A GCP virtual machine that runs a web server - A Cloudflare Tunnel that makes the server available over the Internet -- A Cloudflare Access policy that defines who can connect to the server - - +- (Optional) A Cloudflare Access policy that defines who can connect ## Prerequisites -To complete the following procedure, you will need: - - [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) - [A zone on Cloudflare](/fundamentals/manage-domains/add-site/) -- Enabled [one-time PIN login](/cloudflare-one/integrations/identity-providers/one-time-pin/) or integrated an [identity provider](/cloudflare-one/integrations/identity-providers/) ## 1. Install Terraform @@ -159,22 +152,22 @@ The following configuration will modify settings in your Cloudflare account. proxied = true } - # Configures tunnel with a published application for clientless access. - resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { - tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id - account_id = var.cloudflare_account_id - config = { - ingress = [ - { - hostname = "http_app.${var.cloudflare_zone}" - service = "http://httpbin:80" - }, - { - service = "http_status:404" - } - ] - } - } + # Configures tunnel with a published application for clientless access. + resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + account_id = var.cloudflare_account_id + config = { + ingress = [ + { + hostname = "http_app.${var.cloudflare_zone}" + service = "http://httpbin:80" + }, + { + service = "http_status:404" + } + ] + } + } # (Optional) Routes internal IP of GCP instance through the tunnel for private network access using WARP. resource "cloudflare_zero_trust_tunnel_cloudflared_route" "example_tunnel_route" { @@ -243,20 +236,20 @@ The following configuration will modify settings in your Cloudflare account. proxied = true } - # Configures tunnel with a published application for clientless access. - resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { - tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id - account_id = var.cloudflare_account_id - config { - ingress_rule { - hostname = "${cloudflare_record.http_app.hostname}" - service = "http://httpbin:80" - } - ingress_rule { - service = "http_status:404" - } - } - } + # Configures tunnel with a published application for clientless access. + resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id + account_id = var.cloudflare_account_id + config { + ingress_rule { + hostname = "${cloudflare_record.http_app.hostname}" + service = "http://httpbin:80" + } + ingress_rule { + service = "http_status:404" + } + } + } # (Optional) Route internal IP of GCP instance through the tunnel for private network access using WARP. resource "cloudflare_zero_trust_tunnel_route" "example_tunnel_route" { @@ -393,7 +386,7 @@ The following configuration defines the specifications for the GCP virtual machi The following script will install `cloudflared` and run the tunnel as a service. This example also installs a lightweight HTTP application that you can use to test connectivity. :::note -If you would prefer to manually install the tunnel, refer to [Install and run the tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel). +If you would prefer to manually install the tunnel, refer to [Install and run the tunnel](/tunnel/setup/#4-install-and-run-the-tunnel). ::: 1. In your configuration directory, create a Terraform template file: @@ -441,7 +434,7 @@ If you would prefer to manually install the tunnel, refer to [Install and run th -It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel, Access application, and Access policy in [Cloudflare One](https://one.dash.cloudflare.com). The new DNS records are available in the [Cloudflare dashboard](/dns/manage-dns-records/how-to/create-dns-records/). +It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel in the [Cloudflare dashboard](https://dash.cloudflare.com/) under **Networking** > **Tunnels**. :::note[Remove Terraform resources] @@ -450,14 +443,12 @@ If you need to roll back the configuration, run `terraform destroy` to delete ev ## 7. Test the connection -1. In **Networks** > **Connectors** > **Cloudflare Tunnels**, verify that your tunnel is active. +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels** and verify that your tunnel is **Active**. -2. In **Access controls** > **Applications**, verify that your Cloudflare email is allowed by the Access policy. +2. (Optional) If you configured Access, go to **Security** > **Access** > **Applications** and verify that your Cloudflare email is allowed by the Access policy. 3. From any device, open a browser and go to `http_app.` (for example, `http_app.example.com`). - You will see the Access login page if you have not recently logged in. - -4. Log in with your Cloudflare email. + If you configured Access, you will see the Access login page. Log in with your Cloudflare email. - You should see the [HTTPBin](https://httpbin.org/) homepage. +4. You should see the HTTPBin homepage, confirming that your tunnel is routing traffic correctly. diff --git a/src/content/docs/cloudflare-tunnel/downloads/index.mdx b/src/content/docs/tunnel/downloads/index.mdx similarity index 91% rename from src/content/docs/cloudflare-tunnel/downloads/index.mdx rename to src/content/docs/tunnel/downloads/index.mdx index 06eb9a8cdfd9933..9ebc0394867281b 100644 --- a/src/content/docs/cloudflare-tunnel/downloads/index.mdx +++ b/src/content/docs/tunnel/downloads/index.mdx @@ -2,10 +2,10 @@ pcx_content_type: reference title: Downloads sidebar: - order: 2 + order: 9 --- -Cloudflare Tunnel requires the installation of a lightweight server-side daemon, `cloudflared`, to connect your infrastructure to Cloudflare. If you are [creating a tunnel through the dashboard](/cloudflare-tunnel/get-started/create-remote-tunnel/), you can simply copy-paste the installation command shown in the dashboard. +Cloudflare Tunnel requires the installation of a lightweight daemon, `cloudflared`, to connect your infrastructure to Cloudflare. If you are [creating a tunnel through the dashboard](/tunnel/setup/), you can copy-paste the installation command shown in the dashboard. To download and install `cloudflared` manually, use one of the following links. @@ -69,4 +69,4 @@ A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.c Cloudflare supports versions of `cloudflared` that are within one year of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. For example, as of January 2023 Cloudflare will support `cloudflared` version 2023.1.1 to cloudflared 2022.1.1. -To update `cloudflared`, refer to [these instructions](/cloudflare-tunnel/downloads/update-cloudflared/). +To update `cloudflared`, refer to [these instructions](/tunnel/downloads/update-cloudflared/). diff --git a/src/content/docs/cloudflare-tunnel/downloads/update-cloudflared.mdx b/src/content/docs/tunnel/downloads/update-cloudflared.mdx similarity index 73% rename from src/content/docs/cloudflare-tunnel/downloads/update-cloudflared.mdx rename to src/content/docs/tunnel/downloads/update-cloudflared.mdx index 13654dc2da5a255..89ca144f9a00843 100644 --- a/src/content/docs/cloudflare-tunnel/downloads/update-cloudflared.mdx +++ b/src/content/docs/tunnel/downloads/update-cloudflared.mdx @@ -7,11 +7,11 @@ sidebar: import { TabItem, Tabs, Render } from "~/components"; -Updates will cause `cloudflared` to restart which will impact traffic currently being served. You can perform zero-downtime upgrades by using Cloudflare's [Load Balancer product](/cloudflare-tunnel/downloads/update-cloudflared/#update-with-cloudflare-load-balancer) or by using [multiple `cloudflared` instances](/cloudflare-tunnel/downloads/update-cloudflared/#update-with-multiple-cloudflared-instances). +Updates will cause `cloudflared` to restart which will impact traffic currently being served. You can perform zero-downtime upgrades by using Cloudflare's [Load Balancer product](/tunnel/downloads/update-cloudflared/#update-with-cloudflare-load-balancer) or by using [multiple `cloudflared` instances](/tunnel/downloads/update-cloudflared/#update-with-multiple-cloudflared-instances). ## Update the `cloudflared` service -Refer to the following commands to update `cloudflared` for a [remotely-managed tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/) created through the dashboard or a [locally-managed tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/). Locally-managed tunnels must be set up to [run as a service](/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/) for the following commands to execute successfully. +Refer to the following commands to update `cloudflared` for a [remotely-managed tunnel](/tunnel/setup/) created through the dashboard or a [locally-managed tunnel](/tunnel/other-tunnel-types/local-management/). Locally-managed tunnels must be set up to [run as a service](/tunnel/other-tunnel-types/local-management/as-a-service/) for the following commands to execute successfully. @@ -92,9 +92,9 @@ sudo systemctl restart cloudflared.service -**If you created a remotely-managed tunnel using the [dashboard](/cloudflare-tunnel/get-started/create-remote-tunnel/):** +**If you created a remotely-managed tunnel using the [dashboard](/tunnel/setup/):** -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. 2. Select your tunnel and select **Edit**. 3. Select **Docker** and copy the installation command shown in the dashboard. The copied command will contain your token. 4. Paste this command into a terminal window. @@ -107,15 +107,15 @@ Cloudflare recommends creating remotely-managed tunnels when working with Docker ::: -**If you created a remotely or locally-managed tunnel using the [API](/cloudflare-tunnel/get-started/create-remote-tunnel-api/), run the following command:** +**If you created a remotely or locally-managed tunnel using the [API](/tunnel/setup/), run the following command:** ```sh docker run --pull always cloudflare/cloudflared:latest tunnel --no-autoupdate run --token ``` -**If you created a locally-managed tunnel using the [CLI](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#2-authenticate-cloudflared):** +**If you created a locally-managed tunnel using the [CLI](/tunnel/other-tunnel-types/local-management/create-local-tunnel/#2-authenticate-cloudflared):** -1. Mount your local `.cloudflared` [directory](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#default-cloudflared-directory) into the Docker container using a volume. +1. Mount your local `.cloudflared` [directory](/tunnel/other-tunnel-types/local-management/local-tunnel-terms/#default-cloudflared-directory) into the Docker container using a volume. 2. Run the following command to update `cloudflared`: @@ -139,9 +139,9 @@ If you installed `cloudflared` with a package manager, you must update it using You can update `cloudflared` without downtime by using Cloudflare's Load Balancer product with your Cloudflare Tunnel deployment. -1. Install a new instance of `cloudflared` and [create](/cloudflare-tunnel/get-started/) a new Tunnel. +1. Install a new instance of `cloudflared` and [create](/tunnel/setup/) a new Tunnel. 2. Configure the instance to point traffic to the same locally-available service as your current, active instance of `cloudflared`. -3. [Add the address](/cloudflare-tunnel/routing/public-load-balancers/) of the new instance of `cloudflared` into your Load Balancer pool as priority 2. +3. [Add the address](/tunnel/routing/public-load-balancers/) of the new instance of `cloudflared` into your Load Balancer pool as priority 2. 4. Swap the priority such that the new instance is now priority 1 and monitor to confirm traffic is being served. 5. Once confirmed, you can remove the older version from the Load Balancer pool. @@ -149,9 +149,9 @@ You can update `cloudflared` without downtime by using Cloudflare's Load Balance If you are not using Cloudflare's Load Balancer, you can use multiple instances of `cloudflared` to update without the risk of downtime. -1. Install a new instance of `cloudflared` and [create](/cloudflare-tunnel/get-started/) a new Tunnel. +1. Install a new instance of `cloudflared` and [create](/tunnel/setup/) a new Tunnel. 2. Configure the instance to point traffic to the same locally-available service as your current, active instance of `cloudflared`. -3. In the Cloudflare DNS dashboard, [replace](/cloudflare-tunnel/routing/dns/) the address of the current instance of `cloudflared` with the address of the new instance. Save the record. +3. In the Cloudflare DNS dashboard, [replace](/tunnel/routing/#dns-records) the address of the current instance of `cloudflared` with the address of the new instance. Save the record. 4. Remove the now-inactive instance of `cloudflared`. :::note[Traffic handling] diff --git a/src/content/docs/tunnel/faq.mdx b/src/content/docs/tunnel/faq.mdx new file mode 100644 index 000000000000000..4fd2eef16419618 --- /dev/null +++ b/src/content/docs/tunnel/faq.mdx @@ -0,0 +1,50 @@ +--- +pcx_content_type: faq +title: FAQ +structured_data: true +sidebar: + order: 10 +description: Review frequently asked questions about Cloudflare Tunnel. +--- + +import { Render } from "~/components"; + +## Can I create a tunnel for an apex domain? + +Yes. Create a CNAME record at the apex that points to `.cfargotunnel.com`. Refer to [DNS records](/tunnel/routing/#dns-records) for details. + +## Does Cloudflare Tunnel support WebSockets? + +Yes. Cloudflare Tunnel has full support for WebSockets. + +## Does Cloudflare Tunnel support gRPC? + +Yes. + +## How can Tunnel be used with Partial DNS (CNAME Setup)? + +The best experience with Cloudflare Tunnel is using [Full Setup](/dns/zone-setups/full-setup/) because Cloudflare manages DNS and can automatically configure records for new tunnels. + +You can still use Tunnel with [Partial Setup](/dns/zone-setups/partial-setup/). Create a CNAME or ALIAS record with your DNS provider for each hostname. The record value should be `subdomain.domain.tld.cdn.cloudflare.net` (for example, `tunnel.example.com.cdn.cloudflare.net`). + +## How can I verify my origin is not publicly reachable? + +After deploying a tunnel, confirm that your origin does not respond to direct requests. Refer to [Firewall rules](/tunnel/configuration/#firewall-rules) for guidance on locking down your origin. + +## Does Cloudflare Tunnel send visitor IPs to my origin? + +No. All requests to the origin are made internally between `cloudflared` and the origin. To log external visitor IPs, [configure an alternative method](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/). + +## Is it possible to restore a deleted tunnel? + +No. You cannot undo a tunnel deletion. If the tunnel was locally-managed, its [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) will still be present and you can create a new tunnel with the same configuration. If the tunnel was remotely-managed, both the tunnel and its configuration are permanently deleted. + +## How do I contact support? + +Before contacting the Cloudflare support team: + +1. Take note of any specific error messages and/or problematic behaviors. +2. Make sure that `cloudflared` is updated to the [latest version](https://github.com/cloudflare/cloudflared). +3. Gather any relevant error/access logs from your server. +4. If needed, set [`--loglevel`](/tunnel/configuration/#loglevel) to `debug`, so the Cloudflare support team can get more info from the `cloudflared.log` file. +5. Include your [Cloudflare Tunnel diagnostic logs](/tunnel/monitoring/#diagnostic-logs) (`cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip`). diff --git a/src/content/docs/tunnel/index.mdx b/src/content/docs/tunnel/index.mdx new file mode 100644 index 000000000000000..834922c437d6bdc --- /dev/null +++ b/src/content/docs/tunnel/index.mdx @@ -0,0 +1,76 @@ +--- +pcx_content_type: overview +title: Cloudflare Tunnel +sidebar: + order: 1 +description: Securely connect your origin servers, APIs, and services to Cloudflare with post-quantum encrypted tunnels — no public IPs required. +--- + +import { + CardGrid, + Description, + LinkTitleCard, + Plan, + Stream, +} from "~/components"; + + + Securely connect your origin servers, APIs, and services to Cloudflare with + post-quantum encrypted tunnels — no public IPs required. + + + + +Cloudflare Tunnel connects your infrastructure to Cloudflare through an outbound-only, [post-quantum encrypted](/ssl/post-quantum-cryptography/) connection. Instead of exposing a public IP, you install a lightweight daemon called `cloudflared` on your server. It creates a persistent tunnel to Cloudflare's global network, so all traffic to your origins flows through Cloudflare — where CDN caching, WAF, Bot Management, and DDoS protection are applied automatically. + +No open inbound ports. No public IPs. No attack surface. + + + +## How it works + +1. Install `cloudflared` on your server or network. +2. `cloudflared` establishes outbound, post-quantum encrypted connections to Cloudflare — no inbound ports or firewall changes required. +3. Map public hostnames to local services (for example, `app.example.com` to `http://localhost:8080`). +4. Traffic flows through Cloudflare's network to your origin, with full CDN and security applied. + +Each tunnel maintains four long-lived connections to two Cloudflare data centers for built-in redundancy. You can run multiple `cloudflared` [replicas](/tunnel/configuration/#replicas-and-high-availability) for additional high availability. + +![How an HTTP request reaches an origin connected with Cloudflare Tunnel](~/assets/images/cloudflare-one/connections/connect-apps/handshake.jpg) + +## Use cases + +- **Secure origin connectivity** — Eliminate public origin IPs. All traffic flows through Cloudflare with CDN, WAF, and DDoS protection applied. +- **Public ingress routing** — Publish internal applications to the internet by mapping public hostnames to local services. Supports HTTP, HTTPS, TCP, SSH, RDP, and [more](/tunnel/routing/#supported-protocols). +- **Workers VPC** — Enable [Cloudflare Workers](/workers-vpc/) to securely access private databases, APIs, and services through your tunnel. +- **Load Balancing** — Use tunnels as origin endpoints in [Cloudflare Load Balancer](/load-balancing/) pools for high availability and intelligent traffic steering. + +:::note[Looking for Zero Trust and private networking?] +For VPN replacement, private network access, and network traffic filtering, refer to the [Cloudflare One Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/). +::: + +## Get started + + + + + Set up a tunnel in under 5 minutes using the dashboard or API. + + + + DNS records, protocols, and load balancing for published applications. + + + + Cloudflare One, Workers VPC, Load Balancing, Access, and more. + + + + Replicas, firewall rules, tokens, and runtime parameters. + + + diff --git a/src/content/docs/tunnel/integrations.mdx b/src/content/docs/tunnel/integrations.mdx new file mode 100644 index 000000000000000..2a61f7c31f74290 --- /dev/null +++ b/src/content/docs/tunnel/integrations.mdx @@ -0,0 +1,89 @@ +--- +pcx_content_type: reference +title: Integrations +sidebar: + order: 6 +description: Use Cloudflare Tunnel with Cloudflare One, Workers VPC, Load Balancing, Access, Spectrum, and other Cloudflare services. +--- + +import { LinkTitleCard, CardGrid } from "~/components"; + +Cloudflare Tunnel integrates with other Cloudflare products to extend connectivity, security, and availability for your applications. + +## Cloudflare One (private networking) + +Beyond publishing public applications, Cloudflare Tunnel is the connectivity layer for [Cloudflare One](/cloudflare-one/) — Cloudflare's SASE platform. The same post-quantum encrypted tunnels that serve your public applications can also serve private traffic when combined with the [WARP client](/cloudflare-one/team-and-resources/devices/warp/): + +- **Private applications** — Expose internal web apps, SSH servers, RDP hosts, and other services to authenticated users without making them publicly reachable. Cloudflare Access enforces identity-based policies at the edge. +- **Private networks** — Route entire IP ranges (RFC 1918, custom CIDRs) through a tunnel, replacing site-to-site VPNs. Users on WARP-enrolled devices reach private IPs as if they were on the corporate network. +- **Network traffic filtering** — Apply DNS, HTTP, and network-level policies through [Cloudflare Gateway](/cloudflare-one/traffic-policies/) to all traffic flowing through the tunnel. + +If you are using Cloudflare Tunnel for Zero Trust network access, VPN replacement, or private network connectivity, refer to the [Cloudflare One Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/) for setup and configuration. + +## Workers VPC + +[Workers VPC](/workers-vpc/) enables Cloudflare Workers to access private resources — databases, internal APIs, and other services — in your infrastructure. Cloudflare Tunnel serves as the connectivity layer, establishing a post-quantum encrypted outbound connection from your private network to Cloudflare. + +**Get started:** [Create a tunnel](/tunnel/setup/) and then follow the [Workers VPC guide](/workers-vpc/get-started/) to configure VPC Services. + +**Related:** [Hardware requirements](/workers-vpc/configuration/tunnel/hardware-requirements/) | [Connect to a private API](/workers-vpc/examples/private-api/) | [Hyperdrive + Tunnel](/hyperdrive/configuration/connect-to-private-database/) + +## Load Balancing + +[Cloudflare Load Balancing](/load-balancing/) distributes traffic across multiple origins using health checks, steering algorithms, and failover logic. Combined with Tunnel, you can load balance traffic to origins without publicly routable IP addresses. + +Each tunnel is assigned a subdomain (`.cfargotunnel.com`). Add this as an endpoint in a Load Balancer pool with the application hostname as the host header. + +**Get started:** Refer to [Load Balancing setup](/tunnel/routing/#load-balancing) for step-by-step instructions. + +**Related:** [Tunnel replicas](/tunnel/configuration/#replicas-and-high-availability) | [Load Balancing docs](/load-balancing/) | [Reference architecture](/reference-architecture/architectures/load-balancing/) + +## Cloudflare Access + +[Cloudflare Access](/cloudflare-one/access-controls/) provides an identity-aware proxy that authenticates every request to your applications. Combined with Tunnel, Access lets you publish internal web applications to the internet while ensuring only authorized users can reach them. + +**Get started:** [Publish a self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). + +**Related:** [Identity providers](/cloudflare-one/integrations/identity-providers/) | [Validate Access JWTs](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) + +## Spectrum + +[Cloudflare Spectrum](/spectrum/) extends DDoS protection and traffic acceleration to non-HTTP protocols. You can route Spectrum application traffic to origins connected via Tunnel using a DNS CNAME record or Load Balancer. + +Spectrum integration with Tunnel is only supported for **HTTP and HTTPS** applications. For the full list of limitations, refer to the [Spectrum limitations documentation](/spectrum/reference/limitations/). + +## Additional integrations + + + + + Connect your key server to Cloudflare without exposing it to the internet. + + + + TLS 1.3 tunnels with post-quantum key agreement between your data centers and + Cloudflare. + + + + Restrict tunnel connectivity to specific regions for data residency + requirements. + + + + Use Tunnel as a fallback origin for SaaS architectures with Regional Services. + + + diff --git a/src/content/docs/tunnel/monitoring.mdx b/src/content/docs/tunnel/monitoring.mdx new file mode 100644 index 000000000000000..7b9e512c3248b45 --- /dev/null +++ b/src/content/docs/tunnel/monitoring.mdx @@ -0,0 +1,218 @@ +--- +title: Monitoring +pcx_content_type: reference +sidebar: + order: 5 +--- + +import { + AvailableNotifications, + DashButton, + Details, + Render, +} from "~/components"; + +Cloudflare Tunnel exposes logs, metrics, and diagnostic tools to help you monitor tunnel health and resolve issues. + +## Tunnel health + +You can check your tunnel connection status in the [Cloudflare dashboard](https://dash.cloudflare.com/) by going to **Networking** > **Tunnels**, or by running `cloudflared tunnel list`. + + + + + +:::note[Tunnel status scope] +The tunnel status only reflects the connection between `cloudflared` and the Cloudflare network. It does not indicate whether `cloudflared` can reach your internal services. A tunnel can appear **Healthy** while users are unable to connect to an application. +::: + +### Notifications + +Administrators can receive alerts when tunnels change health or deployment status. Notifications can be delivered by email, webhook, or third-party services. + +To configure tunnel notifications, refer to [Create a notification](/notifications/get-started/#create-a-notification). + + + +## Logs + +Tunnel logs record all activity between `cloudflared` and the Cloudflare global network, and all activity between `cloudflared` and your origin server. + +### Server-side logs + +If you have access to the origin server, use the [`--loglevel`](/tunnel/configuration/#loglevel) flag to set the log level when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not persist them. Use the [`--logfile`](/tunnel/configuration/#logfile) flag to write logs to a file. + +For a locally-managed tunnel: + +```sh +cloudflared tunnel --loglevel info --logfile cloudflared.log run +``` + +For a remotely-managed tunnel, add `--loglevel info` and `--logfile ` to your system service as described in [Run parameters](/tunnel/configuration/#run-parameters). + +### Remote log streaming (CLI) + +You can stream real-time logs from a running tunnel without SSH access to the server. `cloudflared` must be installed on your local machine. + +1. Authenticate `cloudflared`: + + ```sh + cloudflared tunnel login + ``` + +2. Stream logs: + + ```sh + cloudflared tail + ``` + + Add `--output=json` and pipe to [jq](https://stedolan.github.io/jq/) for structured output. Use `--level`, `--event`, or `--sampling` flags to filter by severity, event type, or sample rate. + + For [replicas](/tunnel/configuration/#replicas-and-high-availability), specify which instance to stream from with `--connector-id `. + +:::note +Dashboard-based log streaming is available in the [Cloudflare One dashboard](https://one.dash.cloudflare.com/) under **Networks** > **Connectors** > **Cloudflare Tunnels**. +::: + +## Metrics + +When you run a tunnel, `cloudflared` exposes a [Prometheus](https://prometheus.io/docs/introduction/overview/) metrics endpoint. You can scrape this endpoint from a remote machine using the Prometheus toolkit. + +### Default metrics server address + +In non-containerized environments, `cloudflared` starts the metrics server on `127.0.0.1:/metrics`, where `` is the first available port in the range `20241` to `20245`. If all ports are unavailable, `cloudflared` binds to a random port. In containerized environments (Docker, Kubernetes), the default address is `0.0.0.0:/metrics`. + +Check your [tunnel logs](#server-side-logs) to find the default port: + +```text +2024-12-19T21:17:58Z INF Starting metrics server on 127.0.0.1:20241/metrics +``` + +### Configure a custom address + +To serve metrics on a custom IP and port, use the [`--metrics`](/tunnel/configuration/#metrics) flag: + +```sh +cloudflared tunnel --metrics 127.0.0.1:60123 run my-tunnel +``` + +To add the `--metrics` flag to a remotely-managed tunnel, refer to [Run parameters](/tunnel/configuration/#run-parameters). + +:::note +To fetch metrics from another machine on the local network, replace `127.0.0.1` with the internal IP of the `cloudflared` server (for example, `192.168.x.x`). To serve metrics on all interfaces, use `0.0.0.0`. +::: + +Verify the metrics server is running by opening `http://localhost:60123/metrics`. You can then export the data to Prometheus and Grafana. Refer to the [Grafana tutorial](/cloudflare-one/tutorials/grafana/) for setup instructions. + +### cloudflared metrics + +| Name | Description | Type | Labels | +| --------------------------------------------------- | ------------------------------------------------------------------------------- | ------- | ------------------------------------------ | +| `build_info` | Build and version information. | GAUGE | `goversion`, `revision`, `type`, `version` | +| `cloudflared_tcp_active_sessions` | Concurrent TCP sessions being proxied to any origin. | GAUGE | | +| `cloudflared_tcp_total_sessions` | Total TCP sessions proxied to any origin. | COUNTER | | +| `cloudflared_tunnel_active_streams` | Total number of active streams. | GAUGE | | +| `cloudflared_tunnel_concurrent_requests_per_tunnel` | Concurrent requests proxied through each tunnel. | GAUGE | | +| `cloudflared_tunnel_ha_connections` | Number of active HA connections. | GAUGE | | +| `cloudflared_tunnel_request_errors` | Number of errors proxying to origin. | COUNTER | | +| `cloudflared_tunnel_server_locations` | Where each tunnel is connected. `1` means current location, `0` means previous. | GAUGE | `connection_id`, `edge_location` | +| `cloudflared_tunnel_timer_retries` | Unacknowledged heartbeat count. | GAUGE | | +| `cloudflared_tunnel_total_requests` | Total requests proxied through all tunnels. | COUNTER | | +| `cloudflared_udp_active_sessions` | Concurrent UDP sessions being proxied to any origin. | GAUGE | | +| `cloudflared_udp_total_sessions` | Total UDP sessions proxied to any origin. | COUNTER | | +| `quic_client_latest_rtt` | Latest round-trip time (RTT) measured on a connection. | GAUGE | `conn_index` | +| `quic_client_smoothed_rtt` | Smoothed RTT for a connection in ms. | GAUGE | `conn_index` | + +
+ +| Name | Description | Type | Labels | +| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------- | ------- | ---------------------- | +| `cloudflared_config_local_config_pushes` | Number of local configuration pushes to Cloudflare. | COUNTER | | +| `cloudflared_config_local_config_pushes_errors` | Number of errors during local configuration pushes. | COUNTER | | +| `cloudflared_orchestration_config_version` | Configuration version. | GAUGE | | +| `cloudflared_tunnel_tunnel_authenticate_success` | Number of successful tunnel authentication events. | COUNTER | | +| `cloudflared_tunnel_tunnel_register_success` | Number of successful tunnel registrations. | COUNTER | `rpcName` | +| `coredns_panics_total` | Number of panics. | COUNTER | | +| `quic_client_closed_connections` | Number of connections that have been closed. | COUNTER | | +| `quic_client_lost_packets` | Number of packets lost from a connection. | COUNTER | `conn_index`, `reason` | +| `quic_client_min_rtt` | Lowest RTT measured on a connection in ms. | GAUGE | `conn_index` | +| `quic_client_packet_too_big_dropped` | Packets received from origin too big to send to Cloudflare, dropped. | COUNTER | | +| `quic_client_total_connections` | Number of connections initiated. For all QUIC metrics, client means the side initiating the connection. | COUNTER | | +| `promhttp_metric_handler_requests_in_flight` | Current number of scrapes being served. | GAUGE | | +| `promhttp_metric_handler_requests_total` | Total number of scrapes by HTTP status code. | COUNTER | `code` | + +
+ +## Diagnostic logs + +Cloudflare Tunnel generates diagnostic reports that collect data from a single `cloudflared` instance running on the local machine. This requires `cloudflared` version 2024.12.2 or later. + +### Generate diagnostics + +1. (Linux only) To include network diagnostics, allow the `cloudflared` user to create raw and packet sockets without root permissions: + + ```sh + sudo setcap cap_net_raw+ep /usr/bin/traceroute && sudo setcap cap_net_raw+ep /usr/bin/traceroute + ``` + + If you do not set `cap_net_raw`, traceroute data will be unavailable. + +2. Generate diagnostic logs: + + ```sh + cloudflared tunnel diag + ``` + + If multiple `cloudflared` instances run on the same host, specify the [metrics server address](#configure-a-custom-address): + + ```sh + cloudflared tunnel diag --metrics 127.0.0.1:20241 + ``` + +This command outputs the status of each diagnostic task and places a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. + +
+ +`cloudflared` reads diagnostic data from the [metrics server](#metrics). Expose the metrics server from the Docker container so the host machine can reach it. + +1. Deploy the container with port forwarding to the metrics port: + + ```sh + docker run -d -p 20241: docker.io/cloudflare/cloudflared tunnel ... + ``` + +2. Verify the metrics server is reachable: + + ```sh + curl localhost:20241/diag/tunnel + ``` + +3. Run the diagnostic using the Docker container ID or name: + + ```sh + cloudflared tunnel diag --diag-container-id= + ``` + +
+ +
+ +Use port forwarding to connect to the metrics server. Forward a local port in the range `20241`-`20245` to the container metrics port: + +```sh +kubectl port-forward : +``` + +Then run: + +```sh +cloudflared tunnel diag --diag-pod-id= +``` + +If the pod has multiple containers and `cloudflared` is not the first, add `--diag-container-id=`. + +
+ +### Diagnostic file contents + + diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/index.mdx b/src/content/docs/tunnel/other-tunnel-types/index.mdx similarity index 51% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/index.mdx rename to src/content/docs/tunnel/other-tunnel-types/index.mdx index de32fa78e5b51f1..fac7095fa7fa3b2 100644 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/index.mdx +++ b/src/content/docs/tunnel/other-tunnel-types/index.mdx @@ -2,12 +2,13 @@ pcx_content_type: navigation title: Other tunnel types sidebar: - order: 11 + order: 9 + label: Advanced --- import { DirectoryListing } from "~/components"; -Cloudflare recommends creating a [remotely-managed tunnel](/cloudflare-tunnel/get-started/) for most use cases. Remotely-managed tunnels store their configuration on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. +Cloudflare recommends creating a [remotely-managed tunnel](/tunnel/setup/) for most use cases. Remotely-managed tunnels store their configuration on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. The following pages cover alternative tunnel workflows that are intended for specific scenarios such as local development, testing, or legacy configurations. diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/index.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/index.mdx similarity index 100% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/index.mdx rename to src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/index.mdx diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx similarity index 70% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx rename to src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx index 17871b6b2d0167d..44367766ac9ed36 100644 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx @@ -12,11 +12,11 @@ You can install `cloudflared` as a system service on Linux. ## Prerequisites -Before you install Cloudflare Tunnel as a service on Linux, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `.cloudflared` directory. +Before you install Cloudflare Tunnel as a service on Linux, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/tunnel/other-tunnel-types/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `.cloudflared` directory. ## 1. Configure `cloudflared` as a service -By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: +By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: | Argument | Description | | ------------------ | ---------------------------------------------------- | @@ -54,7 +54,7 @@ By default, Cloudflare Tunnel expects all of the configuration to exist in the ` ## Next steps -You can now [route traffic through your tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: +You can now [route traffic through your tunnel](/tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: ```sh systemctl restart cloudflared diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx similarity index 72% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx rename to src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx index cbd0856bc9f776a..d0e98526d3c9a1a 100644 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx @@ -12,11 +12,11 @@ You can install `cloudflared` as a system service on macOS. ## Prerequisites -Before you install Cloudflare Tunnel as a service on your OS, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `$HOME/.cloudflared` directory. +Before you install Cloudflare Tunnel as a service on your OS, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/tunnel/other-tunnel-types/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `$HOME/.cloudflared` directory. ## 1. Configure `cloudflared` as a service -By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: +By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: | Argument | Description | | ------------------ | ---------------------------------------------------- | @@ -59,7 +59,7 @@ The output will be logged to `/Library/Logs/com.cloudflare.cloudflared.err.log` ## Next steps -You can now [route traffic through your tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: +You can now [route traffic through your tunnel](/tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: ```sh sudo launchctl stop com.cloudflare.cloudflared diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx similarity index 81% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx rename to src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx index 68ed5e26553a872..ef34862fd345a28 100644 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx @@ -12,7 +12,7 @@ You can install `cloudflared` as a system service on Windows. ## Configure `cloudflared` as a service -By default, Cloudflare Tunnel expects all of the configuration to exist in the `%USERPROFILE%\.cloudflared\config.yml` [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: +By default, Cloudflare Tunnel expects all of the configuration to exist in the `%USERPROFILE%\.cloudflared\config.yml` [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service: | Argument | Description | | ------------------ | ---------------------------------------------------- | @@ -21,7 +21,7 @@ By default, Cloudflare Tunnel expects all of the configuration to exist in the ` ## Run `cloudflared` as a service -1. [Download](/cloudflare-tunnel/downloads/) the latest `cloudflared` version. +1. [Download](/tunnel/downloads/) the latest `cloudflared` version. 2. Create a new directory: @@ -63,9 +63,9 @@ By default, Cloudflare Tunnel expects all of the configuration to exist in the ` cloudflared.exe tunnel create ``` - This will generate a [credentials file](/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms/#credentials-file) in `.json` format. + This will generate a [credentials file](/tunnel/other-tunnel-types/local-management/local-tunnel-terms/#credentials-file) in `.json` format. -10. [Create a configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#4-create-a-configuration-file) with the following content: +10. [Create a configuration file](/tunnel/other-tunnel-types/local-management/create-local-tunnel/#4-create-a-configuration-file) with the following content: ```txt tunnel: @@ -124,7 +124,7 @@ By default, Cloudflare Tunnel expects all of the configuration to exist in the ` ## Next steps -You can now [route traffic through your tunnel](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: +You can now [route traffic through your tunnel](/tunnel/other-tunnel-types/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration: ```bash sc stop cloudflared diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/configuration-file.mdx similarity index 88% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file.mdx rename to src/content/docs/tunnel/other-tunnel-types/local-management/configuration-file.mdx index 130d95dfa2fb5e8..784c2967ad7b622 100644 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file.mdx +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/configuration-file.mdx @@ -7,13 +7,13 @@ sidebar: :::note -[Quick tunnels](/cloudflare-tunnel/get-started/tunnel-useful-terms/#quick-tunnels) do not need a configuration file. +[Quick tunnels](/tunnel/faq/#quick-tunnels) do not need a configuration file. ::: -Locally-managed tunnels run as an instance of `cloudflared` on your machine. You can configure `cloudflared` properties by modifying [command line parameters](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/) or by editing the tunnel [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/create-local-tunnel/#4-create-a-configuration-file). +Locally-managed tunnels run as an instance of `cloudflared` on your machine. You can configure `cloudflared` properties by modifying [command line parameters](/tunnel/configuration/#run-parameters) or by editing the tunnel [configuration file](/tunnel/other-tunnel-types/local-management/create-local-tunnel/#4-create-a-configuration-file). -The CLI provides a quick way to handle configurations if you are connecting a single service through `cloudflared`. The tunnel configuration file is useful if you are connecting multiple services and need to configure properties or exceptions for specific origins. In the configuration file, you can define top-level properties for your `cloudflared` instance as well as [origin-specific properties](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). For a full list of configuration options, type `cloudflared tunnel help` in your terminal. +The CLI provides a quick way to handle configurations if you are connecting a single service through `cloudflared`. The tunnel configuration file is useful if you are connecting multiple services and need to configure properties or exceptions for specific origins. In the configuration file, you can define top-level properties for your `cloudflared` instance as well as [origin-specific properties](/tunnel/configuration/#origin-parameters). For a full list of configuration options, type `cloudflared tunnel help` in your terminal. In the absence of a configuration file, `cloudflared` will proxy outbound traffic through port `8080`. @@ -74,7 +74,7 @@ You can also enter regular expressions for the `path` key. For example, if `host ### Services -In addition to HTTP, `cloudflared` supports protocols like SSH, RDP, arbitrary TCP services, and Unix sockets. You can also route traffic to the built-in `hello_world` test server or respond to traffic with an HTTP status. For a full list of supported service types, refer to [Protocols for published applications](/cloudflare-tunnel/routing/protocols/). +In addition to HTTP, `cloudflared` supports protocols like SSH, RDP, arbitrary TCP services, and Unix sockets. You can also route traffic to the built-in `hello_world` test server or respond to traffic with an HTTP status. For a full list of supported service types, refer to [Protocols for published applications](/tunnel/routing/#supported-protocols). ```yml tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef @@ -96,7 +96,7 @@ ingress: ### Origin configuration -If you need to proxy traffic to multiple origins within one instance of `cloudflared`, you can define the way `cloudflared` sends requests to each service by specifying [configuration options](/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/) as part of your ingress rules. +If you need to proxy traffic to multiple origins within one instance of `cloudflared`, you can define the way `cloudflared` sends requests to each service by specifying [configuration options](/tunnel/configuration/#origin-parameters) as part of your ingress rules. In the following example, the top-level configuration `connectTimeout: 30s` sets a 30-second connection timeout for all services within that instance of `cloudflared`. The ingress rule for `service: localhost:8002` then configures an exception to the top-level configuration by setting `connectTimeout` for that service at `10s`. The 30-second connection timeout still applies to all other services. @@ -150,7 +150,7 @@ Matched rule #3 ## Update a configuration file -When making changes to the configuration file for a given tunnel, we suggest relying on [`cloudflared` replicas](/cloudflare-tunnel/configure-tunnels/tunnel-availability/) to propagate the new configuration with minimal downtime. +When making changes to the configuration file for a given tunnel, we suggest relying on [`cloudflared` replicas](/tunnel/configuration/#replicas-and-high-availability) to propagate the new configuration with minimal downtime. 1. Have a `cloudflared` instance running with the original version of the configuration file. 2. Start a `cloudflared` replica running with the updated version of the configuration file. diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx new file mode 100644 index 000000000000000..ffeb729ccd6cc26 --- /dev/null +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx @@ -0,0 +1,88 @@ +--- +title: Create a locally-managed tunnel +pcx_content_type: how-to +sidebar: + order: 1 +--- + +Follow this step-by-step guide to create and run a locally-managed tunnel using the CLI. + +:::tip +If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](/tunnel/troubleshooting/#connectivity-pre-checks). +::: + +## Prerequisites + +- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/). +- [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/). +- [Install `cloudflared`](/tunnel/downloads/) on your server. + +## 1. Authenticate `cloudflared` + +```sh +cloudflared tunnel login +``` + +This opens a browser window where you log in to your Cloudflare account and select your hostname. After authenticating, `cloudflared` generates a [cert.pem file](/tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem) in the [default `cloudflared` directory](/tunnel/other-tunnel-types/local-management/local-tunnel-terms/#default-cloudflared-directory). + +## 2. Create a tunnel + +```sh +cloudflared tunnel create +``` + +This creates a persistent relationship between the name you provide and a UUID, generates a [tunnel credentials file](/tunnel/other-tunnel-types/local-management/local-tunnel-terms/#credentials-file), and creates a subdomain at `.cfargotunnel.com`. + +Take note of the tunnel UUID and credentials file path from the output. + +Confirm the tunnel was created: + +```sh +cloudflared tunnel list +``` + +## 3. Create a configuration file + +In your `.cloudflared` directory, create a [`config.yml` file](/tunnel/other-tunnel-types/local-management/configuration-file/): + +```yml +url: http://localhost:8000 +tunnel: +credentials-file: /root/.cloudflared/.json +``` + +## 4. Route traffic to the tunnel + +Create a DNS CNAME record that points traffic to your tunnel: + +```sh +cloudflared tunnel route dns +``` + +## 5. Run the tunnel + +```sh +cloudflared tunnel run +``` + +If your configuration file has a custom name or is not in the `.cloudflared` directory, add the `--config` flag: + +```sh +cloudflared tunnel --config /path/your-config-file.yml run +``` + +:::note +`cloudflared` can install itself as a system service on Linux and Windows and as a launch agent on macOS. For more information, refer to [Run as a service](/tunnel/other-tunnel-types/local-management/as-a-service/). +::: + +## 6. Verify the tunnel + +```sh +cloudflared tunnel info +``` + +Your tunnel is now running. For routing options, refer to [Routing](/tunnel/routing/). To add identity-based access controls, refer to [Cloudflare Access integration](/tunnel/integrations/#cloudflare-access). + +:::note[Looking for private network routing?] +For WARP-to-tunnel private network access, refer to the [Cloudflare One Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/). +::: diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/index.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/index.mdx similarity index 59% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/index.mdx rename to src/content/docs/tunnel/other-tunnel-types/local-management/index.mdx index b186217c40e2652..a974a682e68c44e 100644 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/index.mdx +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/index.mdx @@ -10,7 +10,7 @@ import { DirectoryListing } from "~/components"; A locally-managed tunnel is a Cloudflare Tunnel created by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory). :::note -Cloudflare recommends setting up a [remotely-managed tunnel](/cloudflare-tunnel/get-started/create-remote-tunnel/). Remotely-managed configurations are stored on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. +Cloudflare recommends setting up a [remotely-managed tunnel](/tunnel/setup/). Remotely-managed configurations are stored on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. ::: diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx similarity index 84% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx rename to src/content/docs/tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx index 361ac6acff7ab4d..ad3a0bdfbffed91 100644 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx @@ -5,7 +5,7 @@ sidebar: order: 10 --- -This page contains terminology specific to locally-managed Cloudflare Tunnels. For general Tunnel terminology, refer to the [Get started section](/cloudflare-tunnel/get-started/tunnel-useful-terms/). +This page contains terminology specific to locally-managed Cloudflare Tunnels. For general Tunnel terminology, refer to the [Get started section](/tunnel/faq/). ## Default `cloudflared` directory @@ -18,18 +18,18 @@ This page contains terminology specific to locally-managed Cloudflare Tunnels. F ## Configuration file -This is a YAML file that functions as the operating manual for `cloudflared`. `cloudflared` will automatically look for the configuration file in the [default `cloudflared` directory](#default-cloudflared-directory), but you can store your configuration file in any directory. It is recommended to always specify the file path for your configuration file whenever you reference it. By creating a configuration file, you can have fine-grained control over how their instance of `cloudflared` will operate. This includes operations like what you want `cloudflared` to do with traffic (for example, proxy websockets to port `xxxx` or SSH to port `yyyy`), where `cloudflared` should search for authorization (credentials file, tunnel token), and what mode it should run in (for example, [`warp-routing`](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)). In the absence of a configuration file, cloudflared will proxy outbound traffic through port `8080`. For more information on how to create, store, and structure a configuration file, refer to the [dedicated instructions](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/). +This is a YAML file that functions as the operating manual for `cloudflared`. `cloudflared` will automatically look for the configuration file in the [default `cloudflared` directory](#default-cloudflared-directory), but you can store your configuration file in any directory. It is recommended to always specify the file path for your configuration file whenever you reference it. By creating a configuration file, you can have fine-grained control over how their instance of `cloudflared` will operate. This includes operations like what you want `cloudflared` to do with traffic (for example, proxy websockets to port `xxxx` or SSH to port `yyyy`), where `cloudflared` should search for authorization (credentials file, tunnel token), and what mode it should run in (for example, [`warp-routing`](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)). In the absence of a configuration file, cloudflared will proxy outbound traffic through port `8080`. For more information on how to create, store, and structure a configuration file, refer to the [dedicated instructions](/tunnel/other-tunnel-types/local-management/configuration-file/). ## Cert.pem -This is the certificate file issued by Cloudflare when you run `cloudflared tunnel login`. This file uses a certificate to authenticate your instance of `cloudflared` and it is required when you create new tunnels, delete existing tunnels, change DNS records, or configure tunnel routing from cloudflared. This file is not required to perform actions such as running an existing tunnel or managing tunnel routing from the Cloudflare dashboard. Refer to the [Tunnel permissions page](/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions/) for more details on when this file is needed. +This is the certificate file issued by Cloudflare when you run `cloudflared tunnel login`. This file uses a certificate to authenticate your instance of `cloudflared` and it is required when you create new tunnels, delete existing tunnels, change DNS records, or configure tunnel routing from cloudflared. This file is not required to perform actions such as running an existing tunnel or managing tunnel routing from the Cloudflare dashboard. Refer to the [Tunnel permissions page](/tunnel/other-tunnel-types/local-management/tunnel-permissions/) for more details on when this file is needed. The `cert.pem` origin certificate is valid for at least 10 years, and the service token it contains is valid until revoked. ## Credentials file -This file is created when you run `cloudflared tunnel create `. It stores your tunnel's credentials in JSON format, and is unique to each tunnel. This file functions as a token authenticating the tunnel it is associated with. Refer to the [Tunnel permissions page](/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions/) for more details on when this file is needed. +This file is created when you run `cloudflared tunnel create `. It stores your tunnel's credentials in JSON format, and is unique to each tunnel. This file functions as a token authenticating the tunnel it is associated with. Refer to the [Tunnel permissions page](/tunnel/other-tunnel-types/local-management/tunnel-permissions/) for more details on when this file is needed. ## Ingress rule -Ingress rules let you specify which local services traffic should be proxied to. If a rule does not specify a path, all paths will be matched. Ingress rules can be listed in your [configuration file](/cloudflare-tunnel/other-tunnel-types/local-management/configuration-file/) or when running `cloudflared tunnel ingress`. +Ingress rules let you specify which local services traffic should be proxied to. If a rule does not specify a path, all paths will be matched. Ingress rules can be listed in your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) or when running `cloudflared tunnel ingress`. diff --git a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx similarity index 94% rename from src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx rename to src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx index 84e40c030e2b60d..9a70f3101c89a47 100644 --- a/src/content/docs/cloudflare-tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx @@ -20,7 +20,7 @@ Refer to the table below for a comparison between the two files and the purposes | **Purpose** | Authenticates your instance of `cloudflared` against your Cloudflare account | Authenticates the tunnel it is associated with | | **Scope** | Account-wide | Tunnel-specific | | **File type** | `.pem` | `.json` | -| **Stored in** | [Default directory](/cloudflare-tunnel/get-started/tunnel-useful-terms/#default-cloudflared-directory) | [Default directory](/cloudflare-tunnel/get-started/tunnel-useful-terms/#default-cloudflared-directory) | +| **Stored in** | [Default directory](/tunnel/faq/#default-cloudflared-directory) | [Default directory](/tunnel/faq/#default-cloudflared-directory) | | **Issued when running** | `cloudflared tunnel login` | `cloudflared tunnel create ` | | **Valid for** | At least 10 years, and the service token it contains is valid until revoked | Does not expire | | **Needed to** | Manage tunnels (for example, create, route, delete and list tunnels) | Run a tunnel. Create a config file. | diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx new file mode 100644 index 000000000000000..9a99a94ef1e5623 --- /dev/null +++ b/src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx @@ -0,0 +1,37 @@ +--- +pcx_content_type: reference +title: Useful commands +sidebar: + order: 6 +--- + +This page lists the most commonly used commands for managing local tunnels. + +To view all CLI commands, refer to the CLI help text in your terminal. For example, to view all options for the `cloudflared tunnel` subcommand, type `cloudflared tunnel help`. + +## Manage tunnels + +| Command | Description | +| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `cloudflared tunnel login` | Prompts a browser window where you can authenticate your tunnel to your Cloudflare account. | +| `cloudflared tunnel list` | Displays all active tunnels, their creation time, and associated connections. Use the `-d` flag to include deleted tunnels. | +| `cloudflared tunnel create ` | Creates a tunnel, registers it with the Cloudflare edge, and generates a credential file to run this tunnel. | +| `cloudflared tunnel route dns ` | Creates a DNS CNAME record that points to the tunnel. | +| `cloudflared tunnel --config path/config.yaml run ` | Runs a tunnel, creating highly available connections between your server and the Cloudflare edge. | +| `cloudflared tunnel info ` | Displays details about the active connectors for a given tunnel. | +| `cloudflared tunnel cleanup ` | Deletes connections for tunnels with the given UUIDs or names. This is useful if `cloudflared` was not shut down gracefully (for example, if a `kill` command was issued). | +| `cloudflared tunnel cleanup --connector-id ` | Disconnects and deletes a [cloudflared replica](/tunnel/configuration/#replicas-and-high-availability) with the given connector ID. | +| `cloudflared tunnel delete ` | Deletes tunnels with the given name or UUID. A tunnel cannot be deleted if it has active connections. Use the `-f` flag to delete unconditionally. | +| `cloudflared tail ` | Start a session to livestream logs from a specific tunnel. For more information, refer to [Tunnel logs](/tunnel/monitoring/#logs). | + +:::note +For private network routing commands (`tunnel route ip`, `tunnel vnet`), refer to the [Cloudflare One Tunnel documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/). +::: + +## Manage `cloudflared` + +| Command | Description | +| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `cloudflared update` | Looks for a new version on the official download server. If a new version exists, updates the agent binary and quits. For more information, refer to [Update cloudflared](/tunnel/downloads/update-cloudflared/). | +| `cloudflared version` | Prints the `cloudflared` version number and build date. | +| `cloudflared help` | Shows a list of all top-level commands for `cloudflared`. | diff --git a/src/content/docs/tunnel/other-tunnel-types/quick-tunnels.mdx b/src/content/docs/tunnel/other-tunnel-types/quick-tunnels.mdx new file mode 100644 index 000000000000000..852cdb68eea3d59 --- /dev/null +++ b/src/content/docs/tunnel/other-tunnel-types/quick-tunnels.mdx @@ -0,0 +1,39 @@ +--- +pcx_content_type: concept +title: Quick Tunnels +sidebar: + order: 5 +--- + +:::note +Quick Tunnels are intended for testing and development only. For production use, [create a remotely-managed tunnel](/tunnel/setup/). +::: + +Quick Tunnels let you expose a local web server to the internet without a Cloudflare account. `cloudflared` generates a random subdomain on `trycloudflare.com` and proxies requests through Cloudflare's network to your localhost. + +## Use a Quick Tunnel + +1. [Install `cloudflared`](/tunnel/downloads/). +2. Start a local web server. +3. Run: + +```sh +cloudflared tunnel --url http://localhost:8080 +``` + +`cloudflared` will print the generated URL in the terminal. Traffic to that URL is proxied to your local server. + +:::note +Quick Tunnels are not supported if a `config.yaml` file is present in the `.cloudflared` directory. Rename that file temporarily to use this feature. +::: + +## Limitations + +- Maximum of 200 concurrent in-flight requests. Exceeding this limit returns a `429` status code. +- Server-Sent Events (SSE) are not supported. + +To avoid these limitations, [create a tunnel](/tunnel/setup/) with a Cloudflare account. + +### Legal + +Your installation of `cloudflared` software constitutes a symbol of your signature indicating that you accept the terms of the [Cloudflare License](https://github.com/cloudflare/cloudflared/blob/master/LICENSE), [Terms](https://www.cloudflare.com/terms/) and [Privacy Policy](https://www.cloudflare.com/privacypolicy/). diff --git a/src/content/docs/tunnel/routing.mdx b/src/content/docs/tunnel/routing.mdx new file mode 100644 index 000000000000000..40c9ee8b7eba752 --- /dev/null +++ b/src/content/docs/tunnel/routing.mdx @@ -0,0 +1,191 @@ +--- +pcx_content_type: concept +title: Routing +sidebar: + order: 3 +--- + +import { TabItem, Tabs, DashButton, Details } from "~/components"; + +Cloudflare Tunnel routes traffic from Cloudflare's network to services running behind `cloudflared`. When you [publish an application](/tunnel/setup/#publish-an-application), you map a public hostname to a local service — for example, `app.example.com` to `http://localhost:8080` — and Cloudflare applies CDN caching, WAF, and DDoS protection before forwarding the request to your origin. + +![Multiple outbound connections from cloudflared are spread across Cloudflare data centers for reliability and failover.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-7.svg) + +## Published applications + +A published application is a hostname-to-service mapping defined in your tunnel configuration. Each mapping tells `cloudflared` which local service should receive traffic for a given public hostname. + +You can publish multiple applications on a single tunnel. For each application, specify: + +- **Public hostname** — The domain or subdomain that users visit (for example, `app.example.com`). +- **Service** — The local address or socket where the application is running (for example, `http://localhost:8080`). + +When you add a route through the dashboard, Cloudflare automatically creates a DNS record pointing the hostname to your tunnel subdomain (`.cfargotunnel.com`). + +## Supported protocols + +The table below lists the service types you can route to a public hostname. Non-HTTP services require [installing `cloudflared` on the client](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/) for end users to connect. + +| Service type | Description | Example `service` value | +| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------- | +| HTTP | Proxies incoming HTTPS requests to your local web service over HTTP. | `http://localhost:8000` | +| HTTPS | Proxies incoming HTTPS requests directly to your local web service. You can [disable TLS verification](/tunnel/configuration/#notlsverify) for self-signed certificates. | `https://localhost:8000` | +| UNIX | Same as HTTP, but uses a Unix socket. | `unix:/home/production/echo.sock` | +| UNIX + TLS | Same as HTTPS, but uses a Unix socket. | `unix+tls:/home/production/echo.sock` | +| TCP | Streams TCP over a WebSocket connection. End users run `cloudflared access tcp` to connect. For long-lived connections, use [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead. | `tcp://localhost:2222` | +| SSH | Streams SSH over a WebSocket connection. End users run `cloudflared access ssh` to [connect](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/). For long-lived connections, use [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead. | `ssh://localhost:22` | +| RDP | Streams RDP over a WebSocket connection. Refer to [Connect to RDP with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/). | `rdp://localhost:3389` | +| SMB | Streams SMB over a WebSocket connection. Refer to [Connect to SMB with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/#connect-to-smb-server-with-cloudflared-access). | `smb://localhost:445` | +| HTTP_STATUS | Responds to all requests with a fixed HTTP status code. | `http_status:404` | +| BASTION | Allows `cloudflared` to act as a jump host, providing access to any local address. | `bastion` | +| HELLO_WORLD | Test server for validating your tunnel connection ([locally managed tunnels](/tunnel/other-tunnel-types/local-management/configuration-file/#file-structure-for-published-applications) only). | `hello_world` | + +## DNS records + +When you create a tunnel, Cloudflare generates a subdomain at `.cfargotunnel.com`. You point a CNAME record at this subdomain to route traffic from your hostname to the tunnel. + +The `cfargotunnel.com` subdomain only proxies traffic for DNS records in the same Cloudflare account. If someone discovers your tunnel UUID, they cannot create a DNS record in another account to proxy traffic through it. + +### Create a DNS record + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and go to **DNS Records** for your domain. + + + +2. Select **Add record**. +3. Enter the following values: + - **Type**: _CNAME_ + - **Name**: Subdomain of your application + - **Target**: `.cfargotunnel.com` +4. Select **Save**. + +![Example of fields completed to create a new CNAME record.](~/assets/images/cloudflare-one/connections/connect-apps/dns/dns-record.png) + + + + + +Run the following command to create a CNAME record pointing to your tunnel subdomain: + +```sh +cloudflared tunnel route dns www.app.com +``` + +This creates a CNAME record but does not proxy traffic unless the tunnel is running. + +:::note +To create DNS records using `cloudflared`, the [`cert.pem`](/tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem) file must be installed on your system. +::: + + + + + +The DNS record and the tunnel are independent. You can create DNS records that point to a tunnel that is not running. If a tunnel stops, the DNS record is not deleted — visitors will see a `1016` error. + +You can also create multiple DNS records pointing to the same tunnel subdomain. If you route traffic from multiple hostnames to multiple services, create a CNAME entry for each hostname. All entries share the same target. + +## Load balancing + +Use a [public load balancer](/load-balancing/load-balancers/) to distribute traffic across servers running your published applications. This provides health-check-based failover and intelligent traffic steering across regions. + +```mermaid +graph LR + accTitle: Load balancing traffic to applications behind Cloudflare Tunnel + + A[Internet] --> C{Cloudflare
Load Balancer} + C -- Tunnel 1 --> cf1 + C -- Tunnel 2 --> cf2 + subgraph F[Data center 2] + cf2[cloudflared] + S3[App server] + S4[App server] + cf2-->S3 + cf2-->S4 + end + subgraph E[Data center 1] + cf1[cloudflared] + S1[App server] + S2[App server] + cf1-->S1 + cf1-->S2 + end +``` + +### Replicas versus load balancers + +Running multiple `cloudflared` [replicas](/tunnel/configuration/#replicas-and-high-availability) on the same tunnel UUID provides basic redundancy — if one host fails, other replicas continue serving traffic. However, the load balancer treats all replicas of the same tunnel UUID as a single endpoint. + +For granular traffic steering and [session affinity](/load-balancing/understand-basics/session-affinity/), connect each host using a different tunnel UUID so the load balancer can address them independently. + +### Add a tunnel to a load balancer pool + +Prerequisites: a Cloudflare Tunnel with at least one [published application route](/tunnel/setup/#publish-an-application). + +1. In the Cloudflare dashboard, go to the **Load Balancing** page. + + + +2. Select **Create load balancer**, then select **Public load balancer**. +3. Under **Select website**, select the domain of your published application route. +4. On the **Hostname** page, enter a hostname for the load balancer (for example, `lb.example.com`). +5. On the **Pools** page, select **Create a pool** and enter a descriptive name. +6. Add a tunnel endpoint with the following values: + - **Endpoint Name**: Name of the server running the application + - **Endpoint Address**: `.cfargotunnel.com` (find the Tunnel ID in the [Cloudflare dashboard](https://dash.cloudflare.com/) under **Networking** > **Tunnels**) + - **Header value**: Hostname of your published application route (for example, `app.example.com`) + - **Weight**: `1` (if only one endpoint) + + :::note + A single origin pool cannot reference the same tunnel UUID twice. + ::: + +7. Choose a **Fallback pool**. Refer to [traffic steering policies](/load-balancing/understand-basics/traffic-steering/steering-policies/) for routing options. +8. (Recommended) On the **Monitors** page, attach a monitor to the endpoint. For an HTTP or HTTPS application, create an HTTPS monitor: + - **Type**: _HTTPS_ + - **Path**: `/` + - **Port**: `443` + - **Expected Code(s)**: `200` + - **Header Name**: `Host` + - **Value**: `app.example.com` +9. Save and deploy the load balancer. + +To test, access your application using the load balancer hostname (`lb.example.com`). + +
+ +TCP monitors are not supported for tunnel endpoints. Instead, create a health check endpoint on the `cloudflared` host and use an HTTPS monitor: + +1. [Add a published application route](/tunnel/setup/#publish-an-application) for the health check: + - **Hostname**: `health-check.example.com` + - **Service Type**: _HTTP_STATUS_ + - **HTTP Status Code**: `200` +2. [Create a monitor](/load-balancing/monitors/create-monitor/) with these settings: + - **Type**: _HTTPS_ + - **Path**: `/` + - **Port**: `443` + - **Expected Code(s)**: `200` + - **Header Name**: `Host` + - **Value**: `health-check.example.com` + +This monitor verifies that `cloudflared` is reachable. It does not check whether the upstream service is accepting requests. + +
+ +
+ +If you notice traffic imbalances across endpoints in different locations, you may need to adjust your load balancer configuration. + +Cloudflare uses [Anycast routing](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) to direct end user requests to the nearest data center. `cloudflared` prefers to serve requests using connections in the same data center, which can affect how traffic is distributed across endpoints. + +If you run [replicas](/tunnel/configuration/#replicas-and-high-availability) on the same tunnel UUID, consider switching to separate tunnels for more granular control over [traffic steering](/load-balancing/understand-basics/traffic-steering/). + +
+ +## Cloudflare settings + +Published applications inherit the Cloudflare settings for their hostname, including [cache rules](/cache/how-to/cache-rules/), [WAF rules](/waf/), and other [Rules](/rules/) configurations. You can change these settings for each hostname in the [Cloudflare dashboard](https://dash.cloudflare.com/). + +If you use a load balancer, settings are applied to the load balancer hostname instead. diff --git a/src/content/docs/tunnel/setup.mdx b/src/content/docs/tunnel/setup.mdx new file mode 100644 index 000000000000000..4fbce0f31a4c872 --- /dev/null +++ b/src/content/docs/tunnel/setup.mdx @@ -0,0 +1,173 @@ +--- +title: Setup +pcx_content_type: get-started +sidebar: + order: 2 +head: + - tag: title + content: Set up Cloudflare Tunnel +description: Create your first Cloudflare Tunnel and publish an application in under 5 minutes. +--- + +import { Render, Stream, Tabs, TabItem, APIRequest } from "~/components"; + +Create a Cloudflare Tunnel and publish your first application in under 5 minutes. + +## Prerequisites + +- A [Cloudflare account](https://dash.cloudflare.com/sign-up) +- A [domain on Cloudflare](/fundamentals/manage-domains/add-site/) (required to publish applications) +- A server or VM with internet access where you will install `cloudflared` + +:::tip +If your server is behind a restrictive firewall, verify it can reach Cloudflare on port `7844` before proceeding. Refer to [Connectivity pre-checks](/tunnel/troubleshooting/#connectivity-pre-checks). +::: + +## Create a tunnel + + + + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. + +2. Select **Create Tunnel**. + +3. Enter a name for your tunnel (for example, `production-web` or `staging-api`). + +4. Select **Create Tunnel**. + +5. Under **Setup Environment**, select the operating system and architecture of your server. + +6. Copy the install commands shown under **Install and Run** and run them in a terminal on your server. + +7. Once the tunnel connects, select **Continue**. + +Your tunnel should appear on the **Tunnels** page with a `Healthy` status. + + + + +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + + | Type | Item | Permission | + | ------- | ----------------- | ---------- | + | Account | Cloudflare Tunnel | Edit | + | Zone | DNS | Edit | + +2. Create a tunnel: + + + +3. Copy the `id` and `token` values from the response. You will need them to configure and run the tunnel. + + + + +## Publish an application + + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels** and select your tunnel. + +2. Under **Routes**, select **Add route**. + +3. Select **Published application**. + +4. Under **Hostname**, enter a subdomain and select a domain from the drop-down menu. + +5. For **Service URL**, enter the local address and port of your application. + + For example, if your web server runs on the same machine as `cloudflared`: + - HTTP on port 80: `http://localhost:80` + - HTTPS on port 443: `https://localhost:443` + + If the application runs on a different machine: `http://192.0.2.1:80` + +6. Select **Add route**. + + + + +1. Configure your tunnel's ingress rules: + + + + Your ingress rules must include a catch-all rule at the end. In this example, `cloudflared` will respond with a 404 status code when the request does not match any hostname. + +2. Create a DNS record for your application: + + .cfargotunnel.com", + }} + /> + +3. Install `cloudflared` on your server and run the tunnel using the `token` from the previous step: + + + + + + +Your application is now live at the hostname you configured. Cloudflare automatically proxies traffic through its network, applying CDN caching, WAF, and DDoS protection. + +:::note +Non-HTTP services (SSH, TCP, RDP) require `cloudflared` on the client side. Refer to the [protocols reference](/tunnel/routing/#supported-protocols) for details. +::: + +## Quick tunnels (development) + +For local development, you can instantly expose localhost without a Cloudflare account: + +```sh +cloudflared tunnel --url http://localhost:8080 +``` + +This generates a random `trycloudflare.com` subdomain that proxies traffic to your local server. Quick tunnels are for testing only — they have a 200 concurrent request limit and do not support Server-Sent Events (SSE). + +For production use, [create a tunnel](#create-a-tunnel) instead. + +## Next steps + +- [Routing](/tunnel/routing/) — Configure DNS records, load balancers, and protocol support. +- [Configuration](/tunnel/configuration/) — Deploy replicas, manage tokens, and tune performance. +- [Integrations](/tunnel/integrations/) — Connect with Workers VPC, Load Balancing, and Access. +- [Monitoring](/tunnel/monitoring/) — View logs, metrics, and diagnostics. +- [Troubleshooting](/tunnel/troubleshooting/) — Connectivity pre-checks and common errors. +- [Deployment guides](/tunnel/deployment-guides/) — Deploy on Kubernetes, AWS, GCP, Terraform, and more. diff --git a/src/content/docs/tunnel/troubleshooting.mdx b/src/content/docs/tunnel/troubleshooting.mdx new file mode 100644 index 000000000000000..d04e66ba22ceee5 --- /dev/null +++ b/src/content/docs/tunnel/troubleshooting.mdx @@ -0,0 +1,161 @@ +--- +title: Troubleshooting +pcx_content_type: troubleshooting +sidebar: + order: 8 +--- + +import { Details, GlossaryTooltip, Render, Tabs, TabItem } from "~/components"; + +Use this page to diagnose and resolve common issues with Cloudflare Tunnel. For tunnel health monitoring, logs, and metrics, refer to [Monitoring](/tunnel/monitoring/). + +## Connectivity pre-checks + +Before deploying a tunnel, validate that your environment can reach [Cloudflare Tunnel endpoints](/tunnel/configuration/#firewall-rules). Run these tests from the same host machine that will run `cloudflared`. + +### DNS resolution + +Cloudflare Tunnel requires outbound connectivity to `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com` (or `us-region1` and `us-region2` for the [US region](/tunnel/configuration/#region)). + +Verify that your DNS resolver returns the expected IP addresses: + + + + +```sh +dig A region1.v2.argotunnel.com +``` + +```sh +dig A region2.v2.argotunnel.com +``` + +You should see IP addresses in the `198.41.192.x` and `198.41.200.x` ranges. + + + + +```sh +dig A us-region1.v2.argotunnel.com +``` + +```sh +dig A us-region2.v2.argotunnel.com +``` + +You should see IP addresses in the `198.41.218.x` and `198.41.219.x` ranges. + + + + +If you receive a `SERVFAIL`, `NXDOMAIN`, or empty answer, test against Cloudflare's public resolver: + +```sh +dig A region1.v2.argotunnel.com @1.1.1.1 +``` + +- **Only `1.1.1.1` works** — Your local DNS resolver is misconfigured or blocked. Configure the host to use `1.1.1.1`, or investigate with your system administrator. +- **Neither resolver works** — Your firewall may be blocking DNS queries (UDP port `53`). Check for firewall rules or contact your DNS provider. + +### Network connectivity + +After confirming DNS resolution, test whether your host can send packets to Cloudflare on port `7844`. Choose an IP from your `dig` output (for example, `198.41.192.167`). + +```sh +nc -uvz -w 3 198.41.192.167 7844 # UDP +nc -vz -w 3 198.41.192.167 7844 # TCP +``` + +| Result | Meaning | Action | +| ------------------------ | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | +| Both UDP and TCP succeed | `cloudflared` can connect using `quic` (UDP) or `http2` (TCP). | Deploy the tunnel. | +| UDP succeeds, TCP fails | TCP on port `7844` is blocked. `cloudflared` can only use `quic`. | Allow TCP on port `7844`, or do not force `http2` in your [protocol](/tunnel/configuration/#protocol) configuration. | +| TCP succeeds, UDP fails | UDP on port `7844` is blocked. `cloudflared` can only use `http2`. | Allow UDP on port `7844`, or do not force `quic` in your [protocol](/tunnel/configuration/#protocol) configuration. | +| Both fail | Packets are being dropped between the host and Cloudflare. | Allow all traffic over port `7844` on the local network firewall. If this does not resolve the issue, troubleshoot with your ISP or service provider. | + +### Get help + +If DNS or network tests fail, the problem is likely in your local environment. Debug with your administrator, ISP, or cloud provider. + + + +## Common errors + +If you do not see your issue below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/), view your [tunnel logs](/tunnel/monitoring/#logs), or [contact Cloudflare Support](/support/contacting-cloudflare-support/). + +### `cloudflared service is already installed` + +Only one instance of `cloudflared` may run as a service per machine. Add additional routes to your existing tunnel instead, or run `sudo cloudflared service uninstall` to remove the existing service. + +### `An A, AAAA, or CNAME record with that host already exists` + +Choose a different hostname for your tunnel, or delete the existing DNS record in the [Cloudflare dashboard](https://dash.cloudflare.com). + +### Tunnel credentials file does not exist + +If you see `Tunnel credentials file '/root/.cloudflared/.json' doesn't exist or is not a file`, verify that the `credentials-file` path in your `config.yml` points to the correct location. You may need to change `/root/` to your home directory. + +### Tunnel fails to authenticate + +If the authenticating user is removed from the account or their permissions change, Cloudflare rolls the API key. The certificate retains the old key and authentication fails. Run `cloudflared tunnel login` again to regenerate the certificate, or create a dedicated service user to authenticate. + +### `x509: certificate signed by unknown authority` + +The origin uses a certificate that `cloudflared` does not trust. To resolve: + +- Add the certificate to the system certificate pool. +- Use the `--origin-ca-pool` flag and specify the path to the certificate. +- Use the `--no-tls-verify` flag to skip certificate verification. + +### Error 1033 + + + +For more information, refer to [Cloudflare 1xxx errors](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/). + +### `ERR_TOO_MANY_REDIRECTS` + +Set the [origin server name](/tunnel/configuration/#originservername) parameter to the hostname on your origin certificate: + +```txt +ingress: + - hostname: test.example.com + service: https://localhost:443 + originRequest: + originServerName: test.example.com +``` + +### `websocket: bad handshake` + +Your `cloudflared access` client cannot reach your `cloudflared tunnel` origin. Common causes: + +- The tunnel is not running or not connected to Cloudflare. +- WebSockets are not [enabled](/network/websockets/#enable-websockets). +- SSL/TLS encryption mode is set to **Off (not secure)**. Set it to **Flexible**, **Full**, or **Full (strict)** in **SSL/TLS** > **Overview**. +- Requests are blocked by [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/). +- One or more [Workers routes](/workers/configuration/routing/routes/) overlap with the tunnel hostname. + +### Tunnel connections fail with SSL error + +If `cloudflared` returns `error="remote error: tls: handshake failure"`, verify the hostname is covered by an SSL certificate. Multi-level subdomains may require an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/) because Universal SSL does not cover more than one level of subdomain. + +### `Too many open files` + +Increase the open file descriptor limit to at least 70,000 with `ulimit -n 70000` on the host running `cloudflared`. Configure the limit persistently for your operating system. + +### `failed to sufficiently increase receive buffer size` + +This message from the [quic-go library](https://github.com/quic-go/quic-go) is generally not impactful. For high-bandwidth environments, set the maximum receive buffer size on Linux: + +```sh +echo 'net.core.rmem_max=2500000' | sudo tee /etc/sysctl.d/98-core-rmem-max.conf +sudo sysctl -p /etc/sysctl.d/98-core-rmem-max.conf +``` + +### Streaming responses are buffered + +Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the `Content-Type: text/event-stream` response header. This header tells `cloudflared` to stream data as it arrives instead of buffering the entire response. diff --git a/src/icons/tunnel.svg b/src/icons/tunnel.svg new file mode 100644 index 000000000000000..d953c3b96820184 --- /dev/null +++ b/src/icons/tunnel.svg @@ -0,0 +1 @@ + From 95e20fb95e041522642ca950113f16dd8016a0ac Mon Sep 17 00:00:00 2001 From: Nikita Cano Date: Fri, 20 Feb 2026 16:32:28 +0000 Subject: [PATCH 04/33] [Tunnel] Update CODEOWNERS path, remove stale cloudflare-tunnel redirects Update CODEOWNERS from /cloudflare-tunnel/ to /tunnel/. Remove redirects from /cloudflare-tunnel/* since that path was never merged to production. --- .github/CODEOWNERS | 2 +- public/__redirects | 9 ++------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index f12fb50da7eccfa..c9756046204eab2 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -69,7 +69,7 @@ package.json @cloudflare/content-engineering /src/content/docs/cloudflare-one/access-controls/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/team-and-resources/devices/ @ranbel @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing -/src/content/docs/cloudflare-tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing +/src/content/docs/tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/cloud-and-saas-findings/ @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/traffic-policies/ @cloudflare/pcx-technical-writing /src/content/docs/cloudflare-one/remote-browser-isolation/ @deadlypants1973 @cloudflare/pcx-technical-writing diff --git a/public/__redirects b/public/__redirects index 12e05b3001a0676..d2e507e1d210a3a 100644 --- a/public/__redirects +++ b/public/__redirects @@ -2374,8 +2374,7 @@ /cloudflare-one/email-security/settings/trusted-domains/ /cloudflare-one/email-security/settings/detection-settings/trusted-domains/ 301 /cloudflare-one/email-security/monitoring/search-email/ /cloudflare-one/email-security/investigation/search-email/ 301 -# Cloudflare Tunnel IA restructure (quick tunnels moved under other-tunnel-types) -/cloudflare-tunnel/quick-tunnels/ /tunnel/other-tunnel-types/quick-tunnels/ 301 + # ============================================================================ # DYNAMIC REDIRECTS @@ -2583,10 +2582,7 @@ # Network Flow (formerly Magic Network Monitoring) /magic-network-monitoring/* /network-flow/:splat 301 -# Cloudflare Tunnel IA restructure (locally-managed + quick tunnels moved under other-tunnel-types) -/cloudflare-tunnel/local-management/* /tunnel/other-tunnel-types/local-management/:splat 301 - -# Cloudflare Tunnel rename to /tunnel/ with flat structure +# Cloudflare Tunnel flat structure redirects /tunnel/get-started/create-remote-tunnel/ /tunnel/setup/ 301 /tunnel/get-started/create-remote-tunnel-api/ /tunnel/setup/ 301 /tunnel/get-started/ /tunnel/setup/ 301 @@ -2612,4 +2608,3 @@ /tunnel/troubleshoot/* /tunnel/troubleshooting/ 301 /tunnel/downloads/license/ https://github.com/cloudflare/cloudflared/blob/master/LICENSE 301 /tunnel/downloads/copyrights/ https://github.com/cloudflare/cloudflared 301 -/cloudflare-tunnel/* /tunnel/:splat 301 From 7ca2d6afdd13409d4a44ca7377ff64ded5a32eb8 Mon Sep 17 00:00:00 2001 From: Nikita Cano Date: Fri, 20 Feb 2026 16:43:35 +0000 Subject: [PATCH 05/33] [Tunnel] Add DashButton to setup page --- src/content/docs/tunnel/setup.mdx | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/content/docs/tunnel/setup.mdx b/src/content/docs/tunnel/setup.mdx index 4fbce0f31a4c872..0411a338c7fb182 100644 --- a/src/content/docs/tunnel/setup.mdx +++ b/src/content/docs/tunnel/setup.mdx @@ -9,7 +9,14 @@ head: description: Create your first Cloudflare Tunnel and publish an application in under 5 minutes. --- -import { Render, Stream, Tabs, TabItem, APIRequest } from "~/components"; +import { + DashButton, + Render, + Stream, + Tabs, + TabItem, + APIRequest, +} from "~/components"; Create a Cloudflare Tunnel and publish your first application in under 5 minutes. @@ -25,6 +32,8 @@ If your server is behind a restrictive firewall, verify it can reach Cloudflare ## Create a tunnel + + From a68bde7c219ad5df864f6a60b959753aa17f8f40 Mon Sep 17 00:00:00 2001 From: Nikita Cano Date: Fri, 20 Feb 2026 16:47:55 +0000 Subject: [PATCH 06/33] [Tunnel] Move DashButton inside Dashboard tab on setup page --- src/content/docs/tunnel/setup.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/tunnel/setup.mdx b/src/content/docs/tunnel/setup.mdx index 0411a338c7fb182..638aa504e04f597 100644 --- a/src/content/docs/tunnel/setup.mdx +++ b/src/content/docs/tunnel/setup.mdx @@ -32,11 +32,11 @@ If your server is behind a restrictive firewall, verify it can reach Cloudflare ## Create a tunnel - - + + Date: Fri, 20 Feb 2026 16:48:41 +0000 Subject: [PATCH 07/33] [Tunnel] Place DashButton inline with dashboard navigation steps --- src/content/docs/tunnel/setup.mdx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/content/docs/tunnel/setup.mdx b/src/content/docs/tunnel/setup.mdx index 638aa504e04f597..2264e745d24b1cd 100644 --- a/src/content/docs/tunnel/setup.mdx +++ b/src/content/docs/tunnel/setup.mdx @@ -35,15 +35,13 @@ If your server is behind a restrictive firewall, verify it can reach Cloudflare - - -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. 2. Select **Create Tunnel**. @@ -90,7 +88,7 @@ Your tunnel should appear on the **Tunnels** page with a `Healthy` status. -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels** and select your tunnel. +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels** and select your tunnel. 2. Under **Routes**, select **Add route**. From 84908e9de8040b0a06532f1043e63eb410731caa Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 12:43:00 -0500 Subject: [PATCH 08/33] fix tabs --- src/content/docs/tunnel/setup.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/tunnel/setup.mdx b/src/content/docs/tunnel/setup.mdx index 2264e745d24b1cd..3d4175f60139382 100644 --- a/src/content/docs/tunnel/setup.mdx +++ b/src/content/docs/tunnel/setup.mdx @@ -32,7 +32,7 @@ If your server is behind a restrictive firewall, verify it can reach Cloudflare ## Create a tunnel - + + 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels** and select your tunnel. From 2fd65645e0b9af86a147daf05aa6cb49e9919fc1 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 14:04:43 -0500 Subject: [PATCH 09/33] fix tile rename errors --- .../2025-11-11-cloudflared-proxy-dns.mdx | 4 ++-- .../leveraging-cloudflare-for-your-saas-applications.mdx | 3 +-- src/content/docs/tunnel/changelog.mdx | 2 +- src/content/learning-paths/clientless-access.json | 2 +- src/content/learning-paths/replace-vpn.json | 2 +- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx b/src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx index 4bf574c93c3f0b9..ed55552c54b68ae 100644 --- a/src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx +++ b/src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx @@ -2,7 +2,7 @@ title: cloudflared proxy-dns command will be removed starting February 2, 2026 description: To address a vulnerability in an underlying library, the `cloudflared proxy-dns` command will be removed from new `cloudflared` releases. Users are advised to migrate to the Cloudflare WARP client or WARP Connector. products: - - cloudflare-tunnel + - tunnel date: 2025-11-11 --- @@ -26,4 +26,4 @@ The preferred method for enabling DNS-over-HTTPS on user devices is the [Cloudfl For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/). -Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/) to Cloudflare for [filtering and logging](/cloudflare-one/traffic-policies/). \ No newline at end of file +Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/) to Cloudflare for [filtering and logging](/cloudflare-one/traffic-policies/). diff --git a/src/content/docs/reference-architecture/design-guides/leveraging-cloudflare-for-your-saas-applications.mdx b/src/content/docs/reference-architecture/design-guides/leveraging-cloudflare-for-your-saas-applications.mdx index 4b71c3e10f4b167..dc50f2c60a8f67d 100644 --- a/src/content/docs/reference-architecture/design-guides/leveraging-cloudflare-for-your-saas-applications.mdx +++ b/src/content/docs/reference-architecture/design-guides/leveraging-cloudflare-for-your-saas-applications.mdx @@ -1,8 +1,7 @@ --- title: Leveraging Cloudflare for your SaaS applications pcx_content_type: design-guide -products: - [cloudflare-for-saas, cloudflare-tunnel, load-balancing, data-localization] +products: [cloudflare-for-saas, tunnel, load-balancing, data-localization] sidebar: order: 1 label: Leveraging Cloudflare for your SaaS applications diff --git a/src/content/docs/tunnel/changelog.mdx b/src/content/docs/tunnel/changelog.mdx index 401a93ac55cd38b..02ba020f9d9492f 100644 --- a/src/content/docs/tunnel/changelog.mdx +++ b/src/content/docs/tunnel/changelog.mdx @@ -8,4 +8,4 @@ description: Review recent changes to Cloudflare Tunnel. import { ProductChangelog } from "~/components"; - + diff --git a/src/content/learning-paths/clientless-access.json b/src/content/learning-paths/clientless-access.json index 782a784ac1d29c4..59aa949705ea8dc 100644 --- a/src/content/learning-paths/clientless-access.json +++ b/src/content/learning-paths/clientless-access.json @@ -3,5 +3,5 @@ "path": "/learning-paths/clientless-access/concepts/", "description": "Learn how to set up clientless access to internal applications with Cloudflare Zero Trust.", "pcx_content_type": "learning-path", - "products": ["access", "cloudflare-tunnel", "browser-isolation"] + "products": ["access", "cloudflare-tunnel-sase", "browser-isolation"] } diff --git a/src/content/learning-paths/replace-vpn.json b/src/content/learning-paths/replace-vpn.json index 62cc34fb4920e38..6d1dfab70250e13 100644 --- a/src/content/learning-paths/replace-vpn.json +++ b/src/content/learning-paths/replace-vpn.json @@ -3,5 +3,5 @@ "path": "/learning-paths/replace-vpn/concepts/", "description": "Learn how to replace your VPN with Cloudflare Zero Trust.", "pcx_content_type": "learning-path", - "products": ["gateway", "cloudflare-tunnel", "zero-trust-warp"] + "products": ["gateway", "cloudflare-tunnel-sase", "zero-trust-warp"] } From e1f60ed8daf96457cb47b64cb2218bec64ee7458 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 15:16:05 -0500 Subject: [PATCH 10/33] merge in 502 error --- src/content/docs/tunnel/troubleshooting.mdx | 78 +++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/src/content/docs/tunnel/troubleshooting.mdx b/src/content/docs/tunnel/troubleshooting.mdx index d04e66ba22ceee5..59e68690f5dd276 100644 --- a/src/content/docs/tunnel/troubleshooting.mdx +++ b/src/content/docs/tunnel/troubleshooting.mdx @@ -117,6 +117,84 @@ The origin uses a certificate that `cloudflared` does not trust. To resolve: For more information, refer to [Cloudflare 1xxx errors](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/). +### 502 Bad Gateway + +A `502 Bad Gateway` error with `Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared` on a tunnel route means the tunnel itself is connected to the Cloudflare network, but `cloudflared` cannot reach the origin service defined in your ingress rule. Unlike [error 1033](#error-1033), which indicates the tunnel is not connected to Cloudflare, a 502 error indicates the problem is between `cloudflared` and your local service. + +To identify the specific cause, review your [tunnel logs](/tunnel/monitoring/#logs) for `error`-level messages. Common causes include: + +#### Origin service is not running + +If the origin service has stopped or never started, `cloudflared` logs will show an error similar to: + +```txt +error="dial tcp [::1]:8080: connect: connection refused" +``` + +To resolve, verify the service is running and listening on the expected port: + +```sh +curl -v http://localhost:8080 +``` + +If the service is not running, start or restart it. You can confirm the service is listening by running `ss -tlnp | grep ` (Linux) or `lsof -iTCP -sTCP:LISTEN -nP | grep ` (macOS). + +#### Origin service URL uses the wrong protocol + +If the origin expects HTTPS but the tunnel route specifies `http://`, or vice versa, `cloudflared` logs will show an error similar to: + +```txt +error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\"" +``` + +To resolve, update the service URL in your tunnel route to match the [protocol](/tunnel/routing/#supported-protocols) your origin expects. For example, change `http://localhost:8080` to `https://localhost:8080`. If you are using a locally-managed tunnel, update your ingress rule in the [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). + +#### Origin service URL points to the wrong port + +If the port in your tunnel route does not match the port your service is listening on, `cloudflared` will log a `connection refused` error for that port. Double-check the service URL in your ingress rule and compare it against the port your application is bound to. + +#### Origin uses a certificate that `cloudflared` does not trust + +If the origin presents a TLS certificate that `cloudflared` cannot verify, the logs will show an error similar to: + +```txt +error="x509: certificate is valid for example.com, not localhost" +``` + +This commonly occurs when the origin uses a self-signed certificate or when an SSL/TLS inspection proxy sits between `cloudflared` and the origin. + +To resolve, use one of the following approaches: + +- Set [`originServerName`](/tunnel/configuration/#originservername) to the hostname on the origin certificate in your tunnel route. If you are using a locally-managed tunnel, here is an example of a [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/): + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + originServerName: app.example.com + ``` + +- Provide the CA certificate using [`caPool`](/tunnel/configuration/#capool): + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + caPool: /path/to/ca-cert.pem + ``` + +- As a last resort, disable TLS verification with [`noTLSVerify`](/tunnel/configuration/#notlsverify). This is not recommended for production environments. + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + noTLSVerify: true + ``` + ### `ERR_TOO_MANY_REDIRECTS` Set the [origin server name](/tunnel/configuration/#originservername) parameter to the hostname on your origin certificate: From 14e040e61b85c4cd8a859c998e29b52207d878ca Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 15:42:09 -0500 Subject: [PATCH 11/33] edit Setup --- src/content/docs/tunnel/setup.mdx | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/content/docs/tunnel/setup.mdx b/src/content/docs/tunnel/setup.mdx index 3d4175f60139382..42a928abbd86787 100644 --- a/src/content/docs/tunnel/setup.mdx +++ b/src/content/docs/tunnel/setup.mdx @@ -41,7 +41,8 @@ If your server is behind a restrictive firewall, verify it can reach Cloudflare thumbnail="https://pub-d9bf66e086fb4b639107aa52105b49dd.r2.dev/tunnel%204_%20set%20up%20tunnel.png" /> -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. + 2. Select **Create Tunnel**. @@ -99,10 +100,10 @@ Your tunnel should appear on the **Tunnels** page with a `Healthy` status. 5. For **Service URL**, enter the local address and port of your application. For example, if your web server runs on the same machine as `cloudflared`: - - HTTP on port 80: `http://localhost:80` - - HTTPS on port 443: `https://localhost:443` + - HTTP on port `80`: `http://localhost:80` + - HTTPS on port `443`: `https://localhost:443` - If the application runs on a different machine: `http://192.0.2.1:80` + If your web server runs on a different machine: `http://192.0.2.1:80` 6. Select **Add route**. @@ -145,7 +146,7 @@ Your tunnel should appear on the **Tunnels** page with a `Healthy` status. }} /> -3. Install `cloudflared` on your server and run the tunnel using the `token` from the previous step: +3. Install `cloudflared` on your server and run the tunnel using the `token` obtained in [Create a tunnel](/tunnel/setup/#create-a-tunnel): From 819373811759e2ea51199abebd877c6d03c3f6a7 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 15:56:16 -0500 Subject: [PATCH 12/33] protocols partial --- .../routing-to-tunnel/protocols.mdx | 24 ++++++++---------- src/content/docs/tunnel/routing.mdx | 25 +++++++------------ .../cloudflare-one/tunnel/protocols-table.mdx | 21 ++++++++++++++++ 3 files changed, 40 insertions(+), 30 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/protocols-table.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols.mdx index 3b05315f497600c..23dcae0a2db9ac2 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols.mdx @@ -7,19 +7,15 @@ sidebar: tableOfContents: false --- +import { Render } from "~/components"; -When you [add a published application route](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind `cloudflared`. The table below lists the service types that can route to a public hostname. Non-HTTP services will require [installing `cloudflared` on the client](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/) for end users to connect. +When you [add a published application route](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind `cloudflared`. -| Service type | Description | Example `service` value | -| ------------ | ----------- | ---------- | -| HTTP | Incoming requests to Cloudflare over HTTPS are proxied to the local web service via HTTP. | `http://localhost:8000` | -| HTTPS | Incoming requests to Cloudflare over HTTPS are proxied directly to the local web service. You can [disable TLS verification](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) if your origin uses self-signed certificates. | `https://localhost:8000` | -| UNIX | Just like HTTP, but using a Unix socket instead. | `unix:/home/production/echo.sock` | -| TCP | Enables TCP streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using TCP. To [connect to the public hostname over arbitrary TCP](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/), the user needs to run `cloudflared access tcp`, and there are no guarantees on how long the TCP tunnel will live. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead.| `tcp://localhost:2222` | -| SSH | Enables SSH streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using SSH. To [connect to the public hostname over SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/), the client needs to run `cloudflared access ssh`, and there are no guarantees on how long the SSH connection will last. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead. | `ssh://localhost:22` | -| RDP | Similar to TCP but for RDP streams only. For more information, refer to [Connect to RDP with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/). | `rdp://localhost:3389` | -| UNIX + TLS | Just like HTTPS, but using a Unix socket instead. | `unix+tls:/home/production/echo.sock` | -| SMB | Similar to TCP but for SMB streams only. For more information, refer to [Connect to SMB with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/#connect-to-smb-server-with-cloudflared-access). | `smb://localhost:445` | -| HTTP_STATUS | Responds to all requests with the given HTTP status. | `http_status:404` | -| BASTION | `cloudflared` will act like a jumphost, allowing access to any local address. | `bastion` -| HELLO_WORLD | Test server for validating your Cloudflare Tunnel connection (for [locally managed tunnels](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-published-applications) only). | `hello_world` | + diff --git a/src/content/docs/tunnel/routing.mdx b/src/content/docs/tunnel/routing.mdx index 40c9ee8b7eba752..e711b2c95f957e0 100644 --- a/src/content/docs/tunnel/routing.mdx +++ b/src/content/docs/tunnel/routing.mdx @@ -5,7 +5,7 @@ sidebar: order: 3 --- -import { TabItem, Tabs, DashButton, Details } from "~/components"; +import { TabItem, Tabs, DashButton, Details, Render } from "~/components"; Cloudflare Tunnel routes traffic from Cloudflare's network to services running behind `cloudflared`. When you [publish an application](/tunnel/setup/#publish-an-application), you map a public hostname to a local service — for example, `app.example.com` to `http://localhost:8080` — and Cloudflare applies CDN caching, WAF, and DDoS protection before forwarding the request to your origin. @@ -24,21 +24,14 @@ When you add a route through the dashboard, Cloudflare automatically creates a D ## Supported protocols -The table below lists the service types you can route to a public hostname. Non-HTTP services require [installing `cloudflared` on the client](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/) for end users to connect. - -| Service type | Description | Example `service` value | -| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------- | -| HTTP | Proxies incoming HTTPS requests to your local web service over HTTP. | `http://localhost:8000` | -| HTTPS | Proxies incoming HTTPS requests directly to your local web service. You can [disable TLS verification](/tunnel/configuration/#notlsverify) for self-signed certificates. | `https://localhost:8000` | -| UNIX | Same as HTTP, but uses a Unix socket. | `unix:/home/production/echo.sock` | -| UNIX + TLS | Same as HTTPS, but uses a Unix socket. | `unix+tls:/home/production/echo.sock` | -| TCP | Streams TCP over a WebSocket connection. End users run `cloudflared access tcp` to connect. For long-lived connections, use [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead. | `tcp://localhost:2222` | -| SSH | Streams SSH over a WebSocket connection. End users run `cloudflared access ssh` to [connect](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/). For long-lived connections, use [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead. | `ssh://localhost:22` | -| RDP | Streams RDP over a WebSocket connection. Refer to [Connect to RDP with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/). | `rdp://localhost:3389` | -| SMB | Streams SMB over a WebSocket connection. Refer to [Connect to SMB with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/#connect-to-smb-server-with-cloudflared-access). | `smb://localhost:445` | -| HTTP_STATUS | Responds to all requests with a fixed HTTP status code. | `http_status:404` | -| BASTION | Allows `cloudflared` to act as a jump host, providing access to any local address. | `bastion` | -| HELLO_WORLD | Test server for validating your tunnel connection ([locally managed tunnels](/tunnel/other-tunnel-types/local-management/configuration-file/#file-structure-for-published-applications) only). | `hello_world` | + ## DNS records diff --git a/src/content/partials/cloudflare-one/tunnel/protocols-table.mdx b/src/content/partials/cloudflare-one/tunnel/protocols-table.mdx new file mode 100644 index 000000000000000..5c7b3a1e010c41f --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/protocols-table.mdx @@ -0,0 +1,21 @@ +--- +params: + - disableTlsVerificationURL + - locallyManagedTunnelsURL +--- + +The table below lists the service types you can route to a public hostname. Non-HTTP services require [installing `cloudflared` on the client](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/) for end users to connect. + +| Service type | Description | Example `service` value | +| ------------ | ----------- | ----------------------- | +| HTTP | Proxies incoming HTTPS requests to your local web service over HTTP. | `http://localhost:8000` | +| HTTPS | Proxies incoming HTTPS requests directly to your local web service. You can disable TLS verification for self-signed certificates. | `https://localhost:8000` | +| UNIX | Same as HTTP, but uses a Unix socket. | `unix:/home/production/echo.sock` | +| UNIX + TLS | Same as HTTPS, but uses a Unix socket. | `unix+tls:/home/production/echo.sock` | +| TCP | Streams TCP over a WebSocket connection. End users run `cloudflared access tcp` to [connect](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/). For long-lived connections, use [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead. | `tcp://localhost:2222` | +| SSH | Streams SSH over a WebSocket connection. End users run `cloudflared access ssh` to [connect](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/). For long-lived connections, use [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead. | `ssh://localhost:22` | +| RDP | Streams RDP over a WebSocket connection. For more information, refer to [Connect to RDP with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/). | `rdp://localhost:3389` | +| SMB | Streams SMB over a WebSocket connection. For more information, refer to [Connect to SMB with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/#connect-to-smb-server-with-cloudflared-access). | `smb://localhost:445` | +| HTTP_STATUS | Responds to all requests with a fixed HTTP status code. | `http_status:404` | +| BASTION | Allows `cloudflared` to act as a jump host, providing access to any local address. | `bastion` | +| HELLO_WORLD | Test server for validating your Cloudflare Tunnel connection (for locally managed tunnels only). | `hello_world` | From dcace43eb9d33b1dccfc640ca26e882451b45d9e Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 16:08:49 -0500 Subject: [PATCH 13/33] DNS partial --- .../routing-to-tunnel/dns.mdx | 57 ++++--------------- src/content/docs/tunnel/routing.mdx | 50 +++------------- .../tunnel/dns-records-intro.mdx | 8 +++ .../cloudflare-one/tunnel/dns-records.mdx | 45 +++++++++++++++ 4 files changed, 72 insertions(+), 88 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/dns-records-intro.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/dns-records.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx index 6f219052333e4b9..f9f5e8ff1aa7ba8 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx @@ -5,55 +5,20 @@ sidebar: order: 2 --- -import { Render, TabItem, Tabs, DashButton } from "~/components"; +import { Render } from "~/components"; -When you create a tunnel, Cloudflare generates a subdomain of `cfargotunnel.com` with the UUID of the created tunnel. You can treat `.cfargotunnel.com` as if it were an origin target in the Cloudflare dashboard. + -Unlike publicly routable IP addresses, `.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. The Tunnel UUID is not secret information; if someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. +## Create a DNS record -## Create a DNS record for the tunnel - - - -To create a new DNS record for your tunnel: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and go to the **DNS Records** page for your domain. - - -2. Select **Add record**. -3. Input the following information: - - **Type**: _CNAME_ - - **Name**: Subdomain of your application - - **Target**: `.cfargotunnel.com` -4. Select **Save**. - -![Example of fields completed to create a new CNAME record.](~/assets/images/cloudflare-one/connections/connect-apps/dns/dns-record.png) - - - - - -You can create a new DNS record directly from `cloudflared`: - -```sh -cloudflared tunnel route dns www.app.com -``` - -This command create a `CNAME` record that points to the tunnel subdomain, but will not proxy traffic if the tunnel is not currently running. - -:::note - -To create DNS records using `cloudflared`, the [`cert.pem`](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/local-tunnel-terms/#certpem) file must be installed on your system. -::: - - - - - -The DNS record is distinct from the state of the tunnel. You can create DNS records that point to a tunnel that is not currently running. If the tunnel stops running, the DNS record will not be deleted. If you point the DNS record to a tunnel not currently running, visitors will see a `1016` error message. - -Additionally, you can create multiple DNS records that point to the same tunnel subdomain. If you are routing traffic from multiple hostnames to multiple services, you will need to create a `CNAME` entry for each hostname. The CNAME entries will share the same target. + ## Optional Cloudflare settings -The application will default to the Cloudflare settings of the hostname in your account that includes the Cloudflare Tunnel DNS record, including [cache rules](/cache/how-to/cache-rules/) and [firewall policies](/firewall/). You can changes these settings for your hostname in Cloudflare's dashboard. +The application will default to the Cloudflare settings of the hostname in your account that includes the Cloudflare Tunnel DNS record, including [cache rules](/cache/how-to/cache-rules/) and [firewall policies](/firewall/). You can change these settings for your hostname in the Cloudflare dashboard. diff --git a/src/content/docs/tunnel/routing.mdx b/src/content/docs/tunnel/routing.mdx index e711b2c95f957e0..087c609747dfe4a 100644 --- a/src/content/docs/tunnel/routing.mdx +++ b/src/content/docs/tunnel/routing.mdx @@ -35,50 +35,16 @@ When you add a route through the dashboard, Cloudflare automatically creates a D ## DNS records -When you create a tunnel, Cloudflare generates a subdomain at `.cfargotunnel.com`. You point a CNAME record at this subdomain to route traffic from your hostname to the tunnel. - -The `cfargotunnel.com` subdomain only proxies traffic for DNS records in the same Cloudflare account. If someone discovers your tunnel UUID, they cannot create a DNS record in another account to proxy traffic through it. + ### Create a DNS record - - - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and go to **DNS Records** for your domain. - - - -2. Select **Add record**. -3. Enter the following values: - - **Type**: _CNAME_ - - **Name**: Subdomain of your application - - **Target**: `.cfargotunnel.com` -4. Select **Save**. - -![Example of fields completed to create a new CNAME record.](~/assets/images/cloudflare-one/connections/connect-apps/dns/dns-record.png) - - - - - -Run the following command to create a CNAME record pointing to your tunnel subdomain: - -```sh -cloudflared tunnel route dns www.app.com -``` - -This creates a CNAME record but does not proxy traffic unless the tunnel is running. - -:::note -To create DNS records using `cloudflared`, the [`cert.pem`](/tunnel/other-tunnel-types/local-management/local-tunnel-terms/#certpem) file must be installed on your system. -::: - - - - - -The DNS record and the tunnel are independent. You can create DNS records that point to a tunnel that is not running. If a tunnel stops, the DNS record is not deleted — visitors will see a `1016` error. - -You can also create multiple DNS records pointing to the same tunnel subdomain. If you route traffic from multiple hostnames to multiple services, create a CNAME entry for each hostname. All entries share the same target. + ## Load balancing diff --git a/src/content/partials/cloudflare-one/tunnel/dns-records-intro.mdx b/src/content/partials/cloudflare-one/tunnel/dns-records-intro.mdx new file mode 100644 index 000000000000000..f3c26351bc152ee --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/dns-records-intro.mdx @@ -0,0 +1,8 @@ +--- +{} + +--- + +When you create a tunnel, Cloudflare generates a subdomain at `.cfargotunnel.com`. You point a CNAME record at this subdomain to route traffic from your hostname to the tunnel. + +The `cfargotunnel.com` subdomain only proxies traffic for DNS records in the same Cloudflare account. If someone discovers your tunnel UUID, they cannot create a DNS record in another account to proxy traffic through it. diff --git a/src/content/partials/cloudflare-one/tunnel/dns-records.mdx b/src/content/partials/cloudflare-one/tunnel/dns-records.mdx new file mode 100644 index 000000000000000..b979813f188e136 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/dns-records.mdx @@ -0,0 +1,45 @@ +--- +params: + - certPemURL +--- + +import { TabItem, Tabs, DashButton } from "~/components"; + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and go to **DNS Records** for your domain. + + + +2. Select **Add record**. +3. Enter the following values: + - **Type**: _CNAME_ + - **Name**: Subdomain of your application + - **Target**: `.cfargotunnel.com` +4. Select **Save**. + +![Example of fields completed to create a new CNAME record.](~/assets/images/cloudflare-one/connections/connect-apps/dns/dns-record.png) + + + + + +Run the following command to create a CNAME record pointing to your tunnel subdomain: + +```sh +cloudflared tunnel route dns www.app.com +``` + +This creates a CNAME record but does not proxy traffic unless the tunnel is running. + +:::note +To create DNS records using `cloudflared`, the `cert.pem` file must be installed on your system. +::: + + + + + +The DNS record and the tunnel are independent. You can create DNS records that point to a tunnel that is not running. If a tunnel stops, the DNS record is not deleted — visitors will see a `1016` error. + +You can also create multiple DNS records pointing to the same tunnel subdomain. If you route traffic from multiple hostnames to multiple services, create a CNAME entry for each hostname. All entries share the same target. From 747db206369143c954c6b270ab67717410d2697c Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 16:11:39 -0500 Subject: [PATCH 14/33] cloudflare settings partial --- .../cloudflare-tunnel/routing-to-tunnel/dns.mdx | 4 ++-- src/content/docs/tunnel/routing.mdx | 4 +--- .../cloudflare-one/tunnel/dns-cloudflare-settings.mdx | 8 ++++++++ 3 files changed, 11 insertions(+), 5 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/dns-cloudflare-settings.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx index f9f5e8ff1aa7ba8..6969451441c04cd 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx @@ -19,6 +19,6 @@ import { Render } from "~/components"; }} /> -## Optional Cloudflare settings +## Cloudflare settings -The application will default to the Cloudflare settings of the hostname in your account that includes the Cloudflare Tunnel DNS record, including [cache rules](/cache/how-to/cache-rules/) and [firewall policies](/firewall/). You can change these settings for your hostname in the Cloudflare dashboard. + \ No newline at end of file diff --git a/src/content/docs/tunnel/routing.mdx b/src/content/docs/tunnel/routing.mdx index 087c609747dfe4a..f454fc089b285b9 100644 --- a/src/content/docs/tunnel/routing.mdx +++ b/src/content/docs/tunnel/routing.mdx @@ -145,6 +145,4 @@ If you run [replicas](/tunnel/configuration/#replicas-and-high-availability) on ## Cloudflare settings -Published applications inherit the Cloudflare settings for their hostname, including [cache rules](/cache/how-to/cache-rules/), [WAF rules](/waf/), and other [Rules](/rules/) configurations. You can change these settings for each hostname in the [Cloudflare dashboard](https://dash.cloudflare.com/). - -If you use a load balancer, settings are applied to the load balancer hostname instead. + diff --git a/src/content/partials/cloudflare-one/tunnel/dns-cloudflare-settings.mdx b/src/content/partials/cloudflare-one/tunnel/dns-cloudflare-settings.mdx new file mode 100644 index 000000000000000..2f2327ca51fb9e4 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/dns-cloudflare-settings.mdx @@ -0,0 +1,8 @@ +--- +{} + +--- + +Published applications inherit the Cloudflare settings for their hostname, including [cache rules](/cache/how-to/cache-rules/), [WAF rules](/waf/), and other [Rules](/rules/) configurations. You can change these settings for each hostname in the [Cloudflare dashboard](https://dash.cloudflare.com/). + +If you use a load balancer, settings are applied to the load balancer hostname instead. From 1e9f3fa021dc304f567e8c533d9a44089b83e37c Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 16:18:33 -0500 Subject: [PATCH 15/33] fix mermaid indents --- .../tunnel-availability/index.mdx | 54 +++++++++---------- src/content/docs/tunnel/routing.mdx | 20 +++---- 2 files changed, 37 insertions(+), 37 deletions(-) diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx index f8f753cbf141dd6..6a61945fe3354e3 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx @@ -17,22 +17,22 @@ Cloudflare Tunnel allows users to deploy additional instances of our connector, ```mermaid graph LR - C((Cloudflare)) - subgraph E[Private network] - cf1["cloudflared
(Tunnel-1 replica)"] - cf2["cloudflared
(Tunnel-1 replica)"] - S1[Application] - cf1-->S1 - cf2-->S1 - end - C -- "Connections x 4
"--> cf1 - C --> cf1 - C --> cf1 - C --> cf1 - C -- Connections x 4--> cf2 - C --> cf2 - C --> cf2 - C --> cf2 + C((Cloudflare)) + subgraph E[Private network] + cf1["cloudflared
(Tunnel-1 replica)"] + cf2["cloudflared
(Tunnel-1 replica)"] + S1[Application] + cf1-->S1 + cf2-->S1 + end + C -- "Connections x 4
"--> cf1 + C --> cf1 + C --> cf1 + C --> cf1 + C -- Connections x 4--> cf2 + C --> cf2 + C --> cf2 + C --> cf2 ``` By design, replicas do not offer any level of traffic steering (random, hash, or round-robin). Instead, when a request arrives to Cloudflare, it will be forwarded to the replica that is geographically closest. If that distance calculation is unsuccessful or the connection fails, we will retry others, but there is no guarantee about which connection is chosen. @@ -51,26 +51,26 @@ For setup instructions, refer to [Deploy cloudflared replicas](/cloudflare-one/n ```mermaid graph LR - accTitle: Load balancing traffic to applications behind Cloudflare Tunnel + accTitle: Load balancing traffic to applications behind Cloudflare Tunnel A[Internet] --> C{Cloudflare
Load Balancer} B[WARP clients] --> C - M[Cloudflare WAN] --> C + M[Cloudflare WAN] --> C C -- Tunnel 1 --> cf1 C -- Tunnel 2 --> cf2 - subgraph F[Data center 2] - cf2[cloudflared
server] - S3[App server] + subgraph F[Data center 2] + cf2[cloudflared
server] + S3[App server] S4[App server] - cf2-->S3 - cf2-->S4 + cf2-->S3 + cf2-->S4 end - subgraph E[Data center 1] - cf1[cloudflared
server] + subgraph E[Data center 1] + cf1[cloudflared
server] S1[App server] S2[App server] - cf1-->S1 - cf1-->S2 + cf1-->S1 + cf1-->S2 end ``` diff --git a/src/content/docs/tunnel/routing.mdx b/src/content/docs/tunnel/routing.mdx index f454fc089b285b9..0c6cfcfef5ffdc5 100644 --- a/src/content/docs/tunnel/routing.mdx +++ b/src/content/docs/tunnel/routing.mdx @@ -52,24 +52,24 @@ Use a [public load balancer](/load-balancing/load-balancers/) to distribute traf ```mermaid graph LR - accTitle: Load balancing traffic to applications behind Cloudflare Tunnel + accTitle: Load balancing traffic to applications behind Cloudflare Tunnel A[Internet] --> C{Cloudflare
Load Balancer} C -- Tunnel 1 --> cf1 C -- Tunnel 2 --> cf2 - subgraph F[Data center 2] - cf2[cloudflared] - S3[App server] + subgraph F[Data center 2] + cf2[cloudflared] + S3[App server] S4[App server] - cf2-->S3 - cf2-->S4 + cf2-->S3 + cf2-->S4 end - subgraph E[Data center 1] - cf1[cloudflared] + subgraph E[Data center 1] + cf1[cloudflared] S1[App server] S2[App server] - cf1-->S1 - cf1-->S2 + cf1-->S1 + cf1-->S2 end ``` From d59d34d03ffec219c7bde5fe687b384860cbe237 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 16:38:35 -0500 Subject: [PATCH 16/33] add context before how-to steps --- .../connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx | 2 +- src/content/docs/tunnel/setup.mdx | 4 ++++ .../tunnel/{dns-records.mdx => dns-records-create.mdx} | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) rename src/content/partials/cloudflare-one/tunnel/{dns-records.mdx => dns-records-create.mdx} (96%) diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx index 6969451441c04cd..43a98b63631b858 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns.mdx @@ -12,7 +12,7 @@ import { Render } from "~/components"; ## Create a DNS record @@ -86,6 +88,8 @@ Your tunnel should appear on the **Tunnels** page with a `Healthy` status. ## Publish an application +To make an application accessible from the Internet, add a published application route to your tunnel. The tunnel route maps a public hostname to a local service. + diff --git a/src/content/partials/cloudflare-one/tunnel/dns-records.mdx b/src/content/partials/cloudflare-one/tunnel/dns-records-create.mdx similarity index 96% rename from src/content/partials/cloudflare-one/tunnel/dns-records.mdx rename to src/content/partials/cloudflare-one/tunnel/dns-records-create.mdx index b979813f188e136..b06e989a3fcb2df 100644 --- a/src/content/partials/cloudflare-one/tunnel/dns-records.mdx +++ b/src/content/partials/cloudflare-one/tunnel/dns-records-create.mdx @@ -5,6 +5,8 @@ params: import { TabItem, Tabs, DashButton } from "~/components"; +To create a DNS record for a Cloudflare Tunnel: + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and go to **DNS Records** for your domain. From 721b9862c82b5dec2593c17cec65966d1755f166 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 16:39:48 -0500 Subject: [PATCH 17/33] LB partial --- .../public-load-balancers.mdx | 42 ++++-------------- src/content/docs/tunnel/routing.mdx | 44 ++++++------------- .../tunnel/load-balancer-create.mdx | 39 ++++++++++++++++ 3 files changed, 60 insertions(+), 65 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/load-balancer-create.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers.mdx index d7cd7eebe825c5d..1d6666bf62a9f22 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers.mdx @@ -19,40 +19,14 @@ When you add a [published application route](/cloudflare-one/networks/connectors ### Create a load balancer -To create a load balancer for Cloudflare Tunnel published applications: - -1. In the Cloudflare dashboard, go to the **Load Balancing** page. - - -2. Select **Create load balancer**. -3. Select **Public load balancer**. -4. Under **Select website**, select the domain of your published application route. -5. On the **Hostname** page, enter a hostname for the load balancer (for example, `lb.example.com`). -6. On the **Pools** page, select **Create a pool**. -7. Enter a descriptive name for the pool. For example, if you are configuring one pool per tunnel, the pool name can match your tunnel name. -8. To add a tunnel endpoint to the pool, configure the following fields: - - **Endpoint Name**: Name of the server that is running the application - - **Endpoint Address**: `.cfargotunnel.com`, where `` is replaced by your Tunnel ID. You can find the **Tunnel ID** in [Cloudflare One](https://one.dash.cloudflare.com) under **Networks** > **Connectors** > **Cloudflare Tunnels**. - - **Header value**: Hostname of your published application route (such as `app.example.com`). To find the hostname value, open your Cloudflare Tunnel configuration and go to the **Published application routes** tab. - - **Weight**: Assign a [weight](/load-balancing/understand-basics/traffic-steering/origin-level-steering/#weights) to the endpoint. If you only have one endpoint, enter `1`. - :::note - A single origin pool cannot have the same Tunnel UUID referenced twice. - ::: -9. On the **Pools** page, choose a **Fallback pool**. Refer to [Global traffic steering](/load-balancing/understand-basics/traffic-steering/steering-policies/) for information on how the load balancer routes traffic to pools. -10. (Recommended) On the **Monitors** page, attach a monitor to the tunnel endpoint. For example, if your application is HTTP or HTTPS, you can create an HTTPS monitor to poll the application: - - **Type**: _HTTPS_ - - **Path**: `/` - - **Port**: `443` - - **Expected Code(s)**: `200` - - **Header Name**: `Host` - - **Value**: `app.example.com` - - :::note - TCP monitors are not supported for tunnel endpoints. For a workaround, refer to [Monitors and TCP tunnel origins](#monitors-and-tcp-tunnel-origins). - ::: - -11. Save and deploy the load balancer. -12. To test the load balancer, access the application using the load balancer hostname (`lb.example.com`). + **Connectors** > **Cloudflare Tunnels**" + }} +/> Refer to the [Load Balancing documentation](/load-balancing/) for more details on load balancer settings and configurations. diff --git a/src/content/docs/tunnel/routing.mdx b/src/content/docs/tunnel/routing.mdx index 0c6cfcfef5ffdc5..ebdb457d250ffc3 100644 --- a/src/content/docs/tunnel/routing.mdx +++ b/src/content/docs/tunnel/routing.mdx @@ -38,8 +38,9 @@ When you add a route through the dashboard, Cloudflare automatically creates a D ### Create a DNS record + - -2. Select **Create load balancer**, then select **Public load balancer**. -3. Under **Select website**, select the domain of your published application route. -4. On the **Hostname** page, enter a hostname for the load balancer (for example, `lb.example.com`). -5. On the **Pools** page, select **Create a pool** and enter a descriptive name. -6. Add a tunnel endpoint with the following values: - - **Endpoint Name**: Name of the server running the application - - **Endpoint Address**: `.cfargotunnel.com` (find the Tunnel ID in the [Cloudflare dashboard](https://dash.cloudflare.com/) under **Networking** > **Tunnels**) - - **Header value**: Hostname of your published application route (for example, `app.example.com`) - - **Weight**: `1` (if only one endpoint) - - :::note - A single origin pool cannot reference the same tunnel UUID twice. - ::: - -7. Choose a **Fallback pool**. Refer to [traffic steering policies](/load-balancing/understand-basics/traffic-steering/steering-policies/) for routing options. -8. (Recommended) On the **Monitors** page, attach a monitor to the endpoint. For an HTTP or HTTPS application, create an HTTPS monitor: - - **Type**: _HTTPS_ - - **Path**: `/` - - **Port**: `443` - - **Expected Code(s)**: `200` - - **Header Name**: `Host` - - **Value**: `app.example.com` -9. Save and deploy the load balancer. +:::note[Prerequisites] +A Cloudflare Tunnel with at least one [published application route](/tunnel/setup/#publish-an-application). +::: -To test, access your application using the load balancer hostname (`lb.example.com`). + **Tunnels**" + }} +/>
diff --git a/src/content/partials/cloudflare-one/tunnel/load-balancer-create.mdx b/src/content/partials/cloudflare-one/tunnel/load-balancer-create.mdx new file mode 100644 index 000000000000000..492d7edb9a1dfb2 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/load-balancer-create.mdx @@ -0,0 +1,39 @@ +--- +params: + - publishedAppRouteURL + - tunnelIdLocation +--- + +import { DashButton } from "~/components"; + +To create a load balancer for Cloudflare Tunnel published applications: + +1. In the Cloudflare dashboard, go to the **Load Balancing** page. + + + +2. Select **Create load balancer**, then select **Public load balancer**. +3. Under **Select website**, select the domain of your published application route. +4. On the **Hostname** page, enter a hostname for the load balancer (for example, `lb.example.com`). +5. On the **Pools** page, select **Create a pool** and enter a descriptive name. +6. Add a tunnel endpoint with the following values: + - **Endpoint Name**: Name of the server running the application + - **Endpoint Address**: `.cfargotunnel.com` (find the Tunnel ID in {props.tunnelIdLocation}) + - **Header value**: Hostname of your published application route (for example, `app.example.com`) + - **Weight**: `1` (if only one endpoint) + + :::note + A single origin pool cannot reference the same tunnel UUID twice. + ::: + +7. Choose a **Fallback pool**. Refer to [traffic steering policies](/load-balancing/understand-basics/traffic-steering/steering-policies/) for routing options. +8. (Recommended) On the **Monitors** page, attach a monitor to the endpoint. For an HTTP or HTTPS application, create an HTTPS monitor: + - **Type**: _HTTPS_ + - **Path**: `/` + - **Port**: `443` + - **Expected Code(s)**: `200` + - **Header Name**: `Host` + - **Value**: `app.example.com` +9. Save and deploy the load balancer. + +To test, access your application using the load balancer hostname (`lb.example.com`). From aaf2e74efa6b69bd9121ab58c33a574fa256a581 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 16:47:21 -0500 Subject: [PATCH 18/33] more LB partials --- .../public-load-balancers.mdx | 34 ++++++++----------- src/content/docs/tunnel/routing.mdx | 34 ++++++++----------- .../tunnel/load-balancer-local-connection.mdx | 10 ++++++ .../tunnel/load-balancer-tcp-monitors.mdx | 20 +++++++++++ 4 files changed, 58 insertions(+), 40 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/load-balancer-local-connection.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/load-balancer-tcp-monitors.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers.mdx index 1d6666bf62a9f22..6b0bd3ecea4cfbc 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers.mdx @@ -154,21 +154,13 @@ Here is an example of what your DNS records will look like before and after sett ### Monitors and TCP tunnel origins -If you have a tunnel to a port or SSH port, do not set up a [TCP monitor](/load-balancing/monitors/). Instead, set up a health check endpoint on the `cloudflared` host and create an HTTPS monitor. For example, you can use `cloudflared` to return a fixed HTTP status response: - -1. In your Cloudflare Tunnel, [add a published application route](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) to represent the health check endpoint: - - **Hostame**: Enter a hostname for the health check endpoint (for example, `health-check.example.com`) - - **Service Type**: _HTTP_STATUS_ - - **HTTP Status Code**: `200` -2. From the **Load Balancing** page, [create a monitor](/load-balancing/monitors/create-monitor/) with the following properties: - - **Type**: _HTTPS_ - - **Path**: `/` - - **Port**: `443` - - **Expected Code(s)**: `200` - - **Header Name**: `Host` - - **Value**: `health-check.example.com` - -You can now assign this monitor to your load balancer endpoint. The monitor will only verify that your server is reachable. It does not check whether the server is running and accepting requests. + ### Session affinity and replicas @@ -176,8 +168,10 @@ The load balancer does not distinguish between [replicas](/cloudflare-one/networ ### Local connection preference -If you notice traffic imbalances across endpoints in different locations, you may have to adjust your load balancer setup. - -When an end user sends a request to your application, Cloudflare routes their traffic using [Anycast routing](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) and their request typically goes to the nearest Cloudflare data center. Cloudflare Tunnel will prefer to serve the request using `cloudflared` connections in the same data center. This behavior can impact how connections are weighted and traffic is distributed. - -If you are running [`cloudflared` replicas](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/), switch to separate Cloudflare tunnels so that you can have more granular control over [traffic steering](/load-balancing/understand-basics/traffic-steering/). + diff --git a/src/content/docs/tunnel/routing.mdx b/src/content/docs/tunnel/routing.mdx index ebdb457d250ffc3..c961326cc90a65d 100644 --- a/src/content/docs/tunnel/routing.mdx +++ b/src/content/docs/tunnel/routing.mdx @@ -97,31 +97,25 @@ A Cloudflare Tunnel with at least one [published application route](/tunnel/setu
-TCP monitors are not supported for tunnel endpoints. Instead, create a health check endpoint on the `cloudflared` host and use an HTTPS monitor: - -1. [Add a published application route](/tunnel/setup/#publish-an-application) for the health check: - - **Hostname**: `health-check.example.com` - - **Service Type**: _HTTP_STATUS_ - - **HTTP Status Code**: `200` -2. [Create a monitor](/load-balancing/monitors/create-monitor/) with these settings: - - **Type**: _HTTPS_ - - **Path**: `/` - - **Port**: `443` - - **Expected Code(s)**: `200` - - **Header Name**: `Host` - - **Value**: `health-check.example.com` - -This monitor verifies that `cloudflared` is reachable. It does not check whether the upstream service is accepting requests. +
-If you notice traffic imbalances across endpoints in different locations, you may need to adjust your load balancer configuration. - -Cloudflare uses [Anycast routing](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) to direct end user requests to the nearest data center. `cloudflared` prefers to serve requests using connections in the same data center, which can affect how traffic is distributed across endpoints. - -If you run [replicas](/tunnel/configuration/#replicas-and-high-availability) on the same tunnel UUID, consider switching to separate tunnels for more granular control over [traffic steering](/load-balancing/understand-basics/traffic-steering/). +
diff --git a/src/content/partials/cloudflare-one/tunnel/load-balancer-local-connection.mdx b/src/content/partials/cloudflare-one/tunnel/load-balancer-local-connection.mdx new file mode 100644 index 000000000000000..0afc09f39b747e6 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/load-balancer-local-connection.mdx @@ -0,0 +1,10 @@ +--- +params: + - replicasURL +--- + +If you notice traffic imbalances across endpoints in different locations, you may need to adjust your load balancer configuration. + +Cloudflare uses [Anycast routing](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) to direct end user requests to the nearest data center. `cloudflared` prefers to serve requests using connections in the same data center, which can affect how traffic is distributed across endpoints. + +If you run `cloudflared` replicas on the same tunnel UUID, consider switching to separate tunnels for more granular control over [traffic steering](/load-balancing/understand-basics/traffic-steering/). diff --git a/src/content/partials/cloudflare-one/tunnel/load-balancer-tcp-monitors.mdx b/src/content/partials/cloudflare-one/tunnel/load-balancer-tcp-monitors.mdx new file mode 100644 index 000000000000000..00915193311f7b7 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/load-balancer-tcp-monitors.mdx @@ -0,0 +1,20 @@ +--- +params: + - publishedAppRouteURL +--- + +TCP monitors are not supported for tunnel endpoints. Instead, create a health check endpoint on the `cloudflared` host and use an HTTPS monitor. For example, you can use `cloudflared` to return a fixed HTTP status response: + +1. Add a published application route for the health check: + - **Hostname**: `health-check.example.com` + - **Service Type**: _HTTP_STATUS_ + - **HTTP Status Code**: `200` +2. [Create a monitor](/load-balancing/monitors/create-monitor/) with these settings: + - **Type**: _HTTPS_ + - **Path**: `/` + - **Port**: `443` + - **Expected Code(s)**: `200` + - **Header Name**: `Host` + - **Value**: `health-check.example.com` + +This monitor verifies that `cloudflared` is reachable. It does not check whether the upstream service is accepting requests. From 8cde6395dbc4083b05ca1f3e0127f2c336369fb3 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 16:49:32 -0500 Subject: [PATCH 19/33] fix invalid link --- src/content/docs/tunnel/downloads/update-cloudflared.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/tunnel/downloads/update-cloudflared.mdx b/src/content/docs/tunnel/downloads/update-cloudflared.mdx index 89ca144f9a00843..2d5b0cc5e8ce471 100644 --- a/src/content/docs/tunnel/downloads/update-cloudflared.mdx +++ b/src/content/docs/tunnel/downloads/update-cloudflared.mdx @@ -141,7 +141,7 @@ You can update `cloudflared` without downtime by using Cloudflare's Load Balance 1. Install a new instance of `cloudflared` and [create](/tunnel/setup/) a new Tunnel. 2. Configure the instance to point traffic to the same locally-available service as your current, active instance of `cloudflared`. -3. [Add the address](/tunnel/routing/public-load-balancers/) of the new instance of `cloudflared` into your Load Balancer pool as priority 2. +3. [Add the address](/tunnel/routing/#add-a-tunnel-to-a-load-balancer-pool) of the new instance of `cloudflared` into your Load Balancer pool as priority 2. 4. Swap the priority such that the new instance is now priority 1 and monitor to confirm traffic is being served. 5. Once confirmed, you can remove the older version from the Load Balancer pool. From 89983b3177b03d4a3b2c48974d2c60e88daa3f79 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 17:06:20 -0500 Subject: [PATCH 20/33] replica partials --- .../tunnel-availability/index.mdx | 22 +---------- src/content/docs/tunnel/configuration.mdx | 38 ++++++++----------- .../tunnel/cloudflared-replicas-diagram.mdx | 24 ++++++++++++ .../tunnel/dns-records-create.mdx | 2 +- 4 files changed, 42 insertions(+), 44 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/cloudflared-replicas-diagram.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx index 6a61945fe3354e3..17d9047bce641b4 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/index.mdx @@ -7,7 +7,7 @@ sidebar: order: 4 --- -import { Details, GlossaryTooltip } from "~/components"; +import { Details, GlossaryTooltip, Render } from "~/components"; Our lightweight and open-source connector, [`cloudflared`](https://github.com/cloudflare/cloudflared), was built to be highly available without any additional configuration requirements. When you run a tunnel, `cloudflared` establishes four outbound-only connections between the origin server and the Cloudflare network. These four connections are made to four different servers spread across at least two distinct data centers. This model ensures high availability and mitigates the risk of individual connection failures. This means in event a single connection, server, or data center goes offline, your resources will remain available. @@ -15,25 +15,7 @@ Our lightweight and open-source connector, [`cloudflared`](https://github.com/cl Cloudflare Tunnel allows users to deploy additional instances of our connector, `cloudflared`, for availability and failover scenarios. We refer to these unique instances as replicas. Each replica establishes four new connections which serve as additional points of ingress to your origin, should you need them. Each of the replicas will point to the same tunnel. This ensures that your network remains up in the event a single host running `cloudflared` goes down. -```mermaid -graph LR - C((Cloudflare)) - subgraph E[Private network] - cf1["cloudflared
(Tunnel-1 replica)"] - cf2["cloudflared
(Tunnel-1 replica)"] - S1[Application] - cf1-->S1 - cf2-->S1 - end - C -- "Connections x 4
"--> cf1 - C --> cf1 - C --> cf1 - C --> cf1 - C -- Connections x 4--> cf2 - C --> cf2 - C --> cf2 - C --> cf2 -``` + By design, replicas do not offer any level of traffic steering (random, hash, or round-robin). Instead, when a request arrives to Cloudflare, it will be forwarded to the replica that is geographically closest. If that distance calculation is unsuccessful or the connection fails, we will retry others, but there is no guarantee about which connection is chosen. diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx index 622e57bc30367f6..3b816e3cacbb76a 100644 --- a/src/content/docs/tunnel/configuration.mdx +++ b/src/content/docs/tunnel/configuration.mdx @@ -23,25 +23,11 @@ When you run a tunnel, `cloudflared` establishes four outbound-only, [post-quant A replica is an additional `cloudflared` instance that points to the same tunnel. Each replica creates four new connections, providing additional ingress points to your origin. You can run up to 25 replicas (100 connections) per tunnel. Traffic routes to the geographically closest replica. -```mermaid -graph LR - C((Cloudflare)) - subgraph E[Your network] - cf1["cloudflared
(replica 1)"] - cf2["cloudflared
(replica 2)"] - S1[Application] - cf1-->S1 - cf2-->S1 - end - C -- "Connections x 4"--> cf1 - C --> cf1 - C --> cf1 - C --> cf1 - C -- "Connections x 4"--> cf2 - C --> cf2 - C --> cf2 - C --> cf2 -``` + + +### Deploy a replica + + To deploy a replica for a remotely-managed tunnel: @@ -49,12 +35,18 @@ To deploy a replica for a remotely-managed tunnel: -2. Select your tunnel, then select **Edit**. -3. Select the operating system of the host where you want to deploy a replica. -4. Copy the installation command and run it on the host. +2. Select your tunnel. +3. Select **Add a replica**. +4. Select the operating system of the host where you want to deploy a replica. +5. Copy the installation command and run it on the host. -For locally-managed tunnels, run `cloudflared tunnel run ` on an additional host using the same tunnel credentials. + + +To deploy a replica for a [locally-managed tunnel](/tunnel/other-tunnel-types/local-management/), run `cloudflared tunnel run ` on an additional host using the same [tunnel credentials](/tunnel/other-tunnel-types/local-management/#tunnel-permissions). + + + :::note For intelligent traffic steering, failover logic, or health alerts, use [Cloudflare Load Balancing](/tunnel/routing/#load-balancing) instead of replicas. ::: diff --git a/src/content/partials/cloudflare-one/tunnel/cloudflared-replicas-diagram.mdx b/src/content/partials/cloudflare-one/tunnel/cloudflared-replicas-diagram.mdx new file mode 100644 index 000000000000000..8e51e41f3ac6672 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/cloudflared-replicas-diagram.mdx @@ -0,0 +1,24 @@ +--- +{} + +--- + +```mermaid +graph LR + C((Cloudflare)) + subgraph E[Your network] + cf1["cloudflared
(Tunnel-1 replica)"] + cf2["cloudflared
(Tunnel-1 replica)"] + S1[Application] + cf1-->S1 + cf2-->S1 + end + C -- "Connections x 4
"--> cf1 + C --> cf1 + C --> cf1 + C --> cf1 + C -- Connections x 4--> cf2 + C --> cf2 + C --> cf2 + C --> cf2 +``` diff --git a/src/content/partials/cloudflare-one/tunnel/dns-records-create.mdx b/src/content/partials/cloudflare-one/tunnel/dns-records-create.mdx index b06e989a3fcb2df..5e148ac7da1aa5e 100644 --- a/src/content/partials/cloudflare-one/tunnel/dns-records-create.mdx +++ b/src/content/partials/cloudflare-one/tunnel/dns-records-create.mdx @@ -26,7 +26,7 @@ To create a DNS record for a Cloudflare Tunnel: -Run the following command to create a CNAME record pointing to your tunnel subdomain: +For locally-managed tunnels, run the following command to create a CNAME record pointing to your tunnel subdomain: ```sh cloudflared tunnel route dns www.app.com From 6d1f39ecadd3ed3900a4dfcea2de871892c40235 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 17:30:09 -0500 Subject: [PATCH 21/33] firewall partials --- .../tunnel-with-firewall.mdx | 65 +++---------------- src/content/docs/tunnel/configuration.mdx | 39 ++--------- .../tunnel/firewall-required-ports.mdx | 16 +++++ .../tunnel/firewall-sni-hostnames.mdx | 13 ++++ .../tunnel/firewall-us-region-ports.mdx | 18 +++++ 5 files changed, 64 insertions(+), 87 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/firewall-required-ports.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/firewall-sni-hostnames.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/firewall-us-region-ports.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx index c951531a484ff01..06c86f93630ec23 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx @@ -7,6 +7,8 @@ sidebar: order: 3 --- +import { Render } from "~/components"; + You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from `cloudflared`. Only the services specified in your tunnel configuration will be exposed to the outside world. ## Ports @@ -24,65 +26,18 @@ Ensure port `7844` is allowed for both TCP and UDP protocols (for `http2` and `q `cloudflared` connects to Cloudflare's global network on port `7844`. To use Cloudflare Tunnel, your firewall must allow outbound connections to the following destinations on port `7844` (via UDP if using the `quic` protocol or TCP if using the `http2` protocol). -#### `region1.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.192.167` `198.41.192.67` `198.41.192.57` `198.41.192.107` `198.41.192.27` `198.41.192.7` `198.41.192.227` `198.41.192.47` `198.41.192.37` `198.41.192.77` | `2606:4700:a0::1` `2606:4700:a0::2` `2606:4700:a0::3` `2606:4700:a0::4` `2606:4700:a0::5` `2606:4700:a0::6` `2606:4700:a0::7` `2606:4700:a0::8` `2606:4700:a0::9` `2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -#### `region2.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.200.13` `198.41.200.193` `198.41.200.33` `198.41.200.233` `198.41.200.53` `198.41.200.63` `198.41.200.113` `198.41.200.73` `198.41.200.43` `198.41.200.23` | `2606:4700:a8::1` `2606:4700:a8::2` `2606:4700:a8::3` `2606:4700:a8::4` `2606:4700:a8::5` `2606:4700:a8::6` `2606:4700:a8::7` `2606:4700:a8::8` `2606:4700:a8::9` `2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -#### `_v2-origintunneld._tcp.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------- | -| Not applicable | Not applicable | 7844 | TCP (`http2`) | - -This rule is only required for firewalls that enforce SNI. - -#### `cftunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------------------ | -| Not applicable | Not applicable | 7844 | TCP/UDP (`http2`/`quic`) | - -This rule is only required for firewalls that enforce SNI. - -#### `h2.cftunnel.com` + -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------- | -| Not applicable | Not applicable | 7844 | TCP (`http2`) | - -This rule is only required for firewalls that enforce SNI. - -#### `quic.cftunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| -------------- | -------------- | ---- | ------------ | -| Not applicable | Not applicable | 7844 | UDP (`quic`) | - -This rule is only required for firewalls that enforce SNI. +#### SNI-enforcing firewalls + ### Region US -When using the [US region](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#region), ensure your firewall allows outbound connections to these US-region destinations on port `7844` (TCP/UDP) for tunnel operation. - -#### `us-region1.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocol | -| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.218.1` `198.41.218.2` `198.41.218.3` `198.41.218.4` `198.41.218.5` `198.41.218.6` `198.41.218.7` `198.41.218.8` `198.41.218.9` `198.41.218.10` | `2606:4700:a1::1` `2606:4700:a1::2` `2606:4700:a1::3` `2606:4700:a1::4` `2606:4700:a1::5` `2606:4700:a1::6` `2606:4700:a1::7` `2606:4700:a1::8` `2606:4700:a1::9` `2606:4700:a1::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -#### `us-region2.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocol | -| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.219.1` `198.41.219.2` `198.41.219.3` `198.41.219.4` `198.41.219.5` `198.41.219.6` `198.41.219.7` `198.41.219.8` `198.41.219.9` `198.41.219.10` | `2606:4700:a9::1` `2606:4700:a9::2` `2606:4700:a9::3` `2606:4700:a9::4` `2606:4700:a9::5` `2606:4700:a9::6` `2606:4700:a9::7` `2606:4700:a9::8` `2606:4700:a9::9` `2606:4700:a9::10` | 7844 | TCP/UDP (`http2`/`quic`) | + ### Optional diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx index 3b816e3cacbb76a..2deab7e31a56744 100644 --- a/src/content/docs/tunnel/configuration.mdx +++ b/src/content/docs/tunnel/configuration.mdx @@ -57,46 +57,21 @@ For intelligent traffic steering, failover logic, or health alerts, use [Cloudfl ### Required ports -#### `region1.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.192.167` `198.41.192.67` `198.41.192.57` `198.41.192.107` `198.41.192.27` `198.41.192.7` `198.41.192.227` `198.41.192.47` `198.41.192.37` `198.41.192.77` | `2606:4700:a0::1` `2606:4700:a0::2` `2606:4700:a0::3` `2606:4700:a0::4` `2606:4700:a0::5` `2606:4700:a0::6` `2606:4700:a0::7` `2606:4700:a0::8` `2606:4700:a0::9` `2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -#### `region2.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocols | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.200.13` `198.41.200.193` `198.41.200.33` `198.41.200.233` `198.41.200.53` `198.41.200.63` `198.41.200.113` `198.41.200.73` `198.41.200.43` `198.41.200.23` | `2606:4700:a8::1` `2606:4700:a8::2` `2606:4700:a8::3` `2606:4700:a8::4` `2606:4700:a8::5` `2606:4700:a8::6` `2606:4700:a8::7` `2606:4700:a8::8` `2606:4700:a8::9` `2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) | +
-When using the [`--region us`](#region) flag, allow outbound connections to these destinations instead. - -#### `us-region1.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocol | -| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.218.1` `198.41.218.2` `198.41.218.3` `198.41.218.4` `198.41.218.5` `198.41.218.6` `198.41.218.7` `198.41.218.8` `198.41.218.9` `198.41.218.10` | `2606:4700:a1::1` `2606:4700:a1::2` `2606:4700:a1::3` `2606:4700:a1::4` `2606:4700:a1::5` `2606:4700:a1::6` `2606:4700:a1::7` `2606:4700:a1::8` `2606:4700:a1::9` `2606:4700:a1::10` | 7844 | TCP/UDP (`http2`/`quic`) | - -#### `us-region2.v2.argotunnel.com` - -| IPv4 | IPv6 | Port | Protocol | -| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | -| `198.41.219.1` `198.41.219.2` `198.41.219.3` `198.41.219.4` `198.41.219.5` `198.41.219.6` `198.41.219.7` `198.41.219.8` `198.41.219.9` `198.41.219.10` | `2606:4700:a9::1` `2606:4700:a9::2` `2606:4700:a9::3` `2606:4700:a9::4` `2606:4700:a9::5` `2606:4700:a9::6` `2606:4700:a9::7` `2606:4700:a9::8` `2606:4700:a9::9` `2606:4700:a9::10` | 7844 | TCP/UDP (`http2`/`quic`) | +
-If your firewall enforces Server Name Indication (SNI), also allow these hostnames on port `7844`: - -| Hostname | Port | Protocols | -| --------------------------------------- | ---- | ------------------------ | -| `_v2-origintunneld._tcp.argotunnel.com` | 7844 | TCP (`http2`) | -| `cftunnel.com` | 7844 | TCP/UDP (`http2`/`quic`) | -| `h2.cftunnel.com` | 7844 | TCP (`http2`) | -| `quic.cftunnel.com` | 7844 | UDP (`quic`) | +
diff --git a/src/content/partials/cloudflare-one/tunnel/firewall-required-ports.mdx b/src/content/partials/cloudflare-one/tunnel/firewall-required-ports.mdx new file mode 100644 index 000000000000000..45ac0379be83af3 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/firewall-required-ports.mdx @@ -0,0 +1,16 @@ +--- +{} + +--- + +#### `region1.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.192.167` `198.41.192.67` `198.41.192.57` `198.41.192.107` `198.41.192.27` `198.41.192.7` `198.41.192.227` `198.41.192.47` `198.41.192.37` `198.41.192.77` | `2606:4700:a0::1` `2606:4700:a0::2` `2606:4700:a0::3` `2606:4700:a0::4` `2606:4700:a0::5` `2606:4700:a0::6` `2606:4700:a0::7` `2606:4700:a0::8` `2606:4700:a0::9` `2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +#### `region2.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocols | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.200.13` `198.41.200.193` `198.41.200.33` `198.41.200.233` `198.41.200.53` `198.41.200.63` `198.41.200.113` `198.41.200.73` `198.41.200.43` `198.41.200.23` | `2606:4700:a8::1` `2606:4700:a8::2` `2606:4700:a8::3` `2606:4700:a8::4` `2606:4700:a8::5` `2606:4700:a8::6` `2606:4700:a8::7` `2606:4700:a8::8` `2606:4700:a8::9` `2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) | diff --git a/src/content/partials/cloudflare-one/tunnel/firewall-sni-hostnames.mdx b/src/content/partials/cloudflare-one/tunnel/firewall-sni-hostnames.mdx new file mode 100644 index 000000000000000..2bbe162b8d986ef --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/firewall-sni-hostnames.mdx @@ -0,0 +1,13 @@ +--- +{} + +--- + +If your firewall enforces Server Name Indication (SNI), also allow these hostnames on port `7844`: + +| Hostname | Port | Protocols | +| --------------------------------------- | ---- | ------------------------ | +| `_v2-origintunneld._tcp.argotunnel.com` | 7844 | TCP (`http2`) | +| `cftunnel.com` | 7844 | TCP/UDP (`http2`/`quic`) | +| `h2.cftunnel.com` | 7844 | TCP (`http2`) | +| `quic.cftunnel.com` | 7844 | UDP (`quic`) | diff --git a/src/content/partials/cloudflare-one/tunnel/firewall-us-region-ports.mdx b/src/content/partials/cloudflare-one/tunnel/firewall-us-region-ports.mdx new file mode 100644 index 000000000000000..23052458507d147 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/firewall-us-region-ports.mdx @@ -0,0 +1,18 @@ +--- +params: + - regionURL +--- + +When using the `--region us` flag, allow outbound connections to these destinations instead. + +#### `us-region1.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocol | +| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.218.1` `198.41.218.2` `198.41.218.3` `198.41.218.4` `198.41.218.5` `198.41.218.6` `198.41.218.7` `198.41.218.8` `198.41.218.9` `198.41.218.10` | `2606:4700:a1::1` `2606:4700:a1::2` `2606:4700:a1::3` `2606:4700:a1::4` `2606:4700:a1::5` `2606:4700:a1::6` `2606:4700:a1::7` `2606:4700:a1::8` `2606:4700:a1::9` `2606:4700:a1::10` | 7844 | TCP/UDP (`http2`/`quic`) | + +#### `us-region2.v2.argotunnel.com` + +| IPv4 | IPv6 | Port | Protocol | +| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ------------------------ | +| `198.41.219.1` `198.41.219.2` `198.41.219.3` `198.41.219.4` `198.41.219.5` `198.41.219.6` `198.41.219.7` `198.41.219.8` `198.41.219.9` `198.41.219.10` | `2606:4700:a9::1` `2606:4700:a9::2` `2606:4700:a9::3` `2606:4700:a9::4` `2606:4700:a9::5` `2606:4700:a9::6` `2606:4700:a9::7` `2606:4700:a9::8` `2606:4700:a9::9` `2606:4700:a9::10` | 7844 | TCP/UDP (`http2`/`quic`) | From 96366fd2ac16df769d7dfc07f36e94741149c421 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 20 Feb 2026 17:58:46 -0500 Subject: [PATCH 22/33] update token rotation procedure --- .../remote-tunnel-permissions.mdx | 147 ++++++++---------- src/content/docs/tunnel/configuration.mdx | 29 ++-- 2 files changed, 86 insertions(+), 90 deletions(-) diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions.mdx index 82d24c042c0f0d7..a1658deb109aa4f 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions.mdx @@ -19,8 +19,7 @@ To get the token for a remotely-managed tunnel: 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. 2. Select a `cloudflared` tunnel and select **Edit**. -3. Copy the `cloudflared` installation command. -4. Paste the installation command into any text editor. The token value is of the form `eyJhIjoiNWFiNGU5Z...` +3. Copy the `cloudflared` installation command into a text editor (do not run the command). The token is the `eyJ...` string. @@ -61,79 +60,74 @@ To rotate a tunnel token: 1. Refresh the token on Cloudflare: - - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. -2. Select a `cloudflared` tunnel and select **Edit**. -3. Select **Refresh token**. -4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. - - - - 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: - - ```sh - openssl rand -base64 32 - ``` - - ```sh output - AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= - ``` - -2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: - - - - -After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. - -2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: + + + 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. + 2. Select a `cloudflared` tunnel and select **Edit**. + 3. Select **Refresh token**. + 4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. + + + + 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: + + ```sh + openssl rand -base64 32 + ``` + + ```sh output + AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= + ``` + + 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: + + + + + After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. + +2. On half of your `cloudflared` replicas, reinstall the `cloudflared` service with the new token. For example, on a Linux host: ```sh - sudo cloudflared service install + sudo cloudflared service uninstall + sudo cloudflared service install ``` -3. Restart `cloudflared`: - - ```sh - sudo systemctl restart cloudflared.service - ``` - -4. Confirm that the service started correctly: +3. Confirm that the service started correctly: ```sh sudo systemctl status cloudflared @@ -164,16 +158,11 @@ If your tunnel token is compromised, we recommend taking the following steps: 3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host: ```sh - sudo cloudflared service install + sudo cloudflared service uninstall + sudo cloudflared service install ``` -4. Restart `cloudflared`: - - ```sh - sudo systemctl restart cloudflared.service - ``` - -5. Confirm that the service started correctly: +4. Confirm that the service started correctly: ```sh sudo systemctl status cloudflared ``` diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx index 2deab7e31a56744..d5c96add52c5f4f 100644 --- a/src/content/docs/tunnel/configuration.mdx +++ b/src/content/docs/tunnel/configuration.mdx @@ -98,6 +98,8 @@ A remotely-managed tunnel only requires a token to run. Anyone with the token ca ### Get the token +To get the token for a remotely-managed tunnel: + @@ -105,8 +107,9 @@ A remotely-managed tunnel only requires a token to run. Anyone with the token ca -2. Select a tunnel and select **Edit**. -3. Copy the `cloudflared` installation command — the token is the `eyJ...` string. +2. Select your tunnel. +3. Select **Add a replica**. +3. Copy the `cloudflared` installation command into a text editor (do not run the command). The token is the `eyJ...` string. @@ -123,27 +126,31 @@ A remotely-managed tunnel only requires a token to run. Anyone with the token ca Rotate tokens regularly to reduce the risk of compromise. For tunnels with multiple [replicas](#replicas-and-high-availability), rotate outside working hours and update replicas in batches. -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**, select your tunnel, select **Edit**, then select **Refresh token**. Copy the new installation command. +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Networking** > **Tunnels**. -2. On each replica, update and restart: + - ```sh - sudo cloudflared service install - sudo systemctl restart cloudflared.service - ``` +2. Select your tunnel. +3. Select **Rotate token**. + After rotating the token, `cloudflared` cannot establish new connections with the old token. Existing connectors remain active until restarted. +4. Select **Add replica** and copy the new `cloudflared` installation command. +5. On each replica, reinstall the `cloudflared` service using the new token: -After refreshing, `cloudflared` cannot establish new connections with the old token. Existing connectors remain active until restarted. + ```sh + sudo cloudflared service uninstall + sudo cloudflared service install + ```
-If your tunnel token is compromised, immediately refresh the token (step 1 above), then force-disconnect all existing connections: +If your tunnel token is compromised, immediately [rotate the token](#rotate-a-token), then force-disconnect all existing connections: -Then update and restart all replicas with the new token. +Then reinstall the `cloudflared` service on all replicas using the new token.
From 8a86eb0b1fdac9a4120eeede037583222026b8f3 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 23 Feb 2026 15:53:50 -0500 Subject: [PATCH 23/33] run parameters --- .../cloudflared-parameters/index.mdx | 123 +------ src/content/docs/tunnel/configuration.mdx | 334 +----------------- .../tunnel/update-run-parameters.mdx | 126 +++++++ 3 files changed, 145 insertions(+), 438 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/update-run-parameters.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx index 30da8b31808af53..93a9c09cb2a3049 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx @@ -17,128 +17,7 @@ For instructions on configuring a locally-managed tunnel, refer to the [configur ## Update tunnel run parameters - - -On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl`. By default, the service will be named `cloudflared.service`. To configure your tunnel on Linux: - -1. Open `cloudflared.service`. - - ```sh - sudo systemctl edit --full cloudflared.service - ``` - -2. Modify the `cloudflared tunnel run` command with the desired configuration flag. For example, - - ```txt null {8} - [Unit] - Description=Cloudflare Tunnel - After=network.target - - [Service] - TimeoutStartSec=0 - Type=notify - ExecStart=/usr/local/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token - Restart=on-failure - RestartSec=5s - - [Install] - WantedBy=multi-user.target - ``` - -3. Restart `cloudflared.service`: - - ```sh - sudo systemctl restart cloudflared - ``` - -4. To verify the new configuration, check the service status: - - ```sh - sudo systemctl status cloudflared - ``` - ```sh output - ● cloudflared.service - cloudflared - Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled) - Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago - Main PID: 2157 (cloudflared) - Tasks: 8 (limit: 1136) - Memory: 16.3M - CPU: 136ms - CGroup: /system.slice/cloudflared.service - └─2157 /usr/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi... - ``` - - - -On macOS, Cloudflare Tunnel installs itself as a launch agent using `launchctl`. By default, the agent will be called `com.cloudflare.cloudflared`. To configure your tunnel on macOS: - -1. Stop the `cloudflared` service. - - ```sh - sudo launchctl stop com.cloudflare.cloudflared - ``` - -2. Unload the configuration file. - - ```sh - sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist - ``` - -3. Open `/Library/LaunchDaemons/com.cloudflare.cloudflared.plist` in a text editor. - -4. Modify the `ProgramArguments` key with the desired configuration flag. For example, - - ```txt - - - Label - com.cloudflare.cloudflared - ProgramArguments - - /opt/homebrew/bin/cloudflared - tunnel - --logfile - - --loglevel - debug - run - --token - - - ``` - -5. Load the updated configuration file. - - ```sh - sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist - ``` - -6. Start the `cloudflared` service. - - ```sh - sudo launchctl start com.cloudflare.cloudflared - ``` - - - -On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named `cloudflared`. To configure your tunnel on Windows: - -1. Open the Registry Editor. - -2. Go to **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Services** > **cloudflared**. - -3. Double-click **ImagePath**. - -4. Modify **Value data** with the desired configuration flag. For example, - - ```txt - C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel info --logfile run --token - ``` - -![Modify cloudflared service in the Registry Editor](~/assets/images/cloudflare-one/connections/connect-apps/remote-management-windows.png) - - - + ## Update origin configuration diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx index d5c96add52c5f4f..df2cb98d34752a8 100644 --- a/src/content/docs/tunnel/configuration.mdx +++ b/src/content/docs/tunnel/configuration.mdx @@ -160,166 +160,26 @@ Then reinstall the `cloudflared` service on all replicas using the new token. ## Run parameters -These flags apply to the `cloudflared tunnel run` command. For remotely-managed tunnels, add them to the tunnel service. For locally-managed tunnels, add them to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) as key/value pairs. +These flags apply to the `cloudflared tunnel run` command. For remotely-managed tunnels, add them to the [tunnel service](#update-run-parameters). For locally-managed tunnels, add them to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) as key/value pairs. The most commonly used parameters: -| Parameter | Default | Description | -| ------------------------- | ----------------- | -------------------------------------------------------- | -| [`--loglevel`](#loglevel) | `info` | Log verbosity: `debug`, `info`, `warn`, `error`, `fatal` | -| [`--logfile`](#logfile) | stdout | Path to write log output | -| [`--metrics`](#metrics) | `127.0.0.1:2024x` | Prometheus metrics endpoint address | -| [`--protocol`](#protocol) | `auto` | Connection protocol: `auto`, `quic`, `http2` | -| [`--region`](#region) | global | Route through US-only data centers with `us` | -| [`--token`](#token) | — | Tunnel token (remotely-managed tunnels) | +| Parameter | Default | Description | +| --------------- | ----------------- | -------------------------------------------------------- | +| [`--loglevel`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) | `info` | Log verbosity: `debug`, `info`, `warn`, `error`, `fatal` | +| [`--logfile`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#logfile) | stdout | Path to write log output | +| [`--metrics`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#metrics) | `127.0.0.1:2024x` | Prometheus metrics endpoint address | +| [`--protocol`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol) | `auto` | Connection protocol: `auto`, `quic`, `http2` | +| [`--region`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#region) | global | Route through US-only data centers with `us` | +| [`--token`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#token) | — | Tunnel token (remotely-managed tunnels) | -
+For the complete list of run parameters, refer to [Tunnel run parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/). -### `autoupdate-freq` +### Update run parameters -| Syntax | Default | Environment Variable | -| ---------------------------------------------------------------- | ------- | -------------------- | -| `cloudflared tunnel --autoupdate-freq run ` | `24h` | — | +To modify how a remotely-managed tunnel runs on your OS, update the tunnel service with one or more [run parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/): -Configures the frequency of automatic `cloudflared` updates. On successful update, the old process gracefully shuts down after handling outstanding requests. - -### `config` - -| Syntax | Default | -| ------------------------------------------------------- | --------------------------- | -| `cloudflared tunnel --config run ` | `~/.cloudflared/config.yml` | - -Specifies the path to a configuration file in YAML format. Locally-managed tunnels only. - -### `edge-bind-address` - -| Syntax | Environment Variable | -| ---------------------------------------------------------------- | -------------------------- | -| `cloudflared tunnel --edge-bind-address run ` | `TUNNEL_EDGE_BIND_ADDRESS` | - -Specifies the outgoing IP address used to connect to the Cloudflare global network. Useful when you have multiple network interfaces. - -### `edge-ip-version` - -| Syntax | Default | Environment Variable | -| ------------------------------------------------------------------- | ------- | ------------------------ | -| `cloudflared tunnel --edge-ip-version run ` | `4` | `TUNNEL_EDGE_IP_VERSION` | - -IP version used to connect to Cloudflare. Available values: `auto`, `4`, `6`. - -### `grace-period` - -| Syntax | Default | Environment Variable | -| --------------------------------------------------------------- | ------- | --------------------- | -| `cloudflared tunnel --grace-period run ` | `30s` | `TUNNEL_GRACE_PERIOD` | - -After receiving SIGINT/SIGTERM, `cloudflared` waits this long for in-progress requests to complete before shutting down. - -### `logfile` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --logfile run ` | `TUNNEL_LOGFILE` | - -Saves application log to the specified file. - -### `loglevel` - -| Syntax | Default | Environment Variable | -| ---------------------------------------------------------- | ------- | -------------------- | -| `cloudflared tunnel --loglevel run ` | `info` | `TUNNEL_LOGLEVEL` | - -Log verbosity. Available values: `debug`, `info`, `warn`, `error`, `fatal`. At `debug` level, request URLs, methods, and headers are logged, which can expose sensitive information. - -### `metrics` - -| Syntax | Environment Variable | -| ----------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --metrics run ` | `TUNNEL_METRICS` | - -Exposes a Prometheus endpoint for [usage metrics](/tunnel/monitoring/#metrics). - -### `no-autoupdate` - -| Syntax | Environment Variable | -| ------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --no-autoupdate run ` | `NO_AUTOUPDATE` | - -Disables automatic updates. Does not apply if `cloudflared` was installed via a package manager. - -### `origincert` - -| Syntax | Default | Environment Variable | -| ----------------------------------------------------------- | ------------------------- | -------------------- | -| `cloudflared tunnel --origincert run ` | `~/.cloudflared/cert.pem` | `TUNNEL_ORIGIN_CERT` | - -Specifies the account certificate for your zone. Locally-managed tunnels only. - -### `pidfile` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --pidfile run ` | `TUNNEL_PIDFILE` | - -Writes the application PID to the specified file after the first successful connection. - -### `post-quantum` - -| Syntax | Environment Variable | -| ------------------------------------------------------ | --------------------- | -| `cloudflared tunnel run --post-quantum ` | `TUNNEL_POST_QUANTUM` | - -Forces post-quantum key agreements with no fallback. By default, `quic` connections use [post-quantum cryptography](/ssl/post-quantum-cryptography/) but fall back to non-PQ if there are connection issues. Not supported with `http2`. - -### `protocol` - -| Syntax | Default | Environment Variable | -| ---------------------------------------------------------- | ------- | --------------------------- | -| `cloudflared tunnel --protocol run ` | `auto` | `TUNNEL_TRANSPORT_PROTOCOL` | - -Connection protocol. Available values: `auto`, `http2`, `quic`. The `auto` value selects `quic`, falling back to `http2` if UDP is unavailable. - -### `region` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --region run ` | `TUNNEL_REGION` | - -Routes connections through US-only data centers. The only available value is `us`. Omit for the global region. - -### `retries` - -| Syntax | Default | Environment Variable | -| --------------------------------------------------------- | ------- | -------------------- | -| `cloudflared tunnel --retries run ` | `5` | `TUNNEL_RETRIES` | - -Maximum connection/protocol error retries with exponential backoff. - -### `tag` - -| Syntax | Environment Variable | -| ------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --tag run ` | `TUNNEL_TAG` | - -Custom tags to identify the tunnel. Specify multiple with additional `--tag` flags. - -### `token` - -| Syntax | Environment Variable | -| ----------------------------------------------- | -------------------- | -| `cloudflared tunnel run --token ` | `TUNNEL_TOKEN` | - -Associates the `cloudflared` instance with a specific tunnel. Remotely-managed tunnels only. - -### `token-file` - -| Syntax | Environment Variable | -| -------------------------------------------- | -------------------- | -| `cloudflared tunnel run --token-file ` | `TUNNEL_TOKEN_FILE` | - -Reads the tunnel token from a file. Remotely-managed tunnels only. Requires `2025.4.0` or later. - -
+ ## Origin parameters @@ -329,170 +189,12 @@ The most commonly used parameters: | Parameter | Default | Description | | --------------------------------------- | ------- | ----------------------------------------- | -| [`originServerName`](#originservername) | `""` | Hostname expected from origin certificate | -| [`noTLSVerify`](#notlsverify) | `false` | Disable TLS certificate verification | -| [`httpHostHeader`](#httphostheader) | `""` | Override HTTP Host header | -| [`connectTimeout`](#connecttimeout) | `30s` | TCP connection timeout to origin | - -
- -### `originServerName` - -Hostname that `cloudflared` expects from your origin server certificate. If empty, the expected hostname is the service URL. - -| Default | UI name | -| ------- | ------------------ | -| `""` | Origin Server Name | - -### `matchSNItoHost` - -When `true`, `cloudflared` sets the SNI during TLS handshake to the hostname of the incoming request. Useful for origins hosting multiple services. +| [`originServerName`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#originservername) | `""` | Hostname expected from origin certificate | +| [`noTLSVerify`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) | `false` | Disable TLS certificate verification | +| [`httpHostHeader`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#httphostheader) | `""` | Override HTTP Host header | +| [`connectTimeout`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#connecttimeout) | `30s` | TCP connection timeout to origin | -| Default | UI name | -| ------- | ----------------- | -| `false` | Match SNI to Host | - -### `caPool` - -Path to the CA for your origin server certificate (`.pem` or `.crt`). Only needed if not signed by Cloudflare. - -| Default | UI name | -| ------- | -------------------------- | -| `""` | Certificate Authority Pool | - -### `noTLSVerify` - -When `true`, TLS verification is disabled and any certificate from the origin is accepted. - -| Default | UI name | -| ------- | ------------- | -| `false` | No TLS Verify | - -### `tlsTimeout` - -Timeout for completing a TLS handshake to your origin server. - -| Default | UI name | -| ------- | ----------- | -| `10s` | TLS Timeout | - -### `http2Origin` - -When `true`, `cloudflared` connects to your origin using HTTP/2.0 instead of HTTP/1.1. - -| Default | UI name | -| ------- | ---------------- | -| `false` | HTTP2 connection | - -
- -
- -### `httpHostHeader` - -Sets the HTTP `Host` header on requests sent to the local service. - -| Default | UI name | -| ------- | ---------------- | -| `""` | HTTP Host Header | - -### `disableChunkedEncoding` - -When `true`, chunked transfer encoding is disabled. Useful for WSGI servers. - -| Default | UI name | -| ------- | ------------------------ | -| `false` | Disable Chunked Encoding | - -
- -
- -### `connectTimeout` - -Timeout for establishing a new TCP connection to your origin (excludes TLS). - -| Default | UI name | -| ------- | --------------- | -| `30s` | Connect Timeout | - -### `noHappyEyeballs` - -When `true`, disables the Happy Eyeballs algorithm for IPv4/IPv6 fallback. - -| Default | UI name | -| ------- | ----------------- | -| `false` | No Happy Eyeballs | - -### `proxyType` - -Type of proxy server that translates HTTP traffic into TCP. Valid options: `""` (standard) or `"socks"` (SOCKS5). - -| Default | UI name | -| ------- | ---------- | -| `""` | Proxy Type | - -### `proxyAddress` - -Listen address for the proxy server. Locally-managed tunnels only. - -| Default | -| ----------- | -| `127.0.0.1` | - -### `proxyPort` - -Listen port for the proxy server. `0` means random. Locally-managed tunnels only. - -| Default | -| ------- | -| `0` | - -### `keepAliveTimeout` - -Timeout after which an idle keepalive connection is discarded. - -| Default | UI name | -| ------- | ------------------------------- | -| `1m30s` | Idle Connection Expiration Time | - -### `keepAliveConnections` - -Maximum number of idle keepalive connections to your origin. - -| Default | UI name | -| ------- | ---------------------- | -| `100` | Keep Alive Connections | - -### `tcpKeepAlive` - -Interval for TCP keepalive packets to the origin. - -| Default | UI name | -| ------- | ----------------------- | -| `30s` | TCP Keep Alive Interval | - -
- -
- -### `access` - -Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) before proxying traffic. To configure in a [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/#origin-configuration): - -```yml -access: - required: true - teamName: - audTag: - - -``` - -| Default | UI name | -| ------- | ------------------- | -| `""` | Protect with Access | - -
+For the complete list of origin parameters, refer to [Origin parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). ## System requirements diff --git a/src/content/partials/cloudflare-one/tunnel/update-run-parameters.mdx b/src/content/partials/cloudflare-one/tunnel/update-run-parameters.mdx new file mode 100644 index 000000000000000..8eafe3e520b2eeb --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/update-run-parameters.mdx @@ -0,0 +1,126 @@ +--- +--- + +import { TabItem, Tabs } from "~/components"; + + + +On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl`. By default, the service will be named `cloudflared.service`. To configure your tunnel on Linux: + +1. Open `cloudflared.service`. + + ```sh + sudo systemctl edit --full cloudflared.service + ``` + +2. Modify the `cloudflared tunnel run` command with the desired configuration flag. For example, + + ```txt null {8} + [Unit] + Description=Cloudflare Tunnel + After=network.target + + [Service] + TimeoutStartSec=0 + Type=notify + ExecStart=/usr/local/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token + Restart=on-failure + RestartSec=5s + + [Install] + WantedBy=multi-user.target + ``` + +3. Restart `cloudflared.service`: + + ```sh + sudo systemctl restart cloudflared + ``` + +4. To verify the new configuration, check the service status: + + ```sh + sudo systemctl status cloudflared + ``` + ```sh output + ● cloudflared.service - cloudflared + Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled) + Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago + Main PID: 2157 (cloudflared) + Tasks: 8 (limit: 1136) + Memory: 16.3M + CPU: 136ms + CGroup: /system.slice/cloudflared.service + └─2157 /usr/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi... + ``` + + + +On macOS, Cloudflare Tunnel installs itself as a launch agent using `launchctl`. By default, the agent will be called `com.cloudflare.cloudflared`. To configure your tunnel on macOS: + +1. Stop the `cloudflared` service. + + ```sh + sudo launchctl stop com.cloudflare.cloudflared + ``` + +2. Unload the configuration file. + + ```sh + sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist + ``` + +3. Open `/Library/LaunchDaemons/com.cloudflare.cloudflared.plist` in a text editor. + +4. Modify the `ProgramArguments` key with the desired configuration flag. For example, + + ```txt + + + Label + com.cloudflare.cloudflared + ProgramArguments + + /opt/homebrew/bin/cloudflared + tunnel + --logfile + + --loglevel + debug + run + --token + + + ``` + +5. Load the updated configuration file. + + ```sh + sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist + ``` + +6. Start the `cloudflared` service. + + ```sh + sudo launchctl start com.cloudflare.cloudflared + ``` + + + +On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named `cloudflared`. To configure your tunnel on Windows: + +1. Open the Registry Editor. + +2. Go to **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Services** > **cloudflared**. + +3. Double-click **ImagePath**. + +4. Modify **Value data** with the desired configuration flag. For example, + + ```txt + C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel info --logfile run --token + ``` + +![Modify cloudflared service in the Registry Editor](~/assets/images/cloudflare-one/connections/connect-apps/remote-management-windows.png) + + From e835227e1b0e624f48d94b3678fc9cea139a29ae Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 23 Feb 2026 16:22:14 -0500 Subject: [PATCH 24/33] origin parameters --- src/content/docs/tunnel/configuration.mdx | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx index df2cb98d34752a8..ea0da293bab0190 100644 --- a/src/content/docs/tunnel/configuration.mdx +++ b/src/content/docs/tunnel/configuration.mdx @@ -160,7 +160,7 @@ Then reinstall the `cloudflared` service on all replicas using the new token. ## Run parameters -These flags apply to the `cloudflared tunnel run` command. For remotely-managed tunnels, add them to the [tunnel service](#update-run-parameters). For locally-managed tunnels, add them to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) as key/value pairs. +These flags apply to the `cloudflared tunnel run` command. They control how the tunnel runs on your operating system. The most commonly used parameters: @@ -177,13 +177,15 @@ For the complete list of run parameters, refer to [Tunnel run parameters](/cloud ### Update run parameters -To modify how a remotely-managed tunnel runs on your OS, update the tunnel service with one or more [run parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/): +To update run parameters for remotely-managed tunnels, add them to the tunnel service. For locally-managed tunnels, add the run parameters to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) as key/value pairs. + +To update the tunnel service: ## Origin parameters -Origin configuration parameters control how `cloudflared` proxies traffic to your origin server. For remotely-managed tunnels, configure these in the dashboard. For locally-managed tunnels, add them to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). +Origin configuration parameters control how `cloudflared` proxies traffic to your origin server. The most commonly used parameters: @@ -194,7 +196,11 @@ The most commonly used parameters: | [`httpHostHeader`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#httphostheader) | `""` | Override HTTP Host header | | [`connectTimeout`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#connecttimeout) | `30s` | TCP connection timeout to origin | -For the complete list of origin parameters, refer to [Origin parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). +For the complete list of origin parameters, refer to [Origin configuration parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). + +### Update origin parameters + +To update origin parameters for remotely-managed tunnels, use the [Cloudflare One dashboard](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-origin-configuration) or the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/). For locally-managed tunnels, add the parameters to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). ## System requirements From 810efb841d724905e0f8da9bd0277107edfd6fa8 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 23 Feb 2026 17:10:50 -0500 Subject: [PATCH 25/33] add partials to configuration page --- .../configure-tunnels/cipher-suites.mdx | 10 +--- .../cloudflared-parameters/index.mdx | 7 +-- .../system-requirements.mdx | 51 +------------------ src/content/docs/tunnel/configuration.mdx | 39 ++++++-------- .../cloudflare-one/tunnel/cipher-suites.mdx | 12 +++++ .../tunnel/port-configuration.mdx | 35 +++++++++++++ .../cloudflare-one/tunnel/ulimits.mdx | 22 ++++++++ .../tunnel/update-origin-configuration.mdx | 9 ++++ 8 files changed, 98 insertions(+), 87 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/cipher-suites.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/port-configuration.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/ulimits.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/update-origin-configuration.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx index 113b6331f52f42f..01313efb5ebae83 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx @@ -7,14 +7,8 @@ sidebar: order: 11 --- -Cloudflare Tunnel connections use the cipher suites supported by `cloudflared`, which relies on the Go TLS library for its TLS implementation. These cipher suites apply to both the TLS connection between Cloudflare's network and `cloudflared`, and the HTTPS connection between `cloudflared` and your origin. In both cases, `cloudflared` negotiates the most secure cipher suite supported by both sides. +import { Render } from "~/components"; -The following table lists the cipher suites supported by `cloudflared`: - -| Protocol support | Cipher suites | -|------------------|----------------| -| TLS 1.3 only | `TLS_AES_128_GCM_SHA256`
`TLS_AES_256_GCM_SHA384`
`TLS_CHACHA20_POLY1305_SHA256` | -| TLS 1.2 only | `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | -| Up to and including TLS 1.2 | `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | + diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx index 93a9c09cb2a3049..2c3d8a6d609d16a 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx @@ -23,9 +23,4 @@ For instructions on configuring a locally-managed tunnel, refer to the [configur To configure how `cloudflared` sends requests to your [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/): -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. -2. Choose a tunnel and select **Edit**. -3. Select the **Published application routes** tab. -4. Choose an application and select **Edit**. -5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). -6. Select **Save**. \ No newline at end of file + \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx index dc5d5a91016a2b4..0dd296a4b6ac162 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements.mdx @@ -26,36 +26,7 @@ When `cloudflared` receives a request from a WARP device, it uses the ports on t - `cloudflared` should be deployed on a dedicated host machine. This model is typically appropriate, but there may be serverless or clustered workflows where a dedicated host is not possible. - The host machine should allocate 50,000 ports to be available for use by the `cloudflared` service. The remaining ports are reserved for system administrative processes. - - -To increase the number of ports available to `cloudflared` on Linux: - -If your machine has a `/etc/sysctl.d/` directory: - -```sh -echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.d/99-cloudflared.conf -sudo sysctl -p /etc/sysctl.d/99-cloudflared.conf -``` - -Otherwise: - -```sh -echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.conf -sudo sysctl -p /etc/sysctl.conf -``` - - - -To increase the number of ports available to `cloudflared` on Windows, set the [dynamic port range](https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcp-ip-port-exhaustion-troubleshooting) for TCP and UDP: - -```txt -netsh int ipv4 set dynamicport tcp start=11000 num=50000 -netsh int ipv4 set dynamicport udp start=11000 num=50000 -netsh int ipv6 set dynamicport tcp start=11000 num=50000 -netsh int ipv6 set dynamicport udp start=11000 num=50000 -``` - - + ### Private DNS @@ -63,25 +34,7 @@ DNS queries utilize [more system resources](#estimated-throughput) compared to T ### ulimits -On Linux and macOS, `ulimit` settings determine the system resources available to a logged-in user. We recommend configuring the following ulimits on the `cloudflared` server: - -| ulimit | Description | Value | -| ------ | ------------------------------------------------ | -------- | -| `-n` | Maximum number of open files or file descriptors | ≥ 70,000 | - -To view your current ulimits, open a terminal and run: - -```sh -ulimit -a -``` - -To set the open files `ulimit`: - -```sh -ulimit -n 70000 -``` - -The command above sets the open files limit only for the current terminal session and will not persist after a reboot or new login. To apply this limit permanently, configure it using the persistent method appropriate for your operating system. + ## Estimated throughput diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx index ea0da293bab0190..4476e66ecb9cc68 100644 --- a/src/content/docs/tunnel/configuration.mdx +++ b/src/content/docs/tunnel/configuration.mdx @@ -200,7 +200,11 @@ For the complete list of origin parameters, refer to [Origin configuration param ### Update origin parameters -To update origin parameters for remotely-managed tunnels, use the [Cloudflare One dashboard](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-origin-configuration) or the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/). For locally-managed tunnels, add the parameters to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). +To update origin parameters for remotely-managed tunnels, use the [Cloudflare One dashboard](https://one.dash.cloudflare.com) or the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/). For locally-managed tunnels, add the parameters to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). + +To configure origin parameters in Cloudflare One: + + ## System requirements @@ -210,31 +214,23 @@ To update origin parameters for remotely-managed tunnels, use the [Cloudflare On
- - -```sh -echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee /etc/sysctl.d/99-cloudflared.conf -sudo sysctl -p /etc/sysctl.d/99-cloudflared.conf -``` + - - -```txt -netsh int ipv4 set dynamicport tcp start=11000 num=50000 -netsh int ipv4 set dynamicport udp start=11000 num=50000 -netsh int ipv6 set dynamicport tcp start=11000 num=50000 -netsh int ipv6 set dynamicport udp start=11000 num=50000 -``` +
- +
-**ulimits (Linux/macOS):** Set the open file descriptor limit to at least 70,000 with `ulimit -n 70000`. Configure persistently for your OS. +
-Use the [metrics endpoint](/tunnel/monitoring/#cloudflared-metrics) to measure `cloudflared_tcp_total_sessions` and `cloudflared_udp_total_sessions`, then input your values: +To estimate tunnel capacity requirements for your deployment: +1. Use the [metrics endpoint](/tunnel/monitoring/#cloudflared-metrics) to measure `cloudflared_tcp_total_sessions` and `cloudflared_udp_total_sessions`. +2. Compute the average **TCP requests per second** by dividing `cloudflared_tcp_total_sessions` by total time. +3. Compute the average **Non-DNS UDP requests per second** by dividing `cloudflared_udp_total_sessions` by total time. +4. Input **TCP requests per second** and **Non-DNS UDP requests per second** into the calculator below. You can leave **Private DNS requests per second** as `0` unless you are using the tunnel for [private network access](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/). @@ -244,9 +240,4 @@ To increase tunnel capacity, add identical hosts running `cloudflared` replicas. ## Cipher suites -`cloudflared` uses the Go TLS library. All tunnel connections use TLS 1.3 and post-quantum encryption by default. - -| Protocol | Cipher suites | -| -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| TLS 1.3 | `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256` | -| TLS 1.2 | `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | + diff --git a/src/content/partials/cloudflare-one/tunnel/cipher-suites.mdx b/src/content/partials/cloudflare-one/tunnel/cipher-suites.mdx new file mode 100644 index 000000000000000..fc6054919539677 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/cipher-suites.mdx @@ -0,0 +1,12 @@ +--- +--- + +Cloudflare Tunnel connections use the cipher suites supported by `cloudflared`, which relies on the Go TLS library for its TLS implementation. These cipher suites apply to both the TLS connection between Cloudflare's network and `cloudflared`, and the HTTPS connection between `cloudflared` and your origin. In both cases, `cloudflared` negotiates the most secure cipher suite supported by both sides. All tunnel connections use TLS 1.3 and post-quantum encryption by default. + +The following table lists the cipher suites supported by `cloudflared`: + +| Protocol support | Cipher suites | +|------------------|----------------| +| TLS 1.3 only | `TLS_AES_128_GCM_SHA256`
`TLS_AES_256_GCM_SHA384`
`TLS_CHACHA20_POLY1305_SHA256` | +| TLS 1.2 only | `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | +| Up to and including TLS 1.2 | `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | diff --git a/src/content/partials/cloudflare-one/tunnel/port-configuration.mdx b/src/content/partials/cloudflare-one/tunnel/port-configuration.mdx new file mode 100644 index 000000000000000..465ed479bf6c2f1 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/port-configuration.mdx @@ -0,0 +1,35 @@ +--- +--- + +import { TabItem, Tabs } from "~/components"; + + + +To increase the number of ports available to `cloudflared` on Linux: + +If your machine has a `/etc/sysctl.d/` directory: + +```sh +echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.d/99-cloudflared.conf +sudo sysctl -p /etc/sysctl.d/99-cloudflared.conf +``` + +Otherwise: + +```sh +echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.conf +sudo sysctl -p /etc/sysctl.conf +``` + + + +To increase the number of ports available to `cloudflared` on Windows, set the [dynamic port range](https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcp-ip-port-exhaustion-troubleshooting) for TCP and UDP: + +```txt +netsh int ipv4 set dynamicport tcp start=11000 num=50000 +netsh int ipv4 set dynamicport udp start=11000 num=50000 +netsh int ipv6 set dynamicport tcp start=11000 num=50000 +netsh int ipv6 set dynamicport udp start=11000 num=50000 +``` + + diff --git a/src/content/partials/cloudflare-one/tunnel/ulimits.mdx b/src/content/partials/cloudflare-one/tunnel/ulimits.mdx new file mode 100644 index 000000000000000..dc6bc8a21920d37 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/ulimits.mdx @@ -0,0 +1,22 @@ +--- +--- + +On Linux and macOS, `ulimit` settings determine the system resources available to a logged-in user. We recommend configuring the following ulimits on the `cloudflared` server: + +| ulimit | Description | Value | +| ------ | ------------------------------------------------ | -------- | +| `-n` | Maximum number of open files or file descriptors | ≥ 70,000 | + +To view your current ulimits, open a terminal and run: + +```sh +ulimit -a +``` + +To set the open files `ulimit`: + +```sh +ulimit -n 70000 +``` + +The command above sets the open files limit only for the current terminal session and will not persist after a reboot or new login. To apply this limit permanently, configure it using the persistent method appropriate for your operating system. diff --git a/src/content/partials/cloudflare-one/tunnel/update-origin-configuration.mdx b/src/content/partials/cloudflare-one/tunnel/update-origin-configuration.mdx new file mode 100644 index 000000000000000..38ab148e3b71400 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/update-origin-configuration.mdx @@ -0,0 +1,9 @@ +--- +--- + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. +2. Choose a tunnel and select **Edit**. +3. Select the **Published application routes** tab. +4. Choose an application and select **Edit**. +5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). +6. Select **Save**. From f6837532442d853aa8c4c430d17d0e9f9d1848f5 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 23 Feb 2026 18:58:35 -0500 Subject: [PATCH 26/33] logs partial --- .../monitor-tunnels/logs.mdx | 59 ++++++------------- src/content/docs/tunnel/configuration.mdx | 2 +- src/content/docs/tunnel/monitoring.mdx | 44 +++++++------- .../cloudflare-one/tunnel/filter-logs.mdx | 16 +++++ .../cloudflare-one/tunnel/view-logs-cli.mdx | 20 +++++++ .../tunnel/view-logs-on-server.mdx | 16 +++++ 6 files changed, 95 insertions(+), 62 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/filter-logs.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/view-logs-cli.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/view-logs-on-server.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs.mdx index 5915f5ec294e60e..d8e5c5da399c00e 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs.mdx @@ -8,19 +8,21 @@ head: content: Tunnel log streams --- +import { Render } from "~/components"; + Tunnel logs record all activity between a `cloudflared` instance and Cloudflare's global network, as well as all activity between `cloudflared` and your origin server. These logs allow you to investigate connectivity or performance issues with a Cloudflare Tunnel. You can configure your server to store persistent logs, or you can stream real-time logs from any client machine. ## View logs on the server -If you have access to the origin server, you can use the [`--loglevel` flag](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) to enable logging when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not store logs on the server. You can optionally use the [`--logfile` flag](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#logfile) to write your logs to a file. - -To enable logs for a locally-managed tunnel: - -```sh -cloudflared tunnel --loglevel info --logfile cloudflared.log run -``` - -To enable logs for a remotely-managed tunnel, add `--loglevel info` and `--logfile ` to your system service as shown in [Add tunnel run parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters). + ## View logs on your local machine @@ -42,40 +44,17 @@ Dashboard log streams are only available for remotely-managed tunnels. To view l The `cloudflared` daemon can stream logs from any tunnel in your account to the local command line. `cloudflared` must be installed on both your local machine and the origin server. -#### View logs - -1. On your local machine, authenticate `cloudflared` to your Cloudflare One account: - - ```sh - cloudflared tunnel login - ``` - -2. Run `cloudflared tail` for a specific tunnel: - - ```sh - cloudflared tail - ``` - - For a more structured view of the JSON message, you can pipe the output to tools like [jq](https://stedolan.github.io/jq/): - - ```sh - cloudflared tail --output=json | jq . - ``` + #### Filter logs -You can filter logs by event type (`--event`), event level (`--level`), or sampling rate (`-sampling`) to reduce the volume of logs streamed from the origin. This helps mitigate the performance impact on the origin, especially when the origin is normally under high load. For example: - -```sh -cloudflared tail --level debug -``` - -| Flag | Description | Allowed values | Default value | -| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------- | -| `--event` | Filter by the type of event / request. | `cloudflared`, `http`, `tcp`, `udp` | All events | -| `--level` | Return logs at this level and above. Works independently of the [`--loglevel`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) setting on the server. | `debug`, `info`, `warn`, `error`, `fatal` | `debug` | -| `--sampling` | Sample a fraction of the total logs. | Number from `0.0` to `1.0` | `1.0` | -| | | | | + #### View logs for a replica diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx index 4476e66ecb9cc68..301c917cdb529ae 100644 --- a/src/content/docs/tunnel/configuration.mdx +++ b/src/content/docs/tunnel/configuration.mdx @@ -230,7 +230,7 @@ To estimate tunnel capacity requirements for your deployment: 1. Use the [metrics endpoint](/tunnel/monitoring/#cloudflared-metrics) to measure `cloudflared_tcp_total_sessions` and `cloudflared_udp_total_sessions`. 2. Compute the average **TCP requests per second** by dividing `cloudflared_tcp_total_sessions` by total time. 3. Compute the average **Non-DNS UDP requests per second** by dividing `cloudflared_udp_total_sessions` by total time. -4. Input **TCP requests per second** and **Non-DNS UDP requests per second** into the calculator below. You can leave **Private DNS requests per second** as `0` unless you are using the tunnel for [private network access](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/). +4. Input **TCP requests per second** and **Non-DNS UDP requests per second** into the calculator below. (You can leave **Private DNS requests per second** as `0` unless you are using the tunnel for [private network access](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/).) diff --git a/src/content/docs/tunnel/monitoring.mdx b/src/content/docs/tunnel/monitoring.mdx index 7b9e512c3248b45..ab178894e0d04ad 100644 --- a/src/content/docs/tunnel/monitoring.mdx +++ b/src/content/docs/tunnel/monitoring.mdx @@ -40,35 +40,37 @@ Tunnel logs record all activity between `cloudflared` and the Cloudflare global ### Server-side logs -If you have access to the origin server, use the [`--loglevel`](/tunnel/configuration/#loglevel) flag to set the log level when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not persist them. Use the [`--logfile`](/tunnel/configuration/#logfile) flag to write logs to a file. - -For a locally-managed tunnel: - -```sh -cloudflared tunnel --loglevel info --logfile cloudflared.log run -``` - -For a remotely-managed tunnel, add `--loglevel info` and `--logfile ` to your system service as described in [Run parameters](/tunnel/configuration/#run-parameters). + ### Remote log streaming (CLI) You can stream real-time logs from a running tunnel without SSH access to the server. `cloudflared` must be installed on your local machine. -1. Authenticate `cloudflared`: - - ```sh - cloudflared tunnel login - ``` - -2. Stream logs: + - ```sh - cloudflared tail - ``` +3. If you are running multiple [replicas](/tunnel/configuration/#replicas-and-high-availability), specify which replica to stream logs from: + ```sh + cloudflared tail --connector-id + ``` - Add `--output=json` and pipe to [jq](https://stedolan.github.io/jq/) for structured output. Use `--level`, `--event`, or `--sampling` flags to filter by severity, event type, or sample rate. +
+ - For [replicas](/tunnel/configuration/#replicas-and-high-availability), specify which instance to stream from with `--connector-id `. +
:::note Dashboard-based log streaming is available in the [Cloudflare One dashboard](https://one.dash.cloudflare.com/) under **Networks** > **Connectors** > **Cloudflare Tunnels**. diff --git a/src/content/partials/cloudflare-one/tunnel/filter-logs.mdx b/src/content/partials/cloudflare-one/tunnel/filter-logs.mdx new file mode 100644 index 000000000000000..6c50a4d38d46d4a --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/filter-logs.mdx @@ -0,0 +1,16 @@ +--- +params: + - loglevelURL +--- + +You can filter logs by event type (`--event`), event level (`--level`), or sampling rate (`-sampling`) to reduce the volume of logs streamed from the origin. This helps mitigate the performance impact on the origin, especially when the origin is normally under high load. For example: + +```sh +cloudflared tail --level debug +``` + +| Flag | Description | Allowed values | Default value | +| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------- | +| `--event` | Filter by the type of event / request. | `cloudflared`, `http`, `tcp`, `udp` | All events | +| `--level` | Return logs at this level and above. Works independently of the `--loglevel` setting on the server. | `debug`, `info`, `warn`, `error`, `fatal` | `debug` | +| `--sampling` | Sample a fraction of the total logs. | Number from `0.0` to `1.0` | `1.0` | diff --git a/src/content/partials/cloudflare-one/tunnel/view-logs-cli.mdx b/src/content/partials/cloudflare-one/tunnel/view-logs-cli.mdx new file mode 100644 index 000000000000000..f194fb638079003 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/view-logs-cli.mdx @@ -0,0 +1,20 @@ +--- +--- + +1. On your local machine, authenticate `cloudflared` to your Cloudflare account: + + ```sh + cloudflared tunnel login + ``` + +2. Run `cloudflared tail` for a specific tunnel: + + ```sh + cloudflared tail + ``` + + For a more structured view of the JSON message, you can pipe the output to tools like [jq](https://stedolan.github.io/jq/): + + ```sh + cloudflared tail --output=json | jq . + ``` diff --git a/src/content/partials/cloudflare-one/tunnel/view-logs-on-server.mdx b/src/content/partials/cloudflare-one/tunnel/view-logs-on-server.mdx new file mode 100644 index 000000000000000..66b8b76770d16bd --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/view-logs-on-server.mdx @@ -0,0 +1,16 @@ +--- +params: + - loglevelURL + - logfileURL + - runParametersURL +--- + +If you have access to the origin server, you can use the `--loglevel` flag to enable logging when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not store logs on the server. You can optionally use the `--logfile` flag to write your logs to a file. + +To enable logs for a remotely-managed tunnel, add `--loglevel info` and `--logfile ` to your system service as shown in Run parameters. + +To enable logs for a locally-managed tunnel: + +```sh +cloudflared tunnel --loglevel info --logfile cloudflared.log run +``` \ No newline at end of file From 11934a422e4f75ca511387b7797d71b874108553 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 24 Feb 2026 13:57:18 -0500 Subject: [PATCH 27/33] advanced section --- .../origin-parameters.mdx | 201 ++--------------- .../cloudflared-parameters/run-parameters.mdx | 202 ++---------------- .../docs/tunnel/advanced/cipher-suites.mdx | 14 ++ src/content/docs/tunnel/advanced/index.mdx | 12 ++ .../local-management/as-a-service/index.mdx | 0 .../local-management/as-a-service/linux.mdx | 0 .../local-management/as-a-service/macos.mdx | 0 .../local-management/as-a-service/windows.mdx | 0 .../local-management/configuration-file.mdx | 0 .../local-management/create-local-tunnel.mdx | 0 .../advanced/local-management/index.mdx | 14 ++ .../local-management/local-tunnel-terms.mdx | 0 .../local-management/tunnel-permissions.mdx | 0 .../tunnel-useful-commands.mdx | 0 .../tunnel/advanced/origin-parameters.mdx | 20 ++ .../docs/tunnel/advanced/run-parameters.mdx | 24 +++ src/content/docs/tunnel/configuration.mdx | 38 ++-- .../docs/tunnel/other-tunnel-types/index.mdx | 15 -- .../local-management/index.mdx | 16 -- .../other-tunnel-types/quick-tunnels.mdx | 39 ---- .../tunnel/origin-parameters.mdx | 196 +++++++++++++++++ .../cloudflare-one/tunnel/run-parameters.mdx | 200 +++++++++++++++++ 22 files changed, 523 insertions(+), 468 deletions(-) create mode 100644 src/content/docs/tunnel/advanced/cipher-suites.mdx create mode 100644 src/content/docs/tunnel/advanced/index.mdx rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/as-a-service/index.mdx (100%) rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/as-a-service/linux.mdx (100%) rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/as-a-service/macos.mdx (100%) rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/as-a-service/windows.mdx (100%) rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/configuration-file.mdx (100%) rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/create-local-tunnel.mdx (100%) create mode 100644 src/content/docs/tunnel/advanced/local-management/index.mdx rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/local-tunnel-terms.mdx (100%) rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/tunnel-permissions.mdx (100%) rename src/content/docs/tunnel/{other-tunnel-types => advanced}/local-management/tunnel-useful-commands.mdx (100%) create mode 100644 src/content/docs/tunnel/advanced/origin-parameters.mdx create mode 100644 src/content/docs/tunnel/advanced/run-parameters.mdx delete mode 100644 src/content/docs/tunnel/other-tunnel-types/index.mdx delete mode 100644 src/content/docs/tunnel/other-tunnel-types/local-management/index.mdx delete mode 100644 src/content/docs/tunnel/other-tunnel-types/quick-tunnels.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/origin-parameters.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/run-parameters.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx index 96625611f425afc..38ea90fb0689a42 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters.mdx @@ -3,193 +3,18 @@ pcx_content_type: reference title: Origin configuration parameters sidebar: order: 9 - --- -Origin configuration parameters determine how `cloudflared` proxies traffic to your origin server. If you are using remotely-managed tunnels (default), configure these settings [using the dashboard or API](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-origin-configuration). If you are using [locally-managed tunnels](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/), add these parameters to your [configuration file](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/). - -## TLS settings - -### originServerName - -| Default | UI name | -| ------- | ------------------ | -| `""` | Origin Server Name | - -Hostname that `cloudflared` should expect from your origin server certificate. If null, the expected hostname is the service URL, for example `localhost` if the service is `https://localhost:443`. - -### matchSNItoHost - -| Default | UI name | -| ------- | ----------------- | -| `false` | Match SNI to Host | - -When `true`, `cloudflared` will automatically set the Server Name Indication (SNI) during the TLS handshake to the hostname of the incoming request. - -This setting is useful when directing traffic to entry points that host multiple services and rely on SNI to route requests or present the correct certificate. It eliminates the need to explicitly configure [`originServerName`](#originservername) for individual services when using wildcard routing. - -### caPool - -| Default | UI name | -| ------- | -------------------------- | -| `""` | Certificate Authority Pool | - -Local file path to the certificate authority (CA) for your origin server certificate (for example, `/root/certs/ca.pem`). The path should point to a certificate store file or a bundle file in `.pem` or `.crt` format that contains one or more trusted root CA certificates. You should only configure this setting if your certificate is not signed by Cloudflare. - -### noTLSVerify - -| Default | UI name | -| ------- | ------------- | -| `false` | No TLS Verify | - -When `false`, TLS verification is performed on the certificate presented by your origin. - -When `true`, TLS verification is disabled. This will allow any certificate from the origin to be accepted. - -### tlsTimeout - -| Default | UI name | -| ------- | ----------- | -| `10s` | TLS Timeout | - -Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - -### http2Origin - -| Default | UI name | -| ------- | ---------------- | -| `false` | HTTP2 connection | - -When `false`, `cloudflared` will connect to your origin with HTTP/1.1. - -When `true`, `cloudflared` will attempt to connect to your origin server using HTTP/2.0 instead of HTTP/1.1. HTTP/2.0 is a faster protocol for high traffic origins but requires you to deploy an SSL certificate on the origin. We recommend using this setting in conjunction with [noTLSVerify](#notlsverify) so that you can use a self-signed certificate. - -## HTTP settings - -### httpHostHeader - -| Default | UI name | -| ------- | ---------------- | -| `""` | HTTP Host Header | - -Sets the HTTP `Host` header on requests sent to the local service. - -### disableChunkedEncoding - -| Default | UI name | -| ------- | ------------------------ | -| `false` | Disable Chunked Encoding | - -When `false`, `cloudflared` performs chunked transfer encoding when transferring data over HTTP/1.1. - -When `true`, chunked transfer encoding is disabled. This is useful if you are running a Web Server Gateway Interface (WSGI) server. - -## Connection settings - -### connectTimeout - -| Default | UI name | -| ------- | --------------- | -| `30s` | Connect Timeout | - -Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to -establish TLS, which is controlled by tlsTimeout. - -### noHappyEyeballs - -| Default | UI name | -| ------- | ----------------- | -| `false` | No Happy Eyeballs | - -When `false`, `cloudflared` uses the Happy Eyeballs algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - -When `true`, Happy Eyeballs is disabled. - -### proxyType - -| Default | UI name | -| ------- | ---------- | -| `""` | Proxy Type | - -`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. -This configures what type of proxy will be started. Valid options are: - -* `""` for the regular proxy -* `"socks"` for a SOCKS5 proxy. Refer to the [tutorial on connecting through Cloudflare Access using kubectl](/cloudflare-one/tutorials/kubectl/) for more information. - -### proxyAddress - -:::note - -For locally-managed tunnels only. -::: - -| Default | UI name | -| ----------- | ------- | -| `127.0.0.1` | -- | - -`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. -This configures the listen address for that proxy. - -### proxyPort - -:::note - -For locally-managed tunnels only. -::: - -| Default | UI name | -| ------- | ------- | -| `0` | -- | - -`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. -This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen. - -### keepAliveTimeout - -| Default | UI name | -| ------- | ------------------------------- | -| `1m30s` | Idle Connection Expiration Time | - -Timeout after which an idle keepalive connection can be discarded. - -### keepAliveConnections - -| Default | UI name | -| ------- | ---------------------- | -| `100` | Keep Alive Connections | - -Default: `100` - -Maximum number of idle keepalive connections between Cloudflare and your origin. This does not restrict the total number of concurrent connections. - -### tcpKeepAlive - -| Default | UI name | -| ------- | ----------------------- | -| `30s` | TCP Keep Alive Interval | - -Default: `30s` - -The timeout after which a TCP keepalive packet is sent on a connection between Cloudflare and the origin server. - -## Access settings - -### access - -| Default | UI name | -| ------- | ------------------- | -| `""` | Protect with Access | - -Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname services that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header. - -To enable this security control in a [configuration file](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/#origin-configuration), [get the AUD tag](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`: - -```yml -access: - required: true - teamName: - audTag: - - - - -``` +import { Render } from "~/components"; + + diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx index 2f7a652eaf10ade..93fb5c0c840533f 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters.mdx @@ -7,190 +7,18 @@ sidebar: import { Render } from "~/components"; -This page lists general-purpose configuration options that you can [add](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters) to the `cloudflared tunnel run` command. - -Alternatively, if you are running a [locally-managed tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/) you can add these flags to your [configuration file](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) as key/value pairs. - -## `autoupdate-freq` - -| Syntax | Default | -| ---------------------------------------------------------------- | ------- | -| `cloudflared tunnel --autoupdate-freq run ` | `24h` | - -Configures the frequency of `cloudflared` updates. - -By default, `cloudflared` will periodically check for updates and restart with the new version. Restarts are performed by spawning a new process that connects to the Cloudflare global network. On successful connection, the old process will gracefully shut down after handling all outstanding requests. See also: [`no-autoupdate`](#no-autoupdate). - -## `config` - -:::note - -For locally-managed tunnels only. -::: - -| Syntax | Default | -| ------------------------------------------------------- | --------------------------- | -| `cloudflared tunnel --config run ` | `~/.cloudflared/config.yml` | - -Specifies the path to a [configuration file](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) in YAML format. - -## `edge-bind-address` - -| Syntax | Environment Variable | -| ---------------------------------------------------------------- | -------------------------- | -| `cloudflared tunnel --edge-bind-address run ` | `TUNNEL_EDGE_BIND_ADDRESS` | - -Specifies the outgoing IP address used to establish a connection between `cloudflared` and the Cloudflare global network. - -By default, `cloudflared` lets the operating system decide which IP address to use. This option is useful if you have multiple network interfaces available and want to prefer a specific interface. - -The IP version of `edge-bind-address` will override [`edge-ip-version`](#edge-ip-version) (if provided). For example, if you enter an IPv6 source address, `cloudflared` will always connect to an IPv6 destination. - -## `edge-ip-version` - -| Syntax | Default | Environment Variable | -| ------------------------------------------------------------------- | ------- | ------------------------ | -| `cloudflared tunnel --edge-ip-version run ` | `4` | `TUNNEL_EDGE_IP_VERSION` | - -Specifies the IP address version (IPv4 or IPv6) used to establish a connection between `cloudflared` and the Cloudflare global network. Available values are `auto`, `4`, and `6`. - -The value `auto` relies on the host operating system to determine which IP version to select. The first IP version returned from the DNS resolution of the region lookup will be used as the primary set. In dual IPv6 and IPv4 network setups, `cloudflared` will separate the IP versions into two address sets that will be used to fallback in connectivity failure scenarios. - -## `grace-period` - -| Syntax | Default | Environment Variable | -| --------------------------------------------------------------- | ------- | --------------------- | -| `cloudflared tunnel --grace-period run ` | `30s` | `TUNNEL_GRACE_PERIOD` | - -When `cloudflared` receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shut down. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received. - -## `logfile` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --logfile run ` | `TUNNEL_LOGFILE` | - -Saves application log to this file. Mainly useful for reporting issues. For more details on what information you need when contacting Cloudflare support, refer to [this guide](/cloudflare-one/faq/cloudflare-tunnels-faq/). - -## `loglevel` - -| Syntax | Default | Environment Variable | -| ---------------------------------------------------------- | ------- | -------------------- | -| `cloudflared tunnel --loglevel run ` | `info` | `TUNNEL_LOGLEVEL` | - -Specifies the verbosity of logging for the local `cloudflared` instance. Available values are `debug`, `info` (default), `warn`, `error`, and `fatal`. At the `debug` level, `cloudflared` will log and display the request URL, method, protocol, content length, as well as all request and response headers. However, note that this can expose sensitive information in your logs. - -## `metrics` - -| Syntax | Default | Environment Variable | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | -------------------- | -| `cloudflared tunnel --metrics run ` | Refer to [Tunnel metrics](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/) | `TUNNEL_METRICS` | - -Exposes a Prometheus endpoint on the specified IP address and port, which you can then query for [usage metrics](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/). - -## `no-autoupdate` - -:::note - -Does not apply if you installed `cloudflared` using a package manager. - -::: - -| Syntax | Environment Variable | -| ------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --no-autoupdate run ` | `NO_AUTOUPDATE` | - -Disables automatic `cloudflared` updates. See also: [`autoupdate-freq`](#autoupdate-freq). - -## `origincert` - -:::note - -For locally-managed tunnels only. -::: - -| Syntax | Default | Environment Variable | -| ----------------------------------------------------------- | ------------------------- | -------------------- | -| `cloudflared tunnel --origincert run ` | `~/.cloudflared/cert.pem` | `TUNNEL_ORIGIN_CERT` | - -Specifies the [account certificate](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/tunnel-permissions/) for one of your zones, authorizing the client to serve as an origin for that zone. You can obtain a certificate by using the `cloudflared tunnel login` command or by visiting `https://dash.cloudflare.com/argotunnel`. - -## `pidfile` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --pidfile run ` | `TUNNEL_PIDFILE` | - -Writes the application's process identifier (PID) to this file after the first successful connection. Mainly useful for scripting and service integration. - -## `post-quantum` - -| Syntax | Environment Variable | -| ------------------------------------------------------ | --------------------- | -| `cloudflared tunnel run --post-quantum ` | `TUNNEL_POST_QUANTUM` | - -By default, Cloudflare Tunnel connections over [`quic`](#protocol) are encrypted using [post-quantum cryptography (PQC)](/ssl/post-quantum-cryptography/) but will fall back to non-PQ if there are issues connecting. If the `--post-quantum` flag is provided, `quic` connections are only allowed to use PQ key agreements, with no fallback to non-PQ. - -Post-quantum key agreements are not supported when using `http2` protocol. - -## `protocol` - -| Syntax | Default | Environment Variable | -| ---------------------------------------------------------- | ------- | --------------------------- | -| `cloudflared tunnel --protocol run ` | `auto` | `TUNNEL_TRANSPORT_PROTOCOL` | - -Specifies the protocol used to establish a connection between `cloudflared` and the Cloudflare global network. Available values are `auto`, `http2`, and `quic`. - -The `auto` value will automatically configure the `quic` protocol. If `cloudflared` is unable to establish UDP connections, it will fallback to using the `http2` protocol. - -## `region` - -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --region run ` | `TUNNEL_REGION` | - -Allows you to choose the regions to which connections are established. Currently the only available value is `us`, which routes all connections through data centers in the United States. Omit or leave empty to connect to the global region. - -When the region is set to `us`, `cloudflared` uses different US-specific hostnames and IPs. Refer to [Tunnel with firewall](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall/#region-us) for details. - -## `retries` - -| Syntax | Default | Environment Variable | -| --------------------------------------------------------- | ------- | -------------------- | -| `cloudflared tunnel --retries run ` | `5` | `TUNNEL_RETRIES` | - -Specifies the maximum number of retries for connection/protocol errors. Retries use exponential backoff (retrying at 1, 2, 4, 8, 16 seconds by default), so it is not recommended that you increase this value significantly. - -## `tag` - -| Syntax | Environment Variable | -| ------------------------------------------------------- | -------------------- | -| `cloudflared tunnel --tag run ` | `TUNNEL_TAG` | - -Specifies custom tags used to identify this tunnel. Multiple tags may be specified by adding additional `--tag ` flags to the command. If entering multiple tags into a configuration file, delimit with commas: `tag: {KEY1=VALUE1, KEY2=VALUE2}`. - -## `token` - -:::note - -For remotely-managed tunnels only. -::: - -| Syntax | Environment Variable | -| ----------------------------------------------- | -------------------- | -| `cloudflared tunnel run --token ` | `TUNNEL_TOKEN` | - -Associates the `cloudflared` instance with a specific tunnel. The tunnel's token is shown in the dashboard when you first [create the tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/). You can also retrieve the token using the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/). - -## `token-file` - -:::note - -For remotely-managed tunnels only. Requires `2025.4.0` or later. -::: - -| Syntax | Environment Variable | -| -------------------------------------------- | -------------------- | -| `cloudflared tunnel run --token-file ` | `TUNNEL_TOKEN_FILE` | - -Associates the `cloudflared` instance with a specific tunnel using a file which contains the token. + diff --git a/src/content/docs/tunnel/advanced/cipher-suites.mdx b/src/content/docs/tunnel/advanced/cipher-suites.mdx new file mode 100644 index 000000000000000..e506d43adf8dddb --- /dev/null +++ b/src/content/docs/tunnel/advanced/cipher-suites.mdx @@ -0,0 +1,14 @@ +--- +pcx_content_type: reference +title: Cipher suites +description: | + Review the TLS cipher suites supported by `cloudflared` for secure connections between your origin and Cloudflare's network. +sidebar: + order: 4 +--- + +import { Render } from "~/components"; + + + + diff --git a/src/content/docs/tunnel/advanced/index.mdx b/src/content/docs/tunnel/advanced/index.mdx new file mode 100644 index 000000000000000..8fe5273c22a48e1 --- /dev/null +++ b/src/content/docs/tunnel/advanced/index.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: navigation +title: Advanced +sidebar: + order: 9 + group: + hideIndex: true +--- + +import { DirectoryListing } from "~/components"; + + diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/index.mdx b/src/content/docs/tunnel/advanced/local-management/as-a-service/index.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/index.mdx rename to src/content/docs/tunnel/advanced/local-management/as-a-service/index.mdx diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx b/src/content/docs/tunnel/advanced/local-management/as-a-service/linux.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/linux.mdx rename to src/content/docs/tunnel/advanced/local-management/as-a-service/linux.mdx diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx b/src/content/docs/tunnel/advanced/local-management/as-a-service/macos.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/macos.mdx rename to src/content/docs/tunnel/advanced/local-management/as-a-service/macos.mdx diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx b/src/content/docs/tunnel/advanced/local-management/as-a-service/windows.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/as-a-service/windows.mdx rename to src/content/docs/tunnel/advanced/local-management/as-a-service/windows.mdx diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/configuration-file.mdx b/src/content/docs/tunnel/advanced/local-management/configuration-file.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/configuration-file.mdx rename to src/content/docs/tunnel/advanced/local-management/configuration-file.mdx diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx b/src/content/docs/tunnel/advanced/local-management/create-local-tunnel.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/create-local-tunnel.mdx rename to src/content/docs/tunnel/advanced/local-management/create-local-tunnel.mdx diff --git a/src/content/docs/tunnel/advanced/local-management/index.mdx b/src/content/docs/tunnel/advanced/local-management/index.mdx new file mode 100644 index 000000000000000..8220539e8b52ea6 --- /dev/null +++ b/src/content/docs/tunnel/advanced/local-management/index.mdx @@ -0,0 +1,14 @@ +--- +pcx_content_type: navigation +title: Locally-managed tunnels +sidebar: + order: 1 +--- + +import { DirectoryListing } from "~/components"; + +Cloudflare recommends creating a [remotely-managed tunnel](/tunnel/setup/) for most use cases. Remotely-managed tunnels store their configuration on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. + +As an alternative workflow, you can create a locally-managed tunnel by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory). Locally-managed tunnels are intended for specific scenarios such as local development, testing, or legacy configurations. + + diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx b/src/content/docs/tunnel/advanced/local-management/local-tunnel-terms.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/local-tunnel-terms.mdx rename to src/content/docs/tunnel/advanced/local-management/local-tunnel-terms.mdx diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx b/src/content/docs/tunnel/advanced/local-management/tunnel-permissions.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-permissions.mdx rename to src/content/docs/tunnel/advanced/local-management/tunnel-permissions.mdx diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx b/src/content/docs/tunnel/advanced/local-management/tunnel-useful-commands.mdx similarity index 100% rename from src/content/docs/tunnel/other-tunnel-types/local-management/tunnel-useful-commands.mdx rename to src/content/docs/tunnel/advanced/local-management/tunnel-useful-commands.mdx diff --git a/src/content/docs/tunnel/advanced/origin-parameters.mdx b/src/content/docs/tunnel/advanced/origin-parameters.mdx new file mode 100644 index 000000000000000..8510441689badaa --- /dev/null +++ b/src/content/docs/tunnel/advanced/origin-parameters.mdx @@ -0,0 +1,20 @@ +--- +pcx_content_type: reference +title: Origin parameters +sidebar: + order: 3 +--- + +import { Render } from "~/components"; + + diff --git a/src/content/docs/tunnel/advanced/run-parameters.mdx b/src/content/docs/tunnel/advanced/run-parameters.mdx new file mode 100644 index 000000000000000..8a155428c3341c2 --- /dev/null +++ b/src/content/docs/tunnel/advanced/run-parameters.mdx @@ -0,0 +1,24 @@ +--- +pcx_content_type: reference +title: Run parameters +sidebar: + order: 2 +--- + +import { Render } from "~/components"; + + diff --git a/src/content/docs/tunnel/configuration.mdx b/src/content/docs/tunnel/configuration.mdx index 301c917cdb529ae..c24aff0d82444b1 100644 --- a/src/content/docs/tunnel/configuration.mdx +++ b/src/content/docs/tunnel/configuration.mdx @@ -15,7 +15,7 @@ import { APIRequest, } from "~/components"; -This page covers the runtime configuration for `cloudflared` tunnels, including high availability, firewall rules, tokens, and all supported parameters. +This page covers the runtime configuration for `cloudflared` tunnels, including high availability, firewall rules, tokens, and common parameters. ## Replicas and high availability @@ -166,20 +166,18 @@ The most commonly used parameters: | Parameter | Default | Description | | --------------- | ----------------- | -------------------------------------------------------- | -| [`--loglevel`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) | `info` | Log verbosity: `debug`, `info`, `warn`, `error`, `fatal` | -| [`--logfile`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#logfile) | stdout | Path to write log output | -| [`--metrics`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#metrics) | `127.0.0.1:2024x` | Prometheus metrics endpoint address | -| [`--protocol`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol) | `auto` | Connection protocol: `auto`, `quic`, `http2` | -| [`--region`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#region) | global | Route through US-only data centers with `us` | -| [`--token`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#token) | — | Tunnel token (remotely-managed tunnels) | +| [`--loglevel`](/tunnel/advanced/run-parameters/#loglevel) | `info` | Log verbosity: `debug`, `info`, `warn`, `error`, `fatal` | +| [`--logfile`](/tunnel/advanced/run-parameters/#logfile) | stdout | Path to write log output | +| [`--metrics`](/tunnel/advanced/run-parameters/#metrics) | `127.0.0.1:2024x` | Prometheus metrics endpoint address | +| [`--protocol`](/tunnel/advanced/run-parameters/#protocol) | `auto` | Connection protocol: `auto`, `quic`, `http2` | +| [`--region`](/tunnel/advanced/run-parameters/#region) | global | Route through US-only data centers with `us` | +| [`--token`](/tunnel/advanced/run-parameters/#token) | — | Tunnel token (remotely-managed tunnels) | -For the complete list of run parameters, refer to [Tunnel run parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/). +For the complete list of run parameters, refer to [Run parameters](/tunnel/advanced/run-parameters/). ### Update run parameters -To update run parameters for remotely-managed tunnels, add them to the tunnel service. For locally-managed tunnels, add the run parameters to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) as key/value pairs. - -To update the tunnel service: +To update run parameters, add them to the tunnel service: @@ -191,18 +189,16 @@ The most commonly used parameters: | Parameter | Default | Description | | --------------------------------------- | ------- | ----------------------------------------- | -| [`originServerName`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#originservername) | `""` | Hostname expected from origin certificate | -| [`noTLSVerify`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) | `false` | Disable TLS certificate verification | -| [`httpHostHeader`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#httphostheader) | `""` | Override HTTP Host header | -| [`connectTimeout`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#connecttimeout) | `30s` | TCP connection timeout to origin | +| [`originServerName`](/tunnel/advanced/origin-parameters/#originservername) | `""` | Hostname expected from origin certificate | +| [`noTLSVerify`](/tunnel/advanced/origin-parameters/#notlsverify) | `false` | Disable TLS certificate verification | +| [`httpHostHeader`](/tunnel/advanced/origin-parameters/#httphostheader) | `""` | Override HTTP Host header | +| [`connectTimeout`](/tunnel/advanced/origin-parameters/#connecttimeout) | `30s` | TCP connection timeout to origin | -For the complete list of origin parameters, refer to [Origin configuration parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/). +For the complete list of origin parameters, refer to [Origin parameters](/tunnel/advanced/origin-parameters/). ### Update origin parameters -To update origin parameters for remotely-managed tunnels, use the [Cloudflare One dashboard](https://one.dash.cloudflare.com) or the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/). For locally-managed tunnels, add the parameters to your [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). - -To configure origin parameters in Cloudflare One: +To update origin parameters, use the [Cloudflare One dashboard](https://one.dash.cloudflare.com) or the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/): @@ -237,7 +233,3 @@ To estimate tunnel capacity requirements for your deployment: To increase tunnel capacity, add identical hosts running `cloudflared` replicas.
- -## Cipher suites - - diff --git a/src/content/docs/tunnel/other-tunnel-types/index.mdx b/src/content/docs/tunnel/other-tunnel-types/index.mdx deleted file mode 100644 index fac7095fa7fa3b2..000000000000000 --- a/src/content/docs/tunnel/other-tunnel-types/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -pcx_content_type: navigation -title: Other tunnel types -sidebar: - order: 9 - label: Advanced ---- - -import { DirectoryListing } from "~/components"; - -Cloudflare recommends creating a [remotely-managed tunnel](/tunnel/setup/) for most use cases. Remotely-managed tunnels store their configuration on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. - -The following pages cover alternative tunnel workflows that are intended for specific scenarios such as local development, testing, or legacy configurations. - - diff --git a/src/content/docs/tunnel/other-tunnel-types/local-management/index.mdx b/src/content/docs/tunnel/other-tunnel-types/local-management/index.mdx deleted file mode 100644 index a974a682e68c44e..000000000000000 --- a/src/content/docs/tunnel/other-tunnel-types/local-management/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -pcx_content_type: navigation -title: Locally-managed tunnels -sidebar: - order: 2 ---- - -import { DirectoryListing } from "~/components"; - -A locally-managed tunnel is a Cloudflare Tunnel created by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory). - -:::note -Cloudflare recommends setting up a [remotely-managed tunnel](/tunnel/setup/). Remotely-managed configurations are stored on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform. -::: - - diff --git a/src/content/docs/tunnel/other-tunnel-types/quick-tunnels.mdx b/src/content/docs/tunnel/other-tunnel-types/quick-tunnels.mdx deleted file mode 100644 index 852cdb68eea3d59..000000000000000 --- a/src/content/docs/tunnel/other-tunnel-types/quick-tunnels.mdx +++ /dev/null @@ -1,39 +0,0 @@ ---- -pcx_content_type: concept -title: Quick Tunnels -sidebar: - order: 5 ---- - -:::note -Quick Tunnels are intended for testing and development only. For production use, [create a remotely-managed tunnel](/tunnel/setup/). -::: - -Quick Tunnels let you expose a local web server to the internet without a Cloudflare account. `cloudflared` generates a random subdomain on `trycloudflare.com` and proxies requests through Cloudflare's network to your localhost. - -## Use a Quick Tunnel - -1. [Install `cloudflared`](/tunnel/downloads/). -2. Start a local web server. -3. Run: - -```sh -cloudflared tunnel --url http://localhost:8080 -``` - -`cloudflared` will print the generated URL in the terminal. Traffic to that URL is proxied to your local server. - -:::note -Quick Tunnels are not supported if a `config.yaml` file is present in the `.cloudflared` directory. Rename that file temporarily to use this feature. -::: - -## Limitations - -- Maximum of 200 concurrent in-flight requests. Exceeding this limit returns a `429` status code. -- Server-Sent Events (SSE) are not supported. - -To avoid these limitations, [create a tunnel](/tunnel/setup/) with a Cloudflare account. - -### Legal - -Your installation of `cloudflared` software constitutes a symbol of your signature indicating that you accept the terms of the [Cloudflare License](https://github.com/cloudflare/cloudflared/blob/master/LICENSE), [Terms](https://www.cloudflare.com/terms/) and [Privacy Policy](https://www.cloudflare.com/privacypolicy/). diff --git a/src/content/partials/cloudflare-one/tunnel/origin-parameters.mdx b/src/content/partials/cloudflare-one/tunnel/origin-parameters.mdx new file mode 100644 index 000000000000000..d01147c5a4cd003 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/origin-parameters.mdx @@ -0,0 +1,196 @@ +--- +params: + - updateOriginConfigURL + - locallyManagedTunnelURL + - configurationFileURL + - kubectlTutorialURL + - validatingJwtURL +--- + +Origin configuration parameters determine how `cloudflared` proxies traffic to your origin server. For a remotely-managed tunnel (created via the dashboard or API), configure these settings using the dashboard or API. If you are using a locally-managed tunnel, add these parameters to your configuration file. + +## TLS settings + +### originServerName + +| Default | UI name | +| ------- | ------------------ | +| `""` | Origin Server Name | + +Hostname that `cloudflared` should expect from your origin server certificate. If null, the expected hostname is the service URL, for example `localhost` if the service is `https://localhost:443`. + +### matchSNItoHost + +| Default | UI name | +| ------- | ----------------- | +| `false` | Match SNI to Host | + +When `true`, `cloudflared` will automatically set the Server Name Indication (SNI) during the TLS handshake to the hostname of the incoming request. + +This setting is useful when directing traffic to entry points that host multiple services and rely on SNI to route requests or present the correct certificate. It eliminates the need to explicitly configure [`originServerName`](#originservername) for individual services when using wildcard routing. + +### caPool + +| Default | UI name | +| ------- | -------------------------- | +| `""` | Certificate Authority Pool | + +Local file path to the certificate authority (CA) for your origin server certificate (for example, `/root/certs/ca.pem`). The path should point to a certificate store file or a bundle file in `.pem` or `.crt` format that contains one or more trusted root CA certificates. You should only configure this setting if your certificate is not signed by Cloudflare. + +### noTLSVerify + +| Default | UI name | +| ------- | ------------- | +| `false` | No TLS Verify | + +When `false`, TLS verification is performed on the certificate presented by your origin. + +When `true`, TLS verification is disabled. This will allow any certificate from the origin to be accepted. + +### tlsTimeout + +| Default | UI name | +| ------- | ----------- | +| `10s` | TLS Timeout | + +Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. + +### http2Origin + +| Default | UI name | +| ------- | ---------------- | +| `false` | HTTP2 connection | + +When `false`, `cloudflared` will connect to your origin with HTTP/1.1. + +When `true`, `cloudflared` will attempt to connect to your origin server using HTTP/2.0 instead of HTTP/1.1. HTTP/2.0 is a faster protocol for high traffic origins but requires you to deploy an SSL certificate on the origin. We recommend using this setting in conjunction with [noTLSVerify](#notlsverify) so that you can use a self-signed certificate. + +## HTTP settings + +### httpHostHeader + +| Default | UI name | +| ------- | ---------------- | +| `""` | HTTP Host Header | + +Sets the HTTP `Host` header on requests sent to the local service. + +### disableChunkedEncoding + +| Default | UI name | +| ------- | ------------------------ | +| `false` | Disable Chunked Encoding | + +When `false`, `cloudflared` performs chunked transfer encoding when transferring data over HTTP/1.1. + +When `true`, chunked transfer encoding is disabled. This is useful if you are running a Web Server Gateway Interface (WSGI) server. + +## Connection settings + +### connectTimeout + +| Default | UI name | +| ------- | --------------- | +| `30s` | Connect Timeout | + +Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to +establish TLS, which is controlled by tlsTimeout. + +### noHappyEyeballs + +| Default | UI name | +| ------- | ----------------- | +| `false` | No Happy Eyeballs | + +When `false`, `cloudflared` uses the Happy Eyeballs algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. + +When `true`, Happy Eyeballs is disabled. + +### proxyType + +| Default | UI name | +| ------- | ---------- | +| `""` | Proxy Type | + +`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. +This configures what type of proxy will be started. Valid options are: + +* `""` for the regular proxy +* `"socks"` for a SOCKS5 proxy. Refer to the tutorial on connecting through Cloudflare Access using kubectl for more information. + +### proxyAddress + +:::note + +For locally-managed tunnels only. +::: + +| Default | UI name | +| ----------- | ------- | +| `127.0.0.1` | -- | + +`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. +This configures the listen address for that proxy. + +### proxyPort + +:::note + +For locally-managed tunnels only. +::: + +| Default | UI name | +| ------- | ------- | +| `0` | -- | + +`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. +This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen. + +### keepAliveTimeout + +| Default | UI name | +| ------- | ------------------------------- | +| `1m30s` | Idle Connection Expiration Time | + +Timeout after which an idle keepalive connection can be discarded. + +### keepAliveConnections + +| Default | UI name | +| ------- | ---------------------- | +| `100` | Keep Alive Connections | + +Default: `100` + +Maximum number of idle keepalive connections between Cloudflare and your origin. This does not restrict the total number of concurrent connections. + +### tcpKeepAlive + +| Default | UI name | +| ------- | ----------------------- | +| `30s` | TCP Keep Alive Interval | + +Default: `30s` + +The timeout after which a TCP keepalive packet is sent on a connection between Cloudflare and the origin server. + +## Access settings + +### access + +| Default | UI name | +| ------- | ------------------- | +| `""` | Protect with Access | + +Requires `cloudflared` to validate the Cloudflare Access JWT prior to proxying traffic to your origin. You can enforce this check on public hostname services that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header. + +To enable this security control in a configuration file, [get the AUD tag](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`: + +```yml +access: + required: true + teamName: + audTag: + - + - +``` diff --git a/src/content/partials/cloudflare-one/tunnel/run-parameters.mdx b/src/content/partials/cloudflare-one/tunnel/run-parameters.mdx new file mode 100644 index 000000000000000..daf01387a4ac358 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/run-parameters.mdx @@ -0,0 +1,200 @@ +--- +params: + - updateRunParametersURL + - locallyManagedTunnelURL + - configurationFileURL + - metricsURL + - usageMetricsURL + - tunnelWithFirewallURL + - tunnelPermissionsURL + - createRemoteTunnelURL + - faqURL +--- + +import { Render } from "~/components"; + +This page lists the configuration flags for the `cloudflared tunnel run` command. For a remotely-managed tunnel (created via the dashboard or API), add these flags to the tunnel service. If you are using a locally-managed tunnel, add these flags to your configuration file as key/value pairs. + +## `autoupdate-freq` + +| Syntax | Default | +| ---------------------------------------------------------------- | ------- | +| `cloudflared tunnel --autoupdate-freq run ` | `24h` | + +Configures the frequency of `cloudflared` updates. + +By default, `cloudflared` will periodically check for updates and restart with the new version. Restarts are performed by spawning a new process that connects to the Cloudflare global network. On successful connection, the old process will gracefully shut down after handling all outstanding requests. See also: [`no-autoupdate`](#no-autoupdate). + +## `config` + +:::note + +For locally-managed tunnels only. +::: + +| Syntax | Default | +| ------------------------------------------------------- | --------------------------- | +| `cloudflared tunnel --config run ` | `~/.cloudflared/config.yml` | + +Specifies the path to a configuration file in YAML format. + +## `edge-bind-address` + +| Syntax | Environment Variable | +| ---------------------------------------------------------------- | -------------------------- | +| `cloudflared tunnel --edge-bind-address run ` | `TUNNEL_EDGE_BIND_ADDRESS` | + +Specifies the outgoing IP address used to establish a connection between `cloudflared` and the Cloudflare global network. + +By default, `cloudflared` lets the operating system decide which IP address to use. This option is useful if you have multiple network interfaces available and want to prefer a specific interface. + +The IP version of `edge-bind-address` will override [`edge-ip-version`](#edge-ip-version) (if provided). For example, if you enter an IPv6 source address, `cloudflared` will always connect to an IPv6 destination. + +## `edge-ip-version` + +| Syntax | Default | Environment Variable | +| ------------------------------------------------------------------- | ------- | ------------------------ | +| `cloudflared tunnel --edge-ip-version run ` | `4` | `TUNNEL_EDGE_IP_VERSION` | + +Specifies the IP address version (IPv4 or IPv6) used to establish a connection between `cloudflared` and the Cloudflare global network. Available values are `auto`, `4`, and `6`. + +The value `auto` relies on the host operating system to determine which IP version to select. The first IP version returned from the DNS resolution of the region lookup will be used as the primary set. In dual IPv6 and IPv4 network setups, `cloudflared` will separate the IP versions into two address sets that will be used to fallback in connectivity failure scenarios. + +## `grace-period` + +| Syntax | Default | Environment Variable | +| --------------------------------------------------------------- | ------- | --------------------- | +| `cloudflared tunnel --grace-period run ` | `30s` | `TUNNEL_GRACE_PERIOD` | + +When `cloudflared` receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shut down. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received. + +## `logfile` + +| Syntax | Environment Variable | +| -------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --logfile run ` | `TUNNEL_LOGFILE` | + +Saves application log to this file. Mainly useful for reporting issues. For more details on what information you need when contacting Cloudflare support, refer to this guide. + +## `loglevel` + +| Syntax | Default | Environment Variable | +| ---------------------------------------------------------- | ------- | -------------------- | +| `cloudflared tunnel --loglevel run ` | `info` | `TUNNEL_LOGLEVEL` | + +Specifies the verbosity of logging for the local `cloudflared` instance. Available values are `debug`, `info` (default), `warn`, `error`, and `fatal`. At the `debug` level, `cloudflared` will log and display the request URL, method, protocol, content length, as well as all request and response headers. However, note that this can expose sensitive information in your logs. + +## `metrics` + +| Syntax | Default | Environment Variable | +| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | -------------------- | +| `cloudflared tunnel --metrics run ` | Refer to Tunnel metrics | `TUNNEL_METRICS` | + +Exposes a Prometheus endpoint on the specified IP address and port, which you can then query for usage metrics. + +## `no-autoupdate` + +:::note + +Does not apply if you installed `cloudflared` using a package manager. + +::: + +| Syntax | Environment Variable | +| ------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --no-autoupdate run ` | `NO_AUTOUPDATE` | + +Disables automatic `cloudflared` updates. See also: [`autoupdate-freq`](#autoupdate-freq). + +## `origincert` + +:::note + +For locally-managed tunnels only. +::: + +| Syntax | Default | Environment Variable | +| ----------------------------------------------------------- | ------------------------- | -------------------- | +| `cloudflared tunnel --origincert run ` | `~/.cloudflared/cert.pem` | `TUNNEL_ORIGIN_CERT` | + +Specifies the account certificate for one of your zones, authorizing the client to serve as an origin for that zone. You can obtain a certificate by using the `cloudflared tunnel login` command or by visiting `https://dash.cloudflare.com/argotunnel`. + +## `pidfile` + +| Syntax | Environment Variable | +| -------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --pidfile run ` | `TUNNEL_PIDFILE` | + +Writes the application's process identifier (PID) to this file after the first successful connection. Mainly useful for scripting and service integration. + +## `post-quantum` + +| Syntax | Environment Variable | +| ------------------------------------------------------ | --------------------- | +| `cloudflared tunnel run --post-quantum ` | `TUNNEL_POST_QUANTUM` | + +By default, Cloudflare Tunnel connections over [`quic`](#protocol) are encrypted using [post-quantum cryptography (PQC)](/ssl/post-quantum-cryptography/) but will fall back to non-PQ if there are issues connecting. If the `--post-quantum` flag is provided, `quic` connections are only allowed to use PQ key agreements, with no fallback to non-PQ. + +Post-quantum key agreements are not supported when using `http2` protocol. + +## `protocol` + +| Syntax | Default | Environment Variable | +| ---------------------------------------------------------- | ------- | --------------------------- | +| `cloudflared tunnel --protocol run ` | `auto` | `TUNNEL_TRANSPORT_PROTOCOL` | + +Specifies the protocol used to establish a connection between `cloudflared` and the Cloudflare global network. Available values are `auto`, `http2`, and `quic`. + +The `auto` value will automatically configure the `quic` protocol. If `cloudflared` is unable to establish UDP connections, it will fallback to using the `http2` protocol. + +## `region` + +| Syntax | Environment Variable | +| -------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --region run ` | `TUNNEL_REGION` | + +Allows you to choose the regions to which connections are established. Currently the only available value is `us`, which routes all connections through data centers in the United States. Omit or leave empty to connect to the global region. + +When the region is set to `us`, `cloudflared` uses different US-specific hostnames and IPs. Refer to Tunnel with firewall for details. + +## `retries` + +| Syntax | Default | Environment Variable | +| --------------------------------------------------------- | ------- | -------------------- | +| `cloudflared tunnel --retries run ` | `5` | `TUNNEL_RETRIES` | + +Specifies the maximum number of retries for connection/protocol errors. Retries use exponential backoff (retrying at 1, 2, 4, 8, 16 seconds by default), so it is not recommended that you increase this value significantly. + +## `tag` + +| Syntax | Environment Variable | +| ------------------------------------------------------- | -------------------- | +| `cloudflared tunnel --tag run ` | `TUNNEL_TAG` | + +Specifies custom tags used to identify this tunnel. Multiple tags may be specified by adding additional `--tag ` flags to the command. If entering multiple tags into a configuration file, delimit with commas: `tag: {KEY1=VALUE1, KEY2=VALUE2}`. + +## `token` + +:::note + +For remotely-managed tunnels only. +::: + +| Syntax | Environment Variable | +| ----------------------------------------------- | -------------------- | +| `cloudflared tunnel run --token ` | `TUNNEL_TOKEN` | + +Associates the `cloudflared` instance with a specific tunnel. The tunnel's token is shown in the dashboard when you first create the tunnel. You can also retrieve the token using the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/). + +## `token-file` + +:::note + +For remotely-managed tunnels only. Requires `2025.4.0` or later. +::: + +| Syntax | Environment Variable | +| -------------------------------------------- | -------------------- | +| `cloudflared tunnel run --token-file ` | `TUNNEL_TOKEN_FILE` | + +Associates the `cloudflared` instance with a specific tunnel using a file which contains the token. From 08f8ff94d1f768136684f5b8a5229a14b1288773 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 24 Feb 2026 17:56:40 -0500 Subject: [PATCH 28/33] monitoring partials --- .../monitor-tunnels/metrics.mdx | 104 ++-------- .../troubleshoot-tunnels/diag-logs.mdx | 134 ++++--------- src/content/docs/tunnel/monitoring.mdx | 178 +++++++----------- .../cloudflare-one/tunnel/diag-docker.mdx | 53 ++++++ .../tunnel/diag-host-environment.mdx | 26 +++ .../cloudflare-one/tunnel/diag-kubernetes.mdx | 41 ++++ .../tunnel/metrics-cloudflared.mdx | 30 +++ .../tunnel/metrics-configure-address.mdx | 20 ++ .../tunnel/metrics-default-address.mdx | 12 ++ .../tunnel/metrics-go-runtime.mdx | 29 +++ .../cloudflare-one/tunnel/metrics-intro.mdx | 4 + .../tunnel/metrics-prometheus.mdx | 7 + .../tunnel/tunnel-diag-file.mdx | 14 +- .../tunnel/view-logs-on-server.mdx | 6 +- 14 files changed, 352 insertions(+), 306 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/diag-docker.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/diag-host-environment.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/diag-kubernetes.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/metrics-cloudflared.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/metrics-configure-address.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/metrics-default-address.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/metrics-go-runtime.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/metrics-intro.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/metrics-prometheus.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics.mdx index 9cd270e5729e85c..5299a5800d4f4fa 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics.mdx @@ -8,104 +8,40 @@ head: content: Tunnel metrics --- -Tunnel metrics show a Cloudflare Tunnel's throughput and resource usage over time. When you run a tunnel, `cloudflared` will spin up a Prometheus metrics endpoint — an HTTP server that exposes metrics in [Prometheus](https://prometheus.io/docs/introduction/overview/) format. You can use the Prometheus toolkit on a remote machine to scrape metrics data from the `cloudflared` server. +import { Render } from "~/components"; -## Default metrics server address - -In non-containerized environments, `cloudflared` starts the metrics server on `127.0.0.1:/metrics`, where `` is the first available port in the range `20241` to `20245`. In case of all ports being unavailable then the fallback is to bind to a random port. In containerized environments such as Docker and Kubernetes, the default address is `0.0.0.0:/metrics`. + -To determine the default port being used by a `cloudflared` instance, you can check your [Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) around the time when the tunnel started. For example: +## Default metrics server address -```text -2024-12-19T21:17:58Z INF Starting metrics server on 127.0.0.1:20241/metrics -``` + ## Configure the metrics server address -To serve metrics on a custom IP address and port, perform these steps on the `cloudflared` host: - -1. Run the tunnel using the [--metrics](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#metrics) flag. Here is an example command for a locally-managed tunnel: - - ```sh - cloudflared tunnel --metrics 127.0.0.1:60123 run my-tunnel - ``` - - To learn how to add the `--metrics` flag to a remotely-managed tunnel, refer to [Configure a remotely-managed tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters). - - :::note - If you plan to fetch metrics from another machine on the local network, replace `127.0.0.1` with the internal IP of the `cloudflared` server (for example, `198.168.x.x`). To serve metrics on all available network interfaces, use `0.0.0.0`. - ::: - -2. Verify that the metrics server is running by going to `http://localhost:60123/metrics`. This will only work if you configured a localhost IP (`127.0.0.1` or `0.0.0.0`). - -You can now export the metrics to Prometheus and Grafana in order to visualize and query the data. Refer to our [tutorial](/cloudflare-one/tutorials/grafana/) for instructions on getting started with these tools. + ## Available metrics ### cloudflared metrics -| Name | Description | Type | Labels | -| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------- | ------------------------------------------ | -| `build_info` | Build and version information. | GAUGE | `goversion`, `revision`, `type`, `version` | -| `cloudflared_config_local_config_pushes` | Number of local configuration pushes to Cloudflare. | COUNTER | | -| `cloudflared_config_local_config_pushes_errors` | Number of errors that occurred during local configuration pushes. | COUNTER | | -| `cloudflared_orchestration_config_version` | Configuration version. | GAUGE | | -| `cloudflared_tcp_active_sessions` | Concurrent number of TCP sessions that are being proxied to any origin. | GAUGE | | -| `cloudflared_tcp_total_sessions` | Total number of TCP sessions that have been proxied to any origin. | COUNTER | | -| `cloudflared_tunnel_active_streams` | Total number of active streams. | GAUGE | | -| `cloudflared_tunnel_concurrent_requests_per_tunnel` | Concurrent number of requests proxied through each tunnel. | GAUGE | | -| `cloudflared_tunnel_ha_connections` | Number of active HA connections. | GAUGE | | -| `cloudflared_tunnel_request_errors` | Number of errors proxying to origin. | COUNTER | | -| `cloudflared_tunnel_server_locations` | Where each tunnel is connected to. `1` means current location, `0` means previous locations. | GAUGE | `connection_id`, `edge_location` | -| `cloudflared_tunnel_timer_retries` | Unacknowledged heart beats count. | GAUGE | | -| `cloudflared_tunnel_total_requests` | Number of requests proxied through all tunnels. | COUNTER | | -| `cloudflared_tunnel_tunnel_authenticate_success` | Number of successful tunnel authentication events. | COUNTER | | -| `cloudflared_tunnel_tunnel_register_success` | Number of successful tunnel registrations. | COUNTER | `rpcName` | -| `cloudflared_udp_active_sessions` | Concurrent number of UDP sessions that are being proxied to any origin. | GAUGE | | -| `cloudflared_udp_total_sessions` | Total number of UDP sessions that have been proxied to any origin. | COUNTER | | -| `coredns_panics_total` | Number of panics. | COUNTER | | -| `quic_client_closed_connections` | Number of connections that have been closed. | COUNTER | | -| `quic_client_latest_rtt` | Latest round-trip time (RTT) measured on a connection. | GAUGE | `conn_index` | -| `quic_client_lost_packets` | Number of packets that have been lost from a connection. | COUNTER | `conn_index`, `reason` | -| `quic_client_min_rtt` | Lowest RTT measured on a connection in ms. | GAUGE | `conn_index` | -| `quic_client_packet_too_big_dropped` | Number of packets received from origin that are too big to send to Cloudflare and are dropped as a result. | COUNTER | | -| `quic_client_smoothed_rtt` | Smoothed RTT calculated for a connection in ms. | GAUGE | `conn_index` | -| `quic_client_total_connections` | Number of connections initiated. For all QUIC metrics, client means the side initiating the connection. | COUNTER | | + ### Prometheus metrics -| Name | Description | Type | Labels | -| -------------------------------------------- | -------------------------------------------- | ------- | ------ | -| `promhttp_metric_handler_requests_in_flight` | Current number of scrapes being served. | GAUGE | | -| `promhttp_metric_handler_requests_total` | Total number of scrapes by HTTP status code. | COUNTER | `code` | -| | | | | + ### Go runtime metrics -| Name | Description | Type | Labels | -| ---------------------------------- | ------------------------------------------------------------------ | ------- | --------- | -| `go_gc_duration_seconds` | A summary of the pause duration of garbage collection cycles. | SUMMARY | | -| `go_goroutines` | Number of goroutines that currently exist. | GAUGE | | -| `go_info` | Information about the Go environment. | GAUGE | `version` | -| `go_memstats_alloc_bytes` | Number of bytes allocated and still in use. | GAUGE | | -| `go_memstats_alloc_bytes_total` | Total number of bytes allocated, even if freed. | COUNTER | | -| `go_memstats_buck_hash_sys_bytes` | Number of bytes used by the profiling bucket hash table. | GAUGE | | -| `go_memstats_frees_total` | Total number of frees. | COUNTER | | -| `go_memstats_gc_sys_bytes` | Number of bytes used for garbage collection system metadata. | GAUGE | | -| `go_memstats_heap_alloc_bytes` | Number of heap bytes allocated and still in use. | GAUGE | | -| `go_memstats_heap_idle_bytes` | Number of heap bytes waiting to be used. | GAUGE | | -| `go_memstats_heap_inuse_bytes` | Number of heap bytes that are in use. | GAUGE | | -| `go_memstats_heap_objects` | Number of allocated objects. | GAUGE | | -| `go_memstats_heap_released_bytes` | Number of heap bytes released to OS. | GAUGE | | -| `go_memstats_heap_sys_bytes` | Number of heap bytes obtained from system. | GAUGE | | -| `go_memstats_last_gc_time_seconds` | Number of seconds since 1970 of last garbage collection. | GAUGE | | -| `go_memstats_lookups_total` | Total number of pointer lookups. | COUNTER | | -| `go_memstats_mallocs_total` | Total number of mallocs. | COUNTER | | -| `go_memstats_mcache_inuse_bytes` | Number of bytes in use by mcache structures. | GAUGE | | -| `go_memstats_mcache_sys_bytes` | Number of bytes used for mcache structures obtained from system. | GAUGE | | -| `go_memstats_mspan_inuse_bytes` | Number of bytes in use by mspan structures. | GAUGE | | -| `go_memstats_mspan_sys_bytes` | Number of bytes used for mspan structures obtained from system. | GAUGE | | -| `go_memstats_next_gc_bytes` | Number of heap bytes when next garbage collection will take place. | GAUGE | | -| `go_memstats_other_sys_bytes` | Number of bytes used for other system allocations. | GAUGE | | -| `go_memstats_stack_inuse_bytes` | Number of bytes in use by the stack allocator. | GAUGE | | -| | | | | + diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs.mdx index adacaa18dff316e..54ed41511daac4f 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs.mdx @@ -22,113 +22,45 @@ The steps for getting diagnostic logs depend on your `cloudflared` deployment en These instructions apply to remotely-managed and locally-managed tunnels running directly on the host machine. -1. (Linux only) To include network diagnostics in the logs, allow the `cloudflared` user to create RAW and PACKET sockets without root permissions: - - ```sh - sudo setcap cap_net_raw+ep /usr/bin/traceroute && sudo setcap cap_net_raw+ep /usr/bin/traceroute - ``` - - If you do not set `cap_net_raw`, then traceroute data will be unavailable. - -2. Get diagnostic logs: - - ```sh - cloudflared tunnel diag - ``` - - If multiple instances of `cloudflared` are running on the same host, specify the [metrics server IP and port](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#configure-the-metrics-server-address) for the instance you want to diagnose. For example: - - ```sh - cloudflared tunnel diag --metrics 127.0.0.1:20241 - ``` - -This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. + ### Docker -`cloudflared` reads diagnostic data from the [tunnel metrics server](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/). To get diagnostic logs, the metrics server must be exposed from the Docker container and reachable from the host machine. - -1. Determine the [metrics server port](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#default-metrics-server-address) for the `cloudflared` instance running in Docker. - -2. Ensure the container is deployed with port forwarding enabled. The diagnostic feature will request information from the Docker instance using local port `20241`, therefore you should forward port `20241` to the container port obtained in Step 1: - - ```sh - docker run -d -p 20241: docker.io/cloudflare/cloudflared tunnel ... - ``` - -3. Verify that you can reach the metrics server address from the Docker host environment: - - ```sh - curl localhost:20241/diag/tunnel - ``` - - This command should return a JSON: - ```json - { - "tunnelID": "ef96b330-a7f5-4bce-a00e-827ce5be077f", - "connectorID": "d236670a-9f74-422f-adf1-030f5c5f0523", - "connections": [ - { "isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.167"}, - {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.113", "index": 1}, - {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.47", "index": 2}, - {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.73", "index": 3} - ], - "icmp_sources": ["192.168.1.243", "fe80::c59:bd4a:e815:ed6"] - } - ``` - -4. Run the diagnostic using the Docker container ID: - - ```sh - cloudflared tunnel diag --diag-container-id= - ``` - - Alternatively, you can specify the container's name instead of its ID: - ```sh - cloudflared tunnel diag --diag-container-id= - ``` - - Running the diagnostic command with the container ID allows `cloudflared` to collect information from the Docker environment such as logs and container details. - -This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. + ### Kubernetes -The diagnostic feature will request data from the [tunnel metrics server](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/) using ports `20241` to `20245`. You will need to use port forwarding to allow the local `cloudflared` instance to connect to the metrics server on one of these ports. - -1. Determine the tunnel's [metrics server port](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#default-metrics-server-address). - -2. Enable port forwarding: - - ```sh - kubectl port-forward : - ``` - - - ``: Name of the pod where the tunnel is running - - `` is any local port in the range `20241` to `20245`. - - `` is the Kubernetes pod port for the `cloudflared` instance you want to diagnose (obtained in Step 1). - - For example, if you set the metrics server address to `0.0.0.0:12345`: - - ```sh - kubectl port-forward cloudflared-6d4897585b-r8kfz 20244:12345 - ``` - Connections made to local port `20244` are forwarded to port `12345` of the pod that is running the tunnel. - -3. Run the diagnostic: - - ```sh - cloudflared tunnel diag --diag-pod-id= - ``` - - If the pod has multiple applications/services running and `cloudflared` is not the first in the pod, you must specify either the container ID or name: - - ```sh - cloudflared tunnel diag --diag-pod-id= --diag-container-id= - ``` - -This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. + ## cloudflared-diag files - + diff --git a/src/content/docs/tunnel/monitoring.mdx b/src/content/docs/tunnel/monitoring.mdx index ab178894e0d04ad..ec4196c5adc8135 100644 --- a/src/content/docs/tunnel/monitoring.mdx +++ b/src/content/docs/tunnel/monitoring.mdx @@ -50,10 +50,16 @@ Tunnel logs record all activity between `cloudflared` and the Cloudflare global }} /> -### Remote log streaming (CLI) +### Remote log streaming You can stream real-time logs from a running tunnel without SSH access to the server. `cloudflared` must be installed on your local machine. +:::note +Dashboard-based log streaming is available in the [Cloudflare One dashboard](https://one.dash.cloudflare.com/) under **Networks** > **Connectors** > **Cloudflare Tunnels**. +::: + +To stream logs using the CLI: + 3. If you are running multiple [replicas](/tunnel/configuration/#replicas-and-high-availability), specify which replica to stream logs from: @@ -72,149 +78,97 @@ You can stream real-time logs from a running tunnel without SSH access to the se
-:::note -Dashboard-based log streaming is available in the [Cloudflare One dashboard](https://one.dash.cloudflare.com/) under **Networks** > **Connectors** > **Cloudflare Tunnels**. -::: - ## Metrics -When you run a tunnel, `cloudflared` exposes a [Prometheus](https://prometheus.io/docs/introduction/overview/) metrics endpoint. You can scrape this endpoint from a remote machine using the Prometheus toolkit. + ### Default metrics server address -In non-containerized environments, `cloudflared` starts the metrics server on `127.0.0.1:/metrics`, where `` is the first available port in the range `20241` to `20245`. If all ports are unavailable, `cloudflared` binds to a random port. In containerized environments (Docker, Kubernetes), the default address is `0.0.0.0:/metrics`. - -Check your [tunnel logs](#server-side-logs) to find the default port: - -```text -2024-12-19T21:17:58Z INF Starting metrics server on 127.0.0.1:20241/metrics -``` + ### Configure a custom address -To serve metrics on a custom IP and port, use the [`--metrics`](/tunnel/configuration/#metrics) flag: - -```sh -cloudflared tunnel --metrics 127.0.0.1:60123 run my-tunnel -``` - -To add the `--metrics` flag to a remotely-managed tunnel, refer to [Run parameters](/tunnel/configuration/#run-parameters). + -:::note -To fetch metrics from another machine on the local network, replace `127.0.0.1` with the internal IP of the `cloudflared` server (for example, `192.168.x.x`). To serve metrics on all interfaces, use `0.0.0.0`. -::: +
-Verify the metrics server is running by opening `http://localhost:60123/metrics`. You can then export the data to Prometheus and Grafana. Refer to the [Grafana tutorial](/cloudflare-one/tutorials/grafana/) for setup instructions. - -### cloudflared metrics - -| Name | Description | Type | Labels | -| --------------------------------------------------- | ------------------------------------------------------------------------------- | ------- | ------------------------------------------ | -| `build_info` | Build and version information. | GAUGE | `goversion`, `revision`, `type`, `version` | -| `cloudflared_tcp_active_sessions` | Concurrent TCP sessions being proxied to any origin. | GAUGE | | -| `cloudflared_tcp_total_sessions` | Total TCP sessions proxied to any origin. | COUNTER | | -| `cloudflared_tunnel_active_streams` | Total number of active streams. | GAUGE | | -| `cloudflared_tunnel_concurrent_requests_per_tunnel` | Concurrent requests proxied through each tunnel. | GAUGE | | -| `cloudflared_tunnel_ha_connections` | Number of active HA connections. | GAUGE | | -| `cloudflared_tunnel_request_errors` | Number of errors proxying to origin. | COUNTER | | -| `cloudflared_tunnel_server_locations` | Where each tunnel is connected. `1` means current location, `0` means previous. | GAUGE | `connection_id`, `edge_location` | -| `cloudflared_tunnel_timer_retries` | Unacknowledged heartbeat count. | GAUGE | | -| `cloudflared_tunnel_total_requests` | Total requests proxied through all tunnels. | COUNTER | | -| `cloudflared_udp_active_sessions` | Concurrent UDP sessions being proxied to any origin. | GAUGE | | -| `cloudflared_udp_total_sessions` | Total UDP sessions proxied to any origin. | COUNTER | | -| `quic_client_latest_rtt` | Latest round-trip time (RTT) measured on a connection. | GAUGE | `conn_index` | -| `quic_client_smoothed_rtt` | Smoothed RTT for a connection in ms. | GAUGE | `conn_index` | - -
- -| Name | Description | Type | Labels | -| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------- | ------- | ---------------------- | -| `cloudflared_config_local_config_pushes` | Number of local configuration pushes to Cloudflare. | COUNTER | | -| `cloudflared_config_local_config_pushes_errors` | Number of errors during local configuration pushes. | COUNTER | | -| `cloudflared_orchestration_config_version` | Configuration version. | GAUGE | | -| `cloudflared_tunnel_tunnel_authenticate_success` | Number of successful tunnel authentication events. | COUNTER | | -| `cloudflared_tunnel_tunnel_register_success` | Number of successful tunnel registrations. | COUNTER | `rpcName` | -| `coredns_panics_total` | Number of panics. | COUNTER | | -| `quic_client_closed_connections` | Number of connections that have been closed. | COUNTER | | -| `quic_client_lost_packets` | Number of packets lost from a connection. | COUNTER | `conn_index`, `reason` | -| `quic_client_min_rtt` | Lowest RTT measured on a connection in ms. | GAUGE | `conn_index` | -| `quic_client_packet_too_big_dropped` | Packets received from origin too big to send to Cloudflare, dropped. | COUNTER | | -| `quic_client_total_connections` | Number of connections initiated. For all QUIC metrics, client means the side initiating the connection. | COUNTER | | -| `promhttp_metric_handler_requests_in_flight` | Current number of scrapes being served. | GAUGE | | -| `promhttp_metric_handler_requests_total` | Total number of scrapes by HTTP status code. | COUNTER | `code` | +
-## Diagnostic logs - -Cloudflare Tunnel generates diagnostic reports that collect data from a single `cloudflared` instance running on the local machine. This requires `cloudflared` version 2024.12.2 or later. +
-### Generate diagnostics + -1. (Linux only) To include network diagnostics, allow the `cloudflared` user to create raw and packet sockets without root permissions: +
- ```sh - sudo setcap cap_net_raw+ep /usr/bin/traceroute && sudo setcap cap_net_raw+ep /usr/bin/traceroute - ``` +
- If you do not set `cap_net_raw`, traceroute data will be unavailable. + -2. Generate diagnostic logs: +
- ```sh - cloudflared tunnel diag - ``` +## Diagnostic logs - If multiple `cloudflared` instances run on the same host, specify the [metrics server address](#configure-a-custom-address): +Cloudflare Tunnel generates diagnostic reports that collect data from a single `cloudflared` instance running on the local machine. This requires `cloudflared` version 2024.12.2 or later. - ```sh - cloudflared tunnel diag --metrics 127.0.0.1:20241 - ``` +### Generate diagnostics -This command outputs the status of each diagnostic task and places a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. +
-`cloudflared` reads diagnostic data from the [metrics server](#metrics). Expose the metrics server from the Docker container so the host machine can reach it. - -1. Deploy the container with port forwarding to the metrics port: - - ```sh - docker run -d -p 20241: docker.io/cloudflare/cloudflared tunnel ... - ``` - -2. Verify the metrics server is reachable: - - ```sh - curl localhost:20241/diag/tunnel - ``` - -3. Run the diagnostic using the Docker container ID or name: - - ```sh - cloudflared tunnel diag --diag-container-id= - ``` +
-Use port forwarding to connect to the metrics server. Forward a local port in the range `20241`-`20245` to the container metrics port: - -```sh -kubectl port-forward : -``` - -Then run: - -```sh -cloudflared tunnel diag --diag-pod-id= -``` - -If the pod has multiple containers and `cloudflared` is not the first, add `--diag-container-id=`. +
### Diagnostic file contents - + diff --git a/src/content/partials/cloudflare-one/tunnel/diag-docker.mdx b/src/content/partials/cloudflare-one/tunnel/diag-docker.mdx new file mode 100644 index 000000000000000..4f15318c29c1162 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/diag-docker.mdx @@ -0,0 +1,53 @@ +--- +params: + - metricsURL + - defaultMetricsURL +--- + +`cloudflared` reads diagnostic data from the tunnel metrics server. To get diagnostic logs, the metrics server must be exposed from the Docker container and reachable from the host machine. + +1. Determine the metrics server port for the `cloudflared` instance running in Docker. + +2. Ensure the container is deployed with port forwarding enabled. The diagnostic feature will request information from the Docker instance using local port `20241`, therefore you should forward port `20241` to the container port obtained in Step 1: + + ```sh + docker run -d -p 20241: docker.io/cloudflare/cloudflared tunnel ... + ``` + +3. Verify that you can reach the metrics server address from the Docker host environment: + + ```sh + curl localhost:20241/diag/tunnel + ``` + + This command should return a JSON: + + ```json + { + "tunnelID": "ef96b330-a7f5-4bce-a00e-827ce5be077f", + "connectorID": "d236670a-9f74-422f-adf1-030f5c5f0523", + "connections": [ + { "isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.167"}, + {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.113", "index": 1}, + {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.192.47", "index": 2}, + {"isConnected": true, "protocol": 1, "edgeAddress": "198.41.200.73", "index": 3} + ], + "icmp_sources": ["192.168.1.243", "fe80::c59:bd4a:e815:ed6"] + } + ``` + +4. Run the diagnostic using the Docker container ID: + + ```sh + cloudflared tunnel diag --diag-container-id= + ``` + + Alternatively, you can specify the container's name instead of its ID: + + ```sh + cloudflared tunnel diag --diag-container-id= + ``` + + Running the diagnostic command with the container ID allows `cloudflared` to collect information from the Docker environment such as logs and container details. + +This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. diff --git a/src/content/partials/cloudflare-one/tunnel/diag-host-environment.mdx b/src/content/partials/cloudflare-one/tunnel/diag-host-environment.mdx new file mode 100644 index 000000000000000..003dd21934f8386 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/diag-host-environment.mdx @@ -0,0 +1,26 @@ +--- +params: + - metricsURL +--- + +1. (Linux only) To include network diagnostics in the logs, allow the `cloudflared` user to create RAW and PACKET sockets without root permissions: + + ```sh + sudo setcap cap_net_raw+ep /usr/bin/traceroute && sudo setcap cap_net_raw+ep /usr/bin/traceroute + ``` + + If you do not set `cap_net_raw`, then traceroute data will be unavailable. + +2. Get diagnostic logs: + + ```sh + cloudflared tunnel diag + ``` + + If multiple instances of `cloudflared` are running on the same host, specify the metrics server IP and port for the instance you want to diagnose. For example: + + ```sh + cloudflared tunnel diag --metrics 127.0.0.1:20241 + ``` + +This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. diff --git a/src/content/partials/cloudflare-one/tunnel/diag-kubernetes.mdx b/src/content/partials/cloudflare-one/tunnel/diag-kubernetes.mdx new file mode 100644 index 000000000000000..afa71324209ae61 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/diag-kubernetes.mdx @@ -0,0 +1,41 @@ +--- +params: + - metricsURL + - defaultMetricsURL +--- + +The diagnostic feature will request data from the tunnel metrics server using ports `20241` to `20245`. You will need to use port forwarding to allow the local `cloudflared` instance to connect to the metrics server on one of these ports. + +1. Determine the tunnel's metrics server port. + +2. Enable port forwarding: + + ```sh + kubectl port-forward : + ``` + + - ``: Name of the pod where the tunnel is running + - `` is any local port in the range `20241` to `20245`. + - `` is the Kubernetes pod port for the `cloudflared` instance you want to diagnose (obtained in Step 1). + + For example, if you set the metrics server address to `0.0.0.0:12345`: + + ```sh + kubectl port-forward cloudflared-6d4897585b-r8kfz 20244:12345 + ``` + + Connections made to local port `20244` are forwarded to port `12345` of the pod that is running the tunnel. + +3. Run the diagnostic: + + ```sh + cloudflared tunnel diag --diag-pod-id= + ``` + + If the pod has multiple applications/services running and `cloudflared` is not the first in the pod, you must specify either the container ID or name: + + ```sh + cloudflared tunnel diag --diag-pod-id= --diag-container-id= + ``` + +This command will output the status of each diagnostic task and place a `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` file in your working directory. diff --git a/src/content/partials/cloudflare-one/tunnel/metrics-cloudflared.mdx b/src/content/partials/cloudflare-one/tunnel/metrics-cloudflared.mdx new file mode 100644 index 000000000000000..4e0fc2c84e7e66e --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/metrics-cloudflared.mdx @@ -0,0 +1,30 @@ +--- +--- + +| Name | Description | Type | Labels | +| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------- | ------------------------------------------ | +| `build_info` | Build and version information. | GAUGE | `goversion`, `revision`, `type`, `version` | +| `cloudflared_config_local_config_pushes` | Number of local configuration pushes to Cloudflare. | COUNTER | | +| `cloudflared_config_local_config_pushes_errors` | Number of errors that occurred during local configuration pushes. | COUNTER | | +| `cloudflared_orchestration_config_version` | Configuration version. | GAUGE | | +| `cloudflared_tcp_active_sessions` | Concurrent number of TCP sessions that are being proxied to any origin. | GAUGE | | +| `cloudflared_tcp_total_sessions` | Total number of TCP sessions that have been proxied to any origin. | COUNTER | | +| `cloudflared_tunnel_active_streams` | Total number of active streams. | GAUGE | | +| `cloudflared_tunnel_concurrent_requests_per_tunnel` | Concurrent number of requests proxied through each tunnel. | GAUGE | | +| `cloudflared_tunnel_ha_connections` | Number of active HA connections. | GAUGE | | +| `cloudflared_tunnel_request_errors` | Number of errors proxying to origin. | COUNTER | | +| `cloudflared_tunnel_server_locations` | Where each tunnel is connected to. `1` means current location, `0` means previous locations. | GAUGE | `connection_id`, `edge_location` | +| `cloudflared_tunnel_timer_retries` | Unacknowledged heart beats count. | GAUGE | | +| `cloudflared_tunnel_total_requests` | Number of requests proxied through all tunnels. | COUNTER | | +| `cloudflared_tunnel_tunnel_authenticate_success` | Number of successful tunnel authentication events. | COUNTER | | +| `cloudflared_tunnel_tunnel_register_success` | Number of successful tunnel registrations. | COUNTER | `rpcName` | +| `cloudflared_udp_active_sessions` | Concurrent number of UDP sessions that are being proxied to any origin. | GAUGE | | +| `cloudflared_udp_total_sessions` | Total number of UDP sessions that have been proxied to any origin. | COUNTER | | +| `coredns_panics_total` | Number of panics. | COUNTER | | +| `quic_client_closed_connections` | Number of connections that have been closed. | COUNTER | | +| `quic_client_latest_rtt` | Latest round-trip time (RTT) measured on a connection. | GAUGE | `conn_index` | +| `quic_client_lost_packets` | Number of packets that have been lost from a connection. | COUNTER | `conn_index`, `reason` | +| `quic_client_min_rtt` | Lowest RTT measured on a connection in ms. | GAUGE | `conn_index` | +| `quic_client_packet_too_big_dropped` | Number of packets received from origin that are too big to send to Cloudflare and are dropped as a result. | COUNTER | | +| `quic_client_smoothed_rtt` | Smoothed RTT calculated for a connection in ms. | GAUGE | `conn_index` | +| `quic_client_total_connections` | Number of connections initiated. For all QUIC metrics, client means the side initiating the connection. | COUNTER | | diff --git a/src/content/partials/cloudflare-one/tunnel/metrics-configure-address.mdx b/src/content/partials/cloudflare-one/tunnel/metrics-configure-address.mdx new file mode 100644 index 000000000000000..2da2ff7378dc23e --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/metrics-configure-address.mdx @@ -0,0 +1,20 @@ +--- +params: + - updateRunParametersURL +--- + +To serve metrics on a custom IP address and port, perform these steps on the `cloudflared` host: + +1. Run the tunnel using the `--metrics` flag. For example, + + ```sh + cloudflared tunnel --metrics 127.0.0.1:60123 run my-tunnel + ``` + + :::note + If you plan to fetch metrics from another machine on the local network, replace `127.0.0.1` with the internal IP of the `cloudflared` server (for example, `198.168.x.x`). To serve metrics on all available network interfaces, use `0.0.0.0`. + ::: + +2. Verify that the metrics server is running by going to `http://localhost:60123/metrics`. This will only work if you configured a localhost IP (`127.0.0.1` or `0.0.0.0`). + +You can now export the metrics to Prometheus and Grafana to visualize and query the data. Refer to the [Grafana tutorial](/cloudflare-one/tutorials/grafana/) for instructions on getting started with these tools. diff --git a/src/content/partials/cloudflare-one/tunnel/metrics-default-address.mdx b/src/content/partials/cloudflare-one/tunnel/metrics-default-address.mdx new file mode 100644 index 000000000000000..9988a3eb7cfa45d --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/metrics-default-address.mdx @@ -0,0 +1,12 @@ +--- +params: + - logsURL +--- + +In non-containerized environments, `cloudflared` starts the metrics server on `127.0.0.1:/metrics`, where `` is the first available port in the range `20241` to `20245`. If all ports are unavailable, `cloudflared` binds to a random port. In containerized environments (Docker, Kubernetes), the default address is `0.0.0.0:/metrics`. + +To determine the default port, check your tunnel logs around the time when the tunnel started. For example: + +```text +2024-12-19T21:17:58Z INF Starting metrics server on 127.0.0.1:20241/metrics +``` diff --git a/src/content/partials/cloudflare-one/tunnel/metrics-go-runtime.mdx b/src/content/partials/cloudflare-one/tunnel/metrics-go-runtime.mdx new file mode 100644 index 000000000000000..c9b4e30ac62b994 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/metrics-go-runtime.mdx @@ -0,0 +1,29 @@ +--- +--- + +| Name | Description | Type | Labels | +| ---------------------------------- | ------------------------------------------------------------------ | ------- | --------- | +| `go_gc_duration_seconds` | A summary of the pause duration of garbage collection cycles. | SUMMARY | | +| `go_goroutines` | Number of goroutines that currently exist. | GAUGE | | +| `go_info` | Information about the Go environment. | GAUGE | `version` | +| `go_memstats_alloc_bytes` | Number of bytes allocated and still in use. | GAUGE | | +| `go_memstats_alloc_bytes_total` | Total number of bytes allocated, even if freed. | COUNTER | | +| `go_memstats_buck_hash_sys_bytes` | Number of bytes used by the profiling bucket hash table. | GAUGE | | +| `go_memstats_frees_total` | Total number of frees. | COUNTER | | +| `go_memstats_gc_sys_bytes` | Number of bytes used for garbage collection system metadata. | GAUGE | | +| `go_memstats_heap_alloc_bytes` | Number of heap bytes allocated and still in use. | GAUGE | | +| `go_memstats_heap_idle_bytes` | Number of heap bytes waiting to be used. | GAUGE | | +| `go_memstats_heap_inuse_bytes` | Number of heap bytes that are in use. | GAUGE | | +| `go_memstats_heap_objects` | Number of allocated objects. | GAUGE | | +| `go_memstats_heap_released_bytes` | Number of heap bytes released to OS. | GAUGE | | +| `go_memstats_heap_sys_bytes` | Number of heap bytes obtained from system. | GAUGE | | +| `go_memstats_last_gc_time_seconds` | Number of seconds since 1970 of last garbage collection. | GAUGE | | +| `go_memstats_lookups_total` | Total number of pointer lookups. | COUNTER | | +| `go_memstats_mallocs_total` | Total number of mallocs. | COUNTER | | +| `go_memstats_mcache_inuse_bytes` | Number of bytes in use by mcache structures. | GAUGE | | +| `go_memstats_mcache_sys_bytes` | Number of bytes used for mcache structures obtained from system. | GAUGE | | +| `go_memstats_mspan_inuse_bytes` | Number of bytes in use by mspan structures. | GAUGE | | +| `go_memstats_mspan_sys_bytes` | Number of bytes used for mspan structures obtained from system. | GAUGE | | +| `go_memstats_next_gc_bytes` | Number of heap bytes when next garbage collection will take place. | GAUGE | | +| `go_memstats_other_sys_bytes` | Number of bytes used for other system allocations. | GAUGE | | +| `go_memstats_stack_inuse_bytes` | Number of bytes in use by the stack allocator. | GAUGE | | diff --git a/src/content/partials/cloudflare-one/tunnel/metrics-intro.mdx b/src/content/partials/cloudflare-one/tunnel/metrics-intro.mdx new file mode 100644 index 000000000000000..ef5c8feea1a9a82 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/metrics-intro.mdx @@ -0,0 +1,4 @@ +--- +--- + +Tunnel metrics show a Cloudflare Tunnel's throughput and resource usage over time. When you run a tunnel, `cloudflared` will spin up a Prometheus metrics endpoint — an HTTP server that exposes metrics in [Prometheus](https://prometheus.io/docs/introduction/overview/) format. You can use the Prometheus toolkit on a remote machine to scrape metrics data from the `cloudflared` server. diff --git a/src/content/partials/cloudflare-one/tunnel/metrics-prometheus.mdx b/src/content/partials/cloudflare-one/tunnel/metrics-prometheus.mdx new file mode 100644 index 000000000000000..cec7d984e3bba42 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/metrics-prometheus.mdx @@ -0,0 +1,7 @@ +--- +--- + +| Name | Description | Type | Labels | +| -------------------------------------------- | -------------------------------------------- | ------- | ------ | +| `promhttp_metric_handler_requests_in_flight` | Current number of scrapes being served. | GAUGE | | +| `promhttp_metric_handler_requests_total` | Total number of scrapes by HTTP status code. | COUNTER | `code` | diff --git a/src/content/partials/cloudflare-one/tunnel/tunnel-diag-file.mdx b/src/content/partials/cloudflare-one/tunnel/tunnel-diag-file.mdx index 2607e51012841a9..35a23d38040988e 100644 --- a/src/content/partials/cloudflare-one/tunnel/tunnel-diag-file.mdx +++ b/src/content/partials/cloudflare-one/tunnel/tunnel-diag-file.mdx @@ -1,21 +1,25 @@ --- -{} +params: + - runParametersURL + - logsURL + - metricsURL + - loglevelURL --- The `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` archive contains the files listed below. The data in a file either applies to the `cloudflared` instance being diagnosed (`diagnosee`) or the instance that triggered the diagnosis (`diagnoser`). For example, if your tunnel is running in a Docker container, the diagnosee is the Docker instance and the diagnoser is the host instance. | File name | Description | Instance | | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------- | -| `cli-configuration.json` | [Tunnel run parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/) used when starting the tunnel | diagnosee | -| `cloudflared_logs.txt` | [Tunnel log file](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/)[^1] | diagnosee | +| `cli-configuration.json` | Tunnel run parameters used when starting the tunnel | diagnosee | +| `cloudflared_logs.txt` | Tunnel log file[^1] | diagnosee | | `configuration.json` | Tunnel configuration parameters | diagnosee | | `goroutine.pprof` | goroutine profile made available by `pprof` | diagnosee | | `heap.pprof` | heap profile made available by `pprof` | diagnosee | -| `metrics.txt` | Snapshot of [Tunnel metrics](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/metrics/#available-metrics) at the time of diagnosis | diagnosee | +| `metrics.txt` | Snapshot of Tunnel metrics at the time of diagnosis | diagnosee | | `network.txt` | JSON traceroutes to Cloudflare's global network using IPv4 and IPv6 | diagnoser | | `raw-network.txt` | Raw traceroutes to Cloudflare's global network using IPv4 and IPv6 | diagnoser | | `systeminformation.json` | Operating system information and resource usage | diagnosee | | `task-result.json` | Result of each diagnostic task | diagnoser | | `tunnelstate.json` | Tunnel connections at the time of diagnosis | diagnosee | -[^1]: If the log file is blank, you may need to [set `--loglevel` to `debug`](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/#view-logs-on-the-server) when you start the tunnel. The `--loglevel` parameter is only required if you ran the tunnel from the CLI using a `cloudflared tunnel run` command. It is not necessary if the tunnel runs as a Linux/macOS service or runs in Docker/Kubernetes. +[^1]: If the log file is blank, you may need to set `--loglevel` to `debug` when you start the tunnel. The `--loglevel` parameter is only required if you ran the tunnel from the CLI using a `cloudflared tunnel run` command. It is not necessary if the tunnel runs as a Linux/macOS service or runs in Docker/Kubernetes. diff --git a/src/content/partials/cloudflare-one/tunnel/view-logs-on-server.mdx b/src/content/partials/cloudflare-one/tunnel/view-logs-on-server.mdx index 66b8b76770d16bd..c5d8a1638544701 100644 --- a/src/content/partials/cloudflare-one/tunnel/view-logs-on-server.mdx +++ b/src/content/partials/cloudflare-one/tunnel/view-logs-on-server.mdx @@ -7,10 +7,8 @@ params: If you have access to the origin server, you can use the `--loglevel` flag to enable logging when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not store logs on the server. You can optionally use the `--logfile` flag to write your logs to a file. -To enable logs for a remotely-managed tunnel, add `--loglevel info` and `--logfile ` to your system service as shown in Run parameters. - -To enable logs for a locally-managed tunnel: +To enable logs, run the tunnel using the `--loglevel info` and `--logfile ` flags. For example, ```sh cloudflared tunnel --loglevel info --logfile cloudflared.log run -``` \ No newline at end of file +``` From 30dff4c6d00ae7e37c5894e7feb6e69bb1be231c Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 24 Feb 2026 18:52:47 -0500 Subject: [PATCH 29/33] common error partials --- .../troubleshoot-tunnels/common-errors.mdx | 237 ++++++------------ src/content/docs/tunnel/troubleshooting.mdx | 203 ++++++--------- .../tunnel/common-errors/502-bad-gateway.mdx | 85 +++++++ .../credentials-file-not-found.mdx | 14 ++ .../dns-record-already-exists.mdx | 5 + .../common-errors/err-too-many-redirects.mdx | 14 ++ .../tunnel/common-errors/error-1033.mdx | 9 + .../common-errors/receive-buffer-size.mdx | 31 +++ .../service-already-installed.mdx | 5 + .../common-errors/ssl-handshake-failure.mdx | 5 + .../streaming-responses-buffered.mdx | 5 + .../common-errors/too-many-open-files.mdx | 7 + .../tunnel-fails-to-authenticate.mdx | 13 + .../common-errors/websocket-bad-handshake.mdx | 14 ++ .../common-errors/x509-unknown-authority.mdx | 9 + 15 files changed, 367 insertions(+), 289 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/502-bad-gateway.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/credentials-file-not-found.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/dns-record-already-exists.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/err-too-many-redirects.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/error-1033.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/receive-buffer-size.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/service-already-installed.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/ssl-handshake-failure.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/streaming-responses-buffered.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/too-many-open-files.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/tunnel-fails-to-authenticate.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/websocket-bad-handshake.mdx create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors/x509-unknown-authority.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx index 0130de838817599..e42c987936e5b3f 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { Tabs, TabItem, GlossaryTooltip, Render } from "~/components"; +import { GlossaryTooltip, Render } from "~/components"; This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/), view your [Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/), or [contact Cloudflare Support](/support/contacting-cloudflare-support/). @@ -22,162 +22,81 @@ The tunnel status only reflects the connection between `cloudflared` and the Clo ## I see `cloudflared service is already installed`. -If you see this error when installing a remotely-managed tunnel, ensure that no other `cloudflared` instances are running as a service on this machine. Only a single instance of `cloudflared` may run as a service on any given machine. Instead, we recommend adding additional routes to your existing tunnel. Alternatively, you can run `sudo cloudflared service uninstall` to uninstall `cloudflared`. + ## I see `An A, AAAA, or CNAME record with that host already exists`. -If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. [Check the DNS records](/dns/manage-dns-records/how-to/create-dns-records/) for your domain from the [Cloudflare dashboard](https://dash.cloudflare.com). + ## Tunnel credentials file doesn't exist or is not a file. -If you encounter the following error when running a tunnel, double check your `config.yml` file and ensure that the `credentials-file` points to the correct location. You may need to change `/root/` to your home directory. - -```sh -cloudflared tunnel run -``` - -```sh output -2021-06-04T06:21:16Z INF Starting tunnel tunnelID=928655cc-7f95-43f2-8539-2aba6cf3592d -Tunnel credentials file '/root/.cloudflared/928655cc-7f95-43f2-8539-2aba6cf3592d.json' doesn't exist or is not a file -``` + ## My tunnel fails to authenticate. -To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through `cloudflared login`. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components: - -- The public key of the origin certificate for that hostname -- The private key of the origin certificate for that domain -- A token that is unique to Cloudflare Tunnel - -Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one-level deep. Cloudflare uses that certificate file to authenticate `cloudflared` to create DNS records for your domain in Cloudflare. - -The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through `cloudflared` retains the older API key and can cause authentication failures. The user will need to login once more through `cloudflared` to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate. + ## I see an error: x509: certificate signed by unknown authority. -This means the origin is using a certificate that `cloudflared` does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare. To solve this: - -- Add the certificate to the system certificate pool. -- Use the `--origin-ca-pool` flag and specify the path to the certificate. -- Use the `--no-tls-verify` flag to stop `cloudflared` checking the certificate for a trust chain. + ## I see an error 1033 when attempting to run a tunnel. - - -For more information, refer to the [comprehensive list](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) of Cloudflare 1xxx errors. + ## I see a 502 Bad Gateway error when connecting to an HTTP or HTTPS application through tunnel. -A `502 Bad Gateway` error with `Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared` on a tunnel route means the tunnel itself is connected to the Cloudflare network, but `cloudflared` cannot reach the origin service defined in your ingress rule. Unlike [error 1033](#i-see-an-error-1033-when-attempting-to-run-a-tunnel), which indicates the tunnel is not connected to Cloudflare, a 502 error indicates the problem is between `cloudflared` and your local service. - -To identify the specific cause, review your [Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) for `error`-level messages. Common causes include: - -### Origin service is not running - -If the origin service has stopped or never started, `cloudflared` logs will show an error similar to: - -```txt -error="dial tcp [::1]:8080: connect: connection refused" -``` - -To resolve, verify the service is running and listening on the expected port: - -```sh -curl -v http://localhost:8080 -``` - -If the service is not running, start or restart it. You can confirm the service is listening by running `ss -tlnp | grep ` (Linux) or `lsof -iTCP -sTCP:LISTEN -nP | grep ` (macOS). - -### Origin service URL uses the wrong protocol - -If the origin expects HTTPS but the [published application route](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) specifies `http://`, or vice versa, `cloudflared` logs will show an error similar to: - -```txt -error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\"" -``` - -To resolve, update the `service` field in your published application route to match the [protocol](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) your origin expects. For example, change `http://localhost:8080` to `https://localhost:8080`. If you are using a locally-managed tunnel, update your ingress rule in the [configuration file](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-published-applications). - -### Origin service URL points to the wrong port - -If the port in your [published application route](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) does not match the port your service is listening on, `cloudflared` will log a `connection refused` error for that port. Double-check the `service` URL in your ingress rule and compare it against the port your application is bound to. - -### Origin uses a certificate that `cloudflared` does not trust - -If the origin presents a TLS certificate that `cloudflared` cannot verify, the logs will show an error similar to: - -```txt -error="x509: certificate is valid for example.com, not localhost" -``` - -This commonly occurs when the origin uses a self-signed certificate or when an SSL/TLS inspection proxy sits between `cloudflared` and the origin. - -To resolve, use one of the following approaches: - -- Set [`originServerName`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#originservername) to the hostname on the origin certificate in your [published application route](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application). If you are using a locally-managed tunnel, here is an example of a [configuration file](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/): - - ```yml - ingress: - - hostname: app.example.com - service: https://localhost:443 - originRequest: - originServerName: app.example.com - ``` - -- Provide the CA certificate using [`caPool`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#capool): - - ```yml - ingress: - - hostname: app.example.com - service: https://localhost:443 - originRequest: - caPool: /path/to/ca-cert.pem - ``` - -- As a last resort, disable TLS verification with [`noTLSVerify`](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify). This is not recommended for production environments. - - ```yml - ingress: - - hostname: app.example.com - service: https://localhost:443 - originRequest: - noTLSVerify: true - ``` + ## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app. -This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the [origin server name](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#originservername) parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration: - -```txt -ingress: - - hostname: test.example.com - service: https://localhost:443 - originRequest: - originServerName: test.example.com -``` + ## `cloudflared access` shows an error `websocket: bad handshake`. -This means that your `cloudflared access` client is unable to reach your `cloudflared tunnel` origin. -To diagnose this, you should look at the `cloudflared tunnel` logs. A very often root cause is that the `cloudflared tunnel` is unable to proxy to your origin (e.g. because the ingress is mis-configured, or the origin is down, or because the origin HTTPS certificate cannot be validated by `cloudflared tunnel`). -If `cloudflared tunnel` has no logs, it means Cloudflare Edge is not even able to route the websocket traffic to it. - -There are a few different possible root causes behind the `websocket: bad handshake` error: - -- Your `cloudflared tunnel` is either not running or not connected to Cloudflare Edge. - -- WebSockets are not [enabled](/network/websockets/#enable-websockets). - -- Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve: - 1. On the Cloudflare dashboard for your zone, go to **SSL/TLS** > **Overview**. - 2. Ensure that your SSL/TLS encryption mode is set to either **Flexible**, **Full** or **Full (strict)**. - -- Your requests are blocked by [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings. - -- Your SSH or RDP Access application has the [Binding Cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** > **Applications** and edit the application settings. - -- One or more [Workers routes](/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, you could either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname or update your Worker to only handle specific paths and forward all other requests to the origin, for example, by using `return fetch(req)`. + ## My tunnel randomly disconnects. @@ -185,41 +104,30 @@ Long-lived connections initiated through Cloudflare One, such as SSH sessions, c ## Tunnel connections fail with SSL error. -If `cloudflared` returns error `error="remote error: tls: handshake failure"`, check to make sure the hostname in question is covered by a SSL certificate. If using a multi-level subdomain, an advanced certificate may be required as the Universal SSL will not cover more than one level of subdomain. This may surface in the browser as `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`. + ## Tunnel connections fail with `Too many open files` error. -If your [Cloudflare Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) returns a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to [configure ulimit settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/#ulimits) on the machine running `cloudflared`. + ## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs. -This buffer size increase is reported by the [quic-go library](https://github.com/quic-go/quic-go) leveraged by [cloudflared](https://github.com/cloudflare/cloudflared). You can learn more about the log message in the [quic-go repository](https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes). This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed `cloudflared` within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes. - -To set the maximum receive buffer size on Linux: - -1. Create a new file under `/etc/sysctl.d/`: - -```sh -sudo vi 98-core-rmem-max.conf -``` - -2. In the file, define the desired buffer size: - -```txt -net.core.rmem_max=2500000 -``` - -3. Reboot the host machine running `cloudflared`. - -4. To validate that these changes have taken effect, use the `grep` command: - -```sh -sudo sysctl -a | grep net.core.rmem_max -``` - -```sh output -net.core.rmem_max = 2500000 -``` + ## `ping` and `traceroute` commands do not work. @@ -227,7 +135,10 @@ To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traf ## Cloudflare Tunnel is buffering my streaming response instead of streaming it live. -Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the response header `Content-Type: text/event-stream`. The `Content-Type: text/event-stream` response header tells `cloudflared` to stream data as it arrives instead of buffering the entire response. + ## I see `Error: This route's network is inside an existing subnet's network at "100.96.0.0/12"`. diff --git a/src/content/docs/tunnel/troubleshooting.mdx b/src/content/docs/tunnel/troubleshooting.mdx index 59e68690f5dd276..72012311bf291f1 100644 --- a/src/content/docs/tunnel/troubleshooting.mdx +++ b/src/content/docs/tunnel/troubleshooting.mdx @@ -5,7 +5,7 @@ sidebar: order: 8 --- -import { Details, GlossaryTooltip, Render, Tabs, TabItem } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; Use this page to diagnose and resolve common issues with Cloudflare Tunnel. For tunnel health monitoring, logs, and metrics, refer to [Monitoring](/tunnel/monitoring/). @@ -87,153 +87,104 @@ If DNS or network tests fail, the problem is likely in your local environment. D If you do not see your issue below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/), view your [tunnel logs](/tunnel/monitoring/#logs), or [contact Cloudflare Support](/support/contacting-cloudflare-support/). -### `cloudflared service is already installed` +### I see `cloudflared service is already installed`. -Only one instance of `cloudflared` may run as a service per machine. Add additional routes to your existing tunnel instead, or run `sudo cloudflared service uninstall` to remove the existing service. - -### `An A, AAAA, or CNAME record with that host already exists` - -Choose a different hostname for your tunnel, or delete the existing DNS record in the [Cloudflare dashboard](https://dash.cloudflare.com). - -### Tunnel credentials file does not exist - -If you see `Tunnel credentials file '/root/.cloudflared/.json' doesn't exist or is not a file`, verify that the `credentials-file` path in your `config.yml` points to the correct location. You may need to change `/root/` to your home directory. - -### Tunnel fails to authenticate - -If the authenticating user is removed from the account or their permissions change, Cloudflare rolls the API key. The certificate retains the old key and authentication fails. Run `cloudflared tunnel login` again to regenerate the certificate, or create a dedicated service user to authenticate. - -### `x509: certificate signed by unknown authority` - -The origin uses a certificate that `cloudflared` does not trust. To resolve: - -- Add the certificate to the system certificate pool. -- Use the `--origin-ca-pool` flag and specify the path to the certificate. -- Use the `--no-tls-verify` flag to skip certificate verification. - -### Error 1033 - - - -For more information, refer to [Cloudflare 1xxx errors](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/). - -### 502 Bad Gateway - -A `502 Bad Gateway` error with `Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared` on a tunnel route means the tunnel itself is connected to the Cloudflare network, but `cloudflared` cannot reach the origin service defined in your ingress rule. Unlike [error 1033](#error-1033), which indicates the tunnel is not connected to Cloudflare, a 502 error indicates the problem is between `cloudflared` and your local service. - -To identify the specific cause, review your [tunnel logs](/tunnel/monitoring/#logs) for `error`-level messages. Common causes include: - -#### Origin service is not running - -If the origin service has stopped or never started, `cloudflared` logs will show an error similar to: - -```txt -error="dial tcp [::1]:8080: connect: connection refused" -``` - -To resolve, verify the service is running and listening on the expected port: - -```sh -curl -v http://localhost:8080 -``` - -If the service is not running, start or restart it. You can confirm the service is listening by running `ss -tlnp | grep ` (Linux) or `lsof -iTCP -sTCP:LISTEN -nP | grep ` (macOS). - -#### Origin service URL uses the wrong protocol - -If the origin expects HTTPS but the tunnel route specifies `http://`, or vice versa, `cloudflared` logs will show an error similar to: - -```txt -error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\"" -``` - -To resolve, update the service URL in your tunnel route to match the [protocol](/tunnel/routing/#supported-protocols) your origin expects. For example, change `http://localhost:8080` to `https://localhost:8080`. If you are using a locally-managed tunnel, update your ingress rule in the [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/). - -#### Origin service URL points to the wrong port - -If the port in your tunnel route does not match the port your service is listening on, `cloudflared` will log a `connection refused` error for that port. Double-check the service URL in your ingress rule and compare it against the port your application is bound to. - -#### Origin uses a certificate that `cloudflared` does not trust - -If the origin presents a TLS certificate that `cloudflared` cannot verify, the logs will show an error similar to: + -```txt -error="x509: certificate is valid for example.com, not localhost" -``` +### I see `An A, AAAA, or CNAME record with that host already exists`. -This commonly occurs when the origin uses a self-signed certificate or when an SSL/TLS inspection proxy sits between `cloudflared` and the origin. + -To resolve, use one of the following approaches: +### Tunnel credentials file doesn't exist or is not a file. -- Set [`originServerName`](/tunnel/configuration/#originservername) to the hostname on the origin certificate in your tunnel route. If you are using a locally-managed tunnel, here is an example of a [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/): + - ```yml - ingress: - - hostname: app.example.com - service: https://localhost:443 - originRequest: - originServerName: app.example.com - ``` +### My tunnel fails to authenticate. -- Provide the CA certificate using [`caPool`](/tunnel/configuration/#capool): + - ```yml - ingress: - - hostname: app.example.com - service: https://localhost:443 - originRequest: - caPool: /path/to/ca-cert.pem - ``` +### I see an error: x509: certificate signed by unknown authority. -- As a last resort, disable TLS verification with [`noTLSVerify`](/tunnel/configuration/#notlsverify). This is not recommended for production environments. + - ```yml - ingress: - - hostname: app.example.com - service: https://localhost:443 - originRequest: - noTLSVerify: true - ``` +### I see an error 1033 when attempting to run a tunnel. -### `ERR_TOO_MANY_REDIRECTS` + -Set the [origin server name](/tunnel/configuration/#originservername) parameter to the hostname on your origin certificate: +### I see a 502 Bad Gateway error when connecting to an HTTP or HTTPS application through tunnel. -```txt -ingress: - - hostname: test.example.com - service: https://localhost:443 - originRequest: - originServerName: test.example.com -``` + -### `websocket: bad handshake` +### I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app. -Your `cloudflared access` client cannot reach your `cloudflared tunnel` origin. Common causes: + -- The tunnel is not running or not connected to Cloudflare. -- WebSockets are not [enabled](/network/websockets/#enable-websockets). -- SSL/TLS encryption mode is set to **Off (not secure)**. Set it to **Flexible**, **Full**, or **Full (strict)** in **SSL/TLS** > **Overview**. -- Requests are blocked by [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/). -- One or more [Workers routes](/workers/configuration/routing/routes/) overlap with the tunnel hostname. +### `cloudflared access` shows an error `websocket: bad handshake`. -### Tunnel connections fail with SSL error + -If `cloudflared` returns `error="remote error: tls: handshake failure"`, verify the hostname is covered by an SSL certificate. Multi-level subdomains may require an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/) because Universal SSL does not cover more than one level of subdomain. +### Tunnel connections fail with SSL error. -### `Too many open files` + -Increase the open file descriptor limit to at least 70,000 with `ulimit -n 70000` on the host running `cloudflared`. Configure the limit persistently for your operating system. +### Tunnel connections fail with `Too many open files` error. -### `failed to sufficiently increase receive buffer size` + -This message from the [quic-go library](https://github.com/quic-go/quic-go) is generally not impactful. For high-bandwidth environments, set the maximum receive buffer size on Linux: +### I see `failed to sufficiently increase receive buffer size` in my cloudflared logs. -```sh -echo 'net.core.rmem_max=2500000' | sudo tee /etc/sysctl.d/98-core-rmem-max.conf -sudo sysctl -p /etc/sysctl.d/98-core-rmem-max.conf -``` + -### Streaming responses are buffered +### Cloudflare Tunnel is buffering my streaming response instead of streaming it live. -Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the `Content-Type: text/event-stream` response header. This header tells `cloudflared` to stream data as it arrives instead of buffering the entire response. + diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/502-bad-gateway.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/502-bad-gateway.mdx new file mode 100644 index 000000000000000..750db57a4d52155 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/502-bad-gateway.mdx @@ -0,0 +1,85 @@ +--- +params: + - logsURL + - protocolURL + - configFileURL + - originServerNameURL + - caPoolURL + - noTLSVerifyURL +--- + +A `502 Bad Gateway` error with `Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared` on a tunnel route means the tunnel itself is connected to the Cloudflare network, but `cloudflared` cannot reach the origin service defined in your ingress rule. Unlike [error 1033](#i-see-an-error-1033-when-attempting-to-run-a-tunnel), which indicates the tunnel is not connected to Cloudflare, a 502 error indicates the problem is between `cloudflared` and your local service. + +To identify the specific cause, review your Tunnel logs for `error`-level messages. Common causes include: + +#### Origin service is not running + +If the origin service has stopped or never started, `cloudflared` logs will show an error similar to: + +```txt +error="dial tcp [::1]:8080: connect: connection refused" +``` + +To resolve, verify the service is running and listening on the expected port: + +```sh +curl -v http://localhost:8080 +``` + +If the service is not running, start or restart it. You can confirm the service is listening by running `ss -tlnp | grep ` (Linux) or `lsof -iTCP -sTCP:LISTEN -nP | grep ` (macOS). + +#### Origin service URL uses the wrong protocol + +If the origin expects HTTPS but the tunnel route specifies `http://`, or vice versa, `cloudflared` logs will show an error similar to: + +```txt +error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\"" +``` + +To resolve, update the service URL in your tunnel route to match the protocol your origin expects. For example, change `http://localhost:8080` to `https://localhost:8080`. If you are using a locally-managed tunnel, update your ingress rule in the configuration file. + +#### Origin service URL points to the wrong port + +If the port in your tunnel route does not match the port your service is listening on, `cloudflared` will log a `connection refused` error for that port. Double-check the service URL in your ingress rule and compare it against the port your application is bound to. + +#### Origin uses a certificate that `cloudflared` does not trust + +If the origin presents a TLS certificate that `cloudflared` cannot verify, the logs will show an error similar to: + +```txt +error="x509: certificate is valid for example.com, not localhost" +``` + +This commonly occurs when the origin uses a self-signed certificate or when an SSL/TLS inspection proxy sits between `cloudflared` and the origin. + +To resolve, use one of the following approaches: + +- Set `originServerName` to the hostname on the origin certificate in your tunnel route. If you are using a locally-managed tunnel, here is an example of a configuration file: + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + originServerName: app.example.com + ``` + +- Provide the CA certificate using `caPool`: + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + caPool: /path/to/ca-cert.pem + ``` + +- As a last resort, disable TLS verification with `noTLSVerify`. This is not recommended for production environments. + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + noTLSVerify: true + ``` diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/credentials-file-not-found.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/credentials-file-not-found.mdx new file mode 100644 index 000000000000000..91fb4ddaea1b1ea --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/credentials-file-not-found.mdx @@ -0,0 +1,14 @@ +--- +{} +--- + +If you encounter the following error when running a tunnel, double check your `config.yml` file and ensure that the `credentials-file` points to the correct location. You may need to change `/root/` to your home directory. + +```sh +cloudflared tunnel run +``` + +```sh output +2021-06-04T06:21:16Z INF Starting tunnel tunnelID=928655cc-7f95-43f2-8539-2aba6cf3592d +Tunnel credentials file '/root/.cloudflared/928655cc-7f95-43f2-8539-2aba6cf3592d.json' doesn't exist or is not a file +``` diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/dns-record-already-exists.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/dns-record-already-exists.mdx new file mode 100644 index 000000000000000..b9695021ad9f267 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/dns-record-already-exists.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. [Check the DNS records](/dns/manage-dns-records/how-to/create-dns-records/) for your domain from the [Cloudflare dashboard](https://dash.cloudflare.com). diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/err-too-many-redirects.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/err-too-many-redirects.mdx new file mode 100644 index 000000000000000..e8d1242efcffbfc --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/err-too-many-redirects.mdx @@ -0,0 +1,14 @@ +--- +params: + - originServerNameURL +--- + +This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the origin server name parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration: + +```txt +ingress: + - hostname: test.example.com + service: https://localhost:443 + originRequest: + originServerName: test.example.com +``` diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/error-1033.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/error-1033.mdx new file mode 100644 index 000000000000000..432974cdcaa1755 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/error-1033.mdx @@ -0,0 +1,9 @@ +--- +{} +--- + +import { Render } from "~/components"; + + + +For more information, refer to the [comprehensive list of Cloudflare 1xxx errors](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/). diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/receive-buffer-size.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/receive-buffer-size.mdx new file mode 100644 index 000000000000000..ab051ac80f9bdf9 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/receive-buffer-size.mdx @@ -0,0 +1,31 @@ +--- +{} +--- + +This buffer size increase is reported by the [quic-go library](https://github.com/quic-go/quic-go) leveraged by [cloudflared](https://github.com/cloudflare/cloudflared). You can learn more about the log message in the [quic-go repository](https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes). This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed `cloudflared` within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes. + +To set the maximum receive buffer size on Linux: + +1. Create a new file under `/etc/sysctl.d/`: + +```sh +sudo vi 98-core-rmem-max.conf +``` + +2. In the file, define the desired buffer size: + +```txt +net.core.rmem_max=2500000 +``` + +3. Reboot the host machine running `cloudflared`. + +4. To validate that these changes have taken effect, use the `grep` command: + +```sh +sudo sysctl -a | grep net.core.rmem_max +``` + +```sh output +net.core.rmem_max = 2500000 +``` diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/service-already-installed.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/service-already-installed.mdx new file mode 100644 index 000000000000000..2d81832c800ffc7 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/service-already-installed.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +If you see this error when installing a remotely-managed tunnel, ensure that no other `cloudflared` instances are running as a service on this machine. Only a single instance of `cloudflared` may run as a service on any given machine. Instead, add additional routes to your existing tunnel. Alternatively, you can run `sudo cloudflared service uninstall` to uninstall `cloudflared`. diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/ssl-handshake-failure.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/ssl-handshake-failure.mdx new file mode 100644 index 000000000000000..54bb37642a94c3d --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/ssl-handshake-failure.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +If `cloudflared` returns error `error="remote error: tls: handshake failure"`, check to make sure the hostname in question is covered by a SSL certificate. If using a multi-level subdomain, an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/) may be required as the Universal SSL will not cover more than one level of subdomain. This may surface in the browser as `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`. diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/streaming-responses-buffered.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/streaming-responses-buffered.mdx new file mode 100644 index 000000000000000..94fd62a5494fea8 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/streaming-responses-buffered.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the `Content-Type: text/event-stream` response header. This header tells `cloudflared` to stream data as it arrives instead of buffering the entire response. diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/too-many-open-files.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/too-many-open-files.mdx new file mode 100644 index 000000000000000..9e63bec2ef0bdac --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/too-many-open-files.mdx @@ -0,0 +1,7 @@ +--- +params: + - logsURL + - ulimitsURL +--- + +If your Cloudflare Tunnel logs return a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to configure ulimit settings on the machine running `cloudflared`. diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/tunnel-fails-to-authenticate.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/tunnel-fails-to-authenticate.mdx new file mode 100644 index 000000000000000..3c9886fd410f158 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/tunnel-fails-to-authenticate.mdx @@ -0,0 +1,13 @@ +--- +{} +--- + +To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through `cloudflared login`. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components: + +- The public key of the origin certificate for that hostname +- The private key of the origin certificate for that domain +- A token that is unique to Cloudflare Tunnel + +Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one-level deep. Cloudflare uses that certificate file to authenticate `cloudflared` to create DNS records for your domain in Cloudflare. + +The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through `cloudflared` retains the older API key and can cause authentication failures. The user will need to login once more through `cloudflared` to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate. diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/websocket-bad-handshake.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/websocket-bad-handshake.mdx new file mode 100644 index 000000000000000..ffb2fdc7f030016 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/websocket-bad-handshake.mdx @@ -0,0 +1,14 @@ +--- +{} +--- + +This means that your `cloudflared access` client is unable to reach your `cloudflared tunnel` origin. To diagnose this, look at the `cloudflared tunnel` logs. A common root cause is that the `cloudflared tunnel` is unable to proxy to your origin (for example, because the ingress is misconfigured, the origin is down, or the origin HTTPS certificate cannot be validated by `cloudflared tunnel`). If `cloudflared tunnel` has no logs, it means Cloudflare's network is not able to route the websocket traffic to it. + +There are several possible root causes behind this error: + +- Your `cloudflared tunnel` is either not running or not connected to Cloudflare's network. +- WebSockets are not [enabled](/network/websockets/#enable-websockets). +- Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve, go to **SSL/TLS** > **Overview** in the Cloudflare dashboard and set your SSL/TLS encryption mode to **Flexible**, **Full**, or **Full (strict)**. +- Your requests are blocked by [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings. +- Your SSH or RDP Access application has the [Binding Cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** > **Applications** and edit the application settings. +- One or more [Workers routes](/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname, or update your Worker to only handle specific paths and forward all other requests to the origin (for example, by using `return fetch(req)`). diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors/x509-unknown-authority.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors/x509-unknown-authority.mdx new file mode 100644 index 000000000000000..c752c59f374e493 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors/x509-unknown-authority.mdx @@ -0,0 +1,9 @@ +--- +{} +--- + +This means the origin is using a certificate that `cloudflared` does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare. To resolve: + +- Add the certificate to the system certificate pool. +- Use the `--origin-ca-pool` flag and specify the path to the certificate. +- Use the `--no-tls-verify` flag to stop `cloudflared` checking the certificate for a trust chain. From 572de2f178a59bc48a55064dc9ef5142c96af223 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 25 Feb 2026 13:06:25 -0500 Subject: [PATCH 30/33] refactor troubleshooting --- .../troubleshoot-tunnels/common-errors.mdx | 97 +-------- src/content/docs/tunnel/troubleshooting.mdx | 101 +-------- .../cloudflare-one/tunnel/common-errors.mdx | 204 ++++++++++++++++++ 3 files changed, 212 insertions(+), 190 deletions(-) create mode 100644 src/content/partials/cloudflare-one/tunnel/common-errors.mdx diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx index e42c987936e5b3f..1bd13690de778de 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx @@ -20,49 +20,8 @@ You can check your tunnel's connection status either from Cloudflare One (by goi The tunnel status only reflects the connection between `cloudflared` and the Cloudflare network. Tunnel status does not indicate whether `cloudflared` can successfully reach your internal services. As a result, a tunnel can appear `Healthy` while users are still unable to connect to an application. ::: -## I see `cloudflared service is already installed`. - - - -## I see `An A, AAAA, or CNAME record with that host already exists`. - - - -## Tunnel credentials file doesn't exist or is not a file. - - -## My tunnel fails to authenticate. - - - -## I see an error: x509: certificate signed by unknown authority. - - - -## I see an error 1033 when attempting to run a tunnel. - - - -## I see a 502 Bad Gateway error when connecting to an HTTP or HTTPS application through tunnel. - - - -## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app. - - - -## `cloudflared access` shows an error `websocket: bad handshake`. - - - -## My tunnel randomly disconnects. - -Long-lived connections initiated through Cloudflare One, such as SSH sessions, can last up to eight hours. However, disruptions along the service path may result in more frequent disconnects. Often, these disconnects are caused by regularly scheduled maintenance events such as data center, server, or service updates and restarts. If you believe these events are not the cause of disconnects in your environment, collect the relevant [WARP logs](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/warp-logs/) and [Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) and contact Support. - -## Tunnel connections fail with SSL error. - - - -## Tunnel connections fail with `Too many open files` error. - - -## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs. +## My tunnel randomly disconnects. - +Long-lived connections initiated through Cloudflare One, such as SSH sessions, can last up to eight hours. However, disruptions along the service path may result in more frequent disconnects. Often, these disconnects are caused by regularly scheduled maintenance events such as data center, server, or service updates and restarts. If you believe these events are not the cause of disconnects in your environment, collect the relevant [WARP logs](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/warp-logs/) and [Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) and contact Support. ## `ping` and `traceroute` commands do not work. To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](/cloudflare-one/traffic-policies/proxy/#icmp). -## Cloudflare Tunnel is buffering my streaming response instead of streaming it live. - - - ## I see `Error: This route's network is inside an existing subnet's network at "100.96.0.0/12"`. This error occurs when you try to add a CIDR route that falls within Cloudflare WARP's CGNAT IP range. The `100.96.0.0/12` range, which covers addresses from `100.96.0.1` to `100.111.255.254`, is reserved for internal WARP routing and cannot be added as a Cloudflare Tunnel route. To connect your private network, you will need to change its IP/CIDR so that it does not overlap with `100.96.0.0/12`. diff --git a/src/content/docs/tunnel/troubleshooting.mdx b/src/content/docs/tunnel/troubleshooting.mdx index 72012311bf291f1..93a7bac82405a09 100644 --- a/src/content/docs/tunnel/troubleshooting.mdx +++ b/src/content/docs/tunnel/troubleshooting.mdx @@ -73,63 +73,10 @@ nc -vz -w 3 198.41.192.167 7844 # TCP | TCP succeeds, UDP fails | UDP on port `7844` is blocked. `cloudflared` can only use `http2`. | Allow UDP on port `7844`, or do not force `quic` in your [protocol](/tunnel/configuration/#protocol) configuration. | | Both fail | Packets are being dropped between the host and Cloudflare. | Allow all traffic over port `7844` on the local network firewall. If this does not resolve the issue, troubleshoot with your ISP or service provider. | -### Get help - If DNS or network tests fail, the problem is likely in your local environment. Debug with your administrator, ISP, or cloud provider. - -## Common errors - -If you do not see your issue below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/), view your [tunnel logs](/tunnel/monitoring/#logs), or [contact Cloudflare Support](/support/contacting-cloudflare-support/). - -### I see `cloudflared service is already installed`. - - - -### I see `An A, AAAA, or CNAME record with that host already exists`. - - - -### Tunnel credentials file doesn't exist or is not a file. - - - -### My tunnel fails to authenticate. - - - -### I see an error: x509: certificate signed by unknown authority. - - - -### I see an error 1033 when attempting to run a tunnel. - - - -### I see a 502 Bad Gateway error when connecting to an HTTP or HTTPS application through tunnel. - - - -### I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app. - - - -### `cloudflared access` shows an error `websocket: bad handshake`. - - - -### Tunnel connections fail with SSL error. - - - -### Tunnel connections fail with `Too many open files` error. - - -### I see `failed to sufficiently increase receive buffer size` in my cloudflared logs. +## How do I contact support? - -### Cloudflare Tunnel is buffering my streaming response instead of streaming it live. - - + params={{ tunnelMode: true }} +/> \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/tunnel/common-errors.mdx b/src/content/partials/cloudflare-one/tunnel/common-errors.mdx new file mode 100644 index 000000000000000..3d37f4991c739cd --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/common-errors.mdx @@ -0,0 +1,204 @@ +--- +params: + - logsURL + - protocolURL + - configFileURL + - originServerNameURL + - caPoolURL + - noTLSVerifyURL + - ulimitsURL +--- + +import { Render } from "~/components"; + +## I see `cloudflared service is already installed`. + +If you see this error when installing a remotely-managed tunnel, ensure that no other `cloudflared` instances are running as a service on this machine. Only a single instance of `cloudflared` may run as a service on any given machine. Instead, add additional routes to your existing tunnel. Alternatively, you can run `sudo cloudflared service uninstall` to uninstall `cloudflared`. + +## I see `An A, AAAA, or CNAME record with that host already exists`. + +If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. [Check the DNS records](/dns/manage-dns-records/how-to/create-dns-records/) for your domain from the [Cloudflare dashboard](https://dash.cloudflare.com). + +## Tunnel credentials file does not exist or is not a file. + +If you encounter the following error when running a tunnel, double check your `config.yml` file and ensure that the `credentials-file` points to the correct location. You may need to change `/root/` to your home directory. + +```sh +cloudflared tunnel run +``` + +```sh output +2021-06-04T06:21:16Z INF Starting tunnel tunnelID=928655cc-7f95-43f2-8539-2aba6cf3592d +Tunnel credentials file '/root/.cloudflared/928655cc-7f95-43f2-8539-2aba6cf3592d.json' doesn't exist or is not a file +``` + +## My tunnel fails to authenticate. + +To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through `cloudflared login`. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components: + +- The public key of the origin certificate for that hostname +- The private key of the origin certificate for that domain +- A token that is unique to Cloudflare Tunnel + +Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one-level deep. Cloudflare uses that certificate file to authenticate `cloudflared` to create DNS records for your domain in Cloudflare. + +The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through `cloudflared` retains the older API key and can cause authentication failures. The user will need to login once more through `cloudflared` to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate. + +## I see an error: x509: certificate signed by unknown authority. + +This means the origin is using a certificate that `cloudflared` does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare. To resolve: + +- Add the certificate to the system certificate pool. +- Use the `--origin-ca-pool` flag and specify the path to the certificate. +- Use the `--no-tls-verify` flag to stop `cloudflared` checking the certificate for a trust chain. + +## I see an error 1033 when attempting to run a tunnel. + + + +For more information, refer to the [comprehensive list of Cloudflare 1xxx errors](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/). + +## I see a 502 Bad Gateway error when connecting to an HTTP or HTTPS application through tunnel. + +A `502 Bad Gateway` error with `Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared` on a tunnel route means the tunnel itself is connected to the Cloudflare network, but `cloudflared` cannot reach the origin service defined in your ingress rule. Unlike [error 1033](#i-see-an-error-1033-when-attempting-to-run-a-tunnel), which indicates the tunnel is not connected to Cloudflare, a 502 error indicates the problem is between `cloudflared` and your local service. + +To identify the specific cause, review your Tunnel logs for `error`-level messages. Common causes include: + +#### Origin service is not running + +If the origin service has stopped or never started, `cloudflared` logs will show an error similar to: + +```txt +error="dial tcp [::1]:8080: connect: connection refused" +``` + +To resolve, verify the service is running and listening on the expected port: + +```sh +curl -v http://localhost:8080 +``` + +If the service is not running, start or restart it. You can confirm the service is listening by running `ss -tlnp | grep ` (Linux) or `lsof -iTCP -sTCP:LISTEN -nP | grep ` (macOS). + +#### Origin service URL uses the wrong protocol + +If the origin expects HTTPS but the tunnel route specifies `http://`, or vice versa, `cloudflared` logs will show an error similar to: + +```txt +error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\"" +``` + +To resolve, update the service URL in your tunnel route to match the protocol your origin expects. For example, change `http://localhost:8080` to `https://localhost:8080`. If you are using a locally-managed tunnel, update your ingress rule in the configuration file. + +#### Origin service URL points to the wrong port + +If the port in your tunnel route does not match the port your service is listening on, `cloudflared` will log a `connection refused` error for that port. Double-check the service URL in your ingress rule and compare it against the port your application is bound to. + +#### Origin uses a certificate that `cloudflared` does not trust + +If the origin presents a TLS certificate that `cloudflared` cannot verify, the logs will show an error similar to: + +```txt +error="x509: certificate is valid for example.com, not localhost" +``` + +This commonly occurs when the origin uses a self-signed certificate or when an SSL/TLS inspection proxy sits between `cloudflared` and the origin. + +To resolve, use one of the following approaches: + +- Set `originServerName` to the hostname on the origin certificate in your tunnel route. If you are using a locally-managed tunnel, here is an example of a configuration file: + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + originServerName: app.example.com + ``` + +- Provide the CA certificate using `caPool`: + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + caPool: /path/to/ca-cert.pem + ``` + +- As a last resort, disable TLS verification with `noTLSVerify`. This is not recommended for production environments. + + ```yml + ingress: + - hostname: app.example.com + service: https://localhost:443 + originRequest: + noTLSVerify: true + ``` + +## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app. + +This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the origin server name parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration: + +```txt +ingress: + - hostname: test.example.com + service: https://localhost:443 + originRequest: + originServerName: test.example.com +``` + +## `cloudflared access` shows an error `websocket: bad handshake`. + +This means that your `cloudflared access` client is unable to reach your `cloudflared tunnel` origin. To diagnose this, look at the `cloudflared tunnel` logs. A common root cause is that the `cloudflared tunnel` is unable to proxy to your origin (for example, because the ingress is misconfigured, the origin is down, or the origin HTTPS certificate cannot be validated by `cloudflared tunnel`). If `cloudflared tunnel` has no logs, it means Cloudflare's network is not able to route the websocket traffic to it. + +There are several possible root causes behind this error: + +- Your `cloudflared tunnel` is either not running or not connected to Cloudflare's network. +- WebSockets are not [enabled](/network/websockets/#enable-websockets). +- Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve, go to **SSL/TLS** > **Overview** in the Cloudflare dashboard and set your SSL/TLS encryption mode to **Flexible**, **Full**, or **Full (strict)**. +- Your requests are blocked by [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings. +- Your SSH or RDP Access application has the [Binding Cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** > **Applications** and edit the application settings. +- One or more [Workers routes](/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname, or update your Worker to only handle specific paths and forward all other requests to the origin (for example, by using `return fetch(req)`). + +## Tunnel connections fail with SSL error. + +If `cloudflared` returns error `error="remote error: tls: handshake failure"`, check to make sure the hostname in question is covered by a SSL certificate. If using a multi-level subdomain, an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/) may be required as the Universal SSL will not cover more than one level of subdomain. This may surface in the browser as `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`. + +## Tunnel connections fail with `Too many open files` error. + +If your Cloudflare Tunnel logs return a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to configure ulimit settings on the machine running `cloudflared`. + +## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs. + +This buffer size increase is reported by the [quic-go library](https://github.com/quic-go/quic-go) leveraged by [cloudflared](https://github.com/cloudflare/cloudflared). You can learn more about the log message in the [quic-go repository](https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes). This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed `cloudflared` within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes. + +To set the maximum receive buffer size on Linux: + +1. Create a new file under `/etc/sysctl.d/`: + + ```sh + sudo vi 98-core-rmem-max.conf + ``` + +2. In the file, define the desired buffer size: + + ```txt + net.core.rmem_max=2500000 + ``` + +3. Reboot the host machine running `cloudflared`. + +4. To validate that these changes have taken effect, use the `grep` command: + + ```sh + sudo sysctl -a | grep net.core.rmem_max + ``` + + ```sh output + net.core.rmem_max = 2500000 + ``` + +## Cloudflare Tunnel is buffering my streaming response instead of streaming it live. + +Proxied traffic through Cloudflare Tunnel is buffered by default unless the origin server includes the `Content-Type: text/event-stream` response header. This header tells `cloudflared` to stream data as it arrives instead of buffering the entire response. From 1c02ef9003f8d459ae08301a8ff85d7b58270bf7 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 25 Feb 2026 13:08:55 -0500 Subject: [PATCH 31/33] delete FAQ --- src/content/docs/tunnel/faq.mdx | 50 --------------------------------- 1 file changed, 50 deletions(-) delete mode 100644 src/content/docs/tunnel/faq.mdx diff --git a/src/content/docs/tunnel/faq.mdx b/src/content/docs/tunnel/faq.mdx deleted file mode 100644 index 4fd2eef16419618..000000000000000 --- a/src/content/docs/tunnel/faq.mdx +++ /dev/null @@ -1,50 +0,0 @@ ---- -pcx_content_type: faq -title: FAQ -structured_data: true -sidebar: - order: 10 -description: Review frequently asked questions about Cloudflare Tunnel. ---- - -import { Render } from "~/components"; - -## Can I create a tunnel for an apex domain? - -Yes. Create a CNAME record at the apex that points to `.cfargotunnel.com`. Refer to [DNS records](/tunnel/routing/#dns-records) for details. - -## Does Cloudflare Tunnel support WebSockets? - -Yes. Cloudflare Tunnel has full support for WebSockets. - -## Does Cloudflare Tunnel support gRPC? - -Yes. - -## How can Tunnel be used with Partial DNS (CNAME Setup)? - -The best experience with Cloudflare Tunnel is using [Full Setup](/dns/zone-setups/full-setup/) because Cloudflare manages DNS and can automatically configure records for new tunnels. - -You can still use Tunnel with [Partial Setup](/dns/zone-setups/partial-setup/). Create a CNAME or ALIAS record with your DNS provider for each hostname. The record value should be `subdomain.domain.tld.cdn.cloudflare.net` (for example, `tunnel.example.com.cdn.cloudflare.net`). - -## How can I verify my origin is not publicly reachable? - -After deploying a tunnel, confirm that your origin does not respond to direct requests. Refer to [Firewall rules](/tunnel/configuration/#firewall-rules) for guidance on locking down your origin. - -## Does Cloudflare Tunnel send visitor IPs to my origin? - -No. All requests to the origin are made internally between `cloudflared` and the origin. To log external visitor IPs, [configure an alternative method](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/). - -## Is it possible to restore a deleted tunnel? - -No. You cannot undo a tunnel deletion. If the tunnel was locally-managed, its [configuration file](/tunnel/other-tunnel-types/local-management/configuration-file/) will still be present and you can create a new tunnel with the same configuration. If the tunnel was remotely-managed, both the tunnel and its configuration are permanently deleted. - -## How do I contact support? - -Before contacting the Cloudflare support team: - -1. Take note of any specific error messages and/or problematic behaviors. -2. Make sure that `cloudflared` is updated to the [latest version](https://github.com/cloudflare/cloudflared). -3. Gather any relevant error/access logs from your server. -4. If needed, set [`--loglevel`](/tunnel/configuration/#loglevel) to `debug`, so the Cloudflare support team can get more info from the `cloudflared.log` file. -5. Include your [Cloudflare Tunnel diagnostic logs](/tunnel/monitoring/#diagnostic-logs) (`cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip`). From 65432fd326e5f655c8cf067dcce29e6a88886c25 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 25 Feb 2026 13:34:11 -0500 Subject: [PATCH 32/33] consolidate changelogs --- .../2024-12-19-diagnostic-logs.mdx | 2 -- .../2025-07-15-udp-improvements.mdx | 0 ...25-09-02-tunnel-networks-list-endpoints-new-default.mdx | 0 .../2025-09-18-tunnel-hostname-routing.mdx | 0 .../2025-11-11-cloudflared-proxy-dns.mdx | 0 .../2026-01-15-warp-connector-ping-support.mdx | 0 src/content/docs/cloudflare-one/changelog/tunnel.mdx | 4 ++-- src/content/docs/tunnel/changelog.mdx | 7 ++++++- 8 files changed, 8 insertions(+), 5 deletions(-) rename src/content/changelog/{cloudflare-tunnel-sase => tunnel}/2024-12-19-diagnostic-logs.mdx (90%) rename src/content/changelog/{cloudflare-tunnel-sase => tunnel}/2025-07-15-udp-improvements.mdx (100%) rename src/content/changelog/{cloudflare-tunnel-sase => tunnel}/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx (100%) rename src/content/changelog/{cloudflare-tunnel-sase => tunnel}/2025-09-18-tunnel-hostname-routing.mdx (100%) rename src/content/changelog/{cloudflare-tunnel-sase => tunnel}/2025-11-11-cloudflared-proxy-dns.mdx (100%) rename src/content/changelog/{cloudflare-tunnel-sase => tunnel}/2026-01-15-warp-connector-ping-support.mdx (100%) diff --git a/src/content/changelog/cloudflare-tunnel-sase/2024-12-19-diagnostic-logs.mdx b/src/content/changelog/tunnel/2024-12-19-diagnostic-logs.mdx similarity index 90% rename from src/content/changelog/cloudflare-tunnel-sase/2024-12-19-diagnostic-logs.mdx rename to src/content/changelog/tunnel/2024-12-19-diagnostic-logs.mdx index 267fccac7ca1bb0..3eea4fca6905f0d 100644 --- a/src/content/changelog/cloudflare-tunnel-sase/2024-12-19-diagnostic-logs.mdx +++ b/src/content/changelog/tunnel/2024-12-19-diagnostic-logs.mdx @@ -10,6 +10,4 @@ The latest `cloudflared` build [2024.12.2](https://github.com/cloudflare/cloudfl A diagnostic report collects data from a single instance of `cloudflared` running on the local machine and outputs it to a `cloudflared-diag` file. - - For more information, refer to [Diagnostic logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/). diff --git a/src/content/changelog/cloudflare-tunnel-sase/2025-07-15-udp-improvements.mdx b/src/content/changelog/tunnel/2025-07-15-udp-improvements.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel-sase/2025-07-15-udp-improvements.mdx rename to src/content/changelog/tunnel/2025-07-15-udp-improvements.mdx diff --git a/src/content/changelog/cloudflare-tunnel-sase/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx b/src/content/changelog/tunnel/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel-sase/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx rename to src/content/changelog/tunnel/2025-09-02-tunnel-networks-list-endpoints-new-default.mdx diff --git a/src/content/changelog/cloudflare-tunnel-sase/2025-09-18-tunnel-hostname-routing.mdx b/src/content/changelog/tunnel/2025-09-18-tunnel-hostname-routing.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel-sase/2025-09-18-tunnel-hostname-routing.mdx rename to src/content/changelog/tunnel/2025-09-18-tunnel-hostname-routing.mdx diff --git a/src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx b/src/content/changelog/tunnel/2025-11-11-cloudflared-proxy-dns.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx rename to src/content/changelog/tunnel/2025-11-11-cloudflared-proxy-dns.mdx diff --git a/src/content/changelog/cloudflare-tunnel-sase/2026-01-15-warp-connector-ping-support.mdx b/src/content/changelog/tunnel/2026-01-15-warp-connector-ping-support.mdx similarity index 100% rename from src/content/changelog/cloudflare-tunnel-sase/2026-01-15-warp-connector-ping-support.mdx rename to src/content/changelog/tunnel/2026-01-15-warp-connector-ping-support.mdx diff --git a/src/content/docs/cloudflare-one/changelog/tunnel.mdx b/src/content/docs/cloudflare-one/changelog/tunnel.mdx index e1b147cdfaedbaf..360096688b43728 100644 --- a/src/content/docs/cloudflare-one/changelog/tunnel.mdx +++ b/src/content/docs/cloudflare-one/changelog/tunnel.mdx @@ -9,10 +9,10 @@ description: Review recent changes to Cloudflare Tunnel. import { ProductChangelog, Render } from "~/components"; -{/*