cloudflared
Create secure tunnels to Cloudflare's network
TLDR
Authenticate and associate the connection to a domain in the Cloudflare account
Create a tunnel with a specific name
Establish a tunnel to a host in Cloudflare from the local server
Establish a tunnel to a host in Cloudflare from the local server, without verifying the local server's certificate
Save logs to a file
Install cloudflared as a system service
SYNOPSIS
cloudflared
Common commands:
cloudflared tunnel run
cloudflared tunnel create
cloudflared proxy-dns [--address
cloudflared login
cloudflared update
PARAMETERS
--config
Specifies the path to a configuration file for cloudflared.
--logfile
Writes log output to a specified file instead of standard error.
--loglevel
Sets the logging verbosity (e.g., debug, info, warn, error).
--metrics
Exposes Prometheus metrics on the given address and port.
--no-autoupdate
Disables automatic updates of the cloudflared binary.
--proxy-dns-address
(For proxy-dns) Specifies the address to listen on for DNS queries.
--proxy-dns-port
(For proxy-dns) Specifies the port to listen on for DNS queries.
--proxy-dns-upstream
(For proxy-dns) Defines an upstream DNS server URL for resolution.
--url
(For tunnel run) Specifies the local service URL to expose via a quick tunnel.
DESCRIPTION
cloudflared is a command-line tool developed by Cloudflare that allows users to create secure, outbound-only tunnels (known as Cloudflare Tunnels or Argo Tunnels) from their infrastructure to Cloudflare's global network. This eliminates the need to open inbound firewall ports, significantly enhancing security. It's primarily used to expose local services like web servers, SSH, RDP, or databases to the internet through Cloudflare, leveraging Cloudflare's security, performance, and reliability features.
cloudflared also functions as a DNS-over-HTTPS (DoH) proxy, allowing local applications to encrypt their DNS queries, improving privacy and security. It's a versatile tool for securing and connecting private networks to Cloudflare's edge.
CAVEATS
Requires Cloudflare Account: To create tunnels and use most features, an active Cloudflare account and domain are necessary.
Security Implications: While cloudflared enhances security by eliminating inbound firewall ports, an exposed internal service is still reachable by whoever Cloudflare admits to it, so access controls (such as Cloudflare Access policies) and the service's own vulnerabilities still require careful consideration.
Network Latency: Performance can be affected by the distance and network latency to the nearest Cloudflare edge.
Complex Configurations: Advanced setups involving multiple services, ingress rules, or specific access policies can require detailed YAML configuration.
KEY USE CASES
Exposing Internal Applications: Securely make internal web applications (e.g., Jira, Confluence) accessible to specific users via Cloudflare Access without needing a VPN.
Secure Remote Access: Provide secure SSH or RDP access to servers and workstations without opening firewall ports.
IoT and Edge Connectivity: Connect IoT devices or services located at the network edge to a central dashboard or application.
DNS-over-HTTPS Proxy: Function as a local DNS proxy to encrypt all DNS queries, enhancing privacy and security for local applications.
SECURITY MODEL
cloudflared establishes an encrypted, outbound-only connection to Cloudflare's global network. This eliminates the need to open any inbound ports on your firewall, significantly reducing the attack surface. All traffic directed to your exposed service flows through Cloudflare's infrastructure, benefiting from their enterprise-grade security features like DDoS protection, Web Application Firewall (WAF), and bot management.
CONFIGURATION FILE
While cloudflared can be operated with command-line flags, complex or persistent setups are typically managed using a YAML configuration file (e.g., located at ~/.cloudflared/config.yaml or specified via the --config flag). This file allows for defining multiple tunnels, detailed service routing rules, advanced ingress policies, and logging preferences, offering greater flexibility and maintainability for production environments.
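The ingress rules in such a config file can be linted before a tunnel is started. The following is an added example, not cloudflared's own code: it takes the ingress list as a YAML loader would return it (a constructed sample is embedded), checks the rule ordering, and flags any rule that turns off verification of the local server's certificate. The catch-all requirement and the originRequest.noTLSVerify key name are assumed from cloudflared's documented config format; neither is stated on this page.

```python
"""Lint the ingress section of a cloudflared config.yaml.

Added example (not cloudflared's own code). Assumptions: rules are matched
top to bottom and the final rule must be a catch-all with no hostname or
path; originRequest.noTLSVerify is the config-file form of "do not verify
the local server's certificate".
"""

# Constructed sample: what a YAML loader would return for the 'ingress' list.
SAMPLE_INGRESS = [
    {"hostname": "app.example.com", "service": "http://localhost:8000"},
    {"hostname": "ssh.example.com", "service": "ssh://localhost:22"},
    {
        "hostname": "legacy.example.com",
        "service": "https://10.0.0.5:8443",
        "originRequest": {"noTLSVerify": True},
    },
    {"service": "http_status:404"},
]


def is_catch_all(rule):
    """A rule with neither hostname nor path matches every request."""
    return "hostname" not in rule and "path" not in rule


def lint_ingress(ingress):
    """Return a list of findings; an empty list means the ingress passed."""
    findings = []
    if not ingress:
        return ["ingress: no rules defined"]
    if not is_catch_all(ingress[-1]):
        findings.append("ingress: last rule must be a catch-all (no hostname/path)")
    for i, rule in enumerate(ingress):
        name = rule.get("hostname", "*")
        if "service" not in rule:
            findings.append(f"rule {i} ({name}): missing 'service'")
            continue
        # A catch-all placed before the last rule shadows every rule after it.
        if i < len(ingress) - 1 and is_catch_all(rule):
            findings.append(f"rule {i}: catch-all before the last rule shadows later rules")
        # With origin certificate checks off, the tunnel forwards to whatever
        # answers on that address, so each occurrence is flagged for review.
        if rule.get("originRequest", {}).get("noTLSVerify"):
            findings.append(f"rule {i} ({name}): noTLSVerify disables origin TLS verification")
    return findings


if __name__ == "__main__":
    for line in lint_ingress(SAMPLE_INGRESS) or ["ingress: no findings"]:
        print(line)
```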
HISTORY
cloudflared evolved from Cloudflare's 'Argo Tunnel' product, designed to provide a secure and efficient way to connect private resources to Cloudflare's network without public IP addresses or firewall rules. It aims to solve the problem of exposing internal services securely while leveraging Cloudflare's DDoS protection, WAF, and CDN capabilities. Its development focuses on ease of use, security, and integration with Cloudflare's broader ecosystem, becoming a cornerstone for connecting on-premises or private cloud infrastructure to Cloudflare Zero Trust.