LinuxCommandLibrary

cloudflared

Create secure tunnels to Cloudflare's network

TLDR

Authenticate and associate the connection to a domain in the Cloudflare account
$ cloudflared tunnel login

Create a tunnel with a specific name
$ cloudflared tunnel create [name]

Establish a tunnel to a host in Cloudflare from the local server
$ cloudflared tunnel --hostname [hostname] localhost:[port_number]

Establish a tunnel to a host in Cloudflare from the local server, without verifying the local server's certificate
$ cloudflared tunnel --hostname [hostname] localhost:[port_number] --no-tls-verify

Save logs to a file
$ cloudflared tunnel --hostname [hostname] http://localhost:[port_number] --loglevel [panic|fatal|error|warn|info|debug] --logfile [path/to/file]

Install cloudflared as a system service
$ cloudflared service install

SYNOPSIS

cloudflared [flags]

Common commands:
cloudflared tunnel run [--config ]
cloudflared tunnel create
cloudflared proxy-dns [--address ] [--port ]
cloudflared login
cloudflared update

PARAMETERS

--config
    Specifies the path to a configuration file for cloudflared.

--logfile
    Writes log output to a specified file instead of standard error.

--loglevel
    Sets the logging verbosity (e.g., debug, info, warn, error).

--metrics
    Exposes Prometheus metrics on the given address and port.

--no-autoupdate
    Disables automatic updates of the cloudflared binary.

--proxy-dns-address
    (For proxy-dns) Specifies the address to listen on for DNS queries.

--proxy-dns-port
    (For proxy-dns) Specifies the port to listen on for DNS queries.

--proxy-dns-upstream
    (For proxy-dns) Defines an upstream DNS server URL for resolution.

--url
    (For tunnel run) Specifies the local service URL to expose via a quick tunnel.

DESCRIPTION

cloudflared is a command-line tool developed by Cloudflare that allows users to create secure, outbound-only tunnels (known as Cloudflare Tunnels or Argo Tunnels) from their infrastructure to Cloudflare's global network. This eliminates the need to open inbound firewall ports, significantly enhancing security. It's primarily used to expose local services like web servers, SSH, RDP, or databases to the internet through Cloudflare, leveraging Cloudflare's security, performance, and reliability features.

cloudflared also functions as a DNS-over-HTTPS (DoH) proxy, allowing local applications to encrypt their DNS queries, improving privacy and security. It's a versatile tool for securing and connecting private networks to Cloudflare's edge.

CAVEATS

Requires Cloudflare Account: To create tunnels and use most features, an active Cloudflare account and domain are necessary.
Security Implications: While cloudflared enhances security by eliminating inbound firewall ports, exposing internal services still requires careful consideration of access controls and potential vulnerabilities.
Network Latency: Performance can be affected by the distance and network latency to the nearest Cloudflare edge.
Complex Configurations: Advanced setups involving multiple services, ingress rules, or specific access policies can require detailed YAML configuration.

KEY USE CASES

Exposing Internal Applications: Securely make internal web applications (e.g., Jira, Confluence) accessible to specific users via Cloudflare Access without needing a VPN.
Secure Remote Access: Provide secure SSH or RDP access to servers and workstations without opening firewall ports.
IoT and Edge Connectivity: Connect IoT devices or services located at the network edge to a central dashboard or application.
DNS-over-HTTPS Proxy: Function as a local DNS proxy to encrypt all DNS queries, enhancing privacy and security for local applications.

SECURITY MODEL

cloudflared establishes an encrypted, outbound-only connection to Cloudflare's global network. This eliminates the need to open any inbound ports on your firewall, significantly reducing the attack surface. All traffic directed to your exposed service flows through Cloudflare's infrastructure, benefiting from their enterprise-grade security features like DDoS protection, Web Application Firewall (WAF), and bot management.

CONFIGURATION FILE

While cloudflared can be operated with command-line flags, complex or persistent setups are typically managed using a YAML configuration file (e.g., located at ~/.cloudflared/config.yaml or specified via the --config flag). This file allows for defining multiple tunnels, detailed service routing rules, advanced ingress policies, and logging preferences, offering greater flexibility and maintainability for production environments.
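Added example (not taken from this page or from Cloudflare's own tooling): a POSIX shell script that writes the kind of config file described above and runs two offline checks on it before the file is handed to cloudflared. The tunnel name, credentials path, hostnames, port and log path are constructed placeholders; the checks confirm that the ingress list ends in a catch-all rule and that noTLSVerify, the config-file counterpart of the --no-tls-verify flag in the TLDR, is scoped to one origin rather than applied to every origin.

```shell
#!/bin/sh
# Constructed config for a named tunnel: routing rules, origin settings and
# the logging preferences (logfile, loglevel) that the flags above also set.
write_config() {   # $1 = output path
  cat > "$1" <<'EOF'
tunnel: example-tunnel
credentials-file: /home/user/.cloudflared/TUNNEL-UUID.json
logfile: /var/log/cloudflared.log
loglevel: info
no-autoupdate: true
ingress:
  - hostname: app.example.com
    service: http://localhost:8080
  - hostname: legacy.example.com
    service: https://localhost:8443
    originRequest:
      noTLSVerify: true      # scoped to this one origin, not global
  - service: http_status:404   # catch-all: anything unmatched gets 404
EOF
}

# Returns 0 when the last ingress rule has no hostname (a catch-all), else 1.
# cloudflared refuses to start without one; this lets CI catch it earlier.
last_rule_is_catchall() {
  awk '
    /^ingress:/            { inlist = 1; seen = 1; next }
    inlist && /^[^ ]/      { inlist = 0 }
    inlist && /^  - /      { has_host = (index($0, "hostname:") > 0); next }
    inlist && /^    hostname:/ { has_host = 1 }
    END { exit (seen && !has_host) ? 0 : 1 }
  ' "$1"
}

# Returns 0 when noTLSVerify is never enabled in a top-level originRequest
# block (where it would disable certificate checks for every origin), else 1.
no_global_tls_bypass() {
  awk '
    /^originRequest:/           { g = 1; next }
    /^[^ ]/                     { g = 0 }
    g && /noTLSVerify:[ ]*true/ { found = 1 }
    END { exit found ? 1 : 0 }
  ' "$1"
}
```

Run both checks on the file before `cloudflared tunnel run --config <path>`; `cloudflared tunnel ingress validate` remains the authoritative check once cloudflared is installed.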

HISTORY

cloudflared evolved from Cloudflare's 'Argo Tunnel' product, designed to provide a secure and efficient way to connect private resources to Cloudflare's network without public IP addresses or firewall rules. It aims to solve the problem of exposing internal services securely while leveraging Cloudflare's DDoS protection, WAF, and CDN capabilities. Its development focuses on ease of use, security, and integration with Cloudflare's broader ecosystem, becoming a cornerstone for connecting on-premises or private cloud infrastructure to Cloudflare Zero Trust.

SEE ALSO

ssh(1), nginx(8), apache2(8), systemctl(1), dig(1)
