cloudflared tunnel [command options]

Use Cloudflare Tunnel to expose private services to the Internet or to Cloudflare connected private users

Arguments

Name	Description
`command options`

Subcommands

Name	Description
`login`	Generate a configuration file with your login details
`create`	Creates a tunnel, registers it with Cloudflare edge and generates credential file used to run this tunnel. Use "cloudflared tunnel route" subcommand to map a DNS name to this tunnel and "cloudflared tunnel run" to start the connection
`route`	The route command defines how Cloudflare will proxy requests to this tunnel
`vnet`	Configure and query virtual networks to manage private IP routes with overlapping IPs
`run`	Proxy a local web server by running the given tunnel
`list`	Cloudflared tunnel list will display all active tunnels, their created time and associated connections
`info`	Cloudflared tunnel info displays details about the active connectors for a given tunnel (identified by name or uuid)
`delete`	Cloudflared tunnel delete will delete tunnels with the given tunnel UUIDs or names. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use -f flag
`cleanup`	Delete connections for tunnels with the given UUIDs or names
`token`	Fetch the credentials token for an existing tunnel (by name or UUID) that allows to run it
`help, h`	Shows a list of commands or help for one command

Options

Name	Description
`--config <value>`	Specifies a config file in YAML format. (default: "/usr/local/etc/cloudflared/config.yml")
`--origincert <value>`	Path to the certificate generated for your origin when you run cloudflared login. [$TUNNEL_ORIGIN_CERT]
`--autoupdate-freq <value>`	Autoupdate frequency. Default is 24h0m0s. (default: 24h0m0s)
`--no-autoupdate`	Disable periodic check for updates, restarting the server with the new version. (default: false) [$NO_AUTOUPDATE]
`--metrics <value>`	Listen address for metrics reporting. (default: "localhost:") [$TUNNEL_METRICS]
`--pidfile <value>`	Write the application's PID to this file after first successful connection. [$TUNNEL_PIDFILE]
`--url <URL>`	Connect to the local webserver at URL. (default: "http://localhost:8080") [$TUNNEL_URL]
`--hello-world`	Run Hello World Server (default: false) [$TUNNEL_HELLO_WORLD]
`--socks5`	Specify if this tunnel is running as a SOCK5 Server This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: false) [$TUNNEL_SOCKS]
`--proxy-connect-timeout`	HTTP proxy timeout for establishing a new connection This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: 30s)
`--proxy-tls-timeout`	HTTP proxy timeout for completing a TLS handshake This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: 10s)
`--proxy-tcp-keepalive`	HTTP proxy TCP keepalive duration This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: 30s)
`--proxy-no-happy-eyeballs`	HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: false)
`--proxy-keepalive-connections`	HTTP proxy maximum keepalive connection pool size This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: 100)
`--proxy-keepalive-timeout`	HTTP proxy timeout for closing an idle connection This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: 1m30s)
`--proxy-connection-timeout`	DEPRECATED. No longer has any effect. (default: 1m30s)
`--proxy-expect-continue-timeout`	DEPRECATED. No longer has any effect. (default: 1m30s)
`--http-host-header`	Sets the HTTP Host header for the local webserver. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress [$TUNNEL_HTTP_HOST_HEADER]
`--origin-server-name`	Hostname on the origin server certificate. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress [$TUNNEL_ORIGIN_SERVER_NAME]
`--unix-socket <value>`	Path to unix socket to use instead of --url [$TUNNEL_UNIX_SOCKET]
`--origin-ca-pool`	Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress [$TUNNEL_ORIGIN_CA_POOL]
`--no-tls-verify`	Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Note: The connection from your machine to Cloudflare's Edge is still encrypted. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: false) [$NO_TLS_VERIFY]
`--no-chunked-encoding`	Disables chunked transfer encoding; useful if you are running a WSGI server. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: false) [$TUNNEL_NO_CHUNKED_ENCODING]
`--bastion`	Runs as jump host (default: false) [$TUNNEL_BASTION]
`--proxy-address <value>`	Listen address for the proxy. (default: "127.0.0.1") [$TUNNEL_PROXY_ADDRESS]
`--proxy-port <value>`	Listen port for the proxy. (default: 0) [$TUNNEL_PROXY_PORT]
`--loglevel <value>`	Application logging level { value: debug, info, warn, error, fatal}. At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. This can expose sensitive information in your logs. (default: "info") [$TUNNEL_LOGLEVEL]
`--transport-loglevel, --proto-loglevel <value>`	Transport logging level(previously called protocol logging level) { value: debug, info, warn, error, fatal} (default: "info") [$TUNNEL_PROTO_LOGLEVEL, $TUNNEL_TRANSPORT_LOGLEVEL]
`--logfile <value>`	Save application log to this file for reporting issues. [$TUNNEL_LOGFILE]
`--log-directory <value>`	Save application log to this directory for reporting issues. [$TUNNEL_LOGDIRECTORY]
`--trace-output <value>`	Name of trace output file, generated when cloudflared stops. [$TUNNEL_TRACE_OUTPUT]
`--proxy-dns`	Run a DNS over HTTPS proxy server. (default: false) [$TUNNEL_DNS]
`--proxy-dns-port <value>`	Listen on given port for the DNS over HTTPS proxy server. (default: 53) [$TUNNEL_DNS_PORT]
`--proxy-dns-address <value>`	Listen address for the DNS over HTTPS proxy server. (default: "localhost") [$TUNNEL_DNS_ADDRESS]
`--proxy-dns-upstream <value...>`	Upstream endpoint URL, you can specify multiple endpoints for redundancy. (default: "https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query") (accepts multiple inputs) [$TUNNEL_DNS_UPSTREAM]
`--proxy-dns-max-upstream-conns <URL>`	Maximum concurrent connections to upstream. Setting to 0 means unlimited. (default: 5) [$TUNNEL_DNS_MAX_UPSTREAM_CONNS]
`--proxy-dns-bootstrap <value...>`	Bootstrap endpoint URL, you can specify multiple endpoints for redundancy. (default: "https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query") (accepts multiple inputs) [$TUNNEL_DNS_BOOTSTRAP]
`--credentials-file, --cred-file <value>`	Filepath at which to read/write the tunnel credentials [$TUNNEL_CRED_FILE]
`--region <value>`	Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region. [$TUNNEL_REGION]
`--hostname <value>`	Set a hostname on a Cloudflare zone to route traffic through this tunnel. [$TUNNEL_HOSTNAME]
`--lb-pool <value>`	The name of a (new/existing) load balancing pool to add this origin to. [$TUNNEL_LB_POOL]
`--metrics-update-freq <value>`	Frequency to update tunnel metrics (default: 5s) [$TUNNEL_METRICS_UPDATE_FREQ]
`--tag <KEY...>`	Custom tags used to identify this tunnel, in format KEY=VALUE. Multiple tags may be specified (accepts multiple inputs) [$TUNNEL_TAG]
`--retries <value>`	Maximum number of retries for connection/protocol errors. (default: 5) [$TUNNEL_RETRIES]
`--grace-period <value>`	When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received. (default: 30s) [$TUNNEL_GRACE_PERIOD]
`--compression-quality <value>`	(beta) Use cross-stream compression instead HTTP compression. 0-off, 1-low, 2-medium, >=3-high. (default: 0) [$TUNNEL_COMPRESSION_LEVEL]
`--name, -n <value>`	Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately [$TUNNEL_NAME]
`--ui`	Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys. (default: false)
`--overwrite-dns, -f`	Overwrites existing DNS records with this hostname (default: false) [$TUNNEL_FORCE_PROVISIONING_DNS]