
Configurations

Get configuration
client.zeroTrust.tunnels.cloudflared.configurations.get(tunnelId: string, params: ConfigurationGetParams { account_id }, options?: RequestOptions): ConfigurationGetResponse { account_id, config, created_at, 3 more }
GET /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations
Put configuration
client.zeroTrust.tunnels.cloudflared.configurations.update(tunnelId: string, params: ConfigurationUpdateParams { account_id, config }, options?: RequestOptions): ConfigurationUpdateResponse { account_id, config, created_at, 3 more }
PUT /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations
Models
ConfigurationGetResponse { account_id, config, created_at, 3 more }

Cloudflare Tunnel configuration

account_id?: string

Identifier.

maxLength: 32
config?: Config { ingress, originRequest }

The tunnel configuration and ingress rules.

ingress?: Array<Ingress>

List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.

hostname: string

Public hostname for this service.

service: string

Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively, the rule can return an HTTP status code with http_status:[code], e.g. ‘http_status:404’.

originRequest?: OriginRequest { access, caPool, connectTimeout, 12 more }

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access?: Access { audTag, teamName, required }

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

audTag: Array<string>

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

teamName: string
required?: boolean

Deny traffic that has not fulfilled Access authorization.

caPool?: string

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connectTimeout?: number

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disableChunkedEncoding?: boolean

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2Origin?: boolean

Attempt to connect to origin using HTTP2. Origin must be configured as https.

httpHostHeader?: string

Sets the HTTP Host header on requests sent to the local service.

keepAliveConnections?: number

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout?: number

Timeout after which an idle keepalive connection can be discarded.

matchSNItoHost?: boolean

Auto configure the Hostname on the origin server certificate.

noHappyEyeballs?: boolean

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

noTLSVerify?: boolean

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

originServerName?: string

Hostname that cloudflared should expect from your origin server certificate.

proxyType?: string

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcpKeepAlive?: number

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tlsTimeout?: number

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

path?: string

Requests with this path route to this public hostname.

originRequest?: OriginRequest { access, caPool, connectTimeout, 12 more }

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access?: Access { audTag, teamName, required }

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

audTag: Array<string>

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

teamName: string
required?: boolean

Deny traffic that has not fulfilled Access authorization.

caPool?: string

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connectTimeout?: number

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disableChunkedEncoding?: boolean

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2Origin?: boolean

Attempt to connect to origin using HTTP2. Origin must be configured as https.

httpHostHeader?: string

Sets the HTTP Host header on requests sent to the local service.

keepAliveConnections?: number

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout?: number

Timeout after which an idle keepalive connection can be discarded.

matchSNItoHost?: boolean

Auto configure the Hostname on the origin server certificate.

noHappyEyeballs?: boolean

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

noTLSVerify?: boolean

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

originServerName?: string

Hostname that cloudflared should expect from your origin server certificate.

proxyType?: string

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcpKeepAlive?: number

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tlsTimeout?: number

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

created_at?: string
format: date-time
source?: "local" | "cloudflare"

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel’s configuration on the Zero Trust dashboard.

One of the following:
"local"
"cloudflare"
tunnel_id?: string

UUID of the tunnel.

format: uuid
maxLength: 36
version?: number

The version of the Tunnel Configuration.
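
The following audit is an added example, not part of the Cloudflare SDK or this reference. It walks the `config` of a ConfigurationGetResponse and reports hostnames where `noTLSVerify` is on or `access.required` is not enforced. The interfaces, the `auditTunnelConfig` helper, the finding names and the sample config are constructed for illustration, and the per-field override of config-level `originRequest` by the per-hostname one is an assumption.

```typescript
// Minimal shapes mirroring fields documented on this page (not the SDK's own types).
interface Access { audTag: string[]; teamName: string; required?: boolean }
interface OriginRequest { access?: Access; noTLSVerify?: boolean; originServerName?: string }
interface Ingress { hostname: string; service: string; path?: string; originRequest?: OriginRequest }
interface Config { ingress?: Ingress[]; originRequest?: OriginRequest }
interface Finding { hostname: string; rule: string; detail: string }

function auditTunnelConfig(config: Config): Finding[] {
  const findings: Finding[] = [];
  for (const rule of config.ingress ?? []) {
    // http_status:[code] rules answer directly and never reach an origin.
    if (rule.service.startsWith("http_status:")) continue;
    // Assumption: per-hostname originRequest overrides the config-level one field by field.
    const eff: OriginRequest = { ...config.originRequest, ...rule.originRequest };
    const host = rule.hostname || "(catch-all)";
    // noTLSVerify only matters when the origin connection uses TLS.
    const tlsOrigin = /^(https|unix\+tls):\/\//.test(rule.service);
    if (tlsOrigin && eff.noTLSVerify === true) {
      findings.push({ hostname: host, rule: "tls-verify-disabled",
        detail: `any certificate presented by ${rule.service} is accepted` });
    }
    // Audit policy of this example: every origin-backed hostname must require Access.
    const access = eff.access;
    const enforced = access !== undefined && access.required === true && access.audTag.length > 0;
    if (!enforced) {
      findings.push({ hostname: host, rule: "access-not-enforced",
        detail: "cloudflared does not deny requests lacking Access authorization" });
    }
  }
  return findings;
}

// Constructed sample config (hostnames, addresses and tags are made up).
const sampleConfig: Config = {
  originRequest: { noTLSVerify: true },
  ingress: [
    { hostname: "app.example.com", service: "https://10.0.0.5:8443" },
    { hostname: "admin.example.com", service: "https://localhost:9443",
      originRequest: { noTLSVerify: false, originServerName: "admin.internal",
        access: { required: true, teamName: "example-team", audTag: ["constructed-aud-tag"] } } },
    { hostname: "", service: "http_status:404" },
  ],
};

for (const f of auditTunnelConfig(sampleConfig)) {
  console.log(`${f.hostname}: ${f.rule} (${f.detail})`);
}
```
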

ConfigurationUpdateResponse { account_id, config, created_at, 3 more }

Cloudflare Tunnel configuration

account_id?: string

Identifier.

maxLength: 32
config?: Config { ingress, originRequest }

The tunnel configuration and ingress rules.

ingress?: Array<Ingress>

List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.

hostname: string

Public hostname for this service.

service: string

Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively, the rule can return an HTTP status code with http_status:[code], e.g. ‘http_status:404’.

originRequest?: OriginRequest { access, caPool, connectTimeout, 12 more }

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access?: Access { audTag, teamName, required }

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

audTag: Array<string>

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

teamName: string
required?: boolean

Deny traffic that has not fulfilled Access authorization.

caPool?: string

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connectTimeout?: number

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disableChunkedEncoding?: boolean

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2Origin?: boolean

Attempt to connect to origin using HTTP2. Origin must be configured as https.

httpHostHeader?: string

Sets the HTTP Host header on requests sent to the local service.

keepAliveConnections?: number

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout?: number

Timeout after which an idle keepalive connection can be discarded.

matchSNItoHost?: boolean

Auto configure the Hostname on the origin server certificate.

noHappyEyeballs?: boolean

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

noTLSVerify?: boolean

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

originServerName?: string

Hostname that cloudflared should expect from your origin server certificate.

proxyType?: string

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcpKeepAlive?: number

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tlsTimeout?: number

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

path?: string

Requests with this path route to this public hostname.

originRequest?: OriginRequest { access, caPool, connectTimeout, 12 more }

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access?: Access { audTag, teamName, required }

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

audTag: Array<string>

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

teamName: string
required?: boolean

Deny traffic that has not fulfilled Access authorization.

caPool?: string

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connectTimeout?: number

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disableChunkedEncoding?: boolean

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2Origin?: boolean

Attempt to connect to origin using HTTP2. Origin must be configured as https.

httpHostHeader?: string

Sets the HTTP Host header on requests sent to the local service.

keepAliveConnections?: number

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout?: number

Timeout after which an idle keepalive connection can be discarded.

matchSNItoHost?: boolean

Auto configure the Hostname on the origin server certificate.

noHappyEyeballs?: boolean

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

noTLSVerify?: boolean

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

originServerName?: string

Hostname that cloudflared should expect from your origin server certificate.

proxyType?: string

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcpKeepAlive?: number

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tlsTimeout?: number

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

created_at?: string
format: date-time
source?: "local" | "cloudflare"

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel’s configuration on the Zero Trust dashboard.

One of the following:
"local"
"cloudflare"
tunnel_id?: string

UUID of the tunnel.

format: uuid
maxLength: 36
version?: number

The version of the Tunnel Configuration.