Configurations

Get configuration
GET /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations
Put configuration
PUT /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations
Models
ConfigurationGetResponse { account_id, config, created_at, 3 more }

Cloudflare Tunnel configuration

account_id: optional string

Identifier.

maxLength: 32
config: optional { ingress, originRequest }

The tunnel configuration and ingress rules.

ingress: optional array of { hostname, service, originRequest, path }

List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.

hostname: string

Public hostname for this service.

service: string

Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively, the rule can return an HTTP status code with http_status:[code], e.g. ‘http_status:404’.

originRequest: optional { access, caPool, connectTimeout, 12 more }

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access: optional { audTag, teamName, required }

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

audTag: array of string

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

teamName: string

required: optional boolean

Deny traffic that has not fulfilled Access authorization.

caPool: optional string

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connectTimeout: optional number

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disableChunkedEncoding: optional boolean

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2Origin: optional boolean

Attempt to connect to origin using HTTP2. Origin must be configured as https.

httpHostHeader: optional string

Sets the HTTP Host header on requests sent to the local service.

keepAliveConnections: optional number

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout: optional number

Timeout after which an idle keepalive connection can be discarded.

matchSNItoHost: optional boolean

Auto configure the Hostname on the origin server certificate.

noHappyEyeballs: optional boolean

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

noTLSVerify: optional boolean

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

originServerName: optional string

Hostname that cloudflared should expect from your origin server certificate.

proxyType: optional string

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcpKeepAlive: optional number

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tlsTimeout: optional number

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

path: optional string

Requests with this path route to this public hostname.

originRequest: optional { access, caPool, connectTimeout, 12 more }

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access: optional { audTag, teamName, required }

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

audTag: array of string

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

teamName: string

required: optional boolean

Deny traffic that has not fulfilled Access authorization.

caPool: optional string

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connectTimeout: optional number

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disableChunkedEncoding: optional boolean

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2Origin: optional boolean

Attempt to connect to origin using HTTP2. Origin must be configured as https.

httpHostHeader: optional string

Sets the HTTP Host header on requests sent to the local service.

keepAliveConnections: optional number

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout: optional number

Timeout after which an idle keepalive connection can be discarded.

matchSNItoHost: optional boolean

Auto configure the Hostname on the origin server certificate.

noHappyEyeballs: optional boolean

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

noTLSVerify: optional boolean

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

originServerName: optional string

Hostname that cloudflared should expect from your origin server certificate.

proxyType: optional string

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcpKeepAlive: optional number

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tlsTimeout: optional number

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

created_at: optional string
format: date-time
source: optional "local" or "cloudflare"

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel’s configuration on the Zero Trust dashboard.

One of the following:
"local"
"cloudflare"
tunnel_id: optional string

UUID of the tunnel.

format: uuid
maxLength: 36
version: optional number

The version of the Tunnel Configuration.
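
An added example, not part of Cloudflare's documentation: a Python audit over an object shaped like the ConfigurationGetResponse model above, flagging HTTPS ingress rules where noTLSVerify is in effect and HTTP(S) rules where access.required is not true or audTag is empty. It assumes a rule's originRequest overrides the config-level originRequest key by key; the function names and all sample values are constructed.

```python
# Added example: audit a ConfigurationGetResponse-shaped object.
# Constructed sample; every hostname and tag below is a placeholder.
SAMPLE = {
    "source": "cloudflare",
    "config": {
        "originRequest": {"noTLSVerify": True, "connectTimeout": 10},
        "ingress": [
            {"hostname": "app.example.com", "service": "https://localhost:8443",
             "originRequest": {"access": {"required": True, "teamName": "example",
                                          "audTag": ["constructed-aud-tag"]}}},
            {"hostname": "admin.example.com", "service": "https://localhost:9443",
             "originRequest": {"noTLSVerify": False,
                               "access": {"required": False, "teamName": "example",
                                          "audTag": ["constructed-aud-tag"]}}},
            {"hostname": "api.example.com", "service": "http://localhost:8080",
             "originRequest": {"access": {"required": True, "teamName": "example",
                                          "audTag": []}}},
            {"hostname": "retired.example.com", "service": "http_status:404"},
        ],
    },
}


def effective_origin_request(config, rule):
    # Assumption: per-rule originRequest keys override the config-level ones.
    merged = dict(config.get("originRequest") or {})
    merged.update(rule.get("originRequest") or {})
    return merged


def audit_tunnel_config(response):
    """Return sorted (hostname, finding) pairs for HTTP(S) ingress rules."""
    config = response.get("config") or {}
    findings = []
    for rule in config.get("ingress") or []:
        service = rule.get("service", "")
        if not service.startswith(("http://", "https://")):
            continue  # http_status:* and non-HTTP services are out of scope here
        host = rule.get("hostname", "<no hostname>")
        origin = effective_origin_request(config, rule)
        access = origin.get("access") or {}
        if service.startswith("https://") and origin.get("noTLSVerify"):
            findings.append((host, "noTLSVerify accepts any origin certificate"))
        if not access.get("required"):
            findings.append((host, "access.required is not true"))
        elif not access.get("audTag"):
            findings.append((host, "access.required is true but audTag is empty"))
    return sorted(findings)
```

Calling `audit_tunnel_config(SAMPLE)` reports one finding per proxied hostname in the sample; the `http_status:404` rule is skipped because it never connects to an origin.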

ConfigurationUpdateResponse { account_id, config, created_at, 3 more }

Cloudflare Tunnel configuration

account_id: optional string

Identifier.

maxLength: 32
config: optional { ingress, originRequest }

The tunnel configuration and ingress rules.

ingress: optional array of { hostname, service, originRequest, path }

List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.

hostname: string

Public hostname for this service.

service: string

Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively, the rule can return an HTTP status code with http_status:[code], e.g. ‘http_status:404’.

originRequest: optional { access, caPool, connectTimeout, 12 more }

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access: optional { audTag, teamName, required }

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

audTag: array of string

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

teamName: string

required: optional boolean

Deny traffic that has not fulfilled Access authorization.

caPool: optional string

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connectTimeout: optional number

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disableChunkedEncoding: optional boolean

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2Origin: optional boolean

Attempt to connect to origin using HTTP2. Origin must be configured as https.

httpHostHeader: optional string

Sets the HTTP Host header on requests sent to the local service.

keepAliveConnections: optional number

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout: optional number

Timeout after which an idle keepalive connection can be discarded.

matchSNItoHost: optional boolean

Auto configure the Hostname on the origin server certificate.

noHappyEyeballs: optional boolean

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

noTLSVerify: optional boolean

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

originServerName: optional string

Hostname that cloudflared should expect from your origin server certificate.

proxyType: optional string

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcpKeepAlive: optional number

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tlsTimeout: optional number

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

path: optional string

Requests with this path route to this public hostname.

originRequest: optional { access, caPool, connectTimeout, 12 more }

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access: optional { audTag, teamName, required }

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

audTag: array of string

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

teamName: string

required: optional boolean

Deny traffic that has not fulfilled Access authorization.

caPool: optional string

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connectTimeout: optional number

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disableChunkedEncoding: optional boolean

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2Origin: optional boolean

Attempt to connect to origin using HTTP2. Origin must be configured as https.

httpHostHeader: optional string

Sets the HTTP Host header on requests sent to the local service.

keepAliveConnections: optional number

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout: optional number

Timeout after which an idle keepalive connection can be discarded.

matchSNItoHost: optional boolean

Auto configure the Hostname on the origin server certificate.

noHappyEyeballs: optional boolean

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

noTLSVerify: optional boolean

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

originServerName: optional string

Hostname that cloudflared should expect from your origin server certificate.

proxyType: optional string

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcpKeepAlive: optional number

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tlsTimeout: optional number

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

created_at: optional string
format: date-time
source: optional "local" or "cloudflare"

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel’s configuration on the Zero Trust dashboard.

One of the following:
"local"
"cloudflare"
tunnel_id: optional string

UUID of the tunnel.

format: uuid
maxLength: 36
version: optional number

The version of the Tunnel Configuration.