
Configuring Origins via Ingress Rules

cloudflared proxies incoming traffic to one or more services running locally on your origin. You can configure how cloudflared sends requests to these services by setting keys under originRequest in your config file, either at the root level or on an individual ingress rule. For example, to set a 30-second connection timeout for all origins except one:

```yaml
originRequest: # Root-level configuration
  connectTimeout: 30s
ingress:
  # This service inherits all configuration from the root-level config, i.e.
  # it will use a connectTimeout of 30 seconds.
  - hostname: example.com
    service: localhost:8000
  - hostname: example2.com
    service: localhost:8001
  # This service overrides some root-level config.
  - service: localhost:8002
    originRequest:
      connectTimeout: 10s
      disableChunkedEncoding: true
```

You can validate and test your ingress rules using cloudflared.
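The inheritance described above also applies to the TLS keys documented below: a noTLSVerify set at the root level reaches every rule that does not override it. The following added example (not part of cloudflared or of the original page) resolves the effective settings per rule and lists HTTPS services that would accept any origin certificate. The function names, the sample service URLs, CA path and server name are assumptions made for illustration, the config is given as an already-parsed dict, and the duration parser only handles the h/m/s forms used on this page.

```python
import re

# Defaults as listed on this page.
DEFAULTS = {
    "connectTimeout": "30s", "tlsTimeout": "10s", "tcpKeepAlive": "30s",
    "noHappyEyeballs": False, "keepAliveConnections": 100,
    "keepAliveTimeout": "1m30s", "httpHostHeader": "", "originServerName": "",
    "caPool": "", "noTLSVerify": False, "disableChunkedEncoding": False,
    "proxyAddress": "127.0.0.1", "proxyPort": 0, "proxyType": "",
}
DURATIONS = ("connectTimeout", "tlsTimeout", "tcpKeepAlive", "keepAliveTimeout")
UNITS = {"h": 3600, "m": 60, "s": 1}

def seconds(value):
    """Convert a duration string such as '30s' or '1m30s' to seconds."""
    if not re.fullmatch(r"(\d+[hms])+", value):
        raise ValueError(f"bad duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([hms])", value))

def effective(config):
    """Per ingress rule: page defaults < root originRequest < rule originRequest."""
    root = config.get("originRequest", {})
    resolved = []
    for rule in config["ingress"]:
        merged = {**DEFAULTS, **root, **rule.get("originRequest", {})}
        unknown = sorted(set(merged) - set(DEFAULTS))
        if unknown:  # catches misspelled keys such as "noTlsVerify"
            raise ValueError(f"unknown originRequest keys: {unknown}")
        for key in DURATIONS:
            merged[key] = seconds(merged[key])
        resolved.append({"service": rule["service"], **merged})
    return resolved

def unverified_tls(config):
    """HTTPS services whose effective settings accept any origin certificate."""
    return [r["service"] for r in effective(config)
            if r["service"].startswith("https://") and r["noTLSVerify"]]

# Constructed sample: noTLSVerify at the root is inherited unless a rule overrides it.
SAMPLE = {
    "originRequest": {"connectTimeout": "30s", "noTLSVerify": True},
    "ingress": [
        {"hostname": "example.com", "service": "https://localhost:8443"},
        {"hostname": "example2.com", "service": "https://localhost:8444",
         "originRequest": {"noTLSVerify": False, "caPool": "/etc/ssl/origin-ca.pem",
                           "originServerName": "origin.internal"}},
        {"service": "http://localhost:8002", "originRequest": {"connectTimeout": "10s"}},
    ],
}
```

Calling `unverified_tls(SAMPLE)` reports only the first rule: the second overrides the root setting and pins its own CA, and the third is plain HTTP.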

You can use the following YAML keys to configure how cloudflared communicates with each local service:

connectTimeout

Default: 30s

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

tlsTimeout

Default: 10s

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

tcpKeepAlive

Default: 30s

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

noHappyEyeballs

Default: false

Disable the "happy eyeballs" algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

keepAliveConnections

Default: 100

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keepAliveTimeout

Default: 1m30s

Timeout after which an idle keepalive connection can be discarded.

httpHostHeader

Default: ""

Sets the HTTP Host header on requests sent to the local service.

originServerName

Default: ""

Hostname that cloudflared should expect from your origin server certificate.

caPool

Default: ""

Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

noTLSVerify

Default: false

Disables TLS verification of the certificate presented by your origin. When set, cloudflared accepts any certificate from the origin.

disableChunkedEncoding

Default: false

Disables chunked transfer encoding. Useful if you are running a WSGI server.

proxyAddress

Default: 127.0.0.1

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying e.g. SSH or RDP. This configures the listen address for that proxy.

proxyPort

Default: 0

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying e.g. SSH or RDP. This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen.

proxyType

Default: ""

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying e.g. SSH or RDP. This configures what type of proxy will be started. Valid options are