To start using Argo Tunnel, a super administrator in the Cloudflare account must first log in through
The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components:
Those three components are bundled into a single PEM file that is downloaded one time
during that login flow. The host certificate is valid for the root domain and any subdomain
one-level deep. Cloudflare uses that certificate file to authenticate
create DNS records for your domain in Cloudflare.
The third componenent, the token, consists of the zone ID (for the selected domain) and
an API token scoped to the user who first authenticated with the login command. When user
permissions change (if that user is removed from the account or becomes an admin of another
account, for example), Cloudflare rolls the user’s API key. However, the certificate file
cloudflared retains the older API key and can cause authentication
failures. The user will need to login once more through
cloudflared to regenerate the
certificate. Alternatively, the administrator can create a dedicated service user to authenticate.
No. Argo Tunnel will only create DNS records for subdomains.
Argo Tunnel has full support for Websockets.
Cloudflare offers two modes of setup: Full Setup, in which the domain uses Cloudflare DNS name servers, and Partial Setup (also known as CNAME setup) in which the domain uses non-Cloudflare DNS servers.
The best experience with Argo Tunnel is using Full Setup because Cloudflare manages DNS for the domain and can automatically configure DNS records for newly started Tunnels.
You can still use Tunnel with Partial Setup. You will need to create a new DNS record with your current DNS provider for each new hostname connected through Argo Tunnel. The DNS record should be of type CNAME or ALIAS if it is on the root of the domain. The name of the record should be the subdomain it corresponds to (e.g. example.com or tunnel.example.com) and the value of the record should be subdomain.domain.tld.cdn.cloudflare.net. (e.g. example.com.cdn.cloudflare.net or tunnel.example.com.cdn.cloudflare.net)
Tunnel deletes DNS records after 24-48 hours of being unregistered. Tunnel does not delete TLS certificates on your behalf once the tunnel is shut down. If you want to clean up a tunnel you’ve shut down, you can delete DNS records in the DNS editor and revoke TLS certificates in the Origin Certificates section of the crypto tab of the Cloudflare dashboard.
Audit Logs for Tunnel are available in the account section of the Cloudflare dashboard which you can find by clicking on your name or email in the upper right-hand corner of the dashboard. The following actions are logged:
|Registered||This is logged when Tunnel is started and connects to the Cloudflare edge.|
|Unregistered||This is logged when Tunnel is disconnected from the Cloudflare edge.|
|CNAME add||This is logged when Tunnel registers a new DNS (CNAME) record for the tunneled application.|
Tunnel can expose web applications to the internet that sit behind a NAT or firewall. Thus, you can keep your web server otherwise completely locked down. To double check that your origin web server is not responding to requests outside Cloudflare while Tunnel is running you can run netcat in the command line:
netcat -zv [your-server’s-ip-address] 80 netcat -zv [your-server’s-ip-address] 443
If your server is still responding on those ports, you will see:
[ip-address] 80 (http) open
If your server is correctly locked down, you will see:
[ip-address] 443 (https): Connection refused
Argo Tunnel was previously named Warp during the beta phase. As Warp was added to the Argo product family, we changed the name to match.
Argo Tunnel allows a maximum number of 1000 concurrently running tunnels per account.