Argo Tunnel offers an easy way to expose web servers securely to the internet, without opening up firewall ports and configuring ACLs. Argo Tunnel also ensures requests route through Cloudflare before reaching the web server so you can be sure attack traffic is stopped with Cloudflare’s WAF and Unmetered DDoS mitigation and authenticated with Access if you’ve enabled those features for your account.
To use Argo Tunnel, you install and run a daemon on the web server that creates a persistent connection out to Cloudflare. Once configured, people often lock the web server down to external requests and only allow connections from Cloudflare over that persistent connection to make contact with the server.
Argo Tunnel is free with the purchase of Argo Smart Routing. Argo Smart Routing can be purchased in the Cloudflare dashboard and costs $5/month plus 10 cents per GB.
Argo Tunnel uses Argo Smart Routing technology to route traffic over the fastest path within the Cloudflare network between the user and the data centers closest to your origin.
If it’s your first time using Argo, navigate to the Traffic tab of the Cloudflare dashboard, click the ‘Enable’ button, and follow the steps on the screen for setting up usage-based billing.
Enterprise customers who have enabled Argo will need to contact their Cloudflare representative to have Smart Routing enabled for their account as it is necessary for Argo Tunnel to work.
cloudflared is the software that runs Argo Tunnel.
Once installed, verify
cloudflared has installed properly by checking the version.
$ cloudflared --version cloudflared version 2018.0.0 (built 2018-06-05-2106 UTC)
Not working? If you installed a .deb or .rpm package (Linux) or used Homebrew (macOS) it should be in your
PATH; otherwise, change to the directory where you extracted
The first thing you will need to do is login to your Cloudflare account from
Run the following command and a login page should open in your browser:
$ cloudflared tunnel login A browser window should have opened at the following URL: https://www.cloudflare.com/a/warp?callback=https%3A%2F%2Flogin.cloudflarewarp.com%2FA5XXPKA6S5N5YWMTOXRKVWPRPE7BHG3MFRCDZES7UBZU7SWQFF4KA4PWMGL5GXJ
If the browser fails to open automatically, copy and paste the URL into your browser’s address bar and press enter.
Once you login, you will see a list of domains associated with your account. Locate the domain you wish to connect a tunnel to and click its name in the table row. Once you select the domain, Cloudflare will issue a certificate which will be downloaded automatically by your browser. This certificate will be used to authenticate your machine to the Cloudflare edge. Using a certificate is more secure than using your username and password since you can revoke it at any time.
Copy and paste the following command to move the certificate to the
.cloudflared directory on your system.
$ mv cert.pem ~/.cloudflared/cert.pem
Argo Tunnel runs a virtual, encrypted tunnel from a locally running web server to the Cloudflare edge. If you do not have a web server running locally and want to try out Tunnel, you can try out the hello world installation with the built-in web server. Just pass the flag –hello-world and replace [hostname] with a hostname in your Cloudflare account. Because Tunnel automatically creates DNS records for you, you can choose a subdomain that doesn’t yet have anything running or configured.
$ cloudflared tunnel --hostname [hostname] --hello-world INFO Proxying tunnel requests to https://127.0.0.1:62633 INFO Starting Hello World server at 127.0.0.1:62633 INFO Starting metrics server addr="127.0.0.1:62634" INFO Connected to LAX INFO Connected to SFO INFO Connected to LAX INFO Connected to SFO
Above, you can see Tunnel establishes four long-lived connections between the two closest data centers, which in this case happened to be SFO and SJC. You know the tunnel is ready when you see the message
Connected to ….
Argo Tunnel has just created a connection out from your machine to the Cloudflare edge!
If you go visit the domain name at which you created the tunnel (e.g. tunnel.example.com) you will see the request logs directly in the cloudflared output. We call this Tunnel Vision.
INFO GET https://127.0.0.1:62627/ HTTP/1.1 CF-RAY=4067701b598e8184-LAX INFO 200 OK CF-RAY=4067701b598e8184-LAX
If you’re ready to spin up a real tunnel, read on.
With your credentials saved to disk, you can now start Argo Tunnel. Replace [hostname] with the hostname you want associated with your server; this must be the domain or subdomain of a zone added to your Cloudflare account.
The localhost address should point to a locally running web server.
$ cloudflared tunnel --hostname [hostname] http://localhost:8000 INFO Proxying tunnel requests to https://127.0.0.1:8000 INFO Starting metrics server addr="127.0.0.1:62634" INFO Connected to LAX INFO Connected to LAX INFO Connected to SFO INFO Connected to SFO
A successful connection gives you the last line
If you get the error: ‘Server error: Fail to update CNAME’ it is because there is already a DNS A/AAAA record existing at that hostname. You should either first delete the existing A/AAAA records or create a tunnel on a brand new hostname.
Open a web browser and type in your hostname. Access to the tunnel is permitted over both HTTP and HTTPS, though you can easily redirect all HTTP traffic to HTTPS with Cloudflare.
If the connection succeeds, you should see content served from your local webserver—or if you used the built-in Hello World server, you will see a message like this:
If you just want to expose your local development environment to share with other people, this is probably all you need to know. For a production environment you probably want to learn more:
If you have any ideas, run into odd behaviors, or want to share what you’re building with Argo Tunnel, the dev team is following the feedback forum here.