Command-line Arguments

Tunnel command

All tunnel-related commands are prefixed with ‘tunnel’. For example:

cloudflared tunnel --url localhost:5555 --hostname


Syntax: --config value

Default: ~/.cloudflared/config.yml

Specifies a config file in YAML format.


Syntax: --url URL

Default: http://localhost:8080

Environment variable: TUNNEL_URL

Connect to the local webserver at URL.


Syntax: --hostname value

Environment variable: TUNNEL_HOSTNAME

Set a hostname on a Cloudflare zone to route traffic through this tunnel.


Syntax : --lb-pool POOL_NAME

Add this tunnel to a Load Balancer pool. If it doesn’t already exist a load balancer will be created for the hostname of your tunnel, and a pool will be created with the pool name you specify. Traffic destined to that pool will be load balanced across this tunnel and any other tunnels which share its pool name.


Syntax: --autoupdate-freq duration

Default: 24h

Autoupdate frequency. See also –no-autoupdate


Syntax: --no-autoupdate

Default: false

Disable periodic check for updates, restarting the server with the new version. See also –autoupdate-freq

Restarts are performed by spawning a new process that connects to the Cloudflare edge. On successful connection, the old process will gracefully shut down after handling all outstanding requests.


Syntax: --origincert value

Default: ~/.cloudflared/cert.pem

Environment variable: TUNNEL_ORIGIN_CERT

Specifies the Tunnel certificate for one of your zones, authorizing the client to serve as an origin for that zone. A certificate is required to use Argo Tunnel. You can obtain a certificate by using the login command or by visiting


Syntax: --no-tls-verify

Default: false

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

The connection from your machine to Cloudflare’s Edge is still encrypted and verified using TLS.


Syntax: --origin-ca-pool value

Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.


Syntax: --origin-server-name value

Environment variable: TUNNEL_ORIGIN_SERVER_NAME

Hostname that cloudflared should expect from your origin server certificate.


Syntax: --metrics value

Default: localhost:

Environment variable: TUNNEL_METRICS

Address to query for usage metrics.


Syntax: --metrics-update-freq duration

Default: 5s

Environment variable: TUNNEL_METRICS_UPDATE_FREQ

Frequency to update tunnel metrics.


Syntax: --tag KEY=VALUE

Environment variable: TUNNEL_TAG

Custom tags used to identify this tunnel, in format KEY=VALUE. Multiple tags may be specified by delimiting them with commas e.g. KEY1=VALUE1,KEY2=VALUE2.


Syntax: --loglevel (panic|fatal|error|warn|info|debug)

Default: info

Environment variable: TUNNEL_LOGLEVEL

Specifies the verbosity of logging. The default “info” is not noisy, but you may wish to run with “warn” in production.


Syntax: --proto-loglevel (panic|fatal|error|warn|info|debug)

Default: warn

Environment variable: TUNNEL_PROTO_LOGLEVEL

Specifies the verbosity of the HTTP/2 protocol logging. Any value below ‘warn’ is noisy and should only be used to debug low-level performance issues and protocol quirks.


Syntax: --retries value

Default: 5

Environment variable: TUNNEL_RETRIES

Maximum number of retries for connection/protocol errors. Retries use exponential backoff (retrying at 1, 2, 4, 8, 16 seconds by default) so increasing this value significantly is not recommended.


Syntax: --no-chunked-encoding

Default: false

Disables chunked transfer encoding; useful if you are running a WSGI server.


Syntax: --hello-world

Environment variable: TUNNEL_HELLO_WORLD

Use the established tunnel to expose a ‘Hello world’ HTTP server for testing Argo Tunnel. Mutually exclusive with the --url argument.


Syntax: --pidfile value

Environment variable: TUNNEL_PIDFILE

Write the application’s PID to this file after first successful connection. Mainly useful for scripting and service integration.


Syntax: --logfile value

Environment variable: TUNNEL_LOGFILE

Save application log to this file. Mainly useful for reporting issues.


Syntax: --proxy-connect-timeout value

Default: 30s

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by –proxy-tls-timeout.


Syntax: --proxy-tls-timeout value

Default: 10s

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.


Syntax: --proxy-tcp-keepalive value

Default: 30s

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.


Syntax: --proxy-no-happy-eyeballs

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.


Syntax: --proxy-keepalive-connections value

Default: 100

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.


Syntax: --proxy-keepalive-timeout value

Default: 1m30s

Timeout after which an idle keepalive connection can be discarded.


Syntax: --help

Shows help text.


Syntax: --version

Prints the version number and build date.

Login command

cloudflared tunnel login

Opens a special section of the Cloudflare dashboard for obtaining a Tunnel certificate.

It should open your browser automatically and prompt you to log in to your Cloudflare account (unless you previously logged in with ‘remember me’ selected). If running cloudflared on a server, you will be given an URL that you can visit on another machine.

After logging in, a list of your zones will appear. Select the zone you want to use Argo Tunnel with. After confirming your authorization, the certificate should be sent to the Tunnel client and saved to .cloudflared/cert.pem in your user folder. If this process fails for any reason, the certificate will instead be downloaded by your browser and you will have to copy the file manually to that location.

You can also obtain a Tunnel certificate independently of this command by visiting

Service command

cloudflared service install cloudflared service uninstall

Install or uninstall cloudflared as a system service. The details of service installation depend on the OS you are using. See Automatically starting Argo Tunnel for more information.

Update command

cloudflared update

Looks for a new version on the offical download server. If a new version exists, updates the agent binary and quits. Otherwise, does nothing.

To determine if an update happened in a script, check for error code 64.