Cloudflare Tunnel runs a lightweight () in your infrastructure that establishes outbound connections (Tunnels) between your service and the Cloudflare edge. When Cloudflare receives a request for your chosen hostname, it proxies the request through those connections to
cloudflared. In turn,
cloudflared proxies the request to your applications.
This forces any requests to access your applications to go through Cloudflare. This way, you can be sure attack traffic is stopped with Cloudflare’s WAF and Unmetered DDoS mitigation, and authenticated with Access if you’ve enabled those features for your account.
In order to create and manage Tunnels, you'll first need to:
cloudflared has been installed and authenticated, the process to get your first Tunnel up and running includes 3 high-level steps:
Steps 1-2 are executed once per Tunnel, normally by an administrator, and Step 3 is executed whenever the Tunnel is to be started, normally by the owner of the Tunnel (whom may be different from the administrator).
Traffic encryption between Cloudflare Tunnel and HTTPs origin servers
cloudflared performs its own SSL termination that is distinct from the origin.
The data in transit between the Cloudflare network and the instance of
cloudflared is encrypted according to the stages below:
cloudflared to Cloudflare
cloudflaredreaches out to the Cloudflare network, the daemon validates a TLS server name for
- The certificate is issued from a Cloudflare-managed root CA.
cloudflared to origin
cloudflaredtrusts the system's certificate pool. If you need to add an additional CA, you can do so by setting the
- On Windows systems, the system certificate pool is not supported by the Go standard library used by
cloudflared. As a result, Windows users will always need to set the
cloudflareduses the Go HTTP client to connect to the origin. The daemon connects to the URL specified with the
--urlflag, which determines the TLS server name.
- When the Cloudflare network proxies a request through
cloudflaredto the origin,
cloudflaredconverts this stream to an HTTP/1.1 .
cloudflaredthen issues the request and an HTTP/1.1 response from the origin, in plaintext, which is encrypted and sent back to the Cloudflare network.