Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

Legacy: configuring origins via CLI

cloudflared proxies traffic to local services running on your origin. You can configure the exact properties of each origin by adding stanzas to the Ingress Rules. However, if you only want to proxy traffic to a single local service, you can use CLI flags instead of YAML to configure that service.


SyntaxDefaultEnvironment Variable
--url URLhttp://localhost:8080TUNNEL_URL

Connects to the local webserver at URL.


SyntaxEnvironment Variable
--hostname valueTUNNEL_HOSTNAME

Sets a hostname on a Cloudflare zone to route traffic through this tunnel.


--lb-pool POOL_NAME

Add this tunnel to a Load Balancer pool. If it doesn’t already exist a load balancer will be created for the hostname of your tunnel, and a pool will be created with the pool name you specify. Traffic destined to that pool will be load balanced across this tunnel and any other tunnels which share its pool name.


--origin-ca-pool value

Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.


SyntaxEnvironment Variable
--origin-server-name valueTUNNEL_ORIGIN_SERVER_NAME



Disables chunked transfer encoding; useful if you are running a WSGI server.


SyntaxEnvironment Variable

Use the established tunnel to expose a Hello world HTTP server for testing Cloudflare Tunnel. Mutually exclusive with the --url argument.


--proxy-connect-timeout value30s

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by --proxy-tls-timeout.


--proxy-tls-timeout value10s

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.


--proxy-tcp-keepalive value30s

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.



Disable the "happy eyeballs" algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.


--proxy-keepalive-connections value100

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.


--proxy-keepalive-timeout value1m30s

Timeout after which an idle keepalive connection can be discarded.



See this tutorial on connecting through Cloudflare Access using kubectl for example usage.