diff --git a/public/_redirects b/public/_redirects
index 07b10d48849d635..9fa638063d5e0cb 100644
--- a/public/_redirects
+++ b/public/_redirects
@@ -1700,7 +1700,7 @@
/cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
/cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301
/cloudflare-one/connections/connect-apps/install-and-setup/setup/ /cloudflare-one/connections/connect-networks/get-started/ 301
-/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas/ /cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/ 301
+/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/ 301
/cloudflare-one/connections/connect-apps/create-tunnel/ /cloudflare-one/connections/connect-networks/get-started/ 301
/cloudflare-one/connections/connect-apps/configuration/remote-management/ /cloudflare-one/connections/connect-networks/configure-tunnels/remote-management/ 301
/cloudflare-one/connections/connect-apps/run-tunnel/ /cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/ 301
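Review bot: Two unchanged rules in this hunk still point at paths that this commit turns into redirect sources, so old URLs now take two hops. `/connect-apps/configuration/remote-management/` targets `configure-tunnels/remote-management/` and `/connect-apps/run-tunnel/` targets `get-started/create-local-tunnel/`, and the hunk at 1761 redirects both of those again. The same pattern shows in unchanged targets under `configure-tunnels/local-management/`, `configure-tunnels/tunnel-run-parameters/`, `deploy-tunnels/system-requirements/` and `deploy-tunnels/deployment-guides/kubernetes/` in the hunks at 1719, 1736 and 1885. I would retarget each to its final destination, for example `/cloudflare-one/connections/connect-apps/run-tunnel/ /cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/ 301`. Rules outside the visible hunks may need the same pass.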
@@ -1719,8 +1719,8 @@
/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-commands/ /cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands/ 301
/cloudflare-one/connections/connect-apps/configuration/private-networks/ /cloudflare-one/connections/connect-networks/private-net/ 301
/cloudflare-one/connections/connect-apps/routing-to-tunnel/kubernetes/ /cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/kubernetes/ 301
-/cloudflare-one/connections/connect-apps/configuration/ports-and-ips/ /cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/ 301
-/cloudflare-one/connections/connect-apps/do-more-with-tunnels/ports-and-ips/ /cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/ 301
+/cloudflare-one/connections/connect-apps/configuration/ports-and-ips/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ 301
+/cloudflare-one/connections/connect-apps/do-more-with-tunnels/ports-and-ips/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ 301
/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare/ /cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/ 301
/cloudflare-one/connections/connect-apps/trycloudflare/ /cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/ 301
/cloudflare-one/connections/connect-apps/tunnel-monitoring/ /cloudflare-one/connections/connect-networks/monitor-tunnels/ 301
@@ -1736,13 +1736,13 @@
/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/local-management/arguments/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/ 301
/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/run-tunnel/ /cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/ 301
/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/tunnel-useful-commands/ /cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands/ 301
-/cloudflare-one/connections/connect-networks/install-and-setup/deploy-cloudflared-replicas/ /cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/ 301
+/cloudflare-one/connections/connect-networks/install-and-setup/deploy-cloudflared-replicas/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/ 301
/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-permissions/ /cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions/ 301
/cloudflare-one/connections/connect-networks/install-and-setup/installation /cloudflare-one/connections/connect-networks/downloads/update-cloudflared/ 307
/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-permissions/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301
-/cloudflare-one/connections/connect-networks/install-and-setup/ports-and-ips/ /cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/ 301
+/cloudflare-one/connections/connect-networks/install-and-setup/ports-and-ips/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ 301
/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-useful-terms/ /cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/ 301
-/cloudflare-one/connections/connect-networks/do-more-with-tunnels/secure-server/ /cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/ 301
+/cloudflare-one/connections/connect-networks/do-more-with-tunnels/secure-server/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ 301
/cloudflare-one/connections/connect-networks/do-more-with-tunnels/grafana/ /cloudflare-one/connections/connect-networks/monitor-tunnels/grafana/ 301
/cloudflare-one/connections/connect-networks/downloads/system-requirements/ /cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/ 301
/cloudflare-one/connections/connect-networks/private-net/connect-private-networks/ /cloudflare-one/connections/connect-networks/private-net/cloudflared/ 301
@@ -1761,6 +1761,14 @@
/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/ /cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/ 301
/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/ /cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/ 301
/cloudflare-one/connections/connect-networks/locations/ /cloudflare-one/connections/connect-devices/agentless/dns/locations/ 301
+/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/ /cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/ 301
+/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management/ /cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/ 301
+/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/ 301
+/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/ /cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/ 301
+/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements/ 301
+/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/ 301
+/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ 301
+/cloudflare-one/connections/connect-networks/deploy-tunnels/ /cloudflare-one/connections/connect-networks/get-started/ 301
/cloudflare-one/connections/connect-networks/monitor-tunnels/grafana/ /cloudflare-one/tutorials/grafana/ 301
/cloudflare-one/connections/connect-networks/use-cases/kubectl/ /cloudflare-one/tutorials/many-cfd-one-tunnel/ 301
/cloudflare-one/connections/connect-networks/use_cases/ssh/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301
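Review bot: The added rule for `configure-tunnels/remote-management/` sends every old link to `configure-tunnels/cloudflared-parameters/`, but the token sections from that page ("View the tunnel token", "Rotate a token without service disruption", and presumably "Rotate a compromised token") move to `remote-tunnel-permissions.mdx` in this commit. A redirect rule cannot match the URL fragment, so a saved link such as `.../remote-management/#rotate-a-compromised-token` lands on the parameters page, which as added here carries no pointer to the rotation steps. That is the page an operator reaches for when a token leaks, so I would add a line to `cloudflared-parameters/index.mdx` such as `To view or rotate the tunnel token, refer to [Tunnel permissions](/cloudflare-one/connections/connect-networks/configure-tunnels/remote-tunnel-permissions/).`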
@@ -1885,8 +1893,9 @@
# Cloudflare One / Zero Trust
/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/as-a-service/* /cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/:splat 301
-/cloudflare-one/connections/connect-apps/install-and-setup/deployment-guides/* /cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/:splat 301
-/cloudflare-one/connections/connect-networks/deployment-guides/* /cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/:splat 301
+/cloudflare-one/connections/connect-apps/install-and-setup/deployment-guides/* /cloudflare-one/connections/connect-networks/deployment-guides/:splat 301
+/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/* /cloudflare-one/connections/connect-networks/deployment-guides/:splat 301
+/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/* /cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/:splat 301
/cloudflare-one/analytics/logs/* /cloudflare-one/insights/logs/:splat 301
/cloudflare-one/applications/scan-apps/* /cloudflare-one/applications/casb/:splat 301
/cloudflare-one/connections/connect-apps/use_cases/* /cloudflare-one/connections/connect-networks/use-cases/:splat 301
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx
new file mode 100644
index 000000000000000..026c1fc2c39a35f
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx
@@ -0,0 +1,150 @@
+---
+pcx_content_type: how-to
+title: Configure cloudflared parameters
+sidebar:
+ order: 1
+---
+
+import { TabItem, Tabs, Render } from "~/components";
+
+Remotely-managed tunnels run as a service on your OS. You can modify the Cloudflare Tunnel service with one or more [general-purpose tunnel parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/).
+
+:::note
+For instructions on configuring a locally-managed tunnel, refer to the [configuration file documentation](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/).
+:::
+
+## Update tunnel run parameters
+
+
+
+On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl`. By default, the service will be named `cloudflared.service`. To configure your tunnel on Linux:
+
+1. Open `cloudflared.service`.
+
+ ```sh
+ sudo systemctl edit --full cloudflared.service
+ ```
+
+2. Modify the `cloudflared tunnel run` command with the desired configuration flag. For example,
+
+ ```txt null {8}
+ [Unit]
+ Description=Cloudflare Tunnel
+ After=network.target
+
+ [Service]
+ TimeoutStartSec=0
+ Type=notify
+ ExecStart=/usr/local/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token
+ Restart=on-failure
+ RestartSec=5s
+
+ [Install]
+ WantedBy=multi-user.target
+ ```
+
+3. Restart `cloudflared.service`:
+
+ ```sh
+ sudo systemctl restart cloudflared
+ ```
+
+4. To verify the new configuration, check the service status:
+
+ ```sh
+ sudo systemctl status cloudflared
+ ```
+ ```sh output
+ ● cloudflared.service - cloudflared
+ Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled)
+ Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago
+ Main PID: 2157 (cloudflared)
+ Tasks: 8 (limit: 1136)
+ Memory: 16.3M
+ CPU: 136ms
+ CGroup: /system.slice/cloudflared.service
+ └─2157 /usr/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi...
+ ```
+
+
+
+On macOS, Cloudflare Tunnel installs itself as a launch agent using `launchctl`. By default, the agent will be called `com.cloudflare.cloudflared`. To configure your tunnel on macOS:
+
+1. Stop the `cloudflared` service.
+
+ ```sh
+ sudo launchctl stop com.cloudflare.cloudflared
+ ```
+
+2. Unload the configuration file.
+
+ ```sh
+ sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
+ ```
+
+3. Open `/Library/LaunchDaemons/com.cloudflare.cloudflared.plist` in a text editor.
+
+4. Modify the `ProgramArguments` key with the desired configuration flag. For example,
+
+ ```txt
+
+
+ Label
+ com.cloudflare.cloudflared
+ ProgramArguments
+
+ /opt/homebrew/bin/cloudflared
+ tunnel
+ --logfile
+
+ --loglevel
+ debug
+ run
+ --token
+
+
+ ```
+
+5. Load the updated configuration file.
+
+ ```sh
+ sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
+ ```
+
+6. Start the `cloudflared` service.
+
+ ```sh
+ sudo launchctl start com.cloudflare.cloudflared
+ ```
+
+
+
+On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named `cloudflared`. To configure your tunnel on Windows:
+
+1. Open the Registry Editor.
+
+2. Go to **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Services** > **cloudflared**.
+
+3. Double-click **ImagePath**.
+
+4. Modify **Value data** with the desired configuration flag. For example,
+
+ ```txt
+ C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel debug --logfile run --token
+ ```
+
+
+
+
+
+
+## Update origin configuration
+
+To configure how `cloudflared` sends requests to your [public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) services:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
+2. Choose a tunnel and select **Configure**.
+3. Select the **Public Hostname** tab.
+4. Choose a route and select **Edit**.
+5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/).
+6. Select **Save hostname**.
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx
similarity index 85%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx
index 48793581bb75126..554fa22b40f6d32 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx
@@ -1,12 +1,12 @@
---
pcx_content_type: reference
-title: Origin configuration
+title: Origin configuration parameters
sidebar:
- order: 3
+ order: 9
---
-Origin configuration parameters determine how `cloudflared` proxies traffic to your origin server. You can configure these settings [in the dashboard](/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management/#update-origin-configuration) for remotely-managed tunnels, or add them to your [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/#origin-configuration) for locally-managed tunnels.
+Origin configuration parameters determine how `cloudflared` proxies traffic to your origin server. If you are using remotely-managed tunnels (default), configure these settings [using the dashboard or API](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/#update-origin-configuration). If you are using [locally-managed tunnels](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/), add these parameters to your [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/).
## TLS settings
@@ -111,7 +111,7 @@ This configures what type of proxy will be started. Valid options are:
:::note
-For locally-managed tunnels only.
+For locally-managed tunnels only.
:::
| Default | UI name |
@@ -125,7 +125,7 @@ This configures the listen address for that proxy.
:::note
-For locally-managed tunnels only.
+For locally-managed tunnels only.
:::
| Default | UI name |
@@ -173,7 +173,7 @@ The timeout after which a TCP keepalive packet is sent on a connection between C
Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname routes that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
-To enable this security control in a [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/#origin-configuration), [get the AUD tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`:
+To enable this security control in a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#origin-configuration), [get the AUD tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`:
```yml
access:
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters.mdx
similarity index 90%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters.mdx
index ccfcbbe8250c626..3c4be080486c41e 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters.mdx
@@ -6,7 +6,9 @@ sidebar:
---
-This page lists general-purpose configuration options for a Cloudflare Tunnel. You can add these flags to the `cloudflared tunnel run` command for [remotely-managed](/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management/) and [locally-managed](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/) tunnels. These flags can also be added as key/value pairs to your [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/).
+This page lists general-purpose configuration options that you can [add](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters) to the `cloudflared tunnel run` command.
+
+Alternatively, if you are running a [locally-managed tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/) you can add these flags to your [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/) as key/value pairs.
## `autoupdate-freq`
@@ -29,7 +31,7 @@ For locally-managed tunnels only.
| ------------------------------------------------------- | --------------------------- |
| `cloudflared tunnel --config run ` | `~/.cloudflared/config.yml` |
-Specifies the path to a [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/) in YAML format.
+Specifies the path to a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/) in YAML format.
## `edge-bind-address`
@@ -104,7 +106,7 @@ For locally-managed tunnels only.
| ----------------------------------------------------------- | ------------------------- | -------------------- |
| `cloudflared tunnel --origincert run ` | `~/.cloudflared/cert.pem` | `TUNNEL_ORIGIN_CERT` |
-Specifies the [account certificate](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions/) for one of your zones, authorizing the client to serve as an origin for that zone. You can obtain a certificate by using the `cloudflared tunnel login` command or by visiting `https://dash.cloudflare.com/argotunnel`.
+Specifies the [account certificate](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/tunnel-permissions/) for one of your zones, authorizing the client to serve as an origin for that zone. You can obtain a certificate by using the `cloudflared tunnel login` command or by visiting `https://dash.cloudflare.com/argotunnel`.
## `pidfile`
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/index.mdx
index 397f89dbdfde0bf..2625e47e1f05eec 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/index.mdx
@@ -3,9 +3,6 @@ title: Configure a tunnel
pcx_content_type: navigation
sidebar:
order: 3
-
+ group:
+ hideIndex: true
---
-
-import { DirectoryListing } from "~/components"
-
-
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/index.mdx
deleted file mode 100644
index 21cc0dc76497217..000000000000000
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/index.mdx
+++ /dev/null
@@ -1,15 +0,0 @@
----
-pcx_content_type: navigation
-title: Locally-managed tunnel
-sidebar:
- order: 2
-
----
-
-import { DirectoryListing } from "~/components"
-
-If you set up your tunnel [through the CLI](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/), the tunnel runs as an instance of `cloudflared` on your machine. You can configure `cloudflared` properties by modifying [command line parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/) or by editing the tunnel configuration file.
-
-The CLI provides a quick way to handle configurations if you are connecting a single service through `cloudflared`. If you are connecting multiple services and you need to configure properties or exceptions for specific origins, you can do so by defining ingress rules in your configuration file.
-
-
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx
deleted file mode 100644
index d6d74356d2a3593..000000000000000
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx
+++ /dev/null
@@ -1,309 +0,0 @@
----
-pcx_content_type: how-to
-title: Remotely-managed tunnel
-sidebar:
- order: 1
----
-
-import { TabItem, Tabs, Render } from "~/components";
-
-If you created a Cloudflare Tunnel [from the dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/), the tunnel runs as a service on your OS.
-
-## Add tunnel run parameters
-
-You can modify the Cloudflare Tunnel service with one or more [general-purpose tunnel parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/).
-
-
-
-On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl`. By default, the service will be named `cloudflared.service`. To configure your tunnel on Linux:
-
-1. Open `cloudflared.service`.
-
- ```sh
- sudo systemctl edit --full cloudflared.service
- ```
-
-2. Modify the `cloudflared tunnel run` command with the desired configuration flag. For example,
-
- ```txt null {8}
- [Unit]
- Description=Cloudflare Tunnel
- After=network.target
-
- [Service]
- TimeoutStartSec=0
- Type=notify
- ExecStart=/usr/local/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token
- Restart=on-failure
- RestartSec=5s
-
- [Install]
- WantedBy=multi-user.target
- ```
-
-3. Restart `cloudflared.service`:
-
- ```sh
- sudo systemctl restart cloudflared
- ```
-
-4. To verify the new configuration, check the service status:
-
- ```sh
- sudo systemctl status cloudflared
- ```
- ```sh output
- ● cloudflared.service - cloudflared
- Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled)
- Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago
- Main PID: 2157 (cloudflared)
- Tasks: 8 (limit: 1136)
- Memory: 16.3M
- CPU: 136ms
- CGroup: /system.slice/cloudflared.service
- └─2157 /usr/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi...
- ```
-
-
-
-On macOS, Cloudflare Tunnel installs itself as a launch agent using `launchctl`. By default, the agent will be called `com.cloudflare.cloudflared`. To configure your tunnel on macOS:
-
-1. Stop the `cloudflared` service.
-
- ```sh
- sudo launchctl stop com.cloudflare.cloudflared
- ```
-
-2. Unload the configuration file.
-
- ```sh
- sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
- ```
-
-3. Open `/Library/LaunchDaemons/com.cloudflare.cloudflared.plist` in a text editor.
-
-4. Modify the `ProgramArguments` key with the desired configuration flag. For example,
-
- ```txt
-
-
- Label
- com.cloudflare.cloudflared
- ProgramArguments
-
- /opt/homebrew/bin/cloudflared
- tunnel
- --logfile
-
- --loglevel
- debug
- run
- --token
-
-
- ```
-
-5. Load the updated configuration file.
-
- ```sh
- sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
- ```
-
-6. Start the `cloudflared` service.
-
- ```sh
- sudo launchctl start com.cloudflare.cloudflared
- ```
-
-
-
-On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named `cloudflared`. To configure your tunnel on Windows:
-
-1. Open the Registry Editor.
-
-2. Go to **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Services** > **cloudflared**.
-
-3. Double-click **ImagePath**.
-
-4. Modify **Value data** with the desired configuration flag. For example,
-
- ```txt
- C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel debug --logfile run --token
- ```
-
-
-
-
-
-## Update origin configuration
-
-To configure how `cloudflared` sends requests to your [public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) services:
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
-2. Choose a tunnel and select **Configure**.
-3. Select the **Public Hostname** tab.
-4. Choose a route and select **Edit**.
-5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/).
-6. Select **Save hostname**.
-
-## Tunnel permissions
-
-A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel.
-
-### View the tunnel token
-
-To get the token for a remotely-managed tunnel:
-
-
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
-2. Select a `cloudflared` tunnel and select **Edit**.
-3. Copy `cloudflared` installation command.
-4. Paste the installation command into any text editor. The token value is of the form `eyJhIjoiNWFiNGU5Z...`
-
-
-
-
-Make a `GET` request to the [Cloudflare Tunnel token](/api/resources/zero_trust/subresources/tunnels/subresources/token/methods/get/) endpoint. The token value can be found in the `result`:
-
-```sh output
-{
- "success": true,
- "errors": [],
- "messages": [],
- "result": "eyJhIjoiNWFiNGU5Z..."
-}
-```
-
-
-
-
-### Rotate a token without service disruption
-
-Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two [`cloudflared` replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/). To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window.
-
-To rotate a tunnel token:
-
-1. Refresh the token on Cloudflare:
-
-
-
- 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
- 2. Select a `cloudflared` tunnel and select **Edit**.
- 3. Select **Refresh token**.
- 4. Copy the `cloudflared` installation command for your operating system. This command contains the new token.
-
-
-
-
- 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret:
-
- ```sh
- openssl rand -base64 32
- ```
-
- ```sh output
- AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=
- ```
-
- 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint:
- ```sh
- curl --request PATCH \
- https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \
- --header 'Content-Type: application/json' \
- --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
- --data '{
- "name": "Example tunnel",
- "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="
- }'
- ```
-
- ```sh output {18}
- {
- "success": true,
- "errors": [],
- "messages": [],
- "result": {
- "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
- "account_tag": "699d98642c564d2e855e9661899b7252",
- "created_at": "2024-12-04T22:03:26.291225Z",
- "deleted_at": null,
- "name": "Example tunnel",
- "connections": [],
- "conns_active_at": null,
- "conns_inactive_at": "2024-12-04T22:03:26.291225Z",
- "tun_type": "cfd_tunnel",
- "metadata": {},
- "status": "inactive",
- "remote_config": true,
- "token": "eyJhIjoiNWFiNGU5Z..."
- }
- }
- ```
- 3. Copy the `token` value shown in the output.
-
-
-
-
- After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic.
-
-2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host:
-
- ```sh
- sudo cloudflared service install
- ```
-
-3. Restart `cloudflared`:
-
- ```sh
- sudo systemctl restart cloudflared.service
- ```
-
-4. Confirm that the service started correctly:
- ```sh
- sudo systemctl status cloudflared
- ```
-
- While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas.
-
-5. Wait 10 minutes for traffic to route through the new connectors.
-
-6. Repeat steps 2, 3, and 4 for the second half of the replicas.
-
-The tunnel token is now fully rotated. The old token is no longer in use.
-
-### Rotate a compromised token
-
-If your tunnel token is compromised, we recommend taking the following steps:
-
-1. Refresh the token using the dashboard or API. Refer to Step 1 of [Rotate a token without service disruption](#rotate-a-token-without-service-disruption).
-2. [Delete all connections](/api/resources/zero_trust/subresources/tunnels/subresources/connections/methods/delete/) between `cloudflared` and Cloudflare:
- ```sh
- curl --request DELETE \
- https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \
- --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
- ```
-
- This will clean up any unauthorized connections and prevent users from connecting to your network.
-
-3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host:
-
- ```sh
- sudo cloudflared service install
- ```
-4. Restart `cloudflared`:
-
- ```sh
- sudo systemctl restart cloudflared.service
- ```
-
-5. Confirm that the service started correctly:
- ```sh
- sudo systemctl status cloudflared
- ```
-
-The tunnel token is now fully rotated. The old token is no longer in use.
-
-### Account-scoped roles
-
-
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-tunnel-permissions.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-tunnel-permissions.mdx
new file mode 100644
index 000000000000000..a94b5d28e07ba95
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-tunnel-permissions.mdx
@@ -0,0 +1,168 @@
+---
+pcx_content_type: how-to
+title: Tunnel permissions
+sidebar:
+ order: 10
+---
+
+import { TabItem, Tabs, Render } from "~/components";
+
+A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel.
+
+## View the tunnel token
+
+To get the token for a remotely-managed tunnel:
+
+
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
+2. Select a `cloudflared` tunnel and select **Edit**.
+3. Copy `cloudflared` installation command.
+4. Paste the installation command into any text editor. The token value is of the form `eyJhIjoiNWFiNGU5Z...`
+
+
+
+
+Make a `GET` request to the [Cloudflare Tunnel token](/api/resources/zero_trust/subresources/tunnels/subresources/token/methods/get/) endpoint. The token value can be found in the `result`:
+
+```sh output
+{
+ "success": true,
+ "errors": [],
+ "messages": [],
+ "result": "eyJhIjoiNWFiNGU5Z..."
+}
+```
+
+
+
+
+## Rotate a token without service disruption
+
+Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two [`cloudflared` replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/). To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window.
+
+To rotate a tunnel token:
+
+1. Refresh the token on Cloudflare:
+
+
+
+ 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
+ 2. Select a `cloudflared` tunnel and select **Edit**.
+ 3. Select **Refresh token**.
+ 4. Copy the `cloudflared` installation command for your operating system. This command contains the new token.
+
+
+
+
+ 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret:
+
+ ```sh
+ openssl rand -base64 32
+ ```
+
+ ```sh output
+ AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=
+ ```
+
+ 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint:
+ ```sh
+ curl --request PATCH \
+ https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \
+ --header 'Content-Type: application/json' \
+ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+ --data '{
+ "name": "Example tunnel",
+ "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="
+ }'
+ ```
+
+ ```sh output {18}
+ {
+ "success": true,
+ "errors": [],
+ "messages": [],
+ "result": {
+ "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
+ "account_tag": "699d98642c564d2e855e9661899b7252",
+ "created_at": "2024-12-04T22:03:26.291225Z",
+ "deleted_at": null,
+ "name": "Example tunnel",
+ "connections": [],
+ "conns_active_at": null,
+ "conns_inactive_at": "2024-12-04T22:03:26.291225Z",
+ "tun_type": "cfd_tunnel",
+ "metadata": {},
+ "status": "inactive",
+ "remote_config": true,
+ "token": "eyJhIjoiNWFiNGU5Z..."
+ }
+ }
+ ```
+ 3. Copy the `token` value shown in the output.
+
+
+
+
+ After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic.
+
+2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host:
+
+ ```sh
+ sudo cloudflared service install
+ ```
+
+3. Restart `cloudflared`:
+
+ ```sh
+ sudo systemctl restart cloudflared.service
+ ```
+
+4. Confirm that the service started correctly:
+ ```sh
+ sudo systemctl status cloudflared
+ ```
+
+ While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas.
+
+5. Wait 10 minutes for traffic to route through the new connectors.
+
+6. Repeat steps 2, 3, and 4 for the second half of the replicas.
+
+The tunnel token is now fully rotated. The old token is no longer in use.
+
+## Rotate a compromised token
+
+If your tunnel token is compromised, we recommend taking the following steps:
+
+1. Refresh the token using the dashboard or API. Refer to Step 1 of [Rotate a token without service disruption](#rotate-a-token-without-service-disruption).
+2. [Delete all connections](/api/resources/zero_trust/subresources/tunnels/subresources/connections/methods/delete/) between `cloudflared` and Cloudflare:
+ ```sh
+ curl --request DELETE \
+ https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \
+ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
+ ```
+
+ This will clean up any unauthorized connections and prevent users from connecting to your network.
+
+3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host:
+
+ ```sh
+ sudo cloudflared service install
+ ```
+4. Restart `cloudflared`:
+
+ ```sh
+ sudo systemctl restart cloudflared.service
+ ```
+
+5. Confirm that the service started correctly:
+ ```sh
+ sudo systemctl status cloudflared
+ ```
+
+The tunnel token is now fully rotated. The old token is no longer in use.
+
+## Account-scoped roles
+
+
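Review bot: In "Rotate a compromised token", step 2 does not say that deleting all connections also drops the legitimate replicas, so the tunnel presumably stops serving traffic until steps 3 to 5 are finished on at least one host. The follow-up sentence "prevent users from connecting to your network" also leaves unclear which users are meant. I would reword it along the lines of `This disconnects every connector, including any that were started with the compromised token; the tunnel will not serve traffic until a replica reconnects with the new token.` Since the page opens by stating that anyone with the token can run the tunnel, it would also help to say under "View the tunnel token" that the token and the `tunnel_secret` sent in the PATCH request are credentials and should be kept out of shared shell history, tickets and chat. The `AQIDBAUG…` value in the `openssl` output and request body should be labelled as a sample that must not be reused.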
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/index.mdx
similarity index 92%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/index.mdx
index 4d538b610f61a7b..3dc882e58ec5bc7 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/index.mdx
@@ -2,7 +2,7 @@
pcx_content_type: concept
title: Tunnel availability and failover
sidebar:
- order: 2
+ order: 4
---
import { Details, GlossaryTooltip } from "~/components";
@@ -25,7 +25,7 @@ By design, replicas do not offer any level of traffic steering (random, hash, or
To deploy multiple instances of `cloudflared`, you can create and configure one tunnel and run it on multiple hosts. If your tunnel runs as a service, only one `cloudflared` instance is allowed per host.
-
+
1. To create a remotely-managed tunnel, follow the [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).
2. On the **Tunnels** page, select your newly created tunnel. The **Connectors** section shows all of the `cloudflared` instances for that tunnel.
@@ -37,11 +37,11 @@ The new replica will appear on the **Connectors** list for the tunnel.
-
+
-1. To create a locally-managed tunnel, complete Steps 1 through 5 in the [CLI setup guide](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/).
+1. To create a locally-managed tunnel, complete Steps 1 through 5 in the [CLI setup guide](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/).
-2. Next, run your newly created tunnel.
+2. Run your newly created tunnel.
```sh
cloudflared tunnel run
@@ -57,7 +57,7 @@ The new replica will appear on the **Connectors** list for the tunnel.
This will initialize another `cloudflared` instance and generate another `connector_id`.
-4. Next, run `tunnel info` to show each `cloudflared` instance running your tunnel:
+4. Run `tunnel info` to show each `cloudflared` instance running your tunnel:
```sh
cloudflared tunnel info
@@ -71,7 +71,7 @@ You can run the same tunnel across various `cloudflared` processes for up to 100
:::note[Deploy replicas with Kubernetes]
-For information about running `cloudflared` instances in a Kubernetes deployment, refer to our guides for tunnels managed [remotely via the dashboard](/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/kubernetes/) or [locally via the CLI](/cloudflare-one/tutorials/many-cfd-one-tunnel/).
+For information about running `cloudflared` instances in a Kubernetes deployment, refer to our guides for tunnels managed [remotely via the dashboard](/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes/) or [locally via the CLI](/cloudflare-one/tutorials/many-cfd-one-tunnel/).
:::
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements.mdx
similarity index 94%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements.mdx
index ac47183eafcc5c8..b8b758d62d2e084 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements.mdx
@@ -2,7 +2,7 @@
pcx_content_type: concept
title: System requirements
sidebar:
- order: 3
+ order: 6
---
import { Render, TabItem, Tabs, TunnelCalculator } from "~/components";
@@ -13,7 +13,7 @@ Our connector, `cloudflared`, was designed to be lightweight and flexible enough
For most use cases, we recommend the following baseline configuration:
-- Run a [`cloudflared` replica](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/#cloudflared-replicas) on two dedicated host machines per network location. Using two hosts enables server-side redundancy and traffic balancing.
+- Run a [`cloudflared` replica](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/#cloudflared-replicas) on two dedicated host machines per network location. Using two hosts enables server-side redundancy and traffic balancing.
- Size each host with minimum 4GB of RAM and 4 CPU cores.
- Allocate 50,000 [ports](#number-of-ports) to the `cloudflared` process on each host.
@@ -104,4 +104,4 @@ To calculate your tunnel capacity:
-You can use these results to determine if your tunnel is appropriately sized. To increase your tunnel capacity, add identical host machines running [`cloudflared` replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/#cloudflared-replicas).
+You can use these results to determine if your tunnel is appropriately sized. To increase your tunnel capacity, add identical host machines running [`cloudflared` replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/#cloudflared-replicas).
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall.mdx
similarity index 99%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall.mdx
index 2b7281bcda2a84a..f51a9f5012a9958 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall.mdx
@@ -2,7 +2,7 @@
pcx_content_type: reference
title: Tunnel with firewall
sidebar:
- order: 1
+ order: 3
tableOfContents: false
---
@@ -36,7 +36,7 @@ Opening port 443 enables some optional features. Failure to allow these connecti
| `api.cloudflare.com` | `104.19.192.29`
`104.19.192.177`
`104.19.192.175`
`104.19.193.29`
`104.19.192.174`
`104.19.192.176` | `2606:4700:300a::6813:c0af`
`2606:4700:300a::6813:c01d`
`2606:4700:300a::6813:c0ae`
`2606:4700:300a::6813:c11d`
`2606:4700:300a::6813:c0b0`
`2606:4700:300a::6813:c0b1` | 443 | TCP (HTTPS) | Allows `cloudflared` to query if software updates are available. |
| `update.argotunnel.com` | `104.18.25.129`
`104.18.24.129` | `2606:4700::6812:1881`
`2606:4700::6812:1981` | 443 | TCP (HTTPS) | Allows `cloudflared` to query if software updates are available. |
| `github.com` | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | 443 | TCP (HTTPS) | Allows `cloudflared` to download the latest release and perform a software update. |
-| `.`
`cloudflareaccess.com` | `104.19.194.29`
`104.19.195.29` | `2606:4700:300a::6813:c31d`
`2606:4700:300a::6813:c21d` | 443 | TCP (HTTPS) | Allows `cloudflared` to validate the Access JWT. Only required if the [`access`](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#access) setting is enabled. |
+| `.`
`cloudflareaccess.com` | `104.19.194.29`
`104.19.195.29` | `2606:4700:300a::6813:c31d`
`2606:4700:300a::6813:c21d` | 443 | TCP (HTTPS) | Allows `cloudflared` to validate the Access JWT. Only required if the [`access`](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#access) setting is enabled. |
| `pqtunnels.`
`cloudflareresearch.com` | `104.18.4.64`
`104.18.5.64` | `2606:4700::6812:540`
`2606:4700::6812:440` | 443 | TCP (HTTPS) | Allows `cloudflared` to report [post-quantum key exchange](https://blog.cloudflare.com/post-quantum-tunnel/) errors to Cloudflare. |
## Firewall configuration
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/index.mdx
deleted file mode 100644
index 967bdf0a3fb0217..000000000000000
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: Deploy a tunnel
-pcx_content_type: navigation
-sidebar:
- order: 3
-
----
-
-import { DirectoryListing } from "~/components"
-
-
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/ansible.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx
similarity index 95%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/ansible.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx
index 26ae236adf68ee2..2427bf42af1384a 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/ansible.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx
@@ -9,14 +9,14 @@ import { Render } from "~/components";
Ansible is a software tool that enables at scale management of infrastructure. Ansible is agentless — all it needs to function is the ability to SSH to the target and Python installed on the target.
-Ansible works alongside Terraform to streamline the Cloudflare Tunnel setup process. In this guide, you will use Terraform to deploy an SSH server on Google Cloud and create a [locally-managed tunnel](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/) that makes the server available over the Internet. Terraform will automatically run an Ansible playbook that installs and configures `cloudflared` on the server.
+Ansible works alongside Terraform to streamline the Cloudflare Tunnel setup process. In this guide, you will use Terraform to deploy an SSH server on Google Cloud and create a [locally-managed tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/) that makes the server available over the Internet. Terraform will automatically run an Ansible playbook that installs and configures `cloudflared` on the server.
## Prerequisites
To complete the steps in this guide, you will need:
- [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) and [GCP CLI installed and authenticated](https://cloud.google.com/sdk/docs/install).
-- [Basic knowledge of Terraform](/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/terraform/) and[Terraform installed](https://developer.hashicorp.com/terraform/tutorials/certification-associate-tutorials/install-cli).
+- [Basic knowledge of Terraform](/cloudflare-one/connections/connect-networks/deployment-guides/terraform/) and[Terraform installed](https://developer.hashicorp.com/terraform/tutorials/certification-associate-tutorials/install-cli).
- [A zone on Cloudflare](/fundamentals/setup/manage-domains/add-site/).
- [A Cloudflare API token](/fundamentals/api/get-started/create-token/) with `Cloudflare Tunnel` and `DNS` permissions.
@@ -140,7 +140,7 @@ The following configuration will modify settings in your Cloudflare account.
### Configure GCP resources
-The following configuration defines the specifications for the GCP virtual machine and installs Python3 on the machine. Python3 allows Ansible to configure the GCP instance instead of having to run a [startup script](/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/terraform/#create-a-startup-script) on boot.
+The following configuration defines the specifications for the GCP virtual machine and installs Python3 on the machine. Python3 allows Ansible to configure the GCP instance instead of having to run a [startup script](/cloudflare-one/connections/connect-networks/deployment-guides/terraform/#create-a-startup-script) on boot.
1. In your configuration directory, create a `.tf` file:
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/aws.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
similarity index 94%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/aws.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
index 5a15cfee882ec46..bc2bc1574d2c082 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/aws.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
@@ -115,7 +115,7 @@ You can optionally [create Gateway network policies](/cloudflare-one/connections
## Firewall configuration
-To secure your AWS instance, you can configure your [Security Group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules.
+To secure your AWS instance, you can configure your [Security Group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules.
:::note
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/azure.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/azure.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/azure.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/azure.mdx
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/google-cloud-platform.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
similarity index 94%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/google-cloud-platform.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
index 91fef839c8b5dd2..ecffc6743161829 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/google-cloud-platform.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
@@ -97,7 +97,7 @@ You can optionally [create Gateway network policies](/cloudflare-one/connections
## Firewall configuration
-To secure your VM instance, you can [configure your VPC firewall rules](https://cloud.google.com/firewall/docs/using-firewalls) to deny all ingress traffic and allow only egress traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). Since GCP denies ingress traffic by [default](https://cloud.google.com/firewall/docs/firewalls#default_firewall_rules), you can delete all ingress rules and leave only the relevant egress rules.
+To secure your VM instance, you can [configure your VPC firewall rules](https://cloud.google.com/firewall/docs/using-firewalls) to deny all ingress traffic and allow only egress traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). Since GCP denies ingress traffic by [default](https://cloud.google.com/firewall/docs/firewalls#default_firewall_rules), you can delete all ingress rules and leave only the relevant egress rules.
:::note
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/index.mdx
similarity index 69%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/index.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/index.mdx
index a796eba3642b8a8..c2001e98cc26863 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/index.mdx
@@ -3,9 +3,10 @@ pcx_content_type: navigation
title: Environments
sidebar:
order: 6
-
---
import { DirectoryListing } from "~/components"
+Learn how to deploy Cloudflare Tunnel in specific environments:
+
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/kubernetes.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/kubernetes.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes.mdx
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/terraform.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/terraform.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/terraform.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/terraform.mdx
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/index.mdx
index 37dd0dbea55f04f..1c02f368a5e678f 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/index.mdx
@@ -2,7 +2,7 @@
pcx_content_type: navigation
title: Do more with Tunnel
sidebar:
- order: 7
+ order: 11
---
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/index.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/index.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/index.mdx
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/linux.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/linux.mdx
similarity index 67%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/linux.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/linux.mdx
index 5a2d6b007b8c8f6..efa511a00897f18 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/linux.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/linux.mdx
@@ -12,11 +12,11 @@ You can install `cloudflared` as a system service on Linux.
## Prerequisites
-Before you install Cloudflare Tunnel as a service on Linux, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `.cloudflared` directory.
+Before you install Cloudflare Tunnel as a service on Linux, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `.cloudflared` directory.
## 1. Configure `cloudflared` as a service
-By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:
+By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:
| Argument | Description |
| ------------------ | ---------------------------------------------------- |
@@ -45,7 +45,7 @@ By default, Cloudflare Tunnel expects all of the configuration to exist in the `
## Next steps
-You can now [route traffic through your tunnel](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:
+You can now [route traffic through your tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:
```sh
systemctl restart cloudflared
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/macos.mdx
similarity index 75%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/macos.mdx
index acd721b1ccf8770..3073fb92344c4ea 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/macos.mdx
@@ -12,11 +12,11 @@ You can install `cloudflared` as a system service on macOS.
## Prerequisites
-Before you install Cloudflare Tunnel as a service on your OS, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `$HOME/.cloudflared` directory.
+Before you install Cloudflare Tunnel as a service on your OS, follow Steps 1 through 4 of the [Tunnel CLI setup guide](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/). At this point you should have a named tunnel and a `config.yml` file in your `$HOME/.cloudflared` directory.
## 1. Configure `cloudflared` as a service
-By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:
+By default, Cloudflare Tunnel expects all of the configuration to exist in the `$HOME/.cloudflared/config.yml` [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:
| Argument | Description |
| ------------------ | ---------------------------------------------------- |
@@ -59,7 +59,7 @@ The output will be logged to `/Library/Logs/com.cloudflare.cloudflared.err.log`
## Next steps
-You can now [route traffic through your tunnel](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:
+You can now [route traffic through your tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:
```sh
sudo launchctl stop com.cloudflare.cloudflared
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/windows.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/windows.mdx
similarity index 88%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/windows.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/windows.mdx
index 2851280cbee09e3..0e73142d6982aaa 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/windows.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/windows.mdx
@@ -13,7 +13,7 @@ You can install `cloudflared` as a system service on Windows.
## Configure `cloudflared` as a service
-By default, Cloudflare Tunnel expects all of the configuration to exist in the `%USERPROFILE%\.cloudflared\config.yml` [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:
+By default, Cloudflare Tunnel expects all of the configuration to exist in the `%USERPROFILE%\.cloudflared\config.yml` [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/). At a minimum you must specify the following arguments to run as a service:
| Argument | Description |
| ------------------ | ---------------------------------------------------- |
@@ -66,7 +66,7 @@ By default, Cloudflare Tunnel expects all of the configuration to exist in the `
This will generate a [credentials file](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#credentials-file) in `.json` format.
-10. [Create a configuration file](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#4-create-a-configuration-file) with the following content:
+10. [Create a configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#4-create-a-configuration-file) with the following content:
```txt
tunnel:
@@ -125,7 +125,7 @@ By default, Cloudflare Tunnel expects all of the configuration to exist in the `
## Next steps
-You can now [route traffic through your tunnel](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:
+You can now [route traffic through your tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#5-start-routing-traffic). If you add IP routes or otherwise change the configuration, restart the service to load the new configuration:
```bash
sc stop cloudflared
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file.mdx
similarity index 87%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file.mdx
index 83e4cf427888e5e..a494696e4c8005c 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file.mdx
@@ -11,7 +11,9 @@ sidebar:
:::
-The tunnel [configuration file](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#4-create-a-configuration-file) allows you to have fine-grained control over how an instance of `cloudflared` will operate. In your configuration file, you can specify top-level properties for your `cloudflared` instance as well as configure [origin-specific properties](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/). For a full list of configuration options, type `cloudflared tunnel help` in your terminal.
+Locally-managed tunnels run as an instance of `cloudflared` on your machine. You can configure `cloudflared` properties by modifying [command line parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/) or by editing the tunnel [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#4-create-a-configuration-file).
+
+The CLI provides a quick way to handle configurations if you are connecting a single service through `cloudflared`. The tunnel configuration file is useful if you are connecting multiple services and need to configure properties or exceptions for specific origins. In the configuration file, you can define top-level properties for your `cloudflared` instance as well as [origin-specific properties](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/). For a full list of configuration options, type `cloudflared tunnel help` in your terminal.
In the absence of a configuration file, `cloudflared` will proxy outbound traffic through port `8080`.
@@ -115,7 +117,7 @@ ingress:
### Origin configuration
-If you need to proxy traffic to multiple origins within one instance of `cloudflared`, you can define the way `cloudflared` sends requests to each service by specifying [configuration options](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/) as part of your ingress rules.
+If you need to proxy traffic to multiple origins within one instance of `cloudflared`, you can define the way `cloudflared` sends requests to each service by specifying [configuration options](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/) as part of your ingress rules.
In the following example, the top-level configuration `connectTimeout: 30s` sets a 30-second connection timeout for all services within that instance of `cloudflared`. The ingress rule for `service: localhost:8002` then configures an exception to the top-level configuration by setting `connectTimeout` for that service at `10s`. The 30-second connection timeout still applies to all other services.
@@ -169,7 +171,7 @@ Matched rule #3
## Update a configuration file
-When making changes to the configuration file for a given tunnel, we suggest relying on [`cloudflared` replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/) to propagate the new configuration with minimal downtime.
+When making changes to the configuration file for a given tunnel, we suggest relying on [`cloudflared` replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) to propagate the new configuration with minimal downtime.
1. Have a `cloudflared` instance running with the original version of the configuration file.
2. Start a `cloudflared` replica running with the updated version of the configuration file.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel.mdx
similarity index 95%
rename from src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel.mdx
index 4932292c38fb69a..8b98bbc9754c490 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel.mdx
@@ -1,8 +1,8 @@
---
-title: Create a locally-managed tunnel (CLI)
+title: Create a locally-managed tunnel
pcx_content_type: how-to
sidebar:
- order: 2
+ order: 1
---
import { Render, TabItem, Tabs } from "~/components";
@@ -129,7 +129,7 @@ cloudflared tunnel list
## 4. Create a configuration file
-1. In your `.cloudflared` directory, create a [`config.yml` file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/) using any text editor. This file will configure the tunnel to route traffic from a given origin to the hostname of your choice.
+1. In your `.cloudflared` directory, create a [`config.yml` file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/) using any text editor. This file will configure the tunnel to route traffic from a given origin to the hostname of your choice.
2. Add the following fields to the file:
@@ -194,7 +194,7 @@ cloudflared tunnel --config /path/your-config-file.yml run
:::note
-Cloudflare Tunnel can install itself as a system service on Linux and Windows and as a launch agent on macOS. For more information, refer to [run as a service](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/).
+Cloudflare Tunnel can install itself as a system service on Linux and Windows and as a launch agent on macOS. For more information, refer to [run as a service](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/).
:::
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/index.mdx
new file mode 100644
index 000000000000000..3b8828cd295aef1
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/index.mdx
@@ -0,0 +1,18 @@
+---
+pcx_content_type: navigation
+title: Locally-managed tunnels
+sidebar:
+ order: 2
+
+---
+
+import { DirectoryListing } from "~/components"
+
+
+A loocally-managed tunnel is a Cloudflare Tunnel created by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory).
+
+:::note
+Cloudflare recommends setting up a [remotely-managed tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). Remotely-managed configurations are stored on Cloudflare, which allows you to manage the tunnel from any machine using the dashboard, API, or Terraform.
+:::
+
+
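Review bot: The in-page link `[cloudflared directory](#default-cloudflared-directory)` in the opening paragraph has no target in this new file; the `## Default cloudflared directory` heading it refers to is added in `local-tunnel-terms.mdx` by the same commit. Point the link at that page instead: `(/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#default-cloudflared-directory)`. The same sentence also misspells "locally-managed" as "loocally-managed".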
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms.mdx
new file mode 100644
index 000000000000000..a56a2acab8b39c2
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms.mdx
@@ -0,0 +1,35 @@
+---
+pcx_content_type: reference
+title: Useful terms
+sidebar:
+ order: 10
+---
+
+This page contains terminology specific to locally-managed Cloudflare Tunnels. For general Tunnel terminology, refer to the [Get started section](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/).
+
+## Default `cloudflared` directory
+
+`cloudflared` uses a default directory when storing credentials files for your tunnels, as well as the `cert.pem` file it generates when you run `cloudflared login`. The default directory is also where `cloudflared` will look for a [configuration file](#configuration-file) if no other file path is specified when running a tunnel.
+
+| OS | Path to default directory |
+| --------------------------- | -------------------------------------------------------------------------------------- |
+| Windows | `%USERPROFILE%\.cloudflared` |
+| macOS and Unix-like systems | `~/.cloudflared`, `/etc/cloudflared`, and `/usr/local/etc/cloudflared`, in this order. |
+
+## Configuration file
+
+This is a YAML file that functions as the operating manual for `cloudflared`. `cloudflared` will automatically look for the configuration file in the [default `cloudflared` directory](#default-cloudflared-directory), but you can store your configuration file in any directory. It is recommended to always specify the file path for your configuration file whenever you reference it. By creating a configuration file, you can have fine-grained control over how their instance of `cloudflared` will operate. This includes operations like what you want `cloudflared` to do with traffic (for example, proxy websockets to port `xxxx` or SSH to port `yyyy`), where `cloudflared` should search for authorization (credentials file, tunnel token), and what mode it should run in (for example, [`warp-routing`](/cloudflare-one/connections/connect-networks/private-net/)). In the absence of a configuration file, cloudflared will proxy outbound traffic through port `8080`. For more information on how to create, store, and structure a configuration file, refer to the [dedicated instructions](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/).
+
+## Cert.pem
+
+This is the certificate file issued by Cloudflare when you run `cloudflared tunnel login`. This file uses a certificate to authenticate your instance of `cloudflared` and it is required when you create new tunnels, delete existing tunnels, change DNS records, or configure tunnel routing from cloudflared. This file is not required to perform actions such as running an existing tunnel or managing tunnel routing from the Cloudflare dashboard. Refer to the [Tunnel permissions page](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/tunnel-permissions/) for more details on when this file is needed.
+
+The `cert.pem` origin certificate is valid for at least 10 years, and the service token it contains is valid until revoked.
+
+## Credentials file
+
+This file is created when you run `cloudflared tunnel create `. It stores your tunnel's credentials in JSON format, and is unique to each tunnel. This file functions as a token authenticating the tunnel it is associated with. Refer to the [Tunnel permissions page](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/tunnel-permissions/) for more details on when this file is needed.
+
+## Ingress rule
+
+Ingress rules let you specify which local services traffic should be proxied to. If a rule does not specify a path, all paths will be matched. Ingress rules can be listed in your [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/) or when running `cloudflared tunnel ingress`.
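Review bot: The `Cert.pem` and `Credentials file` sections describe long-lived credentials but give no guidance on protecting them on disk. The page itself states that the certificate is valid for at least 10 years, that its service token is valid until revoked, and that the credentials file "functions as a token". I would add a sentence to each section along the lines of `Treat this file as a secret: restrict read access to the account that runs cloudflared and keep it out of version control.` Separately, the `Default cloudflared directory` section says `cert.pem` is generated by `cloudflared login`, while the `Cert.pem` section says `cloudflared tunnel login`; using one form throughout would avoid confusion about which command applies.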
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/tunnel-permissions.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/tunnel-permissions.mdx
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/tunnel-useful-commands.mdx
similarity index 98%
rename from src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands.mdx
rename to src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/tunnel-useful-commands.mdx
index e3e4bbbe6d0307e..30bcc1addae3285 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/tunnel-useful-commands.mdx
@@ -26,7 +26,7 @@ To view all CLI commands, refer to the CLI help text in your terminal. For examp
| `cloudflared tunnel --config path/config.yaml run ` | Runs a tunnel, creating highly available connections between your server and the Cloudflare edge. You can provide name or UUID of the tunnel to run either as the last command line argument or in the configuration file using `tunnel: `. |
| `cloudflared tunnel info ` | Displays details about the active connectors for a given tunnel identified by name of UUID. |
| `cloudflared tunnel cleanup ` | Deletes connections for tunnels with the given UUIDs or names. This is useful if you get an error trying to delete or run a tunnel after `cloudflared` is not shut down gracefully (for example, if a `kill` command is issued). |
-| `cloudflared tunnel cleanup --connector-id ` | Disconnects and deletes a [cloudflared replica](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/) with the given connector ID. You can view all replicas for a tunnel by running `cloudflared tunnel info `. |
+| `cloudflared tunnel cleanup --connector-id ` | Disconnects and deletes a [cloudflared replica](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) with the given connector ID. You can view all replicas for a tunnel by running `cloudflared tunnel info `. |
| `cloudflared tunnel delete ` | Deletes tunnels with the given name or UUID. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use the `-f` flag. |
| `cloudflared tunnel vnet add ` | Creates a Virtual Network to which IP routes can be assigned. To make this Virtual Network the default for your Zero Trust organization, use the `-d` flag. |
| `cloudflared tunnel vnet delete ` | Deletes the Virtual Network with the given name or UUID. Before you can delete a Virtual Network, you must first delete all IP routes assigned to the Virtual Network. |
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx
index cc3bd1491a58f68..34861c011fde784 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx
@@ -34,7 +34,7 @@ To migrate your legacy tunnels to the named tunnels architecture:
2. Obtain a new origin certificate by running `cloudflared login`. While named tunnels are scoped to an account, for legacy reasons the login page requires selecting a zone.
-3. [Create a tunnel](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#3-create-a-tunnel-and-give-it-a-name).
+3. [Create a tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#3-create-a-tunnel-and-give-it-a-name).
```sh
cloudflared tunnel create
@@ -54,7 +54,7 @@ To migrate your legacy tunnels to the named tunnels architecture:
cloudflared tunnel route lb
```
-5. Next, create a [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/) with ingress rules. The ingress rules describe how to dispatch requests to your origins based on hostname and path. For example, if in the past you used to run `cloudflared tunnel --hostname tunnel.example.com --url https://localhost:3000`, you should add an equivalent ingress rule to your configuration file:
+5. Next, create a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/) with ingress rules. The ingress rules describe how to dispatch requests to your origins based on hostname and path. For example, if in the past you used to run `cloudflared tunnel --hostname tunnel.example.com --url https://localhost:3000`, you should add an equivalent ingress rule to your configuration file:
```yml
ingress:
@@ -64,7 +64,7 @@ To migrate your legacy tunnels to the named tunnels architecture:
# Note that the last rule is the catch-all rule and is required.
```
-6. [Run your tunnel](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#6-run-the-tunnel).
+6. [Run your tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#6-run-the-tunnel).
## Make sure everything works
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx
index e3f91cbe5ff87ae..4be1947bb3e815e 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx
@@ -1,5 +1,5 @@
---
-title: Create a remotely-managed tunnel (dashboard)
+title: Create a tunnel (dashboard)
pcx_content_type: how-to
sidebar:
order: 1
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/index.mdx
index 99594af411ebac0..c013e2b4bc20b99 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/index.mdx
@@ -13,6 +13,4 @@ import { DirectoryListing, GlossaryTooltip } from "~/components"
To create and manage tunnels, you will need to install and authenticate cloudflared on your origin server. `cloudflared` is what connects your server to Cloudflare's global network.
-You have the option of creating a tunnel [via the dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) or [via the command line](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/). We recommend getting started with the dashboard, since it will allow you to manage the tunnel from any machine.
-
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms.mdx
index 0ccef5a20767a40..dd716fa7d05ac07 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms.mdx
@@ -33,34 +33,7 @@ A remotely-managed tunnel is a [tunnel](#tunnel) that was created in [Zero Trust
## Locally-managed tunnel
-A locally-managed tunnel is a [tunnel](#tunnel) that was created by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory).
-
-### Default `cloudflared` directory
-
-`cloudflared` uses a default directory when storing credentials files for your tunnels, as well as the `cert.pem` file it generates when you run `cloudflared login`. The default directory is also where `cloudflared` will look for a [configuration file](#configuration-file) if no other file path is specified when running a tunnel.
-
-| OS | Path to default directory |
-| --------------------------- | -------------------------------------------------------------------------------------- |
-| Windows | `%USERPROFILE%\.cloudflared` |
-| macOS and Unix-like systems | `~/.cloudflared`, `/etc/cloudflared`, and `/usr/local/etc/cloudflared`, in this order. |
-
-### Configuration file
-
-This is a YAML file that functions as the operating manual for `cloudflared`. `cloudflared` will automatically look for the configuration file in the [default `cloudflared` directory](#default-cloudflared-directory), but you can store your configuration file in any directory. It is recommended to always specify the file path for your configuration file whenever you reference it. By creating a configuration file, you can have fine-grained control over how their instance of `cloudflared` will operate. This includes operations like what you want `cloudflared` to do with traffic (for example, proxy websockets to port `xxxx` or SSH to port `yyyy`), where `cloudflared` should search for authorization (credentials file, tunnel token), and what mode it should run in (for example, [`warp-routing`](/cloudflare-one/connections/connect-networks/private-net/)). In the absence of a configuration file, cloudflared will proxy outbound traffic through port `8080`. For more information on how to create, store, and structure a configuration file, refer to the [dedicated instructions](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/).
-
-### Cert.pem
-
-This is the certificate file issued by Cloudflare when you run `cloudflared tunnel login`. This file uses a certificate to authenticate your instance of `cloudflared` and it is required when you create new tunnels, delete existing tunnels, change DNS records, or configure tunnel routing from cloudflared. This file is not required to perform actions such as running an existing tunnel or managing tunnel routing from the Cloudflare dashboard. Refer to the [Tunnel permissions page](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions/) for more details on when this file is needed.
-
-The `cert.pem` origin certificate is valid for at least 10 years, and the service token it contains is valid until revoked.
-
-### Credentials file
-
-This file is created when you run `cloudflared tunnel create `. It stores your tunnel's credentials in JSON format, and is unique to each tunnel. This file functions as a token authenticating the tunnel it is associated with. Refer to the [Tunnel permissions page](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions/) for more details on when this file is needed.
-
-### Ingress rule
-
-Ingress rules let you specify which local services traffic should be proxied to. If a rule does not specify a path, all paths will be matched. Ingress rules can be listed in your [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/) or when running `cloudflared tunnel ingress`.
+A locally-managed tunnel is a [tunnel](#tunnel) that was created by running `cloudflared tunnel create ` on the command line. Tunnel configuration is stored in your local [cloudflared directory](#default-cloudflared-directory). For terminology specific to locally-managed tunnels, refer to the [Locally-managed tunnel glossary](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/).
## Quick tunnels
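Review bot: The rewritten paragraph still links `[cloudflared directory](#default-cloudflared-directory)`, but this hunk deletes the `### Default cloudflared directory` heading from the page, so the anchor no longer resolves here. Retarget it to the moved section: `(/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#default-cloudflared-directory)`. The deletion also breaks an inbound deep link visible elsewhere in this diff: an unchanged context line in `as-a-service/windows.mdx` still points to `/get-started/tunnel-useful-terms/#credentials-file`. That link should move to the new `local-tunnel-terms/#credentials-file` section.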
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/index.mdx
index 094637e601bd677..a6ba333ef5b74eb 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/index.mdx
@@ -2,7 +2,7 @@
pcx_content_type: navigation
title: Monitor tunnels
sidebar:
- order: 6
+ order: 9
---
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/logs.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/logs.mdx
index 3eb0b4f45ed7bfb..84b9c1ca42e7290 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/logs.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/logs.mdx
@@ -12,7 +12,7 @@ Tunnel logs record all activity between a `cloudflared` instance and Cloudflare'
## View logs on the server
-If you have access to the origin server, you can use the [`--loglevel` flag](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#loglevel) to enable logging when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not store logs on the server. You can optionally use the [`--logfile` flag](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#logfile) to write your logs to a file.
+If you have access to the origin server, you can use the [`--loglevel` flag](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) to enable logging when you start the tunnel. By default, `cloudflared` prints logs to stdout and does not store logs on the server. You can optionally use the [`--logfile` flag](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#logfile) to write your logs to a file.
To enable logs for a locally-managed tunnel:
@@ -20,7 +20,7 @@ To enable logs for a locally-managed tunnel:
cloudflared tunnel --loglevel debug --logfile cloudflared.log run
```
-To enable logs for a remotely-managed tunnel, add `--loglevel debug` and `--logfile ` to your system service as shown in [Add tunnel run parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management/#add-tunnel-run-parameters).
+To enable logs for a remotely-managed tunnel, add `--loglevel debug` and `--logfile ` to your system service as shown in [Add tunnel run parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters).
## View logs on your local machine
@@ -69,13 +69,13 @@ cloudflared tail --level debug
| Flag | Description | Allowed values | Default value |
| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------- |
| `--event` | Filter by the type of event / request. | `cloudflared`, `http`, `tcp`, `udp` | All events |
-| `--level` | Return logs at this level and above. Works independently of the [`--loglevel`](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#loglevel) setting on the server. | `debug`, `info`, `warn`, `error`, `fatal` | `debug` |
+| `--level` | Return logs at this level and above. Works independently of the [`--loglevel`](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) setting on the server. | `debug`, `info`, `warn`, `error`, `fatal` | `debug` |
| `--sampling` | Sample a fraction of the total logs. | Number from `0.0` to `1.0` | `1.0` |
| | | | |
#### View logs for a replica
-If you are running multiple `cloudflared` instances for the same tunnel (also known as [replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/)), you must specify an individual instance to stream logs from:
+If you are running multiple `cloudflared` instances for the same tunnel (also known as [replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/)), you must specify an individual instance to stream logs from:
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels** and select your tunnel.
2. Find the **Connector ID** for the `cloudflared` instance you want to view.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/metrics.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/metrics.mdx
index c4e0e26732ff7f1..7f3730096562224 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/metrics.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/monitor-tunnels/metrics.mdx
@@ -24,13 +24,13 @@ To determine the default port being used by a `cloudflared` instance, you can ch
To serve metrics on a custom IP address and port, perform these steps on the `cloudflared` host:
-1. Run the tunnel using the [--metrics](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#metrics) flag. Here is an example command for a locally-managed tunnel:
+1. Run the tunnel using the [--metrics](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#metrics) flag. Here is an example command for a locally-managed tunnel:
```sh
cloudflared tunnel --metrics 127.0.0.1:60123 run my-tunnel
```
- To learn how to add the `--metrics` flag to a remotely-managed tunnel, refer to [Configure a remotely-managed tunnel](/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management/#add-tunnel-run-parameters).
+ To learn how to add the `--metrics` flag to a remotely-managed tunnel, refer to [Configure a remotely-managed tunnel](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters).
:::note
If you plan to fetch metrics from another machine on the local network, replace `127.0.0.1` with the internal IP of the `cloudflared` server (for example, `198.168.x.x`). To serve metrics on all available network interfaces, use `0.0.0.0`.
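Review bot: The note that closes this hunk gives `198.168.x.x` as the example internal IP, which is outside the RFC 1918 private ranges; it should read `192.168.x.x`. The same note suggests `0.0.0.0` to serve on all interfaces without saying that this makes the metrics endpoint reachable from every network the host is attached to, and nothing in this section describes any access control on that endpoint. I would add a sentence such as `Binding to 0.0.0.0 exposes the metrics endpoint on every interface; prefer a specific internal address, or restrict the port with a host firewall.` The `:::note` block continues past the end of the hunk, so the rest of its wording is not visible here.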
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx
index e7a7b5fc958129d..7ba2feb7061b386 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx
@@ -23,7 +23,7 @@ Ensure that **Split Tunnels** are configured to [include traffic to private IPs
:::
-5. Finally, ensure that your tunnel uses QUIC as the default [transport protocol](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#protocol). This will enable `cloudflared` to proxy UDP-based traffic which is required in most cases to resolve DNS queries.
+5. Finally, ensure that your tunnel uses QUIC as the default [transport protocol](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#protocol). This will enable `cloudflared` to proxy UDP-based traffic which is required in most cases to resolve DNS queries.
The WARP client will now resolve requests through the internal DNS server you set up in your private network.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks.mdx
index 9d5b79ff00ebf66..e39ef7ebcc16567 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks.mdx
@@ -38,7 +38,7 @@ Here are a few scenarios where virtual networks may prove useful:
## Prerequisites
-- [Install `cloudflared`](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#1-download-and-install-cloudflared) on each private network.
+- [Install `cloudflared`](/cloudflare-one/connections/connect-networks/downloads/) on each private network.
- [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on user devices.
## Create a virtual network
@@ -137,7 +137,7 @@ The following example demonstrates how to add two overlapping IP routes to Cloud
We now have two overlapping IP addresses routed over `staging-vnet` and `production-vnet` respectively.
- 6. Within your staging environment, create a [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/) for `staging-tunnel`. The configuration file will be structured as follows:
+ 6. Within your staging environment, create a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/) for `staging-tunnel`. The configuration file will be structured as follows:
```txt
tunnel:
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx
index 9418c9f194e6788..554f09cc4b6775e 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx
@@ -2,7 +2,7 @@
pcx_content_type: concept
title: Private networks
sidebar:
- order: 5
+ order: 7
---
With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a [connector](#connectors) on the private network, and then [setting up routes](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2b-connect-a-network) which define the IP addresses available in that environment. Unlike [public hostname routes](/cloudflare-one/connections/connect-networks/routing-to-tunnel/), private network routes can expose both HTTP and non-HTTP resources.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx
index f2648387b3b398d..64bc9606108510f 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx
@@ -2,7 +2,7 @@
pcx_content_type: concept
title: Public hostnames
sidebar:
- order: 5
+ order: 8
---
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb.mdx
index f82cb681185afa3..3b63e59513fafe8 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb.mdx
@@ -56,11 +56,11 @@ The application will default to the Cloudflare settings for the load balancer ho
If you have a tunnel to a port or SSH port, do not run a TCP health check.
-Instead, set up a health check endpoint in `cloudflared` — for example, an [ingress entry rule](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames) that returns a fixed HTTP status response — and create an **HTTP** [monitor](/load-balancing/monitors/) for that endpoint. The monitor will only verify that your server is reachable. It does not check whether the server is running and accepting requests.
+Instead, set up a health check endpoint in `cloudflared` — for example, an [ingress entry rule](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames) that returns a fixed HTTP status response — and create an **HTTP** [monitor](/load-balancing/monitors/) for that endpoint. The monitor will only verify that your server is reachable. It does not check whether the server is running and accepting requests.
### Session affinity and replicas
-The load balancer does not distinguish between [replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/) of the same tunnel. If you run the same tunnel UUID on two separate hosts, the load balancer treats both hosts as a single endpoint. To maintain [session affinity](/load-balancing/understand-basics/session-affinity/) between a client and a particular host, you will need to connect each host to Cloudflare using a different tunnel UUID.
+The load balancer does not distinguish between [replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) of the same tunnel. If you run the same tunnel UUID on two separate hosts, the load balancer treats both hosts as a single endpoint. To maintain [session affinity](/load-balancing/understand-basics/session-affinity/) between a client and a particular host, you will need to connect each host to Cloudflare using a different tunnel UUID.
### Local connection preference
@@ -68,4 +68,4 @@ If you notice traffic imbalances across endpoints in different locations, you ma
`cloudflared` connections give preference to tunnels that terminate in the same Cloudflare data center. This behavior can impact how connections are weighted and traffic is distributed.
-The solution depends on the type of tunnel being used. If running [legacy tunnels](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels/), put your origins in different pools. If running [Cloudflare tunnel replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/) (using a shared ID), switch to separate Cloudflare tunnels as distinct origins.
+The solution depends on the type of tunnel being used. If running [legacy tunnels](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels/), put your origins in different pools. If running [Cloudflare tunnel replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) (using a shared ID), switch to separate Cloudflare tunnels as distinct origins.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors.mdx
index 225bd5e76e3da4f..81796d560b1288d 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors.mdx
@@ -54,14 +54,14 @@ This means the origin is using a certificate that `cloudflared` does not trust.
An error 1033 indicates your tunnel is not connected to Cloudflare's edge. First, run `cloudflared tunnel list` to see whether your tunnel is listed as active. If it isn't, check the following:
-1. Make sure you correctly routed traffic to your tunnel (step 5 in the [Tunnel guide](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#5-start-routing-traffic)) by assigning a CNAME record to point traffic to your tunnel. Alternatively, check [this guide](/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb/) to route traffic to your tunnel using load balancers.
-2. Make sure you run your tunnel (step 6 in the [Tunnel guide](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#6-run-the-tunnel)).
+1. Make sure you correctly routed traffic to your tunnel (step 5 in the [Tunnel guide](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#5-start-routing-traffic)) by assigning a CNAME record to point traffic to your tunnel. Alternatively, check [this guide](/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb/) to route traffic to your tunnel using load balancers.
+2. Make sure you run your tunnel (step 6 in the [Tunnel guide](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#6-run-the-tunnel)).
For more information, here is a [comprehensive list](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/) of Cloudflare 1xxx errors.
## I see `ERR_TOO_MANY_REDIRECTS` when attempting to connect to an Access self-hosted app.
-This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the [origin server name](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#originservername) parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration:
+This error occurs when `cloudflared` does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the [origin server name](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#originservername) parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration:
```txt
ingress:
@@ -102,7 +102,7 @@ If `cloudflared` returns error `error="remote error: tls: handshake failure"`, c
## Tunnel connections fail with `Too many open files` error.
-If your [Cloudflare Tunnel logs](/cloudflare-one/connections/connect-networks/monitor-tunnels/logs/) returns a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to [configure ulimit settings](/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/#ulimits) on the machine running `cloudflared`.
+If your [Cloudflare Tunnel logs](/cloudflare-one/connections/connect-networks/monitor-tunnels/logs/) returns a `socket: too many open files` error, it means that `cloudflared` has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to [configure ulimit settings](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements/#ulimits) on the machine running `cloudflared`.
## I see `failed to sufficiently increase receive buffer size` in my cloudflared logs.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/diag-logs.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/diag-logs.mdx
index 413ba535014e788..7606ab666dbf67a 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/diag-logs.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/diag-logs.mdx
@@ -135,7 +135,7 @@ The `cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip` archive contains the files listed
| File name | Description | Instance |
| -| - | - |
-| `cli-configuration.json`| [Tunnel run parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/) used when starting the tunnel | diagnosee|
+| `cli-configuration.json`| [Tunnel run parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/) used when starting the tunnel | diagnosee|
| `cloudflared_logs.txt` | [Tunnel log file](/cloudflare-one/connections/connect-networks/monitor-tunnels/logs/)[^1] | diagnosee|
| `configuration.json` | Tunnel configuration parameters | diagnosee|
| `goroutine.pprof` | goroutine profile made available by `pprof` | diagnosee|
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/index.mdx
index 23f72ff9af12ab6..1dd6edca659a470 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/index.mdx
@@ -2,7 +2,7 @@
pcx_content_type: navigation
title: Troubleshoot tunnels
sidebar:
- order: 6
+ order: 10
---
diff --git a/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx b/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx
index 72899b069ca7211..248efdb8240383a 100644
--- a/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx
+++ b/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx
@@ -83,6 +83,6 @@ Before contacting the Cloudflare support team:
3. Gather any relevant error/access logs from your server.
-4. (Locally-managed tunnels only) Set [`--loglevel`](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#loglevel) to `debug`, so the Cloudflare support team can get more info from the `cloudflared.log` file.
+4. (Locally-managed tunnels only) Set [`--loglevel`](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#loglevel) to `debug`, so the Cloudflare support team can get more info from the `cloudflared.log` file.
5. Include your [Cloudflare Tunnel diagnostic logs](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/diag-logs/) (`cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip`).
diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
index bcde3a3126a82ba..21f453e856dd1ca 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
@@ -52,7 +52,7 @@ You can protect your authoritative nameservers from DDoS attacks by enabling [DN
### Cloudflare Tunnel
-You can configure connections to a private resolver connected to Cloudflare with [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). To ensure `cloudflared` can route UDP traffic to your resolver, connect your tunnel via [QUIC](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#protocol).
+You can configure connections to a private resolver connected to Cloudflare with [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). To ensure `cloudflared` can route UDP traffic to your resolver, connect your tunnel via [QUIC](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#protocol).
For more information on connecting a private DNS resolver to Cloudflare with Cloudflare Tunnel, refer to [Private DNS](/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns/).
diff --git a/src/content/docs/cloudflare-one/tutorials/grafana.mdx b/src/content/docs/cloudflare-one/tutorials/grafana.mdx
index 4a8074e4cc8f988..bf1f25c85a817b1 100644
--- a/src/content/docs/cloudflare-one/tutorials/grafana.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/grafana.mdx
@@ -36,7 +36,7 @@ If your tunnel was created via the CLI, run the following command on the `cloudf
cloudflared tunnel --metrics 192.168.1.1:60123 run my-tunnel
```
-If your tunnel was created via the dashboard, the [--metrics](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#metrics) flag must be added to your `cloudflared` system service configuration. Refer to [Add tunnel run parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management/#add-tunnel-run-parameters) for instructions on how to do this.
+If your tunnel was created via the dashboard, the [--metrics](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#metrics) flag must be added to your `cloudflared` system service configuration. Refer to [Add tunnel run parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/#update-tunnel-run-parameters) for instructions on how to do this.
## Set up Prometheus
diff --git a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
index f44ceed780499aa..2fc8777f6f02943 100644
--- a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
@@ -69,7 +69,7 @@ cloudflared tunnel list
## Configure the Tunnel
-You can now [configure the tunnel](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/#4-create-a-configuration-file) to serve traffic.
+You can now [configure the tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#4-create-a-configuration-file) to serve traffic.
Create a `YAML` file that `cloudflared` can reach. By default, `cloudflared` will look for the file in the same folder where `cloudflared` has been installed.
@@ -95,7 +95,7 @@ ingress:
## Route to the Tunnel
-You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the configured service as long as the hostname is defined with an [ingress rule](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames).
+You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the configured service as long as the hostname is defined with an [ingress rule](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames).
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. Select your domain and go to **DNS**.
@@ -117,7 +117,7 @@ You can now run the Tunnel to connect the target service to Cloudflare. Use the
cloudflared tunnel run
```
-We recommend that you run `cloudflared` [as a service](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/) that is configured to launch on start.
+We recommend that you run `cloudflared` [as a service](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/) that is configured to launch on start.
## Connect from a client machine
diff --git a/src/content/docs/cloudflare-one/tutorials/migrate-lb-tunnel.mdx b/src/content/docs/cloudflare-one/tutorials/migrate-lb-tunnel.mdx
index afd83494f0185c1..bf054ce7ce987b0 100644
--- a/src/content/docs/cloudflare-one/tutorials/migrate-lb-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/migrate-lb-tunnel.mdx
@@ -22,7 +22,7 @@ If you are using Legacy Tunnel today you can migrate to Named Tunnel deployment
10 minutes
-See additional documentation for working with [Kubernetes](/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/kubernetes/).
+See additional documentation for working with [Kubernetes](/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes/).
---
@@ -82,7 +82,7 @@ This command will create a Tunnel object in your Cloudflare account that is repr
## Create a configuration file
-Next, configure your Tunnel. The example below consists of a web service that is available at port 8000. The ingress rule will send traffic that `cloudflared` receives for the specified hostname to that port. You can also connect [multiple services](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames) with a single instance of `cloudflared`.
+Next, configure your Tunnel. The example below consists of a web service that is available at port 8000. The ingress rule will send traffic that `cloudflared` receives for the specified hostname to that port. You can also connect [multiple services](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames) with a single instance of `cloudflared`.
In the configuration file, you must specify the location of the credentials file generated previously when you created the Tunnel.
diff --git a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
index 505d0e204901f6c..8b18c4b28698716 100644
--- a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
@@ -196,7 +196,7 @@ done;
## Configure Cloudflare Tunnel
-Next, you can use `cloudflared` to connect to Cloudflare's Edge using Cloudflare Tunnel. Start by [downloading and installing](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/) the Cloudflare Tunnel daemon, `cloudflared`.
+Next, you can use `cloudflared` to connect to Cloudflare's Edge using Cloudflare Tunnel. Start by [downloading and installing](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/) the Cloudflare Tunnel daemon, `cloudflared`.
Once installed, run the following command to authenticate the instance of `cloudflared` into your Cloudflare account.
@@ -214,7 +214,7 @@ You can now use `cloudflared` to control Cloudflare Tunnel connections in your C
### Create a Tunnel
-You can now [create a Tunnel](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/) that will connect `cloudflared` to Cloudflare's edge. You'll configure the details of that Tunnel in the next step.
+You can now [create a Tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/) that will connect `cloudflared` to Cloudflare's edge. You'll configure the details of that Tunnel in the next step.
Run the following command to create a Tunnel. You can replace `mongodb` with any name that you choose. This command requires the `cert.pem` file.
diff --git a/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx b/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx
index 37ad5aa5b2bf9b5..1be132d6cdbf06e 100644
--- a/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx
@@ -135,7 +135,7 @@ At this point, you have a VNC server ready to test with browser-based VNC. We re
cloudflared tunnel --config path/config.yaml run
```
-8. Follow [this guide](/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/) to open outbound connections for Cloudflare Tunnel if you have a firewall enabled.
+8. Follow [this guide](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/) to open outbound connections for Cloudflare Tunnel if you have a firewall enabled.
At this point you have a running VNC server and a Cloudflare Tunnel on your machine ready to accept inbound VNC requests.
diff --git a/src/content/docs/data-localization/compatibility.mdx b/src/content/docs/data-localization/compatibility.mdx
index 274c405609cb9ab..dac0b1f2e470074 100644
--- a/src/content/docs/data-localization/compatibility.mdx
+++ b/src/content/docs/data-localization/compatibility.mdx
@@ -129,7 +129,7 @@ The table below provides a summary of the Data Localization Suite product's beha
[^15]: Can be localized to US FedRAMP region only. More regions coming in 2024.
[^16]: Customer Metadata Boundary can be used to limit data transfer outside region, but Access User Logs will not be available outside US region.
[^17]: Currently may only be used with US FedRAMP region.
-[^18]: The only connectivity option is [US FedRAMP region](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#region). Regional Services only applies when using [Public Hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) set to a region.
+[^18]: The only connectivity option is [US FedRAMP region](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region). Regional Services only applies when using [Public Hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) set to a region.
[^19]: Uses Gateway HTTP and CASB.
[^20]: You can [bring your own certificate](https://blog.cloudflare.com/bring-your-certificates-cloudflare-gateway/) to Gateway but these cannot yet be restricted to a specific region.
[^21]: Gateway HTTP supports Regional Services. Gateway DNS does not yet support regionalization.
ICMP proxy and WARP-to-WARP proxy are not available to Regional Services users.
diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx
index 270415f55f029a4..6a6a9e297bd6d4c 100644
--- a/src/content/docs/data-localization/how-to/zero-trust.mdx
+++ b/src/content/docs/data-localization/how-to/zero-trust.mdx
@@ -60,7 +60,7 @@ To ensure that all reverse proxy requests for applications protected by Cloudfla
## Cloudflare Tunnel
-You can [configure Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#region) to only connect to data centers within the United States, regardless of where the software was deployed.
+You can [configure Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region) to only connect to data centers within the United States, regardless of where the software was deployed.
## WARP settings
diff --git a/src/content/docs/fundamentals/reference/connection-limits.mdx b/src/content/docs/fundamentals/reference/connection-limits.mdx
index 65135605f8ecd05..a0ab0f8c78e050c 100644
--- a/src/content/docs/fundamentals/reference/connection-limits.mdx
+++ b/src/content/docs/fundamentals/reference/connection-limits.mdx
@@ -19,7 +19,7 @@ When HTTP/HTTPS traffic is [proxied through Cloudflare](/fundamentals/concepts/h
:::note
-If you are using [Cloudflare tunnels](/cloudflare-one/connections/connect-networks/), refer to [Origin configuration](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/) to view or modify your connection settings.
+If you are using [Cloudflare tunnels](/cloudflare-one/connections/connect-networks/), refer to [Origin configuration](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/) to view or modify your connection settings.
:::
| Type | Limit (seconds) | HTTP status code at limit | [Configurable](/fundamentals/reference/connection-limits/#configurable-limits) |
diff --git a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
index 1f780c84acd0784..2f730c55fd2729d 100644
--- a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
+++ b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
@@ -55,7 +55,7 @@ Your tunnel must be configured to use a public hostname so that Hyperdrive can r
3. Select **Save tunnel**.
:::note
-If you are setting up the tunnel through the CLI instead ([locally-managed tunnel](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/)), you will have to complete these steps manually. Follow the Cloudflare Zero Trust documentation to [add a public hostname to your tunnel](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) and [configure the public hostname to route to the address of your database](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/).
+If you are setting up the tunnel through the CLI instead ([locally-managed tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/)), you will have to complete these steps manually. Follow the Cloudflare Zero Trust documentation to [add a public hostname to your tunnel](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) and [configure the public hostname to route to the address of your database](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/).
:::
## 2. Create and configure Hyperdrive to connect to the Cloudflare Tunnel
diff --git a/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx b/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx
index e86da3b29f1bba6..bac9206fcc7e33c 100644
--- a/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx
+++ b/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx
@@ -26,7 +26,7 @@ All internal applications and services in this IP range are now connected to Clo
If the tunnel is disconnected:
-* Ensure that your on-premise or cloud firewall allows egress traffic on the [required ports](/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#required-for-tunnel-operation).
+* Ensure that your on-premise or cloud firewall allows egress traffic on the [required ports](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation).
* Ensure that the `cloudflared` host machine can connect to your internal applications and services. Verify that the host has the proper security group memberships and that no firewalls will block traffic between the host and the target services.
@@ -35,7 +35,7 @@ If the tunnel is disconnected:
## Best practices
* Segregate production and staging traffic among different Cloudflare tunnels.
-* Add a [`cloudflared` replica](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/) to another host machine for an additional point of availability.
+* Add a [`cloudflared` replica](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) to another host machine for an additional point of availability.
* Distribute access to critical services (for example, private DNS, Active Directory, and other critical systems) across different tunnels for blast-radius reduction in the event of a server-side outage.
* [Enable notifications](/cloudflare-one/connections/connect-networks/monitor-tunnels/notifications/) in the Cloudflare dashboard to monitor tunnel health.
* [Monitor performance metrics](/cloudflare-one/connections/connect-networks/monitor-tunnels/metrics/) to identify potential bottlenecks.
diff --git a/src/content/docs/learning-paths/replace-vpn/connect-private-network/tunnel-capacity.mdx b/src/content/docs/learning-paths/replace-vpn/connect-private-network/tunnel-capacity.mdx
index 72e0c61600a5f67..bc51ddeee4a5be4 100644
--- a/src/content/docs/learning-paths/replace-vpn/connect-private-network/tunnel-capacity.mdx
+++ b/src/content/docs/learning-paths/replace-vpn/connect-private-network/tunnel-capacity.mdx
@@ -17,7 +17,7 @@ To determine how many `cloudflared` host servers you need:
1. Start with our baseline recommendations:
-2. After you have completed this learning path and have users actively engaging with the network, [calculate](/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/#calculate-your-tunnel-capacity) your actual tunnel usage.
+2. After you have completed this learning path and have users actively engaging with the network, [calculate](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements/#calculate-your-tunnel-capacity) your actual tunnel usage.
3. Decide how much headroom you want to include and [resize the tunnel](#scale-the-tunnel) if needed.
@@ -61,7 +61,7 @@ tunnel-3 <--> C
### When to add replicas
-Adding additional [replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/#cloudflared-replicas) of an existing Cloudflare Tunnel (two is the baseline recommendation) should only be done to support additional traffic to the IP routes in the tunnel. Replicas should always be added in the same physical location as one another so that they can operate in a pooled mode. If you are considering adding a replica in a different geographic location, reevaluate the network proxy design for your Cloudflare Tunnel and refer to [When to add tunnels](#when-to-add-tunnels).
+Adding additional [replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/#cloudflared-replicas) of an existing Cloudflare Tunnel (two is the baseline recommendation) should only be done to support additional traffic to the IP routes in the tunnel. Replicas should always be added in the same physical location as one another so that they can operate in a pooled mode. If you are considering adding a replica in a different geographic location, reevaluate the network proxy design for your Cloudflare Tunnel and refer to [When to add tunnels](#when-to-add-tunnels).
### When to add tunnels
diff --git a/src/content/docs/learning-paths/replace-vpn/get-started/prerequisites.mdx b/src/content/docs/learning-paths/replace-vpn/get-started/prerequisites.mdx
index 3be949b75801089..f9488158b254ef2 100644
--- a/src/content/docs/learning-paths/replace-vpn/get-started/prerequisites.mdx
+++ b/src/content/docs/learning-paths/replace-vpn/get-started/prerequisites.mdx
@@ -10,5 +10,5 @@ To make the most of this learning path, make sure that you have the following:
* A device that can run [WARP](/cloudflare-one/connections/connect-devices/warp/download-warp/), Cloudflare's endpoint agent.
* A private network with applications or services that are available locally or via a VPN.
-* A [host server](/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/#recommendations) on the private network that can run the lightweight Cloudflare Tunnel daemon process.
+* A [host server](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements/#recommendations) on the private network that can run the lightweight Cloudflare Tunnel daemon process.
* (Optional) A [Linux host server](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux) on the private network that can run the Cloudflare WARP Connector. This is only needed for server-initiated traffic flows such as Microsoft SCCM, Active Directory (AD) updates, and DevOps workflows that require server-initiated connections.
diff --git a/src/content/docs/learning-paths/zero-trust-web-access/connect-private-applications/best-practices.mdx b/src/content/docs/learning-paths/zero-trust-web-access/connect-private-applications/best-practices.mdx
index 2fe20bc7ee282a4..7360867fa01f7b4 100644
--- a/src/content/docs/learning-paths/zero-trust-web-access/connect-private-applications/best-practices.mdx
+++ b/src/content/docs/learning-paths/zero-trust-web-access/connect-private-applications/best-practices.mdx
@@ -10,7 +10,7 @@ We recommend following these best practices when you deploy Cloudflare Tunnel fo
## Deploy another instance of cloudflared
-For an additional point of availability, add a [`cloudflared` replica](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/) to another host machine in your network.
+For an additional point of availability, add a [`cloudflared` replica](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) to another host machine in your network.
## Standardize public hostnames
@@ -22,11 +22,11 @@ To make your applications easier to manage, standardize the public hostnames tha
## Disable TLS verification
-If your public hostname route serves an `HTTPS` application, we recommend enabling [**No TLS Verify**](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#notlsverify) to reduce connectivity issues caused by mismatched certificates. **No TLS Verify** disables TLS verification between `cloudflared` and the origin service, meaning that `cloudflared` will accept any certificate that the origin service provides. This setting has no impact on traffic between the user's browser and the `cloudflared` host, which will always be encrypted.
+If your public hostname route serves an `HTTPS` application, we recommend enabling [**No TLS Verify**](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) to reduce connectivity issues caused by mismatched certificates. **No TLS Verify** disables TLS verification between `cloudflared` and the origin service, meaning that `cloudflared` will accept any certificate that the origin service provides. This setting has no impact on traffic between the user's browser and the `cloudflared` host, which will always be encrypted.
## (Optional) Add `Host` header to accommodate local traffic management tools
-If your target application sits behind a load balancer or similar, you may need to set [**HTTP Host Header**](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#httphostheader) to the service hostname. Load balancers in between the origin service and `cloudflared` can be difficult to troubleshoot, and you can typically resolve the issue by adding a request header to match the way that the load balancer typically identifies traffic.
+If your target application sits behind a load balancer or similar, you may need to set [**HTTP Host Header**](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#httphostheader) to the service hostname. Load balancers in between the origin service and `cloudflared` can be difficult to troubleshoot, and you can typically resolve the issue by adding a request header to match the way that the load balancer typically identifies traffic.
## Enable tunnel notifications
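Review bot: The "Disable TLS verification" paragraph on the new side still recommends **No TLS Verify** without stating the trade-off: with verification off, `cloudflared` accepts any certificate, so the origin is no longer authenticated on that hop. Since the link is being touched anyway, consider adding a caveat such as `Only enable **No TLS Verify** when cloudflared and the origin run on the same trusted host or network segment; otherwise keep verification on and set originServerName or caPool so the origin certificate validates.` The closing sentence about browser-to-`cloudflared` traffic is accurate, but it could be read as covering the origin hop too. It may help to say that the `cloudflared`-to-origin connection remains encrypted but unauthenticated.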
diff --git a/src/content/docs/learning-paths/zero-trust-web-access/connect-private-applications/create-tunnel.mdx b/src/content/docs/learning-paths/zero-trust-web-access/connect-private-applications/create-tunnel.mdx
index 23084f2659864af..bc4ac1cf78388dc 100644
--- a/src/content/docs/learning-paths/zero-trust-web-access/connect-private-applications/create-tunnel.mdx
+++ b/src/content/docs/learning-paths/zero-trust-web-access/connect-private-applications/create-tunnel.mdx
@@ -30,7 +30,7 @@ All users on the Internet can now connect to this application via its public hos
If the tunnel is disconnected:
-* Ensure that your on-premise or cloud firewall allows egress traffic on the [required ports](/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#required-for-tunnel-operation).
+* Ensure that your on-premise or cloud firewall allows egress traffic on the [required ports](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation).
* Ensure that the `cloudflared` host machine can connect to your internal applications and services. Verify that the host has the proper security group memberships and that no firewalls will block traffic between the host and the target services.
diff --git a/src/content/docs/learning-paths/zero-trust-web-access/terraform/publish-apps-with-terraform.mdx b/src/content/docs/learning-paths/zero-trust-web-access/terraform/publish-apps-with-terraform.mdx
index 74296f42f08e09a..72d7882cf4ae228 100644
--- a/src/content/docs/learning-paths/zero-trust-web-access/terraform/publish-apps-with-terraform.mdx
+++ b/src/content/docs/learning-paths/zero-trust-web-access/terraform/publish-apps-with-terraform.mdx
@@ -16,7 +16,7 @@ This guide covers how to use the [Cloudflare Terraform provider](https://registr
* [Configure an IdP integration](/learning-paths/zero-trust-web-access/initial-setup/configure-idp/)
* [Create a Cloudflare Tunnel](/learning-paths/zero-trust-web-access/connect-private-applications/create-tunnel/#create-a-tunnel) via the Zero Trust dashboard
* Install the [Terraform client](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
-* [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) (refer to the [minimum required permissions](/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/terraform/#3-create-a-cloudflare-api-token))
+* [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) (refer to the [minimum required permissions](/cloudflare-one/connections/connect-networks/deployment-guides/terraform/#3-create-a-cloudflare-api-token))
## 1. Create a Terraform configuration directory
@@ -76,7 +76,7 @@ Add the following resources to your Terraform configuration.
### Add public hostname route to Cloudflare Tunnel
-Using the [`cloudflare_tunnel_config`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/tunnel_config) resource, create an ingress rule that maps your application to a public DNS record. This example makes `localhost:8080` available on `app.mycompany.com`, sets the [Connect Timeout](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#connecttimeout), and enables [Access JWT validation](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#access).
+Using the [`cloudflare_tunnel_config`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/tunnel_config) resource, create an ingress rule that maps your application to a public DNS record. This example makes `localhost:8080` available on `app.mycompany.com`, sets the [Connect Timeout](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#connecttimeout), and enables [Access JWT validation](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#access).
```txt
resource "cloudflare_tunnel_config" "example_config" {
diff --git a/src/content/docs/load-balancing/private-network/tunnels-setup.mdx b/src/content/docs/load-balancing/private-network/tunnels-setup.mdx
index 76a4c067998bd1c..559a30ed32cd325 100644
--- a/src/content/docs/load-balancing/private-network/tunnels-setup.mdx
+++ b/src/content/docs/load-balancing/private-network/tunnels-setup.mdx
@@ -13,9 +13,8 @@ Consider the following steps to learn how to configure Private Network Load Bala
The specific configuration steps can vary depending on your infrastructure and services you are looking to connect. If you are not familiar with Cloudflare Tunnel, the pages linked on each step provide more guidance.
-1. [Create a tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#1-create-a-tunnel).
-2. [Deploy the tunnel](/cloudflare-one/connections/connect-networks/deploy-tunnels/) to connect to your data center.
-3. Create a [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) and assign it to the tunnel you configured in the previous steps.
+1. [Create a tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#1-create-a-tunnel) to connect your data center to Cloudflare.
+2. Create a [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) and assign it to the tunnel you configured in the previous steps.
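Review bot: The new step 2 still says "the tunnel you configured in the previous steps", but after the create and deploy steps were merged there is only one preceding step. Suggest `assign it to the tunnel you created in the previous step.` so the wording matches the renumbered list. The list may continue past the end of this hunk, so later steps that refer back by number are worth a quick check as well.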
diff --git a/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx b/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx
index 20b4f1714fde147..eabee3222e986b7 100644
--- a/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx
+++ b/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx
@@ -56,6 +56,6 @@ In this example, the randomly-generated URL `https://seasonal-deck-organisms-sf.
## Next Steps
-Cloudflare Tunnel can be configured in a variety of ways and can be used beyond providing access to your in-development applications. For example, you can provide `cloudflared` with a [configuration file](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/) to add more complex routing and tunnel setups that go beyond a simple `--url` flag. You can also [attach a Cloudflare DNS record](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) to a domain or subdomain for an easily accessible, long-lived tunnel to your local machine.
+Cloudflare Tunnel can be configured in a variety of ways and can be used beyond providing access to your in-development applications. For example, you can provide `cloudflared` with a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/) to add more complex routing and tunnel setups that go beyond a simple `--url` flag. You can also [attach a Cloudflare DNS record](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) to a domain or subdomain for an easily accessible, long-lived tunnel to your local machine.
Finally, by incorporating Cloudflare Access, you can provide [secure access to your tunnels](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) without exposing your entire server, or compromising on security. Refer to the [Cloudflare for Teams documentation](/cloudflare-one/) to learn more about what you can do with Cloudflare's entire suite of Zero Trust tools.
diff --git a/src/content/docs/reference-architecture/architectures/load-balancing.mdx b/src/content/docs/reference-architecture/architectures/load-balancing.mdx
index 641d98ea5099c3d..d0c1e19b19098e1 100644
--- a/src/content/docs/reference-architecture/architectures/load-balancing.mdx
+++ b/src/content/docs/reference-architecture/architectures/load-balancing.mdx
@@ -457,9 +457,9 @@ The public endpoint method allows organizations to define a tunnel that points t
When configured via the Dashboard, Cloudflare automatically creates a CNAME record in the DNS zone that refers to the cfargotunnel.com hostname. For example, a CNAME record of myTunnelService.example.com could be created to point the A record of d74b3a46-f3a3-4596-9049-da7e72c876f5.cfargotunnel.com. The main benefit being the ease of use and administration as the CNAME record is much more suggestive about its purpose and belongs to the customer DNS zone.
-Another option is to create these tunnels and services on the host running cloudflared. This is called a [locally-managed tunnel](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/). When working with locally-managed tunnels, the CNAME entry is not created automatically however, so the organization would have to configure this manually, after the tunnel and service is defined.
+Another option is to create these tunnels and services on the host running cloudflared. This is called a [locally-managed tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/). When working with locally-managed tunnels, the CNAME entry is not created automatically however, so the organization would have to configure this manually, after the tunnel and service is defined.
-From a load balancer perspective, it's very important to understand how these tunnels can be used as an endpoint. An endpoint can only be defined by using the cfargotunnel.com hostname. Using a public CNAME record that points to the cfargotunnel.com address will not work properly and is not supported. This is especially important for endpoint services that don’t operate on ports 80 or 443. Cloudflare Load Balancers default to these two ports to access the services running on the endpoints. If an organization has services running on other ports, they will need to configure a Cloudflare Tunnel with a [catch-all rule](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/#how-traffic-is-matched) to reach that port. This configuration allows a Cloudflare Load Balancer to reach the service via port 443 while having Cloudflare tunnel proxy the connection to the desired port on the endpoint.
+From a load balancer perspective, it's very important to understand how these tunnels can be used as an endpoint. An endpoint can only be defined by using the cfargotunnel.com hostname. Using a public CNAME record that points to the cfargotunnel.com address will not work properly and is not supported. This is especially important for endpoint services that don’t operate on ports 80 or 443. Cloudflare Load Balancers default to these two ports to access the services running on the endpoints. If an organization has services running on other ports, they will need to configure a Cloudflare Tunnel with a [catch-all rule](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#how-traffic-is-matched) to reach that port. This configuration allows a Cloudflare Load Balancer to reach the service via port 443 while having Cloudflare tunnel proxy the connection to the desired port on the endpoint.
###### Private IP
diff --git a/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx b/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx
index 9d3db2005f092bc..8b4f6dfee33444c 100644
--- a/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx
+++ b/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx
@@ -56,7 +56,7 @@ The following products are used to deliver this solution.
| [DDoS Protection](/ddos-protection/) | Volumetric attack protection is automatically enabled for [proxied](/dns/proxy-status/) hostnames. |
| [Regional Services](/data-localization/regional-services/) (part of the Data Localization Suite) | Restrict inspection of data (processing) to only those data centers within jurisdictional boundaries. |
| [Load Balancer](/load-balancing/) | Distributes traffic across your endpoints, which reduces endpoint strain and latency and improves the experience for end users. |
-| [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) | Secure method to connect to customers' networks and servers without creating holes in [firewalls](/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/). cloudflared is the daemon (software) installed on origin servers to create a secure tunnel from applications back to Cloudflare. |
+| [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) | Secure method to connect to customers' networks and servers without creating holes in [firewalls](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/). cloudflared is the daemon (software) installed on origin servers to create a secure tunnel from applications back to Cloudflare. |
## Cloudflare for SaaS examples
diff --git a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
index c1d5ed4939f759b..5594d1bd163e4e0 100644
--- a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
+++ b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
@@ -138,14 +138,14 @@ Cloudflare offers two types of software connectors:
As discussed in the introduction, `cloudflared` is the preferred method for Zero Trust Network Access, but only supports inbound connectivity to your networks and application servers, any server initiated connection will not go via the tunnel and instead follow the server's default network path. WARP connector is designed to create tunnels that facilitate both inbound and outbound connectivity, but it doesn't currently have the same level of failover support and ease of configuration. For this guide, we will be discussing using `cloudflared` as it supports the internal DNS use case described.
-For large remote access use cases, Cloudflare recommends deploying connectors to dedicated hosts. See the [System Requirements documentation](/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/) for more deployment recommendations and server sizing. Where to deploy these servers depends on the access they need and the internal firewall rules and segmentation of the network. Some customers start with their first deployment in their DMZ, while others install it deeper in their network and evolve from there.
+For large remote access use cases, Cloudflare recommends deploying connectors to dedicated hosts. See the [System Requirements documentation](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements/) for more deployment recommendations and server sizing. Where to deploy these servers depends on the access they need and the internal firewall rules and segmentation of the network. Some customers start with their first deployment in their DMZ, while others install it deeper in their network and evolve from there.
Installing `cloudflared` is best done in an automated manner, so we recommend deploying using a virtualization technology such as Docker or deploying as VMware guests and configuring via Ansible. Preferably, as traffic using `cloudflared` tunnels increases, such systems can scale the deployment automatically based on real-time metrics collected from the hosts. `cloudflared` instances can be monitored using the [Prometheus metrics endpoint](/cloudflare-one/connections/connect-networks/monitor-tunnels/metrics/). Prometheus is an HTTP-based monitoring and alerting system similar in functionality to SNMP, exposing metrics that can be polled from the resource to be monitored. Most monitoring systems on the market today support Prometheus as a format to collect the metrics needed for alerting and automatically scaling the deployment.
For more information about deploying `cloudflared` connectors at scale:
-- [Various guides to deploy and update](/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/) connectors in environments such as Ansible, Terraform and Kubernetes
-- High availability using [replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/#cloudflared-replicas)
+- [Various guides to deploy and update](/cloudflare-one/connections/connect-networks/deployment-guides/) connectors in environments such as Ansible, Terraform and Kubernetes
+- High availability using [replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/#cloudflared-replicas)
- [Monitor tunnels with Grafana](/cloudflare-one/tutorials/grafana/)
### DNS resolution with Resolver Policies
diff --git a/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx b/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx
index 071aa6260a688dc..e59709867000b34 100644
--- a/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx
+++ b/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx
@@ -106,7 +106,7 @@ We can also use Cloudflare Tunnel over the Internet to provide for more security
To create and manage tunnels, you need to install and authenticate cloudflared on your origin server. cloudflared is what connects your server to Cloudflare’s global network.
-There are two options for creating a tunnel - [via the dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) or [via the command line](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/). It’s recommended getting started with the dashboard, since it will allow you to manage the tunnel from any machine.
+There are two options for creating a tunnel - [via the dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) or [via the command line](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/). It’s recommended getting started with the dashboard, since it will allow you to manage the tunnel from any machine.
A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel. You can get a tunnel’s token from the dashboard or via the API as shown below. The command provided in the dashboard will install and configure cloudflared to run as a service using an auth token.
diff --git a/src/content/notifications/index.yaml b/src/content/notifications/index.yaml
index 005b86b1bad23a5..6186d76c83e2a24 100644
--- a/src/content/notifications/index.yaml
+++ b/src/content/notifications/index.yaml
@@ -495,13 +495,13 @@ entries:
audience: Customers who want to be warned about changes in health status for their Cloudflare Tunnels.
availability: All Cloudflare Zero Trust plans.
associatedProducts: Tunnel
- nextSteps: Monitor tunnel health over time and consider deploying [`cloudflared` replicas or load balancers](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/).
+ nextSteps: Monitor tunnel health over time and consider deploying [`cloudflared` replicas or load balancers](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/).
otherFilters: None.
additional_information: |-
| Health status
| Description |
| ------------- | ------------ |
| Healthy | The tunnel is active and serving traffic through four connections to the Cloudflare global network. |
- | Degraded | The tunnel is active and serving traffic, but at least one individual connection has failed. Further degradation in [tunnel availability](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/) could risk the tunnel going down and failing to serve traffic.|
+ | Degraded | The tunnel is active and serving traffic, but at least one individual connection has failed. Further degradation in [tunnel availability](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) could risk the tunnel going down and failing to serve traffic.|
| Down | The tunnel cannot serve traffic as it has no connections to the Cloudflare global network.|
| Inactive | This value is reserved for tunnels which have been created, but have never been run.|
diff --git a/src/content/partials/cloudflare-one/access/secure-tunnel-with-access.mdx b/src/content/partials/cloudflare-one/access/secure-tunnel-with-access.mdx
index fb328dc1478bb1d..cdc43ce176fe0fe 100644
--- a/src/content/partials/cloudflare-one/access/secure-tunnel-with-access.mdx
+++ b/src/content/partials/cloudflare-one/access/secure-tunnel-with-access.mdx
@@ -5,4 +5,4 @@
To secure your origin, you must validate the [application token](/cloudflare-one/identity/authorization-cookie/) issued by Cloudflare Access. Token validation ensures that any requests which bypass Cloudflare Access (for example, due to a network misconfiguration) are rejected.
-One option is to configure the Cloudflare Tunnel daemon, `cloudflared`, to validate the token on your behalf. This is done by enabling [**Protect with Access**](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#access) in your Cloudflare Tunnel settings. Alternatively, if you do not wish to perform automatic validation with Cloudflare Tunnel, you can instead [manually configure your origin](/cloudflare-one/identity/authorization-cookie/validating-json/) to check all requests for a valid token.
+One option is to configure the Cloudflare Tunnel daemon, `cloudflared`, to validate the token on your behalf. This is done by enabling [**Protect with Access**](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#access) in your Cloudflare Tunnel settings. Alternatively, if you do not wish to perform automatic validation with Cloudflare Tunnel, you can instead [manually configure your origin](/cloudflare-one/identity/authorization-cookie/validating-json/) to check all requests for a valid token.
diff --git a/src/content/partials/cloudflare-one/tunnel/add-public-hostname.mdx b/src/content/partials/cloudflare-one/tunnel/add-public-hostname.mdx
index a06546576bf4e31..b69497a57d07c2c 100644
--- a/src/content/partials/cloudflare-one/tunnel/add-public-hostname.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/add-public-hostname.mdx
@@ -9,6 +9,6 @@
3. Specify a service, for example `https://localhost:8000`.
-4. Under **Additional application settings**, specify any [parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/) you would like to add to your tunnel configuration.
+4. Under **Additional application settings**, specify any [parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/) you would like to add to your tunnel configuration.
5. Select **Save hostname**.
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
index c38f43166395f21..d3c0ea1b1bcd830 100644
--- a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
@@ -124,4 +124,4 @@ To troubleshoot TLS inspection:
- **Option 1:** Create a permanent [`Do Not Inspect` HTTP policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this application.
- **Option 2:** Customers who use their [own certificate infrastructure](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) for inspection can opt to create an [Allow _Pass Through_ policy](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) which enables our proxy to accept the TLS negotiation from your application. This will allow requests to flow correctly without the need for a `Do Not Inspect` policy.
- - **Option 3:** If your application uses `HTTPS` or other common protocols, you can add a [public hostname route](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) to your Cloudflare Tunnel and set [noTLSVerify](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#notlsverify) to `true`. This will allow `cloudflared` to trust your self-signed certificate.
+ - **Option 3:** If your application uses `HTTPS` or other common protocols, you can add a [public hostname route](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) to your Cloudflare Tunnel and set [noTLSVerify](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) to `true`. This will allow `cloudflared` to trust your self-signed certificate.
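Review bot: The Option 3 sentence on the new side says setting `noTLSVerify` to `true` "will allow `cloudflared` to trust your self-signed certificate", which understates what the setting does. It turns off certificate verification on the connection from `cloudflared` to the origin, so any certificate the origin presents is accepted, not only yours. Since the line is being edited anyway, I would reword the last sentence to `This disables certificate verification between cloudflared and your origin, so any certificate it presents is accepted.` I would also mention `caPool` (with `originServerName` where the hostname differs) as the way to trust a specific self-signed or private-CA certificate while keeping verification on. The option list starts above this hunk, so the surrounding wording is only partly visible here.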
diff --git a/src/content/partials/cloudflare-one/tunnel/tunnel-capacity-baseline.mdx b/src/content/partials/cloudflare-one/tunnel/tunnel-capacity-baseline.mdx
index 739f5311d07f34d..29a9c0e6d0c00d1 100644
--- a/src/content/partials/cloudflare-one/tunnel/tunnel-capacity-baseline.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/tunnel-capacity-baseline.mdx
@@ -3,8 +3,8 @@
---
-* Run a [`cloudflared` replica](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/#cloudflared-replicas) on two dedicated host machines per network location. Using two hosts enables server-side redundancy and traffic balancing.
+* Run a [`cloudflared` replica](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/#cloudflared-replicas) on two dedicated host machines per network location. Using two hosts enables server-side redundancy and traffic balancing.
* Size each host with minimum 4GB of RAM and 4 CPU cores.
-* Allocate 50,000 [ports](/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/#number-of-ports) to the `cloudflared` process on each host.
+* Allocate 50,000 [ports](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements/#number-of-ports) to the `cloudflared` process on each host.
This setup is usually sufficient to handle traffic from 8,000 users (4,000 per host).
diff --git a/src/content/partials/ssl/keyless-tunnel-setup.mdx b/src/content/partials/ssl/keyless-tunnel-setup.mdx
index c23a18865e5b091..ec573bb9f4582a3 100644
--- a/src/content/partials/ssl/keyless-tunnel-setup.mdx
+++ b/src/content/partials/ssl/keyless-tunnel-setup.mdx
@@ -3,4 +3,4 @@
---
-This process differs depending on whether you are using the [command line](/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/) or the [Cloudflare dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).
+This process differs depending on whether you are using the [command line](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/) or the [Cloudflare dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).
diff --git a/src/content/release-notes/tunnel.yaml b/src/content/release-notes/tunnel.yaml
index c8ba0175596d427..ae9beae2a9e354a 100644
--- a/src/content/release-notes/tunnel.yaml
+++ b/src/content/release-notes/tunnel.yaml
@@ -16,7 +16,7 @@ entries:
- publish_date: "2024-10-10"
title: Bugfix for --grace-period
description: |-
- The new `cloudflared` build [2024.10.0](https://github.com/cloudflare/cloudflared/releases/tag/2024.10.0) has a bugfix related to the [--grace-period](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#grace-period) tunnel run parameter. `cloudflared` connectors will now abide by the specified waiting period before forcefully closing connections to Cloudflare's network.
+ The new `cloudflared` build [2024.10.0](https://github.com/cloudflare/cloudflared/releases/tag/2024.10.0) has a bugfix related to the [--grace-period](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#grace-period) tunnel run parameter. `cloudflared` connectors will now abide by the specified waiting period before forcefully closing connections to Cloudflare's network.
- publish_date: "2024-08-06"
title: cloudflared builds available in GitHub for Apple silicon
description: |-