Merged
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ warp-routing:
enabled: true
```

## File structure for public hostnames
## File structure for published applications

If you are exposing local services to the Internet, you can assign a public hostname to each service:

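Review bot: Renaming the heading from `## File structure for public hostnames` to `## File structure for published applications` also changes the section anchor, so existing links to `#file-structure-for-public-hostnames` will no longer land on this section. The new Protocols page in this PR already links to `#file-structure-for-published-applications`; please check the remaining inbound links and update them in the same change. The paragraph under the heading still says "assign a public hostname to each service", which is worth aligning if the terminology change is meant to apply here too.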
Expand Down Expand Up @@ -79,9 +79,9 @@ You can use wildcards to match traffic to multiple subdomains. For example, if y

You can also enter regular expressions for the `path` key. For example, if `hostname` is `static.example.com` and `path` is `\.(jpg|png|css|js)$`, matching URLs could include `https://static.example.com/data.js`, `http://static.example.com/images/photo.jpg`, and so on. Cloudflare parses the path regex using the [Go `syntax` package](https://pkg.go.dev/regexp/syntax).

### Supported protocols
### Services

In addition to HTTP, `cloudflared` supports protocols like SSH, RDP, arbitrary TCP services, and Unix sockets. You can also route traffic to the built-in `Hello World` test server or respond to traffic with an HTTP status.
In addition to HTTP, `cloudflared` supports protocols like SSH, RDP, arbitrary TCP services, and Unix sockets. You can also route traffic to the built-in `hello_world` test server or respond to traffic with an HTTP status. For a full list of supported service types, refer to [Protocols for published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/protocols/).

```yml
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
Expand All @@ -101,18 +101,6 @@ ingress:
- service: http_status:404
```

| Service | Description | Example `service` value |
| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
| HTTP/S | Incoming HTTP requests are proxied directly to your local service. | `https://localhost:8000` |
| HTTP over Unix socket | Just like HTTP, but using a Unix socket instead. | `unix:/home/production/echo.sock` |
| HTTPS over Unix socket | Just like HTTPS, but using a Unix socket instead. | `unix+tls:/home/production/echo.sock` |
| TCP | TCP connections are proxied to your local service. | `tcp://localhost:2222` |
| SSH | SSH connections are proxied to your local service. [Learn more](/cloudflare-one/connections/connect-networks/use-cases/ssh/). | `ssh://localhost:22` |
| RDP | RDP connections are proxied to your local service. [Learn more](/cloudflare-one/connections/connect-networks/use-cases/rdp/). | `rdp://localhost:3389` |
| kubectl bastion mode | `cloudflared` will act like a jumphost, allowing access to any local address. | `bastion` |
| Hello World | Test server for validating your Cloudflare Tunnel setup. | `hello_world` |
| HTTP status | Responds to all requests with the given HTTP status. | `http_status:404` |

### Origin configuration

If you need to proxy traffic to multiple origins within one instance of `cloudflared`, you can define the way `cloudflared` sends requests to each service by specifying [configuration options](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/) as part of your ingress rules.
Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,7 @@ warp-routing:
## 5. Start routing traffic

1. Now assign a `CNAME` record that points traffic to your tunnel subdomain:
- If you are connecting an application, route the service to a [public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
- If you are connecting an application, route the service to a [published application](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):

```sh
cloudflared tunnel route dns <UUID or NAME> <hostname>
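Review bot: In the changed bullet, "route the service to a [published application]" does not match the command beneath it, which takes a `<hostname>`; in the new terminology the service is the thing being published. Consider wording such as "If you are publishing an application, route its hostname to the tunnel" so the link text and the `cloudflared tunnel route dns <UUID or NAME> <hostname>` arguments describe the same action.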
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
pcx_content_type: how-to
title: DNS records
sidebar:
order: 51
order: 2
---

import { Render, TabItem, Tabs, DashButton } from "~/components";
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,9 @@ sidebar:
order: 8
---

With Cloudflare Tunnel, you can expose your HTTP resources to the Internet via a public hostname. For example, you can add a route that points `docs.example.com` to `localhost:8080`. Anyone can now view your local application by going to `docs.example.com` in their web browser.
Cloudflare Tunnel allows you to publish local applications to the Internet via a public hostname. For example, you can [add a published application route](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-publish-an-application) that points `docs.example.com` to `https://localhost:8080`. Anyone can now view your application by going to `docs.example.com` in their web browser.

Cloudflare can route traffic to your Cloudflare Tunnel connection using a [DNS record](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) or [Cloudflare Load Balancer](/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb/). You can configure either option from the Cloudflare dashboard by pointing a DNS `CNAME` record or a load balancer pool to the Cloudflare Tunnel subdomain for your connection. You can also associate these records with your tunnel from `cloudflared` directly.
Cloudflare can route traffic down your Cloudflare Tunnel using a [DNS record](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) or [Cloudflare Load Balancer](/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb/). You can configure either option from the Cloudflare dashboard by pointing a DNS `CNAME` record or a load balancer pool to your Cloudflare Tunnel subdomain (`<UUID>.cfargotunnel.com`). You can also associate these records with your tunnel from `cloudflared` directly.

:::note

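Review bot: In the rewritten first paragraph the example origin changes from `localhost:8080` to `https://localhost:8080`, which tells readers the local service terminates TLS, and the HTTPS row of the new Protocols table points readers with self-signed certificates at disabling TLS verification. If the example application is a plain local web server, `http://localhost:8080` matches the HTTP row and avoids steering readers toward turning verification off. Separately, "Anyone can now view your application" is literally true for a published route, so a sentence pointing to how to restrict access before publishing would fit here.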
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
pcx_content_type: concept
title: Load balancing
sidebar:
order: 51
order: 3
---

import { Render, TabItem, Tabs } from "~/components";
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
---
pcx_content_type: reference
title: Protocols for published applications
sidebar:
order: 4
label: Protocols
tableOfContents: false
---


When you [add a published application route](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-publish-an-application) to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind `cloudflared`. The table below lists the service types that can route to a public hostname. Non-HTTP services will require [installing `cloudflared` on the client](/cloudflare-one/applications/non-http/cloudflared-authentication/) for end users to connect.

| Service type | Description | Example `service` value |
| ------------ | ----------- | ---------- |
| HTTP | Incoming requests to Cloudflare over HTTPS are proxied to the local web service via HTTP. | `http://localhost:8000` |
| HTTPS | Incoming requests to Cloudflare over HTTPS are proxied directly to the local web service. You can [disable TLS verification](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) if your origin uses self-signed certificates. | `https://localhost:8000` |
| UNIX | Just like HTTP, but using a Unix socket instead. | `unix:/home/production/echo.sock` |
| TCP | Enables TCP streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using TCP. To [connect to the public hostname over arbitrary TCP](/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/), the user needs to run `cloudflared access tcp`, and there are no guarantees on how long the TCP tunnel will live. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) instead.| `tcp://localhost:2222` |
| SSH | Enables SSH streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using SSH. To [connect to the public hostname over SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-cloudflared-authentication/), the client needs to run `cloudflared access ssh`, and there are no guarantees on how long the SSH connection will last. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) instead. | `ssh://localhost:22` |
| RDP | Similar to TCP but for RDP streams only. For more information, refer to [Connect to RDP with client-side cloudflared](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication/). | `rdp://localhost:3389` |
| UNIX + TLS | Just like HTTPS, but using a Unix socket instead. | `unix+tls:/home/production/echo.sock` |
| SMB | Similar to TCP but for SMB streams only. For more information, refer to [Connect to SMB with client-side cloudflared](/cloudflare-one/connections/connect-networks/use-cases/smb/#connect-to-smb-server-with-cloudflared-access). | `smb://localhost:445` |
| HTTP_STATUS | Responds to all requests with the given HTTP status. | `http_status:404` |
| BASTION | `cloudflared` will act like a jumphost, allowing access to any local address. | `bastion`
| HELLO_WORLD | Test server for validating your Cloudflare Tunnel connection (for [locally managed tunnels](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-published-applications) only). | `hello_world` |
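Review bot: The BASTION row is missing its closing ` |` (the line ends at `bastion` in backticks), so it is not terminated like the other rows; add the trailing pipe. In the HTTPS row, the only guidance for self-signed origin certificates is to disable TLS verification; say what that gives up (the origin certificate is no longer checked) or mention trusting the origin's CA as the preferred option. The BASTION description, "allowing access to any local address", deserves a similar caution since it is the broadest service type in the table. Smaller points: `UNIX + TLS` is separated from `UNIX` by three rows, "Websocket" should be "WebSocket", and there are two blank lines after the front matter.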
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ The public hostname method can be implemented in conjunction with routing over W

2. In the **Published application routes** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `smb.example.com`).

3. For **Service**, select _TCP_ and enter the SMB listening port (for example, `localhost:445`). SMB drives listen on port `139` or `445` by default.
3. For **Service**, select _SMB_ and enter the SMB listening port (for example, `localhost:445`). SMB drives listen on port `139` or `445` by default.

4. Select **Save**.

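Review bot: Step 3 still says to "enter the SMB listening port" while the example value is `localhost:445`, a host and port; with the service type now _SMB_, reword it to something like "enter the address and port of the SMB server" so the expected field content is unambiguous. The section text shown in the hunk header ("The public hostname method ...") also keeps the old terminology while step 2 refers to **Published application routes**.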