homelab/cloudflared
1
0
Fork 0
mirror of https://github.com/cloudflare/cloudflared.git synced 2026-06-22 20:00:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,842 Commits 2 Branches 262 Tags
da81fb02ecdc0e740f3463dcff7b5167ad798ef5
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Evan Raw da81fb02ec
Check / check (1.22.x, macos-latest) (push) Has been cancelled
Check / check (1.22.x, ubuntu-latest) (push) Has been cancelled
Check / check (1.22.x, windows-latest) (push) Has been cancelled
Semgrep config / semgrep/ci (push) Has been cancelled
AUTH-4699, AUTH-8460, TUN-10179: Fix .lock file deletion race condition 
Replace the lock file mechanism with PID+start-time based stale
detection so that no cleanup is required on process death.

When both org and app token locks were held, the first signal handler
to call os.Exit() would kill the process before the second handler
could delete its lock file. The orphaned lock file then caused the
next invocation to wait ~128 seconds in an exponential backoff loop
before forcibly deleting it. The same issue occurred on SIGKILL, OOM,
or any non-signal death.

Lock files now contain the holder's PID and process start time as
JSON. On acquisition, if a lock file already exists, the recorded
process is checked for liveness via gopsutil. Stale locks are
reclaimed immediately with no backoff. Atomic O_CREATE|O_EXCL
prevents races between concurrent acquirers.

Also adds a companion .url file so processes waiting on an active
lock can print the auth URL for the user.
2026-05-01 13:04:51 +00:00
.ci
TUN-9952: Bump go to 1.26
2026-04-06 13:04:18 +01:00
.githooks
chore: Add pre-push hooks
2026-04-29 13:09:22 +00:00
.github
Update semgrep.yml
2024-09-24 21:40:50 -04:00
.mac_resources
AUTH-2712 mac package build script and better config file handling when started as a service
2020-06-25 16:44:57 -05:00
carrier
AUTH-7480 update fed callback url for login helper
2025-08-19 18:54:31 +00:00
cfapi
chore: Addressing small fixes and typos
2026-03-05 16:53:48 +00:00
cfio
TUN-6035: Reduce buffer size when proxying data
2022-04-11 14:41:33 +00:00
client
TUN-9883: Add new datagram v3 feature flag
2025-10-10 13:55:31 -07:00
cmd/cloudflared
AUTH-4699, AUTH-8460, TUN-10179: Fix .lock file deletion race condition
2026-05-01 13:04:51 +00:00
component-tests
TUN-10383: Set edge-ip-version to auto
2026-04-14 16:11:59 +00:00
config
TUN-9858: Remove proxy-dns feature from cloudflared
2026-02-06 12:43:53 +00:00
connection
TUN-10388: Adding probe check
2026-04-30 14:32:24 +01:00
credentials
TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
2025-08-27 15:57:58 +00:00
datagramsession
TUN-9016: update go to 1.24
2025-06-06 09:05:49 +00:00
diagnostic
TUN-8914: Create a flags module to group all cloudflared cli flags
2025-02-06 03:30:27 -08:00
edgediscovery
TUN-10388 Implement dialers for connectivity checks
2026-04-30 15:15:25 +00:00
features
TUN-9883: Add new datagram v3 feature flag
2025-10-10 13:55:31 -07:00
fips
TUN-8855: Update PQ curve preferences
2025-01-30 05:02:47 -08:00
flow
TUN-8861: Rename Session Limiter to Flow Limiter
2025-01-20 06:33:40 -08:00
hello
TUN-7590: Remove usages of ioutil
2023-07-17 19:08:38 +00:00
ingress
TUN-9882: Add write deadline for UDP origin writes
2025-10-07 19:54:42 -07:00
internal/test
TUN-7125: Add management streaming logs WebSocket protocol
2023-04-05 16:25:16 +00:00
ipaccess
TUN-6016: Push local managed tunnels configuration to the edge
2022-05-06 15:43:24 +00:00
logger
TUN-9371: Add logging format as JSON
2025-06-16 21:25:13 +00:00
management
TUN-9583: set proper url and hostname for cloudflared tail command
2025-07-23 20:09:50 +01:00
metrics
TUN-8792: Make diag/system endpoint always return a JSON
2024-12-11 02:48:41 -08:00
mocks
TUN-10388 Implement dialers for connectivity checks
2026-04-30 15:15:25 +00:00
orchestration
TUN-9470: Add OriginDialerService to include TCP
2025-06-30 13:24:16 -07:00
overwatch
AUTH-2169 make access login page more generic
2020-06-08 11:20:30 -05:00
packet
chore: Addressing small fixes and typos
2026-03-05 16:53:48 +00:00
prechecks
TUN-10389: Improve probe functions
2026-04-30 16:18:07 +00:00
proxy
TUN-9470: Add OriginDialerService to include TCP
2025-06-30 13:24:16 -07:00
quic
TUN-9882: Bump datagram v3 write channel capacity
2025-10-13 17:18:22 -07:00
release
SECENG-13496 update pkg docs for gokeyless to support multiple builds
2026-04-29 05:37:09 -04:00
retry
chore: fix linter rules
2025-04-01 18:57:55 +01:00
signal
TUN-1562: Refactor connectedSignal to be safe to close multiple times
2019-03-05 15:51:35 -06:00
socks
TUN-7590: Remove usages of ioutil
2023-07-17 19:08:38 +00:00
sshgen
TUN-8333: Bump go-jose dependency to v4
2024-04-10 09:49:40 -07:00
stream
TUN-7545: Add support for full bidirectionally streaming with close signal propagation
2023-07-06 11:54:26 +01:00
supervisor
TUN-10388: Adding probe check
2026-04-30 14:32:24 +01:00
tlsconfig
TUN-7590: Remove usages of ioutil
2023-07-17 19:08:38 +00:00
token
AUTH-4699, AUTH-8460, TUN-10179: Fix .lock file deletion race condition
2026-05-01 13:04:51 +00:00
tracing
add: new go-fuzz targets
2024-11-11 20:45:49 +05:30
tunnelrpc
TUN-9016: update go to 1.24
2025-06-06 09:05:49 +00:00
tunnelstate
TUN-8728: implement diag/tunnel endpoint
2024-11-25 10:43:32 -08:00
validation
add: new go-fuzz targets
2024-11-11 20:45:49 +05:30
vendor
AUTH-4699, AUTH-8460, TUN-10179: Vendor gopsutil/v4 for cross-platform process identification
2026-05-01 13:04:51 +00:00
watcher
TUN-7584: Bump go 1.20.6
2023-07-26 13:52:40 -07:00
websocket
TUN-7057: Remove dependency github.com/gorilla/mux
2022-12-24 21:05:51 -07:00
.docker-images
TUN-6825: Fix cloudflared:version images require arch hyphens
2022-10-04 15:48:58 +00:00
.dockerignore
TUN-5129: Use go 1.17 and copy .git folder to docker build to compute version
2021-09-21 15:50:35 +00:00
.gitignore
fix: rpm bundling and rpm key import
2026-01-19 18:10:47 +00:00
.gitlab-ci.yml
TUN-9952: Bump go to 1.26
2026-04-06 13:04:18 +01:00
.golangci.yaml
TUN-9952: Bump go to 1.26
2026-04-06 13:04:18 +01:00
.vulnignore
TUN-9858: Remove proxy-dns feature from cloudflared
2026-02-06 12:43:53 +00:00
AGENTS.md
TUN-10258: add agents.md
2026-02-24 11:17:27 +00:00
catalog-info.yaml
GRC-16749: Add fedramp tags to catalog
2025-10-07 11:27:41 +00:00
cfsetup.yaml
TUN-9800: Migrate apt internal builds to Gitlab
2025-11-10 14:43:10 +00:00
CHANGES.md
TUN-10383: Set edge-ip-version to auto
2026-04-14 16:11:59 +00:00
check-fips.sh
TUN-5551: Reintroduce FIPS compliance for linux amd64 now as separate binaries
2021-12-20 21:50:42 +00:00
cloudflared_man_template
AUTH-2644: Change install location and add man page
2020-07-06 19:27:25 +00:00
cloudflared.wxs
Remove extraneous period from Path Environment Variable (#1009)
2023-12-14 16:32:48 +00:00
Dockerfile
TUN-9952: Bump go to 1.26
2026-04-06 13:04:18 +01:00
Dockerfile.amd64
TUN-9952: Bump go to 1.26
2026-04-06 13:04:18 +01:00
Dockerfile.arm64
TUN-9952: Bump go to 1.26
2026-04-06 13:04:18 +01:00
github_message.py
TUN-6823: Update github release message to pull from KV
2022-10-11 15:43:06 +00:00
github_release.py
DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds
2025-04-30 09:57:52 +00:00
go.mod
AUTH-4699, AUTH-8460, TUN-10179: Vendor gopsutil/v4 for cross-platform process identification
2026-05-01 13:04:51 +00:00
go.sum
AUTH-4699, AUTH-8460, TUN-10179: Vendor gopsutil/v4 for cross-platform process identification
2026-05-01 13:04:51 +00:00
LICENSE
TUN-5851: Update all references to point to Apache License 2.0
2022-03-08 17:35:31 +00:00
Makefile
chore: Add pre-push hooks
2026-04-29 13:09:22 +00:00
postinst.sh
TUN-9919: Make RPM postinstall scriplet idempotent
2025-10-15 14:33:43 +00:00
postrm.sh
TUN-8290: Remove || true from postrm.sh
2024-03-07 16:22:56 +00:00
README.md
chore: Add pre-push hooks
2026-04-29 13:09:22 +00:00
RELEASE_NOTES
Release 2026.3.0
2026-03-06 12:53:40 +00:00
release_pkgs.py
TUN-9800: Add pipelines for linux packaging
2025-11-05 10:45:04 +00:00
wix.json
AUTH-2712 mac package build script and better config file handling when started as a service
2020-06-25 16:44:57 -05:00

README.md

Cloudflare Tunnel client

Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins. This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible. Extensive documentation can be found in the Cloudflare Tunnel section of the Cloudflare Docs. All usages related with proxying to your origins are available under cloudflared tunnel help.

You can also use cloudflared to access Tunnel origins (that are protected with cloudflared tunnel) for TCP traffic at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc. Such usages are available under cloudflared access help.

You can instead use WARP client to access private origins behind Tunnels for Layer 4 traffic without requiring cloudflared access commands on the client side.

Before you get started

Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private routing), but for legacy reasons this requirement is still necessary:

  1. Add a website to Cloudflare
  2. Change your domain nameservers to Cloudflare

Installing cloudflared

Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases here on the cloudflared GitHub repository.

User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/

Creating Tunnels and routing traffic

Once installed, you can authenticate cloudflared into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.

TryCloudflare

Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation available here.

Deprecated versions

Cloudflare currently supports versions of cloudflared that are within one year of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our developer documentation.

For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.

Development

Requirements

Build

To build cloudflared locally run make cloudflared

Test

To locally run the tests run make test

Linting

To format the code and keep a good code quality use make fmt and make lint

Mocks

After changes on interfaces you might need to regenerate the mocks, so run make mocks

Git Hooks

To avoid CI errors, you can install pre-push hooks that run linting and tests before each push:

make install-hooks

This will configure git to use the hooks in .githooks/ that run make fmt-check lint test before each push.

Reference in New Issue View Git Blame Copy Permalink
S
Description
Cloudflare Tunnel client (formerly Argo Tunnel)
argo-tunnelcloudflarecloudflare-tunnelreverse-proxyzero-trust-network-access
Readme Apache-2.0 50 MiB
Languages
Go 90.1%
Python 6.9%
Shell 0.9%
HTML 0.8%
Makefile 0.5%
Other 0.8%