Cloudflared: Difference between revisions
Latest revision as of 06:06, 15 October 2025
Cloudflared (https://github.com/cloudflare/cloudflared) is a command-line client that establishes a network tunnel from the Cloudflare network to a server.
Introduced in https://github.com/NixOS/nixpkgs/pull/171875
Example
To obtain the credentialsFile (e.g. tunnel-ID.json), run:
<syntaxhighlight lang="sh">
cloudflared tunnel login <the-token-you-see-in-dashboard>
cloudflared tunnel create ConvenientTunnelName
</syntaxhighlight>
<syntaxhighlight lang="nix">
{
  services.cloudflared = {
    enable = true;
    tunnels = {
      "00000000-0000-0000-0000-000000000000" = {
        credentialsFile = "${config.sops.secrets.cloudflared-creds.path}";
        default = "http_status:404";
      };
    };
  };
}
</syntaxhighlight>
Then you can use the dashboard to add your public hosts (the new tunnel will need to be converted to a dashboard-managed one).
Alternatively, save the cert.pem to the cloudflared user's %home%/.cloudflared/cert.pem and, instead of using the dashboard, specify the ingress rules in your configuration.nix like this:
<syntaxhighlight lang="nix">
{
  services.cloudflared = {
    enable = true;
    tunnels = {
      "00000000-0000-0000-0000-000000000000" = {
        credentialsFile = "${config.sops.secrets.cloudflared-creds.path}";
        ingress = {
          "*.domain1.com" = {
            service = "http://localhost:80";
            path = "/*.(jpg|png|css|js)";
          };
          "*.domain2.com" = "http://localhost:80";
        };
        default = "http_status:404";
      };
    };
  };
}
</syntaxhighlight>
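To see what the ingress rules above actually route, here is an added Python model of cloudflared's first-match evaluation (example code, not from this page or the cloudflared project). It assumes rules are tried top to bottom, that a leading `*.` matches any subdomain but not the apex, that the `path` regex is searched unanchored, and that anything unmatched falls to `default`; note that on domain1 only paths matching the regex reach the origin, everything else gets the 404.

```python
import re
from typing import Optional, List, Tuple

# Constructed from the NixOS config above: (hostname pattern, path regex, service).
# The path regex is None when the rule has no path restriction.
INGRESS: List[Tuple[str, Optional[str], str]] = [
    ("*.domain1.com", r"/*.(jpg|png|css|js)", "http://localhost:80"),
    ("*.domain2.com", None, "http://localhost:80"),
]
DEFAULT_SERVICE = "http_status:404"  # the "default" attribute


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Assumption: '*.example.com' matches any subdomain, not the apex itself."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain1.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return pattern == hostname


def route(hostname: str, path: str) -> str:
    """Return the service the first matching ingress rule would send this request to."""
    for host_pattern, path_regex, service in INGRESS:
        if not hostname_matches(host_pattern, hostname):
            continue
        # Assumption: the path regex is applied as an unanchored search.
        if path_regex is not None and re.search(path_regex, path) is None:
            continue
        return service
    return DEFAULT_SERVICE


if __name__ == "__main__":
    # Constructed sample requests: static assets reach the origin, HTML on domain1 does not.
    for host, path in [("www.domain1.com", "/style.css"),
                       ("www.domain1.com", "/index.html"),
                       ("api.domain2.com", "/index.html"),
                       ("domain1.com", "/style.css")]:
        print(f"{host}{path} -> {route(host, path)}")
```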
Troubleshooting
At the moment (2025), browser rendering through the tunnel requires this OpenSSH MAC setting:
<syntaxhighlight lang="nix">
# The original had a stray second "[" that left the list unterminated; this is a single list.
services.openssh.settings.Macs = [
  # Current defaults:
  "hmac-sha2-512-etm@openssh.com"
  "hmac-sha2-256-etm@openssh.com"
  "umac-128-etm@openssh.com"
  # Added:
  "hmac-sha2-256"
];
</syntaxhighlight>
The issue has been reported on GitHub: https://github.com/cloudflare/cloudflared/issues/1198