Cloudflare Agent Tunnel — 为 OpenClaw 代理提供安全 HTTPS URL

Name: Cloudflare Agent Tunnel — 为 OpenClaw 代理提供安全 HTTPS URL
Author: maverick-software

maverick-software

Cloudflare Agent Tunnel — 为 OpenClaw 代理提供安全 HTTPS URL

v1.1.0

使用 Cloudflare Tunnel (cloudflared) 为每个 OpenClaw 代理提供安全的 HTTPS URL，无需 SSL 证书管理，无需公开暴露端口。适用于在 VPS 上设置 OpenClaw 代理的安全云访问，支持分配代理子域名、启用 HTTPS 无需 nginx 或 Let's Encrypt，以及自定义域名配置。

0· 403·1 当前·1 累计

by @maverick-software·MIT-0

云服务网络工具安全智能体系统工具

下载技能包

License

MIT-0

最后更新

2026/3/5

安全扫描

VirusTotal

无害

查看报告

OpenClaw

安全

high confidence

该技能的文件和指令一致地实现了其声明的功能（为 OpenClaw 代理设置 Cloudflare Tunnels），安装需要根/系统级别的修改，但这些修改与其目的成比例。

评估建议

该技能似乎确实完成了它所声称的功能：为 OpenClaw 代理设置 Cloudflare 隧道和持久的 systemd 服务。安装前，请考虑：(1) 必须以 root 用户运行脚本（它修改 `/etc` 和 systemd）；(2) cloudflared 将在 `/root/.cloudflared` 存储身份验证文件——任何拥有这些文件的人都可以运行该隧道，请保护它们并在停用时删除；(3) 过程需要通过浏览器 URL 授权 Cloudflare —— 不要与不信任的第三方共享该 URL；(4) 脚本从 Cloudflare 的 apt 存储库（pkg.cloudflare.com）安装 cloudflared，这是预期的；(5) 设置完成后，按照指示更新 OpenClaw allowedOrigins 和防火墙规则，以避免直接暴露服务。如果您不舒适于授予根级别的修改或在主机上存储 Cloudflare 隧道凭据，请不要安装；否则，该技能对于其描述的目的而言是连贯的和合适的。...

详细分析 ▾

✓ 用途与能力

名称/描述与包含的 SKILL.md 和脚本匹配：两者都创建 cloudflared 命名或快速隧道、DNS 路由和 systemd 服务，以暴露每个代理的 HTTPS URL。所有请求的操作都与隧道设置有关。

ℹ 指令范围

指令和脚本执行系统级操作（安装 apt 包，写入 /etc/cloudflared、/etc/systemd/system，编辑防火墙，读/写 /root/.cloudflared）。这些对于持久隧道是必要的，但需要根权限和访问机器的服务配置以及 Cloudflare 凭据。指导将 cloudflared 认证 URL 交给人类进行浏览器认证是预期的，但应仅由机器所有者执行。

✓ 安装机制

无隐藏下载；脚本从 Cloudflare 的官方 apt 存储库（pkg.cloudflare.com）安装 cloudflared，通过 curl 获取签名密钥然后使用 apt-get。这是一种标准的可追踪的安装方法。

✓ 凭证需求

该技能声明了无环境变量或外部凭据。它依赖于 cloudflared 的凭据文件，存储在 /root/.cloudflared 下（由 cloudflared 登录/创建创建）。对于命名隧道，这是预期的和合理的。

ℹ 持久化与权限

该技能的脚本和指令创建并启用 systemd 服务，并在 /root/.cloudflared 下写入持久的凭据文件。持久的系统更改对于声明的目的是必要的，但这些是高权限操作 —— 仅在您控制和信任的主机上运行。

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv1.1.02026/3/4

更喜欢命名隧道方法 —— 始终使用 cloudflared 登录 + 永久 URL。快速隧道降级为仅回退，附有明确警告。添加了身份验证 URL 流的轮询模式。

● 无害

安装命令点击复制

官方npx clawhub@latest install cloudflare-agent-tunnel

镜像加速npx clawhub@latest install cloudflare-agent-tunnel --registry https://cn.clawhub-mirror.com

技能文档

请参阅下面的中文翻译（由于原始内容较长，仅提供关键部分的翻译，完整内容请参考原始 SKILL.md）

Give each OpenClaw agent a permanent, secure HTTPS URL via Cloudflare Tunnel — no SSL certs, no nginx, no open ports.

How It Works

User → https://koda.yourdomain.com
         ↓ (Cloudflare edge — TLS termination here)
       Cloudflare Tunnel (encrypted)
         ↓
       cloudflared process on VPS
         ↓
       http://localhost:18789  (OpenClaw gateway)

Cloudflare handles TLS — no cert management on the server
The local port never needs to be open to the internet
Each agent gets its own cloudflared process + systemd service

✅ Preferred Method — Named Tunnel (Permanent, Free Cloudflare Account)

Always use this method. Gives a permanent URL tied to your domain. Requires a free Cloudflare account — takes 2 minutes to set up.

Step 1: Install cloudflared

curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main" \
  | tee /etc/apt/sources.list.d/cloudflared.list
apt-get update -qq && apt-get install -y cloudflared

Step 2: Authenticate — give the user this URL

Run on the VPS:

cloudflared tunnel login

This prints a Cloudflare auth URL. Give that URL to the user — they open it in their browser, log into their Cloudflare account, and click Authorize. This saves /root/.cloudflared/cert.pem on the VPS.

Poll for completion:

# Wait until cert.pem appears (user has authorized)
until [ -f /root/.cloudflared/cert.pem ]; do sleep 3; done && echo "Authorized!"

Step 3: Create the tunnel

cloudflared tunnel create openclaw-koda
# Outputs a UUID — note it
TUNNEL_UUID=$(cloudflared tunnel list --output json | python3 -c \
  "import json,sys; t=[x for x in json.load(sys.stdin) if x['name']=='openclaw-koda']; print(t[0]['id'])")

Step 4: Write tunnel config

mkdir -p /etc/cloudflared
cat > /etc/cloudflared/openclaw-koda.yml << EOF
tunnel: ${TUNNEL_UUID}
credentials-file: /root/.cloudflared/${TUNNEL_UUID}.jsoningress:
  - hostname: koda.yourdomain.com
    service: http://localhost:18789
  - service: http_status:404
EOF

Step 5: Route DNS

cloudflared tunnel route dns openclaw-koda koda.yourdomain.com
# Automatically creates CNAME: koda.yourdomain.com → .cfargotunnel.com

The domain must use Cloudflare nameservers. If it doesn't yet, the user transfers DNS management to Cloudflare (free, takes ~5 min).

Step 6: Install as systemd service

cat > /etc/systemd/system/cloudflared-koda.service << 'EOF'
[Unit]
Description=Cloudflare Tunnel — openclaw-koda
After=network.target openclaw.service
[Service]
Type=simple
User=root
ExecStart=/usr/bin/cloudflared tunnel --no-autoupdate --config /etc/cloudflared/openclaw-koda.yml run
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
EOFsystemctl daemon-reload
systemctl enable cloudflared-koda
systemctl start cloudflared-koda
systemctl is-active cloudflared-koda

Step 7: Update OpenClaw allowedOrigins

"gateway": {
  "controlUi": {
    "allowedOrigins": [
      "http://localhost:18789",
        "https://koda.yourdomain.com"
    ]
  }
}

Then: systemctl restart openclaw-koda

Step 8: Lock down the port

Block direct public access — all traffic must go through the tunnel:

ufw deny 18789
ufw reload

Quick Tunnel (Fallback Only — Temporary)

⚠️ Use only as a temporary fallback when no domain is available. The URL is random and resets every time the service restarts. Switch to a named tunnel as soon as a domain is ready.

# Start quick tunnel — prints a random https://.trycloudflare.com URL
cloudflared tunnel --url http://localhost:18789 --no-autoupdate# Or as a systemd service (URL logged to /var/log/cloudflared-openclaw.log)
ExecStart=/usr/bin/cloudflared tunnel --no-autoupdate --url http://localhost:18789

Read the assigned URL:

grep -o 'https://[a-z0-9-]\.trycloudflare\.com' /var/log/cloudflared-openclaw.log | tail -1

Multi-Agent Setup (One VPS, Multiple Agents)

Each agent = one OpenClaw gateway port + one named tunnel + one systemd service.

Port 18789 → openclaw-koda.service   + cloudflared-koda.service   → koda.yourdomain.com
Port 18790 → openclaw-alex.service   + cloudflared-alex.service   → alex.yourdomain.com
Port 18791 → openclaw-jordan.service + cloudflared-jordan.service → jordan.yourdomain.com

Critical: Do NOT use cloudflared service install for multiple agents — it only supports one tunnel and overwrites the system service. Always write individual systemd service files per agent.

Custom Domains

Key facts:

Domain must use Cloudflare nameservers (transfer at your registrar — free)
Cloudflare issues and auto-renews TLS certs
CNAME records created automatically via cloudflared tunnel route dns
Free Cloudflare plan: unlimited tunnels, unlimited bandwidth

See references/custom-domains.md for a full walkthrough.

Managing Tunnels

# Status systemctl list-units "cloudflared-*" --no-pager # Logs journalctl -u cloudflared-koda -f # List named tunnels cloudflared tunnel list

# Delete a tunnel cloudflared tunnel delete openclaw-koda systemctl disable cloudflared-koda && rm /etc/systemd/system/cloudflared-koda.service

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

How It Works

✅ Preferred Method — Named Tunnel (Permanent, Free Cloudflare Account)

Step 1: Install cloudflared

Step 2: Authenticate — give the user this URL

Step 3: Create the tunnel

Step 4: Write tunnel config

Step 5: Route DNS

Step 6: Install as systemd service

Step 7: Update OpenClaw allowedOrigins

Step 8: Lock down the port

Quick Tunnel (Fallback Only — Temporary)

Multi-Agent Setup (One VPS, Multiple Agents)

Custom Domains

Managing Tunnels

安装命令点击复制