首页 / 技能 / Cloudflare Tunnel Manager — Cloudflare工具

📦 Cloudflare Tunnel Manager — Cloudflare工具

v1.0.0

[AI辅助] Create and manage secure Cloudflare Tunnels using cloudflared. Expose local services to the internet safely, configure DNS routing, set up zero-trust access...

0· 154·0 当前·0 累计
by @qoohsuan (Qoohsuan)·MIT-0
云服务系统工具开发工具AI模型访问
下载技能包
License
MIT-0
最后更新
2026/3/26
0
安全扫描
VirusTotal
无害
查看报告
OpenClaw
安全
high confidence
The skill is an instruction-only guide for installing and using cloudflared to manage Cloudflare Tunnels; its requirements, commands, and examples are consistent with that purpose and it does not request unrelated credentials or install arbitrary code itself.
评估建议
This skill is a how-to for cloudflared and appears internally consistent. Before using it: install cloudflared from Cloudflare's official releases (verify checksums), protect the credentials JSON files and service tokens it references, avoid enabling insecure options (e.g., noTLSVerify) unless you understand the risk, and review the full systemd/unit examples before installing them. Because the skill is instruction-only, it does not itself install or run code — but following its commands will ru...
详细分析 ▾
用途与能力
The name/description (Cloudflare Tunnel Manager) match the SKILL.md: it documents installing cloudflared, creating tunnels, DNS routing, Zero Trust policies, and systemd setup. No unrelated credentials, binaries, or config paths are requested.
指令范围
Instructions are focused on cloudflared usage and Cloudflare account resources. A few options (noTLSVerify, proxyAddress, bastionMode) can weaken security if misused; the skill documents creating service tokens and storing credentials files (expected). The systemd snippet is appropriate for running a tunnel but user should inspect the full unit file (SKILL.md was truncated in the listing).
安装机制
No install spec is bundled with the skill (instruction-only). The Linux install recommends downloading from the project's GitHub Releases, and macOS/Windows use Homebrew/winget — these are standard distribution channels. As always, verify the binary and checksums from Cloudflare's official sources before installing.
凭证需求
The skill does not request environment variables, secrets, or unrelated credentials. It shows how to obtain and use Cloudflare service tokens and tunnel credential files, which is proportionate to the task.
持久化与权限
The skill is not marked always:true and is user-invocable. It does not attempt to modify other skills or system-wide agent configuration. The provided systemd instructions are standard for running the tunnel as a service.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/26

Initial release: Cloudflare Tunnel setup and management

无害

安装命令

点击复制
官方npx clawhub@latest install cloudflare-tunnel-manager
镜像加速npx clawhub@latest install cloudflare-tunnel-manager --registry https://cn.longxiaskill.com

技能文档

Create secure tunnels to expose local services through Cloudflare's network without opening inbound firewall ports. Supports HTTP/HTTPS services, TCP tunnels, and zero-trust access controls.

Prerequisites

  • Cloudflare 账户 带有 domain
  • cloudflared CLI installed
  • Domain DNS managed 由 Cloudflare
  • Local services running (web servers, APIs, etc.)

Installation

macOS (Homebrew)

brew install cloudflare/cloudflare/cloudflared

Linux

# Download latest release
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared

Windows

# Using winget
winget install --id Cloudflare.cloudflared
# Or download from GitHub releases

Usage

Authentication

登录 到 Cloudflare: 

# Login (opens browser for OAuth)
cloudflared tunnel login
# Verify authentication
cloudflared tunnel list

Basic Tunnel Setup

创建 和 run tunnel: 

# Create named tunnel
cloudflared tunnel create mytunnel
# Run tunnel for HTTP service
cloudflared tunnel --url http://localhost:3000
# Run tunnel with custom hostname
cloudflared tunnel --url http://localhost:3000 --hostname app.yourdomain.com
# Quick temporary tunnel (random subdomain)
cloudflared tunnel --url http://localhost:8080

Persistent Tunnel Configuration

创建 tunnel 和 configure DNS: 

# Create tunnel
cloudflared tunnel create production-app
# Note the tunnel ID from output
# Create DNS record
cloudflared tunnel route dns production-app app.yourdomain.com
# Create config file
mkdir -p ~/.cloudflared

Configuration file (~/.cloudflared/配置.yml): 

tunnel: production-app
credentials-file: /Users/username/.cloudflared/TUNNEL_ID.json
ingress:
  # Main app
  - hostname: app.yourdomain.com
    service: http://localhost:3000
  
  # API service
  - hostname: api.yourdomain.com
    service: http://localhost:4000
    
  # Static files
  - hostname: static.yourdomain.com
    service: http://localhost:8080
    
  # WebSocket service
  - hostname: ws.yourdomain.com
    service: ws://localhost:5000
    
  # SSH access (requires Cloudflare for Teams)
  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22
    
  # Default rule (required)
  - service: http_status:404

Run configured tunnel: 

# Run with config file
cloudflared tunnel run production-app
# Run in background
cloudflared tunnel run production-app &
# Check tunnel status
cloudflared tunnel info production-app

Advanced Configuration

Multiple services configuration: 

tunnel: multi-service-tunnel
credentials-file: /Users/username/.cloudflared/TUNNEL_ID.json
ingress:
  # Main website
  - hostname: yourdomain.com
    service: http://localhost:3000
    
  # Admin panel with authentication
  - hostname: admin.yourdomain.com
    service: http://localhost:3001
    originRequest:
      noTLSVerify: true
      
  # Development API
  - hostname: dev-api.yourdomain.com
    service: http://localhost:4000
    originRequest:
      httpHostHeader: localhost:4000
      
  # Load balancer for multiple instances
  - hostname: lb.yourdomain.com
    service: http://localhost:3000
    originRequest:
      bastionMode: true
      
  # File server with custom headers
  - hostname: files.yourdomain.com
    service: http://localhost:8000
    originRequest:
      httpHostHeader: files.local
      originServerName: files.local
      
  # Default catch-all
  - service: http_status:404

Advanced origin 请求 options: 

originRequest:
  # Disable TLS verification (for self-signed certs)
  noTLSVerify: true
  
  # Custom HTTP headers
  httpHostHeader: internal.service.local
  
  # Connection timeout
  connectTimeout: 30s
  
  # Keep alive settings
  keepAliveConnections: 100
  keepAliveTimeout: 90s
  
  # Proxy settings
  proxyAddress: http://proxy:8080
  proxyPort: 8080
  
  # Bastion mode for kubectl/ssh
  bastionMode: true

服务 Management

Tunnel management commands: 

# List all tunnels
cloudflared tunnel list
# Get tunnel info
cloudflared tunnel info TUNNEL_NAME
# Delete tunnel
cloudflared tunnel delete TUNNEL_NAME
# Clean up unused tunnels
cloudflared tunnel cleanup TUNNEL_NAME
# Update tunnel
cloudflared tunnel route dns TUNNEL_NAME new-subdomain.yourdomain.com

DNS management: 

# Add DNS route
cloudflared tunnel route dns mytunnel app.yourdomain.com
# List DNS routes
cloudflared tunnel route list
# Delete DNS route
cloudflared tunnel route delete ROUTE_ID

Zero Trust Access Control

Access policy configuration (通过 Cloudflare Dashboard):

  • Go 到 Cloudflare Zero Trust → Access → Applications
  • 添加 application:
- Application 类型: Self-hosted - App domain: 管理员.yourdomain.com - Policy name: 管理员 Access

  • 创建 access policy:
- Allow/屏蔽/Bypass - Include: Email domain contains @yourcompany.com - Require: Country 在...中 Taiwan

服务 authentication 令牌: 

# Create service token for API access
# (Done via Cloudflare Dashboard → Zero Trust → Access → Service Tokens)
# Use service token in requests
curl -H "CF-Access-Client-Id: TOKEN_ID" \
     -H "CF-Access-Client-Secret: TOKEN_SECRET" \
     https://api.yourdomain.com/data

System 服务 Setup

Linux systemd 服务: 

# /etc/systemd/system/cloudflared-tunnel.service
[Unit]
Description=Cloudflare Tunnel
After=network.target
[Service]
Type=simple
User=cloudflared
ExecStart=/usr/local/bin/cloudflared tunnel run production-app
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target

# Enable and start service
sudo systemctl enable cloudflared-tunnel
sudo systemctl start cloudflared-tunnel
sudo systemctl status cloudflared-tunnel

macOS LaunchAgent: 






    Label
    com.cloudflare.tunnel
    ProgramArguments
    
        /usr/local/bin/cloudflared
        tunnel
        run
        production-app
    
    RunAtLoad
    
    KeepAlive
    



# Load and start LaunchAgent
launchctl load ~/Library/LaunchAgents/com.cloudflare.tunnel.plist
launchctl start com.cloudflare.tunnel

Monitoring 和 Troubleshooting

Health checking: 

# Check tunnel connectivity
curl -H "Host: yourdomain.com" http://localhost:3000
# Test external access
curl https://yourdomain.com
# Check tunnel logs
cloudflared tunnel --loglevel debug run production-app
# Monitor metrics (if enabled)
curl http://localhost:2000/metrics

Common troubleshooting: 

# Check tunnel status
cloudflared tunnel info production-app
# Validate config file
cloudflared tunnel ingress validate
# Test ingress rules
cloudflared tunnel ingress rule https://app.yourdomain.com
# Debug connection
cloudflared tunnel --loglevel debug run production-app

Production 示例 Setup

Complete production deployment: 

#!/bin/bash
# setup-cloudflare-tunnel.sh
TUNNEL_NAME="propower-production"
DOMAIN="api.pro-power.cc"
echo "Setting up Cloudflare Tunnel: $TUNNEL_NAME"
# Create tunnel
cloudflared tunnel create $TUNNEL_NAME
# Get tunnel ID
TUNNEL_ID=$(cloudflared tunnel list | grep $TUNNEL_NAME | awk '{print $1}')
# Create DNS records
cloudflared tunnel route dns $TUNNEL_NAME $DOMAIN
cloudflared tunnel route dns $TUNNEL_NAME api.$DOMAIN
# Create config file
cat > ~/.cloudflared/config.yml << EOF
tunnel: $TUNNEL_NAME
credentials-file: $HOME/.cloudflared/$TUNNEL_ID.json
ingress:
  - hostname: $DOMAIN
    service: http://localhost:3000
  - hostname: api.$DOMAIN
    service: http://localhost:4000
  - service: http_status:404
metrics: localhost:2000
EOF
echo "Configuration created. Start tunnel with:"
echo "cloudflared tunnel run $TUNNEL_NAME"

备份 和 Migration

备份 tunnel configuration: 

# Backup credentials and config
cp ~/.cloudflared/.json ~/backup/
cp ~/.cloudflared/config.yml ~/backup/
# Export tunnel list
cloudflared tunnel list > ~/backup/tunnel-list.txt

Migration 到 新的 server: 

# Copy credentials to new server
scp ~/.cloudflared/.json user@newserver:~/.cloudflared/
scp ~/.cloudflared/config.yml user@newserver:~/.cloudflared/
# Test on new server
ssh user@newserver "cloudflared tunnel run production-app --dry-run"

This skill enables secure, firewall-friendly exposure of local services through Cloudflare's global network with built-in DDoS protection and zero-trust access controls.

数据来源ClawHub ↗ · 中文优化:龙虾技能库