Cloudflare Tunnel with gRPC h2c/h2

I have a few questions about gRPC and Cloudflare tunnels.

  1. Is gRPC supported at all over a tunnel?
  2. If gRPC is supported now, is h2c or just h2 supported?
  3. Is grpc-web (ex: Content-Type: application/grpc-web+proto) supported?

As per this page (can’t include links, so the article’s name is Understanding-Cloudflare-gRPC-support), tunnels (and Access) do not support gRPC.

  • Cloudflare Tunnel currently does not support gRPC.
  • Cloudflare Access does not support gRPC traffic sent through Cloudflare’s reverse proxy. gRPC traffic will be ignored by Access if gRPC is enabled in Cloudflare.

But tunnels have supported HTTP/2, which does support gRPC, for a long time. Recently tunnels had a PR (again no links, but PR number 656) to allow forcing HTTP/2.


Specifically, I’m looking at hosting Zitadel, which uses grpc-web. I have it running and can sign in, but as soon as the grpc-web calls go out I start getting 404s back. My understanding was that the whole point of grpc-web was to look like regular traffic, and then a proxy will translate it to grpc when it arrives at some origin that can send true grpc requests. If that’s the case, I don’t understand how it’s possible to not support it unless one of the headers is being filtered out.

In the case that I misunderstood what grpc-web is (and it actually needs h2/h2c), could I have a self-signed cert on my server so that the last hop between cloudflared and zitadel is supported?

I should add that I tried
docker run -d ... tunnel --no-autoupdate --loglevel debug run --http2-origin --token ...
and in the logs I see Settings: map[http2-origin:true loglevel:debug no-autoupdate:true token:*****] so the flag was applied. Unfortunately I also see GET https://zitadel.mydomain.com/oauth/v2/keys **HTTP/1.1**
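
The grpc-web framing referred to in the question, shown as an added example (not code from the thread, Cloudflare or Zitadel): per the gRPC-Web protocol, the body uses gRPC's 5-byte length-prefixed frames and carries trailers such as grpc-status in a final frame whose flag byte has the high bit set, rather than in HTTP/2 trailers. The function names and the sample body are constructed for illustration.

```python
import base64
import struct


def frame(flag: int, payload: bytes) -> bytes:
    """Build one frame: 1 flag byte, 4-byte big-endian length, payload."""
    return bytes([flag]) + struct.pack(">I", len(payload)) + payload


# Constructed sample body (not captured traffic): one data frame followed by
# one trailer frame carrying the status that native gRPC sends as HTTP/2 trailers.
SAMPLE_BODY = frame(0x00, b"\x0a\x03abc") + frame(0x80, b"grpc-status: 0\r\n")


def classify(content_type: str) -> str:
    """Map a Content-Type header value to the gRPC flavour it announces."""
    media = content_type.split(";")[0].strip().lower()
    for kind in ("grpc-web-text", "grpc-web", "grpc"):  # most specific first
        base = "application/" + kind
        if media == base or media.startswith(base + "+"):
            return kind
    return "other"


def parse_frames(body: bytes, kind: str):
    """Split a grpc-web body into (messages, trailers)."""
    if kind == "grpc-web-text":
        # Assumption: the body is a single base64 segment, not a chunked stream.
        body = base64.b64decode(body)
    messages, trailers, pos = [], {}, 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError("truncated frame header")
        flag, length = struct.unpack_from(">BI", body, pos)
        payload = body[pos + 5 : pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        pos += 5 + length
        if flag & 0x80:  # trailer frame: HTTP/1-style header lines
            for line in payload.decode("ascii").split("\r\n"):
                if line:
                    name, _, value = line.partition(":")
                    trailers[name.strip().lower()] = value.strip()
        else:  # data frame: one serialized message
            messages.append(payload)
    return messages, trailers
```

Running `parse_frames` over a response body saved from the browser's network tab shows whether a grpc-web reply (with a `grpc-status` trailer frame) came back at all, or whether the 404 was produced before the request reached a grpc-web handler.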

It doesn’t appear to be supported, according to the docs and this issue on GitHub.

Dang, that’s really unfortunate. I was hoping the docs were out of date.

I’m still not sure if grpc-web will work or not since it’s not actually grpc. Do you have any idea why even with --http2-origin (I’m using docker latest which is 2022.6.3) the traffic would still be HTTP/1.1?

That would be a better question to ask on the GitHub repo.

Will do, thanks.
