Tunnel configuration doesn't take effect when set by the API

I’m using the Cloudflare API (through the Python client library) to create Cloudflare tunnels. I noticed that the tunnel configuration doesn’t take effect, even though I can see it in the Zero Trust dashboard. If I open the tunnel in Zero Trust, go to the “public hostname” and click edit, then click save without making any changes, it starts working.

More details. Here’s a simplified version of the code I use to create and configure the tunnel:

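import json
import os
from base64 import b64encode

import CloudFlare

# Assumed setup, not shown in the original post: python-cloudflare client and account id
cf = CloudFlare.CloudFlare()
account_id = '<account id>'

domain = 'mydomain.tld'
tunnel_name = 'test-tunnel'
# 32 random bytes, base64-encoded, used as the tunnel secret
tunnel_secret = b64encode(os.urandom(32)).decode('ascii')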
tunnel = cf.accounts.cfd_tunnel.post(
    account_id,
    data={'name': tunnel_name, 'tunnel_secret': tunnel_secret}
)
hostname = f'{tunnel_name}.{domain}'
cf.accounts.cfd_tunnel.configurations.put(
    account_id, tunnel['id'],
    data={
        'config': {
            'ingress': [
                {
                    'hostname': hostname,
                    'path': '/api',
                    'service': 'http://localhost:9090',
                },
                {
                    'service': 'http_status:404'
                },
            ],
        },
    },
)

print(json.dumps({
    'AccountTag': account_id,
    'TunnelID': tunnel['id'],
    'TunnelSecret': tunnel_secret,
}))

I’ll save the credentials in a file named “test-creds.json”. Then I’ll create a file named test-config.yml with the following content:

tunnel: <tunnel id>
credentials-file: ./test-creds.json
no-autoupdate: true

And then run cloudflared like this: cloudflared tunnel --config ./test-config.yml run.

Looking at cloudflared output, I can see that tunnel config is not received:

2022-11-01T10:36:48Z INF Starting tunnel tunnelID=fa99f9ad-14ac-4bfd-8ece-68624b5eb0d1
2022-11-01T10:36:48Z INF Version 2022.10.3
2022-11-01T10:36:48Z INF GOOS: linux, GOVersion: go1.18.6, GoArch: amd64
2022-11-01T10:36:48Z INF Settings: map[config:./test-config.yml cred-file:./test-creds.json credentials-file:./test-creds.json no-autoupdate:true]
2022-11-01T10:36:48Z INF cloudflared will not automatically update if installed by a package manager.
2022-11-01T10:36:48Z INF Generated Connector ID: e41847c3-31c7-4fc6-9bba-bfb04b18400a
2022-11-01T10:36:48Z INF Initial protocol quic
2022-11-01T10:36:48Z INF ICMP proxy will use 192.168.1.100 as source for IPv4
2022-11-01T10:36:48Z INF ICMP proxy will use :: as source for IPv6
2022-11-01T10:36:48Z INF Starting metrics server on 127.0.0.1:33979/metrics
2022/11/01 11:36:48 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2022-11-01T10:36:49Z INF Connection f025cd7e-5001-4692-a60c-4b869cd1b572 registered connIndex=0 ip=198.41.200.43 location=VIE
2022-11-01T10:36:50Z INF Connection c9e059a0-3183-49cb-bdcb-ff2d030471df registered connIndex=1 ip=198.41.192.27 location=AMS
2022-11-01T10:36:51Z INF Connection 2dcf2af0-f740-4409-b6f5-767272a99e98 registered connIndex=2 ip=198.41.200.53 location=VIE
2022-11-01T10:36:52Z INF Connection 39749a67-98b1-4222-bd2b-a405f6b1656f registered connIndex=3 ip=198.41.192.227 location=AMS

If, as described above, I go to the Zero Trust dashboard, open the config and save it again, then run cloudflared, I’ll see that the config is received this time:

2022-11-01T10:39:36Z INF Version 2022.10.3
2022-11-01T10:39:36Z INF GOOS: linux, GOVersion: go1.18.6, GoArch: amd64
2022-11-01T10:39:36Z INF Settings: map[config:./test-config.yml cred-file:./test-creds.json credentials-file:./test-creds.json no-autoupdate:true]
2022-11-01T10:39:36Z INF cloudflared will not automatically update if installed by a package manager.
2022-11-01T10:39:36Z INF Generated Connector ID: 37d2d570-8fd8-48dd-a6c6-09ae4c784d7c
2022-11-01T10:39:36Z INF Initial protocol quic
2022-11-01T10:39:36Z INF ICMP proxy will use 192.168.1.100 as source for IPv4
2022-11-01T10:39:36Z INF ICMP proxy will use :: as source for IPv6
2022-11-01T10:39:36Z INF Starting metrics server on 127.0.0.1:37831/metrics
2022/11/01 11:39:36 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2022-11-01T10:39:37Z INF Connection c19ad87d-2a64-4cc6-aaae-afbbdf1a5ec4 registered connIndex=0 ip=198.41.200.233 location=VIE
2022-11-01T10:39:37Z INF Updated to new configuration config="{\"ingress\":[{\"hostname\":\"test-tunnel.oneconnect.hair\",\"originRequest\":{},\"path\":\"/api\",\"service\":\"http://localhost:9090\"},{\"service\":\"http_status:404\"}],\"warp-routing\":{\"enabled\":false}}" version=1
2022-11-01T10:39:37Z INF Connection 84d180c5-9494-4e3e-84b4-347999b01e80 registered connIndex=1 ip=198.41.192.107 location=AMS
2022-11-01T10:39:39Z INF Connection e176f629-77a1-4cde-99f4-d2b27902c377 registered connIndex=2 ip=198.41.200.113 location=VIE
2022-11-01T10:39:39Z INF Connection 4966d9c8-f6be-4a70-901a-82a3ceb5c97e registered connIndex=3 ip=198.41.192.37 location=AMS

Am I doing anything wrong?

Forgot to mention that in the first attempt, when cloudflared doesn’t receive ingress config, it seems to default to connecting to port 8080 on localhost.

When creating the tunnel (with the POST) you need to tell it that it is to be managed by Cloudflare’s API. The field to be set is “source” with value “Cloudflare”. I believe the API docs will be updated to contain this info soon.

You should run cloudflared with the token obtained from Cloudflare API v4 Documentation, similarly to what the UI instructions say.

No need for the test-config.yml at all. You can pass no-autoupdate as a CLI flag inline with the token.

Ah, I thought there should be something like that. Thanks.
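
The log comparison made by eye in the question can be automated, so that a connector which registered but never received its ingress rules is caught before traffic reaches an unintended local service. This is an added example, not part of the original thread: the function name `check_remote_config` is hypothetical, the sample log lines are constructed in the format shown above with placeholder IDs and hostname, and it assumes the `config="…"` value is a JSON-style escaped string.

```python
import json
import re

# Constructed sample lines in the log format shown in the thread (placeholder IDs/hostname).
SAMPLE_NO_CONFIG = (
    "2022-11-01T10:36:48Z INF Starting tunnel tunnelID=00000000-0000-0000-0000-000000000000\n"
    "2022-11-01T10:36:49Z INF Connection 11111111-1111-1111-1111-111111111111 "
    "registered connIndex=0 ip=192.0.2.10 location=VIE\n"
)
SAMPLE_WITH_CONFIG = SAMPLE_NO_CONFIG + (
    '2022-11-01T10:39:37Z INF Updated to new configuration '
    'config="{\\"ingress\\":[{\\"hostname\\":\\"test-tunnel.example.com\\",'
    '\\"path\\":\\"/api\\",\\"service\\":\\"http://localhost:9090\\"},'
    '{\\"service\\":\\"http_status:404\\"}]}" version=1\n'
)

# Quoted value may contain backslash-escaped quotes, so match escapes explicitly.
CONFIG_RE = re.compile(
    r'Updated to new configuration config="((?:[^"\\]|\\.)*)" version=(\d+)')
REGISTERED_RE = re.compile(r'Connection \S+ registered connIndex=(\d+)')


def check_remote_config(log_text, expected_services):
    """Return (status, detail) for the log output of one cloudflared run."""
    registered = REGISTERED_RE.findall(log_text)
    pushes = CONFIG_RE.findall(log_text)
    if not pushes:
        if registered:
            # Connected to the edge but no ingress rules arrived: the state
            # described in the question's first log excerpt.
            return ("no-remote-config",
                    f"{len(registered)} connection(s) registered, no configuration received")
        return ("not-connected", "no registered connections in log")
    raw, version = pushes[-1]  # the most recent push is the one in effect
    # Undo the string escaping first, then parse the configuration document.
    config = json.loads(json.loads('"' + raw + '"'))
    services = [rule.get("service") for rule in config.get("ingress", [])]
    missing = [s for s in expected_services if s not in services]
    if missing:
        return ("unexpected-config", f"version {version} lacks {missing}")
    return ("ok", f"version {version} ingress services: {services}")


if __name__ == "__main__":
    print(check_remote_config(SAMPLE_NO_CONFIG, ["http://localhost:9090"]))
    print(check_remote_config(SAMPLE_WITH_CONFIG, ["http://localhost:9090"]))
```
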
