cloudflare-tunnel
43
总安装量
21
周安装量
#8947
全站排名
安装命令
npx skills add https://github.com/vm0-ai/vm0-skills --skill cloudflare-tunnel
Agent 安装分布
claude-code
15
gemini-cli
14
codex
13
opencode
12
antigravity
10
kilo
9
Skill 文档
Cloudflare Tunnel / Access Authentication
Authenticate HTTP requests to services protected by Cloudflare Access using Service Token headers.
When to Use
- Access internal services exposed via Cloudflare Tunnel
- Authenticate to Cloudflare Zero Trust protected applications
- Make API calls to services behind Cloudflare Access
- Bypass Cloudflare Access login page for automated requests
Prerequisites
export CF_ACCESS_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.access
export CF_ACCESS_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Create Service Token
- Go to Cloudflare Zero Trust Dashboard
- Navigate to Access â Service Auth â Service Tokens
- Click Create Service Token
- Name your token and click Generate token
- Copy both Client ID and Client Secret (shown only once!)
Configure Access Policy
Ensure your Access Application allows service token authentication:
- Go to Access â Applications â Select your app
- Add a policy with Service Token as Include rule
- Select your created token
Important: When using
$VARin a command that pipes to another command, wrap the command containing$VARinbash -c '...'. Due to a Claude Code bug, environment variables are silently cleared when pipes are used directly.
Usage
Basic curl Request
Add two headers to authenticate through Cloudflare Access:
bash -c 'curl -s \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
"https://your-protected-service.example.com/api/endpoint"'
With Additional Authentication
Many services require both Cloudflare Access AND their own authentication:
bash -c 'curl -s \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
-H "Authorization: Bearer $API_TOKEN" \
"https://your-protected-service.example.com/api/endpoint"'
With Basic Auth
bash -c 'curl -s \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
-u "username:password" \
"https://your-protected-service.example.com/api/endpoint"'
POST Request with JSON Body
Write to /tmp/request.json:
{
"key": "value"
}
Then run:
bash -c 'curl -s -X POST \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d @/tmp/request.json \
"https://your-protected-service.example.com/api/endpoint"'
Download File
bash -c 'curl -s -o /tmp/output.file \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
"https://your-protected-service.example.com/file"'
Skip SSL Verification (Self-signed certs)
Add -k flag for services with self-signed certificates:
bash -c 'curl -k -s \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
"https://your-protected-service.example.com/api/endpoint"'
Required Headers
| Header | Value | Description |
|---|---|---|
CF-Access-Client-Id |
<client-id>.access |
Service Token Client ID |
CF-Access-Client-Secret |
<secret> |
Service Token Client Secret |
Common Errors
| Error | Cause | Solution |
|---|---|---|
| 403 Forbidden | Invalid or missing headers | Check Client ID and Secret |
| 403 Forbidden | Token not in Access policy | Add token to application’s Access policy |
| 401 Unauthorized | Service’s own auth failed | Check service-specific credentials |
| Connection refused | Tunnel not running | Verify cloudflared is running |
Tips
- Header order doesn’t matter – CF headers can be anywhere in the request
- Works with any HTTP method – GET, POST, PUT, DELETE, etc.
- Combine with other auth – CF Access + Basic Auth, Bearer Token, etc.
- Token rotation – Rotate secrets periodically in Zero Trust dashboard
API Reference
- Cloudflare Access: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
- Zero Trust Dashboard: https://one.dash.cloudflare.com/