cloudflare-tunnel


Cloudflare Tunnel / Access Authentication

Authenticate HTTP requests to services protected by Cloudflare Access using Service Token headers.

When to Use

  • Access internal services exposed via Cloudflare Tunnel
  • Authenticate to Cloudflare Zero Trust protected applications
  • Make API calls to services behind Cloudflare Access
  • Bypass Cloudflare Access login page for automated requests

Prerequisites

```bash
export CF_ACCESS_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.access
export CF_ACCESS_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Create Service Token

  1. Go to the Cloudflare Zero Trust Dashboard
  2. Navigate to Access → Service Auth → Service Tokens
  3. Click Create Service Token
  4. Name your token and click Generate token
  5. Copy both the Client ID and the Client Secret (shown only once!)

Configure Access Policy

Ensure your Access Application allows service token authentication:
  1. Go to Access → Applications → Select your app
  2. Add a policy with Service Token as the Include rule
  3. Select the token you created
Important: When using `$VAR` in a command that pipes to another command, wrap the command containing `$VAR` in `bash -c '...'`. Due to a Claude Code bug, environment variables are silently cleared when pipes are used directly.

Usage

Basic curl Request

Add two headers to authenticate through Cloudflare Access:
```bash
bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/api/endpoint"'
```

With Additional Authentication

Many services require both Cloudflare Access AND their own authentication:
```bash
bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -H "Authorization: Bearer $API_TOKEN" \
  "https://your-protected-service.example.com/api/endpoint"'
```

With Basic Auth

```bash
bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -u "username:password" \
  "https://your-protected-service.example.com/api/endpoint"'
```

POST Request with JSON Body

Write the body to `/tmp/request.json`:
```json
{
  "key": "value"
}
```
Then run:
```bash
bash -c 'curl -s -X POST \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -H "Content-Type: application/json" \
  -d @/tmp/request.json \
  "https://your-protected-service.example.com/api/endpoint"'
```

Download File

```bash
bash -c 'curl -s -o /tmp/output.file \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/file"'
```

Skip SSL Verification (Self-signed certs)

Add the `-k` flag for services with self-signed certificates. Note that `-k` turns off certificate verification for the whole connection; where possible, point curl at the service's CA with `--cacert` instead.
```bash
bash -c 'curl -k -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/api/endpoint"'
```

Required Headers

| Header | Value | Description |
|---|---|---|
| CF-Access-Client-Id | `<client-id>.access` | Service Token Client ID |
| CF-Access-Client-Secret | `<secret>` | Service Token Client Secret |

Common Errors

| Error | Cause | Solution |
|---|---|---|
| 403 Forbidden | Invalid or missing headers | Check Client ID and Secret |
| 403 Forbidden | Token not in Access policy | Add token to application's Access policy |
| 401 Unauthorized | Service's own auth failed | Check service-specific credentials |
| Connection refused | Tunnel not running | Verify cloudflared is running |
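An added wrapper, not part of the original page, that checks the service-token environment before sending, makes the request with the two CF headers from Usage, and maps the outcome to the Common Errors table above. The function names `cf_check_env`, `cf_classify` and `cf_request` are chosen here; the `.access` suffix check follows the Client ID format shown in Required Headers.

```shell
# Added example (not from the original page): validate, request, diagnose.

# Check the Service Token variables before making a request.
# Returns 0 when both are set and the Client ID has the ".access" suffix.
cf_check_env() {
  [ -n "${CF_ACCESS_CLIENT_ID:-}" ] && [ -n "${CF_ACCESS_CLIENT_SECRET:-}" ] || return 1
  case "$CF_ACCESS_CLIENT_ID" in
    *.access) return 0 ;;
    *) return 1 ;;
  esac
}

# Map a curl exit code and HTTP status to the Common Errors table.
# Prints a one-line diagnosis; returns 0 only for a 2xx response.
# curl exit code 7 means "failed to connect", i.e. the tunnel is not reachable.
cf_classify() {
  curl_rc="$1"
  status="$2"
  if [ "$curl_rc" -eq 7 ]; then
    echo "Connection refused: tunnel not running, verify cloudflared is running"
    return 1
  elif [ "$curl_rc" -ne 0 ]; then
    echo "curl failed with exit code $curl_rc"
    return 1
  fi
  case "$status" in
    2??) echo "OK ($status)"; return 0 ;;
    403) echo "403 Forbidden: invalid/missing CF headers or token not in Access policy"; return 1 ;;
    401) echo "401 Unauthorized: service's own auth failed, check service credentials"; return 1 ;;
    *)   echo "Unexpected HTTP status $status"; return 1 ;;
  esac
}

# Send a GET through Cloudflare Access, saving the body to $2 (default: discard),
# then print the diagnosis. Returns 2 if the environment is not usable.
cf_request() {
  url="$1"
  out="${2:-/dev/null}"
  cf_check_env || { echo "CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET not set or malformed"; return 2; }
  status=$(curl -s -o "$out" -w '%{http_code}' \
    -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
    -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
    "$url")
  rc=$?
  cf_classify "$rc" "$status"
}
```

When calling `cf_request` from a pipeline inside Claude Code, wrap the call in `bash -c '...'` as the Important note above describes.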

Tips

  1. Header order doesn't matter - the CF headers can appear anywhere in the request
  2. Works with any HTTP method - GET, POST, PUT, DELETE, etc.
  3. Combine with other auth - CF Access + Basic Auth, Bearer Token, etc.
  4. Token rotation - rotate secrets periodically in the Zero Trust dashboard

API Reference
