SOURCE NOTES · SETUP

Cloudflare Tunnel setup guide — fact-check and revision log

Published July 10, 2026 · Last verified against cloudflared 2026.5.2 on Linux

This page documents how the Cloudflare Tunnel setup guide was written, what sources were consulted, which claims were independently verified, and which revisions were applied before publication. The guide itself is at /guides/cloudflare-tunnel-static-site/.

Sources used

Official Cloudflare docs (canonical)

  1. Cloudflare Tunnel — Get started — developers.cloudflare.com/.../get-started/
  2. Cloudflare Tunnel — Install and setup — developers.cloudflare.com/.../install-and-setup/
  3. Cloudflare Tunnel — Installation — developers.cloudflare.com/.../installation/
  4. Cloudflare Tunnel — Local management — developers.cloudflare.com/.../local-management/
  5. Cloudflare Tunnel — Troubleshoot — developers.cloudflare.com/.../troubleshoot-tunnels/

All 5 returned HTTP 200 during this pass.

Source repo and package checks

  1. cloudflared GitHub repo — github.com/cloudflare/cloudflared (200, README reachable)
  2. pkg.cloudflare.com — pkg.cloudflare.com/ (200, repo metadata reachable)
  3. cloudflared Chocolatey package — chocolatey.org/packages/cloudflared (200)

Live command checks

All commands in the guide were checked against live --help output from cloudflared version 2026.5.2 on Linux on July 10, 2026:

  • cloudflared --version
  • cloudflared tunnel --help
  • cloudflared tunnel login --help
  • cloudflared tunnel create --help
  • cloudflared tunnel route --help
  • cloudflared tunnel info --help
  • cloudflared tunnel list --help
  • cloudflared tunnel run --help

Claim audit

The following claims in the published guide were each verified against at least one canonical source. The verification method is noted for transparency.

Verified against the official docs

  • Cloudflare Tunnels do not require inbound ports on the host. ✓ Confirmed in the Get started page's architecture section.
  • cloudflared uses QUIC/HTTP2 outbound on port 443. ✓ Confirmed in the Install and setup page.
  • cloudflared tunnel login writes a cert.pem to ~/.cloudflared/. ✓ Confirmed in the Local management page.
  • cloudflared tunnel create <NAME> writes a per-tunnel credential JSON to the same directory. ✓ Confirmed.
  • cloudflared tunnel route dns <NAME> <HOSTNAME> creates a CNAME record pointing the hostname to <UUID>.cfargotunnel.com. ✓ Confirmed in tunnel route dns --help output.
  • The default safe catch-all for unknown hostnames is http_status:404. ✓ Confirmed in the Local management page's ingress example.

Verified against live CLI help

  • The flag set for cloudflared tunnel run matches the doc examples (--config, --origincert). ✓ Verified.
  • cloudflared tunnel info <NAME> returns connector details for the named tunnel. ✓ Verified against --help output.
  • cloudflared tunnel list returns all tunnels in the account. ✓ Verified.

Conditional / time-sensitive claims (kept as conditionals in the guide)

  • Install command output may change between cloudflared releases. The guide deliberately avoids copying a specific installer's stdout.
  • DNS propagation can take longer than expected when intermediate resolvers cache stale records. Kept conditional.
  • The exact cost framing ("no hard request cap on tunnels themselves") reflects the public Cloudflare pricing as of July 2026 and is not a long-term guarantee. The guide links to the cost section for verification.

Revisions applied during review

Before publication, the following reviewer-driven revisions were applied to the draft:

  1. Removed a misleading warp-routing mention (out of scope for named tunnels).
  2. Added the noTLSVerify ingress flag for self-signed local origins, with a warning that it is not a generic fix.
  3. Tightened the 1033-error fix path to require byte-identical hostnames (case, subdomain, trailing dot).
  4. Added a Task Scheduler user-context note for native Windows (the running user must match the user that ran tunnel login).
  5. Added a Cloudflare Access pointer for non-public tunnels.
  6. Replaced the dashboard-only credential rotation with the CLI path: cloudflared tunnel delete <NAME> + cloudflared tunnel create <NAME> + re-route.
  7. Added a Docker credential/config mount gotcha (both files must be in the host directory before starting the container).
  8. Clarified expected content-type values per origin type (text/html, text/plain, application/octet-stream).
  9. Tightened the cost framing to note that tunnels themselves do not have a hard request cap.

Last verified

July 10, 2026 against cloudflared 2026.5.2 on Linux. The guide's verification checklist (in §Verification checklist) is the same set of commands a reader can run to confirm their own install.