Cloudflare Tunnel setup guide — fact-check and revision log
This page documents how the Cloudflare Tunnel setup guide was written, what sources were consulted, which claims were independently verified, and which revisions were applied before publication. The guide itself is at /guides/cloudflare-tunnel-static-site/.
Sources used
Official Cloudflare docs (canonical)
- Cloudflare Tunnel — Get started — developers.cloudflare.com/.../get-started/
- Cloudflare Tunnel — Install and setup — developers.cloudflare.com/.../install-and-setup/
- Cloudflare Tunnel — Installation — developers.cloudflare.com/.../installation/
- Cloudflare Tunnel — Local management — developers.cloudflare.com/.../local-management/
- Cloudflare Tunnel — Troubleshoot — developers.cloudflare.com/.../troubleshoot-tunnels/
All 5 returned HTTP 200 during this pass.
Source repo and package checks
- cloudflared GitHub repo — github.com/cloudflare/cloudflared (200, README reachable)
- pkg.cloudflare.com — pkg.cloudflare.com/ (200, repo metadata reachable)
- cloudflared Chocolatey package — chocolatey.org/packages/cloudflared (200)
Live command checks
All commands in the guide were checked against live --help output from cloudflared version 2026.5.2 on Linux on July 10, 2026:
cloudflared --versioncloudflared tunnel --helpcloudflared tunnel login --helpcloudflared tunnel create --helpcloudflared tunnel route --helpcloudflared tunnel info --helpcloudflared tunnel list --helpcloudflared tunnel run --help
Claim audit
The following claims in the published guide were each verified against at least one canonical source. The verification method is noted for transparency.
Verified against the official docs
- Cloudflare Tunnels do not require inbound ports on the host. ✓ Confirmed in the Get started page's architecture section.
cloudflareduses QUIC/HTTP2 outbound on port 443. ✓ Confirmed in the Install and setup page.cloudflared tunnel loginwrites acert.pemto~/.cloudflared/. ✓ Confirmed in the Local management page.cloudflared tunnel create <NAME>writes a per-tunnel credential JSON to the same directory. ✓ Confirmed.cloudflared tunnel route dns <NAME> <HOSTNAME>creates a CNAME record pointing the hostname to<UUID>.cfargotunnel.com. ✓ Confirmed intunnel route dns --helpoutput.- The default safe catch-all for unknown hostnames is
http_status:404. ✓ Confirmed in the Local management page's ingress example.
Verified against live CLI help
- The flag set for
cloudflared tunnel runmatches the doc examples (--config,--origincert). ✓ Verified. cloudflared tunnel info <NAME>returns connector details for the named tunnel. ✓ Verified against--helpoutput.cloudflared tunnel listreturns all tunnels in the account. ✓ Verified.
Conditional / time-sensitive claims (kept as conditionals in the guide)
- Install command output may change between cloudflared releases. The guide deliberately avoids copying a specific installer's stdout.
- DNS propagation can take longer than expected when intermediate resolvers cache stale records. Kept conditional.
- The exact cost framing ("no hard request cap on tunnels themselves") reflects the public Cloudflare pricing as of July 2026 and is not a long-term guarantee. The guide links to the cost section for verification.
Revisions applied during review
Before publication, the following reviewer-driven revisions were applied to the draft:
- Removed a misleading warp-routing mention (out of scope for named tunnels).
- Added the
noTLSVerifyingress flag for self-signed local origins, with a warning that it is not a generic fix. - Tightened the 1033-error fix path to require byte-identical hostnames (case, subdomain, trailing dot).
- Added a Task Scheduler user-context note for native Windows (the running user must match the user that ran
tunnel login). - Added a Cloudflare Access pointer for non-public tunnels.
- Replaced the dashboard-only credential rotation with the CLI path:
cloudflared tunnel delete <NAME>+cloudflared tunnel create <NAME>+ re-route. - Added a Docker credential/config mount gotcha (both files must be in the host directory before starting the container).
- Clarified expected
content-typevalues per origin type (text/html, text/plain, application/octet-stream). - Tightened the cost framing to note that tunnels themselves do not have a hard request cap.
Last verified
July 10, 2026 against cloudflared 2026.5.2 on Linux. The guide's verification checklist (in §Verification checklist) is the same set of commands a reader can run to confirm their own install.