CHANGES.md
- Removes the proxy-dns feature from cloudflared. This feature allowed running a local DNS over HTTPS (DoH) proxy.
  Users who relied on this functionality should migrate to alternative solutions.
  Removed commands and flags:
  - `cloudflared proxy-dns`
  - `cloudflared tunnel proxy-dns`
  - `--proxy-dns`, `--proxy-dns-port`, `--proxy-dns-address`, `--proxy-dns-upstream`, `--proxy-dns-max-upstream-conns`, `--proxy-dns-bootstrap`
  - `resolver` section in configuration file
- cloudflared will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
- `cloudflared tunnel diag`.
- `--metrics` is still honoured, meaning that if this flag is set the metrics server will try to bind it; however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case all ports are unavailable, the fallback is to bind to a random port.
- `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force cloudflared to shut down as soon as either SIGTERM or SIGINT is received.
- `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
- `warp-routing enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (e.g. TCP, UDP, ICMP) is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that the tunnel has no Private Routes configured.
- `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as `/metrics` provide your prometheus metrics endpoint another mechanism to be reached. Additionally `/debug/pprof/(goroutine|heap)` are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
- `cloudflared tail <TUNNEL-ID>`. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.
- `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.
- `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text, as those are the secret that allows the Tunnel to run.
- `cloudflared tunnel token --cred-file /path/to/file.json TUNNEL`. This new feature only works for Tunnels created with cloudflared version 2022.3.0 or more recent.
- `cloudflared service install` now starts the underlying agent service on Linux operating system (similarly to the behaviour in Windows and MacOS).
- `cloudflared service install` now starts the underlying agent service on Windows operating system (similarly to the behaviour in MacOS).
- `quic` protocol, including an edge case that could lead to cloudflared crashing.
- `unix:/` then we assume HTTP (existing behavior). Otherwise, the origin can start with `unix+tls:/` for HTTPS.
- `quic` protocol.
- `cloudflared tunnel vnet` commands to allow for private routing to be virtualized. This means that the same CIDR can now be used to point to two different Tunnels with the `cloudflared tunnel route ip` command. More information will be made available on blog.cloudflare.com and developers.cloudflare.com/cloudflare-one once the feature is globally available.
- `protocol` property is defined (e.g. for `quic`), cloudflared no longer falls back to an older protocol (such as `http2`) in the face of connectivity errors. This is important because some features are only supported in a specific protocol (e.g. UDP proxying only works for `quic`). Hence, if a user chooses a protocol, cloudflared now adheres to it no matter what.
- `quic` protocol now respects graceful shutdown.
- `quic` transport is used and UDP traffic is proxied.
- `ERR` level logging if there are no connections to Cloudflare edge that are active. Otherwise it logs `WARN` level.
- `protocol:quic` to `protocol:http2` immediately if UDP connectivity isn't available. This could be because of a firewall or egress rule.
- cloudflared can now run with `quic` as the underlying tunnel transport protocol. To try it, change or add `protocol: quic` to your config.yml file or run cloudflared with the `--protocol quic` flag, e.g.:
  `cloudflared tunnel --protocol quic run <tunnel-name>`
- `quic` mode. It's advised to upgrade to at least this version (2021.9.2) when running cloudflared with the `quic` protocol.
- cloudflared docker images will now show version.
- `cloudflared tunnel route dns --overwrite-dns foo-tunnel foo.example.com`
- `cloudflared tunnel --overwrite-dns --name foo-tunnel --hostname foo.example.com`
- It is now possible to run the same tunnel using more than one cloudflared instance. This is a server-side change and is compatible with any client version that uses Named Tunnels. To get started, visit our developer documentation.
- `cloudflared tunnel ingress validate` will now warn about unused keys in your config file. This is helpful for detecting typos in your config.
- If cloudflared detects it is running inside a Linux container, it will limit itself to use only the number of CPUs the pod has been granted, instead of trying to use every CPU available.
- `proxy-dns` option now works in conjunction with running a named tunnel #346.
- `cloudflared tunnel -name NAME` will not overwrite existing files when writing tunnel credentials.
- `--credentials-file` flag.
- `cloudflared tunnel info <name/uuid>`. It is possible to sort the output as well as output in different formats, such as: `cloudflared tunnel info --sort-by version --invert-sort --output json <name/uuid>`. You can obtain more information via `cloudflared tunnel info --help`.
- `--config FILE` flag is present after the `tunnel` subcommand.
- `cloudflared tunnel route --help` output.
- `service: socks-proxy`. Traffic is routed to any destination specified by the SOCKS5 packet but only if allowed by a rule. In the following example we allow proxying to a certain CIDR but explicitly forbid one address within it:

```yaml
ingress:
  - hostname: socks.example.com
    service: socks-proxy
    originRequest:
      ipRules:
        - prefix: 192.168.1.8/32
          allow: false
        - prefix: 192.168.1.0/24
          ports: [80, 443]
          allow: true
```
- `cloudflared tunnel run` now considers CLI arguments even if they appear earlier on the command. For instance, `cloudflared --config config.yaml tunnel run` will now behave the same as `cloudflared tunnel --config config.yaml run`.
- `no-autoupdate` is true.
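The socks-proxy `ipRules` snippet above is an ordered allow/deny list, and the order is what makes the `/32` deny effective: the first rule whose prefix and port match decides, so the deny must precede the broader `/24` allow. The following evaluator is an added example written for this page, not cloudflared's own implementation; the `Rule`/`Policy` names are this example's, and the default-deny for destinations matching no rule is assumed from the wording "only if allowed by a rule".

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule mirrors one originRequest.ipRules entry: a CIDR prefix, an optional
// destination port list (empty means any port) and the verdict on match.
type Rule struct {
	Prefix netip.Prefix
	Ports  []int
	Allow  bool
}

// Policy is evaluated in order: the first rule matching prefix and port decides,
// and a destination matching no rule is denied. That default-deny is this
// example's reading of "only if allowed by a rule", not taken from cloudflared.
type Policy []Rule

// NewRule validates the prefix as it would be written in the YAML.
func NewRule(prefix string, ports []int, allow bool) (Rule, error) {
	pfx, err := netip.ParsePrefix(prefix)
	if err != nil {
		return Rule{}, fmt.Errorf("ipRules prefix %q: %w", prefix, err)
	}
	return Rule{Prefix: pfx.Masked(), Ports: ports, Allow: allow}, nil
}

func (r Rule) matches(ip netip.Addr, port int) bool {
	portOK := len(r.Ports) == 0 // no port list means any port
	for _, p := range r.Ports {
		portOK = portOK || p == port
	}
	return portOK && r.Prefix.Contains(ip)
}
// Allowed reports whether a SOCKS5 CONNECT to a literal "ip:port" may be proxied.
// Hostname destinations would have to be resolved and each address checked first.
func (p Policy) Allowed(dest string) (bool, error) {
	ap, err := netip.ParseAddrPort(dest)
	if err != nil {
		return false, err
	}
	for _, r := range p {
		if r.matches(ap.Addr().Unmap(), int(ap.Port())) {
			return r.Allow, nil
		}
	}
	return false, nil
}
```

Swapping the two rules would let `192.168.1.8:80` through, which is the kind of ordering mistake `cloudflared tunnel ingress validate` cannot catch for you.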