Connect using cloudflared

With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the WARP client. This method requires you to onboard a domain to Cloudflare and install cloudflared on both the server and the user’s device.

Users log in to the application by running a cloudflared access command in their terminal. cloudflared will launch a browser window and prompt the user to authenticate with your identity provider.

Note

Automated services should only authenticate with cloudflared if they cannot use a service token. Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a Service Auth policy or using Warp to Tunnel routing in these instances.

Setup

For examples of how to connect to Access applications with cloudflared, refer to these tutorials:

• Connect through Access using a CLI
• Connect through Access using kubectl
• Connect over SSH with cloudflared
• Connect over RDP with cloudflared
• Connect over SMB with cloudflared

Automatic cloudflared authentication

When users connect to an Access application through cloudflared, the browser prompts them to allow access by displaying this page:

Automatic cloudflared authentication allows users to skip this login page if they already have an active IdP session.

To enable automatic cloudflared authentication:

1. In Zero Trust ↗, go to Access > Applications.
2. Locate your application and select Configure.
3. In the Settings tab, scroll down to Additional settings.
4. Turn on Enable automatic cloudflared authentication.
5. Select Save application.

This option will still prompt a browser window in the background, but authentication will now happen automatically.