- Home
- Skills
- Vm0 Ai
- Vm0 Skills
- Cloudflare Tunnel
cloudflare-tunnel_skill
- Shell
39
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill vm0-ai/vm0-skills --skill cloudflare-tunnel- SKILL.md4.5 KB
Overview
This skill authenticates HTTP requests to services protected by Cloudflare Access / Cloudflare Tunnel using Service Token headers. It provides simple shell curl examples and patterns to include the required CF-Access headers for automated scripts and CI. Use it to call internal apps or APIs shielded by Cloudflare Zero Trust without interactive login.
How this skill works
The skill injects two HTTP headers—CF-Access-Client-Id and CF-Access-Client-Secret—into requests made from shell scripts or CI pipelines. It demonstrates curl commands for GET, POST, file download, basic auth, bearer tokens, and skipping SSL verification when necessary. Environment variables are recommended for secrets, and commands that pipe must be wrapped in bash -c to preserve env vars.
When to use it
- Access internal services exposed via Cloudflare Tunnel
- Call APIs or web apps protected by Cloudflare Zero Trust
- Automate requests that would otherwise hit the Cloudflare Access login page
- Combine Cloudflare Access auth with an app’s own credentials in scripts
- Download files or interact with services behind an Access policy from CI/CD pipelines
Best practices
- Store CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET in secure environment variables or a secrets manager
- Wrap piped curl commands in bash -c '...' so environment variables are preserved in shells used by some runtimes
- Rotate service token secrets regularly and update policies in the Zero Trust dashboard
- Add the service token to the application Access policy with a Service Token include rule
- Combine with additional headers (Authorization, Basic Auth) only when the app requires them
Example use cases
- Simple API GET using curl to an internal endpoint protected by Cloudflare Access
- POST JSON payloads to a protected service from automation or webhook handlers
- Download logs or artifacts from a tunneled service into CI using the CF headers
- Access an internal dashboard programmatically while also supplying a Bearer token for app-level auth
- Use -k in development to bypass SSL verification for self-signed certificates on tunneled services
FAQ
You must send CF-Access-Client-Id and CF-Access-Client-Secret with each HTTP request. The Client ID ends with .access.
Why wrap commands in bash -c?
Some runtimes clear environment variables when piping; wrapping the command in bash -c '...' preserves variables like CF_ACCESS_CLIENT_SECRET during piped executions.