Protocols for published applications
When you add a published application route to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind cloudflared.
The table below lists the service types you can route to a public hostname. Non-HTTP services require installing cloudflared on the client for end users to connect.
| Service type | Description | Example service value |
|---|---|---|
| HTTP | Proxies incoming HTTPS requests to your local web service over HTTP. | http://localhost:8000 |
| HTTPS | Proxies incoming HTTPS requests directly to your local web service. You can disable TLS verification for self-signed certificates. | https://localhost:8000 |
| UNIX | Same as HTTP, but uses a Unix socket. | unix:/home/production/echo.sock |
| UNIX + TLS | Same as HTTPS, but uses a Unix socket. | unix+tls:/home/production/echo.sock |
| TCP | Streams TCP over a WebSocket connection. End users run cloudflared access tcp to connect. For long-lived connections, use WARP-to-Tunnel instead. | tcp://localhost:2222 |
| SSH | Streams SSH over a WebSocket connection. End users run cloudflared access ssh to connect. For long-lived connections, use WARP-to-Tunnel instead. | ssh://localhost:22 |
| RDP | Streams RDP over a WebSocket connection. For more information, refer to Connect to RDP with client-side cloudflared. | rdp://localhost:3389 |
| SMB | Streams SMB over a WebSocket connection. For more information, refer to Connect to SMB with client-side cloudflared. | smb://localhost:445 |
| HTTP_STATUS | Responds to all requests with a fixed HTTP status code. | http_status:404 |
| BASTION | Allows cloudflared to act as a jump host, providing access to any local address. | bastion |
| HELLO_WORLD | Test server for validating your Cloudflare Tunnel connection (for locally managed tunnels only). | hello_world |