Where to find API endpoints to create internal/external hostnames?
I have a Cloudflare tunnel set up to my home network for some personal self-hosted services. While learning my way around the dashboard, I decided to try to use the API to help make creating DNS entries faster.
In my investigation, I learned how to manage DNS entries, but I could not figure out how to create "Public Hostname" entries via the API within my tunnel, and made the following observations:
1) If I create a hostname entry via the dashboard GUI, it'll automatically create a DNS CNAME entry, but the converse is not true
2) I can create DNS entries with a POST to https://api.cloudflare.com/api/v4/zones/{{CF-Zone-ID}}/dns_records, but I cannot figure out how to do #1 via the API (create a hostname entry)
3) When viewing the network tab of the browser developer tools to try to reverse engineer it, the only thing I'm finding is the same POST above, though it uses dash.cloudflare.com/api, which I'm assuming is a different API for the dashboard vs. the raw API, which makes me think some functions are only available via the dashboard. The user-facing API URL is https://api.cloudflare.com/client/v4
I'd appreciate any guidance on how to do this (add a new tunnel public hostname/DNS mapping) programmatically, thanks!
The nice interface today that exists for Cloudflare tunnels came a while after they were launched. It was first just local config (in yaml) and local tunnel management.
So the endpoints aren't really nice. What the dash does is store the entire tunnel config in json and load it/save it back on each modification. You're looking for the configurations endpoint call. Here's the endpoint: https://developers.cloudflare.com/api/operations/cloudflare-tunnel-configuration-put-configuration
That is exactly what I was looking for, thank you so much for pointing me in the right direction.
I wouldn't have ended up there organically, I don't think.
Only your account can CNAME to tunnels belonging to your account. Once you CNAME to the tunnel, requests go down the tunnel, and then are processed by the local config, specifically the ingress part, to the right local service
yea it's kind of messy lol, it PUTs the entire config back on each change
Your pattern would have to be like:
Post DNS Record CNAME -> Tunnel
GET Tunnel Config
..Modify Tunnel config/add public hostname(s)/etc
PUT back entire tunnel config, and on this action the tunnel will be automagically notified the config updated and know where to route the now incoming requests
Well, your explanation is very concise and well-explained, I really have no further questions right now. I'll play around with it and I'm sure it'll fit the bill. Thanks so much for a quick response! I posted on Reddit in /r/cloudflare but never got a single response 😦
This especially is super helpful - I'm not a programmer/developer, just like to tinker, and trying to figure out the flow of APIs always trips me up since it's multiple calls that formulate a single flow.
Thank you again. Is there a way to mark this solved?
I see it just changed, thanks
Under Edit Tags -> Solved, I did it for you
You're phenomenal
yea, one nice thing about CF is the dashboard uses all the same APIs you use, so you can kind of easily reverse engineer it, makes up for the meh API Docs
Yup. I'm a network engineer by trade, so always comfortable looking in the developer tools network tab 🙂
feels like home.
When you add a Public Hostname you should be able to see the DNS Record add and the configuration put, those are the two important ones
Noted, ty. You've just unblocked me, so I can get back to the fun stuff 🙂
And to answer your third original question, the dash.cloudflare.com/api and api.cloudflare.com are generally the same API with the same endpoints but just different hostnames/initial path. The dash is Bot protected so you don't want to use it headless.
Pretty much all the same endpoints are available on both. Some are undocumented in api.cf meaning they may change in the future but still work. The only ones that I can think of which are protected are a few like Registrar API (Enterprise only), Email Verification API (no bots) which exist in dash but not api.cf
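Added example, not part of the thread and not Cloudflare's own code: the POST CNAME / GET config / modify / PUT flow described above, written as offline helpers that build the request bodies. Because the PUT replaces the entire tunnel config, the merge step keeps every existing rule and keeps the catch-all last. Assumptions: the `<tunnel-id>.cfargotunnel.com` CNAME target, the `cfd_tunnel/.../configurations` path, the `ingress` rule shape, and all hostnames and IDs, which are constructed.

```python
import copy

API = "https://api.cloudflare.com/client/v4"  # user-facing base URL quoted in the thread

def dns_record_body(hostname, tunnel_id):
    """Step 1: body for POST /zones/{zone_id}/dns_records.
    Assumption: a tunnel is addressed as <tunnel-id>.cfargotunnel.com."""
    return {"type": "CNAME", "name": hostname,
            "content": f"{tunnel_id}.cfargotunnel.com", "proxied": True}

def add_public_hostname(config, hostname, service):
    """Steps 2-3: return a modified copy of the config object obtained by GET.
    All existing rules are preserved, since the PUT overwrites the whole config."""
    new = copy.deepcopy(config)
    rules = new.setdefault("ingress", [])
    if any(r.get("hostname") == hostname for r in rules):
        raise ValueError(f"{hostname} already has an ingress rule")
    # The final rule must be a catch-all without a hostname; add one if missing.
    if not rules or "hostname" in rules[-1]:
        rules.append({"service": "http_status:404"})
    # New hostnames go in front of the catch-all so they are matched first.
    rules.insert(len(rules) - 1, {"hostname": hostname, "service": service})
    return new

def put_request(account_id, tunnel_id, config):
    """Step 4: URL and JSON body for the PUT (endpoint path is an assumption)."""
    url = f"{API}/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations"
    return url, {"config": config}

# Constructed sample of a config as it might come back from the GET.
SAMPLE = {"ingress": [
    {"hostname": "wiki.example.com", "service": "http://localhost:8080"},
    {"service": "http_status:404"},
]}

if __name__ == "__main__":
    updated = add_public_hostname(SAMPLE, "git.example.com", "http://localhost:3000")
    url, body = put_request("ACCOUNT_ID", "TUNNEL_ID", updated)
    print(dns_record_body("git.example.com", "TUNNEL_ID"))
    print(url)
    print(body)
```

Sending these bodies needs an API token allowed to edit DNS for the zone and the tunnel configuration for the account; the helpers make no network calls themselves.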