Published Wed Apr 01 2026 08:00:00 GMT+0800 (China Standard Time)
Tags: deployment, Cloudflare, ops
# Production-grade Cloudflare Tunnel tuning for AI support
One-command Cloudflare Tunnel for Chatwoot + Dify hides production gotchas — WebSocket drops, timeouts, monitoring blind spots. A checklist.
## 5 issues defaults won’t tell you
- WebSocket drops after 1 hour — default connection timeout
- Large file uploads fail — 100 MB default body cap
- Long LLM responses get truncated — 100s edge HTTP timeout
- Streaming responses arrive choppy — buffering not disabled
- No metrics out of the box — default logging doesn’t emit anything useful
## Tuning checklist
### 1. Origin request shape
```yaml
tunnel: <UUID>
ingress:
  - hostname: support.yourdomain.com
    service: http://localhost:3000
    originRequest:
      noTLSVerify: false            # keep origin certificate checks on
      connectTimeout: 30s           # time allowed to open a connection to the origin
      keepAliveConnections: 100     # pooled idle connections to the origin
      keepAliveTimeout: 90s         # how long an idle pooled connection is kept
      disableChunkedEncoding: false # chunked transfer stays on for streaming bodies
  - service: http_status:404        # catch-all; must be the last rule
```
### 2. Carve out streaming paths
```yaml
  # Ingress is first-match: the path rule must come before the general rule
  # for the same hostname, or it is never reached.
  - hostname: dify.yourdomain.com
    path: /api/.*/streaming.*
    service: http://localhost:5001
    originRequest:
      connectTimeout: 30s
      tlsTimeout: 10s
      tcpKeepAlive: 30s   # keeps long-lived streaming connections alive
  - hostname: dify.yourdomain.com
    service: http://localhost:5001
```
### 3. Cloudflare Dashboard
| Setting | Path | Value |
|---|---|---|
| Body size | Rules → Configuration Rules | Up to 500 MB |
| Cache bypass | Caching → Cache Rules | Bypass `/api/*` and `/cable` |
| Buffering | Speed → Optimization | Disable Rocket Loader, Auto Minify |
### 4. Metrics
Expose tunnel metrics:
```yaml
metrics: 0.0.0.0:8081   # listens on all interfaces; restrict with a firewall or bind to 127.0.0.1 if Prometheus scrapes locally
```
Then scrape `cloudflared_tunnel_*` from Prometheus.
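To catch the ordering and timeout mistakes from steps 1, 2 and 4 before deploying, here is an added lint script (not part of this post or of cloudflared). It works on the parsed form of the config, i.e. what `yaml.safe_load` returns; the `CONFIG` dict is a constructed sample built from the snippets above, and hostname matching is exact (wildcard hostnames are not modelled).

```python
import re

# Constructed sample: the parsed config.yml assembled from the checklist above.
CONFIG = {
    "tunnel": "<UUID>",
    "metrics": "0.0.0.0:8081",
    "ingress": [
        {"hostname": "dify.yourdomain.com", "path": r"/api/.*/streaming.*",
         "service": "http://localhost:5001",
         "originRequest": {"connectTimeout": "30s", "tlsTimeout": "10s", "tcpKeepAlive": "30s"}},
        {"hostname": "dify.yourdomain.com", "service": "http://localhost:5001"},
        {"hostname": "support.yourdomain.com", "service": "http://localhost:3000",
         "originRequest": {"noTLSVerify": False, "connectTimeout": "30s",
                           "keepAliveConnections": 100, "keepAliveTimeout": "90s"}},
        {"service": "http_status:404"},
    ],
}

def match_rule(config, hostname, path):
    """First-match ingress lookup (what `cloudflared tunnel ingress rule` reports).
    Returns the index of the rule that would serve the request."""
    for i, rule in enumerate(config["ingress"]):
        if rule.get("hostname") and rule["hostname"] != hostname:
            continue
        if rule.get("path") and not re.search(rule["path"], path):
            continue
        return i
    raise ValueError("no catch-all rule")

def lint(config):
    """Return checklist violations; an empty list means the config is clean."""
    problems = []
    rules = config.get("ingress", [])
    if not rules or "hostname" in rules[-1] or "path" in rules[-1]:
        problems.append("last ingress rule must be a catch-all (no hostname, no path)")
    seen_general = set()  # hostnames already claimed by a rule without `path`
    for i, rule in enumerate(rules):
        host = rule.get("hostname")
        origin = rule.get("originRequest", {})
        if rule.get("path"):
            if host in seen_general:
                problems.append(f"rule {i}: path rule for {host} is shadowed by an earlier rule")
            if "connectTimeout" not in origin:
                problems.append(f"rule {i}: streaming path has no originRequest timeouts")
        elif host:
            seen_general.add(host)
        if origin.get("noTLSVerify"):
            problems.append(f"rule {i}: noTLSVerify: true disables origin certificate checks")
    if "metrics" not in config:
        problems.append("no `metrics:` address, so Prometheus has nothing to scrape")
    return problems
```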
### 5. HA — dual tunnels
Run two cloudflared processes (on different hosts) with the same tunnel UUID — automatic load balancing.
## When NOT to use Tunnel
- Latency-critical real-time voice → public IP + Cloudflare in front
- < 8 GB RAM hosts → cloudflared isn’t free on memory
- Heavy file uploads → use R2 direct uploads