Oct 31st 2025 · 3 min read · #access #argo #cloudflare #nightmare #oidc #rant #tunnels #usabiility #ux #zero-trust
I have, again, spent far too much time wandering the chaotic wilds of Cloudflare’s web UI to set up a new tunnelled web application (a trivial proxy to be able to use my Supernote Nomad as a whiteboard from the Azure Virtual Desktop I live inside of), and to avoid having to go through the whole thing again, I decided to take some notes.
Keep in mind that what I want to do here is both map an internal URL to a public hostname and bind it to my OIDC setup, which should be an automatic process but actually requires traipsing around Cloudflare’s portal in what I can only describe as a random walk.
Here’s the sequence I followed the third time around, after checking my previous (incomplete) notes, Cloudflare’s documentation, and making several attempts at ignoring the AI summaries that every single search engine threw at me while searching.
- Go into the Dashboard, select your account (I have access to several).
- This takes you into another portal.
- Pick Zero Trust from the sidebar.
- This takes you into another portal (seriously, this is not a dupe).
- Pick `Networks`, `Tunnels`.
- This takes you into a listing of your tunnels, which should be navigable vertically.
- Spend 15 seconds trying to figure out how to edit a tunnel because for some unfathomable reason the hamburger menu has scrolled out of your screen off to the side even though you have a full screen browser window. I have no explanation for this.
- This takes you into another section where navigation is tab-based.
- Pick `Published Application Routes`, because, well, a simpler name like “tunnel hostnames” would clearly be too easy.
- Click `Add a Published Application Route`.
- This takes you to a form that is confusingly identical to the `Applications` form under `Access` that you thought (some 30 minutes ago in your second try), would be the right place to add an application to a tunnel. This is important because I always go there first, and I have omitted those initial 30 minutes from this blow-by-blow account because I am never getting them back and really want to forget them.
- Add the hostname and pick the domain you want to associate it to (this will create a “magic” DNS entry under that domain), and map it to the `Service` (or URL) you will be specifying under it (astute readers will have noticed that this is yet another name for the same thing, but naming things is hard and inconsistency seems to be a theme here).
- You will notice that `Additional Application Settings` is collapsed. That is because it is hiding (perchance on purpose) the `Enforce Access JSON Web Token (JWT) validation` setting, which requires you to pick… An unlabeled something, which is not there.
- At this point, you notice (by clicking on that drop down) that the options are the names of the applications you glimpsed in the `Applications` list under `Access` that you were trying to forget.
- Pick `Access` from the sidebar and `Applications`. This takes you to a list of existing applications.
- Hit `Add an Application`. This takes you to a grid of the five types of applications that you can create, three of which have nearly indistinguishable icons. Scroll down and hit `Select` under `Self-Hosted`, because clicking on the icon does nothing.
- Create a new application in the confusingly almost identical form to the `Add a Published Application Route`. Spend 30 seconds trying to figure out why you’d need a subdomain for this, then ensure your OIDC provider is picked and hit Next a few times because there is no good reason to use any of the other options.
- Now go back to `Networks`, `Tunnels`, `Published Application Routes` and expand `Additional Application Settings`, scroll to the bottom and pick the new application you have created.
- Test it. It usually works after a few minutes of DNS propagation.
That’s it. The reason my first and second attempts failed was, apparently, that I kept trying to create the Application without the magic DNS entry being there, and nothing worked from that point. But I’ve been using tunnels for a long time now, and I’m pretty sure the original Argo Tunnels UI was much simpler to use.
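
The "Test it" step above, as an added example that is not part of the original post: a POSIX shell check that an unauthenticated request to the new hostname is redirected to the Access login page instead of being answered by the origin. The hostname `whiteboard.example.com`, the team name `myteam`, the function names and the sample headers are all constructed for illustration.

```shell
#!/bin/sh
# Classify the response headers of an UNAUTHENTICATED request to a tunnelled
# hostname. Prints: access-login | served | other
classify_access_response() {
  # Strip CRs so HTTP line endings do not end up inside the parsed fields.
  _hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  _status=$(printf '%s\n' "$_hdrs" | awk 'toupper($1) ~ /^HTTP\// {print $2; exit}')
  _loc=$(printf '%s\n' "$_hdrs" | awk 'tolower($1) == "location:" {print $2; exit}')
  case "$_status" in
    30[1237])
      # Split the redirect target into host and path; match the host as a
      # suffix so "cloudflareaccess.com" buried in a path does not count.
      _rest=${_loc#https://}; _host=${_rest%%/*}; _path=${_rest#"$_host"}
      case "$_loc" in https://*) ;; *) _host= ;; esac
      case "$_host" in
        *.cloudflareaccess.com)
          case "$_path" in
            /cdn-cgi/access/login/*) echo access-login; return 0 ;;
          esac ;;
      esac
      echo other ;;
    2??) echo served ;;  # origin answered without any login: route is open
    *)   echo other ;;
  esac
}

# Live check (hypothetical helper): GET the hostname with no cookies or tokens.
check_host() {
  _r=$(classify_access_response "$(curl -s -o /dev/null -D - --max-time 10 "https://$1/")")
  echo "$1: $_r"
  [ "$_r" = access-login ]
}

# Constructed sample headers, not captured from a real deployment.
SAMPLE_PROTECTED='HTTP/2 302
location: https://myteam.cloudflareaccess.com/cdn-cgi/access/login/whiteboard.example.com?kid=PLACEHOLDER_AUD'
SAMPLE_EXPOSED='HTTP/1.1 200 OK
content-type: text/html'

classify_access_response "$SAMPLE_PROTECTED"
classify_access_response "$SAMPLE_EXPOSED"
```

Calling `check_host whiteboard.example.com` from a machine with no Access session runs the same classification against the live hostname; a result of `served` means the origin returned content without any login.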