cloudflare/cloudflare-prometheus-exporter
TypeScript
Captured source
source ↗cloudflare/cloudflare-prometheus-exporter
Description: Export Cloudflare metrics to Prometheus. Built on Cloudflare Workers with Durable Objects for stateful metric accumulation.
Language: TypeScript
License: MIT
Stars: 163
Forks: 24
Open issues: 11
Created: 2025-12-01T20:54:25Z
Pushed: 2026-06-09T17:40:47Z
Default branch: main
Fork: no
Archived: no
README:
Cloudflare Prometheus Exporter
Export Cloudflare metrics to Prometheus. Built on Cloudflare Workers with Durable Objects for stateful metric accumulation.
Features
- 90+ Prometheus metrics - requests, bandwidth, threats, workers, load balancers, SSL certs, hostname-level analytics, network analytics, Magic Transit tunnel health/traffic/SLO, Magic Firewall per-rule visibility, stream video/live, and more
- Cloudflare Workers - serverless edge deployment
- Durable Objects - stateful counter accumulation for proper Prometheus semantics
- Background refresh - alarms fetch data every 60s; scrapes return cached data instantly
- Rate limiting - 200 req/10s with exponential backoff
- Multi-account - automatically discovers and exports all accessible accounts/zones
- Runtime config API - change settings without redeployment via REST endpoints
- Configurable - zone filtering, metric denylist, label exclusion, custom metrics path, and more
Quick Start
One-Click Deploy
Click the deploy button above. Configure CLOUDFLARE_API_TOKEN as a secret after deployment. Configure BASIC_AUTH_USER and BASIC_AUTH_PASSWORD to protect the exporter with HTTP Basic Auth.
Manual Deployment
git clone https://github.com/cloudflare/cloudflare-prometheus-exporter.git cd cloudflare-prometheus-exporter bun install wrangler secret put CLOUDFLARE_API_TOKEN bun run deploy
Configuration
Configuration is resolved in order: KV overrides → env vars → defaults. Use the [Runtime Config API](#runtime-config-api) for dynamic changes without redeployment.
Environment Variables
Set in wrangler.jsonc or via wrangler secret put:
| Variable | Default | Description | |----------|---------|-------------| | CLOUDFLARE_API_TOKEN | - | Cloudflare API token (secret) | | QUERY_LIMIT | 10000 | Max results per GraphQL query | | SCRAPE_DELAY_SECONDS | 300 | Delay before fetching metrics (data propagation) | | TIME_WINDOW_SECONDS | 60 | Query time window | | METRIC_REFRESH_INTERVAL_SECONDS | 60 | Background refresh interval | | LOG_LEVEL | info | Log level (debug/info/warn/error) | | LOG_FORMAT | json | Log format (pretty/json) | | ACCOUNT_LIST_CACHE_TTL_SECONDS | 600 | Account list cache TTL | | ZONE_LIST_CACHE_TTL_SECONDS | 1800 | Zone list cache TTL | | SSL_CERTS_CACHE_TTL_SECONDS | 1800 | SSL cert cache TTL | | HEALTH_CHECK_CACHE_TTL_SECONDS | 10 | Health check cache TTL | | EXCLUDE_HOST | false | Exclude host labels from metrics | | CF_HTTP_STATUS_GROUP | false | Group HTTP status codes (2xx, 4xx, etc.) | | DISABLE_UI | false | Disable landing page (returns 404) | | DISABLE_CONFIG_API | false | Disable config API endpoints (returns 404) | | METRICS_DENYLIST | - | Comma-separated list of metrics to exclude | | CF_ACCOUNTS | - | Comma-separated account IDs to include (default: all) | | CF_ZONES | - | Comma-separated zone IDs to include (default: all) | | CF_FREE_TIER_ACCOUNTS | - | Comma-separated account IDs using free tier (skips paid-tier metrics) | | HOST_METRICS_ALLOWLIST | - | Comma-separated hostnames for hostname-level metrics (max 50). Empty disables. Adds 1 extra GraphQL call per account per refresh cycle. EXCLUDE_HOST=true also disables. | | HOST_METRICS_DELAY_SECONDS | 60 | Ingestion delay for hostname metrics (seconds). Lower values = fresher data for alerting but risk incomplete data. Independent from SCRAPE_DELAY_SECONDS. | | METRICS_PATH | /metrics | Custom path for metrics endpoint | | BASIC_AUTH_USER | - | Username for basic auth (secret, default: no auth, requires BASIC_AUTH_PASSWORD) | | BASIC_AUTH_PASSWORD | - | Password for basic auth (secret, default: no auth, requires BASIC_AUTH_USER) |
Creating an API Token
Quick setup: Create token with pre-filled permissions
Manual setup:
| Permission | Access | Required | |------------|--------|----------| | Zone > Analytics | Read | Yes | | Account > Account Analytics | Read | Yes | | Account > Workers Scripts | Read | Yes | | Zone > SSL and Certificates | Read | Optional | | Zone > Firewall Services | Read | Optional | | Zone > Load Balancers | Read | Optional | | Account > Logs | Read | Optional | | Account > Magic Transit | Read | Optional |
Endpoints
| Path | Method | Description | |------|--------|-------------| | / | GET | Landing page (disable: DISABLE_UI) | | /metrics | GET | Prometheus metrics | | /health | GET | Health check ({"status":"healthy"}) | | /config | GET | Get all runtime config (disable: DISABLE_CONFIG_API) | | /config | DELETE | Reset all config to env defaults (disable: DISABLE_CONFIG_API) | | /config/:key | GET | Get single config value (disable: DISABLE_CONFIG_API) | | /config/:key | PUT | Set config override (persisted in KV) (disable: DISABLE_CONFIG_API) | | /config/:key | DELETE | Reset config key to env default (disable: DISABLE_CONFIG_API) |
Prometheus Configuration
scrape_configs: - job_name: 'cloudflare' scrape_interval: 60s scrape_timeout: 30s…
Excerpt shown — open the source for the full document.
Notability
notability 3.0/10Routine exporter repo with modest traction