@cloudflare/vite-plugin 1.36.4 → 1.37.1

package/dist/index.mjs

@@ -1503,7 +1503,7 @@ async function assertWranglerVersion() {
 * The default compatibility date to use when the user omits one.
 * This value is injected at build time and remains fixed for each release.
 */
-const DEFAULT_COMPAT_DATE = "2026-05-12";
+const DEFAULT_COMPAT_DATE = "2026-05-15";
 
 //#endregion
 //#region ../../node_modules/.pnpm/@remix-run+node-fetch-server@0.8.0/node_modules/@remix-run/node-fetch-server/dist/node-fetch-server.js
@@ -1997,7 +1997,7 @@ var MetricsRegistry = class {
 };
 
 //#endregion
-//#region ../workers-utils/dist/chunk-XXCQEG76.mjs
+//#region ../workers-utils/dist/chunk-GMTGAG26.mjs
 var UserError = class extends Error {
 	static {
 		__name(this, "UserError");
@@ -4394,8 +4394,15 @@ function findRedirectedWranglerConfig(cwd, userConfigPath) {
 	};
 }
 __name(findRedirectedWranglerConfig, "findRedirectedWranglerConfig");
+function isRedirectedConfig(config) {
+	return config.configPath !== void 0 && config.configPath !== config.userConfigPath;
+}
+__name(isRedirectedConfig, "isRedirectedConfig");
 function isRedirectedRawConfig(rawConfig, configPath, userConfigPath) {
-	return configPath !== void 0 && configPath !== userConfigPath;
+	return isRedirectedConfig({
+		configPath,
+		userConfigPath
+	});
 }
 __name(isRedirectedRawConfig, "isRedirectedRawConfig");
 function configFormat(configPath) {
@@ -30887,9 +30894,9 @@ function normalizeAndValidateConfig(rawConfig, configPath, userConfigPath, args,
 	if (useServiceEnvironments) diagnostics.warnings.push("Service environments are deprecated, and will be removed in the future. DO NOT USE IN PRODUCTION.");
 	const isDispatchNamespace = typeof args["dispatch-namespace"] === "string" && args["dispatch-namespace"].trim() !== "";
 	const topLevelEnv = normalizeAndValidateEnvironment(diagnostics, configPath, rawConfig, isDispatchNamespace, preserveOriginalMain);
-	const isRedirectedConfig = isRedirectedRawConfig(rawConfig, configPath, userConfigPath);
+	const isRedirectedConfig2 = isRedirectedRawConfig(rawConfig, configPath, userConfigPath);
 	const definedEnvironments = Object.keys(rawConfig.env ?? {});
-	if (isRedirectedConfig && definedEnvironments.length > 0) diagnostics.errors.push(dedent`
+	if (isRedirectedConfig2 && definedEnvironments.length > 0) diagnostics.errors.push(dedent`
 				Redirected configurations cannot include environments but the following have been found:\n${definedEnvironments.map((env$1) => `	- ${env$1}`).join("\n")}
 
 
@@ -30900,7 +30907,7 @@ function normalizeAndValidateConfig(rawConfig, configPath, userConfigPath, args,
 	const envName = args.env ?? getCloudflareEnv();
 	assert(envName === void 0 || typeof envName === "string");
 	let activeEnv = topLevelEnv;
-	if (envName) if (isRedirectedConfig) {
+	if (envName) if (isRedirectedConfig2) {
 		if (!isPagesConfig(rawConfig) && rawConfig.targetEnvironment && rawConfig.targetEnvironment !== envName) {
 			const via = args.env !== void 0 ? "via the `--env/-e` CLI argument" : "via the CLOUDFLARE_ENV environment variable";
 			throw new Error(dedent`
@@ -30932,9 +30939,9 @@ Consider adding an environment configuration section to the ${configFileName(con
 	const config = {
 		configPath,
 		userConfigPath,
-		topLevelName: isRedirectedConfig ? rawConfig.topLevelName : rawConfig.name,
-		definedEnvironments: isRedirectedConfig ? rawConfig.definedEnvironments : definedEnvironments,
-		targetEnvironment: isRedirectedConfig ? rawConfig.targetEnvironment : envName,
+		topLevelName: isRedirectedConfig2 ? rawConfig.topLevelName : rawConfig.name,
+		definedEnvironments: isRedirectedConfig2 ? rawConfig.definedEnvironments : definedEnvironments,
+		targetEnvironment: isRedirectedConfig2 ? rawConfig.targetEnvironment : envName,
 		pages_build_output_dir: normalizeAndValidatePagesBuildOutputDir(configPath, rawConfig.pages_build_output_dir),
 		legacy_env: !useServiceEnvironments,
 		send_metrics: rawConfig.send_metrics,
@@ -31263,7 +31270,7 @@ var validateStreamingTailConsumers = /* @__PURE__ */ __name((diagnostics, field,
 }, "validateStreamingTailConsumers");
 function normalizeAndValidateEnvironment(diagnostics, configPath, rawEnv, isDispatchNamespace, preserveOriginalMain, envName = "top level", topLevelEnv, useServiceEnvironments, rawConfig) {
 	deprecated(diagnostics, rawEnv, "node_compat", `The "node_compat" field is no longer supported as of Wrangler v4. Instead, use the \`nodejs_compat\` compatibility flag. This includes the functionality from legacy \`node_compat\` polyfills and natively implemented Node.js APIs. See https://developers.cloudflare.com/workers/runtime-apis/nodejs for more information.`, true, "Removed", "error");
-	experimental(diagnostics, rawEnv, "unsafe");
+	if (topLevelEnv === void 0 || rawConfig?.unsafe === void 0) experimental(diagnostics, rawEnv, "unsafe");
 	const route = normalizeAndValidateRoute(diagnostics, topLevelEnv, rawEnv);
 	const account_id = inheritableInWranglerEnvironments(diagnostics, useServiceEnvironments, topLevelEnv, mutateEmptyStringAccountIDValue(diagnostics, rawEnv), "account_id", isString$2, void 0, void 0);
 	const routes = validateRoutes(diagnostics, topLevelEnv, rawEnv);
@@ -31426,9 +31433,11 @@ var validateDefines = /* @__PURE__ */ __name((envName) => (diagnostics, field, v
 	if (configDefines.length > 0) {
 		if (typeof value === "object" && value !== null) {
 			const configEnvDefines = config === void 0 ? [] : Object.keys(value);
-			for (const varName of configDefines) if (!(varName in value)) diagnostics.warnings.push(`"define.${varName}" exists at the top level, but not on "${fieldPath}".
-This is not what you probably want, since "define" configuration is not inherited by environments.
-Please add "define.${varName}" to "env.${envName}".`);
+			const missingDefines = configDefines.filter((varName) => !(varName in value));
+			if (missingDefines.length > 0) diagnostics.warnings.push(`The following define entries exist at the top level, but not on "${fieldPath}".
+This is probably not what you want, since "define" configuration is not inherited by environments.
+Please add these entries to "env.${envName}.define":
+` + missingDefines.map((varName) => `- ${varName}`).join("\n"));
 			for (const varName of configEnvDefines) if (!configDefines.includes(varName)) diagnostics.warnings.push(`"${varName}" exists on "env.${envName}", but not on the top level.
 This is not what you probably want, since "define" configuration within environments can only override existing top level "define" configuration
 Please remove "${fieldPath}.${varName}", or add "define.${varName}".`);
@@ -31452,9 +31461,11 @@ var validateVars = /* @__PURE__ */ __name((envName) => (diagnostics, field, valu
 	const configVars = Object.keys(config?.vars ?? {});
 	if (configVars.length > 0) {
 		if (typeof value === "object" && value !== null) {
-			for (const varName of configVars) if (!(varName in value)) diagnostics.warnings.push(`"vars.${varName}" exists at the top level, but not on "${fieldPath}".
-This is not what you probably want, since "vars" configuration is not inherited by environments.
-Please add "vars.${varName}" to "env.${envName}".`);
+			const missingVars = configVars.filter((varName) => !(varName in value));
+			if (missingVars.length > 0) diagnostics.warnings.push(`The following vars exist at the top level, but not on "${fieldPath}".
+This is probably not what you want, since "vars" configuration is not inherited by environments.
+Please add these vars to "env.${envName}.vars":
+` + missingVars.map((varName) => `- ${varName}`).join("\n"));
 		}
 	}
 	return isValid2;
@@ -33475,27 +33486,36 @@ function startTunnel(options) {
 	const timeoutMs = options.timeoutMs ?? TUNNEL_STARTUP_TIMEOUT_MS;
 	const reminderIntervalMs = options.reminderIntervalMs ?? DEFAULT_TUNNEL_REMINDER_INTERVAL_MS;
 	const defaultExpiryMs = options.expiryMs ?? DEFAULT_TUNNEL_EXPIRY_MS;
+	const isNamedTunnel = options.token !== void 0;
 	const timeFormatter = new Intl.DateTimeFormat(void 0, { timeStyle: "short" });
-	const readyPromise = spawnCloudflared([
+	const readyPromise = spawnCloudflared(isNamedTunnel ? [
+		"tunnel",
+		"--no-autoupdate",
+		"run"
+	] : [
 		"tunnel",
 		"--no-autoupdate",
 		"--url",
 		options.origin.href
 	], {
 		stdio: "pipe",
+		env: options.token ? { TUNNEL_TOKEN: options.token } : void 0,
 		skipVersionCheck: true,
 		logger
 	}).then((process2) => {
 		cloudflaredProcess = process2;
 		if (disposed) terminateCloudflared(process2);
 		return process2;
-	}).then((process2) => waitForQuickTunnelReady(process2, timeoutMs, {
-		logger,
-		origin: options.origin
-	})).then((result) => {
+	}).then((process2) => {
+		if (isNamedTunnel) return { mode: "named" };
+		return waitForQuickTunnelReady(process2, timeoutMs, {
+			logger,
+			origin: options.origin
+		});
+	}).then((result) => {
 		expiresAt = Date.now() + defaultExpiryMs;
 		scheduleExpiryTimeout();
-		scheduleReminder(result.publicUrl.origin);
+		scheduleReminder(result.mode === "quick" ? result.publicUrl.origin : void 0);
 		return result;
 	});
 	function disposeTunnel() {
@@ -33521,7 +33541,7 @@ function startTunnel(options) {
 				if (disposed) return;
 				const remainingMs = expiresAt - Date.now();
 				if (remainingMs <= 0) return;
-				logger?.log(`The tunnel is still open at ${publicURL}. It expires in ${formatTunnelDuration(remainingMs)}. ${options.extendHint ?? ""}`);
+				logger?.log(`${publicURL ? `The tunnel is still open at ${publicURL}.` : "The tunnel is still open."} It expires in ${formatTunnelDuration(remainingMs)}. ${options.extendHint ?? ""}`);
 			}, reminderIntervalMs);
 			reminderInterval.unref?.();
 		}
@@ -33555,6 +33575,7 @@ function startTunnel(options) {
 	__name(extendExpiry, "extendExpiry");
 	return {
 		ready: /* @__PURE__ */ __name(() => readyPromise, "ready"),
+		isOpen: /* @__PURE__ */ __name(() => !disposed, "isOpen"),
 		dispose: disposeTunnel,
 		extendExpiry
 	};
@@ -33600,7 +33621,10 @@ function waitForQuickTunnelReady(cloudflared, timeoutMs, options) {
 			if (match && !resolved) {
 				resolved = true;
 				clearTimeout(timeoutId);
-				resolve$4({ publicUrl: new URL(match[0]) });
+				resolve$4({
+					mode: "quick",
+					publicUrl: new URL(match[0])
+				});
 			}
 		});
 		cloudflared.on("error", (error) => {
@@ -33808,53 +33832,84 @@ var require_picocolors = /* @__PURE__ */ __commonJS$1({ "../../node_modules/.pnp
 //#endregion
 //#region src/plugins/tunnel.ts
 var import_picocolors$5 = /* @__PURE__ */ __toESM$1(require_picocolors(), 1);
-const COMMON_PUBLIC_EXPOSURE_CONCERNS = [
-	"Call ungated endpoints",
-	"Trigger logic that uses remote bindings",
-	"Reach internal services if your Worker proxies requests"
-];
-const COMMON_PUBLIC_EXPOSURE_GUIDANCE = "Consider using a named tunnel with Cloudflare Access to restrict access.";
-function createPublicExposureWarning(concerns, guidance) {
-	return [
-		"",
-		`     ${import_picocolors$5.default.dim("This URL is ")}publicly accessible${import_picocolors$5.default.dim(". Anyone with it can:")}`,
-		...concerns.map((concern) => import_picocolors$5.default.dim(`     • ${concern}`)),
+function createPublicExposureWarning(mode, name, shortcutPressed) {
+	const intro = name === void 0 ? import_picocolors$5.default.dim("Once connected, this tunnel will be ") + "publicly accessible" + import_picocolors$5.default.dim(". Anyone who can reach it can:") : import_picocolors$5.default.dim("Once connected, this tunnel may be reachable from the Internet. Anyone who can reach it can:");
+	const concerns = [
+		"Call ungated endpoints",
+		"Trigger logic that uses remote bindings",
+		"Reach internal services if your Worker proxies requests"
+	];
+	const hints = [name === void 0 ? "Consider using a named tunnel with Cloudflare Access to restrict access." : "Consider using Cloudflare Access to restrict access."];
+	if (mode === "dev") {
+		concerns.push("Request module source and other dev-server assets", "Access HMR messages, including absolute file system paths", "Observe file-change cadence and parts of the live module graph");
+		hints.unshift("If you only need to share a running build, use vite preview to avoid HMR and other dev-server exposure.");
+	}
+	const lines = [
+		intro,
+		...concerns.map((concern) => import_picocolors$5.default.dim(`• ${concern}`)),
 		"",
-		import_picocolors$5.default.dim(`     ${guidance}`),
+		...hints.map((guidance) => import_picocolors$5.default.dim(guidance)),
 		""
-	].join("\n");
+	];
+	if (shortcutPressed) lines.push("Press t + enter again to close the tunnel.", "");
+	const spacing = "     ";
+	return lines.map((line) => spacing + line).join("\n");
 }
-const DEV_PUBLIC_EXPOSURE_WARNING = createPublicExposureWarning([
-	...COMMON_PUBLIC_EXPOSURE_CONCERNS,
-	"Request module source and other dev-server assets",
-	"Access HMR messages, including absolute file system paths",
-	"Observe file-change cadence and parts of the live module graph"
-], `If you only need to share a running build, use vite preview to avoid HMR and other dev-server exposure. ${COMMON_PUBLIC_EXPOSURE_GUIDANCE}`);
-const PREVIEW_PUBLIC_EXPOSURE_WARNING = createPublicExposureWarning(COMMON_PUBLIC_EXPOSURE_CONCERNS, COMMON_PUBLIC_EXPOSURE_GUIDANCE);
 const QUICK_TUNNEL_SSE_WARNING = "Quick tunnels do not support Server-Sent Events (SSE). Use a named Cloudflare Tunnel if you need SSE over a public URL.";
 const QUICK_TUNNEL_ALLOWED_HOST = ".trycloudflare.com";
 var TunnelManager = class {
 	#logger;
 	#origin;
-	#publicUrl;
+	#publicUrls;
+	#requestedTunnel;
 	#tunnel;
+	#abortController;
 	#hasWarnedAboutSse = false;
 	constructor(logger) {
 		this.#logger = logger;
 	}
-	isStarted(origin) {
-		return this.#origin === origin && this.#tunnel !== void 0;
+	isStarted(origin, name) {
+		return this.#origin === origin && this.#requestedTunnel === name;
+	}
+	isOpen() {
+		if (!this.#tunnel) return this.#origin !== void 0;
+		const isOpen = this.#tunnel.isOpen();
+		if (!isOpen) {
+			this.#tunnel = void 0;
+			this.dispose();
+		}
+		return isOpen;
 	}
-	async startTunnel(origin) {
+	async startTunnel(options) {
 		try {
-			if (this.#origin === origin && this.#tunnel) return await this.#waitForPublicUrl(this.#tunnel);
-			this.#logger.info(import_picocolors$5.default.dim("\n  ➜  Starting tunnel (usually takes a few seconds)...\n"));
 			if (this.#tunnel) this.dispose();
-			this.#origin = origin;
-			this.#publicUrl = void 0;
+			const abortController = new AbortController();
+			this.#abortController = abortController;
+			this.#origin = options.origin;
+			this.#requestedTunnel = options.name;
+			this.#logger.info(import_picocolors$5.default.dim("\n  ➜  Starting tunnel (usually takes a few seconds)...\n"));
+			this.#logger.warn(createPublicExposureWarning(options.mode, options.name, options.shortcutPressed ?? false));
+			const namedTunnel = options.name !== void 0 ? await wrangler.unstable_resolveNamedTunnel(options.name, new URL(options.origin), {
+				accountId: options.accountId,
+				complianceRegion: options.complianceRegion
+			}) : void 0;
+			if (abortController.signal.aborted) return null;
+			if (namedTunnel) this.#publicUrls = namedTunnel.hostnames.map((hostname) => `https://${hostname}`);
+			if (options.mode === "preview") {
+				if (namedTunnel) {
+					const allowedUrls = getAllowedTunnelUrls(this.#publicUrls ?? [], options.allowedHosts);
+					if (allowedUrls.length === 0) {
+						const suggestedAllowedHosts = getSuggestedAllowedHosts(namedTunnel.hostnames);
+						throw new Error("The resolved tunnel hostnames are not allowed by Vite preview host validation.\n\nAdd at least one of these hosts to `preview.allowedHosts` in your Vite config.\nYou can use exact hostnames or a domain suffix:\n" + suggestedAllowedHosts.map((hostname) => `  - ${hostname}`).join("\n") + "\n");
+					}
+					this.#publicUrls = allowedUrls;
+				} else if (!isQuickTunnelAllowed(options.allowedHosts)) throw new Error(`Quick tunnel hostnames are not allowed by Vite preview host validation.
+Add \`${QUICK_TUNNEL_ALLOWED_HOST}\` to \`preview.allowedHosts\` in your Vite config.\n`);
+			}
 			const tunnel = startTunnel({
-				origin: new URL(origin),
-				extendHint: "Press t + enter to extend by 1 hour.",
+				origin: new URL(options.origin),
+				token: namedTunnel?.token,
+				extendHint: "Press a + enter to extend by 1 hour.",
 				logger: {
 					log: (message) => this.#logger.info(message),
 					warn: (message) => this.#logger.warn(message),
@@ -33862,47 +33917,54 @@ var TunnelManager = class {
 				}
 			});
 			this.#tunnel = tunnel;
-			return await this.#waitForPublicUrl(tunnel);
+			return await this.#waitForPublicUrls(tunnel);
 		} catch (error) {
-			throw new Error(`Failed to start tunnel: ${error instanceof Error ? error.message : String(error)}`, { cause: error });
+			this.#origin = void 0;
+			this.#publicUrls = void 0;
+			this.#requestedTunnel = void 0;
+			throw error;
 		}
 	}
-	async #waitForPublicUrl(tunnel) {
+	async #waitForPublicUrls(tunnel) {
 		try {
-			const { publicUrl } = await tunnel.ready();
+			const result = await tunnel.ready();
 			if (this.#tunnel !== tunnel) {
-				debuglog("Tunnel was restarted before it finished starting. Ignoring this tunnel's public URL:", publicUrl);
+				debuglog("Tunnel was restarted before it finished starting. Ignoring this tunnel's public URL:", result.mode === "quick" ? result.publicUrl : this.#publicUrls);
 				return null;
 			}
+			if (result.mode === "named") return this.#publicUrls ?? null;
+			const { publicUrl } = result;
 			debuglog("Tunnel is ready with public URL:", publicUrl);
-			this.#publicUrl = publicUrl.toString();
-			return publicUrl.toString();
+			this.#publicUrls = [publicUrl.toString()];
+			return this.#publicUrls;
 		} catch (error) {
 			if (this.#tunnel !== tunnel) return null;
-			this.#publicUrl = void 0;
 			this.#tunnel = void 0;
 			throw error;
 		}
 	}
-	get publicUrl() {
-		return this.#publicUrl;
+	get publicUrls() {
+		return this.#publicUrls;
 	}
 	extendExpiry() {
 		this.#tunnel?.extendExpiry();
 	}
 	warnIfQuickTunnelSseResponse(contentType) {
-		if (this.#hasWarnedAboutSse || !this.#tunnel || contentType === null || !contentType.toLowerCase().startsWith("text/event-stream")) return;
+		if (this.#hasWarnedAboutSse || this.#requestedTunnel !== void 0 || !this.#tunnel || contentType === null || !contentType.toLowerCase().startsWith("text/event-stream")) return;
 		this.#hasWarnedAboutSse = true;
 		this.#logger.warn(QUICK_TUNNEL_SSE_WARNING);
 	}
 	dispose() {
 		const tunnel = this.#tunnel;
+		this.#abortController?.abort();
 		this.#origin = void 0;
-		this.#publicUrl = void 0;
+		this.#publicUrls = void 0;
+		this.#requestedTunnel = void 0;
 		this.#tunnel = void 0;
 		this.#hasWarnedAboutSse = false;
 		debuglog("Disposing tunnel...");
 		if (tunnel) tunnel.dispose();
+		this.#logger.info("  ➜  Tunnel closed");
 	}
 	disposeOnExit() {
 		try {
@@ -33922,6 +33984,19 @@ function warnIfQuickTunnelSseResponse(contentType) {
 function extendTunnelExpiry() {
 	tunnelManager?.extendExpiry();
 }
+function isTunnelOpen() {
+	return tunnelManager?.isOpen() ?? false;
+}
+async function toggleTunnel(server, ctx) {
+	if (!tunnelManager) return;
+	if (tunnelManager.isOpen()) {
+		ctx.clearTunnelHostnames();
+		tunnelManager.dispose();
+		return;
+	}
+	if ("restart" in server) await setupDevTunnel(server, ctx, tunnelManager, true);
+	else await setupPreviewTunnel(server, ctx, tunnelManager, true);
+}
 /**
 * Resolve the dev tunnel origin from the running server.
 *
@@ -33952,8 +34027,8 @@ async function resolveDevTunnelOrigin(server) {
 async function resolvePreviewTunnelOrigin(server) {
 	const { preview } = server.config;
 	const host = typeof preview.host === "string" ? preview.host : void 0;
-	let resolvedPort;
-	if (preview.port === 0) resolvedPort = await getPorts({
+	let resolvedPort = preview.port;
+	if (!server.httpServer.listening) if (preview.port === 0) resolvedPort = await getPorts({
 		port: 0,
 		host
 	});
@@ -33978,18 +34053,28 @@ async function resolvePreviewTunnelOrigin(server) {
 		secure: !!preview.https
 	}));
 }
-async function setupDevTunnel(server, ctx, manager) {
+async function setupDevTunnel(server, ctx, manager, shortcutPressed) {
 	const origin = await resolveDevTunnelOrigin(server);
-	if (manager.isStarted(origin)) {
+	const tunnel = ctx.resolvedPluginConfig.tunnel;
+	if (manager.isStarted(origin, tunnel.name)) {
 		debuglog("Tunnel is already started on", origin);
 		return;
 	}
-	const publicUrl = await manager.startTunnel(origin);
-	if (!publicUrl) return;
+	const publicUrls = await manager.startTunnel({
+		mode: "dev",
+		origin,
+		shortcutPressed,
+		name: tunnel.name,
+		accountId: ctx.entryWorkerConfig?.account_id,
+		complianceRegion: ctx.entryWorkerConfig?.compliance_region,
+		allowedHosts: true
+	});
+	if (!publicUrls) return;
 	const allowedHosts = server.config.server.allowedHosts;
-	const tunnelHostnames = [new URL(publicUrl).hostname];
+	const tunnelHostnames = publicUrls.map((url) => new URL(url).hostname);
 	ctx.replaceTunnelHostnames(tunnelHostnames);
 	if (allowedHosts !== true && tunnelHostnames.some((hostname) => !allowedHosts.includes(hostname))) await server.restart();
+	if (shortcutPressed) server.printUrls();
 }
 /**
 * Start a preview tunnel on the resolved preview origin.
@@ -33997,7 +34082,7 @@ async function setupDevTunnel(server, ctx, manager) {
 * We write the resolved port back to preview config so the server binds the
 * same port that the tunnel is sharing.
 */
-async function setupPreviewTunnel(server, manager) {
+async function setupPreviewTunnel(server, ctx, manager, shortcutPressed) {
 	const { preview } = server.config;
 	const originalPort = preview.port;
 	const resolvedOrigin = await resolvePreviewTunnelOrigin(server);
@@ -34005,17 +34090,58 @@ async function setupPreviewTunnel(server, manager) {
 	preview.port = resolvedPort;
 	preview.strictPort = true;
 	if (originalPort !== 0 && resolvedPort !== originalPort) server.config.logger.info(import_picocolors$5.default.dim(`Port ${originalPort} is in use, using ${resolvedPort} instead for preview tunnel sharing.\n`));
-	await manager.startTunnel(resolvedOrigin.toString());
-}
-function patchPrintUrls(server, warning) {
+	const tunnel = ctx.resolvedPluginConfig.tunnel;
+	const origin = resolvedOrigin.toString();
+	if (manager.isStarted(origin, tunnel.name)) {
+		debuglog("Tunnel is already started on", origin);
+		return;
+	}
+	if (!await manager.startTunnel({
+		mode: "preview",
+		origin,
+		shortcutPressed,
+		name: tunnel.name,
+		allowedHosts: preview?.allowedHosts,
+		accountId: ctx.allWorkerConfigs[0]?.account_id,
+		complianceRegion: ctx.allWorkerConfigs[0]?.compliance_region
+	})) return;
+	if (shortcutPressed) server.printUrls();
+}
+function patchPrintUrls(server) {
 	const serverPrintUrls = server.printUrls.bind(server);
 	server.printUrls = () => {
 		serverPrintUrls();
-		const publicUrl = tunnelManager?.publicUrl;
-		if (!publicUrl) return;
-		server.config.logger.info(`${import_picocolors$5.default.green("  ➜")}  ${import_picocolors$5.default.bold("Tunnel:")}  ${import_picocolors$5.default.cyan(publicUrl)}`);
-		server.config.logger.warnOnce(warning);
-	};
+		const publicUrls = tunnelManager?.publicUrls;
+		if (!publicUrls || publicUrls.length === 0) return;
+		for (let i$1 = 0; i$1 < publicUrls.length; i$1++) if (i$1 === 0) server.config.logger.info(`${import_picocolors$5.default.green("  ➜")}  ${import_picocolors$5.default.bold("Tunnel:")}  ${import_picocolors$5.default.cyan(publicUrls[i$1])}`);
+		else server.config.logger.info(`              ${import_picocolors$5.default.cyan(publicUrls[i$1])}`);
+		server.config.logger.info("");
+	};
+}
+function isQuickTunnelAllowed(allowedHosts) {
+	if (allowedHosts === void 0) return false;
+	if (allowedHosts === true) return true;
+	return allowedHosts.some((allowedHost) => allowedHost.toLowerCase() === QUICK_TUNNEL_ALLOWED_HOST);
+}
+function getAllowedTunnelUrls(publicUrls, allowedHosts) {
+	if (allowedHosts === void 0) return [];
+	if (allowedHosts === true) return publicUrls;
+	return publicUrls.filter((publicUrl) => {
+		const hostname = new URL(publicUrl).hostname.toLowerCase();
+		return allowedHosts.some((allowedHost) => {
+			const normalizedAllowedHost = allowedHost.toLowerCase();
+			if (normalizedAllowedHost.startsWith(".")) return hostname === normalizedAllowedHost.slice(1) || hostname.endsWith(normalizedAllowedHost);
+			return hostname === normalizedAllowedHost;
+		});
+	});
+}
+function getSuggestedAllowedHosts(hostnames) {
+	const suggestions = new Set(hostnames);
+	for (const hostname of hostnames) {
+		const segments = hostname.split(".");
+		if (segments.length > 2) suggestions.add(`.${segments.slice(1).join(".")}`);
+	}
+	return Array.from(suggestions);
 }
 const tunnelPlugin = createPlugin("tunnel", (ctx) => {
 	function stopTunnel() {
@@ -34028,12 +34154,9 @@ const tunnelPlugin = createPlugin("tunnel", (ctx) => {
 		},
 		configureServer(server) {
 			assertIsNotPreview(ctx);
-			if (!ctx.resolvedPluginConfig.tunnel) {
-				stopTunnel();
-				return;
-			}
 			tunnelManager ??= new TunnelManager(server.config.logger);
-			patchPrintUrls(server, DEV_PUBLIC_EXPOSURE_WARNING);
+			patchPrintUrls(server);
+			if (!ctx.resolvedPluginConfig.tunnel.autoStart) return;
 			const serverListen = server.listen.bind(server);
 			server.listen = async (...args) => {
 				const result = await serverListen(...args);
@@ -34050,13 +34173,9 @@ const tunnelPlugin = createPlugin("tunnel", (ctx) => {
 		},
 		async configurePreviewServer(server) {
 			assertIsPreview(ctx);
-			if (!ctx.resolvedPluginConfig.tunnel) {
-				stopTunnel();
-				return;
-			}
 			tunnelManager ??= new TunnelManager(server.config.logger);
-			patchPrintUrls(server, PREVIEW_PUBLIC_EXPOSURE_WARNING);
-			await setupPreviewTunnel(server, tunnelManager);
+			patchPrintUrls(server);
+			if (ctx.resolvedPluginConfig.tunnel.autoStart) await setupPreviewTunnel(server, ctx, tunnelManager);
 			const closePreviewServer = server.close.bind(server);
 			server.close = async () => {
 				const closePromise = closePreviewServer();
@@ -34102,7 +34221,8 @@ function createRequestHandler(handler) {
 		let request$2;
 		try {
 			if (req.originalUrl) req.url = req.originalUrl;
-			request$2 = createRequest(req, res);
+			const protocol = getForwardedProto(req);
+			request$2 = createRequest(req, res, protocol ? { protocol } : void 0);
 			let response = await handler(toMiniflareRequest(request$2), req);
 			if (req.httpVersionMajor === 2) {
 				response = new Response$1(response.body, response);
@@ -34135,6 +34255,20 @@ function toMiniflareRequest(request$2) {
 	});
 }
 const isRolldown = "rolldownVersion" in vite;
+/**
+* Parses the `X-Forwarded-Proto` header from an incoming Node.js request.
+*
+* If multiple proxies are in the chain, the header may be a comma-separated
+* list — the left-most value is the original client-facing protocol.
+* Returns `undefined` if the header is missing or holds an unsupported value.
+*/
+function getForwardedProto(req) {
+	const raw = req.headers["x-forwarded-proto"];
+	const value = Array.isArray(raw) ? raw[0] : raw;
+	if (!value) return;
+	const first = value.split(",")[0]?.trim().toLowerCase();
+	if (first === "http" || first === "https") return `${first}:`;
+}
 
 //#endregion
 //#region src/export-types.ts
@@ -41274,7 +41408,10 @@ function resolvePluginConfig(pluginConfig, userConfig, viteEnv) {
 	const shared = {
 		persistState: pluginConfig.persistState ?? true,
 		inspectorPort: pluginConfig.inspectorPort,
-		tunnel: pluginConfig.tunnel ?? false,
+		tunnel: typeof pluginConfig.tunnel === "boolean" ? { autoStart: pluginConfig.tunnel } : {
+			autoStart: pluginConfig.tunnel?.autoStart ?? false,
+			name: pluginConfig.tunnel?.name
+		},
 		experimental: { headersAndRedirectsDevModeSupport: pluginConfig.experimental?.headersAndRedirectsDevModeSupport }
 	};
 	const root = userConfig.root ? nodePath.resolve(userConfig.root) : process.cwd();
@@ -48520,10 +48657,7 @@ function validateWorkerEnvironmentOptions(resolvedPluginConfig, resolvedViteConf
 const configPlugin = createPlugin("config", (ctx) => {
 	return {
 		config(userConfig, env$1) {
-			if (ctx.resolvedPluginConfig.type === "preview") return {
-				appType: "custom",
-				preview: { allowedHosts: getAllowedHosts(ctx.resolvedPluginConfig.tunnel ? [QUICK_TUNNEL_ALLOWED_HOST] : [], userConfig.preview?.allowedHosts ?? userConfig.server?.allowedHosts) }
-			};
+			if (ctx.resolvedPluginConfig.type === "preview") return { appType: "custom" };
 			if (!ctx.hasShownWorkerConfigWarnings) {
 				ctx.setHasShownWorkerConfigWarnings(true);
 				const workerConfigWarnings = getWarningForWorkersConfigs(ctx.resolvedPluginConfig.rawConfigs);
@@ -52760,7 +52894,8 @@ function handleWebSocket(httpServer, miniflare, entryWorkerName) {
 	httpServer.on("upgrade", async (request$2, socket, head) => {
 		socket.on("error", () => socket.destroy());
 		const rawHost = request$2.headers.host ?? UNKNOWN_HOST;
-		const base = /^https?:\/\//i.test(rawHost) ? rawHost : `http://${rawHost}`;
+		const protocol = getForwardedProto(request$2) ?? "http:";
+		const base = /^https?:\/\//i.test(rawHost) ? rawHost : `${protocol}//${rawHost}`;
 		const url = new URL(request$2.url ?? "", base);
 		const isViteRequest = request$2.headers["sec-websocket-protocol"]?.startsWith("vite");
 		const isSandboxRequest = hasSandboxOrigin(url.origin);
@@ -53740,22 +53875,16 @@ const shortcutsPlugin = createPlugin("shortcuts", (ctx) => {
 		async configureServer(viteDevServer) {
 			if (!isCustomShortcutsSupported) return;
 			assertIsNotPreview(ctx);
-			addBindingsShortcut(viteDevServer, ctx);
-			addExplorerShortcut(viteDevServer);
-			if (ctx.resolvedPluginConfig.tunnel) addTunnelShortcut(viteDevServer);
+			addShortcuts(viteDevServer, ctx);
 		},
 		async configurePreviewServer(vitePreviewServer) {
 			if (!isCustomShortcutsSupported) return;
 			assertIsPreview(ctx);
-			addBindingsShortcut(vitePreviewServer, ctx);
-			addExplorerShortcut(vitePreviewServer);
-			if (ctx.resolvedPluginConfig.tunnel) addTunnelShortcut(vitePreviewServer);
+			addShortcuts(vitePreviewServer, ctx);
 		}
 	};
 });
-function addBindingsShortcut(server, ctx) {
-	const workerConfigs = ctx.allWorkerConfigs;
-	if (workerConfigs.length === 0) return;
+function addShortcuts(server, ctx) {
 	if (!process.stdin.isTTY) return;
 	const registryPath = getDefaultDevRegistryPath();
 	const printBindingsShortcut = {
@@ -53763,6 +53892,7 @@ function addBindingsShortcut(server, ctx) {
 		description: "list configured Cloudflare bindings",
 		action: (viteServer) => {
 			viteServer.config.logger.info("");
+			const workerConfigs = ctx.allWorkerConfigs;
 			for (const workerConfig of workerConfigs) {
 				const bindings = wrangler.unstable_convertConfigBindingsToStartWorkerBindings(workerConfig);
 				wrangler.unstable_printBindings(bindings, workerConfig.tail_consumers, workerConfig.streaming_tail_consumers, workerConfig.containers, {
@@ -53775,15 +53905,6 @@ function addBindingsShortcut(server, ctx) {
 			}
 		}
 	};
-	const bindCLIShortcuts = server.bindCLIShortcuts.bind(server);
-	server.bindCLIShortcuts = (options) => {
-		if (server.httpServer && process.stdin.isTTY && !process.env.CI && options?.print) server.config.logger.info(import_picocolors.default.dim(import_picocolors.default.green("  ➜")) + import_picocolors.default.dim("  press ") + import_picocolors.default.bold(`${printBindingsShortcut.key} + enter`) + import_picocolors.default.dim(` to ${printBindingsShortcut.description}`));
-		bindCLIShortcuts(options);
-	};
-	server.bindCLIShortcuts({ customShortcuts: [printBindingsShortcut] });
-}
-function addExplorerShortcut(server) {
-	if (!process.stdin.isTTY) return;
 	const openExplorerShortcut = {
 		key: "e",
 		description: "open local explorer",
@@ -53799,22 +53920,38 @@ function addExplorerShortcut(server) {
 			});
 		}
 	};
-	const bindCLIShortcuts = server.bindCLIShortcuts.bind(server);
-	server.bindCLIShortcuts = (options) => {
-		if (server.httpServer && process.stdin.isTTY && !process.env.CI && options?.print) server.config.logger.info(import_picocolors.default.dim(import_picocolors.default.green("  ➜")) + import_picocolors.default.dim("  press ") + import_picocolors.default.bold(`${openExplorerShortcut.key} + enter`) + import_picocolors.default.dim(` to ${openExplorerShortcut.description}`));
-		bindCLIShortcuts(options);
-	};
-	server.bindCLIShortcuts({ customShortcuts: [openExplorerShortcut] });
-}
-function addTunnelShortcut(server) {
-	if (!process.stdin.isTTY) return;
-	server.bindCLIShortcuts({ customShortcuts: [{
+	const toggleTunnelShortcut = {
 		key: "t",
+		description: "start or close tunnel",
+		action: () => {
+			toggleTunnel(server, ctx).catch((error) => {
+				const message = error instanceof Error ? error.message : String(error);
+				server.config.logger.error(import_picocolors.default.red(`Error: ${message}`));
+			});
+		}
+	};
+	const extendTunnelExpiryShortcut = {
+		key: "a",
 		description: "extend tunnel by 1 hour",
 		action: () => {
 			extendTunnelExpiry();
 		}
-	}] });
+	};
+	const bindCLIShortcuts = server.bindCLIShortcuts.bind(server);
+	server.bindCLIShortcuts = (options) => {
+		if (server.httpServer && process.stdin.isTTY && !process.env.CI && options?.print) {
+			if (ctx.allWorkerConfigs.length > 0) server.config.logger.info(import_picocolors.default.dim(import_picocolors.default.green("  ➜")) + import_picocolors.default.dim("  press ") + import_picocolors.default.bold(`${printBindingsShortcut.key} + enter`) + import_picocolors.default.dim(` to ${printBindingsShortcut.description}`));
+			server.config.logger.info(import_picocolors.default.dim(import_picocolors.default.green("  ➜")) + import_picocolors.default.dim("  press ") + import_picocolors.default.bold(`${openExplorerShortcut.key} + enter`) + import_picocolors.default.dim(` to ${openExplorerShortcut.description}`));
+			server.config.logger.info(import_picocolors.default.dim(import_picocolors.default.green("  ➜")) + import_picocolors.default.dim("  press ") + import_picocolors.default.bold(`${toggleTunnelShortcut.key} + enter`) + import_picocolors.default.dim(` to ${isTunnelOpen() ? "close tunnel" : "start tunnel"}`));
+		}
+		bindCLIShortcuts(options);
+	};
+	server.bindCLIShortcuts({ customShortcuts: [
+		printBindingsShortcut,
+		openExplorerShortcut,
+		toggleTunnelShortcut,
+		extendTunnelExpiryShortcut
+	] });
 }
 
 //#endregion