Cloudflare

From Wildsong

I use Cloudflare for DNS and for Zero Trust Networking.

Everything I am doing is at the free tier.

DNS

Not much to say about DNS right now. It works. It supports DDNS. It's free.

Zero Trust Networking

ZTN is not a tunnel in the normal VPN sense. The tunnel runs between Cloudflare and the private network (which I named "zero-trust" in my Docker setup) via a cloudflared container. Services, also running in Docker containers, connect over that network, and they aren't visible anywhere else.

On the Cloudflare side (via Web UI) you attach hosts to that tunnel, and Cloudflare proxies them.

By default they are visible over the Internet, but the origin IP address is hidden behind Cloudflare.

I want some services to be visible, like for example this wiki. Others I want accessible only to me; I set those up in ZTN. Each device that needs to use them has to have the Cloudflare One client installed, AKA "Cloudflare WARP".

Here is a guide for Dockerized cloudflared, https://fossengineer.com/selfhosting-cloudflared-tunnel-docker/

BTW, Zero Trust tunnels use QUIC, not TCP. QUIC is a faster replacement for TCP that runs over UDP.

Configure a host

Cloudflare is set to "Flexible" encryption mode on SSL/TLS for the domains. That means traffic between Cloudflare and my servers is plain HTTP (but it travels inside the Zero Trust tunnel, which encrypts it), any HTTP requests to Cloudflare are automatically redirected to HTTPS, and Cloudflare manages the certificates for me.

When creating a new public hostname you have to use a unique subdomain; for example, "static.wildsong.biz" can't already exist as a separate DNS entry. Creating the hostname also creates a CNAME that points to Cloudflare's tunnel service.

Steps

  • Log into Cloudflare
  • Go to Zero Trust
  • Go to Networks -> Tunnels
  • Click on a network (currently "Home LAN" or "Tektonic"). The sidebar pops up for that network. Click EDIT.

This brings up a page with a tab bar at the top. Select Public Hostname; that's where you will see this:

In this example, wiki is running in Docker on Bellman and vhpa is running directly on the host. So for the wiki I used the zero-trust subnet in Docker and it has an internal IP address, but for vhpa I used the host (bellman) IP address.

Since taking this screenshot, I have changed "hupi" to Tektonic since that's more descriptive.

Apparently the container_name entry in the Hupi compose.yaml is enough for cloudflared to find the service: Docker's built-in DNS resolves the container name for every container on the shared zero-trust network.

So in Cloudflare under Public Hostname, a service URL of http://hupi:82 is enough! I wonder how I ever figured that out?
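As an added example (not a compose file from this wiki), here is the shape of compose.yaml that makes the setup described above work: cloudflared and the hupi service share the user-defined "zero-trust" network, the service publishes no host ports, and the container_name is the hostname that the Public Hostname entry http://hupi:82 resolves to. The image tags, the TUNNEL_TOKEN variable (cloudflared's token-based remote configuration) and port 82 are assumptions.

```yaml
# Added example, not the wiki's own compose.yaml.
# Assumed: cloudflared is configured remotely with a tunnel token,
# the hupi image listens on port 82 inside its container.
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      # Tunnel token from the Zero Trust dashboard. Keep it in .env
      # (or a secret), not committed alongside this file.
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    networks:
      - zero-trust
    restart: unless-stopped

  hupi:
    image: example/hupi:latest   # placeholder image
    container_name: hupi         # Docker DNS name cloudflared resolves
    networks:
      - zero-trust
    # No "ports:" block on purpose: the service is reachable only on the
    # zero-trust network, so the only way in is through the tunnel and
    # whatever Access policy is attached to the public hostname.
    expose:
      - "82"                     # documents the port used in http://hupi:82
    restart: unless-stopped

networks:
  zero-trust:
    name: zero-trust             # same network name the text refers to
```

A quick check that nothing leaked onto the host is `docker compose ps`, which should show no published ports for hupi.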

Cloudflare WARP client

Since you have to use WARP to access private services, get that set up now.

  1. Install Cloudflare One Agent on device.
  2. Use the client to log in to "my team". You will need your GitHub credentials at this point.
  3. In Cloudflare you should be able to see both the device by name and the user by name and email address. Look in Zero Trust "My team".

Secure a service

Now that you have a service accessible (you should be able to see it at https://servicename.wildsong.biz), you need to secure it.

  • Deactivate your WARP client. The service should still be accessible right now.
  • In CF Zero Trust "Access", under Applications, "+ Add an application".
  • Select "Self-hosted".
  • Pick a name and session duration.
  • Put in the subdomain you picked when you set up the host above.
  • I currently leave the other settings on this page at defaults.
  • Click NEXT
  • Now it wants a policy. I use "basic" and set session duration again.
  • Click NEXT
  • I leave all other settings at defaults.
  • Try to access the service again, with WARP client disabled. You should be blocked.
  • Turn on WARP client. Try again. Now it should work.

Keycloak IDP

If you are searching for docs and help, remember that the current version used to be called the "keycloak-x" version. There is no longer a WildFly version; it's just the Quarkus version now. Got all that?

Currently I have GitHub set up as my identity provider, but I want my own. I am thinking about setting up Keycloak.

https://wiki.brianturchyn.net/devops/keycloak-cloudflare/

Run in Docker

I run it in a Docker container, set up to run behind a reverse proxy. This guide is still mostly up to date: https://skycloak.io/blog/how-to-run-keycloak-behind-a-reverse-proxy/

First run

Bring up an instance of Keycloak and run the boot script, so that it initializes its persistent data with a temporary admin user and password. Then edit compose.yaml to the permanent setup and run it again. Ta-da! Log in and create an admin account.

FIDO2

I want to use a FIDO2 yubikey with keycloak.

https://refactorfirst.com/setup-fido2-passwordless-authentication-with-keycloak