Cloudflare
I use Cloudflare for DNS and for Zero Trust Networking.
Everything I am doing is at the free tier.
DNS
Not much to say about DNS right now. It works. It supports DDNS. It's free.
Zero Trust Networking
ZTN is not a tunnel in the normal VPN sense. The cloudflared container makes an outbound-only connection from my private Docker network (which I named "zero-trust") to Cloudflare, so no inbound firewall rule or published port is needed on my side. Services in other Docker containers on that network are reachable by cloudflared, and they aren't visible anywhere else.
On the Cloudflare side (via the Web UI) you attach hostnames to that tunnel, and Cloudflare proxies them.
By default they are visible over the whole Internet; the only thing Cloudflare hides is my origin IP address. Hiding the IP is not access control, which is why the "Secure a service" section below matters.
I want some services to be visible, like for example this wiki. Others I want accessible only to me. I set those up in ZTN. Each device that needs to use them has to have the Cloudflare One client installed, AKA "Cloudflare WARP".
Here is a guide for Dockerized cloudflared, https://fossengineer.com/selfhosting-cloudflared-tunnel-docker/
BTW, cloudflared connects to Cloudflare over "QUIC" by default, not TCP. QUIC is a transport protocol that runs over UDP (cloudflared dials out on port 7844); if UDP is blocked on the way out, cloudflared falls back to HTTP/2 over TCP on the same port.
Configure a host
Cloudflare is set to the "Flexible" encryption mode on SSL/TLS for the domains. Flexible means Cloudflare would talk plain HTTP to an origin it reached directly; with the tunnel, the hop from Cloudflare to cloudflared is encrypted by the tunnel itself, so the only plaintext hop is cloudflared to the container on the Docker network. Any HTTP requests to Cloudflare are automatically bumped over to HTTPS (the "Always Use HTTPS" setting under Edge Certificates), and Cloudflare manages the edge certificates for me.
When creating a new public hostname, you have to use a unique subdomain; for example "static.wildsong.biz" can't already exist as a separate DNS entry. Creating the hostname also creates a proxied CNAME for it that points at the tunnel (a name of the form <tunnel-id>.cfargotunnel.com).
Steps
- Log into Cloudflare
- Go to Zero Trust
- Go to Networks -> Tunnels
- Click on a tunnel (currently "Home LAN" or "Tektonic"). The sidebar pops up for that tunnel. Click EDIT.
This brings up a page with a tab bar at the top. Select Public Hostname; that's where you will see the list of hostnames for the tunnel, as in this screenshot.
In this example, wiki is running in Docker on Bellman and vhpa is running directly on the host.
So I used the zero-trust subnet in Docker for wiki, which has an internal IP address,
but for vhpa I used the host (bellman) IP address.
Since taking this screenshot, I have changed "hupi" to Tektonic since that's more descriptive.
Apparently the container_name entry in the Hupi compose.yaml is enough to identify the service for cloudflared: Docker's embedded DNS resolves container names (and compose service names) for containers that share a user-defined network, and cloudflared is on zero-trust with it.
So in Cloudflare under Public Hostname, the service URL http://hupi:82 is enough! I wonder how I ever figured that out?
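Here is a compose.yaml that puts the two pieces described above together: a cloudflared container that dials out to Cloudflare, and a service on the same "zero-trust" network that is found by its container name. This is an added example, not the compose file from this wiki or from the fossengineer guide. Assumptions: the tunnel token lives in TUNNEL_TOKEN in a .env file beside the compose file, the image name example/hupi and its port 82 are placeholders for the real hupi service, and the network is named zero-trust to match the page.

```yaml
# compose.yaml (added example; placeholders are marked)
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    # Outbound only: cloudflared dials Cloudflare over QUIC (UDP 7844) and falls
    # back to HTTP/2 over TCP if UDP is blocked. Nothing is published on the host.
    # TUNNEL_TOKEN is read from the .env file next to this compose file (assumption).
    command: tunnel --no-autoupdate run --token ${TUNNEL_TOKEN}
    networks:
      - zero-trust

  hupi:
    image: example/hupi:latest   # placeholder for the real hupi image (assumption)
    # The container name is what the Public Hostname service URL http://hupi:82
    # resolves to, via Docker's embedded DNS on the zero-trust network.
    container_name: hupi
    restart: unless-stopped
    # Deliberately no "ports:" entry. The app listens on 82 inside the container
    # and is reachable only from other containers on zero-trust, i.e. cloudflared.
    networks:
      - zero-trust

networks:
  zero-trust:
    name: zero-trust
    driver: bridge
```

Bring it up with `docker compose up -d` and look at `docker compose logs cloudflared`; a healthy tunnel logs that it registered its connections to Cloudflare. In the Public Hostname tab the service for this container is then `http://hupi:82`. If a service instead runs directly on the host (as vhpa does above), cloudflared cannot reach it by container name and you give the host's LAN IP instead, as the page describes.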
Cloudflare WARP client
Since you have to use WARP to access private services, get that set up now.
- Install the Cloudflare One Agent (WARP) on the device.
- Use the client to log in to "my team". You will need your GitHub credentials at this point.
- In Cloudflare you should be able to see both the device by name and the user by name and email address. Look in Zero Trust under "My team".
Secure a service
Now that you have a service accessible (you should be able to see it at https://servicename.wildsong.biz), you need to secure it.
If you deactivate your WARP client, the service should still be accessible right now: a public hostname on the tunnel is reachable by anyone on the Internet until an Access application with a policy is attached to it.
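A quick way to tell whether a hostname is still open, as an added example that is not part of the original page: probe it with `curl -sI` while WARP is disconnected and look at the answer. An unprotected hostname returns the origin's normal response; one gated by Cloudflare Access answers an unauthenticated request with a redirect to the team's login page on cloudflareaccess.com. The two sample responses below are constructed for offline use (the team name "example" and the vhpa hostname are placeholders), not captured from a real host.

```shell
#!/bin/sh
# Added example: is a Cloudflare public hostname gated by Access?
# Assumption: an unauthenticated request to an Access-protected hostname is
# answered with a 3xx redirect whose Location is on <team>.cloudflareaccess.com.

# access_state HEADERS
#   HEADERS is the header block as printed by `curl -sI`.
#   Prints "protected" if the response redirects to the Access login page,
#   "open" otherwise (including any non-redirect status).
access_state() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n 1)
    case "$status" in
        301|302|303|307|308)
            case "$location" in
                *cloudflareaccess.com*) echo protected; return 0 ;;
            esac ;;
    esac
    echo open
}

# check_host HOSTNAME
#   Live check: run with WARP disconnected so no identity is attached to the
#   request, e.g.  check_host vhpa.wildsong.biz
check_host() {
    access_state "$(curl -sI --max-time 10 "https://$1/")"
}

# Constructed sample responses for offline use (not captured from a real host).
SAMPLE_OPEN='HTTP/2 200
content-type: text/html; charset=utf-8
server: cloudflare'

SAMPLE_PROTECTED='HTTP/2 302
location: https://example.cloudflareaccess.com/cdn-cgi/access/login/vhpa.wildsong.biz?redirect_url=%2F
server: cloudflare'
```

Run the live check before and after attaching an Access policy to the hostname; the state should flip from "open" to "protected". A hostname that still reports "open" with WARP off is exactly the situation the paragraph above warns about.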
Keycloak IDP
Currently I have github set up as my identity provider but I want my own. I am thinking about setting up Keycloak.