d-bis/Sankofa
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Sankofa/cloudflare/README.md
defiQUG 6f28146ac3 Initial Phoenix Sankofa Cloud setup 
- Complete project structure with Next.js frontend
- GraphQL API backend with Apollo Server
- Portal application with NextAuth
- Crossplane Proxmox provider
- GitOps configurations
- CI/CD pipelines
- Testing infrastructure (Vitest, Jest, Go tests)
- Error handling and monitoring
- Security hardening
- UI component library
- Documentation
2025-11-28 12:54:33 -08:00

85 lines
2.0 KiB
Markdown
Raw Permalink Blame History

# Cloudflare Zero Trust Configuration
This directory contains all Cloudflare Zero Trust configurations for secure global access to the hybrid cloud control plane.
## Structure
```
cloudflare/
├── access-policies.yaml # Access policies for applications
├── tunnel-configs/ # Per-site tunnel configurations
├── gateway-policies.yaml # DNS and filtering policies
├── warp-config.json # WARP device enrollment
└── terraform/ # Terraform modules for Cloudflare
```
## Components
### Access Policies
Define who can access which applications based on:
- User identity (from Keycloak)
- Device posture
- IP address
- MFA requirements
- Time-based rules
### Tunnels
Outbound-only connections from Proxmox sites and control plane to Cloudflare:
- No public IPs required
- Automatic reconnection
- Load balancing across multiple tunnels
- Health checks
### Gateway Policies
DNS filtering and network security:
- Block malicious domains
- Log DNS queries
- Apply policies based on user/device
- Split DNS for internal services
### WARP
Device-level VPN for employees:
- Zero Trust network access
- Device posture checks
- Automatic enrollment
## Usage
### Apply Access Policies
```bash
# Using Cloudflare API
cloudflared access policy create --config access-policies.yaml
# Or via Terraform
cd terraform
terraform apply
```
### Deploy Tunnels
1. Create tunnel in Cloudflare dashboard
2. Copy tunnel token
3. Update tunnel config with token
4. Deploy cloudflared agent with config
```bash
cloudflared tunnel run --config tunnel-configs/site-1.yaml
```
### Configure WARP
1. Create WARP enrollment in Cloudflare dashboard
2. Update warp-config.json with enrollment details
3. Distribute config to devices
## Security Best Practices
- Use service tokens for API access
- Rotate tunnel tokens regularly
- Enable MFA for all access policies
- Use device posture checks
- Log all access attempts
- Review policies quarterly
Reference in New Issue View Git Blame Copy Permalink