d-bis/Sankofa
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4952ecf453f3dc76e84fcb264dd01ce27eee037c
Sankofa/docs/configs/cloudflare
History
defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements 
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00
..
README.md
Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements
2025-12-12 18:01:35 -08:00
tunnel-config.yaml
Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements
2025-12-12 18:01:35 -08:00

README.md

Cloudflare Tunnel Configuration Guide

Overview

This guide covers configuring the Cloudflare Tunnel VM for SMOM-DBIS-138 deployment to provide secure public access.

Prerequisites

  • Cloudflare Tunnel VM deployed and running
  • SSH access to the VM
  • Cloudflare account with Zero Trust enabled
  • Domain configured in Cloudflare

Quick Start

1. Get VM IP Address

kubectl get proxmoxvm cloudflare-tunnel-vm -n default -o jsonpath='{.status.ipAddress}'

2. Create Tunnel in Cloudflare

Option A: Via Cloudflare Dashboard

  1. Go to Zero Trust → Networks → Tunnels
  2. Click "Create a tunnel"
  3. Select "Cloudflared"
  4. Name it: smom-dbis-138-tunnel
  5. Copy the tunnel token

Option B: Via API

./scripts/configure-cloudflare.sh

3. SSH into the VM

ssh admin@<vm-ip-address>

4. Configure Tunnel Credentials

# Create credentials file
sudo mkdir -p /etc/cloudflared
sudo nano /etc/cloudflared/tunnel-credentials.json

Paste the tunnel credentials JSON:

{
  "AccountTag": "your-account-tag",
  "TunnelSecret": "your-tunnel-secret",
  "TunnelID": "your-tunnel-id",
  "TunnelName": "smom-dbis-138-tunnel"
}

5. Configure Tunnel

# Copy configuration template
sudo cp /path/to/tunnel-config.yaml /etc/cloudflared/config.yaml

# Edit configuration
sudo nano /etc/cloudflared/config.yaml

6. Start Tunnel Service

# Start service
sudo systemctl start cloudflared

# Enable auto-start
sudo systemctl enable cloudflared

# Check status
sudo systemctl status cloudflared

Configuration Details

Tunnel Credentials

Location: /etc/cloudflared/tunnel-credentials.json

Contains:

  • AccountTag: Your Cloudflare account ID
  • TunnelSecret: Secret key for the tunnel
  • TunnelID: Unique tunnel identifier
  • TunnelName: Human-readable tunnel name

Tunnel Configuration

Location: /etc/cloudflared/config.yaml

Key sections:

  • tunnel: Tunnel name (must match credentials)
  • credentials-file: Path to credentials JSON
  • ingress: Routing rules for services
  • metrics: Prometheus metrics endpoint
  • health-probe: Health check configuration

Ingress Rules

Pattern

ingress:
  - hostname: service.example.com
    service: http://backend-service:port
    originRequest:
      connectTimeout: 30s
      tcpKeepAlive: 30s

Important Notes

  • Rules are evaluated in order (first match wins)
  • Catch-all rule (http_status:404) must be last
  • Use internal hostnames or IPs for backend services

DNS Configuration

For each hostname in ingress rules, create a CNAME record:

Type: CNAME
Name: smom-api
Content: <tunnel-id>.cfargotunnel.com
Proxy: Enabled (orange cloud)

Or use Cloudflare API:

curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "smom-api",
    "content": "<tunnel-id>.cfargotunnel.com",
    "proxied": true
  }'

Monitoring

Check Tunnel Status

sudo systemctl status cloudflared

View Logs

sudo tail -f /var/log/cloudflared/tunnel.log

Metrics Endpoint

curl http://localhost:9090/metrics

Troubleshooting

Tunnel Not Connecting

  1. Verify credentials file is correct
  2. Check tunnel is created in Cloudflare dashboard
  3. Verify DNS records point to tunnel
  4. Check firewall allows outbound HTTPS (443)

Service Not Accessible

  1. Verify ingress rule matches hostname
  2. Check backend service is running
  3. Verify internal network connectivity
  4. Check tunnel logs for errors

Test Connection

# Test from Cloudflare Tunnel VM
curl http://backend-service:port

# Test from external
curl https://your-domain.com

Security Best Practices

  1. Rotate Tunnel Secrets: Regularly rotate tunnel credentials
  2. Use Access Policies: Configure Cloudflare Access for authentication
  3. Monitor Logs: Review tunnel logs for suspicious activity
  4. Limit Ingress Rules: Only expose necessary services
  5. Use Private Networks: Keep backend services on private networks

Next Steps

  1. Configure Cloudflare Access policies
  2. Set up monitoring and alerting
  3. Configure rate limiting
  4. Set up backup tunnel for redundancy
Reference in New Issue View Git Blame Copy Permalink