# Cloudflare Integration Guide

## Overview

This document describes the Cloudflare Zero Trust and Tunnel integration for secure external access to the Azure Stack HCI environment without opening any inbound ports on the perimeter.

## Architecture

### Cloudflare Tunnel Architecture

```
┌─────────────────────────────────────────────────────────┐
│              Cloudflare Zero Trust Network              │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐   │
│  │  Zero Trust  │  │     WAF      │  │    Tunnel    │   │
│  │   Policies   │  │    Rules     │  │  Endpoints   │   │
│  └──────────────┘  └──────────────┘  └──────────────┘   │
└─────────────────────────────────────────────────────────┘
                            │
                            │ Outbound HTTPS (443)
                            │
┌─────────────────────────────────────────────────────────┐
│               On-Premises Infrastructure                │
│                                                         │
│  ┌───────────────────────────────────────────────────┐  │
│  │          Cloudflare Tunnel VM (VLAN 99)           │  │
│  │              ┌──────────────┐                     │  │
│  │              │  cloudflared │                     │  │
│  │              │    daemon    │                     │  │
│  │              └──────────────┘                     │  │
│  └───────────────────────────────────────────────────┘  │
│           │                 │                │          │
│  ┌────────▼───────┐   ┌─────▼────────┐   ┌───▼────────┐ │
│  │      WAC       │   │   Proxmox    │   │ Dashboards │ │
│  │   (VLAN 60)    │   │      UI      │   │ (VLAN 40)  │ │
│  └────────────────┘   └──────────────┘   └────────────┘ │
└─────────────────────────────────────────────────────────┘
```

`cloudflared` on the Tunnel VM opens outbound connections to Cloudflare's edge. Requests for the published hostnames arrive over those connections and are proxied to the internal services listed in the ingress rules; nothing on the on-premises side listens for traffic from the Internet.

## Components

### Cloudflare Tunnel (cloudflared)

- **Purpose:** Secure outbound connection to the Cloudflare network
- **Location:** Ubuntu VM in VLAN 99 (DMZ)
- **Protocol:** Outbound HTTPS (443) only
- **Benefits:** No inbound ports required, encrypted tunnel to Cloudflare

### Zero Trust Policies

- **SSO Integration:** Azure AD, Okta, or other identity providers
- **MFA Requirements:** Multi-factor authentication enforcement
- **Device Posture:** Device health and compliance checks
- **Access Policies:** Least-privilege access control per application

### WAF (Web Application Firewall)

- **Purpose:** Protect the published hostnames from attacks before requests reach the tunnel
- **Rules:** Custom WAF rules for application protection
- **Integration:** Applies to the proxied hostnames published through the Tunnel

## Installation

### Prerequisites

- Cloudflare account with Zero Trust enabled
- Ubuntu VM deployed in VLAN 99
- Network connectivity from the Tunnel VM to the services it publishes (and only to those; see Network Isolation below)
- Azure AD or other SSO provider (optional)

### Environment Configuration

Before starting, ensure your `.env` file is configured with Cloudflare credentials:

```bash
# Copy template if not already done
cp .env.example .env

# Edit .env and set:
# - CLOUDFLARE_API_TOKEN (get from https://dash.cloudflare.com/profile/api-tokens)
# - CLOUDFLARE_ACCOUNT_EMAIL
# - CLOUDFLARE_ZONE_ID (optional)
```

`CLOUDFLARE_API_TOKEN` is consumed by the automation scripts that call the Cloudflare API; `cloudflared` itself is authorised separately in Step 3. Scope the token to the account and zone it needs rather than using a global API key.

### Step 1: Create Cloudflare Zero Trust Organization

1. Log in to the [Cloudflare Dashboard](https://dash.cloudflare.com)
2. Navigate to Zero Trust
3. Create or select an organization
4. Note your organization name

**Note**: If using automation scripts, ensure `CLOUDFLARE_API_TOKEN` is set in your `.env` file.

### Step 2: Install cloudflared

On the Ubuntu Tunnel VM:

```bash
# Download and install cloudflared
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflared

# Verify installation
cloudflared --version
```

For a production VM, prefer Cloudflare's apt repository or pin a specific release instead of `latest`, and record the SHA-256 of the binary you installed, so that upgrades of the component that bridges the DMZ to the management VLANs are deliberate and reproducible.

### Step 3: Authenticate cloudflared

```bash
# Option 1: Interactive login (recommended for first-time setup)
cloudflared tunnel login
# This opens a browser for authentication; pick the zone that will host the hostnames.
# On success the account certificate is written to ~/.cloudflared/cert.pem.

# Option 2: Load the Cloudflare API token from .env (for the automation scripts,
# not for cloudflared itself). Sourcing in allexport mode handles values that
# contain spaces or quotes, which `export $(cat .env | xargs)` does not.
set -a; . ./.env; set +a

# Note: the tunnel credentials created in Step 4 end up at
# /etc/cloudflared/<TUNNEL-ID>.json once moved there (see Configuration).
# Secure that file (chmod 600, owned by the service user) and never commit it
# or cert.pem to version control.
```

### Step 4: Create Tunnel

```bash
# Create a new tunnel
cloudflared tunnel create azure-stack-hci

# The output includes the tunnel ID (a UUID) and writes the credentials file
# ~/.cloudflared/<TUNNEL-ID>.json; note the ID for the configuration below.
cloudflared tunnel list
```

## Configuration

### Tunnel Configuration File

Create `/etc/cloudflared/config.yml` (replace `<TUNNEL-ID>` with the UUID from Step 4):

```yaml
tunnel: <TUNNEL-ID>
credentials-file: /etc/cloudflared/<TUNNEL-ID>.json

ingress:
  # Windows Admin Center
  - hostname: wac.yourdomain.com
    service: https://10.10.60.20:443
    originRequest:
      noHappyEyeballs: true
      tcpKeepAlive: 30s

  # Proxmox UI
  - hostname: proxmox.yourdomain.com
    service: https://10.10.60.10:8006
    originRequest:
      noHappyEyeballs: true
      tcpKeepAlive: 30s

  # Grafana Dashboard
  - hostname: grafana.yourdomain.com
    service: http://10.10.40.10:3000
    originRequest:
      noHappyEyeballs: true

  # Git Server
  - hostname: git.yourdomain.com
    service: https://10.10.30.10:443
    originRequest:
      noHappyEyeballs: true

  # CI/CD
  - hostname: ci.yourdomain.com
    service: https://10.10.50.10:443
    originRequest:
      noHappyEyeballs: true

  # Catch-all (must be last)
  - service: http_status:404
```

Rules are evaluated top to bottom and cloudflared refuses to start unless the final rule is a catch-all; a hostname-less rule placed earlier would swallow every request. Check the file before starting the service with `cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate`, and `cloudflared tunnel --config /etc/cloudflared/config.yml ingress rule https://wac.yourdomain.com` shows which rule a given URL would hit. Duration options such as `tcpKeepAlive` take a unit (`30s`), not a bare number. The `https://` origins above are verified against the system CA store by default; see Proxmox Certificate Considerations for origins with self-signed certificates.

### DNS Configuration

In the Cloudflare Dashboard:

1. Navigate to Zero Trust > Access > Tunnels
2. Select your tunnel
3. Configure public hostnames:
   - `wac.yourdomain.com` → Tunnel
   - `proxmox.yourdomain.com` → Tunnel
   - `grafana.yourdomain.com` → Tunnel
   - `git.yourdomain.com` → Tunnel
   - `ci.yourdomain.com` → Tunnel

Each hostname becomes a proxied CNAME to `<TUNNEL-ID>.cfargotunnel.com`. From the Tunnel VM, `cloudflared tunnel route dns azure-stack-hci wac.yourdomain.com` creates the same record without the dashboard. Keep these records proxied (orange cloud); a DNS-only record would bypass both Access and the WAF.

### Systemd Service

Create `/etc/systemd/system/cloudflared.service`:

```ini
[Unit]
Description=Cloudflare Tunnel
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=cloudflared
ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run
Restart=on-failure
RestartSec=5s
# cloudflared only needs to read /etc/cloudflared and talk to the network
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

The `cloudflared` account named in `User=` must exist (a system account with no shell and no home directory) and must own `/etc/cloudflared/<TUNNEL-ID>.json`; a credentials file that is `chmod 600` but owned by root is unreadable to the service and it will fail to start. `ProtectSystem=strict` makes the filesystem read-only for the process, which is fine for the configuration above; if you later add a `logfile:` option, add a matching `ReadWritePaths=`.

Enable and start:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now cloudflared
sudo systemctl status cloudflared
```

## Zero Trust Policies

### SSO Configuration

1. Navigate to Zero Trust > Access > Authentication
2. Add identity provider:
   - **Azure AD:** Configure an Azure AD app registration
   - **Okta:** Configure an Okta application
   - **Other:** Follow the provider-specific instructions

### Access Policies

1. Navigate to Zero Trust > Access > Applications
2. Create application:
   - **Application name:** WAC Access
   - **Application domain:** `wac.yourdomain.com`
   - **Session duration:** 24 hours
3. Configure policy:
   - **Action:** Allow
   - **Include:**
     - Emails: `admin@yourdomain.com`
     - Groups: `IT-Admins`
   - **Require:**
     - MFA: Yes
     - Device posture: Optional

Repeat for every hostname in the ingress list; a hostname with no Access application is reachable by anyone who resolves it. For administrative consoles such as WAC and Proxmox a shorter session (a few hours) is more appropriate than 24 hours, and device posture should be required rather than optional once the WARP client is rolled out to the admin workstations.

### Device Posture Checks

1. Navigate to Zero Trust > Settings > WARP
2. Configure device posture (these checks are reported by the WARP client, so it must be installed on the admin devices):
   - **OS version:** Require a minimum OS version
   - **Disk encryption:** Require disk encryption
   - **Firewall:** Require the host firewall to be enabled

## WAF Configuration

### WAF Rules

1. Navigate to Security > WAF
2. Create custom rules:

**Rule 1: Block Common Attacks**

- **Expression:** `(http.request.uri.path contains "/wp-admin" or http.request.uri.path contains "/phpmyadmin")`
- **Action:** Block

**Rule 2: Rate Limiting**

Rate limiting is a separate rule type (Security > WAF > Rate limiting rules), not a function available in custom-rule expressions, so `rate(10m) > 100` is not valid there.

- **Expression (what to count):** `(http.host eq "wac.yourdomain.com")`, or one rule per published hostname
- **Rate:** 100 requests per 10 minutes, counted per source IP
- **Action:** Managed Challenge (or Block for the admin consoles)

**Rule 3: Geographic Restrictions**

- **Expression:** `(ip.geoip.country ne "US" and ip.geoip.country ne "CA")`
- **Action:** Block (if needed)

Custom WAF rules run before Access, so blocked requests never reach the login page; rate limiting in particular protects the identity provider redirect from being hammered.

## Proxmox Tunnel Example

### Community Patterns

For exposing the Proxmox UI through Cloudflare Tunnel:

```yaml
# In config.yml
ingress:
  - hostname: proxmox.yourdomain.com
    service: https://10.10.60.10:8006
    originRequest:
      noHappyEyeballs: true
      tcpKeepAlive: 30s
      connectTimeout: 10s
      tlsTimeout: 10s
      keepAliveTimeout: 30s
      httpHostHeader: proxmox.yourdomain.com
```

### Proxmox Certificate Considerations

- Proxmox uses a self-signed certificate by default. Because the service above is `https://`, cloudflared verifies that certificate against the system CA store, fails, and the tunnel log shows a TLS verification error for the origin.
- Cloudflare terminates the browser's TLS at the edge; the edge-to-cloudflared leg is always encrypted inside the tunnel. The zone's SSL/TLS mode ("Full (strict)" and friends) governs the edge-to-origin connection for ordinary proxied records and does not apply to the cloudflared-to-Proxmox leg, so changing it does not fix a self-signed origin.
- Fix the origin leg in `originRequest` instead: either install a certificate Proxmox obtains through its built-in ACME support, or point `caPool` at the cluster CA (`/etc/pve/pve-root-ca.pem` on the node) so cloudflared trusts the node certificate, adding `originServerName` if the certificate's SAN does not cover the IP you connect to.
- `noTLSVerify: true` makes cloudflared accept any certificate and should only be a temporary measure while a proper certificate is put in place; a host that can spoof 10.10.60.10 on VLAN 60 would otherwise receive the Proxmox session.

## Monitoring

### Tunnel Status

```bash
# Check tunnel status
sudo systemctl status cloudflared

# View tunnel logs
sudo journalctl -u cloudflared -f

# Show the tunnel's registered connections to the Cloudflare edge
cloudflared tunnel info azure-stack-hci
```

### Cloudflare Dashboard

- Navigate to Zero Trust > Access > Tunnels
- View tunnel status and metrics
- Monitor connection health
- Review access logs (Zero Trust > Logs > Access) for denied logins and unexpected users

## Troubleshooting

### Tunnel Not Connecting

**Problem:** Tunnel shows as disconnected

- **Solution:**
  - Check outbound connectivity on 443 from the VM (the DMZ egress rules must allow it)
  - Verify the credentials file exists and is readable by the `cloudflared` user
  - Check the cloudflared service status
  - Review logs: `journalctl -u cloudflared`

### Services Not Accessible

**Problem:** Can't access services through the Tunnel

- **Solution:**
  - Verify the ingress rules in `config.yml` with `cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate`
  - Check service connectivity from the Tunnel VM (`curl` the `service:` URL directly; a TLS error here means cloudflared will fail the same way)
  - Verify the DNS records are proxied and point at the tunnel
  - Check the Zero Trust policies for the hostname

### Authentication Issues

**Problem:** SSO not working

- **Solution:**
  - Verify the identity provider configuration
  - Check the application policies
  - Verify user email addresses match what the identity provider returns
  - Check the MFA configuration

### Performance Issues

**Problem:** Slow performance through the Tunnel

- **Solution:**
  - Check network latency from the Tunnel VM to the origins and to the Cloudflare edge
  - Verify `originRequest` settings (timeouts, keep-alive)
  - Consider Cloudflare's Argo Smart Routing
  - Review WAF rules for false positives

## Security Best Practices

1. **Use Zero Trust Policies:**
   - Always require authentication; every published hostname gets an Access application
   - Enforce MFA for sensitive services
   - Use device posture checks
2. **WAF Rules:**
   - Enable the WAF for all public hostnames
   - Configure rate limiting
   - Block known attack patterns
3. **Tunnel Security:**
   - Run cloudflared as a non-root user
   - Secure the credentials file (chmod 600, owned by the service user)
   - Monitor tunnel logs for anomalies
4. **Network Isolation:**
   - Keep the Tunnel VM in the DMZ (VLAN 99)
   - Use firewall rules to restrict access: allow the Tunnel VM to reach only the `service:` ports listed in `config.yml`, and configure each origin to accept management traffic only from the Tunnel VM's address
   - Only allow necessary ports. Access identity headers (for example `Cf-Access-Authenticated-User-Email`) are only trustworthy if the origin cannot be reached except through the tunnel; a host on VLAN 60 that can open 10.10.60.20:443 directly bypasses Access entirely

## Related Documentation

- [Complete Architecture](complete-architecture.md) - Full architecture overview
- [Network Topology](network-topology.md) - VLAN/IP schema
- [Bring-Up Checklist](bring-up-checklist.md) - Installation guide
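The Systemd Service and Tunnel Security sections above leave two things to the operator: the `cloudflared` account named in `User=` must exist, and the credentials file must be readable by that account and by nobody else. The script below is an added example for this guide, not part of cloudflared or the project's own tooling. It creates the service account, installs the credentials file and `config.yml` into `/etc/cloudflared` with owner and mode set in one step, and verifies the result. The `SERVICE_USER` and `CONF_DIR` defaults are assumptions chosen to match the unit above; the JSON used when exercising it is a constructed stand-in, not real credentials.

```shell
#!/usr/bin/env bash
# harden-cloudflared.sh: create the unprivileged account the systemd unit runs as,
# move the tunnel credentials and config.yml under /etc/cloudflared owned by it,
# and verify nobody else can read them.
# Added example for this guide; not cloudflared's installer (`cloudflared service
# install` exists, but writes its own unit and runs the daemon as root).
set -eu

SERVICE_USER=${SERVICE_USER:-cloudflared}   # assumed to match User= in the unit
CONF_DIR=${CONF_DIR:-/etc/cloudflared}      # assumed to match --config in the unit

# System account: no home, no shell, no password; it only needs to read CONF_DIR.
create_service_user() {
  if ! id "$1" >/dev/null 2>&1; then
    useradd --system --no-create-home --shell /usr/sbin/nologin --user-group "$1"
  fi
}

# Copy FILES into DIR so that only OWNER can read them. install(1) sets owner
# and mode as it writes, so the credentials never sit world-readable in DIR.
install_secured() {
  local dir=$1 owner=$2 grp f
  shift 2
  grp=$(id -gn "$owner")
  install -d -m 0750 -o "$owner" -g "$grp" "$dir"
  for f in "$@"; do
    install -m 0600 -o "$owner" -g "$grp" "$f" "$dir/"
  done
}

# Return 0 if every regular file in DIR is owned by OWNER with mode 600 (or 400),
# otherwise print each offending file and return 1.
verify_perms() {
  local dir=$1 owner=$2 bad=0 f own mode
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    own=$(stat -c %U "$f")
    mode=$(stat -c %a "$f")
    case "$own:$mode" in
      "$owner:600"|"$owner:400") ;;
      *) echo "BAD: $f is $own mode $mode (want $owner mode 600)"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Usage: sudo ./harden-cloudflared.sh /root/.cloudflared/<TUNNEL-ID>.json /root/.cloudflared/config.yml
if [ "$#" -gt 0 ]; then
  create_service_user "$SERVICE_USER"
  install_secured "$CONF_DIR" "$SERVICE_USER" "$@"
  verify_perms "$CONF_DIR" "$SERVICE_USER" && echo "OK: $CONF_DIR is readable only by $SERVICE_USER"
fi
```

Run it as root after Step 4 with the files `cloudflared tunnel create` produced, then point `credentials-file` in `config.yml` at the new location. `~/.cloudflared/cert.pem` is deliberately left where it is: it is the account-level certificate used to create and delete tunnels, the running daemon does not need it, and it should stay readable by root only.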
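A misordered catch-all, a disabled origin certificate check and an origin that is simply down all present as the same symptom from the browser: the "Services Not Accessible" case above. The script below is an added example for this guide, not cloudflared's own validator (that is `cloudflared tunnel ingress validate`, which only checks syntax). It pulls the hostname/service pairs out of `config.yml` using the one-key-per-line layout this guide uses, flags a catch-all that is not the final rule, any `noTLSVerify: true`, and cleartext `http://` origins, and with `PROBE=1` reaches each origin from the Tunnel VM with curl, separating an unreachable service from a certificate that fails verification (the Proxmox default). The configuration emitted by `sample_config` is constructed for the example, with a placeholder tunnel ID, and is not a real deployment.

```shell
#!/usr/bin/env bash
# tunnel-lint.sh: offline sanity checks for a cloudflared config.yml, plus an
# optional reachability probe of each origin, run from the Tunnel VM.
# Added example for this guide; not part of cloudflared or the project's tooling.
set -eu

# Print "hostname service" pairs from the ingress section, in file order.
# A rule without hostname (the catch-all) is printed with "-" as its hostname.
# Assumes the one-key-per-line layout used in this guide; not a general YAML parser.
list_ingress() {
  awk '
    /^[[:space:]]*-[[:space:]]*hostname:/ { sub(/.*hostname:[[:space:]]*/, ""); host = $0; next }
    /^[[:space:]]*-?[[:space:]]*service:/ { sub(/.*service:[[:space:]]*/, "")
                                            h = (host == "" ? "-" : host); print h, $0; host = "" }
  ' "$1"
}

# Lint the ingress rules. Prints one finding per line; returns 1 if any FAIL was raised.
lint_ingress() {
  local cfg=$1 rc=0 last
  last=$(list_ingress "$cfg" | tail -n 1)
  # 1. cloudflared requires a catch-all and only honours it as the final rule.
  case "$last" in
    "- http_status:"*) ;;
    *) echo "FAIL: last ingress rule is '$last', expected catch-all '- service: http_status:404'"; rc=1 ;;
  esac
  # 2. A hostname-less rule anywhere earlier matches everything; rules after it are dead.
  if ! list_ingress "$cfg" | awk '{ l[NR] = $0 } END { for (i = 1; i < NR; i++) if (l[i] ~ /^- /) exit 1 }'; then
    echo "FAIL: a rule without hostname appears before the last rule; rules after it are unreachable"; rc=1
  fi
  # 3. noTLSVerify disables certificate checks on the cloudflared -> origin leg;
  #    the zone's SSL/TLS mode does not cover that leg.
  if grep -Eq '^[[:space:]]*noTLSVerify:[[:space:]]*true' "$cfg"; then
    echo "WARN: noTLSVerify: true found; cloudflared will accept any origin certificate"
  fi
  # 4. http:// origins cross the VLANs in cleartext between the Tunnel VM and the service.
  list_ingress "$cfg" | awk '$2 ~ /^http:\/\// { print "WARN: cleartext origin for " $1 " (" $2 ")" }'
  return "$rc"
}

# Probe every origin the way cloudflared will: strict TLS first, so a self-signed
# certificate (curl exit code 60) is reported separately from a dead host.
probe_origins() {
  local host svc code status
  list_ingress "$1" | while read -r host svc; do
    case "$svc" in
      http://*|https://*)
        if code=$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$svc"); then
          status="HTTP $code"
        elif [ "$?" -eq 60 ]; then
          status="TLS verification failed (self-signed? set caPool or install a trusted cert)"
        else
          status="unreachable"
        fi ;;
      *) status="(not probed)" ;;
    esac
    printf '%-26s %-28s %s\n' "$host" "$svc" "$status"
  done
}

# Constructed sample mirroring this guide's config.yml (placeholder tunnel ID, not a
# real deployment), with the catch-all misplaced so the lint has something to report.
sample_config() {
  cat <<'EOF'
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json
ingress:
  - hostname: wac.yourdomain.com
    service: https://10.10.60.20:443
  - hostname: grafana.yourdomain.com
    service: http://10.10.40.10:3000
  - service: http_status:404
  - hostname: proxmox.yourdomain.com
    service: https://10.10.60.10:8006
    originRequest:
      noTLSVerify: true
EOF
}

# Usage: ./tunnel-lint.sh /etc/cloudflared/config.yml      (PROBE=1 to also curl each origin)
if [ "$#" -gt 0 ]; then
  if lint_ingress "$1"; then echo "OK: ingress rules look sane"; fi
  if [ "${PROBE:-0}" = 1 ]; then probe_origins "$1"; fi
fi
```

Run the lint from anywhere; run it with `PROBE=1` on the Tunnel VM itself, since that is the only host whose path to the origins matters. An `HTTP 401` or `HTTP 403` from an origin is a good sign here: the service answered, and authentication is Access's job, not the probe's.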