# Configure Cloudflare Access Email Allowlist

## Overview

You can restrict access to your Proxmox UIs to specific email addresses using Cloudflare Access policies.

## Quick Setup

### Option 1: Interactive Script

```bash
cd /home/intlc/projects/proxmox/scripts/cloudflare-tunnels
./scripts/configure-access-policies.sh
```

The script will prompt you to enter email addresses one by one.

### Option 2: Command Line

```bash
cd /home/intlc/projects/proxmox/scripts/cloudflare-tunnels
./scripts/configure-access-policies.sh user1@example.com user2@example.com user3@example.com
```

### Option 3: Via Cloudflare Dashboard

1. Go to: **https://one.dash.cloudflare.com/**
2. Navigate: **Zero Trust** → **Access** → **Applications**
3. Click on each application:
   - Proxmox ml110-01
   - Proxmox r630-01
   - Proxmox r630-02
4. Click the **"Policies"** tab
5. Click **"Add a policy"** or edit the existing one
6. Set:
   - **Policy name**: "Allow Team Access"
   - **Action**: Allow
   - **Include**: Email → Add each allowed email
   - **Require**: Email (for email verification)
7. Save

## What Gets Configured

The script configures policies that:

- ✅ **Allow** access (instead of block)
- ✅ **Include** specific email addresses
- ✅ **Require** email verification (MFA if enabled)
- ✅ Apply to all 3 Proxmox UIs

## Policy Structure

```json
{
  "name": "Allow Team Access",
  "decision": "allow",
  "include": [
    {"email": {"email": "user1@example.com"}},
    {"email": {"email": "user2@example.com"}}
  ],
  "require": [
    {"email": {}}
  ]
}
```

## Adding More Emails Later

### Via Script

```bash
./scripts/configure-access-policies.sh user1@example.com user2@example.com user3@example.com
```

### Via Dashboard

1. Go to Access → Applications → [App Name] → Policies
2. Edit the "Allow Team Access" policy
3. Add more emails to the Include section
4. Save

## Removing Access

### Via Dashboard

1. Go to Access → Applications → [App Name] → Policies
2. Edit the policy
3. Remove the email from the Include section
4. Save

## Advanced Options

You can also configure:

- **Groups**: Create email groups for easier management
- **Service tokens**: For programmatic access
- **Country restrictions**: Allow only specific countries
- **IP restrictions**: Allow only specific IP ranges
- **Device posture**: Require specific device checks

See `docs/CLOUDFLARE_ACCESS_SETUP.md` for more details.

## Verification

After configuring, test access:

1. Open https://ml110-01.d-bis.org in an incognito window
2. You should see the Cloudflare Access login page
3. Log in with an allowed email
4. You should be granted access

If you use a non-allowed email, access will be denied.
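The policy document under "Policy Structure" is easy to get subtly wrong when it is generated by hand or by a script (duplicate or mistyped addresses, an empty include list, a `decision` other than `allow`). The following Python snippet is an added example, not part of this project or of `configure-access-policies.sh`: it builds that exact document from a list of addresses with normalisation and sanity checks, and it models the allow/deny outcome described under "Verification" so you can reason about who a policy admits before pushing it to Cloudflare. The `evaluate` function is a simplified local model of Access's include/require semantics (only the email rule is modelled), not Cloudflare's own evaluator, and the `email_verified` field of the identity dictionary is an assumption for illustration.

```python
import json
import re

# Minimal syntactic check; the identity provider, not this regex, is the
# real authority on whether an address exists.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_allow_policy(emails, name="Allow Team Access"):
    """Build the Access policy document from a list of allowed addresses.

    Addresses are trimmed, lower-cased and de-duplicated so that
    'User1@Example.com' and 'user1@example.com' do not produce two rules.
    """
    cleaned = []
    seen = set()
    for raw in emails:
        addr = raw.strip().lower()
        if not EMAIL_RE.match(addr):
            raise ValueError(f"not an email address: {raw!r}")
        if addr in seen:
            continue
        seen.add(addr)
        cleaned.append(addr)
    if not cleaned:
        # An allow policy whose include list is empty admits nobody and
        # is almost always a scripting mistake, so refuse to build it.
        raise ValueError("allow policy needs at least one email in 'include'")
    return {
        "name": name,
        "decision": "allow",
        "include": [{"email": {"email": addr}} for addr in cleaned],
        "require": [{"email": {}}],
    }


def policy_json(policy):
    """Serialise the policy in the same layout as the page's example."""
    return json.dumps(policy, indent=2)


def evaluate(policy, identity):
    """Simplified local model of an Access decision for one identity.

    identity is a dict such as {"email": "x@example.com", "email_verified": True}
    (constructed shape for this example). Access grants when the decision is
    'allow', at least one include rule matches, and every require rule holds.
    """
    email = identity.get("email", "").strip().lower()
    included = any(
        rule.get("email", {}).get("email", "").lower() == email
        for rule in policy.get("include", [])
    )
    # The page's require rule {"email": {}} asks for a verified email login;
    # here that means the identity must carry a verified email address.
    required = all(
        ("email" in rule and bool(email) and identity.get("email_verified", False))
        for rule in policy.get("require", [])
    )
    return policy.get("decision") == "allow" and included and required


if __name__ == "__main__":
    # Constructed sample input for the stand-alone run.
    team = build_allow_policy(["User1@Example.com", " user1@example.com", "user2@example.com"])
    print(policy_json(team))
    print("user2 allowed:", evaluate(team, {"email": "user2@example.com", "email_verified": True}))
    print("stranger allowed:", evaluate(team, {"email": "someone@example.net", "email_verified": True}))
```

Run it once with your intended allowlist and compare the printed JSON with what the dashboard shows after the script has applied it; the two deny cases (address not in the include list, or an include match without a verified email) are the ones worth re-checking whenever the policy is edited.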