# Cloudflare Access Setup Guide

This guide walks you through setting up Cloudflare Access (Zero Trust) to protect your Proxmox UI endpoints with SSO/MFA.

## Overview

Cloudflare Access provides:

- ✅ **Single Sign-On (SSO)** - Use your existing identity provider
- ✅ **Multi-Factor Authentication (MFA)** - Additional security layer
- ✅ **Device Posture Checks** - Require managed devices
- ✅ **Audit Logs** - Track all access attempts
- ✅ **Session Management** - Control session duration

## Prerequisites

1. ✅ Cloudflare account with Zero Trust enabled
2. ✅ Domain `d-bis.org` managed by Cloudflare
3. ✅ Tunnels created and configured (see main README)
4. ✅ DNS records created (CNAME pointing to tunnels)

## Step 1: Enable Cloudflare Zero Trust

1. **Navigate to Cloudflare Zero Trust:**
   - Go to: https://one.dash.cloudflare.com
   - Sign in with your Cloudflare account
2. **Verify Zero Trust is enabled:**
   - If not enabled, you'll be prompted to enable it
   - This is free for up to 50 users

## Step 2: Create Tunnels in Cloudflare Dashboard

For each Proxmox host, create a separate tunnel:

### 2.1 Create Tunnel for ml110-01

1. **Go to Zero Trust → Networks → Tunnels**
2. **Click "Create a tunnel"**
3. **Select "Cloudflared"**
4. **Enter tunnel name:** `tunnel-ml110`
5. **Click "Save tunnel"**
6. **Copy the tunnel token** (starts with `eyJ...`)
   - Save this securely - you'll need it for VMID 102

### 2.2 Create Tunnel for r630-01

Repeat the same process:

- **Tunnel name:** `tunnel-r630-01`
- **Copy tunnel token**

### 2.3 Create Tunnel for r630-02

Repeat the same process:

- **Tunnel name:** `tunnel-r630-02`
- **Copy tunnel token**

## Step 3: Configure Tunnel Public Hostnames

For each tunnel, configure the public hostname:

### 3.1 Configure ml110-01 Tunnel

1. **Click on tunnel `tunnel-ml110`**
2. **Click "Configure"**
3. **Go to "Public Hostnames" tab**
4. **Click "Add a public hostname"**
5. **Configure:**
   - **Subdomain:** `ml110-01`
   - **Domain:** `d-bis.org`
   - **Service:** `https://192.168.11.10:8006`
   - **Type:** HTTP
6. **Click "Save hostname"**

### 3.2 Configure r630-01 Tunnel

Repeat for r630-01:

- **Subdomain:** `r630-01`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.11:8006`

### 3.3 Configure r630-02 Tunnel

Repeat for r630-02:

- **Subdomain:** `r630-02`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.12:8006`

## Step 4: Create DNS Records

Create CNAME records in Cloudflare DNS:

1. **Go to Cloudflare Dashboard → DNS → Records**
2. **Add records:**

| Type | Name | Target | Proxy | TTL |
|------|------|--------|-------|-----|
| CNAME | `ml110-01` | `<TUNNEL_ID>.cfargotunnel.com` | 🟠 Proxied | Auto |
| CNAME | `r630-01` | `<TUNNEL_ID>.cfargotunnel.com` | 🟠 Proxied | Auto |
| CNAME | `r630-02` | `<TUNNEL_ID>.cfargotunnel.com` | 🟠 Proxied | Auto |

**Important:**

- ✅ Use CNAME (not A records)
- ✅ Enable proxy (orange cloud)
- ✅ Replace `<TUNNEL_ID>` with the actual tunnel ID of each tunnel from Step 2

## Step 5: Configure Cloudflare Access Applications

For each Proxmox host, create an Access application:

### 5.1 Create Application for ml110-01

1. **Go to Zero Trust → Access → Applications**
2. **Click "Add an application"**
3. **Select "Self-hosted"**
4. **Configure Application:**
   - **Application name:** `Proxmox ml110-01`
   - **Application domain:** `ml110-01.d-bis.org`
   - **Session duration:** `8 hours` (or your preference)
5. **Click "Next"**

### 5.2 Configure Access Policy

1. **Click "Add a policy"**
2. **Policy name:** `Allow Team Access`
3. **Action:** `Allow`
4. **Include:**
   - **Select:** `Emails`
   - **Value:** `@yourdomain.com` (or specific emails)
   - **OR** select `Country` and choose your country
5. **Require:**
   - ✅ **Multi-factor authentication** (MFA)
   - ✅ **Email verification** (optional but recommended)
6. **Click "Next"**

### 5.3 Configure Additional Settings

1. **CORS settings:** Leave default (not needed for Proxmox UI)
2. **Cookie settings:** Leave default
3. **Click "Add application"**

### 5.4 Repeat for Other Hosts

Repeat Steps 5.1-5.3 for:

- **r630-01** → `r630-01.d-bis.org`
- **r630-02** → `r630-02.d-bis.org`

## Step 6: Configure Identity Providers (Optional but Recommended)

If you want to use SSO instead of email-based auth:

### 6.1 Add Identity Provider

1. **Go to Zero Trust → Access → Authentication**
2. **Click "Add new" under Identity Providers**
3. **Select your provider:**
   - Google Workspace
   - Microsoft Azure AD
   - Okta
   - Generic OIDC
   - Generic SAML
   - etc.
4. **Follow provider-specific setup instructions**

### 6.2 Update Access Policies

1. **Go back to Applications**
2. **Edit each application policy**
3. **Change "Include" to use your identity provider**
4. **Save changes**

## Step 7: Advanced Security Settings (Recommended)

### 7.1 Device Posture Checks

Require managed devices:

1. **Go to Zero Trust → Settings → WARP**
2. **Enable WARP for your organization**
3. **Go to Zero Trust → Access → Applications**
4. **Edit application policy**
5. **Add "Require" condition:**
   - **Select:** `Device Posture`
   - **Require:** `Managed device` or `WARP client`

### 7.2 Country Blocking

Block access from specific countries:

1. **Edit application policy**
2. **Add "Exclude" condition:**
   - **Select:** `Country`
   - **Value:** Select countries to block

### 7.3 IP Allowlisting

Restrict to specific IPs:

1. **Edit application policy**
2. **Add "Include" condition:**
   - **Select:** `IP Address`
   - **Value:** Your office/home IP ranges

## Step 8: Test Access

### 8.1 Test DNS Resolution

```bash
dig ml110-01.d-bis.org
dig r630-01.d-bis.org
dig r630-02.d-bis.org
```

Should resolve to Cloudflare IPs.

### 8.2 Test HTTPS Access

```bash
# Should redirect to Cloudflare Access login
curl -I https://ml110-01.d-bis.org
```

### 8.3 Test Browser Access

1. **Open browser**
2. **Navigate to:** `https://ml110-01.d-bis.org`
3. **Should see Cloudflare Access login page**
4. **Login with your credentials**
5. **Complete MFA if required**
6. **Should redirect to Proxmox UI**

## Step 9: Monitor Access

### 9.1 View Access Logs

1. **Go to Zero Trust → Access → Logs**
2. **View authentication attempts**
3. **Check for failed login attempts**

### 9.2 Set Up Alerts

1. **Go to Zero Trust → Settings → Notifications**
2. **Configure email alerts for:**
   - Failed authentication attempts
   - Suspicious activity
   - Policy violations

## Troubleshooting

### Access Page Not Showing

**Problem:** Direct access to Proxmox UI, no Cloudflare Access page

**Solutions:**

1. Verify DNS record has proxy enabled (orange cloud)
2. Check tunnel is running: `systemctl status cloudflared-ml110`
3. Verify application is configured correctly
4. Check Cloudflare dashboard for tunnel status

### MFA Not Working

**Problem:** MFA prompt not appearing

**Solutions:**

1. Verify MFA is enabled in policy
2. Check identity provider settings
3. Verify user has MFA configured

### Can't Access After Login

**Problem:** Login successful but can't reach Proxmox UI

**Solutions:**

1. Check tunnel is running
2. Verify tunnel configuration points to correct IP:port
3. Check Proxmox UI is accessible internally
4. Review tunnel logs: `journalctl -u cloudflared-ml110 -f`

## Security Best Practices

1. ✅ **Always enable MFA** - Required for admin interfaces
2. ✅ **Use short session durations** - 4-8 hours for admin access
3. ✅ **Enable device posture checks** - Require managed devices
4. ✅ **Monitor access logs** - Review regularly for suspicious activity
5. ✅ **Use IP allowlisting** - If you have static IPs
6. ✅ **Enable email verification** - Additional security layer
7. ✅ **Set up alerts** - Get notified of failed attempts

## Quick Reference

### Application URLs

- ml110-01: `https://ml110-01.d-bis.org`
- r630-01: `https://r630-01.d-bis.org`
- r630-02: `https://r630-02.d-bis.org`

### Tunnel Names

- `tunnel-ml110`
- `tunnel-r630-01`
- `tunnel-r630-02`

### Service Names

- `cloudflared-ml110.service`
- `cloudflared-r630-01.service`
- `cloudflared-r630-02.service`

## Next Steps

After completing this setup:

1. ✅ Test access to all three Proxmox hosts
2. ✅ Configure monitoring (see `MONITORING_GUIDE.md`)
3. ✅ Set up alerting (see `MONITORING_GUIDE.md`)
4. ✅ Review access logs regularly
5. ✅ Update policies as needed

## Support

For issues:

1. Check [Troubleshooting Guide](TROUBLESHOOTING.md)
2. Review Cloudflare Zero Trust documentation
3. Check tunnel logs: `journalctl -u cloudflared-*`
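The `curl -I` check in Step 8.2 and the "Access Page Not Showing" troubleshooting entry both come down to one question: did the request hit the Cloudflare Access login redirect, or did it reach the Proxmox web daemon directly? The shell script below is an added example and not part of the original guide or of Cloudflare's or Proxmox's own tooling. It classifies a captured set of response headers: a `3xx` whose `Location` points at the Access login path on `cloudflareaccess.com` means Access is enforced; a `200` whose `Server` header is Proxmox's `pve-api-daemon` means the UI is exposed without Access in front of it. The two sample responses are constructed, and the `example-team` team name and the `check_host` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): decide from HTTP response
# headers whether Cloudflare Access is actually in front of the Proxmox UI.

# classify_access_response reads raw response headers on stdin and prints one of:
#   access-enforced  (exit 0) - redirect to a *.cloudflareaccess.com login page
#   direct-proxmox   (exit 1) - the Proxmox API daemon answered with no redirect
#   unknown          (exit 2) - anything else; inspect the headers by hand
classify_access_response() {
  headers=$(cat)
  status=$(printf '%s\n' "$headers" | head -n1 | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n1 | tr -d '\r')
  server=$(printf '%s\n' "$headers" | grep -i '^server:' | head -n1 | tr -d '\r')

  case "$status" in
    301|302|303|307|308)
      # The Access login redirect always lands on the team domain's
      # /cdn-cgi/access/login/<application hostname> path.
      if printf '%s' "$location" | grep -qi 'cloudflareaccess\.com/cdn-cgi/access/login'; then
        echo access-enforced
        return 0
      fi
      ;;
    200)
      # pveproxy identifies itself as pve-api-daemon; a 200 from it at the
      # public hostname means no Access policy intercepted the request.
      if printf '%s' "$server" | grep -qi 'pve-api-daemon'; then
        echo direct-proxmox
        return 1
      fi
      ;;
  esac
  echo unknown
  return 2
}

# Constructed sample responses (not real captures). The team name
# "example-team" is a placeholder, not the guide's Zero Trust team.
SAMPLE_ENFORCED='HTTP/2 302
date: Mon, 01 Jan 2024 00:00:00 GMT
location: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/ml110-01.d-bis.org?kid=placeholder
server: cloudflare
cf-ray: 0000000000000000-ABC'

SAMPLE_DIRECT='HTTP/1.1 200 OK
server: pve-api-daemon/3.0
content-type: text/html; charset=utf-8'

# check_host runs the live test from Step 8.2 against one public hostname
# and classifies the result; its exit status follows the classification.
# (Assumed helper; needs network access, so it is not exercised offline.)
check_host() {
  curl -sS -I --max-time 10 "https://$1" | classify_access_response
}

# Offline demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_ENFORCED" | classify_access_response   # access-enforced
printf '%s\n' "$SAMPLE_DIRECT"   | classify_access_response   # direct-proxmox
```

Run `check_host ml110-01.d-bis.org` (and the two r630 hostnames) after Step 5; a non-zero exit with `direct-proxmox` is the exact symptom the troubleshooting entry describes, and the first thing to verify is that the DNS record is proxied (orange cloud), since an unproxied CNAME bypasses Access entirely.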