proxmox/scripts/cloudflare-tunnels/docs/CLOUDFLARE_ACCESS_SETUP.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
2026-01-06 01:46:25 -08:00

Cloudflare Access Setup Guide

This guide walks you through putting Cloudflare Access (Zero Trust) in front of the Proxmox web UI (port 8006) on each host, so that every request arriving over the tunnel has passed SSO and MFA before it reaches Proxmox.

Overview

Cloudflare Access provides:

  • Single Sign-On (SSO) - Use your existing identity provider
  • Multi-Factor Authentication (MFA) - Additional security layer
  • Device Posture Checks - Require managed devices
  • Audit Logs - Track all access attempts
  • Session Management - Control session duration

Prerequisites

  1. Cloudflare account with Zero Trust enabled
  2. Domain d-bis.org managed by Cloudflare
  3. Tunnels created and configured (see main README)
  4. DNS records created (CNAME pointing to tunnels)

Step 1: Enable Cloudflare Zero Trust

  1. Navigate to Cloudflare Zero Trust: https://one.dash.cloudflare.com

  2. Verify Zero Trust is enabled:

    • If not enabled, you'll be prompted to enable it and pick a team name; that name becomes <team>.cloudflareaccess.com, the login domain users are redirected to
    • The Free plan covers up to 50 users

Step 2: Create Tunnels in Cloudflare Dashboard

For each Proxmox host, create a separate tunnel:

2.1 Create Tunnel for ml110-01

  1. Go to Zero Trust → Networks → Tunnels
  2. Click "Create a tunnel"
  3. Select "Cloudflared"
  4. Enter tunnel name: tunnel-ml110
  5. Click "Save tunnel"
  6. Copy the tunnel token (starts with eyJ...)
    • Save this securely - you'll need it for VMID 102
    • Treat it as a credential: anyone holding it can run a connector that receives the traffic for this tunnel's hostnames

2.2 Create Tunnel for r630-01

Repeat the same process:

  • Tunnel name: tunnel-r630-01
  • Copy tunnel token

2.3 Create Tunnel for r630-02

Repeat the same process:

  • Tunnel name: tunnel-r630-02
  • Copy tunnel token

Step 3: Configure Tunnel Public Hostnames

For each tunnel, configure the public hostname:

3.1 Configure ml110-01 Tunnel

  1. Click on tunnel tunnel-ml110
  2. Click "Configure"
  3. Go to "Public Hostnames" tab
  4. Click "Add a public hostname"
  5. Configure:
    • Subdomain: ml110-01
    • Domain: d-bis.org
    • Type: HTTPS (the Proxmox UI only speaks TLS on 8006; selecting HTTP makes cloudflared send plaintext to a TLS port and every request fails)
    • URL: 192.168.11.10:8006
    • Under Additional application settings → TLS: enable "No TLS Verify", because the stock Proxmox certificate is self-signed and cloudflared cannot validate it. If you have installed a certificate cloudflared can validate, leave verification on and set "Origin Server Name" to the name on that certificate instead
  6. Click "Save hostname"

3.2 Configure r630-01 Tunnel

Repeat for r630-01 (same Type and TLS settings):

  • Subdomain: r630-01
  • Domain: d-bis.org
  • URL: 192.168.11.11:8006

3.3 Configure r630-02 Tunnel

Repeat for r630-02 (same Type and TLS settings):

  • Subdomain: r630-02
  • Domain: d-bis.org
  • URL: 192.168.11.12:8006

Step 4: Create DNS Records

Create CNAME records in Cloudflare DNS:

  1. Go to Cloudflare Dashboard → DNS → Records
  2. Add records:
| Type  | Name     | Target                               | Proxy      | TTL  |
|-------|----------|--------------------------------------|------------|------|
| CNAME | ml110-01 | <tunnel-id-ml110>.cfargotunnel.com   | 🟠 Proxied | Auto |
| CNAME | r630-01  | <tunnel-id-r630-01>.cfargotunnel.com | 🟠 Proxied | Auto |
| CNAME | r630-02  | <tunnel-id-r630-02>.cfargotunnel.com | 🟠 Proxied | Auto |

Important:

  • Use CNAME (not A records)
  • Enable proxy (orange cloud); an unproxied record bypasses Access entirely
  • Replace <tunnel-id-*> with the tunnel ID (the UUID shown in the tunnel list in Step 2), not the eyJ... token
  • If you added the public hostnames in the dashboard in Step 3, Cloudflare normally creates these CNAMEs for you; verify them here rather than creating duplicates

Step 5: Configure Cloudflare Access Applications

For each Proxmox host, create an Access application:

5.1 Create Application for ml110-01

  1. Go to Zero Trust → Access → Applications
  2. Click "Add an application"
  3. Select "Self-hosted"
  4. Configure Application:
    • Application name: Proxmox ml110-01
    • Application domain: ml110-01.d-bis.org
    • Session duration: 8 hours (or your preference)
  5. Click "Next"

5.2 Configure Access Policy

  1. Click "Add a policy"
  2. Policy name: Allow Team Access
  3. Action: Allow
  4. Include (who may be let in; rules here are OR'd, so any single match is enough):
    • Select: Emails ending in
    • Value: @yourdomain.com (or list specific addresses with the Emails selector)
    • Do not add Country here: "Emails OR Country" admits any account that can authenticate from that country
  5. Require (every rule here must also hold):
    • Authentication Method: Multi-factor authentication (only satisfied when your identity provider reports MFA in the token; the built-in One-time PIN email login cannot satisfy it)
    • Country: your country, if you want to limit where admins may log in from
  6. Click "Next"

5.3 Configure Additional Settings

  1. CORS settings: Leave default (not needed for Proxmox UI)
  2. Cookie settings: Leave default
  3. Click "Add application"

5.4 Repeat for Other Hosts

Repeat Steps 5.1-5.3 for:

  • r630-01: r630-01.d-bis.org
  • r630-02: r630-02.d-bis.org

Step 6: Configure SSO (Optional)

If you want an identity provider instead of the default One-time PIN email login (required as soon as a policy requires MFA, since One-time PIN cannot report it):

6.1 Add Identity Provider

  1. Go to Zero Trust → Access → Authentication

  2. Click "Add new" under Identity Providers

  3. Select your provider:

    • Google Workspace
    • Microsoft Azure AD
    • Okta
    • Generic OIDC
    • Generic SAML
    • etc.
  4. Follow provider-specific setup instructions

6.2 Update Access Policies

  1. Go back to Applications
  2. Edit each application policy
  3. Change "Include" to use your identity provider
  4. Save changes

Step 7: Additional Access Controls (Optional)

7.1 Device Posture Checks

Require managed devices:

  1. Go to Zero Trust → Settings → WARP Client and enroll your admin devices in WARP
  2. Define the checks you want under Device posture (disk encryption, OS version, client certificate, and so on)
  3. Go to Zero Trust → Access → Applications
  4. Edit application policy
  5. Add "Require" condition:
    • Select: Device Posture (or WARP, if all you want is that the request arrives through an enrolled WARP client)
    • Value: the posture check(s) you defined

7.2 Country Blocking

Block access from specific countries (an Exclude rule always wins, even over a matching Include):

  1. Edit application policy
  2. Add "Exclude" condition:
    • Select: Country
    • Value: Select countries to block

7.3 IP Allowlisting

Restrict to specific IPs:

  1. Edit application policy
  2. Add "Require" condition (not "Include": an IP range in Include is OR'd with your email rule and admits any identity arriving from that range):
    • Select: IP ranges
    • Value: Your office/home IP ranges in CIDR form
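The Include/Require/Exclude semantics in 5.2 and 7.1-7.3 are the part of this setup people most often get wrong in the dashboard. The script below is an added example, not code from this guide or from the cloudflare-tunnels scripts: it builds a policy body in the shape I expect the Cloudflare API v4 Access policy endpoint to accept (selector names email_domain, email, geo, ip, everyone and auth_method are my reading of the schema; check the API reference before relying on them) and lints it for the placements that widen access. Account id, application id, API token, email domain and IP range are placeholders.

```python
"""Build a Cloudflare Access policy body and lint it before submitting it.

Added example; not from this guide or the cloudflare-tunnels scripts. Rule shapes
follow the Access policy API schema as I understand it (assumption: verify against
the current API reference). Account id, app id, token, domain and IP are placeholders.
"""
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Rule helpers named after the API selectors (assumed names; see lead-in).
def email_domain(domain): return {"email_domain": {"domain": domain}}
def email(addr):          return {"email": {"email": addr}}
def country(code):        return {"geo": {"country_code": code}}
def ip_range(cidr):       return {"ip": {"ip": cidr}}
def mfa():                return {"auth_method": {"auth_method": "mfa"}}
EVERYONE = {"everyone": {}}

# Selectors that describe a place or "anyone", not a person. In Include they admit
# every identity that matches; in Require they only narrow.
BROAD_SELECTORS = ("geo", "ip", "everyone")

def allow_policy(name, include, require=(), exclude=()):
    """Include rules are OR'd (any match admits), Require rules are AND'd (all must
    hold), Exclude rules always win. Swapping Include and Require is the classic
    way to open an admin app to a whole country."""
    return {"name": name, "decision": "allow",
            "include": list(include), "require": list(require), "exclude": list(exclude)}

def lint_policy(policy):
    """Return human-readable findings for placements that widen an Allow policy."""
    findings = []
    if policy["decision"] != "allow":
        return findings
    if not policy["include"]:
        findings.append("empty Include matches nobody; the policy is inert")
    if any(sel in BROAD_SELECTORS for rule in policy["include"] for sel in rule):
        findings.append("country/IP/everyone used in Include; move it to Require so it narrows instead of admits")
    if not any("auth_method" in rule for rule in policy["require"]):
        findings.append("no MFA requirement in Require")
    return findings

def post_policy(account_id, app_id, api_token, policy):
    """Submit the policy (network; not exercised offline). Refuses to send one that lints dirty."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("refusing to create weak policy: " + "; ".join(problems))
    req = urllib.request.Request(
        f"{API}/accounts/{account_id}/access/apps/{app_id}/policies",   # assumed endpoint
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]

# The shape 5.2 originally suggested: Country offered as an alternative Include.
WEAK = allow_policy("Allow Team Access",
                    include=[email_domain("yourdomain.com"), country("US")])

# Corrected: identity in Include; MFA, country and office range all in Require.
STRICT = allow_policy("Allow Team Access",
                      include=[email_domain("yourdomain.com"), email("oncall@yourdomain.com")],
                      require=[mfa(), country("US"), ip_range("203.0.113.0/24")])

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("strict", STRICT)):
        print(label, lint_policy(pol) or "ok")
```

Run it before clicking "Add application" to see the two findings the weak shape produces; the same check is worth adding to whatever pipeline manages these policies, since a policy that admits "anyone in the country who can get a one-time PIN" looks identical to a tight one in the dashboard list.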

Step 8: Test Access

8.1 Test DNS Resolution

dig +short ml110-01.d-bis.org
dig +short r630-01.d-bis.org
dig +short r630-02.d-bis.org

Should return Cloudflare edge IPs. If a query returns no address at all, the CNAME is not proxied (orange cloud off) and nothing will answer the hostname.

8.2 Test HTTPS Access

# Should answer 302 with a Location header pointing at https://<team>.cloudflareaccess.com/...
# A 200 carrying the Proxmox login page means nothing is protecting this hostname
curl -sI https://ml110-01.d-bis.org

8.3 Test Browser Access

  1. Open browser
  2. Navigate to: https://ml110-01.d-bis.org
  3. Should see Cloudflare Access login page
  4. Login with your credentials
  5. Complete MFA if required
  6. Should redirect to Proxmox UI
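The curl and browser checks above tell you what happened once; the script below, an added example that is not part of this guide or the cloudflare-tunnels scripts, turns the same observation into a check you can run against all three hostnames from outside the network. It classifies a response as the Access login redirect, an exposed Proxmox origin, or a Cloudflare-side tunnel error. The responses in SAMPLES are constructed for illustration (the team name and CF-RAY value are placeholders); the hostnames are the ones from the Quick Reference.

```python
"""Verify that a public hostname is gated by Cloudflare Access, not serving Proxmox directly.

Added example; not the guide's or the cloudflare-tunnels project's own code. An
unauthenticated request to a protected hostname must come back as a redirect to
the team's <team>.cloudflareaccess.com login. SAMPLES are constructed responses.
"""
import ssl
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlsplit

TEAM_LOGIN_SUFFIX = ".cloudflareaccess.com"
# Markers of the Proxmox web UI; seen before logging in to Access, they mean a bypass.
PROXMOX_SERVER_MARKERS = ("pve-api-daemon", "pveproxy")
PROXMOX_BODY_MARKER = b"Proxmox Virtual Environment"

def classify(status, headers, body=b""):
    """Classify one response: access-redirect | origin-exposed | cloudflare-error | unexpected."""
    h = {k.lower(): v for k, v in headers.items()}
    loc_host = urlsplit(h.get("location", "")).hostname or ""
    if 300 <= status < 400 and loc_host.endswith(TEAM_LOGIN_SUFFIX):
        return "access-redirect"
    server = h.get("server", "").lower()
    # Through Cloudflare the Server header is rewritten to "cloudflare", so also look at the body.
    if any(m in server for m in PROXMOX_SERVER_MARKERS) or PROXMOX_BODY_MARKER in body:
        return "origin-exposed"
    if status >= 500 and "cf-ray" in h:
        return "cloudflare-error"  # 502/530 family: tunnel down, or the origin refused cloudflared
    return "unexpected"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it to the login page

def probe(url, verify_tls=True):
    """Fetch url without following redirects and classify it (network; not run offline)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for probing the self-signed Proxmox origin from the LAN
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=10) as resp:
            return classify(resp.status, dict(resp.headers.items()), resp.read(4096))
    except HTTPError as err:  # 3xx (because of _NoRedirect) and 4xx/5xx land here
        return classify(err.code, dict(err.headers.items()), err.read(4096))

HOSTS = ("ml110-01.d-bis.org", "r630-01.d-bis.org", "r630-02.d-bis.org")

# Constructed responses: what Access returns, what a bypassed origin returns, what a dead tunnel returns.
SAMPLES = {
    "access-login": (302, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f-FRA",
                           "Location": "https://example-team.cloudflareaccess.com/cdn-cgi/access/login/ml110-01.d-bis.org"}, b""),
    "proxmox-direct": (200, {"Server": "pve-api-daemon/3.0"}, b"<title>pve - Proxmox Virtual Environment</title>"),
    "tunnel-down": (530, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f-FRA"}, b"error code: 1033"),
}

def classify_samples():
    """Classify the constructed responses; the live probe below should match the first one."""
    return {name: classify(*resp) for name, resp in SAMPLES.items()}

if __name__ == "__main__":
    print(classify_samples())
    for host in HOSTS:  # live check from outside the network; every host should say access-redirect
        print(host, probe(f"https://{host}/"))
```

Run the live loop from a machine that is not on 192.168.11.0/24 and not on WARP, otherwise a LAN route or an existing Access session would hide a misconfiguration. Anything other than access-redirect for a public hostname is a finding: origin-exposed means the Access application does not cover that hostname, cloudflare-error means the tunnel or its TLS settings are broken.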

Step 9: Monitor Access

9.1 View Access Logs

  1. Go to Zero Trust → Access → Logs
  2. View authentication attempts
  3. Check for failed login attempts
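Reading the Access log page by hand does not scale past a few users. The script below is an added example, not part of this guide or the cloudflare-tunnels scripts: it pulls the same records through the Access authentication logs API and triages them for the patterns worth acting on (denied bursts from one IP, successful logins from unexpected countries, identities outside your domain probing the login). The entries in SAMPLE are constructed, using the field names I expect from GET /accounts/{account_id}/access/logs/access_requests (user_email, ip_address, app_domain, action, allowed, country, created_at); verify them against the API reference. Account id and token are placeholders.

```python
"""Triage Cloudflare Access authentication logs for the Proxmox applications.

Added example, not the guide's own code. SAMPLE is constructed data shaped like
the Access authentication log API response (field names assumed from the API
reference; verify before relying on them). Account id and token are placeholders.
"""
import json
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta

API = "https://api.cloudflare.com/client/v4"

def fetch_logs(account_id, api_token, limit=500):
    """Pull recent authentication events (network; not run offline)."""
    req = urllib.request.Request(
        f"{API}/accounts/{account_id}/access/logs/access_requests?limit={limit}",  # assumed endpoint
        headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def denied_bursts(entries, window=timedelta(minutes=5), threshold=3):
    """IPs that produced >= threshold denied logins inside any `window`: password
    spraying or probing of Access itself. Returns {ip: most attempts seen in one window}."""
    times_by_ip = defaultdict(list)
    for e in entries:
        if not e["allowed"]:
            times_by_ip[e["ip_address"]].append(_ts(e["created_at"]))
    hits = {}
    for ip, times in times_by_ip.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):  # sliding window starting at each attempt
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[ip] = best
    return hits

def logins_outside(entries, expected_countries):
    """Successful logins from countries you do not expect admins to be in."""
    expected = {c.lower() for c in expected_countries}
    return [(e["user_email"], e["country"], e["app_domain"])
            for e in entries if e["allowed"] and e["country"].lower() not in expected]

def unknown_identities(entries, allowed_domain):
    """Identities outside the policy's email domain that attempted a login at all."""
    return sorted({e["user_email"] for e in entries
                   if not e["user_email"].lower().endswith("@" + allowed_domain.lower())})

# Constructed sample: one admin working normally, one IP spraying identities, one login
# from an unexpected country, one stray typo'd login from a known admin.
SAMPLE = [
    {"user_email": "alice@yourdomain.com", "ip_address": "203.0.113.10", "app_domain": "ml110-01.d-bis.org",
     "action": "login", "allowed": True, "country": "us", "created_at": "2026-01-06T09:00:12Z"},
    {"user_email": "alice@yourdomain.com", "ip_address": "203.0.113.10", "app_domain": "r630-01.d-bis.org",
     "action": "login", "allowed": True, "country": "us", "created_at": "2026-01-06T09:03:40Z"},
    {"user_email": "admin@gmail.com", "ip_address": "198.51.100.7", "app_domain": "ml110-01.d-bis.org",
     "action": "login", "allowed": False, "country": "nl", "created_at": "2026-01-06T09:10:01Z"},
    {"user_email": "root@yourdomain.com", "ip_address": "198.51.100.7", "app_domain": "ml110-01.d-bis.org",
     "action": "login", "allowed": False, "country": "nl", "created_at": "2026-01-06T09:10:45Z"},
    {"user_email": "pve@yourdomain.com", "ip_address": "198.51.100.7", "app_domain": "r630-02.d-bis.org",
     "action": "login", "allowed": False, "country": "nl", "created_at": "2026-01-06T09:11:30Z"},
    {"user_email": "alice@yourdomain.com", "ip_address": "198.51.100.7", "app_domain": "ml110-01.d-bis.org",
     "action": "login", "allowed": False, "country": "nl", "created_at": "2026-01-06T09:12:05Z"},
    {"user_email": "bob@yourdomain.com", "ip_address": "192.0.2.77", "app_domain": "r630-02.d-bis.org",
     "action": "login", "allowed": True, "country": "br", "created_at": "2026-01-06T11:22:09Z"},
    {"user_email": "carol@yourdomain.com", "ip_address": "203.0.113.44", "app_domain": "ml110-01.d-bis.org",
     "action": "login", "allowed": False, "country": "us", "created_at": "2026-01-06T13:05:00Z"},
]

def triage(entries, expected_countries=("us",), allowed_domain="yourdomain.com"):
    """One report a reviewer can act on; wire fetch_logs() in place of SAMPLE for real data."""
    return {
        "denied_bursts": denied_bursts(entries),
        "logins_outside": logins_outside(entries, expected_countries),
        "unknown_identities": unknown_identities(entries, allowed_domain),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the sample the burst detector isolates 198.51.100.7 (four denials in about two minutes, cycling through guessed admin identities) while ignoring carol's single failed attempt, and the country check surfaces bob's login from Brazil for a human to confirm. Scheduled against fetch_logs() this is the "review regularly" step made concrete; the thresholds are starting points to tune against your own log volume.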

9.2 Set Up Alerts

  1. Built-in alerts are configured at the account level in Cloudflare Dashboard → Notifications; add a Tunnel Health alert so you hear when a connector drops
  2. Failed-authentication and suspicious-activity alerting needs the Access authentication logs in your own tooling: ship them with Logpush (Access requests dataset) or poll the Access logs API, then alert on:
    • Bursts of denied attempts from one IP
    • Logins from unexpected countries or from identities outside your domain
    • Changes to Access applications or policies (account audit log)

Troubleshooting

Access Page Not Showing

Problem: Direct access to Proxmox UI, no Cloudflare Access page

Solutions:

  1. Verify DNS record has proxy enabled (orange cloud)
  2. Check tunnel is running: systemctl status cloudflared-ml110
  3. Verify the Access application domain matches the hostname exactly (ml110-01.d-bis.org) and the application was saved; if the Proxmox login page appears with no Access prompt, nothing is protecting that hostname and it is reachable from the internet
  4. Check Cloudflare dashboard for tunnel status

MFA Not Working

Problem: MFA prompt not appearing

Solutions:

  1. Verify the policy has "Authentication Method: Multi-factor authentication" under Require (not Include)
  2. Check the identity provider: Access only knows MFA happened if the provider reports the authentication method in the token it issues; enable that claim in the provider's application configuration
  3. Verify the user has MFA enrolled at the identity provider
  4. If the only enabled login method is One-time PIN, no MFA can be reported at all; add an identity provider (see 6.1) and disable One-time PIN for these applications

Can't Access After Login

Problem: Login successful but can't reach Proxmox UI

Solutions:

  1. Check tunnel is running
  2. Verify tunnel configuration points to correct IP:port with Type HTTPS
  3. A Cloudflare 502 "Bad gateway" right after login usually means cloudflared rejected the Proxmox self-signed certificate: enable "No TLS Verify" for the hostname (Step 3) or install a certificate cloudflared can validate
  4. Check Proxmox UI is accessible internally from the cloudflared VM itself (VMID 102), not just from your workstation
  5. Review tunnel logs: journalctl -u cloudflared-ml110 -f

Security Best Practices

  1. Always require MFA - Required for admin interfaces, through an identity provider that reports it; One-time PIN on its own is not MFA
  2. Use short session durations - 4-8 hours for admin access
  3. Enable device posture checks - Require managed devices
  4. Monitor access logs - Review regularly for denied bursts and logins from unexpected countries
  5. Use IP allowlisting - As a Require rule, if you have static IPs
  6. Keep Proxmox's own authentication and TFA enabled - Access only guards the tunnel path; anyone who can reach 192.168.11.x:8006 directly (LAN, VPN, another tunnel) bypasses it, so never expose port 8006 any other way
  7. Set up alerts - Get notified of denied attempts and tunnel outages

Quick Reference

Application URLs

  • ml110-01: https://ml110-01.d-bis.org
  • r630-01: https://r630-01.d-bis.org
  • r630-02: https://r630-02.d-bis.org

Tunnel Names

  • tunnel-ml110
  • tunnel-r630-01
  • tunnel-r630-02

Service Names

  • cloudflared-ml110.service
  • cloudflared-r630-01.service
  • cloudflared-r630-02.service

Next Steps

After completing this setup:

  1. Test access to all three Proxmox hosts
  2. Configure monitoring (see MONITORING_GUIDE.md)
  3. Set up alerting (see MONITORING_GUIDE.md)
  4. Review access logs regularly
  5. Update policies as needed

Support

For issues:

  1. Check Troubleshooting Guide
  2. Review Cloudflare Zero Trust documentation
  3. Check tunnel logs: journalctl -u 'cloudflared-*' (quote the pattern so the shell does not expand it)