proxmox/scripts/cloudflare-tunnels/docs/CLOUDFLARE_ACCESS_SETUP.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00

# Cloudflare Access Setup Guide
This guide walks you through setting up Cloudflare Access (Zero Trust) to protect your Proxmox UI endpoints with SSO/MFA.
## Overview
Cloudflare Access provides:
- **Single Sign-On (SSO)** - Use your existing identity provider
- **Multi-Factor Authentication (MFA)** - Additional security layer
- **Device Posture Checks** - Require managed devices
- **Audit Logs** - Track all access attempts
- **Session Management** - Control session duration
## Prerequisites
1. ✅ Cloudflare account with Zero Trust enabled
2. ✅ Domain `d-bis.org` managed by Cloudflare
3. ✅ Tunnels created and configured (see main README)
4. ✅ DNS records created (CNAME pointing to tunnels)
## Step 1: Enable Cloudflare Zero Trust
1. **Navigate to Cloudflare Zero Trust:**
- Go to: https://one.dash.cloudflare.com
- Sign in with your Cloudflare account
2. **Verify Zero Trust is enabled:**
- If not enabled, you'll be prompted to enable it
- This is free for up to 50 users
## Step 2: Create Tunnels in Cloudflare Dashboard
For each Proxmox host, create a separate tunnel:
### 2.1 Create Tunnel for ml110-01
1. **Go to Zero Trust → Networks → Tunnels**
2. **Click "Create a tunnel"**
3. **Select "Cloudflared"**
4. **Enter tunnel name:** `tunnel-ml110`
5. **Click "Save tunnel"**
6. **Copy the tunnel token** (starts with `eyJ...`)
- Save this securely - you'll need it for VMID 102
### 2.2 Create Tunnel for r630-01
Repeat the same process:
- **Tunnel name:** `tunnel-r630-01`
- **Copy tunnel token**
### 2.3 Create Tunnel for r630-02
Repeat the same process:
- **Tunnel name:** `tunnel-r630-02`
- **Copy tunnel token**
## Step 3: Configure Tunnel Public Hostnames
For each tunnel, configure the public hostname:
### 3.1 Configure ml110-01 Tunnel
1. **Click on tunnel `tunnel-ml110`**
2. **Click "Configure"**
3. **Go to "Public Hostnames" tab**
4. **Click "Add a public hostname"**
5. **Configure:**
- **Subdomain:** `ml110-01`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.10:8006`
- **Type:** HTTPS (matching the `https://` service URL; Proxmox serves port 8006 over TLS only). If the host still uses Proxmox's default self-signed certificate, enable **No TLS Verify** under the hostname's TLS settings so cloudflared can reach the origin.
6. **Click "Save hostname"**
### 3.2 Configure r630-01 Tunnel
Repeat for r630-01:
- **Subdomain:** `r630-01`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.11:8006`
### 3.3 Configure r630-02 Tunnel
Repeat for r630-02:
- **Subdomain:** `r630-02`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.12:8006`
## Step 4: Create DNS Records
Create CNAME records in Cloudflare DNS:
1. **Go to Cloudflare Dashboard → DNS → Records**
2. **Add records:**
| Type | Name | Target | Proxy | TTL |
|------|------|--------|-------|-----|
| CNAME | `ml110-01` | `<tunnel-id-ml110>.cfargotunnel.com` | 🟠 Proxied | Auto |
| CNAME | `r630-01` | `<tunnel-id-r630-01>.cfargotunnel.com` | 🟠 Proxied | Auto |
| CNAME | `r630-02` | `<tunnel-id-r630-02>.cfargotunnel.com` | 🟠 Proxied | Auto |
**Important:**
- ✅ Use CNAME (not A records)
- ✅ Enable proxy (orange cloud)
- ✅ Replace `<tunnel-id-*>` with actual tunnel IDs from Step 2
## Step 5: Configure Cloudflare Access Applications
For each Proxmox host, create an Access application:
### 5.1 Create Application for ml110-01
1. **Go to Zero Trust → Access → Applications**
2. **Click "Add an application"**
3. **Select "Self-hosted"**
4. **Configure Application:**
- **Application name:** `Proxmox ml110-01`
- **Application domain:** `ml110-01.d-bis.org`
- **Session duration:** `8 hours` (or your preference)
5. **Click "Next"**
### 5.2 Configure Access Policy
1. **Click "Add a policy"**
2. **Policy name:** `Allow Team Access`
3. **Action:** `Allow`
4. **Include:**
- **Select:** `Emails`
- **Value:** `@yourdomain.com` (or specific emails)
- **OR** select `Country` and choose your country (note that a `Country` include on its own admits any identity that can log in from that country; pair it with an email or identity-provider rule)
5. **Require:**
- **Multi-factor authentication** (MFA)
- **Email verification** (optional but recommended)
6. **Click "Next"**
### 5.3 Configure Additional Settings
1. **CORS settings:** Leave default (not needed for Proxmox UI)
2. **Cookie settings:** Leave default
3. **Click "Add application"**
### 5.4 Repeat for Other Hosts
Repeat Steps 5.1-5.3 for:
- **r630-01** → `r630-01.d-bis.org`
- **r630-02** → `r630-02.d-bis.org`
## Step 6: Configure Identity Providers (Optional but Recommended)
If you want to use SSO instead of email-based auth:
### 6.1 Add Identity Provider
1. **Go to Zero Trust → Access → Authentication**
2. **Click "Add new" under Identity Providers**
3. **Select your provider:**
- Google Workspace
- Microsoft Azure AD
- Okta
- Generic OIDC
- Generic SAML
- etc.
4. **Follow provider-specific setup instructions**
### 6.2 Update Access Policies
1. **Go back to Applications**
2. **Edit each application policy**
3. **Change "Include" to use your identity provider**
4. **Save changes**
## Step 7: Advanced Security Settings (Recommended)
### 7.1 Device Posture Checks
Require managed devices:
1. **Go to Zero Trust → Settings → WARP**
2. **Enable WARP for your organization**
3. **Go to Zero Trust → Access → Applications**
4. **Edit application policy**
5. **Add "Require" condition:**
- **Select:** `Device Posture`
- **Require:** `Managed device` or `WARP client`
### 7.2 Country Blocking
Block access from specific countries:
1. **Edit application policy**
2. **Add "Exclude" condition:**
- **Select:** `Country`
- **Value:** Select countries to block
### 7.3 IP Allowlisting
Restrict to specific IPs:
1. **Edit application policy**
2. **Add "Include" condition:**
- **Select:** `IP Address`
- **Value:** Your office/home IP ranges
## Step 8: Test Access
### 8.1 Test DNS Resolution
```bash
dig ml110-01.d-bis.org
dig r630-01.d-bis.org
dig r630-02.d-bis.org
```
Should resolve to Cloudflare IPs.
### 8.2 Test HTTPS Access
```bash
# Should redirect to Cloudflare Access login
curl -I https://ml110-01.d-bis.org
```
### 8.3 Test Browser Access
1. **Open browser**
2. **Navigate to:** `https://ml110-01.d-bis.org`
3. **Should see Cloudflare Access login page**
4. **Login with your credentials**
5. **Complete MFA if required**
6. **Should redirect to Proxmox UI**
## Step 9: Monitor Access
### 9.1 View Access Logs
1. **Go to Zero Trust → Access → Logs**
2. **View authentication attempts**
3. **Check for failed login attempts**
### 9.2 Set Up Alerts
1. **Go to Zero Trust → Settings → Notifications**
2. **Configure email alerts for:**
- Failed authentication attempts
- Suspicious activity
- Policy violations
## Troubleshooting
### Access Page Not Showing
**Problem:** The Proxmox login page appears directly, without the Cloudflare Access page in front of it
**Solutions:**
1. Verify DNS record has proxy enabled (orange cloud)
2. Check tunnel is running: `systemctl status cloudflared-ml110`
3. Verify application is configured correctly
4. Check Cloudflare dashboard for tunnel status
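To check items 1 and 4 (and the Step 8 DNS and HTTPS tests) from a terminal, here is an added verification script that is not part of the original guide. It assumes the guide's three hostnames; the Access team name is not known, so only the `cloudflareaccess.com` suffix of the login redirect is checked.

```shell
#!/usr/bin/env bash
# Added verification helper (not part of the original guide). It checks that the
# DNS record is proxied (no cfargotunnel.com CNAME visible in the answer) and that
# an HTTPS request is answered by a redirect to the Cloudflare Access login rather
# than by the Proxmox origin itself.

# dns_state "<dig +short output>" -> proxied | unproxied | missing
# A proxied (orange cloud) record is flattened to Cloudflare A records; an
# unproxied one exposes the <tunnel-id>.cfargotunnel.com CNAME in the answer.
dns_state() {
  local answer="$1"
  [ -z "$answer" ] && { echo missing; return; }
  case "$answer" in
    *.cfargotunnel.com*) echo unproxied ;;
    *) echo proxied ;;
  esac
}

# access_state "<curl -sI output>" -> protected | exposed | unreachable | unknown
#   protected   : redirect to https://<team>.cloudflareaccess.com/... (Access login)
#   exposed     : the origin answered directly, so no Access policy is in front
#   unreachable : Cloudflare 5xx (tunnel not connected or origin not answering)
access_state() {
  local headers status location
  headers=$(printf '%s\n' "$1" | tr -d '\r')   # curl emits CRLF line endings
  status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2}')
  case "$status" in
    301|302|303|307)
      case "$location" in
        https://*.cloudflareaccess.com/*) echo protected ;;
        *) echo unknown ;;
      esac ;;
    200) echo exposed ;;
    502|503|520|521|522|523|524|530) echo unreachable ;;
    *) echo unknown ;;
  esac
}

# Live mode (./check.sh --live): run both checks against the guide's hostnames.
if [ "${1:-}" = "--live" ]; then
  for host in ml110-01.d-bis.org r630-01.d-bis.org r630-02.d-bis.org; do
    printf '%-20s dns=%s access=%s\n' "$host" \
      "$(dns_state "$(dig +short "$host")")" \
      "$(access_state "$(curl -sI --max-time 10 "https://$host" 2>/dev/null)")"
  done
fi
```

A result of `dns=unproxied` means the orange cloud is off; `access=exposed` means the hostname answers without an Access policy and should be fixed before anything else.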
### MFA Not Working
**Problem:** MFA prompt not appearing
**Solutions:**
1. Verify MFA is enabled in policy
2. Check identity provider settings
3. Verify user has MFA configured
### Can't Access After Login
**Problem:** Login successful but can't reach Proxmox UI
**Solutions:**
1. Check tunnel is running
2. Verify tunnel configuration points to correct IP:port
3. Check Proxmox UI is accessible internally
4. Review tunnel logs: `journalctl -u cloudflared-ml110 -f`
## Security Best Practices
1. **Always enable MFA** - Required for admin interfaces
2. **Use short session durations** - 4-8 hours for admin access
3. **Enable device posture checks** - Require managed devices
4. **Monitor access logs** - Review regularly for suspicious activity
5. **Use IP allowlisting** - If you have static IPs
6. **Enable email verification** - Additional security layer
7. **Set up alerts** - Get notified of failed attempts
## Quick Reference
### Application URLs
- ml110-01: `https://ml110-01.d-bis.org`
- r630-01: `https://r630-01.d-bis.org`
- r630-02: `https://r630-02.d-bis.org`
### Tunnel Names
- `tunnel-ml110`
- `tunnel-r630-01`
- `tunnel-r630-02`
### Service Names
- `cloudflared-ml110.service`
- `cloudflared-r630-01.service`
- `cloudflared-r630-02.service`
## Next Steps
After completing this setup:
1. ✅ Test access to all three Proxmox hosts
2. ✅ Configure monitoring (see `MONITORING_GUIDE.md`)
3. ✅ Set up alerting (see `MONITORING_GUIDE.md`)
4. ✅ Review access logs regularly
5. ✅ Update policies as needed
## Support
For issues:
1. Check [Troubleshooting Guide](TROUBLESHOOTING.md)
2. Review Cloudflare Zero Trust documentation
3. Check tunnel logs: `journalctl -u cloudflared-*`