Restrict Access to Your Cloudflare Tunnel Applications
- Published: 17 Oct 2022
- This video is sponsored by Tuxedo Computers and the Aura 15 Gen 2.
Configure and buy one here: dbte.ch/aura15gen2
/=========================================/
In this video we're going to look at adding additional levels of restriction to your Cloudflare Tunnel setup.
First we're going to look at restricting access to your applications by IP address. Then we'll look at restricting by granting access by email address.
We'll take it an additional step and set up Access Groups for easier management of multiple applications.
I use Private Internet Access for my VPN when I'm away from home and I purchased a dedicated IP address from them so that I can use that IP in my rules to make sure I can always access my home servers even when I'm away from home.
Here's my PIA affiliate link:
dbte.ch/piavpn
You can find more about their Dedicated IP option in the left column once you're logged into your account.
Set up Cloudflare Tunnels: • Access Your Self Hoste...
/=========================================/
Get early, ad-free access to new content by becoming a channel member, a Patron or signing up for the members' only website!
✅ / dbtech
✅ dbtech.fans/
✅ / @dbtechyt
/=========================================/
The hardware in my recording studio is:
✔ Custom PC w/ Ryzen 2600, 32GB RAM, RTX 2070, Assorted Storage
✔ Panasonic LUMIX G7 4K Digital Camera: amzn.to/3IGEOcb
✔ SAMSUNG 34-Inch SJ55W Ultrawide Monitor: amzn.to/395g9BZ
✔ LG 27UK650-W 27” UHD IPS Display with HDR 10: amzn.to/398pg4S
✔ WALI Premium Dual Monitor Stand: amzn.to/398AiqM
✔ Neewer Lights: amzn.to/3nZcoSX
✔ Light Power Supply: amzn.to/3Konpqf
✔ 55" Gaming Desk: amzn.to/3AkgHgw
✔ Sabrent USB-C Hub: amzn.to/3qFcwbV
✔ Das Keyboard 4 Professional: amzn.to/3G9rPxM
✔ Fuqido Big and Tall Gaming Chair: amzn.to/3IGegrq
/=========================================/
The hardware in my current home servers:
✔ Synology DS1621xs+ (provided by Synology): amzn.to/2ZwTMgl
✔ 6x8TB Seagate Exos Enterprise HDDs (provided by Synology): amzn.to/3auLdcb
✔ 16GB DDR4 ECC RAM (provided by Synology): amzn.to/3do7avd
✔ 2TB NVMe Caching Drive (provided by Sabrent): amzn.to/3dwPCxj
✔ TerraMaster F5-221 (provided by TerraMaster): amzn.to/3IfH2QD
✔ 5x6TB WD Red Plus NAS: amzn.to/3LnbPvC
✔ 8GB DDR3: amzn.to/3kfLTX3
✔ TerraMaster F4-423 (provided by TerraMaster): amzn.to/3kjUms5
✔ 2x8TB Seagate Barracuda Compute: amzn.to/3xBAO95
✔ 16GB TEAMGROUP Elite DDR4: amzn.to/3MzzFV9
✔ 512GB Silicon Power NVMe Caching Drive: amzn.to/3MzkBae
All amzn.to links are affiliate links.
/=========================================/
✨Find all my social accounts here:
✅ dbte.ch/
✨Ways to support DB Tech:
✅ / dbtech
✅ www.paypal.me/DBTechReviews
✅ ko-fi.com/dbtech
✅ Cashapp: cash.app/$dbtechyt
✅ Venmo: venmo.com/dbtechyt
✨Come chat in Discord:
✅ dbte.ch/discord
✨Join this channel to get access to perks:
✅ / @dbtechyt
✨Hardware (Affiliate Links):
✅ TinyPilot KVM: dbte.ch/tpkvm
✅ LattePanda Delta 432: dbte.ch/dfrobot
✅ Lotmaxx SC-10 Shark: dbte.ch/sc10shark
✅ EchoGear 10U Rack: dbte.ch/echogear10u
Simple thank you. New to IT and trying to learn by doing home IT projects. After trying other YouTube examples, this is the one that worked for me. Big thanks and keep up the good work.
Thanks for the video. I used to use the Email method for some time, but recently I managed to get the Cloudflare tunnel to use Authelia for authentication, which gives me full control over which subdomains to bypass, single-factor or two-factor authentication.
This was done using the OpenID login method in Cloudflare authentication and adding a new client in the Authelia configuration file.
Do you have any writeup on how you did that? Also, how is your Authelia exposed to the net, via the tunnel as well?
If you set up CloudflareD (CloudFlare DDNS) and whitelist that hostname for access, then if your IP changes, you should still have full access via the DDNS hostname.
Amazing tutorial! As always straight to the point and resolutive.
Thank you!!
Great video, David. Thank you. Helped me out protecting my server.
Thanks for the clean instructions!
Absolutely loving what you do, sir. I've been going through your videos and perfecting my setup on my server, and you do a great job of walking through installs. I would love to see you set up Shlink URL Shortener in containers. I have it running, but it has a bunch of quirks and setup can be tricky. I would love to see your complete start-to-finish on it, as I'm sure I'm still missing pieces.
Excellent vid, thanks. Loving the tunnels content, thanks.
Thanks for the demo and info, have a great day
You bet
Great content, better than others i have seen
Thanks!
super helpful. Thank you!
thanks a lot for this super tutorial. Very helpful!
I noticed a small security issue (display of personal information).
I can tell you exactly where when available.
thanks again :)
This is useful for me ! Thanks
Wow... Fantastic video. Thank you very much.
Hey do you think you could do a video with SSD caching on Open Media Vault?
Hey, thanks for the video. Is there a way to add access restriction automatically or assign an access group directly to the tunnel application without creating duplicated app restrictions? That's a bunch of work if you have 30+ apps.
Do you have a writeup on this? Would be great to be able to copy/paste the commands and be able to read along instead of clicking back and forth
Such a great howto!
Keep em coming!!!!
Would love to see a video on how to bypass when my phone is on the WARP VPN. With this, apps like Homeassistant would automatically work, but I did not manage that :(
Thanks for the video. However, I didn't find a configuration that works for me. The VPN solution is cool, but I don't like running a VPN on every device just for this, and the mail method breaks some apps' implementations (some apps don't have a method to allow the session when connecting through the tunnel). Any suggestions?
Hey! I've followed the steps in one of your previous videos to setup a Nextcloud instance using Docker and Portainer. I'm using Cloudflare Tunnel to access it on the internet, but I'm unable to use video calls in Nextcloud Talk because it needs a Turn Server. Could you please make a video on how to set that up in Docker using Portainer?
Sorry for giving a late reply, that would be nice since there isn't a lot of information on setting those up, however do know that the entire point of a TURN server is that it sits outside your NAT exposed to the internet, which is exactly why I gave up on that idea, if you're going to do it then it would be best to host one on a VPS service away from your home network, otherwise if you really want to use Nextcloud Talk then I recommend just setting up a VPN or find a different service such as Jitsi Meet or Matrix.
The IP method is fine if you have static ones, which is not easy to come by where I live. The Email method I also tried, but I am not a fan of waiting for an email with a code. So for me the best setup is to use Keycloak with SAML access. I love this, and once set up it's so easy to add new users. The best part for me is that I can set a temp password and after first login they are forced to change it. But getting this set up at first was a bit tricky.
Hey, would love to do this, but instead of using IP addresses I want to use URLs (because they are DynDNS URLs). Would something like that be possible?
If I just do the top-level domain, will it require the authentication for all subdomains, or will I have to set it up individually?
Hi, can you also discuss the limitations of Cloudflare Tunnel in your future video?
Thank you.
Great tutorial DB
Is there any way to add Authelia with Cloudflare Tunnels? Also, can you please make a video for installing Crater with Cloudflare Tunnels, as all the tutorials online use Nginx Proxy Manager. I have been using tunnels for quite some time and absolutely loving it, and I don't want to move to nginx for just one application. Thanks.
Amazing. Learning Cloudflare Tunnel. Can you make a video on how to access your Windows PC over RDP via Cloudflare Tunnel? Tried a couple of things but it did not work.
Great video! Quick question - is it possible to set a bypass for one IP address (let's say my local IP so I don't have to authenticate myself locally) and at the same time set up one allowed email to have external access (with code, GitHub, Google, etc.)?
OK - there was no question. I've just had to add another policy separately.
Love it! Something I missed maybe. If you don't have a Reverse proxy like Nginx PM, how do you redirect each subdomain to your services running as docker containers linked to different ports like 5555:5555 or 1234:1234 for example? Do you also need to set on the Cloudflare GUI their port other than their domains (or subdomain)? Thanks
It all happens on the CloudFlare side of things like I show in this video: ruclips.net/video/VrV0udRUi8A/видео.html
@@DBTechYT thanks
Hey, I want to set up a VPN server on my home router / PC, but my ISP doesn't provide a public IP. So please help me out so that I can set up a VPN to share my internet connection via Cloudflare or another service!!!! Please.
Thank you!
Thanks for watching and commenting!!
Thanks for such great videos, as someone who has moved from ESXi and virtual machines on an old dell 2u server to running docker in Ubuntu and containerising everything your videos have been invaluable and given me some great ideas. There is one thing that I haven’t been able to find though. I want to be able to file share without port forwarding. I thought that Cloudflare might be able to let me do this but I want AFP shares, and I can’t even get SMB shares to work over CF. Any ideas on services that could achieve this??? Many thanks
I think with something like what you're looking at, you might consider something like Tailscale or Zerotier?
@@DBTechYT Thank you, I'll look into those.
@@DBTechYT A massive thank you, Zerotier does exactly as I need it to, I can now connect to all the services on my remote Synology as well as any Mac or PC in my remote office with Zerotier installed and a connection to my zerotier network, without a single port being forwarded! Really appreciate the pointer. Keep up the great work.
@@paul_grimsley Outstanding!! Glad it worked!
I am not sure if Tunnel is free, because it asks me for payment. So I try to keep it cheap, but it looks very useful.
Hey, great video! can you please make a video tutorial of how to setup Cloudflare tunnel to work with Authelia in front of another docker container?
Point the Cloudflare Tunnel at an instance of Traefik with Authelia middleware and you'll be good to go! Just add the labels to docker compose. This is what I do.
Do you have a resource with more details that you can share for anyone else who is interested?
Ibracorp has some great videos and documents on how to set up Traefik and Authelia together. He also has one on how to set up cloudflared using the CLI (this is what I do). This is what my ingress looks like, pointing to my Traefik instance.
```yaml
ingress:
  # Single catch-all rule (no hostname): every hostname on this tunnel is
  # handed to the reverse proxy, which then routes by Host header.
  - service: https://Reverse-Proxy-IP:Port
    originRequest:
      # The proxy presents an internal/self-signed cert, so skip TLS verification
      noTLSVerify: true
```
My next mission is to set up SMB, SSH and RDP with my Cloudflare Tunnels!
Sir, I am using a home server with Proxmox. I installed Ubuntu 22.04 LTS and aaPanel and added a WP site, but I am getting error 523 Origin is unreachable. What do I do? Please help me.
Can you mix & match?
IP address if I am home, and email as a backup when you are out and about?
Yeah. You would just do a bypass on your home IP address and add email beyond that. I use a dedicated IP from my VPN and have that IP and my home IP set as bypass.
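The "bypass on the home IP, email beyond that" layering from the video, written out as an added Terraform example (not the video's or Cloudflare's own configuration). It assumes the Cloudflare Terraform provider v4 resource names; the account/zone IDs, addresses, domain and email address are placeholders.

```hcl
# Added example, not the video's configuration. Assumes Cloudflare Terraform
# provider v4 resource names; every ID, address, domain and email is a placeholder.
variable "account_id" {}
variable "zone_id" {}

# Access Group: one reusable list of trusted source addresses (home IP plus the
# VPN's dedicated IP), so many applications can share a single definition.
resource "cloudflare_access_group" "trusted_ips" {
  account_id = var.account_id
  name       = "trusted-ips"

  include {
    ip = ["203.0.113.10/32", "198.51.100.7/32"] # home IP, VPN dedicated IP
  }
}

# The self-hosted application fronted by the tunnel.
resource "cloudflare_access_application" "nextcloud" {
  zone_id          = var.zone_id
  name             = "Nextcloud"
  domain           = "nextcloud.example.com"
  type             = "self_hosted"
  session_duration = "24h" # how long the login cookie stays valid
}

# Policy 1 (lowest precedence number is evaluated first): requests from the
# trusted IPs skip the Access login page entirely.
resource "cloudflare_access_policy" "bypass_trusted_ips" {
  application_id = cloudflare_access_application.nextcloud.id
  zone_id        = var.zone_id
  name           = "Bypass from trusted IPs"
  precedence     = 1
  decision       = "bypass"

  include {
    group = [cloudflare_access_group.trusted_ips.id]
  }
}

# Policy 2: everyone else must prove ownership of an allowed email address.
resource "cloudflare_access_policy" "allow_email" {
  application_id = cloudflare_access_application.nextcloud.id
  zone_id        = var.zone_id
  name           = "Allow by email"
  precedence     = 2
  decision       = "allow"

  include {
    email = ["me@example.com"]
  }
}
```

A Bypass policy skips Access checks completely for matching sources, so keep that IP list tight; a request matched by neither policy is denied.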
Have you tried getting access via Warp (1.1.1.1)? According to Cloudflare it should work, but I've been struggling for months now to get this working. I have Warp on my mobile devices (phone/tablet) and my goal is to be able to access my home via the tunnel _without_ additional authentication when the Warp VPN is on.
I have been really enjoying the tutorials and they've helped me create my own accessible server. However, I do want to make it more secure. Is there any way to set up an SSL with Cloudflare Tunnel? It looks to have mTLS, and I would love to learn how to use that in order to make sure only computers I give that certificate to can access my server.
I hope you are able to help, as that seems like the most secure and fully free (hopefully) way to connect to the servers!
I'd start here: ruclips.net/video/Q5dG8g4-Sx0/видео.html
Good day.
If I was to do the same with CasaOS, would I be able to only allow access to a specific folder using an email address?
Should be the same
I tried setting this up with just IP address for access control and it presents me with an e-mail authentication page. How do I remove the e-mail and just have it use the IP I included?
What is a good way to restrict, let's say, an Apache server from serving a Guacamole login page hosted on Linode if the request does not originate from the Cloudflare tunnel?
Yeah. Just install the CloudFlare tunnel agent in your server and then set up a firewall rule to block all incoming traffic other than your IP address. The tunnel should still have access.
How do I use Cloudflare Tunnel services with the aaPanel panel on a home server? Please make a video tutorial, I need help.
Any idea about how to lock vaultwarden login page behind CF access?
Follow these steps, but put the restrictions you want on your VaultWarden URL
Is there an option for just a simple user/pass system?
I don't believe so
What configurations besides nameservers have you setup for your domain? I bought mine from a different service, not cloudflare.
I didn't buy mine from cloudflare either. I set the nameservers they told me to set. The rest was configured in cloudflare as I showed
@@DBTechYT Ah got it. I was totally confused by that GUI. Finally, I managed to expose my web apps on the internet through cloudflare even behind the extra layer of authorization via Microsoft Entra ID.
I use pfSense and restrict access IPs to just Cloudflare's, blocking everything else on ports 80 & 443.
Is there a way to include a dynamic IP? My public IP changes daily.
I think you can use a DDNS container for CloudFlare. I've got a video coming out today that allows you to use 3rd party authentication like Google or Github. Or you can get a VPN with a dedicated IP.
Thank you. The wording Cloudflare has chosen for the configuration page is rather confusing.
Thanks
Thank you for the support!
Do I understand correctly that this needs to be reconfigured on a monthly basis? That would appear to be the case. Do they allow policies to remain in place permanently for a fee?
Should only have to set it up once and I've never had to pay for it
@@DBTechYT Ok. The "Session Duration" field under applications, which is required and only has time-limited options, is throwing me off then. Maybe "No duration, expires immediately" is permanent? That's strange language if that's the case though.
The session duration is how long you want the cookie to stay valid before it expires and the user has to log back in.
@@DBTechYT Excellent. Sorry. I thought this was how long the policy lasted. This is awesome. Thanks!
Hello, another great video. Do you happen to use this for Synology DSM? I’ve set this up for all of my self hosted apps and it works great. The only hiccup I encountered is setting it up for the synology DSM application I have set up through cloudflare tunnel. The access policy sets up correctly, I get the authentication code to the email address I set up in the policy and I do get redirected to my synology dsm login page. After entering my DSM credentials I get an error message “unable to sign into the system. Try again later or contact synology support.” However, if I remove the access policy, I have no issues going through the tunnel and logging into DSM. Any thoughts?
I use the IP address method for remote access to my Synology, but haven't tried the email authentication method.
@@DBTechYT what are your thoughts on the GitHub authentication method? I use the email method and I use a gmail account specifically for my self hosted stuff. Any other auth method you recommend to be better for this purpose?
I've always tried to stay away from 3rd party auths like GitHub, Facebook, etc. If one of the involved parties changes their API integration and the other doesn't update quickly enough, you're gonna have problems getting logged in. I like to use the IP method as it's the least likely to cause me issues.
@@DBTechYT Makes sense. In regards to the IP method, would that be the IP from the location I am accessing from? What if I'm accessing from my mobile device on the road and not on any specific network?
So in the IP address block, you'll put your home IP. If you want access while away, I use PIA with a dedicated IP for my setup. The extra IP is like $30/year, but it sure is convenient
Are restrictions/access by MAC-addresses also possible?
Not that I'm aware of, no
The simplest trick to restrict access to your tunnel apps is to just use Cloudflare firewall rules plus set up allowed IPs in Configurations > Lists. This way I only allow my home IP and my mobile provider range to safely access what I really need without the VPN, like Bitwarden or Nextcloud.
Thanks for the info
The dreaded Gmail dark mode... yet the email opens in light mode...
Curious, why would you use PIA and not Cloudflare's WARP?
Depends on the needs of whoever is using it. I've since switched to Warp, but for people who don't want to use it, you can also get a dedicated IP from a lot of VPNs and use that dedicated IP as a way to restrict access.
@@DBTechYT perfect thanks!
I've been messing with this recently to connect to services on a VPS running some containers, to try to get an HA setup for when my home server goes down. But tbh Tailscale seems a better solution for me, as nothing needs to be publicly exposed. I know you've done videos on both. But can I ask why you use this over Tailscale?
I use this because I want my services to be publicly available to me wherever I am
@@DBTechYT thanks for the reply. I’m debating over which option is best for me. Do you expose all of your services publicly with this method? Or are there some things you keep only on your local network? For example portainer?
Do you have any videos on using warp? I'd like to block an application to everything UNLESS you're connected using a device using WARP and added as a device in CloudFlare zero trust
I don't yet. But it's what I'm currently using on my self-hosted stuff to help make sure that no one can access my stuff if I don't want them to. I'll look into making some content about it soon-ish :)
@@DBTechYT The only thing I'm not a huge fan of is the application screen where you have to input an authenticator. I haven't been able to find out yet if you can just disable this screen. If I'm secured with a VPN requiring Warp, there's really no reason for all these extra security steps. I'd prefer it just go directly to my application as normal. In the end Tailscale ended up being a better solution for what I wanted to do.
Is it also good for accessing Vaultwarden?
It's how I access my own instance of Vaultwarden.
@@DBTechYT Thanks :)
@@DBTechYT I can't seem to enable HTTPS... :(
In your Zero Trust dashboard, open the tunnel you created for your Vaultwarden app. Then go to the "Public Hostname" tab and edit the Vaultwarden public hostname. If your "Service Type" is set to HTTPS, then click "Additional application settings" and make sure that the "No TLS Verify" option is enabled.
What's the best way to set up WireGuard behind CGNAT? Cloudflare Zero Trust tunnels don't support UDP yet and I don't fully understand WARP.
14:53 you can see all your emails
IP kinda makes zero sense if you're public hosting. Like if you work from anywhere but home, you can never guarantee your IP. And if you're gonna VPN to get on that IP, then why even publicly host the service? Just use it over VPN.
Everyone likes to do things differently. I'm sure you'll find something that works for you :)
Video starts at 20:00
And now I'll consider blocking your comments from showing up on my channel again
Good content! But please don’t talk so fast.
I talk fast. I don't know what to tell you other than what I (and others) have been responding with for years with comments like this: You can play the videos at .75 or .5 speed and there's also a Play/Pause button you can utilize.