I did this for some self-hosted services that my wife accesses. Limited access to my email and hers with Google authorization. Passes the wife test and quite secure so I'm happy!
Hi buddy, Thanks for all the videos. They're always accurate and straight to the point. Thanks! Just one note: could you slow down a little? I find myself having to rewind 5 seconds about 50 times in a single video. Still, they’re great, and I’ve definitely subscribed. I’d just love to see a slower pace; I understand the videos will be longer, but (for me) it's worth it.
Thanks!! I talk fast. It's just who I am. Always have been. I've tried multiple times to slow down and I feel like I'm making fun of people. All I can say is to watch the video at .75 speed. Like... this has been enough of an issue over the years that I usually respond with this page that I put on my website years ago: dbtechreviews.com/i-talk-fast/
Fantastic!! I had a CF Application authenticating with the one-time email code, but I've been struggling with the Google authentication. Afgter following along with your video,...IT WORKS! Thank you for all you do!
For those exposing docker services to cloudflared, make sure said services are part of (generally) the 'bridge' network. Don't ignore docker networking when troubleshooting!
If I had known you were going to do all the hard work, I would have waited for your video. Alas, I took inspiration from your last video (and helpful comments) and figured it out about 24 hours before this video went live. Now for bonus points - I'm currently investigating using Google SSO for Portainer to auto sign me in too - The steps in the portainer documentation are nowhere near as helpful as Cloudflare's. Thanks again for the helpful videos!
Thanks for this! Looking forward to the Authelia integration as well! Using this to access my local Radarr and Sonarr applications because they have no auth. This should block access to people not approved but Authelia would be ideal.
Hi David. If I enable Google or Github auth to protect a Vaultwarden (running in a tunnel) instance what will happen to the Chrome Extension or the Android app? will I have access to these or I need to setup exclusions like in Authelia?
While I greatly appreciate your video on setting up Cloudflare Tunnels, there is a snag I've run into. I cannot get my domain through tunnels to connect to my Proxmox box, but all the VM's and Docker containers on it work with no problem.
Turn on No TLS verification under Additional Application Settings while configuring Proxmox. That should help. (Proxmox uses it's own TLS certification)
Thank you for such series. Really helpful, built myself at least 5 self hosted programs. Do u have any plan on making one for Nextcloud AIO docker+portainer+cloudflare tunnel? I tried it but sadly after enabling nextcloud containers part, the initial a logging doesnt work sadly with tunnel, it says bad tunnel.
I installed NextCloud AIO using [This Guide](ruclips.net/video/OCLq62KOqNU/видео.html) from Awesome Open Source, it works great, and I have it running through my Cloudflare tunnels. The AIO package makes NextCloud much easier to deploy and maintain. I actually find myself using NextCloud more as time goes on, there are some extremely useful add-ons that are quite lovely!
@@DBTechYT no worries. I like that a package contains all Nextcloud stuff in it, usually use office and talk, others I disable them in containers section. If I want to use them I can just enable them. I will be looking for solution online too. Again thank you for educational videos,
Great video as always! My question is how this affects other clients that are not browsers (i.e. Nextcloud, bitwarden, jellyfin, etc android clients). As I would like to setup this, but my concern is that they don't know how to interact with the new layer
Honestly I haven't tried it so I can't give much info. For my setup with those apps, I restrict by IP and either access at home or via my PIA VPN with a dedicated IP
@@DBTechYT I thought about that too. Will use that for restrictions then. Or something similar hehe. Thanks for your reply!!! Greetings from Argentina!
Very helpful - This will help me. I recently set up Authentik (very cool app) it is better then Authelia. I followed Cooptonian to set to configure it and just used the Authentik site with and .env file for email etc. Very cool though this will help me setup SMIL and cloud flair instead of Google or Github. :-)
Thanks, David. I'm curious about how to use multiple identity providers, e.g. check for an included ip and if that fails then verify by email or github. Can you explain the difference between "include" and "require"? I suspect they are implementations of boolean ANDs/ORs but I am just guessing.
did you add firewall rule allow access for this ip 0.0.0.0/0 on GCP ? actually I create wordpress on GKE and I want to restrict access to that wordpress using cloudflare , but I didn't know how to do that. I following your instruction using cloudflare, but the WordPress site still can be accessible for public
I wish I could find documentation on how to add a custom logo to the auth page (or to customize it further than the application OAUTH page) This was very helpful though. Thank you
Very interesting video. Thank you for your hard work! Quick question - will this result in having to authenticate via Google or GitHub (in your case) even if I'll try accessing the application from internal network?
Hi David, great video as always. Can you tell me what happens if you pick one of the other Gmail addresses. One that hasn't been given access. Does it handle it gracefully? Does it let you in anyway? Many thanks.
When I set this up, it only works as shown in the video in an incognito window. When I try this in a normal browser window, it appears to want to load my application (since I am already signed into google on my browser), but then I end up with a white screen. Is there something I am missing?
I have an application which uses a specific port and was wondering how you can use the method described in this video to do this.. any help is greatly appreciated.
Sir, Please can you help me one thing i am using cloudflared tunnel for my winodows 10 pc, I can access webserver using 80 port from outside but when i am going to use RDP i cant not access from outside from my home. Please can help me.
one thing that stumped me - that might help someone else. if you only want github access with NO email access. You must go to cloudflare zero trust/applications/authorization - then select add 'login methods' as the selector and 'Github' as the value. other wise you get a login error (That account does not have access)
it was working then i suddenly started getting errors for both Google and Github, "Unable to find your Access organization! It appears that you have attempted to reach an invalid URL. Please enter a valid team name." i have gone into settings and copy and past what i see is the team name.... just wondering if someone else has this issue
I haven't tested it, but several of people have said they use them together. I don't see the point/need to combine then, but there's no one right way to do things
@@DBTechYT thank you so much for your response. I am behind CG-NAT, don't want to route via VPS (NPM + VPN). I am hoping CF tunnel pushes all traffic thru tunnel to my NPM instance and then NPM takes care of routing to individual apps and integrate to Authentik or something similar.
Hi @DBTech, nice Video! I have a question. How do I restrict access with Google authentication to all of my Cloudflare tunnels with a single policy? If I just leave the subdomain blank, there will be no authentication anymore. If I put subdomain in, authentication is working fine, but only for that singe sub. Would be nice If someone could help me.
![BLACK BAG - Official Trailer [HD] - Only in Theaters March 14](http://i.ytimg.com/vi/Du0Xp8WX_7I/mqdefault.jpg)
I did this for some self-hosted services that my wife accesses. Limited access to my email and hers with Google authorization. Passes the wife test and quite secure so I'm happy!
Hell yes! That's awesome!
I did the same so my wife has access to some self-hosted services :D
Thank you for this very good video as usual, PLEASE do the Authelia / Cloudflare Tunnel Video 🙂
Wonderful😃..Thanks a lot, very helpful 🙏. Would love to watch more such videos related to CloudFlare since it is growing with lots of new features.
Thanks for this one. I understand the implementation so much better now I have walked through it while pausing the video. keep them coming.
Glad it helped!
Hi buddy,
Thanks for all the videos. They're always accurate and straight to the point. Thanks!
Just one note: could you slow down a little? I find myself having to rewind 5 seconds about 50 times in a single video. Still, they’re great, and I’ve definitely subscribed. I’d just love to see a slower pace; I understand the videos will be longer, but (for me) it's worth it.
Thanks!! I talk fast. It's just who I am. Always have been. I've tried multiple times to slow down and I feel like I'm making fun of people. All I can say is to watch the video at .75 speed. Like... this has been enough of an issue over the years that I usually respond with this page that I put on my website years ago: dbtechreviews.com/i-talk-fast/
THIS! This is the video I've been searching for. Thank you so much for helping me get my subdomains locked down with Google.
Glad it helped!
Fantastic!! I had a CF Application authenticating with the one-time email code, but I've been struggling with the Google authentication. Afgter following along with your video,...IT WORKS! Thank you for all you do!
Really glad the video was helpful!!
For those exposing docker services to cloudflared, make sure said services are part of (generally) the 'bridge' network. Don't ignore docker networking when troubleshooting!
Great vid love the cloudflare tunnels vids use them on my network and always learn so much from ur vids thanks
Excellent. Just the video I was waiting for.
Glad to hear it!
Thank you for your time and effort with this videos, it really really really helps a lot!!
Been a long time follower, I would love to see some videos on using NGrok and Cloudflare used together !
If I had known you were going to do all the hard work, I would have waited for your video. Alas, I took inspiration from your last video (and helpful comments) and figured it out about 24 hours before this video went live. Now for bonus points - I'm currently investigating using Google SSO for Portainer to auto sign me in too - The steps in the portainer documentation are nowhere near as helpful as Cloudflare's. Thanks again for the helpful videos!
You might start here: ruclips.net/video/IUBqsl_7uuc/видео.html
@@DBTechYT you’re good people David!
Merry Christmas!
Thanks David! Very easy to follow
Followed step by step and it worked flawlessly! Thanks!!!
Great to hear! Thanks for the comment!!! :)
Best tutorial, still aplicable.
Thanks for this! Looking forward to the Authelia integration as well! Using this to access my local Radarr and Sonarr applications because they have no auth. This should block access to people not approved but Authelia would be ideal.
Great content! Please do the Authelia / Cloudflare Tunnel Video
thanks you for making this video this is what I wanted a video about becuse it is so complicated.
Glad it was helpful!
These videos are incredible.
Thanks for doing this, I feel safe now
Thanks, great tutorial and comment for the algorithm.
Works like a champ. Thanks!!!
if people only knew how powerful this content really is....Thank you! @DBTechYT
It's why I'm try to make content about it :)
great job DB
Hi David. If I enable Google or Github auth to protect a Vaultwarden (running in a tunnel) instance what will happen to the Chrome Extension or the Android app? will I have access to these or I need to setup exclusions like in Authelia?
While I greatly appreciate your video on setting up Cloudflare Tunnels, there is a snag I've run into. I cannot get my domain through tunnels to connect to my Proxmox box, but all the VM's and Docker containers on it work with no problem.
Turn on No TLS verification under Additional Application Settings while configuring Proxmox. That should help. (Proxmox uses it's own TLS certification)
Thank you . 🌹🌹🌷🌷🌷
Thank you for such series. Really helpful, built myself at least 5 self hosted programs. Do u have any plan on making one for Nextcloud AIO docker+portainer+cloudflare tunnel? I tried it but sadly after enabling nextcloud containers part, the initial a logging doesnt work sadly with tunnel, it says bad tunnel.
I'll have to look into it. I don't really care for NextCloud to start with and I'm not sure what the point of NextCloud AIO is...
I installed NextCloud AIO using [This Guide](ruclips.net/video/OCLq62KOqNU/видео.html) from Awesome Open Source, it works great, and I have it running through my Cloudflare tunnels. The AIO package makes NextCloud much easier to deploy and maintain. I actually find myself using NextCloud more as time goes on, there are some extremely useful add-ons that are quite lovely!
@@DBTechYT no worries. I like that a package contains all Nextcloud stuff in it, usually use office and talk, others I disable them in containers section. If I want to use them I can just enable them. I will be looking for solution online too. Again thank you for educational videos,
Very helpful, thank you!
Great video as always! My question is how this affects other clients that are not browsers (i.e. Nextcloud, bitwarden, jellyfin, etc android clients). As I would like to setup this, but my concern is that they don't know how to interact with the new layer
Honestly I haven't tried it so I can't give much info. For my setup with those apps, I restrict by IP and either access at home or via my PIA VPN with a dedicated IP
@@DBTechYT I thought about that too. Will use that for restrictions then. Or something similar hehe. Thanks for your reply!!! Greetings from Argentina!
Very helpful - This will help me. I recently set up Authentik (very cool app) it is better then Authelia. I followed Cooptonian to set to configure it and just used the Authentik site with and .env file for email etc. Very cool though this will help me setup SMIL and cloud flair instead of Google or Github. :-)
Thanks, David. I'm curious about how to use multiple identity providers, e.g. check for an included ip and if that fails then verify by email or github. Can you explain the difference between "include" and "require"? I suspect they are implementations of boolean ANDs/ORs but I am just guessing.
Based on my knowledge, you're spot on
did you add firewall rule allow access for this ip 0.0.0.0/0 on GCP ? actually I create wordpress on GKE and I want to restrict access to that wordpress using cloudflare , but I didn't know how to do that. I following your instruction using cloudflare, but the WordPress site still can be accessible for public
Great video thank you for sharing.
Excellent videos, really useful! Have you played with the Private Network feature within the Zero Trust Tunnel? Is it useful at all?
Thanks! I haven't done much of anything with Private Networks as of yet.
@@DBTechYT This is where a good video guide comes in (as the documentation is really quite hard going!).
Great tutorial 🙌
I wish I could find documentation on how to add a custom logo to the auth page (or to customize it further than the application OAUTH page)
This was very helpful though. Thank you
thanks so much. it finaly works
Glad it helped
yes, please to a video with authelia and cloudflare
Thanks man
Very interesting video. Thank you for your hard work!
Quick question - will this result in having to authenticate via Google or GitHub (in your case) even if I'll try accessing the application from internal network?
No it doesn't. Only if you access via CloudFlare.
Hi David, great video as always. Can you tell me what happens if you pick one of the other Gmail addresses. One that hasn't been given access. Does it handle it gracefully? Does it let you in anyway? Many thanks.
It'll just tell you that that account doesn't have access
Awesome as always bro , if possible can u do a video on setting up samba on cloudflare tunnels
What are you trying to accomplish with samba on CF tunnels?
@@DBTechYT remote access
So use a file management application and access it that way via tunnels? It would be a much easier solution and give you more options
@@DBTechYT have u done any videos on that bro ? If yes can u please link to it
FileRun: ruclips.net/video/jaLGcgrAyto/видео.html
FileCloud: ruclips.net/video/CCGMc6iheWM/видео.html
When I set this up, it only works as shown in the video in an incognito window. When I try this in a normal browser window, it appears to want to load my application (since I am already signed into google on my browser), but then I end up with a white screen. Is there something I am missing?
maybe do setup of SSO provider like Authelia Authentik Keycloak tutorial and integration more content to come!!
What a legend
Followed this process for Google auth, but seem to be getting error 1033? Argo Tunnel error?
I have an application which uses a specific port and was wondering how you can use the method described in this video to do this.. any help is greatly appreciated.
Watch the video linked in the video description
All this after I setup my Nginx container :( thanks for the vid!
Love u DB Tech...Ty from Brazil!
Thanks for watching!
Sir, Please can you help me one thing i am using cloudflared tunnel for my winodows 10 pc, I can access webserver using 80 port from outside but when i am going to use RDP i cant not access from outside from my home. Please can help me.
My company uses gitea instead of github .. is there any option to check.
Else authelia we use these two things..
Any advice or suggestions
Vijey
Best!
How this works for things like Plex and Vaultwarden where you have an app running in your phone ?
how to add multiple email in the google authentication?
one thing that stumped me - that might help someone else. if you only want github access with NO email access. You must go to cloudflare zero trust/applications/authorization - then select add 'login methods' as the selector and 'Github' as the value. other wise you get a login error (That account does not have access)
Any option to use the tunnel for other protocols, e.g. RDP?
You can easily login to your Cloudflare account and see all the protocols available
it was working then i suddenly started getting errors for both Google and Github, "Unable to find your Access organization!
It appears that you have attempted to reach an invalid URL. Please enter a valid team name." i have gone into settings and copy and past what i see is the team name.... just wondering if someone else has this issue
yup trying to figure it out rn
is anyone else having trouble getting this to work. I setup the self hosted app but it is not restricting access to my tunnel
Is it possible to add multiple authorized email addresses this way?
In the spot in CloudFlare where you add your email, you can add multiple emails there.
@@DBTechYT Thanks, seems obvious now that you say it.
Is it possible to use Nginx Proxy Manager with Cloudflare Tunnels ?
I haven't tested it, but several of people have said they use them together. I don't see the point/need to combine then, but there's no one right way to do things
@@DBTechYT thank you so much for your response. I am behind CG-NAT, don't want to route via VPS (NPM + VPN). I am hoping CF tunnel pushes all traffic thru tunnel to my NPM instance and then NPM takes care of routing to individual apps and integrate to Authentik or something similar.
Is there a way to use Google Authenticator to get access to a application that run on a cloudflare tunnel?
@@MrRalf2201 You could put 2FA on your email address and use that for your authentication
Well this doesn't play nicely when trying to access your staging server's API endpoints. It keeps asking to authenticate with github :(
This isn't meant for API endpoints.
Hi @DBTech, nice Video!
I have a question. How do I restrict access with Google authentication to all of my Cloudflare tunnels with a single policy?
If I just leave the subdomain blank, there will be no authentication anymore. If I put subdomain in, authentication is working fine, but only for that singe sub.
Would be nice If someone could help me.
You'll need to create an access group with the emails you want to authorize. Then apply that access group to any of the applications you want
This not working I add e-mail verification and remove. Everybody with mail still can has access
Then you missed a step in your configuration
getting "Error 400: redirect_uri_mismatch" when trying to test google
figured out that issue, since i copied it from yt it mistook the g as a q... but now im getting access blocked
Are you using the paid version of cloudflare.. please advise
There are things with CloudFlare that I pay for but everything in these videos are available on their free tier
Can’t even transfer a simple TLS session. It has to be https or http or else it’s useless!
Also, I just posted in r/kasmweb about this....
Thanks!