Benefits of Cloudflare Access - eviltoast

For a self-hosted application with a valid SSL certificate and support for OAuth, what are the benefits that Cloudflare Access provides? From what I can tell, it also filters traffic to possibly block attacks? Can it even be used with a self-hosted app if you aren’t also running Cloudflare Tunnel? Is there a better alternative (that also integrates with major OAuth providers like Google, Github, etc) for self-hosters? Thanks for the help in understanding how this works.

  • ElevenNotes@alien.topB
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Don’t forget that Cloudflare offers no protection against traffic from within Cloudflare. There were several incidents in the past where Cloudflares services where used to break into other clients services (hijacking).

    • trisanachandler@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Do you have the examples of this so I can take a look? Was it ports forwarded that were opened to all cloudflare ranges, or tunnels and a backend exploit?

      • ElevenNotes@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        You can look online. Basically Cloudflares blocking features exclude Cloudflares own IP ranges. Someone used their own services (in their own IP range) to attack services and since the request came from a Cloudflare IP it was not blocked or filtered. Pretty embarassing if you ask me. But this is normal in the cloud.

  • chin_waghing@alien.topB
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    I use it within my Kubernetes to expose services outsides my house, and then I use Azure AD to manage access.

    I know this isn’t very self hosted, but for me where I have a dynamic IP and don’t want to play with port forwarding, it’s really good. Nice and easy especially with Kubernetes and the helm chart I wrote

      • chin_waghing@alien.topB
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        For cloudflare tunnels no, it does a nat punch through I think it’s called, where it connects from inside your network out to 2 edge locations to cloudlfare, where it then can send traffic back and forwards.

        If I wanted to expose by port forwarding, then yes you are correct, I could configure ddns.

        Personally, I would configure my own version of DDNS where it’s just a cron job once every 5 minutes to run terraform and check if my public IP has changed, and if it has run an apply.

        Does that answer the question?

  • avdept@alien.topB
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    There’s not much reasons of exposing any of your local services to internet. Use vpn to have access to your local resources. This is best you can come up with for your home lab

    • tradinghumble@alien.topB
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Question : what if I need to access my home computer from a work laptop and I’m not allowed to install things such as the WireGuard VPN client. Do I use native say Windows VPN?

      • adamshand@alien.topB
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Assuming it’s a Linux server at home and you can use SSH on your work computer, there’s a couple ways to do this.

        • Install a web based terminal client
        • Setup Cloudflare tunnels on your home server and use the the SSH proxy. I do this with a simple helper in ~/.ssh/config:
        Match host "*.cf"
          ProxyCommand /usr/local/bin/cloudflared access ssh --hostname $(echo %h | sed 's/\.cf$/.homelab.nz/')
          ForwardAgent yes