index.adoc 2.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566
  1. [#cloudflare-access-tunnels]
  2. = Cloudflare Access & Tunnels
  3. include::partial$earlydoc.adoc[]
  4. Several uses use Cloudflare Access & Tunnels to grant access to OliveTin. There is no special configuration needed for OliveTin to work in this way, simply setup your Cloudflare tunnel to connect to OliveTin on port 1337.
  5. == Trusting the Cloudflare JWT Token
  6. . Get your **AUD** Tag (`authJwtAud`)
  7. .. Login to your CloudFlare dashboard and go to link:https://one.dash.cloudflare.com/[**Zero Trust**]
  8. .. Go to **Access > Applications.**
  9. .. Select **Configure** for your application.
  10. .. On the Overview tab, copy the **Application Audience (AUD) Tag**.
  11. . Get your **Team Domain** (`authJwtDomain`)
  12. .. Login to your CloudFlare dashboard and go to link:https://one.dash.cloudflare.com/[**Zero Trust**]
  13. .. Go to **Settings**
  14. .. Go to **Custom Pages**
  15. .. Your **Team Domain** is shown here
  16. . Get your Certs URL (`authJwtCertsURL`)
  17. .. Simply add `cdn-cgi/access/certs` to your **Team Domain** for CloudFlare
  18. . CloudFlare gives you an `email` in the claim (`authJwtClaimUsername`) and the Cookie is always called `CF_Authorization` (`authJwtCookieName`)
  19. . Setup your OliveTin config.yaml like follows;
  20. [source,yaml]
  21. .`config.yaml`
  22. ----
  23. authJwtAud: "asdf1234"
  24. authJwtDomain: "https://mydomain.cloudflareaccess.com"
  25. authJwtCertsURL: "https://mydomain.cloudflareaccess.com/cdn-cgi/access/certs"
  26. authJwtClaimUsername: email
  27. authJwtCookieName: "CF_Authorization"
  28. ----
  29. You may well want to set `logLevel: DEBUG` and `insecureAllowDumpJwtClaims: true` in your config when testing JWT for the first time.
  30. == Trusting the authentication header (not recommended)
  31. If you are using Cloudflare Access, and want to use the username given by Cloudflare in OliveTin ACLs, then you can use the Cloudflare cookie like this;
  32. [source,yaml]
  33. .`config.yaml`
  34. ----
  35. authHttpHeaderUsername: "Cf-Access-Authenticated-User-Email"
  36. defaultPermissions:
  37. view: false
  38. exec: false
  39. accessControlLists:
  40. - name: Admins
  41. addToEveryAction: true
  42. matchUsernames:
  43. - contact@jread.com
  44. permissions:
  45. view: true
  46. exec: true
  47. actions:
  48. - title: test apprise
  49. shell: date
  50. shellAfterCompleted: "apprise -c /config/apprise.yml -t 'notification: test' -b 'date is {{ stdout }}'"
  51. ----
  52. NOTE: OliveTin does support JWT cookies that Cloudflare uses, which is arguably more secure. It's just that nobody in the Discord has worked out how to get the keys needed from Cloudflare to decrypt this cookie yet! See the xref::security/jwt.adoc[JWT] documentation for some starter points. If you figure this out, it would be most welcome to share your solution with the community.