From 66a16752e4817aec105b6e17178939080993fb8b Mon Sep 17 00:00:00 2001 From: 4d62 Date: Thu, 30 May 2024 12:45:10 -0400 Subject: [PATCH] website/integrations: add cloudflare access (#9713) * init * rough draft * main docs * upd placeholder * Rebase pull request rough draft main docs upd placeholder * add to sidebar * lint * oops Signed-off-by: 4d62 <157558804+4d62ext@users.noreply.github.com> * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * apply suggestion Co-authored-by: Tana M Berry Signed-off-by: 4d62 * upd Signed-off-by: 4d62 --------- Signed-off-by: 4d62 <157558804+4d62ext@users.noreply.github.com> Signed-off-by: 4d62 Co-authored-by: Tana M Berry --- .../services/cloudflare-access/index.mdx | 64 +++++++++++++++++++ website/sidebarsIntegrations.js | 1 + 2 files changed, 65 insertions(+) create mode 100644 website/integrations/services/cloudflare-access/index.mdx diff --git a/website/integrations/services/cloudflare-access/index.mdx b/website/integrations/services/cloudflare-access/index.mdx new file mode 100644 index 0000000000..cb34dcd96d --- /dev/null +++ b/website/integrations/services/cloudflare-access/index.mdx @@ -0,0 +1,64 @@ +--- +title: Cloudflare Access +--- + +Support level: Community + +## What is Cloudflare Access + +> Cloudflare Access is a secure, cloud-based zero-trust solution for managing and authenticating user access to internal applications and resources. +> +> -- https://www.cloudflare.com/zero-trust/products/access/ + +## Preparation + +The following placeholders will be used: + +- `mysubdomain.cloudflareaccess.company` is the FQDN of your Cloudflare Access subdomain. +- `authentik.company` is the FQDN of the authentik install. + +To proceed, you need to register for a free Cloudflare Access account and have both a Cloudflare account and a publicly accessible authentik instance with a trusted SSL certificate. + +## authentik configuration + +### Step 1: Log in to authentik + +1. Log in to your authentik instance. +2. Click **Admin interface**. + +### Step 2: Create a new authentication provider + +3. Under **Application**, click **Providers** and create a new provider. +4. Choose **OAuth2/OpenID Provider** and then click **Next**. +5. Set the authorization flow to **Authorize Application** (`default-provider-authorization-explicit-consent`). +6. Set the client type to **Confidential**. +7. Set the redirect URI to `https://mysubdomain.cloudflareaccess.company/cdn-cgi/access/callback`. +8. Ensure that the signing key is set to **Authentik Self-signed Certificate**. +9. Click **Finish** to create the provider. + +### Step 3: Create a new application + +10. Create a new application and give it a name. +11. Set the provider to the one you just created. +12. Ensure that the **Policy engine mode** is set to **ANY, any policy must match to grant access**. +13. Click **Create** and then navigate to your [Cloudflare Access dashboard](https://one.dash.cloudflare.com). + +## Cloudflare Access configuration + +### Step 4: Configure Cloudflare Access + +1. Go to the Cloudflare One dashboard. +2. Click **Settings** at the bottom of the menu, then select **Authentication**. + +### Step 5: Add a login method + +3. From **Login methods** click **Add** and select **OpenID Connect"** +4. Enter a name for your login method. This can be anything. +5. Copy the following details from the authentik provider settings you previously created and paste them into the text boxes: + - **Client ID** -> App ID + - **Client Secret** -> Client Secret + - **Authorize URL** -> Auth URL + - **Token URL** -> Token URL + - **JWKS URL** -> Certificate URL +6. Click **Save**. +7. Click **Test** to verify your login provider. diff --git a/website/sidebarsIntegrations.js b/website/sidebarsIntegrations.js index a690339102..ae993c9869 100644 --- a/website/sidebarsIntegrations.js +++ b/website/sidebarsIntegrations.js @@ -80,6 +80,7 @@ module.exports = { "services/apache-guacamole/index", "services/argocd/index", "services/awx-tower/index", + "services/cloudflare-access/index", "services/globalprotect/index", "services/harbor/index", "services/hashicorp-vault/index",