66a16752e4
* init * rough draft * main docs * upd placeholder * Rebase pull request rough draft main docs upd placeholder * add to sidebar * lint * oops Signed-off-by: 4d62 <157558804+4d62ext@users.noreply.github.com> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * apply suggestion Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: 4d62 <ext@4d62.me> * upd Signed-off-by: 4d62 <ext@4d62.me> --------- Signed-off-by: 4d62 <157558804+4d62ext@users.noreply.github.com> Signed-off-by: 4d62 <ext@4d62.me> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
65 lines
2.5 KiB
Plaintext
65 lines
2.5 KiB
Plaintext
---
|
|
title: Cloudflare Access
|
|
---
|
|
|
|
<span class="badge badge--secondary">Support level: Community</span>
|
|
|
|
## What is Cloudflare Access
|
|
|
|
> Cloudflare Access is a secure, cloud-based zero-trust solution for managing and authenticating user access to internal applications and resources.
|
|
>
|
|
> -- https://www.cloudflare.com/zero-trust/products/access/
|
|
|
|
## Preparation
|
|
|
|
The following placeholders will be used:
|
|
|
|
- `mysubdomain.cloudflareaccess.company` is the FQDN of your Cloudflare Access subdomain.
|
|
- `authentik.company` is the FQDN of the authentik install.
|
|
|
|
To proceed, you need to register for a free Cloudflare Access account and have both a Cloudflare account and a publicly accessible authentik instance with a trusted SSL certificate.
|
|
|
|
## authentik configuration
|
|
|
|
### Step 1: Log in to authentik
|
|
|
|
1. Log in to your authentik instance.
|
|
2. Click **Admin interface**.
|
|
|
|
### Step 2: Create a new authentication provider
|
|
|
|
3. Under **Application**, click **Providers** and create a new provider.
|
|
4. Choose **OAuth2/OpenID Provider** and then click **Next**.
|
|
5. Set the authorization flow to **Authorize Application** (`default-provider-authorization-explicit-consent`).
|
|
6. Set the client type to **Confidential**.
|
|
7. Set the redirect URI to `https://mysubdomain.cloudflareaccess.company/cdn-cgi/access/callback`.
|
|
8. Ensure that the signing key is set to **Authentik Self-signed Certificate**.
|
|
9. Click **Finish** to create the provider.
|
|
|
|
### Step 3: Create a new application
|
|
|
|
10. Create a new application and give it a name.
|
|
11. Set the provider to the one you just created.
|
|
12. Ensure that the **Policy engine mode** is set to **ANY, any policy must match to grant access**.
|
|
13. Click **Create** and then navigate to your [Cloudflare Access dashboard](https://one.dash.cloudflare.com).
|
|
|
|
## Cloudflare Access configuration
|
|
|
|
### Step 4: Configure Cloudflare Access
|
|
|
|
1. Go to the Cloudflare One dashboard.
|
|
2. Click **Settings** at the bottom of the menu, then select **Authentication**.
|
|
|
|
### Step 5: Add a login method
|
|
|
|
3. From **Login methods** click **Add** and select **OpenID Connect"**
|
|
4. Enter a name for your login method. This can be anything.
|
|
5. Copy the following details from the authentik provider settings you previously created and paste them into the text boxes:
|
|
- **Client ID** -> App ID
|
|
- **Client Secret** -> Client Secret
|
|
- **Authorize URL** -> Auth URL
|
|
- **Token URL** -> Token URL
|
|
- **JWKS URL** -> Certificate URL
|
|
6. Click **Save**.
|
|
7. Click **Test** to verify your login provider.
|