I love Cloudflare – there, I have said it! If you are looking for a way to keep your site secure and performant, then Cloudflare is the way to go. Today I am going to be looking at just one aspect of Cloudflare and what it can do for you – Zero Trust.
What is Cloudflare?
I like to think of Cloudflare as the Swiss Army knife of cloud-based tools. It offers solutions for a variety of things, from security to performance to domain registration to content delivery, all packaged in an easy-to-understand, easy-to-use web-based interface. And, for the most part, much of what it offers is available for free, which is invaluable for hobbyists hosting their own blogs, such as me. Of course, as you move into more complex needs there is a price associated with that; for example, the company I work for pays to access things such as a Web Application Firewall. What I am discussing in this article, however, is, at the date of writing, all free.
What is Zero Trust?
Zero Trust is a security model that, at its heart, trusts nobody until they have been verified. This means that you can control access to your internet-facing resources, securely exposing things that you might previously have kept on a local network and/or accessed only via a VPN. If you have your domains routed through Cloudflare’s infrastructure, then you can make use of Zero Trust to secure your resources.
In my particular case, I have three sites which I wanted to access from outside the house but didn’t want others to have access to, so I put them behind Cloudflare’s Zero Trust. The rest of the article explains how I did that.
Implementing Cloudflare Zero Trust
The first thing to note is that I am going to assume that you already have your domain(s) running through Cloudflare and proxied through their infrastructure.
Next, this is not going to be a comprehensive walkthrough of Cloudflare’s Zero Trust; if you want that, I suggest you start with their documentation. Rather, this is a look at the specific use case of restricting access to your websites to authorised persons only. For this, we are going to allow access from specific IP addresses without a challenge. For other, unknown IP addresses, access is only granted after the visitor receives a six-digit code sent to an email address on one of the domains you specify.
There are two basic concepts with Zero Trust: Groups and Applications.
- Applications are the resources that you want to control access to.
- Groups are collections of things (domains, IP addresses etc.) that you want to either grant or deny access to your Applications.
Let’s take a look at them both.
Groups
As I said above, you create Groups to bring together things that you want to either grant or deny access to your Applications. Given that by default you want to deny access, we’ll just look at creating the Groups you want to grant access to.
To create a Group, click the “+ Add a Group” button to get started. You will then be given an opportunity to name your Group. Make this descriptive enough that you recognise it when attaching it to an Application.
If you want this Group to be applied to all future Applications you create, tick the “Set as default group” check box.
Further down the same page, you can pick what Cloudflare calls Selectors. These are the criteria that you want to grant or deny access on. Examples are IP address ranges, email domains or even whole countries. I’m going to look at IP address ranges and email domains here.
If you select “IP ranges” as the Selector, you can then add, unsurprisingly, IP addresses. These could be addresses that you want to automatically allow or those that you want to permanently ban. Now, if you are on a dynamic IP address that your ISP changes frequently, this isn’t going to be an option for you, but it works well for static IP addresses.
The other likely option as a Selector is “Emails ending in”. Here I have put domains that I own and have email addresses associated with. One thing that you MUST NOT do is add a public email domain such as gmail.com, outlook.com etc., because anyone can sign up for an address on those domains and would then be able to get access.
Applications
The other piece of the jigsaw is Applications, which are the web-based apps that you want to protect. Again, to get started, click the “+ Add an Application” button.
The first step in Application creation is to select the type of Application that you want to protect. The most likely, and the one that I am going to cover here, is Self-hosted, so select that.
The next page allows you to give your Application a name – make this something that you recognise, as you will be seeing it again! The Session Duration can be anything from “expires immediately” right up to 1 month. Getting the balance right here requires some thought, but I have gone for 24 hours.
Next, select the domain that you want to associate with this Application. This domain must be one that is set up to use Cloudflare’s name servers and must be proxied. You can, if you wish, also add a subdomain and/or path.
Now we can attach some Policies to your Application. Policies have one or more of the Groups you created above associated with them. For now, we are going to give the Policy a name and then select the IP address Group that you created. Then, from the Action drop-down, choose Bypass. What this is saying is that if traffic arrives from any of the IP addresses in this Group, let it through without a challenge.
Click through the next few pages, setting any options you might want – I have left them all at the defaults. You will then be taken back to the Applications overview.
At this stage, if you visit your Application from an address that is not on your IP list you should see the following page; if your address is on the list you will be taken straight through to the site.
Now we need to allow access to those with email addresses on the domains you have set up in your email Group. Select Configure from the pull-down menu (three dots) on the right-hand side. This will take you to the Policies page of your Application, as shown below.
Now click the “+ Add a policy” button. This time, select your email Group and set the Action to Allow.
Save this and once again you will be taken back to the Application overview, now showing both your Policies.
Zero Trust in Action
Now you’re all set up, so let’s take a look at what happens when you go to your Application from a location that isn’t in your Bypass list.
Firstly, you will see the following screen asking you to enter your email address.
If you enter an email address on a domain in your Group, you will be sent a six-digit code to enter on the next screen.
Assuming you enter the code successfully, you will then be taken to your Application. You can continue to access the app without having to authenticate again until the Session Duration period you set has expired.
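To make the behaviour of the two Policies concrete, here is an added Python model of how a request is decided under the configuration built above. It is not Cloudflare’s code or part of the original post; the IP ranges and email domains are constructed placeholders, the evaluation order is the one this article creates (Bypass for the IP Group first, then Allow for the email Group, deny otherwise), and the last case shows why a public email domain in the Group must be avoided.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample data standing in for the two Groups created in the UI
# (documentation IP ranges and placeholder domains, not real values).
BYPASS_IPS = ["203.0.113.10/32", "198.51.100.0/29"]     # "IP ranges" selector
OWN_EMAIL_DOMAINS = ["example.net", "example.org"]       # "Emails ending in" selector
SESSION_DURATION_S = 24 * 60 * 60                        # the 24-hour Session Duration chosen above


def ip_in_group(addr: str, ranges: list) -> bool:
    """Bypass Group check: is the client address inside any listed range?"""
    ip = ip_address(addr)
    return any(ip in ip_network(net, strict=False) for net in ranges)


def email_domain_allowed(email: str, domains: list) -> bool:
    """'Emails ending in' check on the whole part after '@', compared
    case-insensitively as a label rather than a string suffix, so
    user@notexample.net does not pass for example.net."""
    _, at, domain = email.rpartition("@")
    return bool(at) and domain.lower() in {d.lower() for d in domains}


def access_decision(client_ip: str, email: Optional[str], code_verified: bool,
                    bypass_ips=BYPASS_IPS, email_domains=OWN_EMAIL_DOMAINS) -> str:
    """Model of the two Policies as created above, evaluated in that order:
    1. Bypass for the IP Group: let the request through with no challenge.
    2. Allow for the email Group: only once the six-digit code was entered
       for an address on one of the listed domains.
    Anything else falls to the default of denying access."""
    if ip_in_group(client_ip, bypass_ips):
        return "bypass"
    if email and code_verified and email_domain_allowed(email, email_domains):
        return "allow"
    return "deny"


def session_valid(issued_at: int, now: int, duration_s: int = SESSION_DURATION_S) -> bool:
    """After a successful code entry, access continues without a new
    challenge until the Session Duration has elapsed."""
    return 0 <= now - issued_at < duration_s


if __name__ == "__main__":
    print(access_decision("203.0.113.10", None, False))             # bypass: static IP in the Group
    print(access_decision("192.0.2.1", "me@example.net", True))     # allow: own domain, code entered
    print(access_decision("192.0.2.1", "me@notexample.net", True))  # deny: lookalike domain
    # The pitfall from the Groups section: listing a public domain lets anyone in.
    print(access_decision("192.0.2.1", "anyone@gmail.com", True, email_domains=["gmail.com"]))  # allow
```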
This is a simple but effective way of securing your application and another reason to love Cloudflare!