Summary
This article describes an alternative way for CAS users to reach the CAS administration web interface: through Cloudflare's Zero Trust tunnel product, “cloudflared”. The recommended and most secure procedure for accessing the admin interface is still via VPN; the Cloudflare Zero Trust tunnel, however, offers a more user-friendly alternative with a sufficient level of security.
Technical explanation
Cloudflare offers (amongst its many services) a tunnel daemon that exposes a port on your server to your company while hiding the CAS server's IP address and protecting your system. The “cloudflared” daemon is used for this purpose. The recommended procedure for accessing the Admin interface is still via VPN; however, the Cloudflare Zero Trust tunnel provides a more user-friendly alternative with sufficient security.
This tunnel is useful for exposing the Administration service - without a VPN. It further restricts access to specific emails and geographies - reducing the threats from foreign actors.
The DNS entry should be a little obscure to minimize your visibility to threat actors.
The tunnel will enjoy the same HTTPS certification of your website.
The tunnel can be used without altering the integrated VPN settings.
You must have a Cloudflare account (free) and use their DNS services to employ this option.
Overview:
Create your Cloudflare tunnel
Restrict access via Cloudflare
Automating access via Google
Troubleshooting
Create your Cloudflare tunnel
Navigate to: https://one.dash.cloudflare.com/
1. Create a tunnel.
2. Enter a descriptive name:
3. Save it.
4. Select your Operating System (debian) and architecture (64-bit):
5. Execute the installation command on your CAS HOST:
Paste it into your SSH window on your CAS system, and press Enter.
6. Enter the tunnel endpoints.
All tunnel configuration is performed at this web page (no configuration at the CAS server).
The Subdomain will be used in your browser, i.e. the “admin” in:
https://admin.yourcasdomain.com
Choose your Domain (it should already be listed in the dropdown box).
Type must be HTTPS.
The URL for the CAS admin is the same as the “Admin IP” shown by batm-manage info, e.g. 10.3.2.2:7777
Click on “TLS”, and enable the option “No TLS Verify”.
7. Finally:
Save it (click “Save tunnel” in the bottom right corner).
It is not protected from threat actors though, and you’re not quite done yet. You’ll need to restrict access to the page by changing one more tunnel setting, and configuring Google access.
Restrict access via Cloudflare
You need to set up some authorization rules in a new Cloudflare “application”. These rules determine who is permitted to access the newly shared subdomain.
Navigate to: https://one.dash.cloudflare.com/
Open “Access”, then “Applications”:
Create a new “Application”:
Choose “Self-hosted”
Fill in the details:
The Application name will be displayed on the login page, and is not critical.
Session Duration is the time before re-authorization is required. When the authorization expires, the user attempting to access your domain will have to either enter a new PIN, or login to Google (again).
Subdomain should be the same as what you entered in Step 6 of tunnel creation.
Domain is one of the Cloudflare-handled domains you have registered with them.
Scroll down, click NEXT.
Create an “Allow” Policy
Name the policy something meaningful for authorizing CAS access, e.g. “CAS Access”.
Action: “Allow” enables only people that pass the “included” rules to be permitted access.
Next, add “Include” rules to the new policy. All rules will “allow” access:
This example “Include rule” will allow access to anyone with a generalbytes.com email.
The rules are tricky. Keep it simple to get it working now, then play with the settings later. Add yourself (or your email domain if you have one) as the single rule and move on to the next step.
Scroll down, click NEXT. Skip the next page.
Scroll down, click Add application.
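Because “the rules are tricky”, it helps to see how an Allow policy actually evaluates. The following is an added example, not Cloudflare's code and not part of this article: a small model of the documented Cloudflare Access semantics (Include rules: at least one must match; Exclude rules: none may match; Require rules: all must match), applied to the single-rule “CAS Access” policy above and to a tighter variant. The rule kinds, the contractor and former-employee addresses and the country code are constructed for illustration.

```python
"""Model of the Cloudflare Access policy semantics used in this article.

Added example (not Cloudflare's code and not part of the original article).
Assumptions, taken from Cloudflare's documented rule semantics:
  - Include rules: the identity must match at least ONE of them (OR)
  - Exclude rules: the identity must match NONE of them
  - Require rules: the identity must match ALL of them (AND)
An "Allow" policy grants access only when all three conditions hold.
The rule kinds and field names (email, email_domain, country) are
illustrative, not the dashboard's internal identifiers.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    email: str
    country: str  # country code Cloudflare derives from the client address


@dataclass
class Rule:
    kind: str   # "email", "email_domain" or "country"
    value: str

    def matches(self, who: Identity) -> bool:
        if self.kind == "email":
            return who.email.lower() == self.value.lower()
        if self.kind == "email_domain":
            # exact domain comparison, so "generalbytes.com.example" does not match
            return who.email.lower().rsplit("@", 1)[-1] == self.value.lower()
        if self.kind == "country":
            return who.country.upper() == self.value.upper()
        raise ValueError(f"unknown rule kind: {self.kind}")


@dataclass
class AllowPolicy:
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)
    require: list = field(default_factory=list)

    def permits(self, who: Identity) -> bool:
        if not self.include:
            return False  # a policy with no Include rule admits nobody
        if not any(r.matches(who) for r in self.include):
            return False
        if any(r.matches(who) for r in self.exclude):
            return False
        return all(r.matches(who) for r in self.require)


# The single-rule policy the article recommends starting with
# (the e-mail domain is the article's own example).
CAS_ACCESS = AllowPolicy(
    name="CAS Access",
    include=[Rule("email_domain", "generalbytes.com")],
)

# A tighter variant: two Include rules, one Exclude rule and a Require rule
# on geography (constructed values; the country code is an assumption).
CAS_ACCESS_GEOFENCED = AllowPolicy(
    name="CAS Access (single country)",
    include=[Rule("email_domain", "generalbytes.com"),
             Rule("email", "contractor@example.com")],
    exclude=[Rule("email", "former-employee@generalbytes.com")],
    require=[Rule("country", "CZ")],
)


def decide(policy: AllowPolicy, email: str, country: str) -> str:
    """Return "allow" or "deny" for one login attempt."""
    return "allow" if policy.permits(Identity(email, country)) else "deny"


if __name__ == "__main__":
    attempts = [("ops@generalbytes.com", "CZ"),
                ("ops@generalbytes.com", "US"),
                ("contractor@example.com", "CZ"),
                ("former-employee@generalbytes.com", "CZ"),
                ("someone@gmail.com", "CZ")]
    for email, country in attempts:
        print(f"{email:35} {country}  simple={decide(CAS_ACCESS, email, country):5} "
              f"geofenced={decide(CAS_ACCESS_GEOFENCED, email, country)}")
```

Two points the model makes visible: adding a second Include rule widens access (either match is enough), while Require and Exclude only ever narrow it; and a domain rule must compare the whole domain, not a suffix, otherwise look-alike domains would pass.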
Finished:
Now you’ve restricted access to the subdomain to only the people that pass the “Include rules”.
Only people you’ve added to the “Include rules” will receive a PIN.
Next, you can (optionally) configure Google to automate more of this process.
Automating access via Google
Google can authenticate users for you and forward the authenticated identity to Cloudflare for comparison against your rules. As configured above, Cloudflare sends a PIN to the email address requesting access (if it is on the Allow list), and after the PIN is entered the user is permitted to access the subdomain. If the user has a Google-managed email, they can skip that step (if not, they are stuck using a PIN).
Now, when you access the subdomain, you should also be offered a Google login (instead of just a PIN):
Troubleshooting
You may start the Cloudflared daemon in the foreground to watch live activity.
Stop the daemon:
sudo systemctl stop cloudflared
Start it manually:
/usr/bin/cloudflared --no-autoupdate tunnel run --token insert_your_token_here
Logs
Working directory for the daemon using this article:
/usr/local/etc/cloudflared
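Once the tunnel and the Access application are in place, two things are worth verifying rather than assuming: that the “Admin IP” you entered as the tunnel origin (e.g. 10.3.2.2:7777) is a private address, so the admin interface is reachable only through the tunnel; and that an anonymous browser hitting the public subdomain is met by the Cloudflare Access login, not by the admin UI. The script below is an added example, not part of this article and not CAS or Cloudflare code. It assumes that Access answers an unauthenticated request with a redirect to the team's login page on a *.cloudflareaccess.com host; the hostname and origin are placeholders you replace with your own.

```python
"""Post-setup checks for the tunnel described in this article.

Added example (not part of the original article, not CAS or Cloudflare code).
  1. origin_is_private(): the tunnel origin ("Admin IP", e.g. 10.3.2.2:7777)
     should be a private or loopback address, so the admin interface is
     never directly reachable from the internet.
  2. access_gate_present(): an unauthenticated request to the public
     hostname must be answered by Cloudflare Access, i.e. a redirect to
     <team>.cloudflareaccess.com (assumption about Access behaviour),
     never by the CAS admin page itself.
"""
import ipaddress
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def origin_is_private(origin: str) -> bool:
    """True when the host part of 'host:port' (or a bare host) is private/loopback."""
    if origin.startswith("["):              # [ipv6]:port
        host = origin[1:origin.index("]")]
    elif origin.count(":") == 1:            # ipv4:port
        host = origin.split(":")[0]
    else:                                   # bare host or bare IPv6
        host = origin
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: cannot be verified here, treat as not private
    return addr.is_private or addr.is_loopback


def access_gate_present(status: int, headers: dict) -> bool:
    """Decide from a response whether Cloudflare Access sits in front of the origin."""
    lowered = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(lowered.get("location", "")).hostname or ""
    redirected = status in (301, 302, 303, 307, 308)
    return redirected and target.endswith(".cloudflareaccess.com")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def probe(hostname: str) -> tuple:
    """Fetch https://hostname/ without cookies and return (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"https://{hostname}/", timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    # Placeholders: pass your own public hostname and the origin from the tunnel config.
    hostname = sys.argv[1] if len(sys.argv) > 1 else "admin.yourcasdomain.com"
    origin = sys.argv[2] if len(sys.argv) > 2 else "10.3.2.2:7777"
    print(f"origin {origin} private: {origin_is_private(origin)}")
    status, headers = probe(hostname)
    print(f"{hostname}: status {status}, Access gate present: "
          f"{access_gate_present(status, headers)}")
```

Run it as `python3 check_tunnel.py admin.yourcasdomain.com 10.3.2.2:7777` from a machine that has not logged in to Access. A 200 response carrying the admin page means the Access application is not bound to that subdomain; a redirect to a `cloudflareaccess.com` host means the gate is in place. The origin check deliberately refuses DNS names, since a name can resolve to anything; the tunnel origin should be the literal private address that `batm-manage info` reports.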