Cloudflare Zero Trust Extensions

Owned by Charles Wernicke
Last updated: Dec 20, 2023
4 min read

Cloudflare offers (amongst it's rich services) a tunnel daemon that can expose your port to your customers while hiding your CAS server IP and protecting your system. The “cloudflared” daemon is used for this purpose.

This tunnel is useful for exposing the REST API required by:

  • lnurl for the Lightning network,

  • Onfido,

  • Morphis,

  • Operator Extensions.

The tunnel will not work with Veriff.

The essential idea is that these CAS services can thus be mapped to a subdomain on your website while utilizing the Cloudflare DNS to hide your server IP.

  • The DNS entry should be a little obscure to reduce your vulnerability to drive-by attacks.

  • This is a suitable replacement for an NGINX proxy server.

  • The tunnel will enjoy the same certification of your website.

You must have a Cloudflare account (free) and their DNS services to use this option.

Proxy the CAS REST API service

The internal port 7743 should be exposed to the tunnel daemon via a proxy server. This process is already laid out in this article: https://generalbytes.atlassian.net/l/cp/sxVekrvU

  • After that is completed, you’ll have local port 7443 proxied (from the example).

  • On the CAS system, you need not open any firewall ports for this. In fact, after it’s done - the ports that were opened - can now be blocked - increasing the security of your server.

  • For firewall info, see: https://generalbytes.atlassian.net/l/cp/L1vVcNWx

Security

Your CAS host should not expose any ports except those protected by a VPN. Using this method, you won’t be exposing the port 7443 (used in the NGINX example) directly.

  • All non-VPN ports (e.g. 80, 7743, and 7443) should be blocked with the UFW firewall.

Adjusting the nginx server block for tunnelling

Modify the default server block configuration file:

sudo nano /etc/nginx/conf.d/cas-rest-api.conf

Change to any unused port number between 1024 - 49151:

  • “8743” will be used in this example, so:

    • change listen 7443 ssl; to: listen 8743 ssl; in this file.

    • localhost should now be replaced with the “Master IP” reported by batm-manage info.

Create your Cloudflare tunnel

Navigate to: https://one.dash.cloudflare.com/

Create a tunnel.

Enter a name:

Save it:

Select your Operating System (debian) and architecture (64-bit):

Copy the installation command:

  • Paste it into your SSH window on your CAS system, and

  • press Enter.

Enter the tunnel endpoints.

  • All tunnel configuration is performed at this web page (none at the CAS server).

  • the Subdomain should be obfuscated, any text here is fine - but customers may see it - so don’t get crazy or use something that might cause you issues.

  • Choose your Domain (it should already be listed in the dropdown box).

  • Type must be HTTPS.

  • The URL for the CAS port is determined by the “Master IP” setting using batm-manage info.

    • The URL in this example: 10.3.2.1:8743

Open/expand “Additional application settings” towards the bottom:

  • Click on “TLS”, and

  • enable the option “No TLS Verify”.

Finally:

  • Save it (click “Save tunnel” in the bottom right corner).

The tunnel will now be active and should be “live”, forwarding the REST API from CAS to your subdomain.

Test the tunnel

Using a browser, navigate to: https://agent86.yourdomain.com/extensions/lnurl

The browser should show a simple line of text: “BATM LNURL REST Service"

Continue:

  • Configure CAS for Lightning

  • Setup Onfido

  • Setup Veriff

Troubleshooting

You may start the Cloudflared daemon in the foreground to watch live activity.

  1. Stop the daemon: sudo systemctl stop cloudflared

  2. Start it manually:

/usr/bin/cloudflared --no-autoupdate tunnel run --token insert_your_token_here

Logs

The default daemon behavior is to log to the system journal. To view the cloudflared entries:

sudo journalctl | grep cloudflare

Change the YAML file to modify the defaults, located at: /usr/local/etc/cloudflared/config.yml

For performance reasons, logging is disabled by default, but to turn it on for diagnostic reasons:

  1. Open the config file: nano /usr/local/etc/cloudflared/config.yml

  2. Add these lines (and save + exit):

    1. logfile: /var/log/cloudflared/cftunnel.log

    2. loglevel: debug

  3. Restart the tunnel:

    1. sudo systemctl restart cloudflared

  4. Watch the logging in real time:

    1. tail -f /var/log/cloudflared/cftunnel.log

On your CAS server, edit the lnurl configuration file with:

Add your lnurl target URL (e.g.: base_url=https://agent99.yourdomain.com/extension/lnurl)

  • Save and exit (Ctrl+X, then Y)

  • Leave filename unchanged (just press Enter).

 

Copyright © 2020-2024 General Bytes USA LLC