Cloudflare Zero Trust for Admin
Summary
This article describes an alternative method to access the CAS administration web interface for CAS users via the Cloudflare “Zero Trust” tunnel: “cloudflared”.
Technical explanation
Cloudflare offers (amongst it's rich services) a tunnel daemon that can expose your port to your company while hiding your CAS server IP and protecting your system. The cloudflared daemon is used for this purpose. The recommended procedure for accessing the Admin interface is still via VPN, however the Cloudflare Zero Trust tunnel provides a more user-friendly alternative with sufficient security.
This tunnel is useful for exposing the Administration service - without a VPN. It further restricts access to specific emails and geographies - reducing the threats from foreign actors.
The tunnel requires your DNS to be hosted by Cloudflare.
The essential idea is that the CAS Admin service can thus be mapped to a subdomain on your website while utilizing the Cloudflare DNS to hide your server IP.
The DNS entry should be a little obscure to minimize your visibility to threat actors.
The tunnel will enjoy the same HTTPS certification of your website.
The tunnel can be used without without altering the integrated VPN settings.
You must have a Cloudflare account (free) and use their DNS services (not free) to employ this option.
Overview:
Create your Cloudflare tunnel
Navigate to: https://one.dash.cloudflare.com/
1. Create a tunnel.
2. Enter a descriptive name:
3. Save it.
4. Select your Operating System (debian) and architecture (64-bit):
5. Execute the installation command on your CAS HOST:
Paste it into your SSH window on your CAS system, and
press Enter.
6. Enter the tunnel endpoints.
All tunnel configuration is performed at this web page (no configuration at the CAS server).
the Subdomain will be used in your browser, i.e. the “admin” in:
https://admin.yourcasdomain.com
Choose your Domain (it should already be listed in the dropdown box).
Type must be
HTTPS
.The URL for the CAS admin is the same as “Admin IP” as shown by
batm-manage info
:e.g. 10.3.2.2:7777
Open/expand “Additional application settings” towards the bottom:
Click on “TLS”, and
enable the option “No TLS Verify”.
7. Finally:
Save it (click “Save tunnel” in the bottom right corner).
The tunnel will now be active and should be “live”, exposing the admin service from CAS to your subdomain. You’ll be able to access in your browser using https://admin.yourcasdomain.com
(replace “yourcasdomain.com” with your actual CAS domain).
It is not protected from threat actors though, and you’re not quite done yet. You’ll need to restrict access to the page by changing one more tunnel setting, and configuring Google access.
Restrict access via Cloudflare
You need to setup some authorization rules in a new Cloudflare “application”. These rules will determine who is permitted access to the newly shared subdomain.
Navigate to: https://one.dash.cloudflare.com/
Open “Access”, then “Applications”:
Create a new “Application”:
Choose “Self-hosted”
Fill in the details:
The Application name will be displayed on the login page, and is not critical.
Session Duration is the time before re-authorization is required. When the authorization expires, the user attempting to access your domain will have to either enter a new PIN, or login to Google (again).
Subdomain should be the same as what you entered in Step 6 of tunnel creation.
Domain is one of the Cloudflare-handled domains you have registered with them.
Scroll down, click NEXT.
Create an “Allow” Policy
Name the policy something meaningful for authorizing CAS access, e.g. “CAS Access”.
Action: “Allow” enables only people that pass the “included” rules to be permitted access.
Next, add “Include” rules to the new policy. All rules will “allow” access:
This example “Include rule” will allow access to anyone with a generalbytes.com email.
The rules are tricky. Keep it simple to get it working now, then play with the settings later. Add yourself (or your email domain if you have one) as the single rule and move on to the next step.
Scroll down, click NEXT. Skip the next page.
Scroll down, click Add application.
Finished:
Now you’ve restricted access to the subdomain to only the people that pass the “Include rules”.
To test the rules, navigate back to your Application policy and “Test your policies”.
Currently, Cloudflare will now offer this screen to every user attempting to access your domain:
Only people you’ve added to the “Include rules” will receive a PIN.
Next, you can (optionally) configure Google to automate more of this process.
Automating Access Authentication via Google
Google can authenticate users for you, and forward the authenticated info to Cloudflare for comparison against your rules. Currently (as configured above), Cloudflare will send a PIN to the email (if they’re on the Allow list) which is requesting access, and after entering the PIN - the user will be permitted to access the subdomain . If the user has a Google-managed email, then they can skip a step (if not - they’re stuck using a PIN).
You can enable a user’s Google login to authenticate them, and enable access automatically. Here’s how.
Instructions from Cloudflare:
Navigate to the Google Cloud Platform credentials page at: https://console.developers.google.com/apis/credentials
Create a new Google Cloud project: click Create Project then New Project.
Name your Cloud Project, then click Create.
On the project home page, go to APIs & Services on the sidebar and select Dashboard.
On the sidebar, go to Credentials and select Configure Consent Screen at the top of the page.
Choose
External
as the User Type (any user with a Gmail address can login).Name the application, add a support email, and input contact fields. Only enter required details!
Google Cloud Platform requires an email in your account.
In the Scopes section, we recommend adding the
userinfo.email
scope.You do not need to add test users.
Do not upload a logo, or Google will require review & verification.
Save your changes.
Return to the APIs & Services page, select Create Credentials > OAuth client ID, and name the application (e.g. “CAS Admin”).
Select “Web Application”.
Under Authorized JavaScript origins, in the URIs field, enter your team domain:
https://<your-team-name>
<your-team-name>
is found in Zero Trust: Settings: Custom Pages: Team domainexample:
https://yourcasdomain.cloudflareaccess.com
Under Authorized redirect URIs, in the URIs field, enter the following URL:
https://<your-team-name>/cdn-cgi/access/callback
<your-team-name>
is found in Zero Trust: Settings: Custom Pages: Team domainexample:
https://yourcasdomain.cloudflareaccess.com/cdn-cgi/access/callback
Save your changes.
Google will present the OAuth Client ID and Secret values.
The secret field functions like a password and should not be shared.
Copy both values. You’ll need them next on the Cloudflare API page.
You’re done at Google.
In Cloudflare Zero Trust, go to Settings > Authentication.
Under Login methods, select Add new. Choose Google on the next page.
Input the Client ID and Client Secret fields generated in Step 9.
(Optional) Enable Proof of Key Exchange (PKCE). PKCE will be performed on all login attempts.
Select Save.
Done.
Now, when you access the subdomain, you should also be offered a Google login (instead of just a PIN):
Troubleshooting
You may start the Cloudflared daemon in the foreground to watch live activity.
Stop the daemon:
sudo systemctl stop cloudflared
Start it manually:
/usr/bin/cloudflared --no-autoupdate tunnel run --token insert_your_token_here
Logs
Working directory for the daemon using this article:
/usr/local/etc/cloudflared
The default daemon behavior is to log to the system journal. To view the cloudflared
entries:
sudo journalctl | grep cloudflare
Change the YAML file to modify the defaults, located at: /usr/local/etc/cloudflared/config.yml
For performance reasons, logging is disabled by default, but to turn it on for diagnostic reasons:
Open the config file:
nano /usr/local/etc/cloudflared/config.yml
Add these lines (and save + exit):
logfile: /var/log/cloudflared/cftunnel.log
loglevel: debug
Restart the tunnel:
sudo systemctl restart cloudflared
Watch the logging in real time:
tail -f /var/log/cloudflared/cftunnel.log
Copyright © 2020-2024 General Bytes USA LLC