This guide makes the following assumptions
- You have a Cloudflare account
- You have a server / service you wish to expose via the tunnel
Before we start the deployment process let's first explain what the cloudflared agent does, by using the cloudflared agent you create an instance that can proxy more than just web traffic (e.g. nginx) and the agent can communicate directly back to cloudflare and controls the flow of traffic to your application sitting within your walled off garden (home lab). The agent is also responsible for ensuring your access to the application meets the conditional access policies defined within the dashboard.
Firstly, login to the (Cloudflare Dashboard)[https://one.dash.cloudflare.com]. This is your central control panel and in reality is much simpler than it first appears. If you've never logged in before you will be asked to configure a Team site name, this will form part of your url page e.g. mycoolteam.cloudflareaccess.com.
Our guide series doesn't focus on using Gateway however in a later tutorial we may cover this in depth, most of our configuration will occur within the 'Settings' tab.
This section covers the following six areas:
- Account - This is mainly for billing
- General - This covers some core settings, e.g. branding and domains
- Network - This covers Gateway network settings, e.g. filtering, exclusions and some firewall settings
- Authentication - This is where we configure our IdP, e.g. Azure AD, Auth0, Discord etc
- Warp Client - This covers Warp client agent settings
- Download - Public download links for agents, SSL Inspection Root CA Certs etc
The core ones covered in this setting are 'General', 'Authentication', 'Warp Client' and 'Download'
If you're in this page you're most likely looking for active user seat duration, this is the bottom setting and defines how long a user remains within your 'Users' tab after leaving the organisation. By default we use '2 months', the Cloudflare default at the time of writing is '3'.
The most important setting to note here is 'Team Site' URL, you can use this setting to view a central login dashboard with all of your Cloudflare tunnelled applications in one place.
While you can implement a domain / url redirect for your cloudflareaccess.com subdomain you cannot implement a custom domain via cname at this time.
The block page is part of Gateway so won't be used in this tutorial but the login page is so feel free to edit the colours, logos and any text you want displayed on the login page.
The only settings we turned on are:
- Gateway: Exclude PII
- Firewall: Proxy (UDP & TCP Traffic)
If you enable TLS decryption you will need to ensure all devices have the Cloudflare Root CA cert installed to prevent web browsing errors, for our needs this is not required.