loc_az_hci/docs/deployment/cloudflare-integration.md
# Cloudflare Integration Guide
## Overview
This document describes the Cloudflare Zero Trust and Tunnel integration for secure external access to the Azure Stack HCI environment without requiring inbound ports.
## Architecture
### Cloudflare Tunnel Architecture
```
┌─────────────────────────────────────────────────────────┐
│              Cloudflare Zero Trust Network              │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐   │
│  │  Zero Trust  │  │     WAF      │  │    Tunnel    │   │
│  │   Policies   │  │    Rules     │  │  Endpoints   │   │
│  └──────────────┘  └──────────────┘  └──────────────┘   │
└─────────────────────────────────────────────────────────┘
                            │ Outbound only (UDP/TCP 7844 to the Cloudflare edge)
┌─────────────────────────────────────────────────────────┐
│               On-Premises Infrastructure                │
│                                                         │
│  ┌─────────────────────────────────────────────────┐    │
│  │         Cloudflare Tunnel VM (VLAN 99)          │    │
│  │                ┌──────────────┐                 │    │
│  │                │  cloudflared │                 │    │
│  │                │    daemon    │                 │    │
│  │                └──────────────┘                 │    │
│  └─────────────────────────────────────────────────┘    │
│           │               │              │              │
│  ┌────────▼───────┐  ┌────▼─────┐  ┌─────▼─────┐        │
│  │      WAC       │  │ Proxmox  │  │ Dashboards│        │
│  │   (VLAN 60)    │  │    UI    │  │ (VLAN 40) │        │
│  └────────────────┘  └──────────┘  └───────────┘        │
└─────────────────────────────────────────────────────────┘
```
## Components
### Cloudflare Tunnel (cloudflared)
- **Purpose:** Maintains a persistent outbound connection from the on-premises network to the Cloudflare edge and proxies edge requests to internal origins
- **Location:** Ubuntu VM in VLAN 99 (DMZ)
- **Protocol:** Outbound only; cloudflared connects to the Cloudflare edge on port 7844 (QUIC over UDP by default, falling back to HTTP/2 over TCP). Outbound HTTPS (443) is needed only for `cloudflared tunnel login`, package installation and API calls
- **Benefits:** No inbound ports or public IP on any origin; all tunnel traffic is encrypted in transit
### Zero Trust Policies
- **SSO Integration:** Azure AD, Okta, or other identity providers
- **MFA Requirements:** Multi-factor authentication enforcement
- **Device Posture:** Device health and compliance checks
- **Access Policies:** Least privilege access control, defined per Access application; a public hostname without an Access application is reachable without any authentication, because the tunnel itself authenticates nothing
### WAF (Web Application Firewall)
- **Purpose:** Protect public ingress from attacks
- **Rules:** Custom WAF rules for application protection
- **Integration:** Applies to tunnel hostnames because their DNS records are proxied CNAMEs through Cloudflare
## Installation
### Prerequisites
- Cloudflare account with Zero Trust enabled
- Ubuntu VM deployed in VLAN 99
- Network connectivity from the Tunnel VM to the origin services (only the IP:port pairs listed in the ingress rules) and outbound to Cloudflare on UDP/TCP 7844 and TCP 443
- Azure AD or other SSO provider (optional)
### Environment Configuration
Before starting, ensure your `.env` file is configured with Cloudflare credentials. It holds an API token, so keep it readable only by you and out of version control:
```bash
# Copy template if not already done
cp .env.example .env
chmod 600 .env
# Edit .env and set:
# - CLOUDFLARE_API_TOKEN (get from https://dash.cloudflare.com/profile/api-tokens; scope it to the
#   zone and account permissions the automation actually needs, not a global API key)
# - CLOUDFLARE_ACCOUNT_EMAIL
# - CLOUDFLARE_ZONE_ID (optional)
```
### Step 1: Create Cloudflare Zero Trust Organization
1. Log in to [Cloudflare Dashboard](https://dash.cloudflare.com)
2. Navigate to Zero Trust
3. Create or select organization
4. Note your organization name
**Note**: If using automation scripts, ensure `CLOUDFLARE_API_TOKEN` is set in your `.env` file.
### Step 2: Install cloudflared
On the Ubuntu Tunnel VM:
```bash
# Download and install the release binary (fail on HTTP errors instead of writing an error page to disk).
# Prefer pinning a release tag over "latest" so the installed version is reproducible.
sudo curl -fL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
sudo chmod 755 /usr/local/bin/cloudflared
# Alternative: Cloudflare's signed apt repository (https://pkg.cloudflare.com/) installs to /usr/bin/cloudflared
# and lets apt handle updates; if you use it, adjust the ExecStart path in the systemd unit below.
# Verify installation
cloudflared --version
```
### Step 3: Authenticate cloudflared
```bash
# Option 1: Interactive login (recommended for first-time setup)
# Opens a browser; select the zone. Writes an origin certificate to ~/.cloudflared/cert.pem that
# authorises this host to create tunnels and DNS routes, so treat it as a secret.
cloudflared tunnel login

# Option 2: API-driven setup (for automation)
# `cloudflared tunnel login` does not consume CLOUDFLARE_API_TOKEN; the token is for scripts that call
# the Cloudflare API. Load .env without the word-splitting problems of `export $(cat .env | xargs)`:
set -a; . ./.env; set +a
# A tunnel created remotely (Zero Trust > Networks > Tunnels, or the cfd_tunnel API) is run with its
# tunnel token instead of a local credentials file:
#   cloudflared tunnel run --token "$TUNNEL_TOKEN"

# Note: `cloudflared tunnel create` writes credentials to ~/.cloudflared/<tunnel-id>.json by default;
# this guide moves them to /etc/cloudflared/. Credentials and cert.pem must be mode 600, owned by the
# service user, and never committed to version control.
```
### Step 4: Create Tunnel
```bash
# Create a new tunnel; prints the tunnel ID and writes ~/.cloudflared/<tunnel-id>.json
cloudflared tunnel create azure-stack-hci
# Move the credentials where config.yml expects them and restrict access (`cloudflared tunnel list` shows the ID again later)
sudo mkdir -p /etc/cloudflared && sudo mv ~/.cloudflared/<tunnel-id>.json /etc/cloudflared/
sudo chmod 600 /etc/cloudflared/<tunnel-id>.json
```
## Configuration
### Tunnel Configuration File
Create `/etc/cloudflared/config.yml`. Rules are matched top to bottom and the first match wins, so the catch-all must be last. cloudflared verifies the origin's TLS certificate on `https://` services; WAC and Proxmox ship with self-signed certificates, so either trust your internal CA bundle with `caPool` (preferred) or set `noTLSVerify: true` on that rule as a last resort:
```yaml
tunnel: <tunnel-id>
credentials-file: /etc/cloudflared/<tunnel-id>.json

# Defaults applied to every ingress rule; a rule's own originRequest overrides them
originRequest:
  noHappyEyeballs: true
  tcpKeepAlive: 30s            # durations take a unit (30s), not a bare number
  # Placeholder path: a PEM bundle containing the CA that signed the WAC/Proxmox certificates.
  # Remove this and use noTLSVerify: true per rule only if you cannot deploy an internal CA.
  caPool: /etc/cloudflared/internal-ca.pem

ingress:
  # Windows Admin Center
  - hostname: wac.yourdomain.com
    service: https://10.10.60.20:443
  # Proxmox UI
  - hostname: proxmox.yourdomain.com
    service: https://10.10.60.10:8006
  # Grafana Dashboard (plain HTTP on the monitoring VLAN; the public leg is still TLS at the edge)
  - hostname: grafana.yourdomain.com
    service: http://10.10.40.10:3000
  # Git Server
  - hostname: git.yourdomain.com
    service: https://10.10.30.10:443
  # CI/CD
  - hostname: ci.yourdomain.com
    service: https://10.10.50.10:443
  # Catch-all (must be last): unmatched hostnames get a 404 at the edge instead of reaching an origin
  - service: http_status:404
```
### DNS Configuration
Each public hostname needs a proxied CNAME record pointing at `<tunnel-id>.cfargotunnel.com`. For a tunnel configured by the local `config.yml`, create these records from the Tunnel VM with `cloudflared tunnel route dns azure-stack-hci wac.yourdomain.com` (one command per hostname; it uses the `cert.pem` from `cloudflared tunnel login`). The public hostname editor in the dashboard is for remotely managed tunnels, so do not mix the two for one tunnel. Then confirm in the Cloudflare Dashboard:
1. Navigate to Zero Trust > Networks > Tunnels (Access > Tunnels in older dashboards)
2. Select your tunnel
3. Verify the public hostnames resolve to it:
   - `wac.yourdomain.com` → Tunnel
   - `proxmox.yourdomain.com` → Tunnel
   - `grafana.yourdomain.com` → Tunnel
   - `git.yourdomain.com` → Tunnel
   - `ci.yourdomain.com` → Tunnel
### Systemd Service
Create `/etc/systemd/system/cloudflared.service`. The unit runs as a dedicated unprivileged `cloudflared` user (created in the next step) with auto-update disabled, because a self-updating binary is incompatible with a read-only filesystem and with package-managed updates:
```ini
[Unit]
Description=Cloudflare Tunnel
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=cloudflared
Group=cloudflared
# Adjust the path if cloudflared was installed from the apt repository (/usr/bin/cloudflared)
ExecStart=/usr/local/bin/cloudflared tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
Restart=on-failure
RestartSec=5s
# Hardening: no privilege escalation, read-only system, no access to home directories, private /tmp
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```
Enable and start:
```bash
# Create the service account, hand it the credentials and config, then enable the unit
sudo useradd --system --no-create-home --shell /usr/sbin/nologin cloudflared
sudo chown -R cloudflared:cloudflared /etc/cloudflared && sudo chmod 700 /etc/cloudflared
sudo systemctl daemon-reload
sudo systemctl enable --now cloudflared
sudo systemctl status cloudflared
```
## Zero Trust Policies
### SSO Configuration
1. Navigate to Zero Trust > Access > Authentication
2. Add identity provider:
- **Azure AD:** Configure Azure AD app registration
- **Okta:** Configure Okta application
- **Other:** Follow provider-specific instructions
### Access Policies
Every hostname in the tunnel's ingress list needs its own Access application. A hostname without one is served to anyone on the internet, because the tunnel performs no authentication of its own.
1. Navigate to Zero Trust > Access > Applications
2. Create application (repeat for each hostname):
   - **Application name:** WAC Access
   - **Application domain:** `wac.yourdomain.com`
   - **Session duration:** 24 hours (consider a shorter session for administrative consoles such as WAC and Proxmox)
3. Configure policy:
   - **Action:** Allow
   - **Include:**
     - Emails: `admin@yourdomain.com`
     - Groups: `IT-Admins`
   - **Require:**
     - MFA: Yes
     - Device posture: Optional (recommended for WAC and Proxmox, which grant host-level control)
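The two things above that are easiest to get wrong are the ingress rule order in `config.yml` and the one-to-one mapping between public hostnames and Access applications. The following script is an added example, not part of the `loc_az_hci` project's automation; it audits a parsed `config.yml` (a dict in the shape `yaml.safe_load` returns) against the set of Access application domains and flags hostnames that are exposed without Access, a misplaced catch-all, unit-less durations, `noTLSVerify`, and plain-HTTP origins. `TUNNEL_CONFIG` and `ACCESS_APPS` are constructed sample data that deliberately contain each of those mistakes; in practice, load the YAML with PyYAML and take the application list from the dashboard or the Cloudflare API.

```python
"""Audit a cloudflared config.yml against the Access applications that protect its hostnames.

Added example (not project code). TUNNEL_CONFIG mirrors the page's config.yml as yaml.safe_load
would return it, with deliberate mistakes; ACCESS_APPS is a constructed stand-in for the
application domains listed under Zero Trust > Access > Applications.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample: the page's ingress list with a unit-less duration, a noTLSVerify rule,
# a plain-HTTP origin and one hostname (ci.) that has no Access application.
TUNNEL_CONFIG = {
    "tunnel": "<tunnel-id>",
    "credentials-file": "/etc/cloudflared/<tunnel-id>.json",
    "ingress": [
        {"hostname": "wac.yourdomain.com", "service": "https://10.10.60.20:443",
         "originRequest": {"noHappyEyeballs": True, "tcpKeepAlive": 30}},
        {"hostname": "proxmox.yourdomain.com", "service": "https://10.10.60.10:8006",
         "originRequest": {"noTLSVerify": True}},
        {"hostname": "grafana.yourdomain.com", "service": "http://10.10.40.10:3000"},
        {"hostname": "git.yourdomain.com", "service": "https://10.10.30.10:443"},
        {"hostname": "ci.yourdomain.com", "service": "https://10.10.50.10:443"},
        {"service": "http_status:404"},
    ],
}

# Constructed sample: hostnames that have an Access application (ci.yourdomain.com is missing)
ACCESS_APPS = {"wac.yourdomain.com", "proxmox.yourdomain.com",
               "grafana.yourdomain.com", "git.yourdomain.com"}

DURATION_KEYS = ("tcpKeepAlive", "connectTimeout", "tlsTimeout", "keepAliveTimeout")


def is_catch_all(rule: dict) -> bool:
    """A rule with neither hostname nor path matches every request."""
    return "hostname" not in rule and "path" not in rule


def audit_ingress(config: dict, access_apps: set[str]) -> list[str]:
    """Return findings as 'LEVEL host: message' strings; an empty list means the config is clean."""
    findings: list[str] = []
    rules = config.get("ingress", [])
    if not rules or not is_catch_all(rules[-1]):
        findings.append("ERROR -: last ingress rule must be a catch-all (service only, e.g. http_status:404)")
    seen: set[str] = set()
    for idx, rule in enumerate(rules):
        if is_catch_all(rule):
            if idx != len(rules) - 1:
                findings.append(f"ERROR -: catch-all at position {idx} shadows every later rule")
            continue
        host = rule.get("hostname", "*")
        if host in seen:
            findings.append(f"WARN {host}: duplicate hostname; only the first rule is ever matched")
        seen.add(host)
        # The tunnel authenticates nothing: a public hostname without an Access app is open to the internet
        if host not in access_apps:
            findings.append(f"ERROR {host}: no Access application; reachable without authentication")
        scheme = urlsplit(rule.get("service", "")).scheme
        origin = rule.get("originRequest") or {}
        if scheme == "http":
            findings.append(f"WARN {host}: origin is plain HTTP; the cloudflared-to-origin hop is unencrypted")
        if scheme == "https" and origin.get("noTLSVerify"):
            findings.append(f"WARN {host}: noTLSVerify is set; prefer caPool with the internal CA")
        for key in DURATION_KEYS:
            value = origin.get(key)
            if isinstance(value, (int, float)) and not isinstance(value, bool):
                findings.append(f"ERROR {host}: originRequest.{key} needs a unit, e.g. 30s, not {value}")
    return findings


if __name__ == "__main__":
    for line in audit_ingress(TUNNEL_CONFIG, ACCESS_APPS):
        print(line)
```

Run it against the real file by replacing `TUNNEL_CONFIG` with `yaml.safe_load(open("/etc/cloudflared/config.yml"))`; anything reported at `ERROR` level should block a restart of the service, since a hostname that reaches the ingress list before its Access application exists is live on the internet the moment DNS resolves.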
### Device Posture Checks
Posture checks are evaluated by the WARP client, so the administrator's device must have WARP installed and enrolled in your Zero Trust organization; a policy that requires posture denies any device without it.
1. Navigate to Zero Trust > Settings > WARP Client > Device posture checks
2. Configure device posture:
   - **OS version:** Require minimum OS version
   - **Disk encryption:** Require disk encryption
   - **Firewall:** Require firewall enabled
3. Reference the checks in the Access policy's **Require** block for the applications that need them
## WAF Configuration
### WAF Rules
WAF rules run at the edge before any request reaches the tunnel and complement Access rather than replace it: Access decides who may reach a hostname, the WAF discards abusive traffic regardless of identity.
1. Navigate to Security > WAF
2. Create rules (custom rules and rate limiting rules live under separate tabs):
**Rule 1: Block Scanner Noise** (Custom rules)
- **Expression:** `(http.request.uri.path contains "/wp-admin" or http.request.uri.path contains "/phpmyadmin")`
- **Action:** Block
**Rule 2: Rate Limiting** (Rate limiting rules; `rate()` is not a valid expression function, the threshold is configured in the rule's settings)
- **Expression (which requests to count):** `(http.host eq "wac.yourdomain.com")`
- **Characteristics:** IP address
- **Threshold:** 100 requests per 10 minutes (the selectable periods depend on your plan)
- **Action:** Managed Challenge (or Block)
**Rule 3: Geographic Restrictions** (Custom rules)
- **Expression:** `(ip.src.country ne "US" and ip.src.country ne "CA")` (`ip.src.country` replaces the deprecated `ip.geoip.country` field)
- **Action:** Block (if needed)
## Proxmox Tunnel Example
### Community Patterns
For exposing the Proxmox UI through Cloudflare Tunnel. The noVNC and xterm.js consoles use WebSockets, which the tunnel proxies without extra configuration; `httpHostHeader` makes Proxmox see the public hostname rather than the origin IP:
```yaml
# In config.yml
ingress:
  - hostname: proxmox.yourdomain.com
    service: https://10.10.60.10:8006
    originRequest:
      noHappyEyeballs: true
      tcpKeepAlive: 30s
      connectTimeout: 10s
      tlsTimeout: 10s
      keepAliveTimeout: 90s      # idle timeout for pooled origin connections (tcpKeepAliveTimeout is not a cloudflared option)
      httpHostHeader: proxmox.yourdomain.com
      # Proxmox's default certificate is self-signed: trust your CA bundle (placeholder path) or, as a last resort, set noTLSVerify: true
      caPool: /etc/cloudflared/internal-ca.pem
```
### Proxmox Certificate Considerations
- Proxmox uses a self-signed certificate by default
- Cloudflare terminates the public TLS session at its edge; the hop from cloudflared to Proxmox is a separate TLS session, and cloudflared verifies the origin certificate on that hop, so a self-signed certificate fails unless you supply `caPool` or set `noTLSVerify: true`
- The zone-level SSL/TLS encryption mode ("Full (strict)" and friends) applies to origins Cloudflare reaches directly over the internet; for tunnel origins, the `service` scheme and `originRequest` settings in `config.yml` determine how the origin connection is made
- Replacing the self-signed certificate with one from your internal CA (via the Proxmox certificate settings) and pointing `caPool` at that CA keeps origin verification on
## Monitoring
### Tunnel Status
```bash
# Check tunnel status
sudo systemctl status cloudflared
# View tunnel logs
sudo journalctl -u cloudflared -f
# Validate config.yml syntax and ingress ordering before restarting the service
cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate
# Show which ingress rule a given URL would match
cloudflared tunnel --config /etc/cloudflared/config.yml ingress rule https://wac.yourdomain.com
# Show the tunnel's active connections to the Cloudflare edge
cloudflared tunnel info <tunnel-id>
```
### Cloudflare Dashboard
- Navigate to Zero Trust > Networks > Tunnels (Access > Tunnels in older dashboards)
- View tunnel status and metrics
- Monitor connection health
- Review access logs under Zero Trust > Logs > Access, which show who authenticated to which application and which policy decided
## Troubleshooting
### Tunnel Not Connecting
**Problem:** Tunnel shows as disconnected
- **Solution:**
  - Check outbound connectivity from the VM to the Cloudflare edge on UDP/TCP 7844 (cloudflared falls back from QUIC to HTTP/2 over TCP if UDP is filtered, so allow both)
  - Verify the credentials file named in `config.yml` exists and is readable by the `cloudflared` service user
  - Check cloudflared service status
  - Review logs: `journalctl -u cloudflared`
### Services Not Accessible
**Problem:** Can't access services through Tunnel
- **Solution:**
  - Validate ingress rules with `cloudflared tunnel ingress validate`; rule order matters, the first match wins
  - Check service connectivity from the Tunnel VM, e.g. `curl -vk https://10.10.60.20/` for WAC
  - Look for origin TLS errors in the logs; self-signed origin certificates need `caPool` or `noTLSVerify`
  - Verify the hostname's DNS record is a proxied CNAME to the tunnel
  - Check Zero Trust policies: a denied request shows an Access block page, not a tunnel error
### Authentication Issues
**Problem:** SSO not working
- **Solution:**
  - Verify identity provider configuration (use the Test button under Zero Trust > Settings > Authentication)
  - Check that an Access application exists for the exact hostname and that its policy includes the user
  - Verify user email addresses match the claims the identity provider sends
  - Check MFA configuration
### Performance Issues
**Problem:** Slow performance through Tunnel
- **Solution:**
  - Check network latency
  - Verify originRequest settings (`connectTimeout`, `tcpKeepAlive`, `keepAliveTimeout`)
  - Consider using Cloudflare's Argo Smart Routing
  - Review WAF rules for false positives
## Security Best Practices
1. **Use Zero Trust Policies:**
   - Create an Access application for every public hostname in the ingress list; the tunnel authenticates nothing on its own
   - Enforce MFA for sensitive services and keep sessions short for administrative consoles
   - Use device posture checks
2. **WAF Rules:**
   - Enable WAF for all public endpoints
   - Configure rate limiting
   - Block known attack patterns
3. **Tunnel Security:**
   - Install cloudflared from Cloudflare's signed package repository, or pin and verify the release you download
   - Run cloudflared as a non-root user under a hardened systemd unit with auto-update disabled
   - Secure the credentials file and `cert.pem` (chmod 600, owned by the service user, never in version control)
   - Prefer `caPool` over `noTLSVerify` so cloudflared keeps verifying origin certificates
   - Monitor tunnel logs for anomalies
4. **Network Isolation:**
   - Keep Tunnel VM in DMZ (VLAN 99)
   - Use firewall rules to restrict access: from VLAN 99 allow only the origin IP:port pairs in the ingress list and outbound 7844/443 to Cloudflare, with no inbound rules at all
   - Only allow necessary ports
## Related Documentation
- [Complete Architecture](complete-architecture.md) - Full architecture overview
- [Network Topology](network-topology.md) - VLAN/IP schema
- [Bring-Up Checklist](bring-up-checklist.md) - Installation guide