proxmox/scripts/cloudflare-tunnels/CONFIGURE_ACCESS_EMAILS.md

# Configure Cloudflare Access Email Allowlist
## Overview
You can restrict access to your Proxmox UIs to specific email addresses using Cloudflare Access policies.
## Quick Setup
### Option 1: Interactive Script
```bash
cd /home/intlc/projects/proxmox/scripts/cloudflare-tunnels
./scripts/configure-access-policies.sh
```
The script will prompt you to enter email addresses one by one.
### Option 2: Command Line
```bash
cd /home/intlc/projects/proxmox/scripts/cloudflare-tunnels
./scripts/configure-access-policies.sh user1@example.com user2@example.com user3@example.com
```
### Option 3: Via Cloudflare Dashboard
1. Go to: **https://one.dash.cloudflare.com/**
2. Navigate: **Zero Trust** → **Access** → **Applications**
3. Click on each application:
   - Proxmox ml110-01
   - Proxmox r630-01
   - Proxmox r630-02
4. Click the **Policies** tab
5. Click **Add a policy**, or edit the existing policy
6. Set:
   - **Policy name**: "Allow Team Access"
   - **Action**: Allow
   - **Include**: Email → add each allowed email
   - **Require**: Email (for email verification)
7. Save
## What Gets Configured
The script configures policies that:
- ✅ **Allow** access (instead of block)
- ✅ **Include** specific email addresses
- ✅ **Require** email verification (MFA if enabled)
- ✅ Apply to all 3 Proxmox UIs
## Policy Structure
```json
{
  "name": "Allow Team Access",
  "decision": "allow",
  "include": [
    {"email": {"email": "user1@example.com"}},
    {"email": {"email": "user2@example.com"}}
  ],
  "require": [
    {"email": {}}
  ]
}
```
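As an added example (not the repository's `configure-access-policies.sh`), the POSIX shell helper below builds this policy object from a list of addresses, rejecting malformed entries and dropping duplicates before anything would be sent to Cloudflare; the email addresses used are constructed sample values.

```shell
# Added example, not the repository's configure-access-policies.sh: builds the
# "Allow Team Access" policy object from a list of emails, rejecting malformed
# or duplicate addresses before anything would be sent to Cloudflare.
set -eu

# Return 0 when $1 is a plausible allowlist entry: exactly one "@", a dot in
# the domain part, and no whitespace, quotes or backslashes (keeps JSON valid).
valid_email() {
  case "$1" in
    ""|*[[:space:]]*|*\"*|*\\*) return 1 ;;
    *@*@*|@*|*@) return 1 ;;
    *@*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the policy JSON for the given allowed emails; fails on bad input.
# Usage: build_policy user1@example.com user2@example.com
build_policy() {
  local include="" seen=" " e
  for e in "$@"; do
    valid_email "$e" || { echo "invalid email: $e" >&2; return 1; }
    case "$seen" in *" $e "*) continue ;; esac  # skip duplicates silently
    seen="$seen$e "
    include="${include:+$include,}{\"email\":{\"email\":\"$e\"}}"
  done
  [ -n "$include" ] || { echo "at least one email is required" >&2; return 1; }
  printf '{"name":"Allow Team Access","decision":"allow","include":[%s],"require":[{"email":{}}]}\n' \
    "$include"
}

# Count the include rules in a policy JSON string (a quick post-apply check).
count_included() {
  printf '%s' "$1" | grep -o '{"email":{"email":"' | wc -l | tr -d ' '
}

# Constructed sample input; the repeated address is dropped by build_policy.
demo_policy() {
  build_policy user1@example.com user2@example.com user1@example.com
}

demo_policy
```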
## Adding More Emails Later
### Via Script
```bash
./scripts/configure-access-policies.sh user1@example.com user2@example.com user3@example.com
```
### Via Dashboard
1. Go to Access → Applications → [App Name] → Policies
2. Edit the "Allow Team Access" policy
3. Add more emails to the Include section
4. Save
## Removing Access
### Via Dashboard
1. Go to Access → Applications → [App Name] → Policies
2. Edit the policy
3. Remove email from Include section
4. Save
## Advanced Options
You can also configure:
- **Groups**: Create email groups for easier management
- **Service tokens**: For programmatic access
- **Country restrictions**: Allow only specific countries
- **IP restrictions**: Allow only specific IP ranges
- **Device posture**: Require specific device checks
See `docs/CLOUDFLARE_ACCESS_SETUP.md` for more details.
## Verification
After configuring, test access:
1. Open https://ml110-01.d-bis.org in an incognito window
2. You should see the Cloudflare Access login page
3. Log in with an allowed email
4. You should be granted access
If you log in with an email that is not on the allowlist, access is denied.