proxmox/scripts/cloudflare-tunnels/DEPLOYMENT_SUMMARY.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


# Cloudflare Multi-Tunnel Deployment Summary
Complete implementation of Cloudflare Tunnel setup for Proxmox hosts with all recommended enhancements.
## ✅ What's Included
### 1. Separate Tunnels Per Host ✅
- `tunnel-ml110` → ml110-01.d-bis.org → 192.168.11.10:8006
- `tunnel-r630-01` → r630-01.d-bis.org → 192.168.11.11:8006
- `tunnel-r630-02` → r630-02.d-bis.org → 192.168.11.12:8006
### 2. Cloudflare Access Integration ✅
- Complete setup guide for SSO/MFA
- Step-by-step instructions
- Security best practices
### 3. Health Monitoring ✅
- Automated health checks
- Continuous monitoring script
- One-time health check utility
### 4. Alerting ✅
- Email notifications
- Webhook support (Slack, Discord, etc.)
- Configurable alert thresholds
### 5. Auto-Recovery ✅
- Automatic tunnel restart on failure
- Systemd service with restart policies
## 📁 File Structure
```
scripts/cloudflare-tunnels/
├── README.md                        # Main documentation
├── DEPLOYMENT_SUMMARY.md            # This file
├── configs/                         # Tunnel configurations
│   ├── tunnel-ml110.yml             # ml110-01 config
│   ├── tunnel-r630-01.yml           # r630-01 config
│   └── tunnel-r630-02.yml           # r630-02 config
├── systemd/                         # Systemd services
│   ├── cloudflared-ml110.service    # ml110 service
│   ├── cloudflared-r630-01.service  # r630-01 service
│   └── cloudflared-r630-02.service  # r630-02 service
├── scripts/                         # Management scripts
│   ├── setup-multi-tunnel.sh        # Main setup script
│   ├── install-tunnel.sh            # Install single tunnel
│   ├── monitor-tunnels.sh           # Continuous monitoring
│   ├── check-tunnel-health.sh       # Health check
│   ├── alert-tunnel-failure.sh      # Alerting
│   └── restart-tunnel.sh            # Restart utility
├── monitoring/                      # Monitoring configs
│   ├── health-check.conf            # Health check config
│   └── alerting.conf                # Alerting config
└── docs/                            # Documentation
    ├── CLOUDFLARE_ACCESS_SETUP.md   # Access setup guide
    ├── TROUBLESHOOTING.md           # Troubleshooting
    └── MONITORING_GUIDE.md          # Monitoring guide
```
## 🚀 Quick Start
### Step 1: Create Tunnels in Cloudflare
1. Go to Cloudflare Zero Trust → Networks → Tunnels
2. Create three tunnels:
   - `tunnel-ml110`
   - `tunnel-r630-01`
   - `tunnel-r630-02`
3. Copy tunnel tokens/credentials
### Step 2: Run Setup Script
```bash
cd scripts/cloudflare-tunnels
./scripts/setup-multi-tunnel.sh
```
The script will:
- Install cloudflared (if needed)
- Copy configuration files
- Install systemd services
- Prompt for tunnel credentials
### Step 3: Configure DNS Records
In Cloudflare Dashboard → DNS → Records:
| Type | Name | Target | Proxy |
|------|------|--------|-------|
| CNAME | `ml110-01` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
| CNAME | `r630-01` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
| CNAME | `r630-02` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
### Step 4: Configure Cloudflare Access
Follow the guide: `docs/CLOUDFLARE_ACCESS_SETUP.md`
### Step 5: Start Monitoring
```bash
# One-time health check
./scripts/check-tunnel-health.sh
# Continuous monitoring (daemon)
./scripts/monitor-tunnels.sh --daemon
```
## 📋 Pre-Deployment Checklist
Before running setup:
- [ ] Cloudflare account with Zero Trust enabled
- [ ] Domain `d-bis.org` managed by Cloudflare
- [ ] VMID 102 exists and is running
- [ ] Network connectivity from VMID 102 to Proxmox hosts verified
- [ ] Tunnels created in Cloudflare dashboard
- [ ] Tunnel tokens/credentials ready
## 🔧 Configuration
### Tunnel Configuration Files
Each tunnel has its own config file in `configs/`:
- `tunnel-ml110.yml` - ml110-01 configuration
- `tunnel-r630-01.yml` - r630-01 configuration
- `tunnel-r630-02.yml` - r630-02 configuration
**Before use:**
1. Replace `<TUNNEL_ID_*>` with actual tunnel IDs
2. Ensure credentials files are in `/etc/cloudflared/`
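Both steps above are easy to get half right, so here is a pre-flight validator as an added example (not one of the repository's scripts): it rejects a config that still carries a `<TUNNEL_ID_*>` placeholder, whose credentials file is outside `/etc/cloudflared/`, missing, or readable by other local users, or whose ingress list lacks the catch-all rule, and it flags `noTLSVerify`. The script name and the `CLOUDFLARED_DIR` override are assumptions.

```bash
# Added example, not one of the repository's own scripts: pre-flight check of a
# cloudflared tunnel config before its systemd unit is enabled. Assumes the usual
# cloudflared keys (tunnel:, credentials-file:, ingress: ... service:) and that
# credentials live in CLOUDFLARED_DIR (default taken from this summary).
CLOUDFLARED_DIR="${CLOUDFLARED_DIR:-/etc/cloudflared}"
# validate_tunnel_config <config.yml>: returns 0 when deployable, 1 otherwise.
# Every finding goes to stderr so a single run reports all of them.
validate_tunnel_config() {
    local cfg="$1" problems=0 cred last
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg" >&2; return 1; }
    # "Before use" step 1: no <TUNNEL_ID_*> placeholder may survive.
    if grep -q '<TUNNEL_ID_' "$cfg"; then
        echo "ERROR: $cfg: unreplaced <TUNNEL_ID_*> placeholder" >&2; problems=$((problems + 1))
    fi
    # Tunnel IDs are UUIDs; anything else is a copy/paste mistake.
    if ! grep -Eq '^tunnel:[[:space:]]*[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}[[:space:]]*$' "$cfg"; then
        echo "ERROR: $cfg: 'tunnel:' is not a tunnel UUID" >&2; problems=$((problems + 1))
    fi
    # Step 2: the credentials file is the tunnel's long-lived secret; it must sit
    # in CLOUDFLARED_DIR, exist, and be unreadable to group/other (mode 0600).
    cred=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$cfg" | head -n 1)
    case "$cred" in
        "$CLOUDFLARED_DIR"/*.json) ;;
        *) echo "ERROR: $cfg: credentials-file '$cred' is not under $CLOUDFLARED_DIR/" >&2
           problems=$((problems + 1)) ;;
    esac
    if [ -f "$cred" ]; then
        if [ -n "$(find "$cred" -maxdepth 0 -perm /077)" ]; then
            echo "ERROR: $cred is group/world readable; fix with: chmod 600 $cred" >&2
            problems=$((problems + 1))
        fi
    elif [ -n "$cred" ]; then
        echo "ERROR: credentials file $cred does not exist" >&2; problems=$((problems + 1))
    fi
    # cloudflared needs a final catch-all rule; http_status:404 also keeps requests
    # for unknown hostnames from ever reaching an origin.
    last=$(sed -n 's/^[[:space:]]*-*[[:space:]]*service:[[:space:]]*//p' "$cfg" | tail -n 1)
    if [ "$last" != "http_status:404" ]; then
        echo "ERROR: $cfg: last ingress rule must be 'service: http_status:404'" >&2
        problems=$((problems + 1))
    fi
    # Self-signed Proxmox certs need noTLSVerify; surface it: that hop skips origin cert checks.
    grep -q 'noTLSVerify:[[:space:]]*true' "$cfg" &&
        echo "WARN: $cfg: noTLSVerify is enabled; origin certificate is not checked" >&2
    [ "$problems" -eq 0 ]
}
# Usage: ./preflight-tunnel-config.sh configs/tunnel-*.yml
rc=0; for cfg in "$@"; do validate_tunnel_config "$cfg" || rc=1; done
[ "$#" -eq 0 ] || exit "$rc"
```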
### Systemd Services
Each tunnel runs as a separate systemd service:
- `cloudflared-ml110.service`
- `cloudflared-r630-01.service`
- `cloudflared-r630-02.service`
**Features:**
- Auto-restart on failure
- Security hardening
- Resource limits
- Proper logging
## 🔒 Security Features
### Cloudflare Access
- ✅ SSO/MFA protection
- ✅ Device posture checks
- ✅ IP allowlisting
- ✅ Country blocking
- ✅ Session management
### Tunnel Security
- ✅ Separate tunnels per host (isolation)
- ✅ Encrypted connections
- ✅ No exposed ports on gateway
- ✅ Self-signed cert handling
## 📊 Monitoring
### Health Checks
Run comprehensive health checks:
```bash
./scripts/check-tunnel-health.sh
```
Checks:
- Service status
- DNS resolution
- HTTPS connectivity
- Internal connectivity
- Log errors
### Continuous Monitoring
Run continuous monitoring:
```bash
./scripts/monitor-tunnels.sh --daemon
```
Features:
- Automatic health checks
- Auto-restart on failure
- Alerting on failures
- Logging to file
## 🚨 Alerting
### Configure Alerts
Edit `monitoring/alerting.conf`:
```bash
ALERT_EMAIL="admin@yourdomain.com"
ALERT_WEBHOOK_URL="https://hooks.slack.com/..."
```
### Test Alerts
```bash
./scripts/alert-tunnel-failure.sh ml110 service_down
```
## 📚 Documentation
- **README.md** - Main documentation
- **CLOUDFLARE_ACCESS_SETUP.md** - Complete Access setup guide
- **TROUBLESHOOTING.md** - Common issues and solutions
- **MONITORING_GUIDE.md** - Monitoring setup and usage
## 🛠️ Management Commands
### Start/Stop Services
```bash
# Start all tunnels
systemctl start cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02
# Stop all tunnels
systemctl stop cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02
# Restart specific tunnel
./scripts/restart-tunnel.sh ml110
```
### Check Status
```bash
# All tunnels (quote the pattern so the shell does not expand it against local files)
systemctl status 'cloudflared-*'
# Specific tunnel
systemctl status cloudflared-ml110
# Health check
./scripts/check-tunnel-health.sh
```
### View Logs
```bash
# All tunnels (quote the pattern so the shell does not expand it against local files)
journalctl -u 'cloudflared-*' -f
# Specific tunnel
journalctl -u cloudflared-ml110 -f
# Last 100 lines
journalctl -u cloudflared-ml110 -n 100
```
## ✅ Verification
After deployment, verify:
1. **DNS Resolution:**
   ```bash
   dig ml110-01.d-bis.org
   dig r630-01.d-bis.org
   dig r630-02.d-bis.org
   ```
2. **Service Status:**
   ```bash
   systemctl status 'cloudflared-*'
   ```
3. **HTTPS Access:**
   ```bash
   curl -I https://ml110-01.d-bis.org
   ```
4. **Cloudflare Access:**
   - Open browser
   - Navigate to `https://ml110-01.d-bis.org`
   - Should see Cloudflare Access login
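Step 4 is the one check that proves the Access policy really sits in front of Proxmox, so here it is from the command line as an added example (not one of the repository's scripts): an unauthenticated request to a protected hostname must be redirected to the team's `cloudflareaccess.com` login page, while a `200` from the Proxmox UI means the policy is missing or bypassed. The script name and the sample headers are constructed assumptions.

```bash
# Added example, not one of the repository's own scripts: confirm that Cloudflare
# Access really fronts each hostname. An unauthenticated request to a protected
# app is redirected (302) to the team's *.cloudflareaccess.com login page; a 200
# straight from the Proxmox UI means the policy is missing or being bypassed.

# classify_access_response: raw response headers on stdin (as from curl -sI).
# Prints: access-enforced | origin-exposed | unexpected:<detail>
classify_access_response() {
    local hdrs status location lhost
    hdrs=$(tr -d '\r')                                   # HTTP headers end in CRLF
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" {print $2}')
    # Compare only the host part of Location: a glob such as *cloudflareaccess.com*
    # would also accept https://lookalike.example/cloudflareaccess.com/...
    lhost=${location#http*://}; lhost=${lhost%%/*}
    case "$status" in
        302|303|307)
            case "$lhost" in
                *.cloudflareaccess.com) echo access-enforced ;;
                *) echo "unexpected:redirect-to-${lhost:-nowhere}" ;;
            esac ;;
        200) echo origin-exposed ;;     # origin answered without an Access login
        *)   echo "unexpected:${status:-no-response}" ;;
    esac
}

# check_access_enforced <hostname>: live check; succeeds only when the
# unauthenticated request lands on the Access login page.
check_access_enforced() {
    local verdict
    verdict=$(curl -sI --max-time 10 "https://$1/" | classify_access_response)
    echo "$1: $verdict"
    [ "$verdict" = access-enforced ]
}

# Usage: ./check-access-enforced.sh ml110-01.d-bis.org r630-01.d-bis.org r630-02.d-bis.org
rc=0
for host in "$@"; do check_access_enforced "$host" || rc=1; done
[ "$#" -eq 0 ] || exit "$rc"
```

Run it against all three hostnames after every Access policy change; anything other than `access-enforced` is a finding to investigate before the tunnel stays in service.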
## 🎯 Next Steps
After deployment:
1. ✅ Configure Cloudflare Access (see `docs/CLOUDFLARE_ACCESS_SETUP.md`)
2. ✅ Set up monitoring (see `docs/MONITORING_GUIDE.md`)
3. ✅ Configure alerting (edit `monitoring/alerting.conf`)
4. ✅ Test all three Proxmox hosts
5. ✅ Review access logs regularly
## 📞 Support
For issues:
1. Check [Troubleshooting Guide](docs/TROUBLESHOOTING.md)
2. Run health check: `./scripts/check-tunnel-health.sh`
3. Review logs: `journalctl -u 'cloudflared-*'`
4. Check Cloudflare dashboard for tunnel status
## 🎉 Summary
This implementation provides:
- **Separate tunnels per host** - Better isolation
- **Cloudflare Access** - SSO/MFA protection
- **Health monitoring** - Automated checks
- **Alerting** - Email/webhook notifications
- **Auto-recovery** - Automatic restart on failure
- **Complete documentation** - Setup and troubleshooting guides
All recommended enhancements are included and ready to use!