Cloudflare Access
What is Cloudflare Access
Cloudflare Access is a secure, cloud-based zero-trust solution for managing and authenticating user access to internal applications and resources.
Preparation
The following placeholders will be used:
mysubdomain.cloudflareaccess.company
is the FQDN of your Cloudflare Access subdomain.authentik.company
is the FQDN of the authentik install.
To proceed, you need to register for a free Cloudflare Access account and have both a Cloudflare account and a publicly accessible authentik instance with a trusted SSL certificate.
authentik configuration
Step 1: Log in to authentik
- Log in to your authentik instance.
- Click Admin interface.
Step 2: Create a new authentication provider
- Under Application, click Providers and create a new provider.
- Choose OAuth2/OpenID Provider and then click Next.
- Set the authorization flow to Authorize Application (
default-provider-authorization-explicit-consent
). - Set the client type to Confidential.
- Set the redirect URI to
https://mysubdomain.cloudflareaccess.company/cdn-cgi/access/callback
. - Ensure that the signing key is set to Authentik Self-signed Certificate.
- Click Finish to create the provider.
Step 3: Create a new application
- Create a new application and give it a name.
- Set the provider to the one you just created.
- Ensure that the Policy engine mode is set to ANY, any policy must match to grant access.
- Click Create and then navigate to your Cloudflare Access dashboard.
Cloudflare Access configuration
Step 4: Configure Cloudflare Access
- Go to the Cloudflare One dashboard.
- Click Settings at the bottom of the menu, then select Authentication.
Step 5: Add a login method
- From Login methods click Add and select OpenID Connect"
- Enter a name for your login method. This can be anything.
- Copy the following details from the authentik provider settings you previously created and paste them into the text boxes:
- Client ID -> App ID
- Client Secret -> Client Secret
- Authorize URL -> Auth URL
- Token URL -> Token URL
- JWKS URL -> Certificate URL
- Click Save.
- Click Test to verify your login provider.