Guide to Securing Self-Hosted Applications with Cloudflare Zero Trust
This guide is a result of my search for the best and most secure solution for self-hosted applications, such as Jellyfin, FreePBX and anything else you want to be able to access from the web without exposing your personal IP. While it may not be the ultimate solution, it should be more than sufficient for non-critical applications. It is a great alternative to ngrok or localtunnel. If you are new to this type of thing and are interested in self-hosting apps like your own web server, music library, or Google Drive alternatives, I highly recommend starting with a Raspberry Pi or Orange Pi (my personal favorite, it’s a powerhouse). If you are on a budget, then I can’t recommend the Raspberry Pi 4 Model B with 4GB RAM enough.
We’ll be using Cloudflare Zero Trust, which is available for free with a Cloudflare account. Note that this solution works seamlessly if your domain is registered via Cloudflare. Others work, just make sure your DNS for the domain is hosted with Cloudflare.
Understanding Cloudflare Zero Trust
Let’s break down the key components used in this guide: Zero Trust Tunnel and Zero Trust Application Access.
Zero Trust Tunnel acts as a site-to-site VPN between your network and Cloudflare Zero Trust servers. It allows Cloudflare to access your local resources via a local IP address, resolve them, and assign them a public IP. Essentially, it routes all traffic through Cloudflare’s public IPv4 and IPv6 addresses via their proxy to your designated local IPv4 addresses. If you perform an nslookup on your hostname, you’ll only see Cloudflare’s IP ranges.
Zero Trust Application Access secures access to your applications by enforcing authentication through Cloudflare-hosted pages before allowing access to your service’s login screen.
Steps for Setting Up a Zero Trust Tunnel
Navigate to Zero Trust Tunnels:
- Go to your Cloudflare Dashboard.
- Select Zero Trust -> Networks -> Tunnels.
- Follow the detailed instructions to install and connect the cloudflared daemon, which acts as a connector to your home network. If you use virtualization like Proxmox, consider setting up a small VM/CT to act as your connector.
Configure the Tunnel:
- Add Public Hostnames and local IP addresses of your services.
- Important Caveats:
- Select HTTP, not HTTPS. Cloudflare Zero Trust adds its own SSL/TLS reverse proxy.
- Change the default port from 80 to another port. Cloudflare doesn’t add its own SSL/TLS if your service is on port 80.
Now you can access your services from outside using the hostnames you set up. However, this setup is still not secure enough. Anyone can access your services if they know the URL. To enhance security, we’ll use Cloudflare Zero Trust Access. While this is optional, it will potentially save you a lot of grief if you plan on using this permanently.
Cloudflare Zero Trust Access
Cloudflare Zero Trust Access is a powerful tool that redirects users to a Cloudflare-hosted authentication page before granting access to your services. By default, it uses OTP authentication via email, but it offers multiple levels of authentication:
- Multiple Authentication Methods: OTP, login via various sites (Facebook, GitHub, LinkedIn), OAuth2 (Google, Azure, Google Workspaces), OneLogin, OpenID, with timeout options from 1 minute to 1 month.
- Restrictions: Based on email address, geolocation, IP range, service token.
- Justification Requirement: Users must state why they need access, with manual review and approval.
- WARP Requirement: Users must use Cloudflare’s WARP VPN, with additional policies and restrictions.
- WARP Client Restrictions: Such as encrypted hard drive, specific file presence, and WARP login status.
For our purposes, OTP with email restrictions should suffice. Here’s a simplified setup process:
Create a New Application:
- Select self-hosted.
- Add domains from your Tunnel Public Hostnames.
- Set up policies: Include – Everyone, Require – Emails – your email only.
Reconfigure Each Hostname:
- Go back to Tunnels.
- Enable Access and select the Application you just created.
Now, when you enter your service URL, you’ll be redirected to the Cloudflare Access page, requiring email authentication. Only your specified email will receive the OTP code.
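Defence in depth for the Access step above, as an added example that is not part of this guide or of cloudflared: Cloudflare forwards the authenticated identity to your origin as a signed JWT in the Cf-Access-Jwt-Assertion header, and an origin that checks it serves only requests that actually passed the Access login, even if the service is also reachable some other way (a forgotten port forward, another host on the LAN). The Go program below goes a little beyond the guide and performs that check with only the standard library: RS256 signature against the team's published keys, then issuer, expiry and the application's AUD tag. So that it runs offline it generates a throwaway RSA key standing in for Cloudflare's signing key and mints its own tokens; in production the public keys come from https://<team>.cloudflareaccess.com/cdn-cgi/access/certs. The team domain, kid, AUD tag and email address are made-up placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

type jwk struct{ Kid, Kty, N, E string } // one key as served by https://<team>.cloudflareaccess.com/cdn-cgi/access/certs

// claims is the subset of the Access token this check needs.
type claims struct { Aud []string `json:"aud"`; Email string `json:"email"`; Exp int64 `json:"exp"`; Iss string `json:"iss"` }

// VerifyAccessJWT is the check an origin runs on the Cf-Access-Jwt-Assertion header: RS256
// signature against the team's published keys, then issuer, expiry and audience (the AUD tag).
func VerifyAccessJWT(token string, keys []jwk, teamDomain, audTag string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return "", errors.New("bad base64url segment")
		}
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected header") // the token never gets to pick a weaker alg
	}
	var pub *rsa.PublicKey // the published key the token names via kid, rebuilt from JWK n and e
	for _, k := range keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return "", errors.New("unknown kid or bad signature")
	}
	var cl claims
	if json.Unmarshal(raw[1], &cl) != nil || cl.Iss != "https://"+teamDomain {
		return "", errors.New("bad claims or wrong issuer")
	}
	if !now.Before(time.Unix(cl.Exp, 0)) {
		return "", errors.New("token expired")
	}
	for _, a := range cl.Aud {
		if a == audTag {
			return cl.Email, nil
		}
	}
	return "", errors.New("wrong audience")
}

// signToken stands in for Cloudflare's signer so the demo runs offline.
func signToken(priv *rsa.PrivateKey, kid string, cl claims) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(cl)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

// Demo mints constructed tokens and reports which ones the origin accepts (nil error = accepted).
// Team domain, kid, AUD tag and email are placeholders, not real values.
func Demo() map[string]error {
	team, aud, kid := "example-team.cloudflareaccess.com", "constructed-aud-tag", "constructed-kid"
	now := time.Unix(1_700_000_000, 0)
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // a signer that lacks the team's private key
	keys := []jwk{{Kid: kid, Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	good := claims{Aud: []string{aud}, Email: "me@example.com", Exp: now.Unix() + 600, Iss: "https://" + team}
	expired, other := good, good
	expired.Exp, other.Aud = now.Unix()-1, []string{"aud-tag-of-a-different-app"}
	out := make(map[string]error)
	for name, tok := range map[string]string{"valid": signToken(priv, kid, good), "expired": signToken(priv, kid, expired),
		"other-app": signToken(priv, kid, other), "forged": signToken(rogue, kid, good)} {
		_, out[name] = VerifyAccessJWT(tok, keys, team, aud, now)
	}
	return out
}

func main() { fmt.Println(Demo()) }
```

Only the "valid" token comes back with a nil error; the expired one, the one minted for a different application's AUD tag and the one signed by a key the team never published are all refused. Wiring VerifyAccessJWT into the service's request handling (rejecting any request whose header fails it) means the application itself never trusts a bare URL, whichever path the request took to reach it.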
By following these steps, you can significantly enhance the security of your self-hosted applications using Cloudflare Zero Trust.
Please let me know if you have issues or need some advice!