Cloudflare Access

Back in January 2018, Cloudflare introduced a new service, Cloudflare Access. As is their generous habit with many of their features, CF even made it available on the free tier. CF describes Access as “a perimeter-less access control solution for cloud and on-premise applications”. Basically, Access lets me host internal applications on the Internet while Cloudflare’s edge handles authentication, authorization and encryption before a request reaches my server. For the end user, it works much like two-factor authentication, except that all of it happens on Cloudflare’s servers.

An example… Suppose I decide to host a suite of internal applications on my site. The apps will reside on the Internet, but will only be accessible by a select group of authorized users.

I log into Cloudflare and click over to the Access tab. I make sure I choose the Access Basic plan (a maximum of 5 users), which is free.

On the next screen, I accept the default Login Page Domain. I select One-Time PIN as the login method. I customize my login page, adding the URL of my preferred logo.

I note the warning message “To secure your origin, you must also enable Argo Tunnel or limit connections to your origin to allow only Cloudflare IPs and verify the JWT”. OK, well, I’m not going to pay for Argo. I can allow only Cloudflare IPs, but the JWT business is a bit beyond me – and I gotta admit I don’t know what the ramifications are, if any.

Next, I click ‘Create Access Policy’. I’ll use ‘WPPOV Internal Apps’ as the Application Name. The Application Domain in this example is wppov.com/internal-apps. I’ll leave Session Duration at the default of 24 hours. I carefully enter the emails of all users for whom I want to provide access, replacing the example emails shown.

And … JWT or no JWT, it seems to work. Now when I enter the URL wppov.com/internal-apps, I get the expected send-me-a-code screen.

I enter an authorized email address to have a login code sent to me. I then enter the login code and get access to the secure internal applications.
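The JWT that the earlier warning refers to is the token Access puts in the Cf-Access-Jwt-Assertion header on every request it forwards; if the origin neither verifies it nor limits connections to Cloudflare IPs, a request sent straight to the origin’s address skips the send-me-a-code screen entirely. Below is an added example, not code from this post or from Cloudflare, that performs that check in Go; it assumes the RS256 public key has already been fetched from the team’s /cdn-cgi/access/certs endpoint, that the audience tag is the one shown on the Access policy, and that MintToken merely stands in for the issuer so the check can be exercised offline.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// AccessClaims are the fields of Cf-Access-Jwt-Assertion an origin must check.
type AccessClaims struct {
	Aud   []string `json:"aud"`   // audience tag(s) of the Access application (an array)
	Iss   string   `json:"iss"`   // https://<team>.cloudflareaccess.com
	Exp   int64    `json:"exp"`   // expiry, unix seconds
	Email string   `json:"email"` // identity that passed the one-time-PIN login
}
var b64 = base64.RawURLEncoding
// VerifyAccessJWT returns the email only when the RS256 signature, issuer, audience and expiry check out.
func VerifyAccessJWT(token string, pub *rsa.PublicKey, wantAud, wantIss string, now int64) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", errors.New("malformed token")
	}
	sig, err := b64.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // RS256 is fixed; the header's alg is never trusted
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature") // not minted with the issuer's key from /cdn-cgi/access/certs
	}
	var c AccessClaims
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return "", errors.New("malformed claims")
	}
	audOK := false
	for _, a := range c.Aud { audOK = audOK || a == wantAud }
	if !audOK || c.Iss != wantIss || c.Exp <= now {
		return "", errors.New("issuer, audience or expiry mismatch")
	}
	return c.Email, nil
}

// MintToken stands in for the Access issuer (constructed helper, for offline exercise only).
func MintToken(priv *rsa.PrivateKey, c AccessClaims) string {
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}
```

In production the public key is selected by the kid in the token header from the certs endpoint and refreshed periodically; a request whose token fails any of these checks should get a 403 rather than the application.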
