Setup Cloudflare Access

So this is a neat feature where I can expose web services externally, but hidden and protected by Cloudflare. I’m thinking I want to expose my Evernote replacement Bookstack/Confluence (still not decided yet on which). This is where I keep information which contains confidential stuff like passwords and the like. Previously I’ve kept those in Evernote, but I want to move away from that platform to something more open or at least something which keeps evolving.

So I’m hosting both an Atlassian Confluence instance as well as a Bookstack instance. In this writeup, I’m exposing my Bookstack via Cloudflare Access.

I’m securing my local origin using IP restrictions from Cloudflare to only port-forward requests originating from the Cloudflare CDN. These requests hit my Traefik reverse proxy, which forwards the traffic to whatever Docker instance is serving Bookstack.
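One way to check that the IP restriction above actually holds, as an added example that is not part of the original post: it scans reverse-proxy log lines for requests whose peer address is outside Cloudflare's ranges. The log format and sample lines are constructed for illustration, and the range list is a subset of what Cloudflare publishes at https://www.cloudflare.com/ips-v4.

```python
import ipaddress

# Subset of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4
# (assumption: load the full, current list from there in real use).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
]
NETWORKS = [ipaddress.ip_network(c) for c in CLOUDFLARE_V4]

# Constructed sample lines in a hypothetical format: "<peer> <method> <path> <status>".
# The peer is the TCP source address seen by the proxy, not a forwarded header.
SAMPLE_LOG = """\
162.158.90.12 GET /login 200
203.0.113.45 GET /login 200
172.68.10.7 GET /books 200
not-an-ip GET / 400
198.51.100.9 POST /login 302
"""


def from_cloudflare(peer):
    """True if peer is inside one of the allowed ranges; unparsable input is False."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    return any(addr in net for net in NETWORKS)


def direct_hits(log_text):
    """Return (peer, request) pairs for lines whose peer is not a Cloudflare address."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer, _, rest = line.partition(" ")
        if not from_cloudflare(peer):
            hits.append((peer, rest))
    return hits


if __name__ == "__main__":
    for peer, request in direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin: {peer} {request}")
```

Any line this reports means a request reached the proxy without passing through Cloudflare, so the port-forward or firewall rule is wider than intended.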

Setup Cloudflare Access

This is basically the public login URL that hosts the options for authenticating the user. I consider this my base IDP, thus the name. This page will display whatever authentication options are available whenever the user hits one of my protected sites.

Setting up GitHub OAuth flow

I’m using the GitHub OAuth provider to protect access to my sites. I set up the consent in GitHub like this.

OAuth keys

These OAuth keys need to be copied to the Cloudflare integration settings with GitHub.

Adding GitHub as identity provider to Cloudflare

The keys from GitHub are provided here.

In action

When I don’t have a valid session, I’m prompted to authenticate with whatever identity provider I’ve configured, in this case GitHub only.

Provide valid credentials for any GitHub account

Authorization policies

Create authorization policies to control who gets access once they have authenticated successfully. In this case, you need to be a member of the “emryl” organization to be authorized.

Message when not being authorized