Cloudflare Access
Hey, has anyone played with getting Cloudflare Access working with the Coder CLI? I think it's an incredibly helpful use case as it allows us to keep the coder service behind something like an Argo Tunnel and protect the underlying server while having a publicly accessible domain. Accessing the website in the browser obviously works fine but I think it may be a limitation of the CLI app that would likely need special support in order to deal with access auth. Would this be a feature worth considering in this case? Thanks!
20 Replies
Hey, Rover. How would you imagine this experience working? We could add configuration that allows for custom headers to API requests, then you could do something like this:
https://developers.cloudflare.com/cloudflare-one/tutorials/cli/
I think that could be really handy honestly, just some way of interacting with it behind Cloudflare Access. So yeah, if there was a way of setting custom HTTP headers that'd be incredibly handy. I'd be willing to contribute a wiki page explaining the process if this was implemented too, guiding others for the same (or similar) use case.
Are you aware of any other products that similarly expose the ability to add custom headers? I'd like to follow the prior-art if possible!
Unfortunately not, but I'll give it a quick google to see if there is
I mean a potential suggestion could be to take the headers at the call to coder login then store the headers with the auth credentials, however it is that is currently being done?
so you could be looking at something along the lines of coder login https://localhost --headers "cf-access-token: <TOKEN>"
I don't mind something like that. I'm nervous to do this without prior art, just because I want to get a better understanding as to why it is non-standard. Any thoughts here @maf ?
I think it's because they have to log-in with CF access to actually access the website
@Phorcys yup, but they'd still need that access token in a header for all CLI API requests.
yeah, maybe it needs to persist too then
hmm
the other potential pain point is token retention, it's quite likely that every 24hrs the header will need to be changed. Obviously though this is more of a thing you just kinda take on the chin with this kind of configuration but it might be handy to have a way to update this header too
I don't see any immediate problems with exposing manual headers, although we might not want to tie it in with login (considering Cloudflare Access token lifetimes are unrelated to Coder login session). If we don't want to expose custom HTTP headers (yet), we could add support for Cloudflare Access explicitly (e.g. CF_ACCESS_TOKEN).
I don't know if it's implemented in CF Access, but another option would be to set a proxy for Coder and the proxy would take care of adding the headers. But if there's nothing like that built for CF Access then it's a bit of a nuisance.
yeah, but then you proxy a proxy to bypass the need of it
p sure it could cause security issues
I think cloudflare access built-in would be the best solution, like, when you do a request, if it detects that cf access is asking you to login then prompt the user
I was thinking more along the lines you run the CF Access injector proxy locally, and route coder through that, but yea, moving it off-machine would def. be weird.
hmm yeah why not, extra setup tho
Looks like vault landed custom header functionality for this exact reason awhile back: https://github.com/hashicorp/vault/pull/12508
GitHub
CLI: add new -header option to be able to add headers to all cli ht...
This PR adds a new option to the vault cli: -header which can be specified multiple times. All the parameters specified like that will be added to HTTP headers for all requests.
For example, it will ...
I think the scope of fully supporting Cloudflare Access as a first class citizen (to the point of detecting login is needed) is a bit too large for now. We'd want to see more use among our users before doing that.
Yeah, I think customising headers might be a more agnostic way of doing this anyway, it'd offer flexibility for other possible edge cases like this one too
Just catching up on this... is there currently a way to do this in the CLI with headers, or is that a feature we'd need to do?
@Ben Currently not possible, we could add the --header flag like in the vault PR I linked above. It's a pretty minimal change that would allow us to support CFA.
Ahh awesome. I'll get an issue going
GitHub
Support --header for CLI commands to support CloudFlare Access or...
Problem statement We had a request from Discord to add this in order to support using the CLI when Coder is hosted under CloudFlare access. Vault did something similar: hashicorp/vault#12508 Defini...
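A sketch of the custom-header approach the thread settles on, added here as an example; it is not part of the thread and not Coder's or Vault's code. It parses repeated "Name: value" flag values (the form suggested in the thread) and attaches them only to HTTPS requests for the configured host, because a Go RoundTripper is invoked on every redirect hop and would otherwise forward the Access token to other origins. ParseHeaders, HeaderTransport, Apply, the hostnames and the token value are all hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ParseHeaders parses repeated "Name: value" flag values, rejecting CR/LF injection.
func ParseHeaders(raw []string) (http.Header, error) {
	h := http.Header{}
	for i, kv := range raw {
		name, value, ok := strings.Cut(kv, ":")
		if name = strings.TrimSpace(name); !ok || name == "" || strings.ContainsAny(kv, "\r\n") {
			return nil, fmt.Errorf("header #%d: want \"Name: value\"", i+1) // never echo the value
		}
		h.Add(name, strings.TrimSpace(value))
	}
	return h, nil
}

// HeaderTransport (hypothetical) injects Extra into requests for https://Host only.
type HeaderTransport struct {
	Host  string
	Extra http.Header
	Base  http.RoundTripper
}

// Apply returns a clone carrying Extra for https://Host; any other origin gets req unchanged.
func (t *HeaderTransport) Apply(req *http.Request) *http.Request {
	if req.URL.Scheme != "https" || !strings.EqualFold(req.URL.Host, t.Host) {
		return req
	}
	out := req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	for k, vs := range t.Extra {
		out.Header[k] = append([]string(nil), vs...)
	}
	return out
}

func (t *HeaderTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	return t.Base.RoundTrip(t.Apply(req))
}

func main() {
	h, _ := ParseHeaders([]string{"cf-access-token: EXAMPLE-TOKEN"}) // constructed value
	t := &HeaderTransport{Host: "coder.example.com", Extra: h, Base: http.DefaultTransport}
	req, _ := http.NewRequest("GET", "https://other.example.net/", nil)
	fmt.Println("sent off-origin:", t.Apply(req).Header.Get("Cf-Access-Token") != "")
}
```

Because the headers live on the transport rather than in the stored login session, a token that expires after a day can be replaced without logging in to Coder again.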