Trying to figure out how to set policies in Zero Trust Tunnels
I want to make three sets of rules/policies that I can choose, depending on what part of my network it is
- Level 1, Personal
- Only Germany can access that Page, and only with a Password
- Level 2, Restricted
- German- and English-Speaking Countries allowed, Password Protected
- Level 3, Public
- German- and English-Speaking Countries allowed, no Password
I don't wanna use One Time Password. Just a regular password or even credentials
27 Replies
ZT doesn't support passwords or credentials directly. Can only use OTP or login/auth providers like Google/GitHub/etc
Also it has no idea what languages countries speak/can't filter on that
Every successful login is a user as well (and you only have 50). For 3, you probably would want to use normal WAF and not Zero Trust
So I can't just set up credentials?
Correct sorry my first message was vague, edited
Is there something simpler so that I can log in without requiring Google and stuff?
Potentially with a Worker or something else but nothing in Zero Trust itself
Can you help me figure this out?
I got a few services online that I want only accessible to me, but some, like game servers, accessible to all
except Chinese, and the likes, to avoid data crawlers
You can do Github or Google logins for free (https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/google/), https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/github/, it just takes a bit of setup, but is super secure and you can use 2fa/etc if enabled in them
Can I decide that only my Google works?
Personally I use Google/Github login for anything secure. Don't need to worry about country restrictions/wouldn't help in that case. It gets more complex if you want to share access easily with other people since you can't just do a password or anything
Yep! Just your email/google acct
Okay, so let's start with Google. What do I fill out in these things?
That's what makes it so nice. Zero Trust handles it all for you, and the only requests that get to your origin are authorized through your policy
email claim and stuff
If you want to use Google follow this guide here: https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/google/
and with a policy you would just do "Emails" selector
Thing is, in the access policy for my tunnels, I had options like include, exclude and stuff
and it talked about pwd authorization
applications
Anything you see in an access policy is just forcing specific things on the Identity Providers, like Google, that you configure
oooh.
so this is valid?
what does this do?
It would require the identity provider to pass that check
When users authenticate with their identity provider, the identity provider then shares their username with Cloudflare Access. Cloudflare Access then writes that value into the JSON Web Token (JWT) generated for the user. Certain identity providers can also share the multifactor authentication (MFA) method presented by the user to login. Cloudflare Access can add these values into the JWT and force. For example, if the user authenticated with their password and a physical hard key, the identity provider can send a confirmation to Cloudflare Access. Cloudflare Access then stores that method into the same JWT issued to the user. Cloudflare Access follows RFC 8176, Authentication Method Reference Values, to define authentication methods. https://developers.cloudflare.com/cloudflare-one/policies/access/mfa-requirements/#adding-authentication-methods-into-the-jwt
I'm so confused.
I'm so new to all of this, and I barely figured out how to do tunnels
Why doesn't Cloudflare just have a login screen?
like a username and password thing?
It's just not how ZT works. The point is to connect and secure things, not be its own auth provider
It is a bit confusing. Basically all those selectors do is act on the responses from Identity Provider. So with that auth method set under require, they would only pass the policy if the Identity Provider (like Google) responds saying they auth'd with a password. This could be used to force security keys and such
How do I get the app id?
In your case it's just overcomplicating things. You could replace that policy with just Include: Emails: youremail, and that would work with OTP and Google (and under Auth of the application you can configure the specific ones supported)
iirc it's the oauth client id you get when you follow the guide
if you follow it, shouldn't have any issues
Can I give you my AnyDesk, and you help me set this up?
No, if you want an easier way you could just continue to use the OTP/one time tokens emailed
So I create an OAuth client id?
Headaches, I hate it
Cloudflare is complicated. All I want is a simple login screen. I can't even figure Google out
I decided to just go with OTP
It's 2FA in a sense, so eh.