Calling a private service behind a cloudflared tunnel
I currently have a service running in a private VPC on AWS that I want to talk to from CloudFlare Workers. So I set up a cloudflared tunnel to it. I got everything working by setting up a public hostname and protecting it with a "Self-Hosted" Application using a service auth token.
However I'm a bit uncomfortable with having a public DNS record (even if it's technically protected by the Application policies). e.g. what if someone accidentally deletes the Application?
Is it possible to get rid of the public hostname altogether and call the *.cfargotunnel.com address directly from Workers?

8 Replies
> Is it possible to get rid of the public hostname altogether and call the *.cfargotunnel.com address directly from Workers?

No sadly, tried that before myself. Would be cool though.
> However I'm a bit uncomfortable with having a public DNS record (even if it's technically protected by the Application policies). e.g. what if someone accidentally deletes the Application?

Under Additional Application Settings -> Access, you can make it so that the public hostname verifies the request passed through a specific application
slightly better screenshot
Let me know if I understand correctly: if I enable that option, when a user visits the hostname, CF will send an "application JWT" to cloudflared, which will automatically verify that JWT?
isn't that kind of unnecessary since the only way to access cloudflared in the first place is through the hostname?
> when a user visits the hostname, CF will send an "application JWT" to cloudflared, which will automatically verify that JWT?

When the user passes through the access application successfully, passing the application's policies, CF Access will send a JWT verifying they passed it, and cloudflared (running on your origin) will verify the token
> isn't that kind of unnecessary since the only way to access cloudflared in the first place is through the hostname?

No, as you said above:

> what if someone accidentally deletes the Application?

it verifies they passed through the specific application you select too, not just any
ah I see, thanks for the clarification! That was helpful
btw, do you have any idea how to configure this via Terraform? Is it this option? https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/tunnel_config#nested-schema-for-configorigin_requestaccess
And if so, how do I specify the hostname? is it aud_tag / team_name?
idk much about terraform but yea, it's under the ingress rule and it's the aud_tag/team_name
your team name is under Settings -> Custom Pages and the Aud tag is under the Application Overview in the first section/Application Configuration in the zt dash
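As an added example (not code from anyone in this thread), the following Terraform ties together the two points discussed above: the Access application plus service-token policy from the original setup, and the per-ingress `access` block that makes cloudflared itself verify the Access JWT for one specific application. It assumes the Cloudflare provider v4 schema, that the `ingress_rule.origin_request` block accepts the same `access` settings as the linked `config.origin_request.access` schema, and uses placeholders for the account ID, tunnel ID, hostname, team name and origin address.

```hcl
# Added example, not from the thread. Assumes cloudflare/cloudflare provider v4.
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0" # assumption: v4 block schema used below
    }
  }
}

variable "account_id" { type = string } # placeholder
variable "tunnel_id" { type = string }  # placeholder: existing cloudflared tunnel

# Self-hosted Access application in front of the public hostname.
resource "cloudflare_access_application" "svc" {
  account_id       = var.account_id
  name             = "private-service"
  domain           = "svc.example.com" # placeholder hostname
  type             = "self_hosted"
  session_duration = "24h"
}

# Service token the Worker presents via CF-Access-Client-Id / CF-Access-Client-Secret.
resource "cloudflare_access_service_token" "worker" {
  account_id = var.account_id
  name       = "workers-caller"
}

# Only that service token may pass; "non_identity" is the decision for non-user access.
resource "cloudflare_access_policy" "svc_worker_only" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.svc.id
  name           = "allow worker service token"
  precedence     = 1
  decision       = "non_identity"
  include {
    service_token = [cloudflare_access_service_token.worker.id]
  }
}

# Tunnel ingress. The access block makes cloudflared check the Cf-Access-Jwt-Assertion
# header on every request: the JWT must be issued for this team and carry the AUD tag
# of the application above, so a token from any other application is rejected too.
resource "cloudflare_tunnel_config" "svc" {
  account_id = var.account_id
  tunnel_id  = var.tunnel_id

  config {
    ingress_rule {
      hostname = cloudflare_access_application.svc.domain
      service  = "http://10.0.1.10:8080" # placeholder: private VPC origin

      origin_request {
        access {
          required  = true
          team_name = "my-team" # placeholder: Zero Trust team name (Settings -> Custom Pages)
          aud_tag   = [cloudflare_access_application.svc.aud]
        }
      }
    }

    # Catch-all so anything not matched above gets a 404 rather than the origin.
    ingress_rule {
      service = "http_status:404"
    }
  }
}

output "worker_client_id" {
  value = cloudflare_access_service_token.worker.client_id
}

output "worker_client_secret" {
  value     = cloudflare_access_service_token.worker.client_secret
  sensitive = true
}
```

With `required = true` the check fails closed: if the Access application is deleted or bypassed, no valid JWT with the expected AUD tag reaches cloudflared and the request is refused at the tunnel rather than forwarded to the VPC origin, which is the failure mode the original question was worried about.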