Securely hosting admin panels

Hey, I just want to ask, how are admin panels hosted in production? I have no real company experience because I am too young (sadly 😦 ). Let's take for example admin tools like Grafana (or even Prometheus), Portainer, custom admin websites: how do developers access them once they are on prod? I've read quite a bit about techniques to do that, but I'm left confused. SSH tunneling doesn't sound good considering I'd want to host dev k8s (docker compose) locally and SSH would bind local ports. Domains don't sound cool either - everyone could know what tools we host if it was grafana.example.com etc. VPNs - I don't know what's bad about them, but people seem not to enjoy them (I think because one credential would leak the entire host). Also, what if I'd want to access the prod database? Or is that a bad idea and I shouldn't expose the database in any scenario? Oh, and I'm not using AWS, GCP or any of the clouds, rather an on-premise VPS server 🙂 I've asked the same question on the official Go server, but after some talking they redirected me here.
24 Replies
Erisa (3mo ago)
Cloudflare Tunnels plus Cloudflare Access, or a VPN setup like Cloudflare WARP or a third-party one like Tailscale. For domains, I would just give them generic names like monitoring.example.com if you don't want the world to know what services are in use.
Also, what if I'd want to access the prod database? Or is that a bad idea and I shouldn't expose the database in any scenario?
I don't think it's always bad to want to access the prod database, especially at a small company size, but I'd be wary of exposing it to the internet without appropriate security, and I'd ensure only relevant people can get to it.
Londek (OP, 3mo ago)
I've heard about Zero Trust, which after some digging seems to be Cloudflare Tunnels. I enjoy the all-in-one solution for securely accessing private networks and I will for sure be looking into it! About the database part: if I were going to actually deploy a real big prod application, yes, I'd create accounts based on the least privilege principle and require SSL.
Erisa (3mo ago)
I've heard about Zero Trust, which after some digging seems to be Cloudflare Tunnels
To clarify, Cloudflare Tunnels is one piece of the wider Zero Trust suite, which includes Tunnels, Gateway, Access, WARP and more.
Londek (OP, 3mo ago)
Sorry if I sound in any way rude, but do companies really just expose databases to the internet?
Erisa (3mo ago)
Not usually without strict identity verification through a system like Cloudflare Access, or hiding it inside a VPN network using e.g. WARP.
Londek (OP, 3mo ago)
Okay, thanks. If I have any more questions in the future I will for sure ask them here. Thanks for the professional support and quick response times ^
For domains, I would just give them generic names like monitoring.example.com if you don't want the world to know what services are in use.
What if I don't want the world to know the servers in use (through, for example, A records), but I also don't want to give developers the struggle of managing/memorizing a few IPv4s, if not IPv6s, and rather let them access servers through some aliased hostnames (eu-prod-1, us-dev-2 etc.) via, idk, internal DNS? Or is that not even a valid problem in the real world?
Erisa (3mo ago)
Internal DNS is indeed what you'd do there, but realistically it doesn't really matter. There are huge companies (such as Cloudflare, Discord, and I believe even Twitter) that have publicly resolvable hostnames for internal services and they're fine.
Londek (OP, 3mo ago)
oh hell yeah
Londek (OP, 3mo ago)
7k subdomains. Then I guess it won't be an issue or an off-standards practice. I've also stumbled upon one article from Cloudflare about how they used to access their DB through a public bastion.
Erisa (3mo ago)
yeah
Erisa (3mo ago)
Cloudflare Docs
SSH | Cloudflare Zero Trust docs
The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.
Londek (OP, 3mo ago)
Yep, I'm in the process of deciphering it and making it "scalable" if more machines join Zero Trust. Trying to figure out the most optimal way. *Perfectionism*
Erisa (3mo ago)
If you like reading, they have some very lengthy architecture deep dives you can follow: https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/
Cloudflare Docs
Building zero trust architecture into your startup | Cloudflare Ref...
Most of Cloudflare’s documentation (and, generally, documentation by most vendors in the space) is written with the assumption that adopting Zero Trust products will require shifting away from something. In scenarios in which nothing is built, or there is no tool that fulfills the goals which your team is trying to accomplish, this can sometimes...
Erisa (3mo ago)
That page is very big.
Londek (OP, 3mo ago)
Thanks, I hadn't found it yet. I will give it a read for sure!
Londek (OP, 3mo ago)
Sorry to bother you, but I've decided to use GitHub as the IdP. I have created a new organization and added a "GitHub Organization" policy in the device enrollment rules; however, this policy fails for an unknown reason. Do you know by any chance what could've gone wrong?
Erisa (3mo ago)
You need to give Cloudflare Access permission to access org information when signing in with it; it shows as "Organization access" on the GitHub authorisation page.
Londek (OP, 3mo ago)
Whoops, sorry for that. I'd authenticated previously with the same account before I realized I need the org, and it just kept reusing the OAuth grant without org access. Or something, not quite sure; once I clicked, no window appeared.
Erisa (3mo ago)
Go to https://github.com/settings/applications, find it on the list, click it and then you can change the settings, or remove and re-add it.
Londek (OP, 3mo ago)
Yeah, thanks ❤️ Is xyz.internal.example.com possible to achieve with Local Domain Fallback? I'm not even sure if that's the correct way of doing what I have in mind; maybe reserved TLDs such as .local are better suited? Currently dig results in SERVFAIL "; EDE: 22 (No Reachable Authority): (Upstream request timed out)", which I find weird because once I'm off the Zero Trust VPN and I try to query the private DNS it works just fine - but that defeats the purpose of Zero Trust.
Luka (3mo ago)
I'm actually struggling with the same. I want to deploy my apps using docker compose on private servers that have a Cloudflare Tunnel running. The tunnel allows me to SSH in without even knowing the IP address. I think this is the most amazing part, because no one can DDoS it if they don't know it. The problem, however, is how do I expose several services, such as a web server and a database, from those docker compose projects. I recall reading that running a separate Cloudflare Tunnel service per service, thus ending up with multiple tunnels on the same physical server, is a bad practice. Binding ports to the host is bad; I really don't want to do that. Creating some shared docker network and then a system of labels that I could route to using the CF tunnel feels like the most reasonable approach. I would absolutely love to hear what the community is doing. I'm not an enterprise but neither a lazy guy to trade security for fastness.
Londek (OP, 3mo ago)
What I ended up doing is:
- Adding cloudflared to docker compose
- Setting up a private DNS server (and adding it to Local Domain Fallback)
- Setting up DNS like grafana.internal.example.com
- Adding a private network via Cloudflare Tunnel (10.0.0.0/16)
- Remembering to remove 10.0.0.0/8 from the split tunnels exclude list ^
- Routing grafana.internal.example.com with a reverse proxy to the local service
This way, once I connect with WARP I can simply access https://grafana.internal.example.com from a web browser, but I don't really enjoy the solution, since if a service is non-HTTP, such as the DB, I can still access it through the private IP (10.0.0.1:5432). In my head I imagined grafana.internal.example.com actually resolving to the actual service in docker compose and not the server host. Right now grafana.internal.example.com:5432 connects me with the DB, which I don't want; it works with server ports and not individual services.
Londek (OP, 3mo ago)
This post describes exactly what I want to achieve: https://gtzsec.medium.com/accessing-kubernetes-services-using-cloudflare-zero-trust-cb594435da22 But docker compose is just...
Medium
Accessing kubernetes services using cloudflare zero trust
In this tutorial I want to show you how secure access to services running inside a kubernetes cluster, this is useful for Dev teams…
Londek (OP, 3mo ago)
Also, http://any-subdomain-resolved-to-that-server.internal.example.com:3000 grants access to the Grafana service (the service, not the reverse proxy) via the server-bound port, which was never intended to be a thing in the first place. "I'm not an enterprise but neither a lazy guy to trade security for fastness." - This is a very accurate description of me too; I just want to do stuff correctly, like it'd be done in big tech.