Cloudflared
Hey, I got a general question. So basically I use Cloudflare Zero Trust to secure my web pages, but I have a CDN (for example: cdn.mydomain.com). I want cdn.mydomain.com secured by Zero Trust, BUT NOT (example: api/cdn/download/images/). So is there a way to do that?
Also related to cloudflared / ZT Networks:
If I have a domain directed to that web page, can I make it accessible on my Linux server only by that domain and not by the direct IP?
The most specific application takes precedence: https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/#policy-inheritance
You would make your cdn.mydomain.com self-hosted app as normal, and then another one for /api/cdn/download/images/*, with just a single policy including Everyone w/ action bypass. I do it for a few things like a public Grafana dashboard and it works well.

"If I have a domain directed to that web page, can I make it accessible on my Linux server only by that domain and not by the direct IP?"
If you're using cloudflared to expose your web server, you do not need any open ports. cloudflared connects outbound to Cloudflare.
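The reply above says the more specific Access application wins, so a host-wide app requiring login and a narrower path app with a bypass policy can coexist. The following is an added example, not code from the original thread or from Cloudflare: a small Python model of that precedence that evaluates constructed request URLs against two hypothetical apps (one for the whole host, one for the image download path). The app names, the `action` labels and the "more literal path characters means more specific" heuristic are assumptions for illustration; Cloudflare's actual matching rules are in the linked docs.

```python
"""Simplified model of Cloudflare Access application-path precedence (added example)."""
import fnmatch
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AccessApp:
    """One self-hosted Access application with a single policy (simplified model)."""
    name: str
    domain: str          # hostname the app is defined on, e.g. "cdn.mydomain.com"
    path: str = ""       # path pattern, "" means the whole host; "*" matches any characters
    action: str = "allow"  # hypothetical label for the policy decision


# Constructed sample configuration mirroring the thread: whole host behind login,
# the public image path on the same host with a bypass policy.
APPS = [
    AccessApp("cdn (whole host)", "cdn.mydomain.com", "", "require-login"),
    AccessApp("cdn public images", "cdn.mydomain.com", "/api/cdn/download/images/*", "bypass"),
]


def matches(app: AccessApp, host: str, path: str) -> bool:
    """True if the request host/path falls under this application."""
    if host != app.domain:
        return False
    if not app.path:
        return True  # host-wide application covers every path
    return fnmatch.fnmatchcase(path, app.path)


def specificity(app: AccessApp) -> int:
    """Assumed heuristic: more literal (non-wildcard) path characters = more specific."""
    return len(app.path.replace("*", ""))


def select_app(apps, url: str):
    """Pick the most specific matching application, or None if no app covers the URL."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    candidates = [a for a in apps if matches(a, host, path)]
    if not candidates:
        return None
    return max(candidates, key=specificity)


def decide(apps, url: str) -> str:
    """Return the policy action that applies to the URL, or 'no-app' if none matches."""
    app = select_app(apps, url)
    return app.action if app else "no-app"


if __name__ == "__main__":
    for u in (
        "https://cdn.mydomain.com/",
        "https://cdn.mydomain.com/api/cdn/download/images/logo.png",
        "https://cdn.mydomain.com/api/cdn/download/secret.zip",
        "https://other.mydomain.com/",
    ):
        print(f"{u} -> {decide(APPS, u)}")
```

Note the edge case: a request to /api/cdn/download/images (no trailing slash) does not match the "/api/cdn/download/images/*" pattern in this model and falls back to the host-wide login requirement, so it is worth checking how the exact path your clients request is written when you define the bypass app.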
Alright, thank you very much. I will try it!
"If you're using cloudflared to expose your web server, you do not need any open ports. cloudflared connects outbound to Cloudflare"
That probably won't work if I run everything on Docker... right?
Like, I can't block ports with ufw,
so I don't know how I can block them either.
There's a Docker + ufw patch: https://stackoverflow.com/questions/30383845/what-is-the-best-practice-of-docker-ufw-under-ubuntu
Then you can just do a normal ufw default deny incoming.
Alright, thanks.