-
Notifications
You must be signed in to change notification settings - Fork 5.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* move browser-rendered terminal to new page * account limits * new infrastructure access how-to * Update src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * non-http overview * move ssh note * define target * add SSH logging partial * use SSH logging partial * start reworking ssh page * Apply suggestions from code review Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/glossary/cloudflare-one.yaml * clean up warp to tunnel * ssh instructions * example warp-cli output * edit overviews * edit sidebar text * target ip requirements * create cloudflare authentication folder * redirect users from old SSH workflows * logpush is enterprise only * add "New" badge to sidebar * sharon's feedback * ann ming's feedback part 1 * fix broken link * fix broken link * rework IA * fix links * add api examples * edit cloudflared auth note * add step to install the Cloudflare cert * Update src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx Co-authored-by: Kody Jackson <kody@cloudflare.com> * remove warp-cli target list * remove ssh key in dash * add API example * edit code block format * link to API docs * apply sharon's feedback * clarify disable ssh command logging * clarify legacy label --------- Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> Co-authored-by: Kody Jackson <kody@cloudflare.com>
- Loading branch information
1 parent
3426d69
commit 54ffd03
Showing
35 changed files
with
721 additions
and
261 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26 changes: 26 additions & 0 deletions
26
src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
--- | ||
pcx_content_type: how-to | ||
title: Browser-rendered terminal | ||
sidebar: | ||
order: 3 | ||
|
||
--- | ||
|
||
Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser. | ||
|
||
:::note | ||
You can only enable browser rendering on domains and subdomains, not for specific paths. | ||
::: | ||
|
||
## Enable browser rendering | ||
|
||
To enable browser rendering: | ||
|
||
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. | ||
2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. | ||
3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. | ||
4. In the **Settings** tab, scroll down to **Additional settings**. | ||
5. For **Browser rendering**, choose *SSH* or *VNC*. | ||
6. Select **Save application**. | ||
|
||
When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser. |
File renamed without changes.
23 changes: 23 additions & 0 deletions
23
...ns/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
--- | ||
pcx_content_type: how-to | ||
title: Enable automatic cloudflared authentication | ||
sidebar: | ||
order: 2 | ||
|
||
--- | ||
|
||
When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page: | ||
|
||
![Access request prompt page displayed after logging in with cloudflared.](~/assets/images/cloudflare-one/applications/non-http/access-screen.png) | ||
|
||
Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session. | ||
|
||
To enable automatic `cloudflared` authentication: | ||
|
||
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. | ||
2. Locate your application and select **Configure**. | ||
3. In the **Settings** tab, scroll down to **Additional settings**. | ||
4. Turn on **Enable automatic cloudflared authentication**. | ||
5. Select **Save application**. | ||
|
||
This option will still prompt a browser window in the background, but authentication will now happen automatically. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
52 changes: 27 additions & 25 deletions
52
src/content/docs/cloudflare-one/applications/non-http/index.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,44 +1,46 @@ | ||
--- | ||
pcx_content_type: how-to | ||
title: Add non-HTTP applications | ||
pcx_content_type: concept | ||
title: Non-HTTP applications | ||
sidebar: | ||
order: 2 | ||
order: 1 | ||
|
||
--- | ||
|
||
You can secure non-HTTP applications by [connecting your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare. Users reach the application by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users. | ||
Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications. | ||
|
||
## Setup | ||
:::note | ||
Non-HTTP applications require [connecting your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare. For more details, refer to our [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide. | ||
::: | ||
|
||
For a comprehensive overview of how to connect a private network, refer to our implementation guide: | ||
## WARP client | ||
|
||
* [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) | ||
Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users. | ||
|
||
To connect to an application over a specific protocol, refer to these tutorials: | ||
If you would like to define how users access specific infrastructure servers within your network, create an infrastructure application in [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/). Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including: | ||
- Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server. | ||
- Eliminate SSH keys by using short-lived certificates to authenticate users. | ||
- Export SSH command logs to a storage service or SIEM solution using [Logpush](/logs/about/). | ||
|
||
* [Connect over SSH with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-warp-to-tunnel) | ||
* [Connect over SMB with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/smb/#connect-to-smb-server-with-warp-to-tunnel) | ||
* [Connect over RDP with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/rdp/#connect-to-rdp-server-with-warp-to-tunnel) | ||
## Clientless access | ||
|
||
## Enable browser rendering | ||
Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported, and user email prefixes must match their username on the server. | ||
|
||
Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser. | ||
|
||
:::note | ||
### Browser-rendered terminal | ||
|
||
Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. | ||
|
||
You can only enable browser rendering on domains and subdomains, not for specific paths. | ||
|
||
### Client-side cloudflared (legacy) | ||
|
||
:::note | ||
Not recommended for new deployments. | ||
::: | ||
|
||
To enable browser rendering: | ||
Users can log in to the application by installing `cloudflared` on their device and running a hostname-specific command in their terminal. For more information, refer to [cloudflared authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/). | ||
|
||
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. | ||
2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. | ||
3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. | ||
4. In the **Settings** tab, scroll down to **Additional settings**. | ||
5. For **Browser rendering**, choose *SSH* or *VNC*. | ||
6. Select **Save application**. | ||
## Related resources | ||
|
||
To connect to an application over a specific protocol, refer to these tutorials: | ||
|
||
When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser. | ||
* [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/) | ||
* [SMB](/cloudflare-one/connections/connect-networks/use-cases/smb/) | ||
* [RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/) |
70 changes: 70 additions & 0 deletions
70
src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
--- | ||
pcx_content_type: how-to | ||
title: Add an infrastructure application | ||
sidebar: | ||
order: 2 | ||
badge: | ||
variant: tip | ||
text: New | ||
--- | ||
|
||
import { Badge, Details, Tabs, TabItem, Render } from "~/components" | ||
|
||
Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach. | ||
|
||
:::note | ||
Access for Infrastructure currently only supports [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/). | ||
::: | ||
|
||
## Prerequisites | ||
|
||
- [Connect your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare using `cloudflared` or WARP Connector. | ||
- [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on user devices in Gateway with WARP mode. | ||
- Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on user devices. | ||
|
||
## 1. Add a target | ||
|
||
<Render file="access/add-target" /> | ||
|
||
## 2. Add an infrastructure application | ||
|
||
<Render file="access/add-infrastructure-app" /> | ||
|
||
## 3. Add a policy | ||
|
||
<Render file="access/add-infrastructure-policy" /> | ||
|
||
### Selectors | ||
|
||
The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications: | ||
- Emails ending in | ||
- SAML group | ||
- Country | ||
- Authentication method | ||
- Device posture | ||
- Azure group, GitHub organization, Google Workspace group, Okta group | ||
|
||
## 4. Configure the server | ||
|
||
Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial: | ||
|
||
- [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server) | ||
|
||
## Connect as a user | ||
|
||
Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname. | ||
|
||
### Connect to different VNET | ||
|
||
To connect to targets that are in different VNETS, users will need to [switch their connected virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) in the WARP client. | ||
|
||
:::note | ||
If a user is connected to a target in VNET-A and needs to connect to a target in VNET-B, switching their VNET will not break any existing connections to targets within VNET-A. At present, connections are maintained between VNETs. | ||
::: | ||
|
||
|
||
## Revoke a user's session | ||
|
||
To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. | ||
|
Oops, something went wrong.