diff --git a/public/_redirects b/public/_redirects index 3db8d70a1602dd..da4f24bf258983 100644 --- a/public/_redirects +++ b/public/_redirects @@ -86,7 +86,7 @@ /access/ssh/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301 /cloudflare-one/tutorials/ssh/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301 /cloudflare-one/tutorials/ssh-browser/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301 -/access/ssh/short-live-cert-server/ /cloudflare-one/identity/users/short-lived-certificates/ 301 +/access/ssh/short-live-cert-server/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301 /access/ssh/ssh-guide/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301 # ai @@ -1522,6 +1522,7 @@ /cloudflare-one/analytics/access/ /cloudflare-one/insights/analytics/access/ 301 /cloudflare-one/analytics/gateway/ /cloudflare-one/insights/analytics/gateway/ 301 /cloudflare-one/analytics/users/ /cloudflare-one/insights/logs/users/ 301 +/cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301 /cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301 /cloudflare-one/connections/connect-apps/install-and-setup/setup/ /cloudflare-one/connections/connect-networks/get-started/ 301 /cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas/ /cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/ 301 
@@ -1608,6 +1609,7 @@ /cloudflare-one/insights/logs/logpush/rdata/ /cloudflare-one/insights/logs/logpush/#parse-logpush-logs 301 /cloudflare-one/applications/custom-pages/ /cloudflare-one/applications/ 301 /cloudflare-one/identity/service-auth/service-tokens/ /cloudflare-one/identity/service-tokens/ 301 +/cloudflare-one/identity/users/short-lived-certificates/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301 /cloudflare-one/identity/users/validating-json/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301 /cloudflare-one/policies/lists/ /cloudflare-one/policies/gateway/lists 301 /cloudflare-one/policies/zero-trust/ /cloudflare-one/policies/access/ 301 @@ -1654,7 +1656,7 @@ /cloudflare-one/tutorials/secure-dns-network/ /cloudflare-one/connections/connect-devices/agentless/dns/locations/ 301 /cloudflare-one/tutorials/share-new-site/ /cloudflare-one/connections/connect-networks/get-started/ 301 /cloudflare-one/tutorials/single-command/ /cloudflare-one/connections/connect-networks/get-started/ 301 -/cloudflare-one/tutorials/ssh-cert-bastion/ /cloudflare-one/identity/users/short-lived-certificates/ 301 +/cloudflare-one/tutorials/ssh-cert-bastion/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301 /cloudflare-one/tutorials/ssh-service-token/ /cloudflare-one/identity/service-tokens/ 301 /cloudflare-one/tutorials/smb/ /cloudflare-one/connections/connect-networks/use-cases/smb/ 301 /cloudflare-one/tutorials/split-tunnel/ /cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/ 301 diff --git a/src/content/docs/cloudflare-one/account-limits.mdx b/src/content/docs/cloudflare-one/account-limits.mdx index 8f63938941a2ff..27267e589ad0dc 100644 --- a/src/content/docs/cloudflare-one/account-limits.mdx +++ b/src/content/docs/cloudflare-one/account-limits.mdx 
@@ -24,6 +24,7 @@ This page lists the default account limits for rules, applications, fields, and | Rules count per application | 1,000 | | Rules count per group | 1,000 | | Domains per application | 5 | +| Infrastructure targets | 300 | ## Gateway @@ -75,5 +76,6 @@ This page lists the default account limits for rules, applications, fields, and | mTLS certificates name | 350 | | Service token name | 350 | | IdP name | 350 | +| Target name | 255 | | Application URL | 63 | | Team domain | 63 | diff --git a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx b/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx new file mode 100644 index 00000000000000..1179e407043f3f --- /dev/null +++ b/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx 
@@ -0,0 +1,26 @@ +--- +pcx_content_type: how-to +title: Browser-rendered terminal +sidebar: + order: 3 + +--- + +Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser. + +:::note +You can only enable browser rendering on domains and subdomains, not for specific paths. +::: + +## Enable browser rendering + +To enable browser rendering: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. +3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. +4. In the **Settings** tab, scroll down to **Additional settings**. +5. For **Browser rendering**, choose *SSH* or *VNC*. +6. Select **Save application**. + +When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser. diff --git a/src/content/docs/cloudflare-one/applications/non-http/arbitrary-tcp.mdx b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx similarity index 100% rename from src/content/docs/cloudflare-one/applications/non-http/arbitrary-tcp.mdx rename to src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx diff --git a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx new file mode 100644 index 00000000000000..bd7941f02be4b8 --- /dev/null 
+++ b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx @@ -0,0 +1,23 @@ +--- +pcx_content_type: how-to +title: Enable automatic cloudflared authentication +sidebar: + order: 2 + +--- + +When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page: + +![Access request prompt page displayed after logging in with cloudflared.](~/assets/images/cloudflare-one/applications/non-http/access-screen.png) + +Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session. + +To enable automatic `cloudflared` authentication: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +2. Locate your application and select **Configure**. +3. In the **Settings** tab, scroll down to **Additional settings**. +4. Turn on **Enable automatic cloudflared authentication**. +5. Select **Save application**. + +This option will still prompt a browser window in the background, but authentication will now happen automatically. diff --git a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx similarity index 54% rename from src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication.mdx rename to src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx index 73cdf55ad0001d..d8ddad2ac62ca5 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx 
@@ -1,9 +1,9 @@ --- pcx_content_type: how-to -title: Connect using cloudflared +title: Client-side cloudflared sidebar: - order: 11 - + order: 4 +tableOfContents: false --- With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the WARP client. This method requires you to onboard a domain to Cloudflare and install `cloudflared` on both the server and the user's device. 
@@ -12,33 +12,14 @@ Users log in to the application by running a `cloudflared access` command in the :::note -Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/policies/access/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances. +Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/policies/access/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances. ::: -## Setup - -For examples of how to connect to Access applications with `cloudflared`, refer to these tutorials: +For examples of how to connect to Access applications with client-side `cloudflared`, refer to these tutorials: * [Connect through Access using a CLI](/cloudflare-one/tutorials/cli/) * [Connect through Access using kubectl](/cloudflare-one/tutorials/kubectl/) -* [Connect over SSH with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-cloudflared-access) +* [Connect over SSH with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-cloudflared-authentication/) (legacy) -- SSH connections are now managed through [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/). 
* [Connect over RDP with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/rdp/#connect-to-rdp-server-with-cloudflared-access) * [Connect over SMB with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/smb/) - -## Automatic `cloudflared` authentication - -When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page: - -![Access request prompt page displayed after logging in with cloudflared.](~/assets/images/cloudflare-one/applications/non-http/access-screen.png) - -Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session. - -To enable automatic `cloudflared` authentication: - -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate your application and select **Configure**. -3. In the **Settings** tab, scroll down to **Additional settings**. -4. Turn on **Enable automatic cloudflared authentication**. -5. Select **Save application**. - -This option will still prompt a browser window in the background, but authentication will now happen automatically. +* [Connect over arbitrary TCP with cloudflared](/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/) \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/applications/non-http/index.mdx b/src/content/docs/cloudflare-one/applications/non-http/index.mdx index 963048f19a0d03..d85108ddc67e80 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/index.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/index.mdx 
@@ -1,44 +1,46 @@ --- -pcx_content_type: how-to -title: Add non-HTTP applications +pcx_content_type: concept +title: Non-HTTP applications sidebar: - order: 2 + order: 1 --- -You can secure non-HTTP applications by [connecting your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare. Users reach the application by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users. +Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications. -## Setup +:::note +Non-HTTP applications require [connecting your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare. For more details, refer to our [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide. +::: -For a comprehensive overview of how to connect a private network, refer to our implementation guide: +## WARP client -* [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) +Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users. -To connect to an application over a specific protocol, refer to these tutorials: +If you would like to define how users access specific infrastructure servers within your network, create an infrastructure application in [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/). 
Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including: +- Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server. +- Eliminate SSH keys by using short-lived certificates to authenticate users. +- Export SSH command logs to a storage service or SIEM solution using [Logpush](/logs/about/). -* [Connect over SSH with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-warp-to-tunnel) -* [Connect over SMB with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/smb/#connect-to-smb-server-with-warp-to-tunnel) -* [Connect over RDP with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/rdp/#connect-to-rdp-server-with-warp-to-tunnel) +## Clientless access -## Enable browser rendering +Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported, and user email prefixes must match their username on the server. -Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser. - -:::note +### Browser-rendered terminal +Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. 
-You can only enable browser rendering on domains and subdomains, not for specific paths. - +### Client-side cloudflared (legacy) +:::note +Not recommended for new deployments. ::: -To enable browser rendering: +Users can log in to the application by installing `cloudflared` on their device and running a hostname-specific command in their terminal. For more information, refer to [cloudflared authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/). -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. -3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. -4. In the **Settings** tab, scroll down to **Additional settings**. -5. For **Browser rendering**, choose *SSH* or *VNC*. -6. Select **Save application**. +## Related resources + +To connect to an application over a specific protocol, refer to these tutorials: -When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser. +* [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/) +* [SMB](/cloudflare-one/connections/connect-networks/use-cases/smb/) +* [RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/) \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx new file mode 100644 index 00000000000000..8261114db9e56a --- /dev/null +++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx 
@@ -0,0 +1,70 @@ +--- +pcx_content_type: how-to +title: Add an infrastructure application +sidebar: + order: 2 + badge: + variant: tip + text: New +--- + +import { Badge, Details, Tabs, TabItem, Render } from "~/components" + +Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach. + +:::note +Access for Infrastructure currently only supports [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/). +::: + +## Prerequisites + +- [Connect your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare using `cloudflared` or WARP Connector. +- [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on user devices in Gateway with WARP mode. +- Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on user devices. + +## 1. Add a target + + + +## 2. Add an infrastructure application + + + +## 3. Add a policy + + + +### Selectors + +The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications: +- Email +- Emails ending in +- SAML group +- Country +- Authentication method +- Device posture +- Azure group, GitHub organization, Google Workspace group, Okta group + +## 4. Configure the server + +Certain protocols require configuring the server to trust connections through Access for Infrastructure. 
For more information, refer to the protocol-specific tutorial: + +- [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server) + +## Connect as a user + +Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname. + +### Connect to different VNET + +To connect to targets that are in different VNETS, users will need to [switch their connected virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) in the WARP client. + +:::note +If a user is connected to a target in VNET-A and needs to connect to a target in VNET-B, switching their VNET will not break any existing connections to targets within VNET-A. At present, connections are maintained between VNETs. +::: + + +## Revoke a user's session + +To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. + diff --git a/src/content/docs/cloudflare-one/identity/users/short-lived-certificates.mdx b/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx similarity index 80% rename from src/content/docs/cloudflare-one/identity/users/short-lived-certificates.mdx rename to src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx index 29caaf7f4feedf..6faa76ee7b6fc5 100644 --- a/src/content/docs/cloudflare-one/identity/users/short-lived-certificates.mdx 
+++ b/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx @@ -1,18 +1,21 @@ --- -title: Short-lived certificates +title: Short-lived certificates (legacy) pcx_content_type: how-to sidebar: - order: 4 + order: 6 head: - tag: title - content: Configure short-lived certificates + content: Configure short-lived certificates (legacy) --- import { Render } from "~/components"; -Cloudflare Access can replace traditional SSH key models with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate a keypair and commit their public key into an infrastructure management tool, like [Salt](https://github.com/saltstack/salt), or otherwise upload it to an administrator. These keys can remain unchanged for months or years. +:::note[Short-lived certificates are now managed through Access for Infrastructure.] +Cloudflare recommends configuring short-lived certificates through our new [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) workflow. Access for Infrastructure supports differing SSH aliases out-of-the-box, removes the need for client SSH configuration, and allows for more granular security policies. +::: + + -Cloudflare Access removes the burden on the end user of generating a key, while also improving security of access to infrastructure with ephemeral certificates. ## 1. Secure the server behind Cloudflare Access @@ -24,7 +27,6 @@ To secure your server behind Cloudflare Access: 2. Create a [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-apps/) for the server. :::note - If you do not wish to use Access, refer instead to our [SSH proxy instructions](/cloudflare-one/policies/gateway/network-policies/ssh-logging/). ::: 
@@ -83,7 +85,7 @@ Match host vm.example.com exec "/usr/local/bin/cloudflared access ssh-gen --host ### Connect through a browser-based terminal -End users can connect to the SSH session without any configuration by using Cloudflare's browser-based terminal. Users visit the URL of the application and Cloudflare's terminal handles the short-lived certificate flow. To enable, refer to [Enable browser rendering](/cloudflare-one/applications/non-http/#enable-browser-rendering). +End users can connect to the SSH session without any configuration by using Cloudflare's browser-based terminal. Users visit the URL of the application and Cloudflare's terminal handles the short-lived certificate flow. To enable, refer to [Browser-rendered terminal](/cloudflare-one/applications/non-http/browser-rendering/). --- diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx index 91864dfd378d77..491a0e253627af 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx 
@@ -10,7 +10,7 @@ If you are unable to install the WARP client on your devices (for example, Windo * **[Gateway DNS policies](/cloudflare-one/connections/connect-devices/agentless/dns/)** * **[Gateway HTTP policies](/cloudflare-one/connections/connect-devices/agentless/pac-files/)** without user identity and device posture -* **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/#enable-browser-rendering) SSH and VNC connections +* **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH and VNC connections * **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/) * **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/scan-apps/)** * **[Data Loss Prevention (DLP)](/cloudflare-one/applications/scan-apps/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index e489307bba33f0..cdae4700c0316c 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -8,6 +8,6 @@ sidebar: import { DirectoryListing } from "~/components" -Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. +Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh.mdx deleted file mode 100644 index 541e10b3a7c152..00000000000000 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh.mdx +++ /dev/null 
@@ -1,141 +0,0 @@ ---- -pcx_content_type: how-to -title: SSH -sidebar: - order: 1 ---- - -import { Render } from "~/components"; - -The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server. - -Cloudflare Zero Trust offers two solutions to provide secure access to SSH servers: - -- [Private subnet routing with Cloudflare WARP to Tunnel](#connect-to-ssh-server-with-warp-to-tunnel) -- [Public hostname routing with `cloudflared access`](#connect-to-ssh-server-with-cloudflared-access) - -## Set up an SSH server in GCP - -This example walks through how to set up an SSH server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports SSH connections. - -### 1. Create an SSH key pair - -Before creating your VM instance you will need to create an SSH key pair. - -1. Open a terminal and type the following command: - - ```sh - ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C - ``` - -2. Enter your passphrase when prompted. It will need to be entered twice. - - Two files will be generated: `gcp_ssh` which contains the private key, and `gcp_ssh.pub` which contains the public key. - -3. In the command line, enter: - - ```sh - cat ~/.ssh/gcp_ssh.pub - ``` - -4. Copy the output. This will be used when creating the VM instance in GCP. - -:::note - -You can configure SSH servers that do not require SSH keys and instead rely exclusively on Cloudflare Zero Trust policies or [short-lived certificates](/cloudflare-one/identity/users/short-lived-certificates/) to secure the server. -::: - -### 2. Create a VM instance in GCP - -Now that the SSH key pair has been created, you can create a VM instance. - -1. In your [Google Cloud Console](https://console.cloud.google.com/), [create a new project](https://developers.google.com/workspace/guides/create-project). -2. 
Go to **Compute Engine** > **VM instances**. -3. Select **Create instance**. -4. Name your VM instance, for example `ssh-server`. -5. Scroll down to **Advanced options** > **Security** > **Manage Access**. -6. Under **Add manually generated SSH keys**, select **Add item** and paste the public key that you have created. -7. Select **Create**. -8. Once your VM instance is running, open the dropdown next to **SSH** and select _Open in browser window_. - -:::note - -In order to be able to establish an SSH connection, do not enable [OS Login](https://cloud.google.com/compute/docs/oslogin) on the VM instance. -::: - -## Connect to SSH server with WARP to Tunnel - - - -### 1. Connect the server to Cloudflare - - - -### 2. Set up the client - - - -### 3. Route private network IPs through WARP - - - -### 4. Connect as a user - -Once you have set up the application and the user device, the user can now SSH into the machine using its private IP address. If your SSH server requires an SSH key, the key should be included in the command. - -```sh -ssh -i ~/.ssh/gcp_ssh @ -``` - -## Connect to SSH server with `cloudflared access` - - - -### 1. Connect the server to Cloudflare - -1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). - -2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `ssh.example.com`). - -3. For **Service**, select _SSH_ and enter `localhost:22`. If the SSH server is on a different machine from where you installed the tunnel, enter `:22`. - -4. Select **Save hostname**. - -5. (Recommended) Add a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-apps/) to Cloudflare Access in order to manage access to your server. - -### 2. 
Connect as a user - -Users can connect from their device by [authenticating through `cloudflared`](#native-terminal), or from a [browser-rendered terminal](#browser-rendered-terminal). - -#### Native Terminal - -1. [Install `cloudflared`](/cloudflare-one/connections/connect-networks/downloads/) on the client machine. - -2. Make a one-time change to your SSH configuration file: - - ```sh - vim ~/.ssh/config - ``` - -3. Input the following values; replacing `ssh.example.com` with the hostname you created. - - ```txt - Host ssh.example.com - ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h - ``` - - The `cloudflared` path may be different depending on your OS and package manager. For example, if you installed `cloudflared` on macOS with Homebrew, the path is `/opt/homebrew/bin/cloudflared`. - -4. You can now test the connection by running a command to reach the service: - - ```sh - ssh @ssh.example.com - ``` - - When the command is run, `cloudflared` will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal. - -#### Browser-rendered terminal - -End users can connect to the SSH server without any configuration by using Cloudflare's browser-based terminal. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. - -To enable, refer to [Enable browser rendering](/cloudflare-one/applications/non-http/#enable-browser-rendering). diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/index.mdx new file mode 100644 index 00000000000000..c743f9e9e1ade5 --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/index.mdx 
@@ -0,0 +1,19 @@ +--- +pcx_content_type: navigation +title: SSH +hidden: false +sidebar: + order: 1 +tableOfContents: false +--- + +The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server. + +Cloudflare offers four ways to secure SSH: + +- [SSH with Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) (recommended) +- [Self-managed SSH keys](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/) +- [Browser-rendered SSH terminal](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-browser-rendering/) +- [SSH with client-side cloudflared](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-cloudflared-authentication/) (legacy) + +For an overview of these connection options, refer to [non-HTTP applications](/cloudflare-one/applications/non-http/). \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-browser-rendering.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-browser-rendering.mdx new file mode 100644 index 00000000000000..f378f5f8f5a3ac --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-browser-rendering.mdx 
@@ -0,0 +1,25 @@ +--- +pcx_content_type: how-to +title: Connect to SSH in the browser +sidebar: + order: 4 + label: Browser-rendered SSH terminal +--- + +import { Render } from "~/components"; + +Cloudflare's browser-based terminal allows end users to connect to an SSH server without managing SSH keys or installing the WARP client. + +This method requires routing SSH access to the server through a public hostname. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials. + +The browser-based terminal can be used in conjunction with [routing over WARP](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/) and [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method. + +## 1. Connect the server to Cloudflare + + + +## 2. Connect as a user + +To enable browser-rendering for SSH, refer to [Browser-rendered terminal](/cloudflare-one/applications/non-http/browser-rendering/). + +When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-cloudflared-authentication.mdx new file mode 100644 index 00000000000000..da93af6ffa03fd --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-cloudflared-authentication.mdx 
@@ -0,0 +1,48 @@ +--- +pcx_content_type: how-to +title: Connect to SSH with client-side cloudflared (legacy) +sidebar: + order: 5 + label: SSH with client-side cloudflared +--- + +import { Render } from "~/components"; + +:::note +Not recommended for new deployments. We recommend using [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) to connect to SSH. +::: + +End users can connect to an SSH server without the WARP client by authenticating through `cloudflared` in their native terminal. This method requires having `cloudflared` installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials. + +Client-side `cloudflared` can be used in conjunction with [routing over WARP](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/) and [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method. + +## 1. Connect the server to Cloudflare + + + +## 2. Connect as a user + +1. [Install `cloudflared`](/cloudflare-one/connections/connect-networks/downloads/) on the client machine. + +2. Make a one-time change to your SSH configuration file: + + ```sh + vim ~/.ssh/config + ``` + +3. Input the following values; replacing `ssh.example.com` with the hostname you created. + + ```txt + Host ssh.example.com + ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h + ``` + + The `cloudflared` path may be different depending on your OS and package manager. For example, if you installed `cloudflared` on macOS with Homebrew, the path is `/opt/homebrew/bin/cloudflared`. + +4. 
You can now test the connection by running a command to reach the service: + + ```sh + ssh @ssh.example.com + ``` + + When the command is run, `cloudflared` will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal. \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx new file mode 100644 index 00000000000000..7e2e34bec65edf --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx 
@@ -0,0 +1,123 @@ +--- +pcx_content_type: how-to +title: SSH with Access for Infrastructure (recommended) +sidebar: + order: 2 + label: SSH with Access for Infrastructure + badge: + variant: tip + text: New +--- + +import { Tabs, TabItem, Badge, Render } from "~/components"; + +[Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/) uses the same deployment model as [WARP-to-Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/) but unlocks more granular policy options and command logging functionality. + + +## 1. Connect the server to Cloudflare + +1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network. + +2. In the **Private Networks** tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP). + +## 2. Set up the client + +To connect your devices to Cloudflare: + +1. [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices in Gateway with WARP mode. +2. Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your devices. +3. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization. + +## 3. Route private network IPs through WARP + + + +## 4. Add a target + + + +## 5. Add an infrastructure application + + + +## 6. Add a policy + + + +## 7. Configure SSH server + +Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys. 
+ +### Generate a Cloudflare SSH CA + + +### Save the public key + + +### Modify your SSHD config + + +### Restart your SSH server + + +## 8. Connect as a user + +Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal: + +```sh +ssh @ +``` + +For more information, refer to the [Access for Infrastructure documentation](/cloudflare-one/applications/non-http/infrastructure-apps/#connect-as-a-user). + +## SSH command logs + +SSH command logs contain the actual SSH commands that a user ran on the target. These logs are encrypted using a public key provided by the customer and are not visible to Cloudflare. + +### Enable SSH command logging + + + +### Disable SSH command logging + +To turn off SSH command logging, delete your uploaded public key: + + + + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network** > **SSH encryption public key**. + +2. Select **Remove**. + +3. Select **Remove key** to confirm. + +Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to [Gateway Audit SSH](/cloudflare-one/policies/gateway/network-policies/ssh-logging/) policies. + + + + +To delete the SSH encryption public key using the [API](/api/operations/zero-trust-update-audit-ssh-settings): + +```sh +curl --request PUT https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/audit_ssh_settings \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--data '{ + "public_key": "" +}' +``` + + + +### View SSH logs + +SSH command logs are not visible from the dashboard itself and must be exported and decrypted. + +To manually retrieve logs: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Logs** > **Access**. +2. Select a user who was allowed to access the target. +3. Select **Download** to download the session's command log. +4. 
+ +Enterprise customers can also export command logs using [Logpush](/cloudflare-one/insights/logs/logpush/). \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx new file mode 100644 index 00000000000000..c595cf33d22c93 --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx 
@@ -0,0 +1,78 @@ +--- +pcx_content_type: how-to +title: Connect with self-managed SSH keys +sidebar: + order: 3 + label: Self-managed SSH keys +--- + +import { Render } from "~/components"; + +If you want to manage your own SSH keys, you can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the `cloudflared` daemon on the server (or any other host machine within the private network). Users with SSH keys that are trusted by the SSH server can access the server by installing the [Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can SSH to the server unless you build policies to allow or block specific users. + +:::note + +If you want to create more granular access policies, allow Cloudflare to manage SSH keys for you, or to obtain command logs, consider using [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) instead. +::: + +This example walks through how to set up an SSH server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports SSH connections. + +## 1. Create an SSH key pair + +Before creating your VM instance you will need to create an SSH key pair. + +1. Open a terminal and type the following command: + + ```sh + ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C + ``` + +2. Enter your passphrase when prompted. It will need to be entered twice. + + Two files will be generated: `gcp_ssh` which contains the private key, and `gcp_ssh.pub` which contains the public key. + +3. In the command line, enter: + + ```sh + cat ~/.ssh/gcp_ssh.pub + ``` + +4. Copy the output. This will be used when creating the VM instance in GCP. + +## 2. 
Create a VM instance in GCP + +Now that the SSH key pair has been created, you can create a VM instance. + +1. In your [Google Cloud Console](https://console.cloud.google.com/), [create a new project](https://developers.google.com/workspace/guides/create-project). +2. Go to **Compute Engine** > **VM instances**. +3. Select **Create instance**. +4. Name your VM instance, for example `ssh-server`. +5. Scroll down to **Advanced options** > **Security** > **Manage Access**. +6. Under **Add manually generated SSH keys**, select **Add item** and paste the public key that you have created. +7. Select **Create**. +8. Once your VM instance is running, open the dropdown next to **SSH** and select _Open in browser window_. + +:::note + +In order to be able to establish an SSH connection, do not enable [OS Login](https://cloud.google.com/compute/docs/oslogin) on the VM instance. +::: + +## 3. Connect the server to Cloudflare + + + +## 4. Set up the client + + + +## 5. Route private network IPs through WARP + + + +## 6. Connect as a user + +Once you have set up the application and the user device, the user can now SSH into the machine using its private IP address. If your SSH server requires an SSH key, the key should be included in the command. + +```sh +ssh -i ~/.ssh/gcp_ssh @ +``` diff --git a/src/content/docs/cloudflare-one/faq/teams-troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/teams-troubleshooting.mdx index 8347f2bc328a46..f893749e33ac66 100644 --- a/src/content/docs/cloudflare-one/faq/teams-troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/teams-troubleshooting.mdx 
@@ -87,7 +87,7 @@ This error occurs when the identity provider has not included the signing public ## I see `Error 0: Bad Request. Please create a ca for application.` when attempting to connect to SSH with a short-lived certificate. -This error will appear if a certificate has not been generated for the Access application users are attempting to connect to. For more information on how to generate a certificate for the application on the Access Service Auth SSH page, refer to [these instructions](/cloudflare-one/identity/users/short-lived-certificates/). +This error will appear if a certificate has not been generated for the Access application users are attempting to connect to. For more information on how to generate a certificate for the application on the Access Service Auth SSH page, refer to [these instructions](/cloudflare-one/applications/non-http/short-lived-certificates-legacy/). ## Mobile applications warn of an invalid certificate, even though I installed the Cloudflare certificate on my system. diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx index 6eee9f716e278f..465a324b3fc25b 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx 
@@ -7,6 +7,11 @@ sidebar: import { Render } from "~/components"; + +:::note +Cloudflare recommends configuring SSH command logs through our new [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) workflow. Access for Infrastructure supports differing SSH aliases out-of-the-box, custom SSH ports, and Logpush integrations. +::: + Cloudflare Zero Trust supports SSH proxying and command logging using Secure Web Gateway and the WARP client. You can create network policies to manage and monitor SSH access to your applications. When a device connects to your origin server over SSH, a session log will be generated showing which user connected, the session duration, and optionally a full replay of all commands run during the session. 
@@ -28,25 +33,14 @@ Instead of traditional SSH keys, Gateway uses short-lived certificates to authen :::note -Other short-lived CAs, such as those used to [secure SSH servers behind Cloudflare Access](/cloudflare-one/identity/users/short-lived-certificates/), are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the `gateway_ca` API endpoint. +Other short-lived CAs, such as those used to [secure SSH servers behind Cloudflare Access](/cloudflare-one/applications/non-http/short-lived-certificates-legacy/), are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the `gateway_ca` API endpoint. ::: To generate a Gateway SSH proxy CA and get its public key: -1. Make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers. - - ```bash - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \ - --header "X-Auth-Email: " \ - --header "X-Auth-Key: " - ``` + -2. A success response will include a `public_key` value. Save the key for configuring your server. - -## 3. Save your public key - -1. Copy the `public_key` value returned by the API request in Step 2. +## 3. Save the public key 
@@ -106,42 +100,15 @@ ssh-keygen -R ## (Optional) Configure SSH Command Logging -If you enabled **SSH Command Logging** in an [Audit SSH policy](#7-create-an-audit-ssh-policy), you will need to generate an HPKE key pair and upload the public key to your dashboard. - -1. [Download](https://github.com/cloudflare/ssh-log-cli/releases/latest/) the Cloudflare `ssh-log-cli` utility. - -2. Using the `ssh-log-cli` utility, generate a public and private key pair. - - ```sh - ./ssh-log-cli generate-key-pair -o sshkey - ls - ``` - - ```sh output - README.md ssh-log-cli sshkey sshkey.pub - ``` - - This command outputs two files, an `sshkey.pub` public key and a matching `sshkey` private key. - -3. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. - -4. In the **SSH encryption public key** field, paste the contents of `sshkey.pub` and select **Save**. Note that this a different public key from the `ca.pub` file you used to configure the origin server. - -All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to [view logs](#view-ssh-logs). + ## View SSH Logs -1. In Zero Trust, go to **Logs** > **Gateway** > **SSH**. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Logs** > **Gateway** > **SSH**. 2. If you enabled the **SSH Command Logging** feature, you can **Download** a session's command log. -3. To decrypt the log, follow the instructions in the [SSH Logging CLI repository](https://github.com/cloudflare/ssh-log-cli/). The following example uses the private key generated in [Configure SSH Command Logging](#optional-configure-ssh-command-logging): - - ```sh - ./ssh-log-cli decrypt -i sshlog -k sshkey - ``` - - This command outputs a `sshlog-decrypted.zip` file with the decrypted logs. +3. ## Limitations diff --git a/src/content/glossary/cloudflare-one.yaml b/src/content/glossary/cloudflare-one.yaml index efc9a7014321d2..e9121f40ae4fe9 100644 
--- a/src/content/glossary/cloudflare-one.yaml +++ b/src/content/glossary/cloudflare-one.yaml @@ -199,6 +199,10 @@ entries: general_definition: |- Single Sign-On (SSO) is a technology that combines multiple application logins into one, requiring users to enter credentials only once. + - term: target + general_definition: |- + a resource with an IP address or hostname that is reachable by Cloudflare, such as a server or web application. + - term: team domain general_definition: |- a unique subdomain assigned to your Cloudflare account (for example, `.cloudflareaccess.com`), where users will find the apps you have secured behind Cloudflare Zero Trust. diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx new file mode 100644 index 00000000000000..cf3f4c58d365cc --- /dev/null +++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx 
@@ -0,0 +1,71 @@ +--- +{} + +--- + +import { Tabs, TabItem, Render } from "~/components" + + + + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. +2. Select **Add an application**. +3. Select **Infrastructure**. +4. Enter any name for the application. +5. In **Target criteria**, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future. +6. Enter the **Protocol** and **Port** that will be used to connect to the server. +7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number. +8. Select **Next**. + + + +To add an infrastructure application using the [API](/api/operations/access-applications-add-an-application): + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \ +--header "Authorization: Bearer " \ +--header "Content-Type: application/json" \ +--data '{ + "name": "example app", + "type": "infrastructure", + "target_criteria": [ + { + "target_attributes": { + "hostname": [ + "infra-access-target" + ] + }, + "port": 22, + "protocol": "SSH" + } + ], + "policies": [ + { + "name": "Allow a specific email", + "decision": "allow", + "include": [ + { + "email": { + "email": "jdoe@company.com" + } + } + ], + "connection_rules": { + "ssh": { + "usernames": [ + "root", + "ec2-user" + ] + } + } + } + ] +}' +``` + + + + +:::note +Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol. +::: \ No newline at end of file 
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx new file mode 100644 index 00000000000000..7cf23b612f4163 --- /dev/null +++ b/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx @@ -0,0 +1,19 @@ +--- +{} + +--- + +import { Tabs, TabItem, Render } from "~/components" + +To secure your targets, configure a policy that defines who can connect and how they can connect: + +1. Enter any name for your policy. +2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/policies/access/). +3. In **Connection context**, enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`). +4. Select **Add application**. + +The targets in this application are now secured by your infrastructure policies. + +:::note +Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets. +::: \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx new file mode 100644 index 00000000000000..542c623db8c2df --- /dev/null +++ b/src/content/partials/cloudflare-one/access/add-target.mdx 
@@ -0,0 +1,54 @@ +--- +{} + +--- + +import { Tabs, TabItem, Render, Details } from "~/components" + +A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. + +To create a new target: + + + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**. +2. Select **Add a target**. +3. In **Target hostname**, enter a user-friendly name for the target resource. We recommend using the server hostname, for example `production-server`. The hostname does not need to be unique and can be reused for multiple targets. +
+ - Case insensitive + - Contain no more than 255 characters + - Contain only alphanumeric characters, `-`, or `.` (no spaces allowed) + - Start and end with an alphanumeric character +
+4. In **IP addresses**, enter the private IPv4 and/or IPv6 address of the target resource. If the IP address overlaps across multiple private networks, select the [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) where the resource is located. +:::note[IP address requirements] +- Public IPs are not currently supported. +- The IP address must be reachable through Cloudflare Tunnel. +- You must input the full IP address. The selector in the UI does not do partial matches. +::: +5. Select **Add target**. +
+ + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \ +--header "Authorization: Bearer " \ +--data '{ + "hostname": "infra-access-target", + "ip": { + "ipv4": { + "ip_addr": "187.26.29.249", + "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" + }, + "ipv6": { + "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0", + "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" + } + } +}' +``` + + +
+ +Next, create an infrastructure application to secure the target. \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/self-hosted-policy.mdx b/src/content/partials/cloudflare-one/access/self-hosted-policy.mdx index 868f510a8729dd..a46113c7dd3bb7 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-policy.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-policy.mdx @@ -5,7 +5,7 @@ You can now configure an [Access policy](/cloudflare-one/policies/access/) to control who can connect to your application. -1. Enter any name for your rule. +1. Enter any name for your policy. 2. Specify a policy [action](/cloudflare-one/policies/access/#actions). diff --git a/src/content/partials/cloudflare-one/access/self-hosted-settings.mdx b/src/content/partials/cloudflare-one/access/self-hosted-settings.mdx index e59bba09453618..fd32963e1a2866 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-settings.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-settings.mdx @@ -7,7 +7,7 @@ You can configure the following advanced settings for your application: * [Cross-Origin Resource Sharing (CORS)](/cloudflare-one/identity/authorization-cookie/cors/) * [Cookie settings](/cloudflare-one/identity/authorization-cookie/#cookie-settings) -* [Automatic `cloudflared` authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/#automatic-cloudflared-authentication) -* [Browser rendering](/cloudflare-one/applications/non-http/#enable-browser-rendering) +* [Automatic `cloudflared` authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/) +* [Browser rendering](/cloudflare-one/applications/non-http/browser-rendering/) To finish configuring the application, select **Add application**. 
diff --git a/src/content/partials/cloudflare-one/access/short-lived-certs-intro.mdx b/src/content/partials/cloudflare-one/access/short-lived-certs-intro.mdx new file mode 100644 index 00000000000000..59cd7984934ccd --- /dev/null +++ b/src/content/partials/cloudflare-one/access/short-lived-certs-intro.mdx @@ -0,0 +1,9 @@ +--- +params: + - intro + +--- + +import { Markdown } from "~/components" + +{props.intro} traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH keypair and administrators grant access to individual SSH servers by deploying their users' public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates. \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/ssh/decrypt-ssh-log.mdx b/src/content/partials/cloudflare-one/ssh/decrypt-ssh-log.mdx new file mode 100644 index 00000000000000..41541ce5b9dac6 --- /dev/null +++ b/src/content/partials/cloudflare-one/ssh/decrypt-ssh-log.mdx @@ -0,0 +1,11 @@ +--- +{} +--- + +To decrypt the log, follow the instructions in the [SSH Logging CLI repository](https://github.com/cloudflare/ssh-log-cli/). In the following example, `sshkey` is the private key that matches the public key uploaded to Cloudflare. + + ```sh + ./ssh-log-cli decrypt -i sshlog -k sshkey + ``` + + This command outputs a `sshlog-decrypted.zip` file with the decrypted logs. diff --git a/src/content/partials/cloudflare-one/ssh/public-key.mdx b/src/content/partials/cloudflare-one/ssh/public-key.mdx index b8a65c592594f4..c8e0e92038180e 100644 --- a/src/content/partials/cloudflare-one/ssh/public-key.mdx +++ b/src/content/partials/cloudflare-one/ssh/public-key.mdx 
@@ -2,23 +2,23 @@ {} --- -2. Use the following command to change directories to the SSH configuration directory on the remote target machine: +1. Use the following command to change directories to the SSH configuration directory on the remote target machine: ```sh cd /etc/ssh ``` -3. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key. +2. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key. ```sh vim ca.pub ``` -4. In the `ca.pub` file, paste the public key without any modifications. +3. In the `ca.pub` file, paste the public key without any modifications. The `ca.pub` file can hold multiple keys, listed one per line. Empty lines and comments starting with `#` are also allowed. -5. Save the `ca.pub` file. In some systems, you may need to use the following command to force the file to save depending on your permissions: +4. Save the `ca.pub` file. In some systems, you may need to use the following command to force the file to save depending on your permissions: ```bash :w !sudo tee % diff --git a/src/content/partials/cloudflare-one/ssh/restart-server.mdx b/src/content/partials/cloudflare-one/ssh/restart-server.mdx index 4128517039f35f..07628005412a34 100644 --- a/src/content/partials/cloudflare-one/ssh/restart-server.mdx +++ b/src/content/partials/cloudflare-one/ssh/restart-server.mdx @@ -2,9 +2,12 @@ {} --- +import { Tabs, TabItem, Render } from "~/components" + Once you have modified your SSHD configuration, restart the SSH service on the remote machine. -### Debian/Ubuntu + + For older Debian/Ubuntu versions: @@ -17,8 +20,8 @@ For newer Debian/Ubuntu versions: ```sh sudo systemctl restart ssh ``` - -### CentOS/RHEL + + For CentOS/RHEL 6 and older: @@ -31,3 +34,6 @@ For CentOS/RHEL 7 and newer: ```sh sudo systemctl restart sshd ``` + + + 
diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx new file mode 100644 index 00000000000000..468dd2840eff89 --- /dev/null +++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx @@ -0,0 +1,17 @@ +--- +{} + +--- + +import { Render } from "~/components" + +1. Make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers. + + ```bash + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \ + --header "X-Auth-Email: " \ + --header "X-Auth-Key: " + ``` + +2. Copy the `public_key` value returned in the response. \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx new file mode 100644 index 00000000000000..53634e5e490628 --- /dev/null +++ b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx @@ -0,0 +1,13 @@ +--- +{} +--- + +1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). + +2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `ssh.example.com`). + +3. For **Service**, select _SSH_ and enter `localhost:22`. If the SSH server is on a different machine from where you installed the tunnel, enter `:22`. + +4. Select **Save hostname**. + +5. (Recommended) Add a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-apps/) to Cloudflare Access in order to manage access to your server. diff --git a/src/content/partials/cloudflare-one/ssh/upload-ssh-key.mdx b/src/content/partials/cloudflare-one/ssh/upload-ssh-key.mdx new file mode 100644 index 00000000000000..3011c093af3ea3 --- /dev/null 
+++ b/src/content/partials/cloudflare-one/ssh/upload-ssh-key.mdx @@ -0,0 +1,29 @@ +--- +params: + - note +--- + +import { Markdown } from "~/components" + +To log SSH commands, you will need to generate an HPKE key pair and upload the public key to Cloudflare. + +1. [Download](https://github.com/cloudflare/ssh-log-cli/releases/latest/) the Cloudflare `ssh-log-cli` utility. + +2. Using the `ssh-log-cli` utility, generate a public and private key pair. + + ```sh + ./ssh-log-cli generate-key-pair -o sshkey + ls + ``` + + ```sh output + README.md ssh-log-cli sshkey sshkey.pub + ``` + + This command outputs two files, an `sshkey.pub` public key and a matching `sshkey` private key. + +3. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. + +4. In **SSH encryption public key**, paste the contents of `sshkey.pub` and select **Save**. + +All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to view logs. diff --git a/src/content/partials/cloudflare-one/tunnel/cloudflared-access.mdx b/src/content/partials/cloudflare-one/tunnel/cloudflared-access.mdx index 1d78710712431d..a038fdfb2bb4ca 100644 --- a/src/content/partials/cloudflare-one/tunnel/cloudflared-access.mdx +++ b/src/content/partials/cloudflare-one/tunnel/cloudflared-access.mdx 
@@ -5,4 +5,4 @@ Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the WARP client. This method requires having `cloudflared` installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials. -The public hostname method can be implemented in conjunction with [routing over WARP](/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-warp-to-tunnel) so that there are multiple ways to connect to the server. You can reuse the same tunnel for both the private network and public hostname routes. +The public hostname method can be implemented in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same tunnel for both the private network and public hostname routes. diff --git a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-client.mdx b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-client.mdx index f4f4821d8aba3d..466d2947f6cf7e 100644 --- a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-client.mdx +++ b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-client.mdx @@ -5,5 +5,5 @@ To connect your devices to Cloudflare: -1. [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices in Gateway with WARP mode. The Cloudflare certificate is only required if you want to display a custom block page or filter HTTPS traffic. +1. [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices in Gateway with WARP mode. 2. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization. 
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-intro.mdx b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-intro.mdx index 621f6c3bf51a5e..52d7380fe027c4 100644 --- a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-intro.mdx +++ b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-intro.mdx @@ -3,4 +3,4 @@ --- -You can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's edge. This requires running the `cloudflared` daemon on the server. Users reach the service by installing the [Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can access the service unless you build policies to allow or block specific users. +You can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the `cloudflared` daemon on the server. Users reach the service by installing the [Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can access the service unless you build policies to allow or block specific users.
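Review bot: in `short-lived-certs-intro.mdx`, `import { Markdown } from "~/components"` is never used; the body only renders `{props.intro}`, so the import should be dropped. The file also ends with `\ No newline at end of file`; add the trailing newline to keep this partial consistent with the others in the PR.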
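Review bot: in `decrypt-ssh-log.mdx`, the `./ssh-log-cli decrypt -i sshlog -k sshkey` fence and the closing sentence are indented by one space while the opening paragraph is not; either indent the whole body (if the partial is meant to sit inside a list item) or none of it, so the fence does not render at a different nesting level. Since `sshkey` is the private half of the logging key pair, one sentence saying the decrypt step should run where that key is stored, with the key file readable only by its owner, would help readers.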
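Review bot: in `public-key.mdx`, the renumbering from 2-5 to 1-4 is consistent, but the `:w !sudo tee %` block keeps its ```bash fence: that is a Vim ex command, not shell, and the other blocks in this hunk use ```sh. Tag it so readers do not paste it into a shell (a plain fence or a `vim` tag), and unify the remaining fences on `sh`.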
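Review bot: in `restart-server.mdx`, the new `import { Tabs, TabItem, Render } from "~/components"` is not matched by any visible usage: the `### Debian/Ubuntu` and `### CentOS/RHEL` headings are replaced by blank lines, and no `<Tabs>`, `<TabItem>` or `<Render>` markup appears in the hunk. If the tab components were intended, confirm they are actually in the file (and drop `Render` if it stays unused); as shown, the two OS sections lose their headings and become an unlabeled run of restart commands.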
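Review bot: in `ssh-proxy-ca.mdx`, both header values in the curl example are empty, `--header "X-Auth-Email: "` and `--header "X-Auth-Key: "`. Use visible placeholders (for example `$CLOUDFLARE_EMAIL` and `$CLOUDFLARE_API_KEY`) so the command is obviously incomplete until filled in, and say that `{account_id}` must be replaced as well. Since this form uses the global API key, consider also documenting the scoped API token variant with an `Authorization: Bearer` header, which limits what a leaked credential can do. `import { Render } from "~/components"` is unused in the visible lines, and the file is missing its trailing newline.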
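Review bot: in `tunnel-public-hostname.mdx`, step 3 reads "enter `:22`" for the case where the SSH server is on another machine; the host part before the colon is missing, possibly a placeholder in angle brackets that MDX swallowed. Restore it in a form that survives rendering (escaped or inside backticks, for example `<server-ip>:22`), since `:22` on its own is not a valid service address.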
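Review bot: in `upload-ssh-key.mdx`, the frontmatter declares a `note` param and the file imports `Markdown`, but neither `props.note` nor `<Markdown>` appears in the visible lines; remove both or add the intended usage. The closing paragraph says the private key is required to view logs, but the steps never say where `sshkey` should live after generation; one sentence recommending it be kept with owner-only permissions and backed up outside the working directory shown by `ls` would close that gap, since losing it makes the logs unrecoverable and exposing it lets anyone decrypt them.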
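Review bot: in `cloudflared-access.mdx`, the edit drops the link on "routing over WARP" (previously to `/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-warp-to-tunnel`) without pointing at a replacement. If that section moved with this PR, re-link to its new location rather than leaving plain text, so readers can still find the WARP-to-Tunnel setup from this partial.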
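Review bot: in `warp-to-tunnel-client.mdx`, step 1 loses the sentence "The Cloudflare certificate is only required if you want to display a custom block page or filter HTTPS traffic." If that guidance now lives on the linked deployment page, fine; otherwise readers following the SSH use case will no longer know the certificate install is optional for this flow, and the removal should be reverted or the sentence moved.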