[ZT] Infrastructure access #16763

Merged 45 commits on Sep 19, 2024
Changes from 35 commits

Commits (45)
841aa2b move browser-rendered terminal to new page (ranbel, Sep 9, 2024)
1e3473c account limits (ranbel, Sep 10, 2024)
1c9f7fb new infrastructure access how-to (ranbel, Sep 10, 2024)
0e7bd17 Update src/content/docs/cloudflare-one/applications/non-http/infrastr… (ranbel, Sep 10, 2024)
45a8896 Merge branch 'production' into ranbel/infrastructure-access (ranbel, Sep 10, 2024)
35b3de5 non-http overview (ranbel, Sep 12, 2024)
e519cb9 move ssh note (ranbel, Sep 12, 2024)
d1b5864 define target (ranbel, Sep 12, 2024)
299785f add SSH logging partial (ranbel, Sep 12, 2024)
7bb4eee use SSH logging partial (ranbel, Sep 12, 2024)
13c9f4c start reworking ssh page (ranbel, Sep 12, 2024)
d60bbb4 Apply suggestions from code review (ranbel, Sep 12, 2024)
53f00b0 Update src/content/glossary/cloudflare-one.yaml (ranbel, Sep 12, 2024)
32971ab clean up warp to tunnel (ranbel, Sep 13, 2024)
3578843 ssh instructions (ranbel, Sep 13, 2024)
dcae6ea example warp-cli output (ranbel, Sep 13, 2024)
a63a3d0 edit overviews (ranbel, Sep 13, 2024)
2232350 edit sidebar text (ranbel, Sep 13, 2024)
cd62681 target ip requirements (ranbel, Sep 16, 2024)
06bac8e create cloudflare authentication folder (ranbel, Sep 16, 2024)
bc3ace2 redirect users from old SSH workflows (ranbel, Sep 16, 2024)
c0eebd6 logpush is enterprise only (ranbel, Sep 16, 2024)
e83691d add "New" badge to sidebar (ranbel, Sep 16, 2024)
78af9ba sharon's feedback (ranbel, Sep 17, 2024)
46a7c88 ann ming's feedback part 1 (ranbel, Sep 17, 2024)
5c65f23 Merge branch 'production' into ranbel/infrastructure-access (ranbel, Sep 17, 2024)
0bc03d3 Merge branch 'production' into ranbel/infrastructure-access (ranbel, Sep 17, 2024)
8867cbf Merge branch 'ranbel/infrastructure-access' of github.com:cloudflare/… (ranbel, Sep 17, 2024)
f9599c8 fix broken link (ranbel, Sep 18, 2024)
a089cd3 Merge branch 'production' into ranbel/infrastructure-access (ranbel, Sep 18, 2024)
61a683f fix broken link (ranbel, Sep 18, 2024)
35e70b7 rework IA (ranbel, Sep 18, 2024)
6bea556 fix links (ranbel, Sep 18, 2024)
1e1af86 add api examples (ranbel, Sep 18, 2024)
ab2509b edit cloudflared auth note (ranbel, Sep 18, 2024)
758a22d add step to install the Cloudflare cert (ranbel, Sep 18, 2024)
20261c2 Update src/content/partials/cloudflare-one/access/add-infrastructure-… (ranbel, Sep 18, 2024)
78b0310 remove warp-cli target list (ranbel, Sep 18, 2024)
c11c372 remove ssh key in dash (ranbel, Sep 18, 2024)
f6e1902 add API example (ranbel, Sep 18, 2024)
fb282a1 edit code block format (ranbel, Sep 18, 2024)
4051e3b link to API docs (ranbel, Sep 18, 2024)
7e8bee7 apply sharon's feedback (ranbel, Sep 18, 2024)
b5af325 clarify disable ssh command logging (ranbel, Sep 18, 2024)
205279c clarify legacy label (ranbel, Sep 19, 2024)
6 changes: 4 additions & 2 deletions public/_redirects
Expand Up @@ -86,7 +86,7 @@
/access/ssh/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301
/cloudflare-one/tutorials/ssh/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301
/cloudflare-one/tutorials/ssh-browser/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301
/access/ssh/short-live-cert-server/ /cloudflare-one/identity/users/short-lived-certificates/ 301
/access/ssh/short-live-cert-server/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301
/access/ssh/ssh-guide/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301

# ai
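Review bot: the updated `/access/ssh/short-live-cert-server/` entry points straight at `/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/` instead of the old short-lived-certificates page, which is the right call since that page is itself redirected further down in this file; it avoids a chained 301. Confirm the ssh-infrastructure-access page actually ships in this PR, because it is not among the files shown in this 35-commit view.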
Expand Down Expand Up @@ -1522,6 +1522,7 @@
/cloudflare-one/analytics/access/ /cloudflare-one/insights/analytics/access/ 301
/cloudflare-one/analytics/gateway/ /cloudflare-one/insights/analytics/gateway/ 301
/cloudflare-one/analytics/users/ /cloudflare-one/insights/logs/users/ 301
/cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
/cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301
/cloudflare-one/connections/connect-apps/install-and-setup/setup/ /cloudflare-one/connections/connect-networks/get-started/ 301
/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas/ /cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/ 301
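Review bot: the new `/cloudflare-one/applications/non-http/arbitrary-tcp/` redirect implies the arbitrary TCP page has moved under `cloudflared-authentication/`, but that file move is not among the files shown here; make sure the move lands in the same merge as this redirect so the old URL never 301s to a missing page. Placement between the `analytics` and `connect-apps` entries keeps the list in alphabetical order.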
Expand Down Expand Up @@ -1607,6 +1608,7 @@
/cloudflare-one/identity/login-page/ /cloudflare-one/applications/login-page/ 301
/cloudflare-one/applications/custom-pages/ /cloudflare-one/applications/ 301
/cloudflare-one/identity/service-auth/service-tokens/ /cloudflare-one/identity/service-tokens/ 301
/cloudflare-one/identity/users/short-lived-certificates/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301
/cloudflare-one/identity/users/validating-json/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301
/cloudflare-one/policies/lists/ /cloudflare-one/policies/gateway/lists 301
/cloudflare-one/policies/zero-trust/ /cloudflare-one/policies/access/ 301
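Review bot: with `/cloudflare-one/identity/users/short-lived-certificates/` now redirecting, grep the docs source for remaining internal links to that path and repoint them at the new ssh-infrastructure-access URL directly; internal links should not depend on the 301 staying in place.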
Expand Down Expand Up @@ -1653,7 +1655,7 @@
/cloudflare-one/tutorials/secure-dns-network/ /cloudflare-one/connections/connect-devices/agentless/dns/locations/ 301
/cloudflare-one/tutorials/share-new-site/ /cloudflare-one/connections/connect-networks/get-started/ 301
/cloudflare-one/tutorials/single-command/ /cloudflare-one/connections/connect-networks/get-started/ 301
/cloudflare-one/tutorials/ssh-cert-bastion/ /cloudflare-one/identity/users/short-lived-certificates/ 301
/cloudflare-one/tutorials/ssh-cert-bastion/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301
/cloudflare-one/tutorials/ssh-service-token/ /cloudflare-one/identity/service-tokens/ 301
/cloudflare-one/tutorials/smb/ /cloudflare-one/connections/connect-networks/use-cases/smb/ 301
/cloudflare-one/tutorials/split-tunnel/ /cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/ 301
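Review bot: the `ssh-cert-bastion` tutorial now lands on the Infrastructure Access SSH page, consistent with the other two short-lived-certificate redirects in this file. Check that the new page covers the bastion (jump host) scenario the old tutorial URL promises; if it does not, a short pointer on the new page would keep readers following the old link from being stranded.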
2 changes: 2 additions & 0 deletions src/content/docs/cloudflare-one/account-limits.mdx
Expand Up @@ -24,6 +24,7 @@ This page lists the default account limits for rules, applications, fields, and
| Rules count per application | 1,000 |
| Rules count per group | 1,000 |
| Domains per application | 5 |
| Infrastructure targets | 300 |

## Gateway

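Review bot: the other rows in this Access table state their scope (`per application`, `per group`), while `Infrastructure targets` does not; rename it to something like `Infrastructure targets per account` so readers know whether 300 is an account-wide limit or a per-application one.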
Expand Down Expand Up @@ -75,5 +76,6 @@ This page lists the default account limits for rules, applications, fields, and
| mTLS certificates name | 350 |
| Service token name | 350 |
| IdP name | 350 |
| Target name | 255 |
| Application URL | 63 |
| Team domain | 63 |
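Review bot: `Target name` here and `Infrastructure targets` in the table above use different terms for the same object; `Infrastructure target name` in both places would keep the pages consistent. The 255-character limit also differs from the 350 used for the adjacent Access name rows; if that is intentional, fine, otherwise double-check the value against what the API actually enforces.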
@@ -0,0 +1,26 @@
---
pcx_content_type: how-to
title: Browser-rendered terminal
sidebar:
order: 3

---

Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser.

:::note
You can only enable browser rendering on domains and subdomains, not for specific paths.
:::

## Enable browser rendering

To enable browser rendering:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
4. In the **Settings** tab, scroll down to **Additional settings**.
5. For **Browser rendering**, choose *SSH* or *VNC*.
6. Select **Save application**.

When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.
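Review bot: step 2 links `connecting the server to Cloudflare` only to the SSH use case although the step explicitly covers VNC applications too; link the VNC use case as well or drop the protocol-specific link. The blank line inside the frontmatter (between `order: 3` and the closing `---`) is harmless but inconsistent with the updated `Client-side cloudflared (legacy)` frontmatter in this PR, which drops its blank line.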
@@ -0,0 +1,23 @@
---
pcx_content_type: how-to
title: Enable automatic cloudflared authentication
sidebar:
order: 2

---

When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page:

![Access request prompt page displayed after logging in with cloudflared.](~/assets/images/cloudflare-one/applications/non-http/access-screen.png)

Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session.

To enable automatic `cloudflared` authentication:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
2. Locate your application and select **Configure**.
3. In the **Settings** tab, scroll down to **Additional settings**.
4. Turn on **Enable automatic cloudflared authentication**.
5. Select **Save application**.

This option will still prompt a browser window in the background, but authentication will now happen automatically.
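Review bot: `This option will still prompt a browser window in the background` is awkward; suggest `will still open a browser window in the background`. Step 2 (`Locate your application`) could also say that this is the non-HTTP application users reach with `cloudflared access`, mirroring the more specific wording in step 2 of the browser-rendering page.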
@@ -1,9 +1,9 @@
---
pcx_content_type: how-to
title: Connect using cloudflared
title: Client-side cloudflared (legacy)
sidebar:
order: 11

order: 4
tableOfContents: false
---

With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the WARP client. This method requires you to onboard a domain to Cloudflare and install `cloudflared` on both the server and the user's device.
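Review bot: the title now carries `(legacy)`, but the body still presents the method neutrally; add the `Not recommended for new deployments` note that the non-HTTP index in this PR shows under this method, and point to Access for Infrastructure as the alternative, so readers arriving via the redirects see the same guidance here.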
Expand All @@ -12,33 +12,14 @@ Users log in to the application by running a `cloudflared access` command in the

:::note

Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/policies/access/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances.
Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/policies/access/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances.
:::

## Setup

For examples of how to connect to Access applications with `cloudflared`, refer to these tutorials:

* [Connect through Access using a CLI](/cloudflare-one/tutorials/cli/)
* [Connect through Access using kubectl](/cloudflare-one/tutorials/kubectl/)
* [Connect over SSH with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-cloudflared-access)
* [Connect over RDP with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/rdp/#connect-to-rdp-server-with-cloudflared-access)
* [Connect over SMB with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/smb/)

## Automatic `cloudflared` authentication

When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page:

![Access request prompt page displayed after logging in with cloudflared.](~/assets/images/cloudflare-one/applications/non-http/access-screen.png)

Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session.

To enable automatic `cloudflared` authentication:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
2. Locate your application and select **Configure**.
3. In the **Settings** tab, scroll down to **Additional settings**.
4. Turn on **Enable automatic cloudflared authentication**.
5. Select **Save application**.

This option will still prompt a browser window in the background, but authentication will now happen automatically.
* [Connect over arbitrary TCP with cloudflared](/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/)
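Review bot: the `## Setup` list now has a single bullet (arbitrary TCP), and the removed links to the CLI, kubectl, SSH, RDP and SMB tutorials are not replaced; if those pages still exist they should stay reachable from here, otherwise reword the heading and intro sentence for a single link. The `Automatic cloudflared authentication` section deleted here moved to its own page, so add a link to it from this page to keep the option discoverable. The note lines at the top of the hunk read identically on both sides, so that change appears to be whitespace only.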
52 changes: 27 additions & 25 deletions src/content/docs/cloudflare-one/applications/non-http/index.mdx
@@ -1,44 +1,46 @@
---
pcx_content_type: how-to
title: Add non-HTTP applications
pcx_content_type: concept
title: Non-HTTP applications
sidebar:
order: 2
order: 1

---

You can secure non-HTTP applications by [connecting your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare. Users reach the application by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.
Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications.

## Setup
:::note
Non-HTTP applications require [connecting your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare. For more details, refer to our [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide.
:::

For a comprehensive overview of how to connect a private network, refer to our implementation guide:
## WARP client

* [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/)
Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.

To connect to an application over a specific protocol, refer to these tutorials:
If you would like to define how users access specific infrastructure servers within your network, create an infrastructure application in [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/). Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
- Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server.
- Eliminate SSH keys by using short-lived certificates to authenticate users.
- Export SSH command logs to a storage service or SIEM solution using [Logpush](/logs/about/).

* [Connect over SSH with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-warp-to-tunnel)
* [Connect over SMB with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/smb/#connect-to-smb-server-with-warp-to-tunnel)
* [Connect over RDP with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/rdp/#connect-to-rdp-server-with-warp-to-tunnel)
## Clientless access

## Enable browser rendering
Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported, and user email prefixes must match their username on the server.

Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser.

:::note
### Browser-rendered terminal

Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser.

You can only enable browser rendering on domains and subdomains, not for specific paths.

### Client-side cloudflared (legacy)

:::note
Not recommended for new deployments.
:::

To enable browser rendering:
Users can log in to the application by installing `cloudflared` on their device and running a hostname-specific command in their terminal. For more information, refer to [cloudflared authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/).

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
4. In the **Settings** tab, scroll down to **Additional settings**.
5. For **Browser rendering**, choose *SSH* or *VNC*.
6. Select **Save application**.
## Related resources

To connect to an application over a specific protocol, refer to these tutorials:

When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.
* [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/)
* [SMB](/cloudflare-one/connections/connect-networks/use-cases/smb/)
* [RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/)
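Review bot: `allows users to connect over SSH and VNC without any configuration` overstates it, since the linked browser-rendering page requires enabling browser rendering per application and only supports Allow and Block policies; `without installing client software` matches the `Clientless access` paragraph above. The `Access for Infrastructure` bullets use `-` while the `Related resources` list uses `*`; keep one list marker within the file. The sentence `You can only enable browser rendering on domains and subdomains, not for specific paths` is now a bare paragraph between the browser-rendered terminal paragraph and the legacy subsection; either wrap it in `:::note` like the other callouts on this page or fold it into the terminal paragraph.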