From 31b6e15b9d6883a4bef546fea255f90d073104f5 Mon Sep 17 00:00:00 2001
From: Ann Ming Samborski
Date: Tue, 8 Oct 2024 12:07:11 -0700
Subject: [PATCH 1/8] initial commit
---
 .../non-http/infrastructure-apps.mdx | 2 ++
 .../ssh/ssh-infrastructure-access.mdx | 5 +++--
 .../cloudflare-one/access/add-target.mdx | 2 +-
 .../cloudflare-one/ssh/ssh-proxy-ca.mdx | 22 +++++++++++++++++--
 4 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
index 99691288714e5f5..f95997a94ed6c15 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
@@ -56,6 +56,8 @@ Certain protocols require configuring the server to trust connections through Ac
 Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
+SSH with Access for Infrastructure also supports `scp` and `rsync` functions. At this time, `sftp` is not supported.
+
 ### Connect to different VNET
 To connect to targets that are in different VNETS, users will need to [switch their connected virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) in the WARP client.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index e711069ae6e591e..f63b29fe34825ec 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -25,8 +25,9 @@ import { Tabs, TabItem, Badge, Render } from "~/components";
 To connect your devices to Cloudflare:
 1. [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices in Gateway with WARP mode.
-2. Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your devices.
-3. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
+2. [Enable proxy mode for WARP](/cloudflare-one/connections/connect-networks/warp/warp-modes/#proxy-mode).
+3. Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your devices.
+4. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
 ## 3. Route private network IPs through WARP
diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx
index b61a3131c9b34d0..85db5559e3a7d19 100644
--- a/src/content/partials/cloudflare-one/access/add-target.mdx
+++ b/src/content/partials/cloudflare-one/access/add-target.mdx
@@ -11,7 +11,7 @@ To create a new target:
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Targets**.
 2. Select **Add a target**.
 3. In **Target hostname**, enter a user-friendly name for the target resource. We recommend using the server hostname, for example `production-server`. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.
diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
index 468dd2840eff89c..74723ab13f27b9a 100644
--- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
+++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
@@ -5,7 +5,7 @@ import { Render } from "~/components"
-1. Make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers.
+1. If you have not yet generated your Cloudflare SSH CA, make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers.
 ```bash
 curl --request POST \
@@ -14,4 +14,22 @@ import { Render } from "~/components"
 --header "X-Auth-Key: "
 ```
-2. Copy the `public_key` value returned in the response.
\ No newline at end of file
+2. If you have already created your Cloudflare SSH CA or try the above and receive the error message, "access.api.error.gateway_ca_already_exists," modify the above command to a `GET` request instead.
+
+ ```bash
+ curl --request GET \
+ "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
+ --header "X-Auth-Email: " \
+ --header "X-Auth-Key: "
+ ```
+
+3. If you would like to use an API token instead of a Global API key, the token must have edit permissions for "Access: SSH Auditing" permissions. The `POST` or `GET` request should be modified to use the "Authorization: Bearer" value instead of "X-Auth-Key."
+
+ ```bash
+ curl --request POST \
+ "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
+ --header "X-Auth-Email: " \
+ --header "Authorization: Bearer "
+ ```
+
+4. Copy the `public_key` value returned in the response.
\ No newline at end of file
From d9106c1192f5fbf1b8625b277e110a77de0485e3 Mon Sep 17 00:00:00 2001
From: Ann Ming Samborski
Date: Tue, 8 Oct 2024 13:43:04 -0700
Subject: [PATCH 2/8] More updates to SSH for Access for Infrastructure
---
 .../use-cases/ssh/ssh-infrastructure-access.mdx | 4 ++++
 src/content/partials/cloudflare-one/access/add-target.mdx | 2 +-
 src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index 84dd41962a676b1..ff3d8dffb8b1ab0 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -63,6 +63,10 @@ To generate a Cloudflare SSH CA and get its public key:
 ### Modify your SSHD config
+:::note
+For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600 in order for the configuration to work. "
+:::
+
 ### Restart your SSH server
diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx
index 85db5559e3a7d19..deadf4d63998fe7 100644
--- a/src/content/partials/cloudflare-one/access/add-target.mdx
+++ b/src/content/partials/cloudflare-one/access/add-target.mdx
@@ -16,7 +16,7 @@ To create a new target:
 3. In **Target hostname**, enter a user-friendly name for the target resource. We recommend using the server hostname, for example `production-server`. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.
 - Case insensitive
- - Contain no more than 255 characters
+ - Contain no more than 253 characters
 - Contain only alphanumeric characters, `-`, or `.` (no spaces allowed)
 - Start and end with an alphanumeric character
diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
index 74723ab13f27b9a..abbb82f2a771b86 100644
--- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
+++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
@@ -32,4 +32,4 @@ import { Render } from "~/components"
 --header "Authorization: Bearer "
 ```
-4. Copy the `public_key` value returned in the response.
\ No newline at end of file
+4. Copy the `public_key` value returned in the response.
From 7664f75569c6b7c98accf620db9f6321ab2a068e Mon Sep 17 00:00:00 2001
From: Ann Ming Samborski
Date: Tue, 8 Oct 2024 13:46:30 -0700
Subject: [PATCH 3/8] Update ssh-infrastructure-access.mdx small wording change
---
 .../use-cases/ssh/ssh-infrastructure-access.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index ff3d8dffb8b1ab0..634de4e79533c48 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -64,7 +64,7 @@ To generate a Cloudflare SSH CA and get its public key:
 :::note
-For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600 in order for the configuration to work. "
+For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600. "
 :::
 ### Restart your SSH server
From 019d0b239b12ce7b07370827d974f9dedd8097f5 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Wed, 9 Oct 2024 18:23:47 -0400
Subject: [PATCH 4/8] update API commands
---
 .../cloudflare-one/ssh/ssh-proxy-ca.mdx | 50 ++++++++-----------
 1 file changed, 22 insertions(+), 28 deletions(-)
diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
index abbb82f2a771b86..1ee08d6eb0246ba 100644
--- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
+++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
@@ -3,33 +3,27 @@ ---
-import { Render } from "~/components"
-
-1. If you have not yet generated your Cloudflare SSH CA, make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers.
-
- ```bash
- curl --request POST \
- "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
- --header "X-Auth-Email: " \
- --header "X-Auth-Key: "
- ```
-
-2. If you have already created your Cloudflare SSH CA or try the above and receive the error message, "access.api.error.gateway_ca_already_exists," modify the above command to a `GET` request instead.
-
- ```bash
- curl --request GET \
- "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
- --header "X-Auth-Email: " \
- --header "X-Auth-Key: "
- ```
-
-3. If you would like to use an API token instead of a Global API key, the token must have edit permissions for "Access: SSH Auditing" permissions. The `POST` or `GET` request should be modified to use the "Authorization: Bearer" value instead of "X-Auth-Key."
-
- ```bash
- curl --request POST \
- "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
- --header "X-Auth-Email: " \
- --header "Authorization: Bearer "
- ```
+import { Render, Details } from "~/components"
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+ | Type | Item | Permission |
+ | ------- | ---------------- | ---------- |
+ | Account | Access: SSH Auditing | Edit |
+
+2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API:
+
+ ```bash
+ curl --request POST \
+ "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
+ --header "Authorization: Bearer "
+ ```
+
+3. 
If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead:
+
+ ```bash
+ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca \
+ --header "Authorization: Bearer "
+ ```
 4. Copy the `public_key` value returned in the response.
From 6bec92a96da9364e27de269a6137b1cd6d8dada1 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Mon, 14 Oct 2024 12:41:40 -0400
Subject: [PATCH 5/8] move supported SSH commands
---
 .../applications/non-http/infrastructure-apps.mdx | 2 --
 .../use-cases/ssh/ssh-infrastructure-access.mdx | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
index f95997a94ed6c15..99691288714e5f5 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
@@ -56,8 +56,6 @@ Certain protocols require configuring the server to trust connections through Ac
 Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
-SSH with Access for Infrastructure also supports `scp` and `rsync` functions. At this time, `sftp` is not supported.
-
 ### Connect to different VNET
 To connect to targets that are in different VNETS, users will need to [switch their connected virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) in the WARP client.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index 634de4e79533c48..6e650c3e27b27b3 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -78,6 +78,8 @@ Users can use any SSH client to connect to the target, as long as they are logge
 ssh @
 ```
+SSH with Access for Infrastructure also supports `scp` and `rsync` commands. At this time, `sftp` is not supported.
+
 For more information, refer to the [Access for Infrastructure documentation](/cloudflare-one/applications/non-http/infrastructure-apps/#connect-as-a-user).
 ## SSH command logs
From 30c4bdd918dbde65a799e488d2cb7fcf61c169fe Mon Sep 17 00:00:00 2001
From: Ann Ming Samborski
Date: Mon, 21 Oct 2024 16:32:25 -0700
Subject: [PATCH 6/8] Responding to comments and removing unneeded step to install CF root CA
---
 .../applications/non-http/infrastructure-apps.mdx | 1 -
 .../use-cases/ssh/ssh-infrastructure-access.mdx | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
index 89468a834912b71..592f0a06bc74d3c 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
@@ -37,7 +37,6 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
 - [Connect your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare using `cloudflared` or WARP Connector.
 - [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on user devices in Gateway with WARP mode.
-- Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on user devices.
 ## 1. Add a target
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index 2928fb896f108c0..af1a915912f55b5 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -60,7 +60,9 @@ To generate a Cloudflare SSH CA and get its public key:
 :::note
-For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600. "
+For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600.
+
+This can be done with the following command: `chmod 600 /etc/ssh/ca.pub`.
 :::
 ### Restart your SSH server
From 90a6bdcdc916d18ef127a66f3d02336373abaead Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Tue, 22 Oct 2024 12:23:52 -0400
Subject: [PATCH 7/8] Apply suggestions from code review
---
 .../use-cases/ssh/ssh-infrastructure-access.mdx | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index af1a915912f55b5..eac3388a7c2793c 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -25,9 +25,8 @@ import { Tabs, TabItem, Badge, Render } from "~/components";
 To connect your devices to Cloudflare:
 1. [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices in Gateway with WARP mode.
-2. [Enable proxy mode for WARP](/cloudflare-one/connections/connect-networks/warp/warp-modes/#proxy-mode).
-3. Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your devices.
-4. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
+2. [Enable the Gateway proxy for TCP](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy).
+3. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
 ## 3. Route private network IPs through WARP
From 1407f2c108f121729b372a80fa9a3319bf812d00 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Tue, 22 Oct 2024 12:41:30 -0400
Subject: [PATCH 8/8] style guide update
---
 .../use-cases/ssh/ssh-infrastructure-access.mdx | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index eac3388a7c2793c..29d7dd649fe6854 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -59,9 +59,11 @@ To generate a Cloudflare SSH CA and get its public key:
 :::note
-For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600.
+For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to `600`. You can set file permissions with the following command:
-This can be done with the following command: `chmod 600 /etc/ssh/ca.pub`.
+```sh
+chmod 600 /etc/ssh/ca.pub
+```
 :::
 ### Restart your SSH server