Cloudflare Access & Tunnels

This page is marked as "earlydoc", which means that it more of a collection of notes and an early draft before this page turns into good documentation later on. It is hoped that this early form of documentation is useful to you, but please understand that most documentation pages are higher quality than this. If you have suggestions or comments, please do get in contact or consider contributing your suggestions to the OliveTin documentation.

Several uses use Cloudflare Access & Tunnels to grant access to OliveTin. There is no special configuration needed for OliveTin to work in this way, simply setup your Cloudflare tunnel to connect to OliveTin on port 1337.

Trusting the Cloudflare JWT Token

  1. Get your AUD Tag (authJwtAud)

    1. Login to your CloudFlare dashboard and go to Zero Trust

    2. Go to Access > Applications.

    3. Select Configure for your application.

    4. On the Overview tab, copy the Application Audience (AUD) Tag.

  2. Get your Team Domain (authJwtDomain)

    1. Login to your CloudFlare dashboard and go to Zero Trust

    2. Go to Settings

    3. Go to Custom Pages

    4. Your Team Domain is shown here

  3. Get your Certs URL (authJwtCertsURL)

    1. Simply add cdn-cgi/access/certs to your Team Domain for CloudFlare

  4. CloudFlare gives you an email in the claim (authJwtClaimUsername) and the Cookie is always called CF_Authorization (authJwtCookieName)

  5. Setup your OliveTin config.yaml like follows;

config.yaml
authJwtAud: "asdf1234"
authJwtDomain: "https://mydomain.cloudflareaccess.com"
authJwtCertsURL: "https://mydomain.cloudflareaccess.com/cdn-cgi/access/certs"
authJwtClaimUsername: email
authJwtCookieName: "CF_Authorization"

You may well want to set logLevel: DEBUG and insecureAllowDumpJwtClaims: true in your config when testing JWT for the first time.

Trusting the authentication header (not recommended)

If you are using Cloudflare Access, and want to use the username given by Cloudflare in OliveTin ACLs, then you can use the Cloudflare cookie like this;

config.yaml
authHttpHeaderUsername: "Cf-Access-Authenticated-User-Email"

defaultPermissions:
    view: false
    exec: false

accessControlLists:
    - name: Admins
      addToEveryAction: true
      matchUsernames:
        - contact@jread.com
      permissions:
        view: true
        exec: true

actions:
  - title: test apprise
    shell: date
    shellAfterCompleted: "apprise -c /config/apprise.yml -t 'notification: test' -b 'date is {{ stdout }}'"
OliveTin does support JWT cookies that Cloudflare uses, which is arguably more secure. It’s just that nobody in the Discord has worked out how to get the keys needed from Cloudflare to decrypt this cookie yet! See the [jwt] documentation for some starter points. If you figure this out, it would be most welcome to share your solution with the community.