Cloudflare Access Guide #9710

Open
4d62ext opened this issue May 13, 2024 · 1 comment · May be fixed by #9713
Labels
enhancement New feature or request

Comments


4d62ext commented May 13, 2024

Is your feature request related to a problem? Please describe.
Part of my self-hosted applications are running on Cloudflare Tunnels, which allow easy protection with Access. Unfortunately, Authentik does not provide a guide on how to set up an "application" for CF Access.

Describe the solution you'd like
Documentation created. I set it up myself and I wouldn't mind opening a pull request with my implementation. I'll probably create one in a few hours.

Describe alternatives you've considered
Proxying all applications with a reverse proxy. It's just not possible 100% of the time in certain use cases.


4d62ext added the enhancement (New feature or request) label May 13, 2024
4d62ext linked a pull request May 13, 2024 that will close this issue

gitmotion commented May 22, 2024

assuming you have a reverse proxy installed already that is exposed to your cloudflare tunnel and have authentik working locally, you would use the local proxy url of your application in the host section of cf tunnels. so instead of exposing the docker container directly in your cf tunnel, you would use the mydockerinstance.local.mydomain.com if that makes sense. you would also need to map/expose the actual external url host.domain.com subdomain in your reverse proxy that points to your container or authentik instance depending on how you are proxying with authentik. that way when you access the external url from cloudflare your reverse proxy manager routes it to the resource, which in this case would be attached to/with authentik

in authentik i treated internal and external access as two separate brands by creating separate outposts to handle local and external requests. this means you'll have to create separate versions of local vs external providers, applications, and brand. then add all the local providers/apps to the local outpost and external providers/apps to the external outpost. and point the local outpost to the local url and the external outpost to point to the external url. most of the settings will be the same when setting up the two providers and applications, just the url, referencing provider, names, and slugs will be different.

that way when you're accessing externally it redirects to external authentik and when accessing internally it redirects to the local authentik. this is assuming you also included authentik in your cloudflare tunnel. i didn't see any documentation on this either so i'm not sure if this is the official way/feels lowkey hacky but i was able to get it working this way. i did it this way so i didn't have to create a whole separate instance of authentik for local vs external.

  • if any devs/mods are reading this it would be great if we could define multiple hosts/domains/urls for one provider in the proxy section

then in your reverse proxy create a host that handles both or just create a wildcard subdomain if possible for both external and local versions independently if that makes sense
