Setting Up Cloudflare Access

I’ve been a fan of Cloudflare for a while now. I love how fast they can propagate DNS changes and I typically like to use them as a DNS resolver. An issue that I’ve run into many times is how to protect something with MFA (Multi-Factor Authentication) that doesn’t have any support for MFA.

This problem is common with legacy web applications and very common with SCADA (Supervisory Control And Data Acquisition) web applications. The issue I was trying to solve was how to put MFA in front of a SCADA web application.

I decided to use Cloudflare Access. Cloudflare Access goes by a few names, among them Cloudflare Zero Trust Network Access (ZTNA), Cloudflare Access, and Cloudflare Zero Trust Access. For simplicity I’m going to refer to it as Cloudflare Access.

Cloudflare Access is really nice because you can put it in front of any web application and it will require the user to authenticate before they can even reach the website.

If you have a lot of applications like this, you can even set it up so the users can log in to a portal to see all of the applications that are available to them. You can do all of this without the user having to install anything. What’s even better is that it’s free for 50 users.

Here’s how I set up a SCADA web app with Cloudflare Access.

Prerequisites

For everything to go smoothly here are a few things that should be in place first

You can also use a Cloudflare tunnel. My post Cloudflare Tunnel with Docker will show you how to set up the tunnel.

Initial setup

Cloudflare Zero Trust Access Applications
Add a Cloudflare Zero Trust Access Application
Self-hosted option for Add a Cloudflare Zero Trust Access Application

Configuring the app

Session duration is how long the user can access the application until they need to log in to Cloudflare Access again.

Your settings should look similar to this.

Cloudflare Zero Trust Access SCADA application example

You also have the option to show the app in an app launcher.

Cloudflare Zero Trust Access App Launcher options
Cloudflare Zero Trust Access App Identity Providers

Configuring the policies

Now we need to configure the Policies

It should look something like this

Cloudflare Zero Trust Access App Policy

It should look something like this. (I set mine to only allow access to one specific email address)

Cloudflare Zero Trust Access App policies include rule example
Completing Cloudflare Zero Trust Access application addition

Now you should see your application in your Applications list

Cloudflare Zero Trust Access list of Applications

Testing it

If you go to the URL of the web application you should now see a Cloudflare Access login page.

Here’s what mine looks like.

Cloudflare Zero Trust Access Login Wall Example

Now if I enter the email address I specified in the Allow SCADA Access policy, I will get an email with the code and I will be able to access the SCADA web app.

Here’s an example of the login code email

Example of the One-time PIN email
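
The login-wall check from this section can also be scripted so it runs after every policy change. This is an added example, not code from the original post: it assumes Access answers an unauthenticated request with a redirect to `<team>.cloudflareaccess.com/cdn-cgi/access/login/<app hostname>`, and `scada.example.com`, `myteam` and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

# Assumption: Access answers an unauthenticated request with a redirect to
# https://<team>.cloudflareaccess.com/cdn-cgi/access/login/<app hostname>.
ACCESS_SUFFIX = ".cloudflareaccess.com"
LOGIN_PATH = "/cdn-cgi/access/login/"
REDIRECTS = (301, 302, 303, 307, 308)


def classify(status, location, app_host):
    """Classify one cookie-less response as protected, exposed or unknown."""
    if 200 <= status < 300:
        return "exposed"  # content was served without any login
    if status in REDIRECTS and location:
        target = urlsplit(location)
        host = (target.hostname or "").lower()
        if host.endswith(ACCESS_SUFFIX) and target.path.startswith(LOGIN_PATH):
            # The login URL names the application hostname it protects.
            named = target.path[len(LOGIN_PATH):].split("/")[0].lower()
            if named == app_host.lower():
                return "protected"
    return "unknown"  # other redirect or error: inspect by hand


def probe(app_host, path="/"):
    """Send one GET with no cookies, without following redirects."""
    conn = http.client.HTTPSConnection(app_host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"), app_host)
    finally:
        conn.close()


# Constructed sample responses, not captured from a real deployment.
APP = "scada.example.com"
SAMPLES = [
    (302, "https://myteam.cloudflareaccess.com/cdn-cgi/access/login/"
          "scada.example.com?kid=PLACEHOLDER&redirect_url=%2F"),
    (200, None),
    (302, "https://cloudflareaccess.com.login.example/cdn-cgi/access/login/"
          "scada.example.com"),
    (301, "https://scada.example.com/"),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, location, "->", classify(status, location, APP))
```

Call `probe()` with your own hostname to run the check live; an `exposed` or `unknown` result means the response should be inspected by hand.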

A few things to note

Cloudflare Access is part of the Cloudflare Zero Trust platform. Once you start playing with it, the sky’s the limit. You can read more about Cloudflare Access here.
