//nbkelley /homelab

Cloudflare Access Setup for Protected Sections

What Was Established

  • Methodology for securing specific website paths or subdomains using Cloudflare Zero Trust Access.
  • Authentication does not rely on traditional .htaccess or server-side auth; Cloudflare handles it at the edge.
  • Prerequisites: Cloudflare domain, Paid/Zero Trust plan (free tier supports up to 50 users).

Key Decisions

  • Identity Provider Choice: One-time PIN (OTP) recommended for simplicity and shared access without managing user lists. Alternatives include Google/GitHub or specific email allowlists.
  • Policy Structure: “Allow Authenticated Users” policy with wildcard email matching (*), which admits any address that can receive the PIN, or specific domain matching (*@domain.com).
  • Edge-Based Protection: No server-side configuration changes required; protection occurs before requests hit the origin server.
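
One way to check that the edge-based protection is actually in force once the pattern is applied to a service (an added example, not part of the original notes). It assumes Access sends unauthenticated requests to a login page under `cloudflareaccess.com`; the hostnames and sample responses are constructed.

```bash
#!/usr/bin/env bash
# Reads the response headers of ONE unauthenticated request on stdin, e.g.
#   curl -sI https://npm.example.com/admin/ | access_gate_status
# and prints: protected (redirect to a *.cloudflareaccess.com login),
# exposed (2xx served with no login step), or inconclusive (anything else).
access_gate_status() {
  local line status location host cr
  status=""; location=""; cr=$(printf '\r')
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%"$cr"}"                # curl prints CRLF line endings
    case "$line" in
      HTTP/*)                           # "HTTP/2 302" or "HTTP/1.1 200 OK"
        status="${line#* }"; status="${status%% *}"; location="" ;;
      [Ll]ocation:*)
        location="${line#*:}"; location="${location# }" ;;
    esac
  done
  host="${location#*://}"               # drop the scheme
  host="${host%%[/?:]*}"                # keep only the hostname
  case "$status" in
    30[1-8])
      case "$host" in
        *.cloudflareaccess.com) echo protected ;;   # assumed Access login host
        *) echo inconclusive ;;
      esac ;;
    2??) echo exposed ;;
    *)   echo inconclusive ;;
  esac
}

# Constructed sample responses (hostnames and values are placeholders).
sample_protected() {
  printf 'HTTP/2 302\r\nlocation: https://team.cloudflareaccess.com/cdn-cgi/access/login/npm.example.com\r\nserver: cloudflare\r\n\r\n'
}
sample_exposed() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}
sample_protected | access_gate_status
sample_exposed   | access_gate_status
```

Run it without `-L` on curl so the first response is the one classified; an `exposed` result on a path that should be gated means the request reached content without passing through Access.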

Current Configuration

  • Pattern established but not yet applied to specific homelab services.
  • Relevant to Nginx Proxy Manager (192.168.1.222) or Proxmox (192.168.1.69) admin interfaces if routed through Cloudflare.

Historical Notes

  • Conversation date: 2025-11-24.
  • Focuses on the Cloudflare Zero Trust dashboard workflow for self-hosted applications.
  • No changes to existing Cloudflare SSL/DNS integration patterns.

Open Questions

  • Which homelab services will leverage Cloudflare Access for admin/protected paths?
  • Will static IP bypass policies be implemented for homelab admin access?

Sources

  • ingested/chats/117-Setting Up Cloudflare Access for Website Protection.md
  • DeepSeek conversation: 2025-11-24 (Setting Up Cloudflare Access for Website Protection)