//nbkelley /homelab

Cloudflare Access Setup for Protected Sections#

What Was Established#

  • Methodology for securing specific website paths or subdomains using Cloudflare Zero Trust Access.
  • Authentication replaces traditional .htaccess or server-side auth; Cloudflare enforces it at the edge, before the request reaches the origin.
  • Prerequisites: a domain on Cloudflare and a Zero Trust plan (paid, or the free tier, which supports up to 50 users).

Key Decisions#

  • Identity Provider Choice: One-time PIN (OTP) recommended for simplicity and shared access without managing user lists. Alternatives include Google/GitHub or specific email allowlists.
  • Policy Structure: “Allow Authenticated Users” policy with wildcard email matching (*) or specific domain matching (*@domain.com).
  • Edge-Based Protection: No server-side configuration changes required; protection occurs before requests hit the origin server.

Current Configuration#

  • Pattern established but not yet applied to specific homelab services.
  • Relevant to Nginx Proxy Manager (192.168.1.222) or Proxmox (192.168.1.69) admin interfaces if routed through Cloudflare.

Historical Notes#

  • Conversation date: 2025-11-24.
  • Focuses on the Cloudflare Zero Trust dashboard workflow for self-hosted applications.
  • No changes to existing Cloudflare SSL/DNS integration patterns.

Open Questions#

  • Which homelab services will leverage Cloudflare Access for admin/protected paths?
  • Will static IP bypass policies be implemented for homelab admin access?

Sources#

  • ingested/chats/117-Setting Up Cloudflare Access for Website Protection.md
  • DeepSeek conversation: 2025-11-24 (Setting Up Cloudflare Access for Website Protection)

Git Push Authentication#

What Was Established#

  • GitHub deprecated password authentication for Git over HTTPS. Even if passwords worked previously, they are now rejected with a "password not supported" error.
  • Personal Access Tokens (PAT) or SSH keys are required for authentication.
  • 403 Permission Denied errors typically indicate stale cached credentials or insufficient token scopes.

Key Decisions#

  • Use Personal Access Tokens (PAT) for HTTPS Git operations.
  • Classic tokens require the repo scope for private repositories.
  • Fine-grained tokens require Contents (Read and write) and Metadata (Read) permissions, explicitly scoped to the target repository.

Current Configuration#

  • GitHub Username: NK-Iluvatar
  • Target Repository: MBTADashboard
  • Remote URL: https://github.com/NK-Iluvatar/MBTADashboard.git

Historical Notes#

  • Password Deprecation: GitHub enforced its 2021 policy change retroactively, blocking account passwords for Git operations over HTTPS.
  • 403 Troubleshooting: Resolved by clearing cached credentials (via git credential reject or the OS credential manager) and verifying token scopes (repo for classic tokens, Contents for fine-grained tokens).
  • Token Testing: Verified token validity using curl -H "Authorization: token TOKEN" https://api.github.com/user, with TOKEN standing in for the actual PAT.
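The two troubleshooting steps above (dropping the stale cached credential, then confirming the token's scopes) as an added example in POSIX shell; this is not from the original notes. It assumes a classic PAT, for which api.github.com reports granted scopes in the X-OAuth-Scopes response header (fine-grained tokens do not report scopes this way), and the SAMPLE_HEADERS value is a constructed stand-in for a real response.

```shell
#!/bin/sh
# Added example, not from the original homelab notes.

# Build the key=value stanza that `git credential reject` reads on stdin, so
# the credential helper forgets the stale entry for this host/user.
credential_stanza() {
  # $1 = host, $2 = username
  printf 'protocol=https\nhost=%s\nusername=%s\n\n' "$1" "$2"
}

# Drop the cached github.com credential from whatever helper is configured.
# Only called when troubleshooting a 403 after a token change.
forget_cached_credential() {
  credential_stanza github.com "$1" | git credential reject
}

# Read response headers (as saved by `curl -D`) on stdin and print the
# comma-separated scope list from X-OAuth-Scopes, with CRs stripped.
token_scopes() {
  sed -n 's/^[Xx]-[Oo][Aa]uth-[Ss]copes: *//p' | tr -d '\r'
}

# Return 0 if the required scope appears in a comma-separated scope list.
has_scope() {
  # $1 = scope list (e.g. "gist, repo"), $2 = required scope
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -qx "$2"
}

# Constructed sample of what api.github.com returns for a classic PAT that
# holds the gist and repo scopes (real responses carry many more headers).
SAMPLE_HEADERS=$(printf 'HTTP/2 200\r\nx-oauth-scopes: gist, repo\r\nx-ratelimit-limit: 5000\r\n')

# Live check (needs network and a real PAT in $GITHUB_TOKEN):
#   curl -sS -D headers.txt -o /dev/null \
#     -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user
#   has_scope "$(token_scopes < headers.txt)" repo && echo "repo scope present"
```

A missing repo scope in that list is the classic-token cause of the 403 on push described above; the fix is a new token with repo, followed by forget_cached_credential so the old one is not resent.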

Open Questions#

  • None.

Sources#

  • DeepSeek conversation (2026-02-18) regarding MBTADashboard push failures and PAT configuration.