Metabase app1/5/2024 Run a few curls to make sure all the places that should have access correctly do indeed have access and ensure you cannot access /api from an ip that isn't in the allowed service auth list. Nevertheless, you should finally have the following setup. I wish Cloudflare for teams would allow organizing paths in one central place, so you can easily view all rules at once regardless of path (some vendors have multiple path prefixes which causes a sprawl of cloudflare applications in the dashboard) - and they're not sorted alphabetically either! Some feedback for the Cloudflare team: it is difficult that all paths need to be considered their own separate application. Now you'll need to create 2 access control rules (the first is for and the other is for /api):įor the main application all you need to set is GSuite Auth:įor the API rule you can do either a bypass or a service token, but in both cases you should explicitly set the allowed IPS: Setup your GSuite Organization auth here (follow the instructions provided): Now time to setup cloudflare access by visiting. Now confirm you can access in your browser. Once your nameservers have been pointed over create an CNAME record to aptible: You should confirm you can no longer access the domain from your system by visiting the URL in your browser and seeing it hangs indefinitely. Now let's setup the ip allow list from here /ips: Then confirm its running:Īptible config: set -app metabase FORCE_SSL=true Step 3: Create endpoint and force ssl on it. Step 2: Deploy to app aptible deploy -app metabase -docker-image metabase/metabase Also all the domains here are just examples ( may be totally down when you're reading this). This article only applies for HTTP(s) Internal tools that operators will be using from chrome. Also, do NOT put your databases on any external IP space (there's almost always better ways than hole punching - ex: vpc peering or a reverse ssh proxy). However cloudflare doesn't allow someone to change the Host Header when accessing an IP address directly (this effectively means your origin nginx should be checking host header and routing based on it): /t/not-possible-to-.Īs a caveat, even with cloudflare access you should always secure the internal tool with it's own auth system as well. There is a possibility of MITM if someone else's service is hosted on CF (since they'd be able to hit your origin from CF ip space). Indeed if you needed it to be on the private network you could also use cloudflared, I may post about this at a later time. This way we'll ensure that end users must auth through Cloudflare access, still allow api endpoints to be accessed by known hosts if the path starts with /api, and restrict all other access. In this post we'll set up an installation of Metabase (the best business intelligence tool out there - seriously check them out) in Aptible and then secure it with Cloudflare access. Cloudflare offers an additional option through their zero trust model in Cloudflare Access.Ĭloudflare access supports a wide range of access control rules from multiple auth providers to fine grained access control of things like country, emails, IP ranges, browser type, certificates and request parameters such as path prefixes. Although a vendors product may have Google auth / security controls, it's good to be overly cautious and further protect access by restricting external access using a VPN device or something like tailscale in order to access internal endpoints. Often times there are applications you need to run on premise for compliance reasons related to governance and security controls (yubikey, 2fa, auditing).
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |