Zero Trust Access to cPFence WebUI Using Cloudflare Tunnel and OTP

cPFence

cPFence Important Note:
Cloudflare Zero Trust has a 100-second timeout limit. If any cPFence WebUI operation takes too long (such as bulk actions across servers),
you may see a 524: A timeout occurred error. This is a Cloudflare limitation, not a cPFence issue.
Learn more here.
To avoid this, access the WebUI directly at: http://your-server-ip:9095 when performing long tasks.

In the latest version of cPFence, we’ve managed to bypass this limitation for most tasks. Enjoy!

koboh

Am I right in thinking that the same process would work for OLS Admin/Dashboard?

Would there likely be any additional steps to make it work? I have looked over forums here and on Enhance and I couldn't see anyone asking about this.

cPFence

koboh

Yes, you can expose as many panels as you like through a single Cloudflare Tunnel, you just need to add one ingress rule per panel in your config.yml and follow the same steps.

koboh

cPFence I Have tried but not had any luck, so I think I need to review the settings. I must have something wrong. I think it might be down to the OLS web admin port being blocked. Not sure how to expose it internally only.

SvenK

Am I correct in understanding that this only works if the DNS for the domain of the Enhance-Admin-Server is managed through Cloudfair?

cPFence

SvenK

No, you can use any domain you control on Cloudflare for the tunnel, for example, cpf.myotherdomain.com.

cPFence

koboh

Try this

# Edit your ingress
nano /etc/cloudflared/config.yml
  
ingress:
  - hostname: olsadmin.example.com
    service: https://127.0.0.1:7080
    originRequest:
      noTLSVerify: true

  - hostname: your-subdomain.example.com
    service: http://localhost:9095
  - service: http_status:404
   
# Add the new dns record 
cloudflared tunnel route dns cpfence-webui olsadmin.example.com

# Restart to apply   
sudo systemctl restart cloudflared

koboh

Awesome, that worked, thank you.

I was using localhost and adding the noTLSVerify helped too.

The only change I made was, I added:

- service: http_status:404

I added this because when I validated the config.yml, I was getting the below error:

The last ingress rule must match all URLs (i.e. it should not have a hostname or path filter)

Adding the http_status at the end, cleared that error.

Oldschool

I'm getting a 403 error after logging in to the tunnel and after logging into the cpfence webui saying the IP is not whitelisted after setting up the tunnel.

Is it wanting me to whitelist cloudflare tunnel IPs?

cPFence

Oldschool

No, you don’t need to whitelist Cloudflare tunnel IPs. If set up right, the WebUI only sees localhost. Just be sure to follow all steps then verify using:

dig +short your-subdomain.example.com  # should return Cloudflare ips, not your server IP
cloudflared tunnel info cpfence-webui  # should show healthy with "origin ip" as your server IP.
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:9095   # should return 200

Oldschool

cPFence
dig shows 2 cloudflare IPs
info shows the tunnel
curl gives 200

I've restarted the webui, the tunnel is working, prompts me for email and gives me the code and then forwards me to the cpfence webui but when I put in the credentials it refreshes to the /webui page and says:
403 Forbidden

Your IP is not whitelisted to access this service.

cPFence

Oldschool

Make sure these files have the correct entries:

cat /opt/cpfence/webui/allowed_ips.txt
127.0.0.1
::1

cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback

If anything’s missing, fix it and then restart the WebUI:

cpfence --restart-webui

Oldschool

cPFence

::1 wasn't in the allowed_ips.txt
That fixed it, thank you!

microvax

Why not support dynamic DNS?

cPFence

microvax

Thank you for the suggestion, we may consider adding support for dynamic DNS in the future.

cPFence

Update:
Starting from version 3.3.85, cPFence WebUI now supports Auto SSL and automatically whitelists IPs when you log in via SSH. We recommend using direct WebUI access instead of Cloudflare tunnels to avoid timeout issues and limitations.