chore: initial commit — chat-saiden web chat baseline
This commit is contained in:
marauder-actual
@@ -0,0 +1,149 @@
|
||||
# Cloudflare dashboard setup — chat.saiden.dev (token-based)
|
||||
|
||||
Two artefacts get created in the Zero Trust dashboard:
|
||||
1. **A tunnel** (`chat-saiden`) with its public hostname.
|
||||
2. **An Access application** with Google IdP + whitelist.
|
||||
|
||||
Both are token/UI-managed (no local config files for tunnel ingress) to match the
|
||||
existing `cloudflared-mesh` and `cloudflared-tensors-art` pattern on junkpile.
|
||||
|
||||
---
|
||||
|
||||
## Part A — Create the tunnel (5 minutes)
|
||||
|
||||
### 1. Open the Networks → Tunnels page
|
||||
|
||||
Zero Trust → **Networks** → **Tunnels** → **Create a tunnel**.
|
||||
|
||||
### 2. Pick connector type
|
||||
|
||||
Choose **Cloudflared**. Click Next.
|
||||
|
||||
### 3. Name + save
|
||||
|
||||
Tunnel name: `chat-saiden`. Click **Save tunnel**.
|
||||
|
||||
### 4. Get the token (DO NOT close this page)
|
||||
|
||||
The wizard shows install instructions for several platforms. The token is the
|
||||
long base64 string inside the displayed command, e.g.:
|
||||
|
||||
```
|
||||
cloudflared.exe service install eyJhIjoiOTVhZDNiYWEyYTRlY2RhMWUzODM0MmRm... # ← THIS PART
|
||||
```
|
||||
|
||||
**Copy just the token string** (everything after `service install` for the
|
||||
Windows command, or after `--token` for the Linux command — same string either
|
||||
way). Save it for the next step.
|
||||
|
||||
### 5. Place the token on junkpile
|
||||
|
||||
```bash
|
||||
ssh junkpile
|
||||
sudo mkdir -p /etc/cloudflared
|
||||
sudo tee /etc/cloudflared/chat-saiden.env > /dev/null <<'EOF'
|
||||
TUNNEL_TOKEN=PASTE_THE_LONG_TOKEN_HERE
|
||||
EOF
|
||||
sudo chown root:chi /etc/cloudflared/chat-saiden.env
|
||||
sudo chmod 0640 /etc/cloudflared/chat-saiden.env
|
||||
```
|
||||
|
||||
⚠ Verify the file looks right:
|
||||
```bash
|
||||
sudo ls -la /etc/cloudflared/chat-saiden.env # should be -rw-r----- root:chi
|
||||
```
|
||||
|
||||
### 6. Configure the public hostname
|
||||
|
||||
Back in the wizard → **Next** → **Public Hostname** tab → **Add a public hostname**:
|
||||
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| Subdomain | `chat` |
|
||||
| Domain | `saiden.dev` |
|
||||
| Path | (leave blank) |
|
||||
| Type | `HTTP` |
|
||||
| URL | `localhost:7681` |
|
||||
|
||||
**Additional application settings → TLS → No TLS Verify** can stay off (localhost).
|
||||
**Additional application settings → Connection → Disable Chunked Encoding** must stay OFF.
|
||||
|
||||
Click **Save hostname**.
|
||||
|
||||
CF will auto-create the `chat.saiden.dev` proxy CNAME for you.
|
||||
|
||||
### 7. Verify the tunnel page
|
||||
|
||||
The tunnel page should now show:
|
||||
- Connector: **Healthy** (or "No connectors yet" if you haven't started the service)
|
||||
- Public hostname: `chat.saiden.dev → http://localhost:7681`
|
||||
|
||||
---
|
||||
|
||||
## Part B — CF Access application (5 minutes)
|
||||
|
||||
### 1. Add the Access application
|
||||
|
||||
Zero Trust → **Access** → **Applications** → **Add an application** → **Self-hosted**.
|
||||
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| Application name | `chat-saiden` |
|
||||
| Session duration | `24 hours` |
|
||||
| Application domain | `chat.saiden.dev` |
|
||||
| Path | (leave blank) |
|
||||
| Identity providers | Google |
|
||||
| Instant Auth | enabled |
|
||||
|
||||
Save → continue to policies.
|
||||
|
||||
### 2. Add the whitelist policy (THE SECURITY BOUNDARY)
|
||||
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| Policy name | `pilot-whitelist` |
|
||||
| Action | **Allow** |
|
||||
| Include rule | **Emails** = `adam.ladachowski@gmail.com` |
|
||||
|
||||
Save policy.
|
||||
|
||||
### 3. WebSocket support
|
||||
|
||||
Application **Settings → Advanced → WebSocket support** → enable.
|
||||
|
||||
This is mandatory; ttyd is WS-based.
|
||||
|
||||
### 4. Default deny (implicit, but verify)
|
||||
|
||||
With only one Allow rule, anyone not matching is denied by default — no extra
|
||||
deny rule needed. To double-check, look at the policies list: it should show
|
||||
**one** policy (`pilot-whitelist`, Allow) and nothing else.
|
||||
|
||||
---
|
||||
|
||||
## Part C — Google IdP setup (one-time, skip if already done)
|
||||
|
||||
Zero Trust → **Settings → Authentication → Login methods → Add new → Google**.
|
||||
|
||||
OAuth client ID + secret come from
|
||||
https://console.cloud.google.com → APIs & Services → Credentials.
|
||||
|
||||
Authorized redirect URI:
|
||||
```
|
||||
https://<your-team>.cloudflareaccess.com/cdn-cgi/access/callback
|
||||
```
|
||||
|
||||
Replace `<your-team>` with the team domain shown at the top of the Zero Trust
|
||||
dashboard. Save in CF wizard → click **Test**. Must succeed before moving on.
|
||||
|
||||
---
|
||||
|
||||
## Operational hygiene
|
||||
|
||||
- The TUNNEL_TOKEN is a long-lived bearer credential. If junkpile is compromised
|
||||
or you suspect the token leaked: dashboard → tunnel → **Refresh token**.
|
||||
Update `/etc/cloudflared/chat-saiden.env` and `systemctl restart
|
||||
cloudflared-chat-saiden`.
|
||||
- Audit access logs weekly: Zero Trust → **Logs → Access**.
|
||||
- To revoke a whitelist entry: edit `pilot-whitelist` policy, save. Existing
|
||||
sessions are cut on next request (session lifetime ≤ 24h by config).
|
||||
Reference in New Issue
Block a user