Cloudflare dashboard setup — chat.saiden.dev (token-based)
Two artefacts get created in the Zero Trust dashboard:
- A tunnel (chat-saiden) with its public hostname.
- An Access application with Google IdP + whitelist.
Both are token/UI-managed (no local config files for tunnel ingress) to match the
existing cloudflared-mesh and cloudflared-tensors-art pattern on junkpile.
Part A — Create the tunnel (5 minutes)
1. Open the Networks → Tunnels page
Zero Trust → Networks → Tunnels → Create a tunnel.
2. Pick connector type
Choose Cloudflared. Click Next.
3. Name + save
Tunnel name: chat-saiden. Click Save tunnel.
4. Get the token (DO NOT close this page)
The wizard shows install instructions for several platforms. The token is the long base64 string inside the displayed command, e.g.:
```
cloudflared.exe service install eyJhIjoiOTVhZDNiYWEyYTRlY2RhMWUzODM0MmRm... # ← THIS PART
```
Copy just the token string (everything after service install for the
Windows command, or after --token for the Linux command — same string either
way). Save it for the next step.
5. Place the token on junkpile
```sh
ssh junkpile
sudo mkdir -p /etc/cloudflared
sudo tee /etc/cloudflared/chat-saiden.env > /dev/null <<'EOF'
TUNNEL_TOKEN=PASTE_THE_LONG_TOKEN_HERE
EOF
sudo chown root:chi /etc/cloudflared/chat-saiden.env
sudo chmod 0640 /etc/cloudflared/chat-saiden.env
```
⚠ Verify the file looks right:
```sh
sudo ls -la /etc/cloudflared/chat-saiden.env   # should be -rw-r----- root:chi
```
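Eyeballing `ls -la` catches the permission mistakes but not a placeholder left in the file or a token pasted with a stray quote or trailing space. The shell function below is an added example, not part of the original runbook: it checks mode, owner and group, that exactly one TUNNEL_TOKEN line exists, that the PASTE_THE_LONG_TOKEN_HERE placeholder was replaced, and that the value decodes as a cloudflared tunnel token. The token format (base64 JSON carrying "a", "t" and "s" fields, which is what the eyJ prefix in step 4 encodes) is an assumption drawn from that prefix, as are GNU stat and base64 on junkpile; the function name and argument order are mine.

```sh
#!/bin/sh
# Added check for the token file created in step 5 (not from the original runbook).
# Assumes GNU stat/base64 and that a cloudflared tunnel token is base64 JSON with
# "a" (account), "t" (tunnel id) and "s" (secret) keys, hence the "eyJ" prefix.

# check_token_env FILE MODE OWNER GROUP
# Returns 0 when FILE has exactly MODE/OWNER/GROUP and holds one TUNNEL_TOKEN line
# whose value is a real token; prints the first problem and returns 1 otherwise.
check_token_env() {
    file=$1 want_mode=$2 want_owner=$3 want_group=$4

    [ -f "$file" ] || { echo "FAIL: $file does not exist"; return 1; }

    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    [ "$mode" = "$want_mode" ]   || { echo "FAIL: mode is $mode, want $want_mode"; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner is $owner, want $want_owner"; return 1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: group is $group, want $want_group"; return 1; }

    # Exactly one TUNNEL_TOKEN= line; anything else in the file is a paste mistake.
    n=$(grep -c '^TUNNEL_TOKEN=' "$file" || true)
    [ "$n" -eq 1 ] || { echo "FAIL: expected one TUNNEL_TOKEN line, found $n"; return 1; }

    token=$(sed -n 's/^TUNNEL_TOKEN=//p' "$file")
    [ -n "$token" ] || { echo "FAIL: TUNNEL_TOKEN is empty"; return 1; }
    [ "$token" != "PASTE_THE_LONG_TOKEN_HERE" ] \
        || { echo "FAIL: token is still the placeholder"; return 1; }

    # Bare base64, no quotes or whitespace, starting with "eyJ" (base64 of '{"').
    printf '%s' "$token" | grep -Eq '^eyJ[A-Za-z0-9+/=]+$' \
        || { echo "FAIL: token does not look like a cloudflared token"; return 1; }

    # Decode and confirm the three fields cloudflared expects are present.
    decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) \
        || { echo "FAIL: token is not valid base64"; return 1; }
    for key in a t s; do
        printf '%s' "$decoded" | grep -q "\"$key\"" \
            || { echo "FAIL: decoded token lacks the \"$key\" field"; return 1; }
    done

    echo "OK: $file ($mode $owner:$group), token present and well-formed"
    return 0
}

# Stand-alone use on junkpile, matching the chown/chmod above:
#   check_token_env /etc/cloudflared/chat-saiden.env 640 root chi
```

Run it as root (or via sudo) on junkpile after step 5; a non-zero exit means stop and fix the file before starting the service, because cloudflared will otherwise either fail to connect or, with a world-readable file, leave the bearer token exposed to every local account.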
6. Configure the public hostname
Back in the wizard → Next → Public Hostname tab → Add a public hostname:
| Field | Value |
|---|---|
| Subdomain | chat |
| Domain | saiden.dev |
| Path | (leave blank) |
| Type | HTTP |
| URL | localhost:7681 |
Additional application settings → TLS → No TLS Verify can stay off (localhost). Additional application settings → Connection → Disable Chunked Encoding must stay OFF.
Click Save hostname.
CF will auto-create the chat.saiden.dev proxy CNAME for you.
7. Verify the tunnel page
The tunnel page should now show:
- Connector: Healthy (or "No connectors yet" if you haven't started the service)
- Public hostname: chat.saiden.dev → http://localhost:7681
Part B — CF Access application (5 minutes)
1. Add the Access application
Zero Trust → Access → Applications → Add an application → Self-hosted.
| Field | Value |
|---|---|
| Application name | chat-saiden |
| Session duration | 24 hours |
| Application domain | chat.saiden.dev |
| Path | (leave blank) |
| Identity providers | |
| Instant Auth | enabled |
Save → continue to policies.
2. Add the whitelist policy (THE SECURITY BOUNDARY)
| Field | Value |
|---|---|
| Policy name | pilot-whitelist |
| Action | Allow |
| Include rule | Emails = adam.ladachowski@gmail.com |
Save policy.
3. WebSocket support
Application Settings → Advanced → WebSocket support → enable.
This is mandatory; ttyd is WS-based.
4. Default deny (implicit, but verify)
With only one Allow rule, anyone not matching is denied by default — no extra
deny rule needed. To double-check, look at the policies list: it should show
one policy (pilot-whitelist, Allow) and nothing else.
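Checking the policies list confirms the configuration; the probe below confirms the behaviour, which is what actually matters for an exposed terminal. It is an added example, not part of the original runbook, and assumes curl is available and that Access answers an unauthenticated browser-style request with a 302 to the team's cloudflareaccess.com login page. A 200 from the hostname means ttyd is reachable without going through Access at all, which is the failure this check exists to catch. Function names are mine.

```sh
#!/bin/sh
# Added post-setup probe (not from the original runbook): confirm that requests to
# the public hostname hit the Access login wall instead of reaching ttyd directly.
# Assumes curl is installed and that Access redirects unauthenticated requests with
# a 302 whose Location is on https://<team>.cloudflareaccess.com/.

# access_enforced HEADERS
# HEADERS is a raw response header block as printed by `curl -sI`.
# Returns 0 only for a 302 whose Location is an Access login URL; 1 otherwise.
access_enforced() {
    # Strip CRs so the status and Location values compare cleanly.
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')

    case $status in
        302) ;;
        200) echo "FAIL: got 200, the app is reachable without Access"; return 1 ;;
        *)   echo "FAIL: unexpected status '$status'"; return 1 ;;
    esac

    case $location in
        https://*.cloudflareaccess.com/*)
            echo "OK: redirected to Access login at $location"; return 0 ;;
        *)
            echo "FAIL: 302 but Location is '$location', not an Access login"; return 1 ;;
    esac
}

# probe_hostname HOST: fetch headers from the live hostname and apply the check.
probe_hostname() {
    access_enforced "$(curl -sI --max-time 10 "https://$1/")"
}

# Stand-alone use once Part B is saved:
#   probe_hostname chat.saiden.dev
```

Run the probe from a machine that is not logged in to Access (or from a private browser session's curl) so the request carries no CF_Authorization cookie; repeat it after any edit to the public hostname or the Access application, since removing the application silently turns the hostname into an open ttyd.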
Part C — Google IdP setup (one-time, skip if already done)
Zero Trust → Settings → Authentication → Login methods → Add new → Google.
OAuth client ID + secret come from https://console.cloud.google.com → APIs & Services → Credentials.
Authorized redirect URI:
https://<your-team>.cloudflareaccess.com/cdn-cgi/access/callback
Replace <your-team> with the team domain shown at the top of the Zero Trust
dashboard. Save in CF wizard → click Test. Must succeed before moving on.
Operational hygiene
- The TUNNEL_TOKEN is a long-lived bearer credential. If junkpile is compromised
or you suspect the token leaked: dashboard → tunnel → Refresh token.
Update /etc/cloudflared/chat-saiden.env and systemctl restart cloudflared-chat-saiden.
- Audit access logs weekly: Zero Trust → Logs → Access.
- To revoke a whitelist entry: edit the pilot-whitelist policy, save. Existing sessions are cut on next request (session lifetime ≤ 24h by config).