aladac/chat
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d2638e0650118ba7feab527cfc61e4fd59a332fb
chat/_archive-ttyd/cloudflare/dashboard-setup.md
T
marauder-actual 96ba8f4b6e chore: initial commit — chat-saiden web chat baseline
2026-05-29 13:47:34 +02:00

150 lines
4.4 KiB
Markdown
Raw Blame History

# Cloudflare dashboard setup — chat.saiden.dev (token-based)
Two artefacts get created in the Zero Trust dashboard:
1. **A tunnel** (`chat-saiden`) with its public hostname.
2. **An Access application** with Google IdP + whitelist.
Both are token/UI-managed (no local config files for tunnel ingress) to match the
existing `cloudflared-mesh` and `cloudflared-tensors-art` pattern on junkpile.
---
## Part A — Create the tunnel (5 minutes)
### 1. Open the Networks → Tunnels page
Zero Trust → **Networks****Tunnels****Create a tunnel**.
### 2. Pick connector type
Choose **Cloudflared**. Click Next.
### 3. Name + save
Tunnel name: `chat-saiden`. Click **Save tunnel**.
### 4. Get the token (DO NOT close this page)
The wizard shows install instructions for several platforms. The token is the
long base64 string inside the displayed command, e.g.:
```
cloudflared.exe service install eyJhIjoiOTVhZDNiYWEyYTRlY2RhMWUzODM0MmRm... # ← THIS PART
```
**Copy just the token string** (everything after `service install` for the
Windows command, or after `--token` for the Linux command — same string either
way). Save it for the next step.
### 5. Place the token on junkpile
```bash
ssh junkpile
sudo mkdir -p /etc/cloudflared
sudo tee /etc/cloudflared/chat-saiden.env > /dev/null <<'EOF'
TUNNEL_TOKEN=PASTE_THE_LONG_TOKEN_HERE
EOF
sudo chown root:chi /etc/cloudflared/chat-saiden.env
sudo chmod 0640 /etc/cloudflared/chat-saiden.env
```
⚠ Verify the file looks right:
```bash
sudo ls -la /etc/cloudflared/chat-saiden.env # should be -rw-r----- root:chi
```
### 6. Configure the public hostname
Back in the wizard → **Next****Public Hostname** tab → **Add a public hostname**:
| Field | Value |
|-------|-------|
| Subdomain | `chat` |
| Domain | `saiden.dev` |
| Path | (leave blank) |
| Type | `HTTP` |
| URL | `localhost:7681` |
**Additional application settings → TLS → No TLS Verify** can stay off (localhost).
**Additional application settings → Connection → Disable Chunked Encoding** must stay OFF.
Click **Save hostname**.
CF will auto-create the `chat.saiden.dev` proxy CNAME for you.
### 7. Verify the tunnel page
The tunnel page should now show:
- Connector: **Healthy** (or "No connectors yet" if you haven't started the service)
- Public hostname: `chat.saiden.dev → http://localhost:7681`
---
## Part B — CF Access application (5 minutes)
### 1. Add the Access application
Zero Trust → **Access****Applications****Add an application****Self-hosted**.
| Field | Value |
|-------|-------|
| Application name | `chat-saiden` |
| Session duration | `24 hours` |
| Application domain | `chat.saiden.dev` |
| Path | (leave blank) |
| Identity providers | Google |
| Instant Auth | enabled |
Save → continue to policies.
### 2. Add the whitelist policy (THE SECURITY BOUNDARY)
| Field | Value |
|-------|-------|
| Policy name | `pilot-whitelist` |
| Action | **Allow** |
| Include rule | **Emails** = `adam.ladachowski@gmail.com` |
Save policy.
### 3. WebSocket support
Application **Settings → Advanced → WebSocket support** → enable.
This is mandatory; ttyd is WS-based.
### 4. Default deny (implicit, but verify)
With only one Allow rule, anyone not matching is denied by default — no extra
deny rule needed. To double-check, look at the policies list: it should show
**one** policy (`pilot-whitelist`, Allow) and nothing else.
---
## Part C — Google IdP setup (one-time, skip if already done)
Zero Trust → **Settings → Authentication → Login methods → Add new → Google**.
OAuth client ID + secret come from
https://console.cloud.google.com → APIs & Services → Credentials.
Authorized redirect URI:
```
https://<your-team>.cloudflareaccess.com/cdn-cgi/access/callback
```
Replace `<your-team>` with the team domain shown at the top of the Zero Trust
dashboard. Save in CF wizard → click **Test**. Must succeed before moving on.
---
## Operational hygiene
- The TUNNEL_TOKEN is a long-lived bearer credential. If junkpile is compromised
or you suspect the token leaked: dashboard → tunnel → **Refresh token**.
Update `/etc/cloudflared/chat-saiden.env` and `systemctl restart
cloudflared-chat-saiden`.
- Audit access logs weekly: Zero Trust → **Logs → Access**.
- To revoke a whitelist entry: edit `pilot-whitelist` policy, save. Existing
sessions are cut on next request (session lifetime ≤ 24h by config).
Reference in New Issue View Git Blame Copy Permalink