[Guide] How to use AMP by Cubecoders with Cloudflare ACCESS
Access protects internal resources by authenticating against identity providers you already use. With Access, you can control which users and groups can reach sensitive materials without a VPN or making code changes to your site.
I try as hard as I can to expose as little as possible to the internet regarding services, and only allow traffic from everyone on applications that need it. Therefore I see no reason for AMP to be publicly accessible through the internet. I've been using a VPN so far to connect to my AMPs, and now it has grown to a large number of servers. I tested the target/controller feature a while back and at the time it was too unstable to use. It has changed today, but it still has a few problems left, so a lot of terminal work on several servers was needed to connect all of our servers to our webserver. Just a little warning when moving to a centralised system: you also lose access if the controller goes down.
My reason to use Cloudflare Access is that my team (admins etc.) doesn't need to use a VPN and get local access to the network. I do use pfSense and I can make it secure, but I'd still rather not give them VPN access. Remember that the free plan only allows a limited number of users. Visit https://www.cloudflare.com/teams/access/ for more information.
I'll be showing a setup similar to mine; everyone's setup is different. I run my AMP controller in a Docker container on my webserver, which makes it easier to manage. This means that I run a reverse proxy in front of the AMP instance. I use Apache for this job, which allows me to host several domains on one server.
Modules to activate in Apache:
- mod_proxy
- mod_proxy_connect
- mod_proxy_http
- mod_ssl
Virtual host config in Apache that reverse-proxies to an AMP instance located in a Docker container on the same webserver:

```apache
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName amp.mydomain.com
    ServerAlias mydomain

    # TLS termination for this vhost (required here unless SSLEngine is
    # already enabled globally, which the original snippet did not show)
    SSLEngine on
    SSLProxyEngine On
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    # AMP itself listens on plain HTTP inside the container
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Apache 2.2-style access control (needs mod_access_compat on 2.4;
    # the 2.4 equivalent is "Require all granted")
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # SSL: Cloudflare Origin Certificates
    SSLCertificateFile /path/to/amp.mydomain.com.pem
    SSLCertificateKeyFile /path/to/amp.mydomain.com.key

    # Cloudflare Authenticated Origin Pulls: only clients presenting a
    # certificate signed by Cloudflare's origin-pull CA are accepted
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /path/to/origin-pull-ca.pem
</VirtualHost>
```
As you can see from the config, AMP itself is not running HTTPS, which makes the job a lot easier. The main reason for this is that it is a service on the same server, but also that Security.IgnoreAuthServerTLSFailure=True does not work when setting up an AMP server for the first time or running the wizard again. So only publicly valid certificates can be used (self-signed and Cloudflare Origin certificates are not publicly valid). Also remember that you need to set up host overrides on the DNS resolver that serves the AMP servers, so that the name actually points to your controller AMP, if you are securing traffic between controller and target servers; the host override is needed because each AMP needs a domain name to connect securely through HTTPS. Running HTTP on the local network is fine for now; the amount of work needed is not worth it if the LAN for the servers is secure and not connected to random devices. Just remember that a man-in-the-middle attack is still possible on the LAN, but if it is secure it won't be a problem. Apache does the HTTPS part just fine between Cloudflare and the webserver.
In this case I'm using a Cloudflare Origin certificate and Authenticated Origin Pulls, since it was faster than setting up certbot to do the job; remember that AMP is hosting the webpage, so we can't use the standard certbot wizard. Using a Cloudflare Origin certificate for TLS is fine since we're already going to use their Access portal, and it is a valid certificate for them. To verify the TLS link, use Full (strict) TLS mode on Cloudflare.
In your router/firewall you need to block all traffic to port 80 and only allow traffic from Cloudflare on port 443. This makes it more secure: to reach the webserver you must go through Cloudflare. With the proxy on, only Cloudflare will know that your IP hosts a webserver. This removes a lot of spam traffic from the internet.
Cloudflare has a list of the IP ranges they use: https://www.cloudflare.com/ips/
In my pfSense box I have put https://www.cloudflare.com/ips-v4 under URLs in Aliases under Firewall. This allows pfSense to automatically update the Cloudflare IP list, and it also makes the firewall rules easier to write.
Using this list, I have made a rule that only allows traffic from this list to port 443. Remember that Cloudflare does an HTTPS redirect with the proxy enabled, which is why you don't need to open port 80.
If you're using pfSense like me, you can use its Dynamic DNS for Cloudflare, so that when your IP changes the DNS record is updated with the new IP. Remember that you must select the proxy option both on Cloudflare and in the Dynamic DNS settings. You might need to install the Cron package to get Dynamic DNS to work.
So far we have achieved that when going to amp.domain.com we can only go through Cloudflare's proxy servers, even if we try to connect to the IP directly, and the traffic is encrypted. With pfSense blocking traffic from anyone other than Cloudflare, bots will not find any webserver hosted at this IP.
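One way to check that the firewall rule above is actually holding is to scan the origin's Apache access log for peer addresses outside the Cloudflare allow-list; any hit means traffic reached the webserver without going through Cloudflare (a gap in the rule, or a leaked origin IP). This is an added example, not part of the original guide or of Cloudflare's own tooling; the CIDR ranges and log lines are constructed placeholders, and in real use the allow-list is loaded from the ips-v4 URL mentioned above.

```python
import ipaddress
import re

# Stand-in allow-list. In production, load the current list from
# https://www.cloudflare.com/ips-v4 (the same URL the pfSense alias uses);
# these TEST-NET ranges are constructed placeholders, not Cloudflare's ranges.
ALLOWED_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Apache combined log format: the first field is the peer IP, which behind
# Cloudflare's proxy should always be a Cloudflare edge address.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def is_allowed(ip: str) -> bool:
    """True if the peer address falls inside one of the allowed ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable field is never trusted as "allowed"
    return any(addr in net for net in ALLOWED_RANGES)

def find_direct_hits(log_lines):
    """Return (ip, request, status) for every request whose peer IP is not
    in the allow-list, i.e. traffic that bypassed Cloudflare and reached the
    origin directly. An empty result means the firewall rule is holding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        if not is_allowed(m["ip"]):
            hits.append((m["ip"], m["req"], m["status"]))
    return hits

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /api HTTP/1.1" 200 88',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /Login HTTP/1.1" 403 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, req, status in find_direct_hits(SAMPLE_LOG):
        print(f"direct hit: {ip} {req!r} -> {status}")
```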
Time to set up the Access portal. (Too much personal information, so no pictures :()
- Go to Access.
- You need to add login methods; I have activated One-Time PIN and GitHub.
- Create an Access Policy and fill in the information. At the bottom of the form when creating an access policy you can add a logout bar. Note: this will hide the AMP menu on phones, so don't add it if you don't need it.
While a VPN is more secure with stronger encryption, it gives the user local access (though that can be mitigated). And while Cloudflare Access in this setup isn't the most secure option, it is a lot better than exposing AMP without using a VPN at all. Cloudflare Access is a lot more user friendly, with no need for VPN software.
- Block port 80 on the firewall and webserver
- Port 443 only allows traffic from Cloudflare, both on the firewall and the webserver
- Activate Authenticated Origin Pulls on Cloudflare
- With Cloudflare Access you add a login portal that only allows authenticated users into your intranet
To get the origin pull certificate, go to the certificate value at https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull#zone-level--cloudflare-certificates
Apache config block for origin pull:

```apache
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem
```