Configure your Server for SSH through Access

Cloudflare Access controls who can reach your web application, API, or server. Access can protect a web application already using Cloudflare when you add a single policy. To protect a server you need to reach over SSH, you first need to expose that machine to the Cloudflare network using Argo Tunnel.

Argo Tunnel connects your server to Cloudflare without the need to configure firewall ports or ACLs. Configuring a tunnel ensures that Cloudflare evaluates all requests to your machine, so the server benefits from the web application firewall and unmetered DDoS mitigation. The tunnel also applies the identity policies you configure in Cloudflare Access to control who is allowed to reach the server.

You will need to first create a new zone in your Cloudflare account with a hostname that will represent the server. Once available, you can apply an Access policy to lock it down while you configure Argo Tunnel to expose your machine to the Cloudflare network and allow SSH traffic to reach your server. In this example, we’ll place an example server behind a subdomain at our site: monday.example.com

Requirements

  • A Cloudflare account
  • The cloudflared daemon
  • An active zone on Cloudflare
  • An active subscription to Argo, which you can enable in the Traffic tab of the Cloudflare dashboard
  • A client configured to connect via Access

Known Limitations

  • If you have an origin that serves both SSH and HTTP/S requests, you will need to place those at separate domains or subdomains. Otherwise, errors will occur when attempting to reach the machine over different protocols. For example, requests made in a web browser will be routed over SSH and fail.

1. Create a Hostname for your Machine

Start by creating a hostname for your machine that your team will use to reach the server. You can use a subdomain or full domain. You will need to follow the instructions here to make that hostname an active zone in Cloudflare.

2. Enable Access and Lock Down the Hostname

Once your zone is active in Cloudflare, navigate to the Access tab in the dashboard. To begin, create a policy for the hostname that prevents any traffic to that hostname from reaching your server. You will configure policies to allow traffic once your setup is complete.

In the Policy creator, select “Deny” as the Decision and, under “Include,” select “Everyone.” This rule will prevent any requests to that hostname from bypassing Access. If you do not set this policy before configuring Argo Tunnel, Access will not be able to control who can reach the machine in the time between exposing it and creating your first Access rule.

3. Install Argo Tunnel

Next, you will need to install Argo Tunnel on your server. Argo Tunnel exposes web servers securely to the internet, without opening up firewall ports and configuring ACLs. Argo Tunnel ensures requests route through Cloudflare before reaching the web server so you can authenticate traffic with Access.

Follow the instructions provided here to install Argo Tunnel. Once complete, you can try the tunnel by sending a request. It will be unsuccessful due to the Access restriction you placed.

4. Configure SSH through Access

Argo Tunnel permits traffic over HTTP and HTTPS. To reach the server over SSH, Cloudflare Access opens a secure connection to proxy SSH traffic through Cloudflare’s network.

On the machine, run the following command to assign the hostname. Access will default to port 22 for SSH connections.

$ cloudflared tunnel --hostname monday.example.com --url ssh://localhost:22

This command creates a proxy that forwards traffic arriving at the hostname to the SSH service listening on port 22 of the machine.

5. Configure Access Policies

Now that your server is connected to the Cloudflare network, you can create policies to control who can reach your server in Cloudflare Access. You can find details on how to create policies here.

6. Connect to the Server over SSH

Clients connecting to the server through Cloudflare Access need to be configured to do so. You can find details on configuring your client here.
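The following helper script is an added example and is not part of Cloudflare's documentation or the cloudflared project. It ties together two steps of the procedure above: it checks that the Deny policy from step 2 is actually enforcing on the hostname before you expose the tunnel (an anonymous request should never get a 200), and it prints the ssh client stanza that routes the connection through cloudflared's `access ssh` subcommand. It assumes curl, ssh and cloudflared are installed; monday.example.com is the page's example hostname.

```shell
#!/bin/sh
# Added example (not Cloudflare's own tooling). Assumes: curl, ssh and
# cloudflared are on PATH; the hostname is an Access-protected zone.

# Map the HTTP status of an unauthenticated request to the protected hostname
# onto a verdict. With a Deny/Everyone policy in place, an anonymous client is
# redirected to the Access login page (302) or refused (401/403). A 200 means
# the request reached the origin without passing through Access.
classify_status() {
    case "$1" in
        200) echo "exposed" ;;
        302|401|403) echo "locked" ;;
        *) echo "unknown" ;;
    esac
}

# Send one anonymous request (no redirect following, so the 302 is visible)
# and classify it. Returns 0 only when Access is enforcing on the hostname.
access_lockdown_check() {
    host="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' "https://$host/" || echo 000)
    verdict=$(classify_status "$code")
    echo "$host -> HTTP $code ($verdict)"
    [ "$verdict" = "locked" ]
}

# Print the ~/.ssh/config stanza for the hostname. The ProxyCommand hands the
# SSH stream to cloudflared, which performs the Access login and carries the
# session over Cloudflare's network to the tunnel on the server.
ssh_config_stanza() {
    printf 'Host %s\n  ProxyCommand cloudflared access ssh --hostname %%h\n' "$1"
}

# Usage (the lockdown check needs network access to the hostname):
#   sh preflight.sh monday.example.com
if [ -n "$1" ]; then
    access_lockdown_check "$1" \
        || echo "WARNING: Access is not enforcing on $1; do not expose the tunnel yet." >&2
    ssh_config_stanza "$1"
fi
```

Run the lockdown check after step 2 and again after step 4; a verdict of "exposed" at either point means requests are bypassing Access and the tunnel should not stay up until the policy is fixed.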