Cloudflare Access controls who can reach your web application, API, or server. To protect a server you need to reach over SSH, you first need to expose that machine to the Cloudflare network using Argo Tunnel.
Argo Tunnel connects your server to Cloudflare without the need to configure firewall ports or ACLs. Configuring a tunnel ensures that Cloudflare evaluates all requests to your machine for security benefits like web application firewall and unmetered DDOS mitigation. The tunnel also applies the identity policies you configure in Cloudflare Access to control who is allowed to reach the server.
You will need to first create a new zone in your Cloudflare account with a hostname that will represent the server. Once available, you can apply an Access policy to lock it down while you configure Argo Tunnel to expose your machine to the Cloudflare network and allow SSH traffic to reach your server. In this example, we’ll place an example server behind a subdomain at our site: monday.example.com
Start by creating a hostname for your machine that your team will use to reach the server. You can use a subdomain or full domain. You will need to follow the instructions here to make that hostname an active zone in Cloudflare.
Once your zone is active in Cloudflare, navigate to the Access tab in the dashboard. To begin, create a policy for the hostname that prevents any traffic to that hostname from reaching your server. You will configure policies to allow traffic once your setup is complete.
In the Policy creator, select the “Deny” as the
Decision and, under “Include,” select “Everyone.” This rule will prevent any requests to that hostname from bypassing Access. If you do not first set a policy before configuring Argo Tunnel, Access will not be able to control who can reach that machine in the time between setup and the creation of your first Access rule.
Next, you will need to install Argo Tunnel on your server. Argo Tunnel exposes web servers securely to the internet, without opening up firewall ports and configuring ACLs. Argo Tunnel ensures requests route through Cloudflare before reaching the web server so you can authenticate traffic with Access.
Follow the instructions provided here to install Argo Tunnel. Once complete, you can try the tunnel by sending a request. It will be unsuccessful due to the Access restriction you placed.
Argo Tunnel permits traffic over HTTP and HTTPS. To reach the server over SSH, Cloudflare Access opens a secure connection to proxy SSH traffic through Cloudflare’s network.
On the machine, run the following command to assign the hostname. Access will default to port 22 for SSH connections.
$ cloudflared tunnel --hostname monday.example.com --url ssh://localhost:22
This command will create a proxy to forward traffic at port 22 to the hostname.
Now that your server is connected to the Cloudflare network, you can create policies to control who can reach your server in Cloudflare Access. You can find details on how to create policies here.
Clients connecting to the server using Cloudflare Access need to be configured to do so. You can find details on configuring your client here