Initial Phoenix Sankofa Cloud setup
- Complete project structure with Next.js frontend
- GraphQL API backend with Apollo Server
- Portal application with NextAuth
- Crossplane Proxmox provider
- GitOps configurations
- CI/CD pipelines
- Testing infrastructure (Vitest, Jest, Go tests)
- Error handling and monitoring
- Security hardening
- UI component library
- Documentation
cloudflare/README.md (normal file, 84 additions)
@@ -0,0 +1,84 @@
# Cloudflare Zero Trust Configuration

This directory contains all Cloudflare Zero Trust configurations for secure global access to the hybrid cloud control plane.

## Structure

```
cloudflare/
├── access-policies.yaml # Access policies for applications
├── tunnel-configs/ # Per-site tunnel configurations
├── gateway-policies.yaml # DNS and filtering policies
├── warp-config.json # WARP device enrollment
└── terraform/ # Terraform modules for Cloudflare
```

## Components

### Access Policies
Define who can access which applications based on:
- User identity (from Keycloak)
- Device posture
- IP address
- MFA requirements
- Time-based rules

### Tunnels
Outbound-only connections from Proxmox sites and control plane to Cloudflare:
- No public IPs required
- Automatic reconnection
- Load balancing across multiple tunnels
- Health checks

### Gateway Policies
DNS filtering and network security:
- Block malicious domains
- Log DNS queries
- Apply policies based on user/device
- Split DNS for internal services

### WARP
Device-level VPN for employees:
- Zero Trust network access
- Device posture checks
- Automatic enrollment

## Usage

### Apply Access Policies

```bash
# Using Cloudflare API
cloudflared access policy create --config access-policies.yaml

# Or via Terraform
cd terraform
terraform apply
```

### Deploy Tunnels

1. Create tunnel in Cloudflare dashboard
2. Copy tunnel token
3. Update tunnel config with token
4. Deploy cloudflared agent with config

```bash
cloudflared tunnel run --config tunnel-configs/site-1.yaml
```

### Configure WARP

1. Create WARP enrollment in Cloudflare dashboard
2. Update warp-config.json with enrollment details
3. Distribute config to devices

## Security Best Practices

- Use service tokens for API access
- Rotate tunnel tokens regularly
- Enable MFA for all access policies
- Use device posture checks
- Log all access attempts
- Review policies quarterly

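Review bot: the "Apply Access Policies" block documents `cloudflared access policy create --config access-policies.yaml`, but `cloudflared access` has no `policy` subcommand as far as I know (it provides `login`, `token`, `curl`, `ssh`, `tcp` and similar); Access policies are managed through the dashboard, the Cloudflare API or Terraform, so either drop that line and keep only the `terraform apply` path, or replace it with the actual API request and the service token it needs. Separately, steps 2 and 3 of "Deploy Tunnels" ("Copy tunnel token", "Update tunnel config with token") write a live tunnel credential into `tunnel-configs/site-1.yaml`, which this commit adds to the repository; passing the token out of band instead (for example `cloudflared tunnel run --token` with the value read from an environment variable or a credentials file kept outside the repo) keeps tunnel secrets out of git history and makes the "Rotate tunnel tokens regularly" item under Security Best Practices achievable without a commit per rotation. The README should also say which Cloudflare API token and account id `terraform apply` expects and where they are sourced from, since the structure section lists `terraform/` but the usage section never mentions its inputs.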