proxmox/scripts/cloudflare-tunnels/CONFIGURE_ACCESS_EMAILS.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00

Configure Cloudflare Access Email Allowlist

Overview

You can restrict access to your Proxmox UIs to specific email addresses using Cloudflare Access policies.

Quick Setup

Option 1: Interactive Script

cd /home/intlc/projects/proxmox/scripts/cloudflare-tunnels
./scripts/configure-access-policies.sh

The script will prompt you to enter email addresses one by one.

Option 2: Command Line

cd /home/intlc/projects/proxmox/scripts/cloudflare-tunnels
./scripts/configure-access-policies.sh user1@example.com user2@example.com user3@example.com

Option 3: Via Cloudflare Dashboard

  1. Go to: https://one.dash.cloudflare.com/
  2. Navigate: Zero Trust → Access → Applications
  3. Click on each application:
    • Proxmox ml110-01
    • Proxmox r630-01
    • Proxmox r630-02
  4. Click "Policies" tab
  5. Click "Add a policy" or edit existing
  6. Set:
    • Policy name: "Allow Team Access"
    • Action: Allow
    • Include: Email → Add each allowed email
    • Require: Email (for email verification)
  7. Save

What Gets Configured

The script configures policies that:

  • Allow access (instead of block)
  • Include specific email addresses
  • Require email verification (MFA if enabled)
  • Apply to all 3 Proxmox UIs

Policy Structure

{
  "name": "Allow Team Access",
  "decision": "allow",
  "include": [
    {"email": {"email": "user1@example.com"}},
    {"email": {"email": "user2@example.com"}}
  ],
  "require": [
    {"email": {}}
  ]
}
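
An offline check for the policy shape shown above, as an added example rather than code from this repository: it compares a policy's Include list against an approved email set and reports stale addresses, missing addresses, and any Include rule that is not an explicit email entry. It assumes the policy has already been exported as JSON in that shape; `audit_policy`, the sample policy and the approved set are constructed for illustration.

```python
import json

def audit_policy(policy, approved):
    """Compare an Access policy dict against the approved email set; return findings."""
    approved = {a.strip().lower() for a in approved}
    findings, seen = [], set()
    if policy.get("decision") != "allow":
        findings.append(f"decision is {policy.get('decision')!r}, expected 'allow'")
    for rule in policy.get("include", []):
        # Only the explicit form {"email": {"email": "<address>"}} counts as an allowlist entry.
        email = rule.get("email") if isinstance(rule, dict) and set(rule) == {"email"} else None
        addr = email.get("email") if isinstance(email, dict) else None
        if not isinstance(addr, str):
            findings.append(f"non-email include rule: {json.dumps(rule, sort_keys=True)}")
            continue
        addr = addr.strip().lower()  # compare addresses case-insensitively
        seen.add(addr)
        if addr not in approved:
            findings.append(f"unapproved email in include: {addr}")
    for addr in sorted(approved - seen):
        findings.append(f"approved email missing from include: {addr}")
    return findings

# Constructed sample: one stale address and one catch-all rule left in Include.
SAMPLE_POLICY = {
    "name": "Allow Team Access",
    "decision": "allow",
    "include": [
        {"email": {"email": "user1@example.com"}},
        {"email": {"email": "User2@Example.com"}},
        {"email": {"email": "former@example.com"}},
        {"everyone": {}},
    ],
    "require": [{"email": {}}],
}
APPROVED = {"user1@example.com", "user2@example.com", "user3@example.com"}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, APPROVED):
        print("FINDING:", finding)
```

An empty result means the Include list matches the approved set exactly; the Require section is not audited by this check.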

Adding More Emails Later

Via Script

./scripts/configure-access-policies.sh user1@example.com user2@example.com user3@example.com

Via Dashboard

  1. Go to Access → Applications → [App Name] → Policies
  2. Edit the "Allow Team Access" policy
  3. Add more emails to the Include section
  4. Save

Removing Access

Via Dashboard

  1. Go to Access → Applications → [App Name] → Policies
  2. Edit the policy
  3. Remove email from Include section
  4. Save

Advanced Options

You can also configure:

  • Groups: Create email groups for easier management
  • Service tokens: For programmatic access
  • Country restrictions: Allow only specific countries
  • IP restrictions: Allow only specific IP ranges
  • Device posture: Require specific device checks

See docs/CLOUDFLARE_ACCESS_SETUP.md for more details.

Verification

After configuring, test access:

  1. Open https://ml110-01.d-bis.org in an incognito window
  2. You should see the Cloudflare Access login page
  3. Log in with an allowed email
  4. You should be granted access

If you use a non-allowed email, access will be denied.