proxmox/scripts/cloudflare-tunnels/DEPLOYMENT_SUMMARY.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00

Cloudflare Multi-Tunnel Deployment Summary

Complete implementation of Cloudflare Tunnel setup for Proxmox hosts with all recommended enhancements.

What's Included

1. Separate Tunnels Per Host

  • tunnel-ml110 → ml110-01.d-bis.org → 192.168.11.10:8006
  • tunnel-r630-01 → r630-01.d-bis.org → 192.168.11.11:8006
  • tunnel-r630-02 → r630-02.d-bis.org → 192.168.11.12:8006

2. Cloudflare Access Integration

  • Complete setup guide for SSO/MFA
  • Step-by-step instructions
  • Security best practices

3. Health Monitoring

  • Automated health checks
  • Continuous monitoring script
  • One-time health check utility

4. Alerting

  • Email notifications
  • Webhook support (Slack, Discord, etc.)
  • Configurable alert thresholds

5. Auto-Recovery

  • Automatic tunnel restart on failure
  • Systemd service with restart policies

📁 File Structure

```text
scripts/cloudflare-tunnels/
├── README.md                          # Main documentation
├── DEPLOYMENT_SUMMARY.md              # This file
│
├── configs/                           # Tunnel configurations
│   ├── tunnel-ml110.yml               # ml110-01 config
│   ├── tunnel-r630-01.yml             # r630-01 config
│   └── tunnel-r630-02.yml             # r630-02 config
│
├── systemd/                           # Systemd services
│   ├── cloudflared-ml110.service      # ml110 service
│   ├── cloudflared-r630-01.service    # r630-01 service
│   └── cloudflared-r630-02.service    # r630-02 service
│
├── scripts/                           # Management scripts
│   ├── setup-multi-tunnel.sh          # Main setup script
│   ├── install-tunnel.sh              # Install single tunnel
│   ├── monitor-tunnels.sh             # Continuous monitoring
│   ├── check-tunnel-health.sh         # Health check
│   ├── alert-tunnel-failure.sh        # Alerting
│   └── restart-tunnel.sh              # Restart utility
│
├── monitoring/                        # Monitoring configs
│   ├── health-check.conf              # Health check config
│   └── alerting.conf                  # Alerting config
│
└── docs/                              # Documentation
    ├── CLOUDFLARE_ACCESS_SETUP.md     # Access setup guide
    ├── TROUBLESHOOTING.md             # Troubleshooting
    └── MONITORING_GUIDE.md            # Monitoring guide
```

🚀 Quick Start

Step 1: Create Tunnels in Cloudflare

  1. Go to Cloudflare Zero Trust → Networks → Tunnels
  2. Create three tunnels:
    • tunnel-ml110
    • tunnel-r630-01
    • tunnel-r630-02
  3. Copy tunnel tokens/credentials

Step 2: Run Setup Script

```bash
cd scripts/cloudflare-tunnels
./scripts/setup-multi-tunnel.sh
```

The script will:

  • Install cloudflared (if needed)
  • Copy configuration files
  • Install systemd services
  • Prompt for tunnel credentials

Step 3: Configure DNS Records

In Cloudflare Dashboard → DNS → Records:

| Type  | Name     | Target                          | Proxy      |
|-------|----------|---------------------------------|------------|
| CNAME | ml110-01 | `<tunnel-id>.cfargotunnel.com`  | 🟠 Proxied |
| CNAME | r630-01  | `<tunnel-id>.cfargotunnel.com`  | 🟠 Proxied |
| CNAME | r630-02  | `<tunnel-id>.cfargotunnel.com`  | 🟠 Proxied |

Each record uses the ID of its own tunnel, since every host has a separate tunnel.

Step 4: Configure Cloudflare Access

Follow the guide: docs/CLOUDFLARE_ACCESS_SETUP.md

Step 5: Start Monitoring

```bash
# One-time health check
./scripts/check-tunnel-health.sh

# Continuous monitoring (daemon)
./scripts/monitor-tunnels.sh --daemon
```

📋 Pre-Deployment Checklist

Before running setup:

  • Cloudflare account with Zero Trust enabled
  • Domain d-bis.org managed by Cloudflare
  • VMID 102 exists and is running
  • Network connectivity from VMID 102 to Proxmox hosts verified
  • Tunnels created in Cloudflare dashboard
  • Tunnel tokens/credentials ready

🔧 Configuration

Tunnel Configuration Files

Each tunnel has its own config file in configs/:

  • tunnel-ml110.yml - ml110-01 configuration
  • tunnel-r630-01.yml - r630-01 configuration
  • tunnel-r630-02.yml - r630-02 configuration

Before use:

  1. Replace <TUNNEL_ID_*> with actual tunnel IDs
  2. Ensure credentials files are in /etc/cloudflared/
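As an added pre-flight check (not one of the repository's scripts), the following function verifies that a tunnel config is ready before its service is started: no `<TUNNEL_ID_*>` placeholder left, a readable credentials file under /etc/cloudflared/, an ingress rule for the host, and the catch-all rule cloudflared requires. The embedded sample config is constructed here with a made-up tunnel UUID and also shows the `originRequest.noTLSVerify` setting used for the Proxmox self-signed certificate:

```bash
#!/usr/bin/env bash
# Added example, not the repo's setup-multi-tunnel.sh. Validates one tunnel
# config before `systemctl start cloudflared-<name>` is attempted.
set -u

# Constructed sample of configs/tunnel-ml110.yml after the placeholder is
# replaced. The UUID is a made-up placeholder value, not a real tunnel ID.
SAMPLE_CONFIG='tunnel: 00000000-0000-4000-8000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-4000-8000-000000000000.json
ingress:
  - hostname: ml110-01.d-bis.org
    service: https://192.168.11.10:8006
    originRequest:
      noTLSVerify: true       # Proxmox uses a self-signed cert; trust it only for this origin
  - service: http_status:404  # catch-all: every other hostname gets no origin
'

# validate_tunnel_config <config.yml> <expected hostname>
# Returns 0 when the config is ready, 1 otherwise; prints each problem found.
validate_tunnel_config() {
  local cfg=$1 host=$2 rc=0 cred
  if grep -q '<TUNNEL_ID_' "$cfg"; then
    echo "$cfg: <TUNNEL_ID_*> placeholder has not been replaced"; rc=1
  fi
  # credentials-file must point at a readable file (normally /etc/cloudflared/<id>.json)
  cred=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$cfg")
  if [ -z "$cred" ]; then
    echo "$cfg: no credentials-file entry"; rc=1
  elif [ ! -r "$cred" ]; then
    echo "$cfg: credentials file $cred is missing or unreadable"; rc=1
  fi
  # the public hostname must have an ingress rule, otherwise requests hit the catch-all
  if ! grep -qF "hostname: $host" "$cfg"; then
    echo "$cfg: no ingress rule for $host"; rc=1
  fi
  # cloudflared refuses to start without a final catch-all ingress rule
  if ! grep -q 'service: http_status:404' "$cfg"; then
    echo "$cfg: missing catch-all http_status:404 rule"; rc=1
  fi
  return $rc
}
```

Run it as `validate_tunnel_config configs/tunnel-ml110.yml ml110-01.d-bis.org` once per tunnel, before `setup-multi-tunnel.sh` installs the services.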

Systemd Services

Each tunnel runs as a separate systemd service:

  • cloudflared-ml110.service
  • cloudflared-r630-01.service
  • cloudflared-r630-02.service

Features:

  • Auto-restart on failure
  • Security hardening
  • Resource limits
  • Proper logging

🔒 Security Features

Cloudflare Access

  • SSO/MFA protection
  • Device posture checks
  • IP allowlisting
  • Country blocking
  • Session management

Tunnel Security

  • Separate tunnels per host (isolation)
  • Encrypted connections
  • No exposed ports on gateway
  • Self-signed cert handling

📊 Monitoring

Health Checks

Run comprehensive health checks:

```bash
./scripts/check-tunnel-health.sh
```

Checks:

  • Service status
  • DNS resolution
  • HTTPS connectivity
  • Internal connectivity
  • Log errors

Continuous Monitoring

Run continuous monitoring:

```bash
./scripts/monitor-tunnels.sh --daemon
```

Features:

  • Automatic health checks
  • Auto-restart on failure
  • Alerting on failures
  • Logging to file

🚨 Alerting

Configure Alerts

Edit monitoring/alerting.conf:

```bash
ALERT_EMAIL="admin@yourdomain.com"
ALERT_WEBHOOK_URL="https://hooks.slack.com/..."
```

Test Alerts

```bash
./scripts/alert-tunnel-failure.sh ml110 service_down
```
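The restart-then-alert decision that the continuous monitor and the alert thresholds above describe, written out as an added example rather than the repository's monitor-tunnels.sh. STATE_DIR, FAIL_THRESHOLD and ALERT_AFTER_RESTARTS are assumed names; the default health, restart and alert actions call systemd and the repo's alert script, and are plain functions so they can be swapped out when testing offline:

```bash
#!/usr/bin/env bash
# Added example, not the repo's monitor-tunnels.sh: evaluate one tunnel per
# loop iteration, restart it after N consecutive failed checks, and raise an
# alert only once restarts stop helping.
set -u

STATE_DIR=${STATE_DIR:-/var/tmp/cloudflared-monitor}   # assumed path for counters
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}                      # failed checks before a restart
ALERT_AFTER_RESTARTS=${ALERT_AFTER_RESTARTS:-2}          # restarts before an alert

# Default actions; a test overrides these three functions.
tunnel_healthy() { systemctl is-active --quiet "cloudflared-$1"; }
restart_tunnel() { systemctl restart "cloudflared-$1"; }
send_alert()     { ./scripts/alert-tunnel-failure.sh "$1" "$2"; }

# Counters live in files so a daemon keeps its history across its own restarts.
counter_get() { cat "$STATE_DIR/$1.$2" 2>/dev/null || echo 0; }
counter_set() { mkdir -p "$STATE_DIR"; printf '%s\n' "$3" > "$STATE_DIR/$1.$2"; }

# evaluate_tunnel <name>: prints one of ok, degraded, restarted, alerted.
evaluate_tunnel() {
  local name=$1 fails restarts
  if tunnel_healthy "$name"; then
    # a healthy check clears both counters, so flapping is counted afresh
    counter_set "$name" fails 0; counter_set "$name" restarts 0
    echo ok; return 0
  fi
  fails=$(( $(counter_get "$name" fails) + 1 ))
  counter_set "$name" fails "$fails"
  if [ "$fails" -lt "$FAIL_THRESHOLD" ]; then
    echo degraded; return 0
  fi
  restart_tunnel "$name"
  restarts=$(( $(counter_get "$name" restarts) + 1 ))
  counter_set "$name" fails 0; counter_set "$name" restarts "$restarts"
  if [ "$restarts" -ge "$ALERT_AFTER_RESTARTS" ]; then
    send_alert "$name" service_down   # same arguments as the Test Alerts command
    echo alerted
  else
    echo restarted
  fi
}
```

A daemon loop is then `for t in ml110 r630-01 r630-02; do evaluate_tunnel "$t"; done` on a sleep interval, with the output line appended to the monitor's log file.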

📚 Documentation

  • README.md - Main documentation
  • CLOUDFLARE_ACCESS_SETUP.md - Complete Access setup guide
  • TROUBLESHOOTING.md - Common issues and solutions
  • MONITORING_GUIDE.md - Monitoring setup and usage

🛠️ Management Commands

Start/Stop Services

```bash
# Start all tunnels
systemctl start cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02

# Stop all tunnels
systemctl stop cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02

# Restart specific tunnel
./scripts/restart-tunnel.sh ml110
```

Check Status

```bash
# All tunnels
systemctl status cloudflared-*

# Specific tunnel
systemctl status cloudflared-ml110

# Health check
./scripts/check-tunnel-health.sh
```

View Logs

```bash
# All tunnels
journalctl -u cloudflared-* -f

# Specific tunnel
journalctl -u cloudflared-ml110 -f

# Last 100 lines
journalctl -u cloudflared-ml110 -n 100
```

Verification

After deployment, verify:

  1. DNS resolution:

     ```bash
     dig ml110-01.d-bis.org
     dig r630-01.d-bis.org
     dig r630-02.d-bis.org
     ```

  2. Service status:

     ```bash
     systemctl status cloudflared-*
     ```

  3. HTTPS access:

     ```bash
     curl -I https://ml110-01.d-bis.org
     ```

  4. Cloudflare Access:
     • Open a browser
     • Navigate to https://ml110-01.d-bis.org
     • You should see the Cloudflare Access login

🎯 Next Steps

After deployment:

  1. Configure Cloudflare Access (see docs/CLOUDFLARE_ACCESS_SETUP.md)
  2. Set up monitoring (see docs/MONITORING_GUIDE.md)
  3. Configure alerting (edit monitoring/alerting.conf)
  4. Test all three Proxmox hosts
  5. Review access logs regularly

📞 Support

For issues:

  1. Check Troubleshooting Guide
  2. Run health check: ./scripts/check-tunnel-health.sh
  3. Review logs: journalctl -u cloudflared-*
  4. Check Cloudflare dashboard for tunnel status

🎉 Summary

This implementation provides:

  • Separate tunnels per host - Better isolation
  • Cloudflare Access - SSO/MFA protection
  • Health monitoring - Automated checks
  • Alerting - Email/webhook notifications
  • Auto-recovery - Automatic restart on failure
  • Complete documentation - Setup and troubleshooting guides

All recommended enhancements are included and ready to use!