Add support for Cloudflare Access to trusted_networks auth provider

I use Cloudflare Access as an authenticated reverse proxy for my Home Assistant instance, and to simplify my login flow I’ve whitelisted Cloudflare’s IP ranges using the trusted_networks authorization provider as shown below:

homeassistant:
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 192.168.0.0/16
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 104.16.0.0/12
        - 108.162.192.0/18
        - 131.0.72.0/22
        - 141.101.64.0/18
        - 162.158.0.0/15
        - 172.64.0.0/13
        - 173.245.48.0/20
        - 188.114.96.0/20
        - 190.93.240.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
      allow_bypass_login: true

In order to make things simpler for other users, and to make this setup more resilient to changes on Cloudflare’s side, I’d like to add a boolean cloudflare_access configuration parameter to trusted_networks that would transparently fetch the latest IP list from Cloudflare and add them to the whitelist.

I had originally considered creating a separate authorization provider to handle this, but as it would be a near duplicate of trusted_networks, it seems like a better solution would be to simply add this functionality to the existing module.

@balloob, I’d be interested to hear your thoughts on this.
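As an added illustration of the proposed cloudflare_access option (example code, not Home Assistant's or the poster's): it parses the one-CIDR-per-line text Cloudflare publishes at https://www.cloudflare.com/ips-v4, drops malformed or over-broad entries before they can widen the whitelist, merges the result with the static list, and checks a remote address against it. The embedded sample list and the MIN_PREFIXLEN_V4 policy are constructed assumptions.

```python
import ipaddress
from typing import Iterable

# Constructed sample of the one-CIDR-per-line text served by
# https://www.cloudflare.com/ips-v4, embedded so the example runs offline.
# A real implementation fetches it and must treat it as untrusted input:
# whatever lands in this list bypasses login when allow_bypass_login is on.
SAMPLE_CLOUDFLARE_IPS_V4 = """\
173.245.48.0/20
103.21.244.0/22
 172.64.0.0/13
not-a-cidr
0.0.0.0/0
"""

# Assumed policy: refuse any upstream entry broader than a /8, so a bad or
# tampered list cannot turn the proxy whitelist into "everyone".
MIN_PREFIXLEN_V4 = 8


def parse_cloudflare_ips(text: str) -> list[ipaddress.IPv4Network]:
    """Parse the fetched list, skipping malformed or over-broad entries."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError:
            continue  # malformed line: skip it rather than trust it
        if net.prefixlen < MIN_PREFIXLEN_V4:
            continue  # e.g. 0.0.0.0/0 would whitelist the whole Internet
        nets.append(net)
    # Merge adjacent/overlapping ranges into a minimal, sorted list.
    return list(ipaddress.collapse_addresses(nets))


def build_trusted_networks(static: Iterable[str], cloudflare_access: bool,
                           fetched_text: str) -> list:
    """Static trusted_networks plus, if enabled, the validated Cloudflare list."""
    nets = [ipaddress.ip_network(s) for s in static]
    if cloudflare_access:
        nets.extend(parse_cloudflare_ips(fetched_text))
    return nets


def is_trusted(remote_ip: str, trusted: Iterable) -> bool:
    """True if the connecting address (for a proxied request, the Cloudflare
    edge, not the end user) falls inside a trusted network."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in trusted if net.version == addr.version)
```

Because the matched address is the Cloudflare edge rather than the end user, this check only establishes that the request came through Cloudflare; authentication of the person still has to happen in Cloudflare Access in front of it.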

It’s taken me an age to figure out my issues with x-forwarded-by and Cloudflare … it seems to me that an opt-in of trusted networks providers would be extremely useful.
For me, this post was extremely useful.

Nice, glad I could help!

If anyone comes here for answers … I have a cloudflare -> nginx proxy -> HA on TrueNas …

Adding the CloudFlare networks corrected the entire x-forwarded-by … otherwise I just received “Login attempt or request with invalid authentication from 162.158.165.218 (162.158.165.218). See the log for details.” Which was of no use.

HA needs a log of invalid authentication.

Doesn’t this mean anyone on a Cloudflare IP address as specified gets straight in with no authentication?

Cloudflare Access is an identity-aware proxy that provides the authentication. From Cloudflare:

To secure your origin, you must also enable Argo Tunnel or limit connections to your origin to allow only Cloudflare IPs and verify the JWT.

FWIW, CloudFlare included their Tunnels feature in the free tier: https://blog.cloudflare.com/tunnel-for-everyone/. So you can set up a tunnel to CloudFlare and not allow any inbound traffic to your server.

Thanks, I didn’t know about this!

Has anyone had success with the cloudflared plugin?

Yes, it works well. Followed instructions, added the add-on, configured a remote tunnel - done. I already had Cloudflare DNS setup, so that helped.

Yes, so mine works as well, but I wasn’t able to get the authentication up and running :(
(basically I have two logins now)