Cloudflare ZeroTrust + Cloudflared Add-On + Companion Apps === Better Security

I’m having issues adding a bypass WAF rule.

I’m on a free plan so the WAF tab is only usable under the domain, not the account. I can see the rule getting applied but an email is still required (maybe it’s the policy I’ve set in Zero Trust).

Great tutorial. I was able to follow until the WAF rules and certificates part for Android. I believe Cloudflare’s dashboard has changed since and I am not able to add rules. Any tip?

Also not working for me. I followed the steps, but it seems like client certificates are not working. I created a pem certificate and used openssl to output the combined certificate and key as a p12 file.
I installed the p12 certificate on my Windows machine and Android phone. I have set up only two WAF rules: 1) a skip rule for the client certificate and 2) a block rule for country equals / not equals, the same as the last rule from this guide.
I don’t see that the client certificate rule is triggered, and with the country rule activated I cannot access the hostname anymore. I tried using the client certificate as a block rule, but the clients can pass this rule. So something is wrong with the certificate handling.

Would appreciate it if you could share more detail on the certificate section. It also took me some time to create the p12 file as a newbie.

Thanks!

Perhaps it’s time for me to update the tut?

I’m not using the ZeroTrust component as of now (December 2024). I can’t recall why I changed.

I will review my original post and follow up.

I will review the original instructions and provide a follow up.

I know how frustrating it is to find a great tutorial for something X, only to go through the steps and find that something Y is completely changed.

Cloudflare is constantly changing and moving things organizationally. It can be daunting if you’re starting fresh.

It may be a day or two, but I will get back with an update.

Thanks Lewis for your time and dedication on this! Much appreciated.

Thanks for this @Lewis. I imagine updating a guide for a solution you don’t use yourself anymore may not be urgent for you. It’s understandable.

You mentioned that you don’t use it anymore. May I ask what you use? I only know the VPN alternative, but I find it difficult to implement and maintain on other people’s phones, and there is the added battery consumption drawback as well.

BIG CORRECTION: I do use Zero Trust, but not the App side of it all. Sorry for that slip. Zero Trust is where the tunnels are configured.

I have just now re-read my instructions, and all the comments and other responses…

When I’m logged in to my Dash on Cloudflare, and have selected the appropriate domain, the WAF rules are still in the same place in the menu tree today, as they were when I wrote the original post. This part has not appeared to change.

Perhaps the only difference now is that when clicking in the sidebar into the Security drop-down, then selecting WAF, the main page opens to “managed rules” with an “Upgrade to Pro” button.

Be sure to select the “Custom Rules” menu on the left end of the menu bar.

My WAF rules are exhausted. However, you should also have the “free” tier limit of five available rules.

Just to be sure, are you able to access this page?

On which OS are you using a terminal to create the certificate(s)?

The one I do NOT use is Windows… I mostly use MacOS, or Debian/Ubuntu. I don’t know how much this makes a difference or complicates the procedure. Windows may not have the appropriate packages in PowerShell. And I wouldn’t be the best to answer any questions about it, because I never use it.

However, there is a comment somewhere up this thread where another person asked about the terminal process, and I printed out my bash_history for reference.

Perhaps have a look at that and try to follow through the steps I took.

Certificates, writing, combining, converting from type to type is sometimes quite convoluted especially when coming to it all as you’re learning about them and teaching yourself.

I’ve not tried it for this specific instance, but you could also try copying your command structure into ChatGPT and asking it to check your command structure and syntax.

I’ve been using ChatGPT frequently for other Home Assistant “projects” I’ve tasked myself with, especially in yaml and JavaScript. It’s not always accurate and sometimes returns incorrect code, but if you believe the answer is wrong, challenge the Bot and it will fess up to the error and provide an alternative.

Other than that, I can’t really say much more. The guide to certificate generation I referenced above is still valid and (at least for me) easily followed.

Many thanks for those screenshots. They put me on track and I was able to finish the setup. The missing step for me was that I was searching for SSL/TLS in the main Cloudflare dashboard and I had to select the domain I wanted to work with. So I was going back and forth between the main dashboard and Zero Trust dashboard looking for it.

Summing it up:

I had the addon installed with Local Tunnel setup on ha.mydomain.com
In Zero Trust I created a self-hosted application with email OTP for ha.domain.com
This way you will only get 24h access or so.
So, in the addon, add an additional host similar to that:

```yaml
- hostname: app-ha.mydomain.com
  service: http://192.168.0.2:8123
```

Where service is your internal URL for HA.

Then follow this guide using app-ha.mydomain.com
When creating the certificate, copy-paste the code into Notepad for example and save it as cf.pem and cf.key respectively. If you used those filenames then use Linux, Mac or WSL for Windows and, in the directory you saved them, use:

```shell
openssl pkcs12 -export -out cf.pfx -inkey cf.key -in cf.pem
```

Give it a password or for some reason you won’t be able to install it later.
Bring that cf.pfx to your phone and install it. Go to Settings, search for certificate > install cert from storage > VPN ...
Add https://app-ha.mydomain.com as an external URL in the companion app. Enjoy.

I apologize if some of this overlaps what you already explained (in a more concise and understandable way) but I wanted to resume my process in case it helps somebody else.

For reference, I got some info from here: Home Assistant App through Cloudflare Tunnel with Auth (Android)
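Added example, not code from the thread or from Cloudflare: a small POSIX shell helper around the same `openssl pkcs12 -export` step the post above describes, with the two checks that cost people in this thread the most time. It verifies that cf.pem and cf.key actually belong to the same key pair before exporting (a mismatched pair exports fine but the TLS handshake then never presents a usable certificate, so Cloudflare never "sees" it), refuses an empty password (Android will not import the bundle without one), and prints the subject/issuer/expiry inside the finished .pfx so you can confirm the issuer is the Cloudflare CA your WAF rule trusts. File names mirror the post; the bundle alias, password and temp paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or from Cloudflare).
# Wraps the openssl pkcs12 export step with the checks a practitioner
# wants before copying the .pfx to a phone.  Assumes cf.pem = the client
# certificate PEM and cf.key = its private key, as in the post above.
set -u

# Return 0 when the certificate and the private key are the same key pair.
# Both commands emit the SubjectPublicKeyInfo PEM, so a plain string compare works.
keypair_matches() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_p12 CERT KEY OUT PASSWORD
# Export cert + key into a password-protected PKCS#12 (.pfx) bundle.
# Android refuses to import a bundle with an empty password, so insist on one,
# and refuse to export a cert/key pair that does not match.
make_p12() {
  local cert="$1" key="$2" out="$3" pass="$4"
  [ -n "$pass" ] || { echo "make_p12: a non-empty password is required" >&2; return 2; }
  keypair_matches "$cert" "$key" || { echo "make_p12: certificate and key do not match" >&2; return 3; }
  # "cloudflare-client" is an assumed friendly name shown by the phone's cert UI.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
    -passout "pass:$pass" -name "cloudflare-client"
}

# inspect_p12 PFX PASSWORD
# Print subject, issuer and expiry of the client certificate inside the bundle.
# When a browser or phone reports it cannot verify the certificate, check here
# that the issuer is the Cloudflare CA the WAF rule expects and the date is valid.
inspect_p12() {
  local pfx="$1" pass="$2"
  openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# p12_key_count PFX PASSWORD
# Number of private keys in the bundle; a correct client bundle has exactly 1.
p12_key_count() {
  local pfx="$1" pass="$2"
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
    | grep -c -- '-----BEGIN .*PRIVATE KEY-----'
}

# Typical use (assumed file names from the post above):
#   make_p12 cf.pem cf.key cf.pfx 'choose-a-real-password' && inspect_p12 cf.pfx 'choose-a-real-password'
```

Run it from the directory holding cf.pem and cf.key; a non-zero exit from `make_p12` with "certificate and key do not match" means the PEM you pasted from the Cloudflare dashboard and the key you saved are not a pair, which is worth ruling out before touching any WAF rule.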

Good to read that you’ve got over some of the hurdles of confusion!

When I previously (and incorrectly) stated I didn’t use ZeroTrust anymore, what I actually meant was, I don’t use the self-hosted application anymore.

The reason for this was that the Companion App and VaultWarden wouldn’t always be able to connect through the Cloudflare ZeroTrust Application.

When I removed the Application route, consistency was returned.

A visual guide to understanding traffic sequence / flow through Cloudflare is displayed in the WAF Custom Rules setup page, on the far right side.

There is even a method to simulate flow (for troubleshooting).

Perhaps this will give you a better comprehension of how Cloudflare works.

It’s after all of those steps that it, if not dropped, enters the ZeroTrust.

Now, if the WAF rules have only allowed clients with your certificate, and dropped everything else, then perhaps the added condition of the ZeroTrust Application with IdP is not necessarily necessary. At least, that’s the logic I’m using.

And since this time, only my own devices are able to pass through to my Cloudflare Tunnel and into my HA.

It all works so well, I’ve mostly put it out of mind because I don’t need to worry about it at all.

There is only one function that does not work, and that is editing or saving passwords in VaultWarden. Mostly because I haven’t taken the time to sleuth out what url structure is being used when VaultWarden is attempting to save an entry. But if I connect to VPN (through Unifi), the save works without issue.

Thanks mate, this is the page I have

There’s a country and UA rule I put in place as a bypass for iOS and it is getting hit as per the logs but it still loads zerotrust

Thank you for your explanation. I think I’m getting the hang of it.

Last question if you don’t mind. You mention that you don’t use Zero Trust anymore. Does that mean you only use certificate access? What if you want to access externally through a browser? In that case you would normally use an identifier such as OTP through email. Right?

I don’t use the Web Application with IdP inside ZeroTrust.

The trust is established with the WAF rules.

Android uses client certificate + ISP filter.

iOS uses ISP filter + agent matching.

So, sure, if someone knows my sub.domain.tld AND is on the same mobile carrier network, then yes, that someone would pass my Cloudflare WAF rules. However, the likelihood of this occurring is very insignificant. And also, my HA instance is SSL and does have users/passwords and fail2ban.

I’m not too concerned beyond this.

And for the maybe two times in 6 years I needed to access my HA instance from somewhere else to do something in a computer browser that was just too clumsy to be accomplished on a mobile device, I used my mobile as a tether and connected by VPN (over my Unifi gateway). But this is only due to using NodeRED for 99.3% of my automations, and something was not functioning and my family was submitting reports that I needed to address when not at home.

As for my final Rule #5 in my WAF, I’ve actually moved away from a country blacklist, and went with a simple “deny all internet” rule. The Cloudflare expression is this:

```
(ip.src in {0.0.0.0/0})
```

So, if traffic has not skipped the remaining previous 4 rules, then EVERYTHING will be blocked.

Ok. That makes sense. It is so customizable that it can be overwhelming to newcomers. I’ve been learning a lot with this implementation (IdP, WAF, openssh and certs, DNS records, etc.) and especially with your tutorial. So thank you very much for the time you put into this.

Hey, thanks for your work!
I initially decided to only go the route of: mTLS rule, installing the certificate on my browser and my Android phone, and a WAF rule which blocks ALL traffic that does not equal certificate.

However, I still had some security concerns since I still had the feeling that quite some people are connecting to my domain… So i have setup Zero Trust which feels way better… but yeah, my Companion App is broken now and I urgently want to track devices for automations when I am leaving/coming home. Do you really feel perfectly safe with only Client Certificate + a single rule, that blocks all traffic without certificate? Or is there any good way to bypass Zero Trust (With a Bypass rule?) when opening it with the HA Mobile App?
(also see my question here which is basically the same: Is my Cloudflare Setup safe?)

Has anyone managed to get this to work on Windows? I’ve gotten up to the point of installing the client certificate into Windows’ certificate manager (certmgr.msc), and I am able to successfully access my website from the Command Prompt using curl:

```
curl -v --cert CurrentUser\MY\<thumbprint_of_cert> https://mydomain.com/
```

This returns a successful response and I can see the contents of my website in the HTML.

However, I cannot for the life of me get any web browser to prompt for the client certificate. I have tried Chrome and Edge browsers, but when I go to https://mydomain.com/ it doesn’t ask for a certificate, it just gives me Cloudflare’s 403 forbidden “Sorry, you have been blocked” page.

I downloaded the Cloudflare root certificate from my Zero Trust dashboard which was marked as “AVAILABLE” + “IN USE”, and installed that into Windows Trusted Root Certification Authorities, although I don’t know if this step was necessary.

When I view my client certificate it says: “Windows does not have enough information to verify this certificate.”
I don’t know if this is normal, or if this is the problem.

Could really use some advice on this one, I’m at a loss!
Thanks

I don’t use Windows, so I’m not quite sure of how or where to import/store custom certificates and trust them.

However, the browser should be requesting a certificate on page load. (At least, that’s how it worked for me on MacOS for either Chrome or Safari.)

And come to think of it, this is only when loading the HA webUI through the Cloudflare tunnel. It’s actually Cloudflare that wants the certificate, to validate according to the WAF rule.

But I would suggest, it’s all somewhat irrelevant if accessing HA locally. I mean, if you trust yourself, there isn’t much need to get too secure?

For my setup, I do use internal and external FQDNs ( + subdomain for external, domain.tld for internal).

Through DNS rewrites, I manage local device connections to route to the local LAN IP, regardless of the domain in the request.

Doing this bypasses the CF Tunnel, which is ok, because I trust myself.

after some playing around on zerotrust I was able to add a rule by country to bypass policy:

I then had to change the access rule on the tunnel to turn off “Protect with Access”

This is even with a WAF rule; I can see the rule being hit but the skip step seems to get missed.

Would be good to have the WAF rule working for iOS so I can have the network, country, user agent rules (access has less of these options)