docs/dedis/securing_your_network.mdx
Lines changed: 13 additions & 11 deletions
@@ -44,8 +44,8 @@ You'll most likely want the same people to have SSH access across all of your de
44
44
1. Under "My Team" -> "Groups", click "Add a group".
45
45
1. If you're only using CloudFlare Teams for SSH access, you might want to turn on "Set as default group". You won't need to assign this group manually to applications when you set up each application in the steps below.
46
46
1. Set up the include and require rules to restrict access to your team members. An example set up would be:
47
-
- Include: "Emails ending in @company.com"
48
-
- Require: "Login methods - Google Workspace"
47
+
- Include: "Emails ending in @company.com"
48
+
- Require: "Login methods - Google Workspace"
49
49
50
50
## Create an application for the dedicated server
51
51
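Review bot: the two removed and re-added sub-bullets at lines 47-48 are identical once leading whitespace is stripped, so this hunk only re-indents the nested list under the "include and require rules" step; the commit message should say so, because the rendered diff gives no hint of what changed. On the example itself, the Include rule "Emails ending in @company.com" is satisfied by whichever enabled identity provider asserts such an address, so the Require rule "Login methods - Google Workspace" is the part that actually pins access to your own directory; a sentence saying that the Require line is not optional would stop readers from dropping it when they adapt the example.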
@@ -57,25 +57,26 @@ For each dedicated server you have, you need to create an application in the Clo
57
57
1. Set the session duration to the maximum length of time you want to allow an SSH connection to be open before the user has to re-authenticate. You can lower this from 24 hours to increase security.
58
58
1. Set the domain to the domain you registered (e.g. `companyinternal.dev`). Leave the path blank.
59
59
1. Set the subdomain. As suggested above, it should be something like `west-europe-01`.
60
-
- Ignore the warning about "No DNS record found for this domain". We'll create one later.
60
+
- Ignore the warning about "No DNS record found for this domain". We'll create one later.
61
61
1. Untick "Show this app in App Launcher". There's no need for it to be visible there.
62
62
1. Select the identity providers you want to use to authenticate SSH access with at the bottom of the page.
63
63
1. Click "Next".
64
64
1. Set a name for the policy; a suggestion would be "Internal Employee Access".
65
65
1. If you set up an access group above, select this access group. Otherwise, manually add the access rules to only allow team member access.
66
66
1. Click "Next".
67
67
1. Underneath "Additional settings":
68
-
- Turn on "Enable automatic cloudflared authentication".
69
-
- Set "Browser rendering" to "SSH".
68
+
- Turn on "Enable automatic cloudflared authentication".
69
+
- Set "Browser rendering" to "SSH".
70
70
71
71
## Set up an SSH tunnel
72
72
73
73
For the application we just set up, we now need to create a tunnel configuration so that CloudFlare knows how to route it. This will also install the tunnel software on our dedicated server.
74
74
75
-
1. Under "Access" -> "Tunnels", click "Create a tunnel".
75
+
1. Under "Network" -> "Tunnels", click "Create a tunnel".
76
+
1. Select "Cloudflared".
76
77
1. Set the tunnel name to match the application name; e.g. `west-europe-01`.
77
78
1. Click "Save tunnel".
78
-
1. For operating system, select "Debian".
79
+
1. For operating system, select "Debian", "64-bit".
79
80
1. Copy the command shown for "If you don’t have cloudflared installed on your machine:".
80
81
1. SSH into your dedicated server via the public Internet. Your local provider will have given you the SSH credentials for the dedicated server when they provisioned it. Usually these credentials are emailed to you. You can SSH to your machine at the command-line like so:
81
82
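Review bot: the substantive changes here are the menu path correction ("Access" -> "Network" -> "Tunnels" at line 75), the new "Select 'Cloudflared'" step at line 76 and the "64-bit" qualifier at line 79; the other +/- pairs (lines 60 and 68-69) are indentation-only, and the 25 -> 26 line count in the header matches the one inserted step. Two documentation points on the unchanged context: line 57 says "You can lower this from 24 hours to increase security" without stating that 24 hours is the default shown in the portal or recommending a shorter value for SSH sessions, which a reader following the steps literally will simply accept; and line 61 ("Untick 'Show this app in App Launcher'") should make clear that hiding the app is cosmetic and has no effect on who can authenticate, so nobody treats it as an access control.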
@@ -89,10 +90,10 @@ ssh user@host
89
90
1. You should see the connector appear on CloudFlare Teams after a few seconds with a status of "Connected".
90
91
1. Click "Next" in the CloudFlare Teams portal.
91
92
1. Set the public hostname to the same hostname you gave the application in the previous step. That means:
92
-
- The subdomain should be something like `west-europe-01`.
93
-
- The domain should be the domain you registered, like `companyinternal.dev`.
94
-
- The path should be left blank.
95
-
- Again, ignore the warning about "No DNS record found for this domain". When you save the tunnel in a moment, it will create the DNS record we need automatically.
93
+
- The subdomain should be something like `west-europe-01`.
94
+
- The domain should be the domain you registered, like `companyinternal.dev`.
95
+
- The path should be left blank.
96
+
- Again, ignore the warning about "No DNS record found for this domain". When you save the tunnel in a moment, it will create the DNS record we need automatically.
96
97
1. For service, set the scheme to "SSH" and the address field to `127.0.0.1:22`.
97
98
1. Click "Save tunnel" at the bottom of the page.
98
99
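Review bot: the changed lines (93-96) are again indentation-only and the wording is unchanged, so this is a rendering fix for the nested list under the "public hostname" step. On the service step at line 97, pointing the tunnel at `127.0.0.1:22` is the right target, but it should be stated that this only adds a path to sshd through cloudflared; sshd keeps listening on the public interface that the reader used in the earlier "SSH into your dedicated server via the public Internet" step until that access is restricted. If the guide closes the public SSH port in a later section, add a forward reference to it here so the reader does not assume the tunnel alone removed the public exposure.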
@@ -188,6 +189,7 @@ lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
188
189
```
189
190
190
191
The interface names might differ slightly, but the important thing is:
192
+
191
193
-`eth0` is the private network interface. It has an IP address like `10.x.x.x`, `192.168.x.x`, etc.
192
194
-`eth1` is the public network interface. It has an IP address associated with the public Internet. This IP address should also be visible in any management portal that your local provider gives you.