This document is a guide for a Proof of Concept (POC) that validates Cloudflare Zero Trust (Cloudflare Access) requests with a small Node.js service acting as the backend for Traefik's forwardAuth middleware. The service is compatible with both Traefik 2.x and Traefik 3.x.
The primary goal is to demonstrate how Traefik can authenticate requests through Cloudflare Zero Trust, by checking the Cloudflare Access token (its signature against Cloudflare's certificates and its AUD against your Access applications) before the request reaches the upstream service.
Additionally, most configuration has moved to environment variables so the service can be run in Docker. Because Access applications (and therefore their AUD tags) come and go and Cloudflare rotates its signing certificates, the service refreshes the certificates every 24 hours and the list of AUDs every hour using the Cloudflare API.
// set up a read-only API token with the permission: Account > Access: Apps and Policies > Read
CF_TOKEN=_this is your cf token_
// your account (ORG) ID, taken from the Cloudflare dashboard URL https://dash.cloudflare.com/{your ORG ID}
CF_ORG=_this is your ID for cloudflare_
// the team domain you have configured in Cloudflare Zero Trust
CF_DOMAIN=https://{yourdomain}.cloudflareaccess.com
Traefik config, for example auth.yml (the address should be reachable from Traefik only, not exposed publicly):
http:
  middlewares:
    test-auth:
      forwardAuth:
        address: "http://IP:PORT/auth"
Then attach the middleware to the router for your domain. The example below protects Traefik's own dashboard (api@internal) only as an illustration; you probably do not want to do this on a writable dashboard or API.
http:
  routers:
    dashboard:
      rule: Host(`{your domain}`)
      service: api@internal
      middlewares:
        - test-auth
      entryPoints:
        - "websecure"