Skip to content

Add Zero Trust references (Access, Gateway, Devices, DLP) #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ruimarinho wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add Zero Trust references (Access, Gateway, Devices, DLP) #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 65 additions & 1 deletion skills/cloudflare/SKILL.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,16 @@
---
name: cloudflare
description: Comprehensive Cloudflare platform skill covering Workers, Pages, storage (KV, D1, R2), AI (Workers AI, Vectorize, Agents SDK), networking (Tunnel, Spectrum), security (WAF, DDoS), and infrastructure-as-code (Terraform, Pulumi). Use for any Cloudflare development task.
description: Comprehensive Cloudflare platform skill covering Workers, Pages, storage (KV, D1, R2), AI (Workers AI, Vectorize, Agents SDK), networking (Tunnel, Spectrum), security (WAF, DDoS), Zero Trust (Access, Gateway, WARP, DLP), and infrastructure-as-code (Terraform, Pulumi). Use for any Cloudflare development task.
references:
- workers
- pages
- d1
- durable-objects
- workers-ai
- access
- gateway
- devices
- dlp
---

# Cloudflare Platform Skill
Expand All @@ -25,6 +29,26 @@ Not authenticated? → `references/wrangler/auth.md`
- Interactive/local: `wrangler login` (one-time OAuth)
- CI/CD: Set `CLOUDFLARE_API_TOKEN` env var

### Zero Trust API Authentication

For Zero Trust API operations:

```bash
# Verify API token
curl -s -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
"https://api.cloudflare.com/client/v4/user/tokens/verify" | jq .

# Get account ID
curl -s -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
"https://api.cloudflare.com/client/v4/accounts" | jq '.result[] | {id, name}'
```

**Required permissions for Zero Trust:**
- Account > Zero Trust > Edit
- Account > Access: Apps and Policies > Edit
- Account > Zero Trust: Gateway > Edit
- Account > Zero Trust: Tunnels > Edit

## Quick Decision Trees

### "I need to run code"
Expand Down Expand Up @@ -94,6 +118,37 @@ Need security?
└─ Credential leak detection → waf/ (managed ruleset)
```

### "I need Zero Trust / secure access"

```
Need Zero Trust?
├─ Control who can access apps?
│ ├─ Web application with login page → access/ (self-hosted app)
│ ├─ SaaS application (Okta, GitHub) → access/ (SaaS app)
│ ├─ SSH/RDP/VNC access → access/ (infrastructure app)
│ ├─ Internal service via browser → access/ + tunnel/
│ └─ API/service-to-service auth → access/ (service tokens)
├─ Filter/inspect traffic?
│ ├─ Block malicious domains (DNS) → gateway/ (DNS policies)
│ ├─ Block categories (gambling, adult) → gateway/ (DNS policies)
│ ├─ Inspect/block HTTP traffic → gateway/ (HTTP policies)
│ └─ Custom allow/block lists → gateway/ (lists)
├─ Connect networks/services?
│ ├─ Expose local service securely → tunnel/
│ ├─ Connect office network → tunnel/ + devices/
│ ├─ Private network routing → tunnel/ (private networks)
│ └─ Replace VPN → tunnel/ + devices/ (WARP)
├─ Manage endpoint devices?
│ ├─ Deploy WARP client → devices/
│ ├─ Device compliance checks → devices/ (posture)
│ ├─ Split tunnel configuration → devices/ (policies)
│ └─ MDM integration → devices/ (posture integrations)
└─ Prevent data leaks?
├─ Detect PII/credit cards → dlp/ (profiles)
├─ Custom data patterns → dlp/ (custom entries)
└─ Block file uploads by type → gateway/ (HTTP policies)
```

### "I need media/content"

```
Expand Down Expand Up @@ -150,6 +205,15 @@ Need IaC? → pulumi/ (Pulumi), terraform/ (Terraform), or api/ (REST API)
| AI Gateway | `references/ai-gateway/` |
| AI Search | `references/ai-search/` |

### Zero Trust
| Product | Reference |
|---------|-----------|
| Access | `references/access/` |
| Gateway | `references/gateway/` |
| Tunnel | `references/tunnel/` |
| Devices (WARP) | `references/devices/` |
| DLP | `references/dlp/` |

### Networking & Connectivity
| Product | Reference |
|---------|-----------|
Expand Down
151 changes: 151 additions & 0 deletions skills/cloudflare/references/access/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,151 @@
# Cloudflare Access

Zero Trust application access control. Secure web apps, SSH, RDP, and APIs without a VPN.

## Overview

Cloudflare Access provides:
- **Identity-aware proxy** - Authenticate users before they reach your app
- **Multiple app types** - Self-hosted, SaaS, infrastructure (SSH/RDP/VNC)
- **Flexible policies** - Based on identity, device posture, location, and more
- **Service tokens** - Machine-to-machine authentication

**Architecture**: User → Cloudflare Edge → Access Policy Check → Origin Application

## Application Types

| Type | Use Case | Example |
|------|----------|---------|
| `self_hosted` | Web apps you control | Internal dashboard at `app.example.com` |
| `saas` | Third-party SaaS apps | Okta, Salesforce, GitHub |
| `infrastructure` | SSH/RDP/VNC/SMB | Server at `ssh.example.com` |
| `bookmark` | Quick links in App Launcher | Link to external tool |
| `app_launcher` | User portal | Central access hub |

## Quick Start

### 1. Create Self-Hosted Application

```bash
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$CLOUDFLARE_ACCOUNT_ID/access/apps" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Internal Dashboard",
"domain": "dashboard.example.com",
"type": "self_hosted",
"session_duration": "24h"
}'
```

### 2. Create Policy for Application

```bash
# Get the app_id from step 1
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$CLOUDFLARE_ACCOUNT_ID/access/apps/$APP_ID/policies" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Allow Engineering Team",
"decision": "allow",
"include": [
{"group": {"id": "GROUP_UUID"}}
],
"precedence": 1
}'
```

### 3. Connect Application via Tunnel

```bash
# Create tunnel
cloudflared tunnel create dashboard-tunnel

# Configure ingress (in config.yml)
# tunnel: <TUNNEL_ID>
# ingress:
# - hostname: dashboard.example.com
# service: http://localhost:8080
# - service: http_status:404

# Route DNS
cloudflared tunnel route dns dashboard-tunnel dashboard.example.com

# Run
cloudflared tunnel run dashboard-tunnel
```

## Policy Decisions

| Decision | Effect |
|----------|--------|
| `allow` | Grant access if rules match |
| `deny` | Block access if rules match |
| `bypass` | Skip authentication (public access) |
| `non_identity` | Allow service tokens only |

## Policy Rules

Policies use `include`, `exclude`, and `require` arrays:

```json
{
"name": "Engineering Access",
"decision": "allow",
"include": [
{"group": {"id": "engineering-group-uuid"}},
{"email": {"email": "admin@example.com"}}
],
"exclude": [
{"ip_range": {"ip": "192.168.1.0/24"}}
],
"require": [
{"device_posture": {"integration_uid": "posture-check-uuid"}}
]
}
```

**Logic:**
- `include` - User must match at least one (OR)
- `require` - User must match all (AND)
- `exclude` - User must not match any (NOT)

## Common Rule Types

| Type | Example | Description |
|------|---------|-------------|
| `email` | `{"email": "user@example.com"}` | Specific email |
| `email_domain` | `{"email_domain": "example.com"}` | Email domain |
| `group` | `{"id": "uuid"}` | Access Group |
| `everyone` | `{}` | All authenticated users |
| `ip_range` | `{"ip": "10.0.0.0/8"}` | IP/CIDR range |
| `country` | `{"code": "US"}` | Country code |
| `device_posture` | `{"integration_uid": "uuid"}` | Posture check |
| `service_token` | `{"id": "uuid"}` | Service token |
| `certificate` | `{}` | mTLS certificate |

## Session Duration

```json
{
"session_duration": "24h", // How long before re-auth
"same_site_cookie_attribute": "lax"
}
```

**Values:** `30m`, `1h`, `6h`, `12h`, `24h`, `168h` (1 week)

## In This Reference

- [Policies](./policies.md) - Policy configuration details
- [Groups](./groups.md) - Access Groups for rule reuse
- [Identity Providers](./identity-providers.md) - IdP configuration
- [Service Tokens](./service-tokens.md) - Machine authentication
- [API](./api.md) - Full API reference
- [Gotchas](./gotchas.md) - Common issues and limits

## See Also

- [Gateway](../gateway/README.md) - DNS/HTTP filtering
- [Tunnel](../tunnel/README.md) - Secure connectivity
- [Devices](../devices/README.md) - Device posture integration
Loading