Access and Authenticating Apps

Hi all, been using Cloudflare for a while for DNS and DDoS mitigation and trying out Access now. I managed to put my Nextcloud server behind Access and set up G Suite as my IDP. This all works well via a browser.

How does Access work when it comes to things like Android apps that are traditionally configured with a URI of a resource and only need a username/password? (I’m thinking the Nextcloud app and another I have to view IP cameras).

In the case of the IP camera app, I’d typically authenticate to the VPN and then the app is configured with private IP addresses and uses a username/password combo to log into individual cameras.

The Nextcloud app doesn’t work at all and comes up with the error “Malformed Server Configuration” when attempting to reach the public URL of my server.

Any ideas?
H

You have two options for non-interactive applications such as these: Service Tokens and mTLS. Documentation available here:

Thanks @michael, I had a look at those and it doesn’t seem too clear as to how I’d get any of that going in my situation.

Will try and learn a bit more about Access and see what others have done.
H

Perhaps I’ve gotten the wrong idea. Is this a third party app? It expects to use just basic HTTP authentication? Is this just for you and your family to access a device in the home (and not something for the general public, or an app you are building)?

In that case you could build a Worker that performs the Basic HTTP Authorization (essentially check for the presence of the header, and match the value against the known basic auth hashes). You’ll find examples using your preferred search engine.
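A sketch of the check described in the reply above, added here as an example and not part of the original post. The function names, the layout of the user table, and the use of salted PBKDF2 for the stored hashes are assumptions; it relies only on Web Crypto and the standard `Request`/`Response` types.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
const enc = new TextEncoder();
const toHex = (buf) => [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, "0")).join("");

// Stored verifier: PBKDF2-HMAC-SHA256 of the password with a per-user salt.
async function hashPassword(password, salt, iterations = 100000) {
  const key = await crypto.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveBits"]);
  const params = { name: "PBKDF2", hash: "SHA-256", salt: enc.encode(salt), iterations };
  return toHex(await crypto.subtle.deriveBits(params, key, 256));
}

// Parse "Basic <base64(user:pass)>"; returns null for anything malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(header ?? "");
  if (!m) return null;
  let text;
  try {
    const bytes = Uint8Array.from(atob(m[1]), (c) => c.charCodeAt(0));
    text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  } catch { return null; } // bad base64 or invalid UTF-8
  const i = text.indexOf(":"); // split on the first ':'; passwords may contain ':'
  return i < 0 ? null : { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// Compare two strings without exiting early at the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// users: { name: { salt, hash } }. Returns the username, or null if rejected.
async function authenticate(header, users) {
  const cred = parseBasic(header);
  if (!cred) return null;
  const entry = Object.hasOwn(users, cred.user) ? users[cred.user] : null;
  // Hash for unknown users too, so timing does not reveal which names exist.
  const got = await hashPassword(cred.pass, entry ? entry.salt : "no-such-user");
  return entry && constantTimeEqual(got, entry.hash) ? cred.user : null;
}

// In a Worker, call this from the fetch handler and pass in the user table.
async function handleRequest(request, users) {
  const user = await authenticate(request.headers.get("Authorization"), users);
  if (user) return fetch(request); // authenticated: forward to the origin
  const headers = { "WWW-Authenticate": 'Basic realm="private", charset="UTF-8"' };
  return new Response("Unauthorized", { status: 401, headers });
}
```

Generate each user's `hash` offline with `hashPassword` and store the table as a Worker secret rather than in the script source.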

Hi @michael, thanks for the reply.

The Nextcloud Android app requires you to input the URL of the server and once connected, requires a username/password. This app works when on my LAN as essentially the local DNS server resolves to the private IP address of the Nextcloud box and bypasses Cloudflare.

In the case of the other app for viewing IP cameras, it basically works in a similar way. The IP address or FQDN of the camera is set in the app and then a username/password supplied. I used to do a port-forward on my router to get this working, but subsequently changed that and left the cameras on LAN and accessed them through the VPN instead. The flow was:

Android OpenVPN Client > NGFW running OpenVPN Server > Onto the LAN and use the app to access the camera stream.

I will take a look at workers and see if that’s something that can help.
H