Account Linking Alexa with Cloudflare

Hi all,

Based on this post (already closed), I was thinking of securing the account linking for my Alexa Skill (only used for Home Assistant).

Another approach, which is already working in my environment, is using a Cloudflare Service Token just as described here, but I don't like the idea of making the function URL public, because I cannot enable IAM since the request is generated by the Alexa App during account linking.

Do you know if the solution shared by @dsm requires an Enterprise plan? Or is it secure enough to follow the Cloudflare docs but set the Service Auth policy in my Application to Include → Valid Certificate → Any valid certificate will be matched? cc/ @jklimek

Also, @dsm if you are reading this:

  • What's BASE_URL_EX?
  • Should I modify something to provide cert_file='client.pem', key_file='key.pem', cert_reqs='CERT_REQUIRED' in:

        from urllib3 import HTTPSConnectionPool

        # Pool that presents the client certificate on every request and
        # still verifies the server certificate (CERT_REQUIRED).
        http = HTTPSConnectionPool(base_url_ex, cert_file='client.pem', key_file='key.pem', cert_reqs='CERT_REQUIRED')

        #http = urllib3.connection_from_url(
        #    base_url,
        #    cert_file='client.pem',
        #    key_file='key.pem',
        #    cert_reqs='CERT_REQUIRED' if verify_ssl else 'CERT_NONE')

Thanks in advance for your support community!

I cannot edit my post due to permissions, the correct URLs are:

  • Old closed post: https://community.cloudflare.com/t/can-i-use-mtls-to-secure-home-web-server-re-alexa-flash-briefing-and-google-actions-apis/417629/3
  • Different approach using Service Tokens: https://www.reddit.com/r/homeassistant/comments/w6hnhz/comment/ik0d8ci/
  • Cloudflare docs: https://developers.cloudflare.com/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/

Hi,

The solution I previously posted about seems to be working just fine; you can have up to 5 firewall rules, from memory, on the free plan. At some point the certs will expire and I'll need to refresh, but that's a few years away yet. I've confirmed multiple times that devices without the certs get rejected, so it seems to be doing its job correctly.

The BASE_URL_EX is just the URL without the leading https://. So BASE_URL would be
https://something.example.com and BASE_URL_EX would be something.example.com

Hope this helps.
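As an added example (not code from either post above), here is the standard-library equivalent of the HTTPSConnectionPool call in the question, using ssl and http.client instead of urllib3: it derives BASE_URL_EX from BASE_URL the way the reply defines it and presents the client certificate while keeping server verification on. The hostname and the client.pem/key.pem paths are placeholders.

```python
import http.client
import ssl
from urllib.parse import urlparse


def base_url_ex(base_url: str) -> str:
    """BASE_URL without the scheme, e.g. https://host -> host (host:port is kept)."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        raise ValueError("account-linking endpoint must be https, got %r" % base_url)
    return parsed.netloc


def host_and_port(base_url: str) -> tuple[str, int]:
    """Split BASE_URL into (hostname, port); port defaults to 443."""
    parsed = urlparse(base_url)
    return parsed.hostname, parsed.port or 443


def build_mtls_context(cert_file=None, key_file=None, ca_file=None) -> ssl.SSLContext:
    """Client-side TLS context: server cert verified (CERT_REQUIRED),
    hostname checked, TLS 1.2+, and our client cert presented if given."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CA store if None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:  # placeholder paths, e.g. client.pem / key.pem
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def fetch_status(base_url: str, path: str, cert_file: str, key_file: str) -> int:
    """GET `path` on BASE_URL with the client cert; returns the HTTP status.
    Cloudflare Access rejects the handshake or returns 403 without a valid cert."""
    host, port = host_and_port(base_url)
    ctx = build_mtls_context(cert_file, key_file)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    base_url = "https://something.example.com"  # placeholder
    print("BASE_URL_EX =", base_url_ex(base_url))
    # Live check (needs real cert files and a reachable host):
    # print(fetch_status(base_url, "/api/", "client.pem", "key.pem"))
```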
