Argo Tunnels is a great feature that allows an entire server farm to allow remote and secure access via Cloudflare Access.
However, as a powerful tool it has the potential to create security holes, as once a tunnel daemon is authorized it is then has the ability to create multiple tunnels on its own. This means that any admin on a server can by a simple command write DNS rules that will bypass Access policies and open internal servers to the world.
For now we’re not using Tunnels due to this security concern and would love to here if there’s some intention to improve on the security constraints imposed on a Daemon.
There are multiple options here, with the best being requiring an authorization on Cloudflare side for each tunnel and not for each daemon.
Another good thing would be to have a functionality that allows to impose Access on Argo Tunnels ins such a way that no tunnel is accessible if it does not have an Access policy leading to it.
Thanks for the feedback! My understanding is solutions which would work include:
- Requiring you to ‘allow’ each tunnel in the Cloudflare UI somehow (or requiring you to preauthorize them by allowing tunnels to be attached to specific hostnames)
- An email confirmation before allowing a tunnel to be connected
- A setting which mandates some sort of Access policy before a tunnel can be created
- A variant of
Cloudflared login which only authorizes specific hostnames
Can you think of anything else?
I think you pretty much covered this. There is one more option for a seamless operation (given that DevOps and Security are not always on the same team): It is to configure a default behaviour for tunnels that will not condition creating a tunnel by creating a security setting or permission.
To clarify - the options you’ve outlined seem to require 2 people collaborating at the same time or at least one is dependent on the other. I’m thinking along the lines of DevOps can do whatever, but there’s a default policy - so they can go over multiple hosts and configure them at their own time, but it will stay protected with security defaults.
In my case DevOps do not have access to Cloudflare - this is considered a security infrastructure, so they can’t manage it, but do manage servers.