Cloudflare Access and reverse proxies

So I have a question that is multifaceted regarding Cloudflare Access (product) and certificates.

I have 2 servers, both using Argo tunnels to connect in with Cloudflare Access applications. One, let's call it Server1, has a reverse proxy (swag, which gets Let's Encrypt certs for the domain) that was in use before Cloudflare Access was put in. So the Cloudflare applications point to the reverse proxy port and are then routed to the application. This works, but what I want to know is, from a security perspective, do I need this reverse proxy at all?

Seeing as on Server2 there is no reverse proxy and you can point a Cloudflare Access application to any application on the machine, and it presents the user with no SSL issues in the browser and shows the Cloudflare SNI cert.

I just really want to know if this is an issue on Server1 (adding complexity and not much more security) or an issue on Server2 (where I need to add a reverse proxy and certificates)?

Note: the reason for the reverse proxy on Server1 was, pre-Cloudflare Access, to manage connections using HTTPS to non-HTTPS services running in Docker.

Any clarification on how certs work in Cloudflare access would be great. Thanks.

Whilst the scenario confuses me a little bit (haven't had any coffee yet): are you pointing a Cloudflare Tunnel at a reverse proxy?

Tunnels themselves are reverse proxies and can do mapping of hostnames to http/https on various ports.

Certificates aren't needed when running cloudflared and the websites on the same host: there's no traffic going over a network to be MITM'd.

Ahh, this makes sense, so I can remove the reverse proxy from the equation without any security issues for apps on the same host in Docker. The only thing I think I need to keep is for things outside that host, which makes sense. A further question then regarding headers: I use the reverse proxy to bypass my 2FA container for API access to apps when X-Api-Key is presented etc. Is there a way to mimic this in Cloudflare Access, or is the only way to do it to add in the service token headers etc.?

Cloudflare Access can be bypassed by Service Tokens (theoretically you can do it by IP, but I'd very much recommend service tokens), which are put into headers, yeah.
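The two answers above (tunnels doing the hostname-to-port mapping themselves, and service tokens carried in request headers) put together as a worked example. This is an added example, not code from any poster or from Cloudflare; the hostnames, ports, the LAN address, the tunnel UUID placeholder and the token values are all assumed. The ingress rules map same-host Docker services to plain HTTP, since that traffic never leaves the machine, and keep HTTPS with certificate verification only for an origin on another host; the header function shows the two headers a service-token client sends so an Access application with a Service Auth policy admits it without the browser login.

```shell
#!/bin/sh
# Added example, not from the thread or from Cloudflare's own docs.
# Assumed: app1/app2/nas.example.com, the ports, 192.168.1.20, and the
# TUNNEL-UUID-PLACEHOLDER value, which you replace with your tunnel's ID.

# 1) cloudflared config.yml replacing the swag reverse proxy for containers
#    on the same host as cloudflared. Rules are matched top to bottom; the
#    final catch-all rule is required.
write_ingress_config() {
  cat > "$1" <<'EOF'
tunnel: TUNNEL-UUID-PLACEHOLDER
credentials-file: /etc/cloudflared/TUNNEL-UUID-PLACEHOLDER.json
ingress:
  # same host: traffic stays on the machine, plain HTTP to the container port
  - hostname: app1.example.com
    service: http://localhost:8080
  - hostname: app2.example.com
    service: http://localhost:9000
  # another host on the LAN: traffic does cross the network, so keep HTTPS
  # and keep certificate verification on (noTLSVerify: false is the default)
  - hostname: nas.example.com
    service: https://192.168.1.20:443
    originRequest:
      noTLSVerify: false
  # catch-all, must be last
  - service: http_status:404
EOF
}

# 2) Headers a non-interactive API client presents to Cloudflare Access.
#    The id/secret pair is a Service Token created in the Zero Trust
#    dashboard; the Access application needs a policy with the
#    "Service Auth" action for that token. The secret is passed in by the
#    caller (e.g. from an environment variable), never hard-coded.
access_headers() {
  client_id=$1
  client_secret=$2
  printf 'CF-Access-Client-Id: %s\nCF-Access-Client-Secret: %s\n' \
    "$client_id" "$client_secret"
}

# Usage (placeholders):
#   write_ingress_config /etc/cloudflared/config.yml
#   curl -H "CF-Access-Client-Id: $CF_ID" \
#        -H "CF-Access-Client-Secret: $CF_SECRET" \
#        https://app1.example.com/api
```

Any request that reaches app1 through the tunnel has already passed Access, so the X-Api-Key bypass the reverse proxy used to do is replaced by the Service Auth policy: a caller without a valid token pair is stopped at the edge and never reaches the container port.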

Perfect, thanks, that clears it up for me.
