Assuming that you use a service token to log in to CF access (--service-token-id, --service-token-secret), is it possible to configure « cloudflared access tcp » using the config.yml file and then run « cloudflared access tcp » as a service on the client side ?
Any other way to configure and run « cloudflared access tcp » as a service with the appropriate configuration ?
Desired action / conf :
cloudflared access tcp --hostname ${HOSTNAME} --url 127.0.0.1:${PORT} --service-token-id ${ID} --service-token-secret ${SECRET}
- As a service dependency to our app
- Authenticate
- Forward tcp from « 127.0.0.1:${PORT} » to the ${HOSTNAME} tunnel
- Restart if cloudflared crashes
You should look at using remote configured tunnels (Via the dashboard · Cloudflare Zero Trust docs); they offer an easier way to manage your tunnels’ configuration.
Hi,
You can’t configure « access » through remote tunnels.
Remote tunnels, like the cloudflared config.yml, seem to only allow the client side config :
Client App —access—> CF <—tunnel— Server
Leaving a note to myself / the community :
Until “cloudflared access” can be configured remotely or using config.yml, I ended up using a simple systemd unit file :
[Unit]
Description=cloudflared access tcp to tunnel
After=network.target
[Service]
TimeoutStartSec=0
Type=simple
EnvironmentFile=/etc/cf-access/secrets
ExecStart=cloudflared access tcp --hostname REDACTED_HOSTNAME --url 127.0.0.1:1025
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
Service token being stored in a “chmod 0400” file :
cat /etc/cf-access
cat /etc/cf-access/secrets
TUNNEL_SERVICE_TOKEN_ID="REDACTED_ID"
TUNNEL_SERVICE_TOKEN_SECRET="REDACTED_SECRET"
REMINDER : The resulting running process envvars (including the secrets) can be read by the “User=” and “Group=” of the unit / service through “/proc/${PID}/environ” (Can’t wrap my head around systemd’s “SetCredential=” … leaving it as this for now)
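
One way to check the secrets file used by the unit above before starting the service, as an added example that is not part of the original thread. It assumes GNU `stat`; the function names are hypothetical and the demo values are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a systemd EnvironmentFile that holds the Cloudflare
# Access service-token variables. Function names are hypothetical.

# Return 0 if the file mode grants nothing to group or others (e.g. 400, 600).
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat prints the octal mode
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Return 0 if NAME ($2) is assigned a non-empty value in file ($1).
# Accepts NAME=value and NAME="value", the two forms used in the thread.
has_nonempty_var() {
    grep -Eq "^$2=\"?[^\"[:space:]]" "$1"
}

# Run every check, report each failure on stderr, return 0 only if all pass.
audit_secrets_file() {
    file=$1
    status=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing" >&2
        return 1
    fi
    if ! mode_is_private "$file"; then
        echo "FAIL: $file is accessible to group or others" >&2
        status=1
    fi
    for name in TUNNEL_SERVICE_TOKEN_ID TUNNEL_SERVICE_TOKEN_SECRET; do
        if ! has_nonempty_var "$file" "$name"; then
            echo "FAIL: $name is unset or empty in $file" >&2
            status=1
        fi
    done
    return "$status"
}

# Demo on a constructed file: group-readable and with an empty secret.
demo=$(mktemp)
printf 'TUNNEL_SERVICE_TOKEN_ID="EXAMPLE_ID"\nTUNNEL_SERVICE_TOKEN_SECRET=""\n' > "$demo"
chmod 0640 "$demo"
audit_secrets_file "$demo" || echo "demo file rejected, as intended"
rm -f "$demo"
```

Calling `audit_secrets_file /etc/cf-access/secrets` from an `ExecStartPre=` script or a deployment check catches a loosened mode or a missing token before cloudflared starts; it does not change the `/proc/${PID}/environ` exposure noted in the post.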