I have successfully set up Cloudflare Access with the Gsuite SSO option. I also have an access policy created whitelisting my email address. I use a ZTE wireless/wired router and have configured a DDNS service in its settings, for which I have added a subdomain A-record in Cloudflare (proxied/orange setting). It works to access the subdomain and the Cloudflare Access login screen shows, SSO works, and upon loading the router login screen I am dealt a 522 Cloudflare error page.
Do I need to upload my Cloudflare Origin certificate to my router admin settings page for the access to work?
So you are hosting your website on your own private ISP connection? In this case the certificate should go on the webserver where Cloudflare is connecting to.
A 522 is not a certificate-related error but refers to an issue with the connection itself. Best guess, you haven't configured your router properly to internally forward connections (port forwarding).
I am simply trying to reach my office router’s login page, which is available on a local IP: 192.168.100.1
I use a DDNS service (Dynu) to bind intranet.[mydomainnamehere].com to my office's dynamic ISP-provided IP address. The DDNS client is running inside the actual router itself, ensuring the public IP address is always updated on Dynu.
Port forwarding can be set up on the router; perhaps this is the missing link. However, I thought that because my Cloudflare account is using Force SSL on my domain, the internal router page also needs this certificate to function. I might be missing something?
You’re right, the login page is not associated with a domain.
This is what I have tried now:
In the Cloudflare Access policy settings I have used intranet.[mydomainnamehere].com/:10000 as the access URL. In the router settings port forwarding page I have entered a TCP connection profile forwarding port 10000 calls for intranet.[mydomainnamehere].com to 192.168.100.1 with port number 80 (port 80 seems to work when trying to access the router page in a local browser from the local IP address).
In that case you technically can configure an Origin certificate, but there will be little point in that, as that certificate won't be any more valid than the self-signed certificate routers usually ship with.
I'd either keep the default certificate or (if you really want it to validate in your browser) get a Let's Encrypt one.
OK, thank you, noted on the certificates. However, I still can't seem to be able to reach the actual router login page. Typing in intranet.[mydomainnamehere].com/:10000 does direct me to the CF Access login screen. The SSO is set up correctly, but after authenticating, the browser still returns a 522 code.
Here is a screenshot of the router port forwarding setting. I have used a hostname of 0.0.0.0 before; this is because when trying to enter a domain name in there, it complains that it needs an IP address, so here I am unsure.
Sure, got it, will do. As per the above information, however, are my settings for Cloudflare Access configured in a way that should make this work? Is my idea in the right direction?
The domain name used for the entire Cloudflare account runs a website on the www subdomain. The server IP for this website is added as an A record for @ and www as normal.
I have a new A record added for the intranet subdomain with a different server IP. The IP address added in this record is the Dynu dynamic dns service address provided within the user account there. FYI, when entering this IP address into my browser, it directly reaches my router login page. My router updates this dynu dns link dynamically. The Cloudflare record simply redirects the subdomain to this IP.
The only goal here is to reach my router login page through my subdomain and be protected by Access with SSO.
I’m sorry if I am unclear, I don’t know how to explain differently.
Yes I do, that sentence might have been misleading, sorry.
So, if in Cloudflare DNS I set up an A record with the IP of my router in it, it works and loads the router login page as long as I leave the orange/proxy icon set to off/DNS only.
When enabling Cloudflare Access (and hence needing to set my DNS record to orange/ON) it stopped working and threw the 522 error.
That's not an Access issue at this point, however. Before doing anything with Access you first need to get the connection up and running.
In this case, you could add an Origin certificate to your router as well. How you do this depends on your router and you best refer to its documentation.
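A quick way to check the two points the replies above make (a 522 is a connectivity failure between Cloudflare's edge and the origin, and the connection has to work before Access matters) is to probe the router's public side the way the proxy would. This is an added diagnostic script, not something posted in the thread. The public IP (203.0.113.10) and the zone's SSL mode are placeholders; the list of visitor ports the proxy accepts and the origin port dialled per SSL mode (Flexible dials 80, Full and Full (strict) dial 443) are Cloudflare's documented behaviour, not facts from this thread. Run it from a machine outside the office LAN, since the edge connects to the public IP, never to 192.168.100.1.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Placeholders: public IP 203.0.113.10
# (the address Dynu resolves for the router) and the zone's SSL mode.

# Visitor-facing ports Cloudflare's proxy accepts (from Cloudflare's docs).
# A URL on any other port never reaches the edge at all, so a router rule
# forwarding 10000 -> 80 is only exercised if 10000 were on this list.
cf_proxies_port() {
  case "$1" in
    80|8080|8880|2052|2082|2086|2095) echo http ;;
    443|2053|2083|2087|2096|8443)     echo https ;;
    *)                                echo none ;;
  esac
}

# Origin port the edge dials for a plain https://host/ request:
# Flexible -> 80, Full / Full (strict) -> 443.
origin_port_for_mode() {
  case "$1" in
    flexible)    echo 80 ;;
    full|strict) echo 443 ;;
    *) echo "unknown SSL mode: $1" >&2; return 1 ;;
  esac
}

# Plain TCP connect test using bash's /dev/tcp (invoked via bash explicitly
# so it also works when this file runs under sh). Prints reachable or
# unreachable. A 522 means this exact step fails for Cloudflare's edge.
tcp_probe() {  # tcp_probe <host> <port>
  if timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
    echo reachable
  else
    echo unreachable
  fi
}

# Verdict for one zone: which origin port the edge will dial and whether
# the router's public IP answers on it.
diagnose() {  # diagnose <public-ip> <ssl-mode>
  port=$(origin_port_for_mode "$2") || return 1
  if [ "$(tcp_probe "$1" "$port")" = reachable ]; then
    echo "ok: $1:$port answers; a 522 is not a connectivity problem"
  else
    echo "expect 522: $1:$port does not answer from the Internet;" \
         "the router must forward $port to 192.168.100.1:80"
  fi
}

# Usage: ./cf522check.sh 203.0.113.10 full
if [ "$#" -ge 2 ]; then
  diagnose "$1" "$2"
fi
```

Two things this makes visible: a port belongs in the authority part of the URL (host:port/), so intranet.[mydomainnamehere].com/:10000 is a request to port 443 with a path of /:10000, and 10000 is not a port the proxy listens on in any case. With the record proxied, what has to be open on the public IP is 80 (Flexible) or 443 (Full), which is why the DNS-only record worked and the orange-cloud one returned 522.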