How to access an API behind Cloudflare Zero Trust

Hello,

I’m using Cloudflare Teams to access services on my server, which works fine with the email authentication. Now I want to use Concourse, which uses a CLI tool for many functions. The problem is that I don’t know how to authenticate the CLI tool with Cloudflare Access, since it can (obviously) not show the login page.
I first tried the same way that is used for SMB shares etc. (cloudflared access tcp --hostname concourse.site.com --url localhost:8445), but when trying to connect to localhost:8445, cloudflared just says error="websocket: bad handshake". Since I can reach my Concourse instance from the browser after authenticating, it’s not Concourse’s fault.

I also installed warp client and added myself to the team which should in my understanding make everything “just work” i.e. that all requests from my computer to the services protected by access are authenticated automatically. Am I getting this wrong?

What possibilities are there to access the API from the CLI application? I read something about generating a token, but I don’t get where to use the token.

Thank you in advance
Joshua


I’ve found a way now. I don’t know if that’s the best way to do it, and I’d prefer to use a public hostname instead, but it’s better than nothing:

  • Concourse is running on a device with the local ip 192.168.178.70
  • On the same device cloudflared is running and connected to my Cloudflare account (=has a tunnel started)
  • In the Cloudflare dashboard I added
    • 192.168.178.70/32 in the private network setting of the tunnel
    • A “private network” application with the ip 192.168.178.70 and a second policy item with “destination port” “is” 8099 (the port I use for concourse)
  • In Settings → Network → Split tunnel I changed the setting to “include” and added the ip 192.168.178.70 to the list
  • Now I’m able to connect to my Concourse instance from any network via 192.168.178.70 when the WARP client is active

Is that the way to do it? Is it possible to do the same thing with a public hostname (i.e. being able to access the resource without a login page when the WARP client is active)?
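The first post asks where a generated token is actually used, and the follow-up shows the private-network/WARP route instead. As an added example (not code from the thread, from Cloudflare or from Concourse), the script below shows the two non-browser ways a CLI tool can present an Access credential for an HTTP API published on a public hostname: a service token (two headers, for non-interactive use) or the user's own Access JWT obtained from `cloudflared access login` / `cloudflared access token` and sent in the `cf-access-token` header. The `cloudflared access tcp` command in the first post is meant for origins the tunnel publishes as raw TCP (`tcp://` ingress); for an HTTP API the token travels as a request header instead. The hostname, the environment variable names `CF_ACCESS_CLIENT_ID` / `CF_ACCESS_CLIENT_SECRET`, and the `RUN_ACCESS_EXAMPLE` switch are assumptions of this example; the service-token values come from the Zero Trust dashboard (Access → Service Auth) and are not on the page. The token-expiry check decodes the JWT payload only to read `exp`; it does not verify the signature, which Access does at the edge.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `cloudflared` and `curl` on PATH
# for the functions that call them; nothing runs against the network unless
# RUN_ACCESS_EXAMPLE=1 is set (assumed switch name).
set -u

# Decode the payload (second dot-separated segment) of a JWT. base64url uses
# the characters -_ and omits padding, so map to standard base64 and re-pad.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Return 0 (true) when the token's `exp` claim is in the past, missing or
# unparseable, so a stale cached token is refreshed instead of producing a 403.
# Optional second argument: the "now" timestamp (keeps the check deterministic).
jwt_expired() {
    exp=$(jwt_payload "$1" | sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    now=${2:-$(date +%s)}
    if [ -z "$exp" ] || [ "$exp" -le "$now" ]; then
        return 0
    fi
    return 1
}

# Choose the credential type: a service token when both halves are in the
# environment (CI, cron, build agents), otherwise the user's Access session.
access_auth_mode() {
    if [ -n "${CF_ACCESS_CLIENT_ID:-}" ] && [ -n "${CF_ACCESS_CLIENT_SECRET:-}" ]; then
        echo service-token
    else
        echo user-session
    fi
}

# Fetch a user Access JWT for the application URL in $1.
# `cloudflared access login` opens the browser once (the same login page the
# browser sees); `cloudflared access token` then returns the cached JWT.
user_access_token() {
    app=$1
    tok=$(cloudflared access token --app="$app" 2>/dev/null || true)
    if [ -z "$tok" ] || jwt_expired "$tok"; then
        cloudflared access login "$app" >/dev/null
        tok=$(cloudflared access token --app="$app")
    fi
    printf '%s' "$tok"
}

# curl wrapper: the credential goes into request headers, which is the step
# the login page normally performs for a browser. Extra args are passed to curl.
access_curl() {
    url=$1; shift
    case $(access_auth_mode) in
        service-token)
            curl -sS -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
                     -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" "$@" "$url" ;;
        user-session)
            curl -sS -H "cf-access-token: $(user_access_token "$url")" "$@" "$url" ;;
    esac
}

if [ "${RUN_ACCESS_EXAMPLE:-0}" = 1 ]; then
    # Placeholder hostname; replace with the Access-protected application URL.
    access_curl "https://concourse.example.com/api/v1/info"
fi
```

A service token is the usual answer for tooling that can never show a login page; it is matched by a "Service Auth" policy on the Access application, so the policy decides which token may reach which app. The user-session path suits an interactive developer machine. The follow-up post's private-network route is a third option that keys on the WARP client's identity rather than a header; its dashboard step of adding 192.168.178.70/32 to the tunnel has a CLI counterpart, `cloudflared tunnel route ip add 192.168.178.70/32 <tunnel-name-or-uuid>`, if the setup is to be scripted.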
