If I have a subdomain protected by Cloudflare Access, how can I authenticate my request using HTTP Basic Auth?
Doesn’t look like basic auth is supported.
Is this for some automated service where you need to be able to login without using an IDP? Maybe this helps -
That one works, but I need Basic Auth for access from Grafana (Elasticsearch Data Source), which has only that.
You could do that via Workers theoretically, putting them in front and checking the credentials there. It’s not Access Auth though. Don’t know if there is a way to add those credentials @Judge linked to and make them work. You can add them, but don’t think it will work as Access is probably handled before.
Maybe use a secondary path for this purpose?
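The Worker-in-front idea suggested above, sketched as an added example (not code from any poster in this thread or from Cloudflare): it parses the `Authorization: Basic` header and compares the credentials without an early exit. The `BASIC_USER` and `BASIC_PASS` binding names are hypothetical, and this check is separate from Access authentication.

```javascript
// Added example. Expected credentials would come from secrets bound to `env`.
const enc = new TextEncoder();

// Parse "Basic <base64(user:pass)>" into {user, pass}; null if malformed.
function parseBasicAuth(header) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/i.exec(header || "");
  if (!m) return null;
  let decoded;
  try {
    const bin = atob(m[1]);
    decoded = new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
  } catch {
    return null; // invalid base64
  }
  const i = decoded.indexOf(":"); // only the first colon separates user from password
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Compare two strings without returning on the first differing byte.
function safeEqual(a, b) {
  const x = enc.encode(a), y = enc.encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  return diff === 0;
}

// Status the Worker should answer with: 200 to pass the request on, 401 to reject.
function authorize(header, expected) {
  const creds = parseBasicAuth(header);
  if (!creds) return 401;
  const userOk = safeEqual(creds.user, expected.user);
  const passOk = safeEqual(creds.pass, expected.pass);
  return userOk && passOk ? 200 : 401; // both fields compared before deciding
}

// Worker-shaped wrapper; in a deployed Worker this object is the default export.
const worker = {
  async fetch(request, env) {
    const expected = { user: env.BASIC_USER, pass: env.BASIC_PASS }; // hypothetical secret names
    if (authorize(request.headers.get("Authorization"), expected) !== 200) {
      return new Response("Unauthorized", {
        status: 401,
        headers: { "WWW-Authenticate": 'Basic realm="restricted", charset="UTF-8"' },
      });
    }
    return fetch(request); // forward to the origin
  },
};
```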
Thanks for this, but honestly this seems like a lot of work for a simple task, which is protecting my Elasticsearch cluster. I will probably have to set up an nginx server on our end that will take care of this…was hoping Cloudflare Access would be an easy go-to solution for simple auth…
Well Basic Auth isn’t really the best protection and also is directly supported by all browsers.
We have a similar use case; wondering, have you been able to get it working?
Basic auth in a controlled environment (i.e. internal) is better than no authentication. Why would Cloudflare Access support no authentication, but not basic? Apache and Nginx reverse proxy can do this all day long and this would be very easy for them to add to the CORS/Cookie/Additional settings page. If the goal is to enable secure, external access to internal sites, not having basic auth seems like a missing feature.
They have service tokens, not pure Basic auth, though. Custom headers.
If you’re building a new app - Great. If you’re attempting to provide secure access to a legacy app, then we’re SOL and have to figure out how to create a worker to do this. All the threads that I’ve found on this topic end in sadness.
The two would go separate ways, though. Access + the app’s login. You can’t pass any other login token that’s not a JWT, if that’s not supported you have two auth layers.
To add to this, a Worker for this functionality is two lines and you can use Transform Rules from the dashboard.
But Cloudflare Access is not internal, it is exposed to the Internet. And basic auth at this point in time is just about acceptable in a low risk/security controlled environment, but there are a lot of issues with its use on the Internet. I suspect the use of Basic auth in Access would have transferred a lot of risk to Cloudflare that they are not willing to accept.
Completely agree with you, basic auth is a no-no on the internet. I’m speaking from the context of Cloudflare Access providing access to an internal URL and having the teams policies protect it via federated access and having that policy also authenticate to the internal URL via basic authentication. Use case is an old router or network device on an internal network. Rather than federating access to it and requiring a secondary authentication for a single user, pass it the basic authentication headers. I wouldn’t expose this to the internet without wrapping it with an access policy. I do this today via Apache reverse proxy but trying to get out of the business of running internal servers.
Header set Access-Control-Allow-Credentials: true
Header set Access-Control-Allow-Headers: "authorization"
RequestHeader set Authorization "Basic AAAAAAA"
If you want that, then simply use the Transform Rules and add the header towards the origin.
Basic Auth is essentially a secret string included as a header in every request. A bad actor can replay the request from anywhere and there is no way to tell what is happening. You cannot revoke a session unless you are willing to change all the passwords.
The idea to have Cloudflare Access “vault” basic auth credentials is not bad. There are plenty of similar use cases I can think of, even with other forms of authentication.
We certainly assume we are on SSL - and not broken SSL.
Sure, but that’s always the issue with password based systems.
My point is, basic authentication certainly is not the most sophisticated approach, but it’s not meant to be, but I wouldn’t call it insecure right away.
This worked for me. Thank you!!