Securing Argo Tunnel with Cloudflare Access


Can anyone clarify what needs to be done to secure a web application running over Argo Tunnel and behind Cloudflare Access? The documentation seems like it could be read two different ways:

To secure your origin, you must enable Argo Tunnel or limit connections to your origin to only allow Cloudflare IPs and verify the JWT per the instructions.

It seems this could be read in two ways:

Reading 1:
Enable Argo Tunnel, or lock down the firewall to Cloudflare IPs
Verify the JWT

Reading 2:
Enable Argo Tunnel
Lock down the firewall to Cloudflare IPs AND verify the JWT in the application

Is anyone able to clarify? Essentially I need to know whether the JWT still needs to be verified by the web application in order to secure the origin, if the application is only exposed via Argo Tunnel.



I’m not a programmer, but my take is that you should always verify the JWT (I had to look that acronym up). Argo Tunnel and blocking non-Cloudflare IP addresses are functionally similar, so I assume (yes, that word) that the JWT needs to be used in either case.

Maybe @matteo knows. He knows stuff.

You mentioned “Cloudflare Access,” so I don’t know if you’re talking about the actual Access product that puts a login in front of restricted pages, or just plain “access” connectivity to a webserver.

Let me try to quickly answer before going to bed… it won’t be perfectly formatted, as I’m using the phone right now and it’s late.

Let’s split the cases here, starting with a simple Argo Tunnel to a server somewhere, with no Cloudflare Access.
In this case the server is connecting to Cloudflare, not the other way around, and all connections from users to Cloudflare go directly to the server (or the cache, but let’s not get too deep into this). If you have a login or something, you simply need to handle that at the server within your application. Follow all standard practices for those (use a third-party service, e.g. Firebase Auth; you will do yourself a favor).
As far as firewalling on the server goes, you can block all incoming connections (leave only those you need: SSH? RDP? FTP? Obviously secure those, but that’s another matter, out of scope here). You could technically limit outgoing connections as well, but it’s neither practical nor necessary.

Second case, using Cloudflare Access.
In this case Cloudflare will verify the access for you, verify the JWT and send that back to your application in case you need it. At this point it becomes like the first case: handle the logins at the application if you need them, obviously, but you don’t need to handle actual login flows to verify users (you certainly could; I’ve never actually done that with the same JWT and I presume it’s somewhat possible) and passwords and so on. You can simply read the user details from the JWT and act on those.
As far as firewalling goes, it’s identical to the first case.
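
The JWT check that the documentation quoted in the question asks the origin to do, as an added example in Go that is not from this thread or from Cloudflare: Access puts its application token in the Cf-Access-Jwt-Assertion request header (and the CF_Authorization cookie), signed RS256 with public keys published at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs. The origin verifies the signature, the issuer (https://<team>.cloudflareaccess.com), the audience (the application's AUD tag from the Access dashboard) and the expiry before trusting the email claim. The team name, AUD tag, email address and the throwaway RSA key below are constructed stand-ins; a real origin fetches Cloudflare's keys instead of generating one, and mintToken exists only so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// accessClaims is the subset of Access token claims an origin must check (iat, nbf, sub etc. are ignored here).
type accessClaims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken builds an RS256 JWT shaped like the Cf-Access-Jwt-Assertion value. It stands in for
// Cloudflare's signer so the example runs offline; a real origin never mints these, it only verifies.
func mintToken(key *rsa.PrivateKey, claims accessClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "example-kid"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyAccessToken validates a Cf-Access-Jwt-Assertion value and returns the authenticated email.
// pub is the Access signing key: in production it is taken from the team's /cdn-cgi/access/certs
// endpoint, selected by the token's kid. issuer is https://<team>.cloudflareaccess.com and aud is
// the application's AUD tag, so a token minted for another application behind the same team fails.
func verifyAccessToken(token string, pub *rsa.PublicKey, issuer, aud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	// Pin the algorithm: the verifier, not the token, decides how it is checked (no alg=none, no HS256 confusion).
	hdrJSON, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected alg")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("bad signature: %w", err)
	}
	// Claims are only trusted once the signature over them has been checked.
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c accessClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if c.Iss != issuer {
		return "", errors.New("wrong issuer")
	}
	audOK := false
	for _, a := range c.Aud {
		if a == aud {
			audOK = true
		}
	}
	if !audOK {
		return "", errors.New("token not issued for this application")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return c.Email, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key standing in for Cloudflare's; constructed for the example
	const iss, aud = "https://example-team.cloudflareaccess.com", "0123abcd"
	tok, _ := mintToken(key, accessClaims{Aud: []string{aud}, Email: "alice@example.com", Iss: iss, Exp: time.Now().Add(time.Hour).Unix()})
	email, err := verifyAccessToken(tok, &key.PublicKey, iss, aud, time.Now())
	fmt.Println("valid token:", email, err)
	_, err = verifyAccessToken(tok, &key.PublicKey, iss, "some-other-app", time.Now())
	fmt.Println("wrong aud:", err)
}
```

The important design choices are the ones a tunnel does not give you for free: the algorithm is pinned rather than read from the token, the audience is compared against this application's own AUD tag, and the claims are decoded only after the signature over them has been verified.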

Thanks :blush: