Setting up browser-based SSH access

I set up a tunnel, including SSH access, using the Dash UI. SSH is working via ProxyCommand cloudflared access ssh --hostname %h, but I wanted to give the browser access a try and can’t figure out how to set it up (it works now, but was 404-ing yesterday). A couple of questions:

  1. The tunnel config lets me put in a path. How does that work, and how do I access it?

I assume the idea is to connect to ssh.domain/host instead of host.domain somehow. The help doesn’t clear this up:

NAME:
   cloudflared access tcp - 

USAGE:
   cloudflared access tcp [command options] [arguments...]

DESCRIPTION:
   The tcp subcommand sends data over a proxy to the Cloudflare edge.

OPTIONS:
   --hostname value, --tunnel-host value, -T value  specify the hostname of your application.
   --destination value                              specify the destination address of your SSH server.
   --url value, --listener value, -L value          specify the host:port to forward data to Cloudflare edge.
   --header value, -H value                         specify additional headers you wish to send.  (accepts multiple inputs)
   --service-token-id value, --id value             specify an Access service token ID you wish to use. [$TUNNEL_SERVICE_TOKEN_ID]
   --service-token-secret value, --secret value     specify an Access service token secret you wish to use. [$TUNNEL_SERVICE_TOKEN_SECRET]
   --logfile value                                  Save application log to this file for reporting issues.
   --log-directory value                            Save application log to this directory for reporting issues.
   --log-level value, --loglevel value              Application logging level {debug, info, warn, error, fatal}.
   --help, -h                                       show help (default: false)

  2. As mentioned above, I have ssh host.domain working with ProxyCommand. I’ve added a Zero Trust app, but how do I configure it?

If I use ssh.domain/host here, there’s no way to link it to the tunnel host, but it would be nice if that were possible. If I use host.domain, it works fine.

  3. The access policies seem a bit wonky. I set up a policy to use email yesterday, and today I removed it in favor of Everyone. I saved the app, but still get a “Get a login code emailed to you” redirect when accessing host.domain.

  4. I did try the CA setup for short-lived certificates, but the browser login was still asking for my private key, so I probably did something wrong there. I’m not sure how I’m supposed to authenticate anyway.

Did you also add this setting in your Zero Trust Application?

You should be able to enter whatever you want into subdomain and path, just make sure it’s the same for the tunnel and your Zero Trust Application.

Yes, but I also enabled the automatic cloudflared auth

You should be able to enter whatever you want into subdomain and path, just make sure it’s the same for the tunnel and your Zero Trust Application.

But then how do I connect using the command line?
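The command-line side the last question asks about is already on the page: the ProxyCommand from the first post. As an added example (not from the thread or from Cloudflare), the script below turns that ProxyCommand into a reusable ~/.ssh/config stanza so that plain "ssh box.example.domain" goes through cloudflared for every host under the domain. The domain "example.domain" and the config path are placeholders; the stanza itself is only the ProxyCommand the poster reported working. The tunnel only carries the bytes, so ssh still does its own host-key verification and key-based authentication as before.

```shell
#!/bin/sh
# Added example, not the thread's own code: wire the working ProxyCommand
# "cloudflared access ssh --hostname %h" into ssh_config for a whole domain.
# "example.domain" is a placeholder domain; replace it with your tunnel's domain.
set -eu

# Print the ssh_config stanza. %h expands to the hostname typed on the ssh
# command line, so "ssh box.example.domain" runs
# "cloudflared access ssh --hostname box.example.domain" as the transport.
ssh_config_stanza() {
  domain="${1:-example.domain}"   # placeholder domain (assumption)
  cat <<EOF
Host *.${domain}
    # cloudflared tunnels the TCP stream; ssh still verifies the host key
    # and authenticates with your key as it would on a direct connection.
    ProxyCommand cloudflared access ssh --hostname %h
EOF
}

# Append the stanza to the given config file only if no stanza for that
# domain is present yet, keeping directory and file permissions owner-only.
install_stanza() {
  cfg="$1"
  domain="${2:-example.domain}"
  dir=$(dirname "$cfg")
  mkdir -p "$dir"
  chmod 700 "$dir"
  if [ ! -f "$cfg" ]; then
    : > "$cfg"
    chmod 600 "$cfg"
  fi
  if grep -q "^Host \*\.${domain}\$" "$cfg"; then
    echo "stanza for *.${domain} already present in ${cfg}" >&2
    return 0
  fi
  {
    [ -s "$cfg" ] && printf '\n'
    ssh_config_stanza "$domain"
  } >> "$cfg"
  echo "added stanza for *.${domain} to ${cfg}" >&2
}

# Stand-alone use: ./script.sh example.domain  (writes to ~/.ssh/config).
# Without an argument nothing is written, so sourcing the file is side-effect free.
if [ "$#" -gt 0 ]; then
  install_stanza "${HOME}/.ssh/config" "$1"
fi
```

Run it once with your domain as the argument; a second run is a no-op because the stanza is detected and skipped. After that, "ssh -v box.example.domain" shows cloudflared being started as the ProxyCommand, and the Access login (browser or service token) happens inside cloudflared before ssh sees the connection.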