SSH Hostname Wildcard policies

I’m in the process of setting up and using Cloudflare Access for SSH connections to infrastructure. I would like to name hosts and connect to them via hostnames like or and then gate SSH via Access policies scoped to or *

It instead appears that I can use only one subdomain string (i.e., and that Cloudflare Access “Applications” have to be created on a per-FQDN basis (one for, another for, etc.). Is my understanding correct? (Because five hundred applications, one for each SSH server, seems a bit much.)

I realize that the intention is probably to deploy all of this with something like Terraform, but it’s difficult to reason about and difficult to scale eyeballs when looking at deployed policies, or accurately reason about said policies, when there’s hundreds of apps in the cloudflare access dashboard. Am I missing something?

Additionally, is it at all possible to add wildcard hostname configs to ~/.ssh/config when using short-lived certificates? I don’t (yet) know enough about SSH config syntax to be able to wildcard things into the stanzas (especially since each hostname will again have its own short-lived cert name).

Here’s a sample ssh configuration for one server (using short-lived certs); according to the docs, I’d need to do this five hundred times for each server I needed ssh access to; I can’t believe that to be true:

  ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %[email protected] >&2 <&1'

  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/
  CertificateFile ~/.cloudflared/

Unless you’re on an Enterprise plan that can proxy a wildcard, I can’t imagine a way you could SSH to a wildcard subdomain here. And considering that your hostnames are pretty deep in subdomain territory, you’d most likely need ACM to handle certs for those hostnames.

The only person I know of who could come close to answering stuff like this is @cs-cf. I think @SamRhea also works on this.

SSH conf supports regex, so on the client side in this scenario it sounds like the client could be configured pretty simply. On the Cloudflare side see

Would you need 500 DNS entries if not on an ENT plan? Sure… but since no one is spinning up 500 hosts without automation, Terraform or the JSON-based API endpoint would be in play, I imagine.
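As an added example (not from any post in this thread and not Cloudflare’s own documentation), here is one way to collapse the per-host client stanzas from the original question into a single wildcard stanza. Two facts about ssh_config make this work: Host and Match patterns are shell-style globs (`*`, `?`, `!`), not regular expressions, and `ProxyCommand`, `IdentityFile`, `CertificateFile` and `Match exec` all expand the `%h` token to the remote hostname, so the per-hostname key and certificate paths can be derived at connect time instead of being written out 500 times. Assumptions: the hosts live under the placeholder domain `*.ssh.example.com`, `cloudflared` is installed at `/usr/local/bin/cloudflared`, and `cloudflared access ssh-gen --hostname <host>` writes `~/.cloudflared/<host>-cf_key` and `~/.cloudflared/<host>-cf_key-cert.pub` (the paths the posted snippet truncates; check what your cloudflared version actually writes).

```sshconfig
# Added example: one ~/.ssh/config stanza for every host under a wildcard.
# Placeholder domain *.ssh.example.com and the cloudflared output file names
# are assumptions; substitute your own.
#
# "Match exec" runs while ssh is still reading its configuration, i.e. before
# it loads IdentityFile/CertificateFile, so the short-lived certificate exists
# by the time public-key authentication starts. The command's exit status also
# decides whether the stanza applies: if ssh-gen fails (no Access session, or
# the policy denies the user), the stanza is skipped rather than dialling the
# tunnel with no certificate to offer.
Match host *.ssh.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
  # Tunnel the SSH byte stream through Access; %h is the hostname from the CLI.
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  # Per-host key and certificate written by ssh-gen (assumed naming convention).
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
  # Offer only the short-lived certificate, not every key loaded in the agent;
  # this keeps long-lived keys from being presented to hosts they were never
  # meant for and avoids "too many authentication failures".
  IdentitiesOnly yes
```

To check how the stanza resolves for a given name without opening a session, run `ssh -G host01.ssh.example.com` and confirm `proxycommand`, `identityfile` and `certificatefile` show the expanded hostname. Note that `-G` still evaluates the `Match exec`, so ssh-gen runs (and may prompt for an Access login in the browser) during that check as well. This only removes the client-side duplication; whether the Access application and DNS records themselves can be wildcarded is the plan question raised earlier in the thread.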
