I did this for some self-hosted services that my wife accesses. Limited access to my email and hers with Google authorization. Passes the wife test and quite secure so I'm happy!
For those exposing docker services to cloudflared, make sure said services are part of (generally) the 'bridge' network. Don't ignore docker networking when troubleshooting!
Hi buddy, Thanks for all the videos. They're always accurate and straight to the point. Thanks! Just one note: could you slow down a little? I find myself having to rewind 5 seconds about 50 times in a single video. Still, they’re great, and I’ve definitely subscribed. I’d just love to see a slower pace; I understand the videos will be longer, but (for me) it's worth it.
Thanks!! I talk fast. It's just who I am. Always have been. I've tried multiple times to slow down and I feel like I'm making fun of people. All I can say is to watch the video at .75 speed. Like... this has been enough of an issue over the years that I usually respond with this page that I put on my website years ago: dbtechreviews.com/i-talk-fast/
Fantastic!! I had a CF Application authenticating with the one-time email code, but I've been struggling with the Google authentication. After following along with your video... IT WORKS! Thank you for all you do!
Thanks for this! Looking forward to the Authelia integration as well! Using this to access my local Radarr and Sonarr applications because they have no auth. This should block access to people not approved but Authelia would be ideal.
If I had known you were going to do all the hard work, I would have waited for your video. Alas, I took inspiration from your last video (and helpful comments) and figured it out about 24 hours before this video went live. Now for bonus points - I'm currently investigating using Google SSO for Portainer to auto sign me in too - The steps in the portainer documentation are nowhere near as helpful as Cloudflare's. Thanks again for the helpful videos!
While I greatly appreciate your video on setting up Cloudflare Tunnels, there is a snag I've run into. I cannot get my domain through tunnels to connect to my Proxmox box, but all the VMs and Docker containers on it work with no problem.
Turn on No TLS Verify under Additional Application Settings while configuring Proxmox. That should help. (Proxmox uses its own TLS certificate.)
Hi David. If I enable Google or GitHub auth to protect a Vaultwarden instance (running in a tunnel), what will happen to the Chrome extension or the Android app? Will I still have access to these, or do I need to set up exclusions like in Authelia?
I wish I could find documentation on how to add a custom logo to the auth page (or to customize it further than the application OAuth page). This was very helpful though. Thank you.
Very helpful - this will help me. I recently set up Authentik (very cool app); it is better than Authelia. I followed Cooptonian to configure it and just used the Authentik site with an .env file for email etc. Very cool though, this will help me set up SMIL and Cloudflare instead of Google or GitHub. :-)
Great video as always! My question is how this affects other clients that are not browsers (i.e. the Nextcloud, Bitwarden, Jellyfin, etc. Android clients). I would like to set this up, but my concern is that they don't know how to interact with the new layer.
Honestly I haven't tried it so I can't give much info. For my setup with those apps, I restrict by IP and either access at home or via my PIA VPN with a dedicated IP
@DBTechYT I thought about that too. Will use that for restrictions then. Or something similar hehe. Thanks for your reply!!! Greetings from Argentina!
Did you add a firewall rule allowing access from 0.0.0.0/0 on GCP? Actually, I created a WordPress site on GKE and I want to restrict access to that WordPress using Cloudflare, but I didn't know how to do that. I followed your instructions using Cloudflare, but the WordPress site is still accessible to the public.
Thank you for such a series. Really helpful, I've built myself at least 5 self-hosted programs. Do you have any plan on making one for Nextcloud AIO docker + Portainer + Cloudflare Tunnel? I tried it, but sadly after enabling the Nextcloud containers part, the initial login doesn't work with the tunnel; it says bad tunnel.
I installed NextCloud AIO using [This Guide](ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-OCLq62KOqNU.html) from Awesome Open Source, it works great, and I have it running through my Cloudflare tunnels. The AIO package makes NextCloud much easier to deploy and maintain. I actually find myself using NextCloud more as time goes on, there are some extremely useful add-ons that are quite lovely!
@DBTechYT no worries. I like that a package contains all the Nextcloud stuff in it; I usually use Office and Talk, and the others I disable in the containers section. If I want to use them I can just enable them. I will be looking for a solution online too. Again, thank you for the educational videos.
When I set this up, it only works as shown in the video in an incognito window. When I try this in a normal browser window, it appears to want to load my application (since I am already signed into google on my browser), but then I end up with a white screen. Is there something I am missing?
One thing that stumped me, which might help someone else: if you only want GitHub access with NO email access, you must go to Cloudflare Zero Trust / Applications / Authorization, then add 'Login Methods' as the selector and 'GitHub' as the value. Otherwise you get a login error ("That account does not have access").
Very interesting video. Thank you for your hard work! Quick question - will this result in having to authenticate via Google or GitHub (in your case) even if I'll try accessing the application from internal network?
Sir, please can you help me with one thing. I am using a cloudflared tunnel for my Windows 10 PC. I can access the webserver using port 80 from outside, but when I try to use RDP I cannot access it from outside my home. Please can you help me.
Thanks, David. I'm curious about how to use multiple identity providers, e.g. check for an included ip and if that fails then verify by email or github. Can you explain the difference between "include" and "require"? I suspect they are implementations of boolean ANDs/ORs but I am just guessing.
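Added example (mine, not from the video and not Cloudflare's own code) covering the two policy questions above: the GitHub-only "Login Methods" rule and the Include/Require difference. Cloudflare's Access documentation describes the combination this way: a request passes an Allow policy when it matches at least one Include rule (OR), every Require rule (AND), and no Exclude rule. The evaluator below mirrors that for a handful of selectors (`emails`, `email_domain`, `ip`, `login_method`); the policies, identities and addresses are constructed sample data.

```python
"""Toy evaluator for Cloudflare Access Include / Require / Exclude semantics.

Added example, not Cloudflare's implementation. Semantics per the Access docs:
  Include : at least one rule must match  (OR)
  Require : every rule must match         (AND)
  Exclude : no rule may match             (deny)
Selectors supported here are a constructed subset of the real ones.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Identity:
    email: str
    login_method: str   # e.g. "google", "github", "one-time-pin"
    ip: str


@dataclass
class Rule:
    selector: str       # "emails" | "email_domain" | "ip" | "login_method"
    value: str


def rule_matches(rule: Rule, ident: Identity) -> bool:
    """Does a single rule match the presented identity?"""
    if rule.selector == "emails":
        return ident.email.lower() == rule.value.lower()
    if rule.selector == "email_domain":
        return ident.email.lower().endswith("@" + rule.value.lower())
    if rule.selector == "login_method":
        return ident.login_method == rule.value
    if rule.selector == "ip":
        return ipaddress.ip_address(ident.ip) in ipaddress.ip_network(rule.value, strict=False)
    raise ValueError(f"unknown selector {rule.selector!r}")


@dataclass
class Policy:
    include: list = field(default_factory=list)
    require: list = field(default_factory=list)
    exclude: list = field(default_factory=list)


def evaluate(policy: Policy, ident: Identity):
    """Return (allowed, reason) for one Allow policy."""
    if not any(rule_matches(r, ident) for r in policy.include):
        return False, "no include rule matched"      # the "does not have access" case
    if not all(rule_matches(r, ident) for r in policy.require):
        return False, "a require rule failed"
    if any(rule_matches(r, ident) for r in policy.exclude):
        return False, "an exclude rule matched"
    return True, "allowed"


# --- constructed sample policies (addresses are documentation ranges) ---
# GitHub-only: the login-method selector mentioned above; a Google login fails Include.
GITHUB_ONLY = Policy(include=[Rule("login_method", "github")])

# "Home IP OR an approved address": two Include rules are OR'd.
HOME_OR_APPROVED = Policy(
    include=[Rule("ip", "203.0.113.0/24"), Rule("emails", "partner@example.com")],
)

# Approved address AND Google login, except from a blocked range: Require is AND'd.
APPROVED_VIA_GOOGLE = Policy(
    include=[Rule("emails", "partner@example.com")],
    require=[Rule("login_method", "google")],
    exclude=[Rule("ip", "198.51.100.0/24")],
)

if __name__ == "__main__":
    partner_google = Identity("partner@example.com", "google", "192.0.2.10")
    partner_github = Identity("partner@example.com", "github", "192.0.2.10")
    stranger_home = Identity("stranger@example.com", "google", "203.0.113.7")
    for name, pol in [("github_only", GITHUB_ONLY),
                      ("home_or_approved", HOME_OR_APPROVED),
                      ("approved_via_google", APPROVED_VIA_GOOGLE)]:
        for who in (partner_google, partner_github, stranger_home):
            print(name, who.email, who.login_method, who.ip, "->", evaluate(pol, who))
```

Note that a real Access application can stack several policies (Allow, Block, Bypass) evaluated in order; this example models a single Allow policy only. Putting an IP rule and an email rule both under Include is what gives the "home network OR approved login" behaviour asked about above, while moving one of them to Require turns it into "both".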
Hi David, great video as always. Can you tell me what happens if you pick one of the other Gmail addresses. One that hasn't been given access. Does it handle it gracefully? Does it let you in anyway? Many thanks.
I have an application which uses a specific port and was wondering how you can use the method described in this video to do this. Any help is greatly appreciated.
It was working, then I suddenly started getting errors for both Google and GitHub: "Unable to find your Access organization! It appears that you have attempted to reach an invalid URL. Please enter a valid team name." I have gone into settings and copied and pasted what I see is the team name... just wondering if someone else has this issue.
Hi @DBTech, nice video! I have a question. How do I restrict access with Google authentication to all of my Cloudflare tunnels with a single policy? If I just leave the subdomain blank, there is no authentication anymore. If I put a subdomain in, authentication works fine, but only for that single sub. Would be nice if someone could help me.
I haven't tested it, but several people have said they use them together. I don't see the point/need to combine them, but there's no one right way to do things.
@DBTechYT thank you so much for your response. I am behind CG-NAT and don't want to route via a VPS (NPM + VPN). I am hoping the CF tunnel pushes all traffic through the tunnel to my NPM instance, and then NPM takes care of routing to the individual apps and integrates with Authentik or something similar.