I have done the following to set up Cloudflare (Zero Trust) tunnelling to ourservername.
Cloudflare Zero Trust + Google Workspace + ourservername (SSH)
Architecture Overview
User (Client Machine)
│
Cloudflare Access (Zero Trust)
│
Google Workspace (Authentication + MFA)
│
Cloudflare Tunnel (cloudflared)
│
ourservername (SSH)
Authentication Flow Chart
User runs SSH (e.g. ssh ssh-ourservername.ourdomain.org)
│
Cloudflare Access intercepts request
│
Redirect to Google Login
│
User authenticates + MFA
│
Cloudflare verifies identity + policy
│
Cloudflare establishes Tunnel
│
Access granted to ourservername ssh
On the client machine
Install cloudflared
Create a config file in the .ssh folder, ~/.ssh/config:

Host ourservername
    HostName ssh-ourservername.ourdomain.org
    User ourusername
    ProxyCommand cloudflared access ssh --hostname %h
Then the connection is simply:
$ ssh ourservername
The SSH connection was successful with the configuration above. The connection was initially not successful with FileZilla.
ChatGPT told me that FileZilla does not understand the ProxyCommand directive, hence we can run cloudflared in proxy mode by running this in a terminal:
cloudflared access ssh --hostname ssh-ourservername.ourdomain.org --url localhost:2244
This creates a local listener on localhost:2244 which forwards connections through Cloudflare to the remote SSH server.
With this, FileZilla could connect to localhost port 2244 successfully (and I could see the files on ourservername with FileZilla).