Cloudflare Access Setup

Setting up Cloudflare Access (Zero Trust) for sop.sanmarcsoft.com with GitHub OAuth, restricted to smsmatt

Overview

The SOP runbook at sop.sanmarcsoft.com is protected by Cloudflare Access (part of Cloudflare Zero Trust). Only authorized GitHub accounts can access the site.

Prerequisites

  • Cloudflare account with Zero Trust enabled
  • Domain sanmarcsoft.com on Cloudflare
  • GitHub OAuth application (or use Cloudflare’s built-in GitHub IdP)

Setup Steps

Step 1: Enable Cloudflare Zero Trust

  1. Go to https://one.dash.cloudflare.com/
  2. Select the Cloudflare account
  3. Navigate to Access > Applications

Step 2: Add GitHub as Identity Provider

  1. Go to Settings > Authentication > Login methods

  2. Click Add new > GitHub

  3. Configure:

    • Client ID: Create a GitHub OAuth App at https://github.com/settings/developers
    • Client Secret: From the GitHub OAuth App
    • Authorization URL: https://github.com/login/oauth/authorize (auto-filled)
    • Token URL: https://github.com/login/oauth/access_token (auto-filled)
  4. GitHub OAuth App settings:

    • Application name: SanMarcSoft Cloudflare Access
    • Homepage URL: https://sanmarcsoft.com
    • Authorization callback URL: https://<team-domain>.cloudflareaccess.com/cdn-cgi/access/callback
      • The team domain is found in Zero Trust > Settings > Custom Pages

Step 3: Create Access Application

  1. Go to Access > Applications

  2. Click Add an application > Self-hosted

  3. Configure:

    Application Configuration:

    • Application name: SOP Runbook
    • Session duration: 24 hours
    • Application domain: sop.sanmarcsoft.com

    Identity providers:

    • Select GitHub only

Step 4: Create Access Policy

  1. In the application configuration, add a policy:

    Policy name: Allow smsmatt

    Action: Allow

    Include rules (any one of these may match):

    • Selector: GitHub Organizations
    • Value: Sanmarcsoft

    OR (more restrictive):

    • Selector: Emails
    • Value: The email associated with the smsmatt GitHub account

    AND (as a Require rule, which must also match):

    • Selector: Login Methods
    • Value: GitHub
  2. No additional Exclude or Require rules needed for a single-user setup

Step 5: Configure DNS

Add a CNAME or A record for sop.sanmarcsoft.com:

# API token and zone ID are read from the pass store, never hard-coded
CF_TOKEN=$(pass cloudflare/api-token)
ZONE_ID=$(pass cloudflare/zones/sanmarcsoft-com)

# ttl 1 means "automatic"; proxied true keeps the record behind Cloudflare
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
  -H "Authorization: Bearer ${CF_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "sop.sanmarcsoft.com",
    "content": "sop-runbook.pages.dev",
    "ttl": 1,
    "proxied": true
  }'

Note: proxied: true is required for Cloudflare Access to intercept requests.

Step 6: Deploy to Cloudflare Pages

  1. Connect the Sanmarcsoft/sop-runbook GitHub repository to Cloudflare Pages

  2. Configure build settings:

    • Build command: hugo --minify
    • Build output directory: public
    • Root directory: / (project root)
    • Environment variable: HUGO_VERSION = 0.139.0 (or latest)
  3. Set custom domain:

    • Go to the Pages project > Custom domains
    • Add sop.sanmarcsoft.com
    • Cloudflare will verify DNS automatically

Verification

Test Access Control

  1. Open https://sop.sanmarcsoft.com in an incognito browser
  2. You should be redirected to the Cloudflare Access login page
  3. Select GitHub as the login method
  4. Authenticate with the smsmatt GitHub account
  5. You should be granted access and redirected to the SOP runbook

Test Denied Access

  1. Open in incognito
  2. Authenticate with a different GitHub account
  3. You should see an “Access Denied” page

Maintenance

Adding Additional Users

  1. Go to Access > Applications > SOP Runbook > Policies
  2. Edit the policy
  3. Add additional email addresses or GitHub org membership rules

Revoking Access

  1. Go to Access > Applications > SOP Runbook > Policies
  2. Remove the user from the policy
  3. To immediately revoke an active session: Access > Overview > Active sessions > Revoke

Viewing Access Logs

  1. Go to Access > Logs
  2. Filter by application: SOP Runbook
  3. View login attempts, approvals, and denials

Cloudflare Access Policy Examples

Allow only a specific GitHub user

Rule: Include
  Selector: Emails
  Value: matt@sanmarcsoft.com (GitHub email)

Rule: Require
  Selector: Login Methods
  Value: GitHub

Allow all members of the Sanmarcsoft GitHub org

Rule: Include
  Selector: GitHub Organizations
  Value: Sanmarcsoft

Allow specific GitHub teams

Rule: Include
  Selector: GitHub Organizations
  Value: Sanmarcsoft

Rule: Require
  Selector: GitHub Teams (if available)
  Value: engineering
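To check a policy as the Access API returns it against the single-user intent of Step 4 and the Policy Examples above, here is an added Python audit that is not part of the runbook or of Cloudflare's tooling; the rule key names follow the Access policy API schema, and the IdP id and both policy objects are constructed samples.

```python
"""Audit a Cloudflare Access policy JSON for the SOP Runbook application.
Added example; rule key names follow the Access policy API, sample data is constructed."""
import json

GITHUB_IDP_ID = "00000000-github-idp-placeholder"  # placeholder, not a real IdP id

# Constructed sample: the "Allow smsmatt" policy from Step 4 expressed as API JSON.
GOOD_POLICY = json.loads("""{
  "name": "Allow smsmatt", "decision": "allow",
  "include": [{"email": {"email": "matt@sanmarcsoft.com"}}],
  "exclude": [],
  "require": [{"login_method": {"id": "00000000-github-idp-placeholder"}}]
}""")

# Constructed sample of drift: "Everyone" was added to Include and the Require
# rule was dropped while someone was adding a colleague.
DRIFTED_POLICY = json.loads("""{
  "name": "Allow smsmatt", "decision": "allow",
  "include": [{"email": {"email": "matt@sanmarcsoft.com"}}, {"everyone": {}}],
  "exclude": [],
  "require": []
}""")

# Include-rule types that admit far more than one named account.
BROAD_RULES = {"everyone", "email_domain", "ip", "any_valid_service_token"}

def audit_policy(policy, github_idp_id=GITHUB_IDP_ID):
    """Return a list of findings; an empty list means the policy is as
    restrictive as the single-user setup in Step 4 intends."""
    findings = []
    if policy.get("decision") != "allow":
        findings.append(f"decision is {policy.get('decision')!r}, expected 'allow'")
    include = policy.get("include") or []
    # Include rules are OR'd: one broad rule admits everyone it matches,
    # regardless of the narrow email rule sitting next to it.
    if not include:
        findings.append("no Include rule: the policy admits nobody")
    for rule in include:
        for key in rule:
            if key in BROAD_RULES:
                findings.append(f"Include has broad rule '{key}'")
    # Require rules are AND'd: pinning the login method to GitHub stops an
    # email match through some other IdP from satisfying the policy.
    require = policy.get("require") or []
    if not any(r.get("login_method", {}).get("id") == github_idp_id for r in require):
        findings.append("no Require rule pinning login_method to the GitHub IdP")
    return findings

if __name__ == "__main__":
    for p in (GOOD_POLICY, DRIFTED_POLICY):
        print(p["name"], audit_policy(p) or ["OK"])
```

Run it against the JSON from GET /accounts/{account_id}/access/apps/{app_id}/policies whenever the policy is edited under Maintenance, so a broadened Include or a dropped Require rule is caught before it is trusted.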

Troubleshooting

  • “Application not found”: Ensure the domain in the Access Application exactly matches sop.sanmarcsoft.com.
  • Redirect loop: Check that the DNS record has proxied: true. Cloudflare Access requires the orange cloud.
  • GitHub login fails: Verify the GitHub OAuth App callback URL matches the Cloudflare Access team domain.
  • Access denied for correct user: Check that the policy selector matches the user’s GitHub email, not their username.
  • Pages build fails: Ensure HUGO_VERSION environment variable is set. Cloudflare Pages needs to know which Hugo version to use.