Secure Cloudflare WEB applications
Today you will learn how to secure web applications, such as Home Assistant or wp-admin, with Cloudflare.
People who use Home Assistant often want to be able to access their smart home from anywhere. A common and secure solution for this is access via a VPN.
If, like me, you often forget to switch on the VPN, an alternative solution for worldwide access to your smart home could be interesting.
Basically, it’s easy to make your smart home accessible via the internet. However, this also opens the door to unwanted access – many hackers simply use such opportunities to practice 😁.
Today, we secure our smart home and restrict access specifically, for example to “Home Assistant”. This is very easy to implement. So, let’s get started!
Video: Secure Cloudflare WEB applications
Language: 🇩🇪
☝️ Use YouTube subtitles for all languages.
The Cloudflare tunnel
In this article, I will not go into detail about setting up the tunnel. You can find detailed instructions on configuring the tunnel in this article:
We will now create a new host in our tunnel:
Subdomain | : homi (example) |
Domain | : Select the corresponding registered domain (example: klissner.uk) |
Path | : empty |
Type | : HTTP |
URL | : IP address of the PC hosting the application (example: 192.168.1.106:8010) |
Save and exit.
While the DNS records for https://homi.klissner.uk are being distributed worldwide and published on the DNS servers, we turn to security.
Settings
Authentication
“One-Time PIN” should be activated under “Login methods”. If this is not yet set up for you, you can set up “One-Time PIN” via “Add”, as shown in the video.
Access
Applications
Use the side menu bar to select “Access” and then “Applications”. Then click on “Add application” and select “Self-hosted”.
Add an application
Application name | : Home Assistant (example) |
Session duration | : 24h (default) |
Subdomain | : homi (like tunnel setup) |
Domain | : Select registered domain (example: klissner.uk) |
Path | : empty |
Identity providers
Make sure that “Accept all available identity providers” is activated and “One-time PIN” is displayed. No further adjustments are required on this page – simply click “Next” at the bottom right.
Add application
In the “Policy Name” field, enter a name for the security policy, for example “ha-pin”.
Create additional rules
Now we define who is allowed to log in and how, and who is denied access.
As we have defined verification by PIN, we now determine who is authorized to receive a PIN to log in.
Selector: There are numerous options here. The simplest and most secure method is verification by email. Therefore, set the “Selector” to “Email” to control access via a verified email address.
Value: Now enter the e-mail addresses of the users who are allowed to log in. Make sure that you separate the addresses with a comma (“,”).
I’ll explain it simply: with this setting, only the specified e-mail addresses are sent a PIN for logging in. All other e-mail addresses do not receive a PIN code and therefore cannot log in.
As soon as you have entered the desired e-mail addresses, you can click on “Next” to continue.
CORS settings
You don’t need to do anything here; just click on “Next” at the bottom right.
Back to the overview Applications
Your application is now displayed in the overview. In the example, this is “Home Assistant” with the corresponding URL.
Well done, off to the test …
Testing the access
Perfect! You have completed the steps for configuring secure login with “Cloudflare Access”. Now you can test the access by calling up the URL in the browser (in the example: https://homi.klissner.uk):
- Enter the configured e-mail address.
- You will receive a One-Time PIN (OTP) by e-mail.
- Enter the PIN in the input mask provided to check access to the application.
The video will show you the exact steps and make sure that everything works correctly. If everything is configured correctly, you will be given access to your system after entering the PIN – so you can make your SmartHome or other applications securely accessible via the Internet.
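The browser test can also be repeated as a script. This is an added example, not part of the original article or the video: it sends a request without any login cookie and checks that the first answer is a redirect to a Cloudflare Access login host (*.cloudflareaccess.com), which catches the case where the tunnel host is published but the Access application does not cover it. The team name "example-team", the path /api/ and the sample responses are constructed assumptions.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ACCESS_SUFFIX = ".cloudflareaccess.com"  # host suffix of the Access login page

def classify(status, location):
    """Verdict for one request sent without credentials."""
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(location or "")
        host = (target.hostname or "").lower()
        if target.scheme == "https" and host.endswith(ACCESS_SUFFIX):
            return "protected"  # bounced to the Access login (PIN) page
        return "review"         # some other redirect: check it by hand
    if 200 <= status < 300:
        return "exposed"        # content served with no login at all
    return "review"             # 4xx/5xx: tunnel down, blocked, etc.

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # stop at the first hop so it can be inspected

def probe(url, timeout=10):
    """Fetch url without cookies or redirects; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location")

def audit(base_url, paths, fetch=probe):
    """Map each path to its verdict."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + p)) for p in paths}

# Constructed responses (not captured traffic); "example-team" is a placeholder.
SAMPLE = {
    "https://homi.klissner.uk/": (302, "https://example-team.cloudflareaccess.com"
                                       "/cdn-cgi/access/login/homi.klissner.uk"),
    "https://homi.klissner.uk/api/": (200, None),  # constructed misconfiguration
}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: python check_access.py URL [PATH ...]
        report = audit(sys.argv[1], sys.argv[2:] or ["/"])
    else:                   # offline demo on the constructed responses
        report = audit("https://homi.klissner.uk", ["/", "/api/"], SAMPLE.__getitem__)
    for path, verdict in report.items():
        print(f"{verdict:9} {path}")
    sys.exit(0 if set(report.values()) == {"protected"} else 1)
```

Run it against your own hostname from a network outside your home; every path should come back as "protected", and the exit code is non-zero otherwise.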
Notes on the Home Assistant app
The app works great on Android devices. On iOS devices, you currently get error 3080 and you can’t get into the app.
However, the error is known and I assume that it will be fixed soon.
Just use the Safari browser on your iPhone to log in to Home Assistant, that works.