
Cloudflare Access Guide

Open · dominic-r opened this issue 1 year ago · 1 comment

Is your feature request related to a problem? Please describe.
Part of my self-hosted applications are running on Cloudflare Tunnels, which allow easy protection with Access. Unfortunately, authentik does not provide a guide on how to set up an "application" for CF Access.

Describe the solution you'd like
Documentation created. I set it up myself and I wouldn't mind opening a pull request with my implementation. I'll probably create one in a few hours.

Describe alternatives you've considered
Proxying all applications with a reverse proxy. It's just not possible 100% of the time in certain use cases.

dominic-r · May 13 '24 20:05

Assuming you have a reverse proxy installed already that is exposed to your Cloudflare tunnel and have authentik working locally, you would use the local proxy URL of your application in the host section of CF Tunnels. So instead of exposing the Docker container directly in your CF tunnel, you would use mydockerinstance.local.mydomain.com, if that makes sense. You would also need to map/expose the actual external URL host.domain.com subdomain in your reverse proxy that points to your container or authentik instance, depending on how you are proxying with authentik. That way, when you access the external URL from Cloudflare, your reverse proxy manager routes it to the resource, which in this case would be attached to/with authentik.

In authentik I treated internal and external access as two separate brands by creating separate outposts to handle local and external requests. This means you'll have to create separate versions of local vs. external providers, applications, and brands. Then add all the local providers/apps to the local outpost and external providers/apps to the external outpost, and point the local outpost to the local URL and the external outpost to the external URL. Most of the settings will be the same when setting up the two providers and applications; just the URL, referencing provider, names, and slugs will be different.

That way, when you're accessing externally it redirects to external authentik, and when accessing internally it redirects to the local authentik. This is assuming you also included authentik in your Cloudflare tunnel. I didn't see any documentation on this either, so I'm not sure if this is the official way (it feels lowkey hacky), but I was able to get it working this way. I did it this way so I didn't have to create a whole separate instance of authentik for local vs. external.

  • If any devs/mods are reading this, it would be great if we could define multiple hosts/domains/URLs for one provider in the proxy section.

Then in your reverse proxy, create a host that handles both, or just create a wildcard subdomain if possible for both external and local versions independently, if that makes sense.

gitmotion · May 22 '24 22:05
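The tunnel-side half of the setup gitmotion describes (public hostnames routed to the local reverse proxy, which then hands requests to the authentik outpost, instead of exposing a container directly), written out as an added cloudflared ingress config. This is an illustrative example, not code from the issue or from the authentik or Cloudflare projects; the tunnel UUID, the hostnames auth.domain.com / host.domain.com, and the reverse proxy address reverse-proxy.local:80 are assumed placeholders.

```yaml
# Added example, not from the issue: cloudflared config.yml ingress rules.
# <TUNNEL-UUID>, the hostnames and the proxy address are assumed placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # External authentik hostname, so the external outpost/brand is reachable
  # through the tunnel (the comment above assumes authentik is in the tunnel).
  - hostname: auth.domain.com
    service: http://reverse-proxy.local:80

  # The protected application. Route it to the reverse proxy, which forwards
  # to the authentik proxy outpost (or to the container behind it).
  - hostname: host.domain.com
    service: http://reverse-proxy.local:80
    # Weak alternative the comment advises against: pointing the public
    # hostname straight at the container skips the proxy/outpost entirely.
    # service: http://app-container:8080

  # Catch-all rule (required as the last entry): unmatched hostnames get a
  # 404 from cloudflared instead of reaching the origin.
  - service: http_status:404
```

Because both public hostnames land on the same reverse proxy, the proxy needs a virtual host for each (or the wildcard host gitmotion mentions) so it can tell the external authentik hostname apart from the application hostname and route each to the matching outpost.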