Cloudflare Tunnel and Service Tokens
Hi Ben,
I would like to secure my SecuritySpy web interface behind an additional authentication layer provided by Cloudflare ZeroTrust Tunnels, whilst still having it seamlessly work with the iOS app.
At the moment if I enable "Protect with Access" against my SecuritySpy Hostname within Cloudflare and choose an Application that was defined within Access -> Applications, I am redirected to my specified Identity Provider (Google) for an additional authentication request with my Google account, which is itself protected by MFA.
This of course then prevents the SecuritySpy iOS app from accessing my cameras which isn't ideal, so I disable "Protect with Access" which results in the SS web login page being the only barrier between the internet and my cameras.
Researching into alternative methods, it appears that I can create a Service Token (Access -> Service Auth -> Service Tokens) which gives me "CF-Access-Client-Id" and "CF-Access-Client-Secret" credentials. Apparently if these are supplied via the request headers, it will let that client bypass the "Protect with Access" policy.
Would it therefore be possible to look into providing these tokens in SS iOS app to see if this will allow us to fully protect our SecuritySpy environment please?
This is explained much better here: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
Thanks in advance,
Paul.
Comments
-
A typical workflow for a user could be something like this (taken from a post on the Cloudflare community forum):
- Open your iOS app and locate the “Add custom HTTP Header” option.
- Choose the “Custom” option.
- In the “Header Key” field, enter Cf-Access-Token.
- In the “Header Value” field, paste the service auth token you generated earlier.
- Save the changes and test the connection.
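The original post describes presenting a Service Token as request headers so that a non-browser client can pass a "Protect with Access" policy, and the steps above show the same idea configured by hand in an app. The following is an added example, not code from the original thread, from SecuritySpy or from Cloudflare: a small Python client that builds the header pair named in Cloudflare's service-token documentation (the page the original post links to), reads the credentials from environment variables rather than hardcoding them, and classifies the first, unfollowed response so you can tell "policy satisfied" from "redirected to the Access login page". The hostname, the environment variable names and the redirect sample in the test are assumptions for illustration.

```python
import os
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlsplit

# Header names from Cloudflare's service-token documentation (linked in the
# original post). The values are the credentials created under
# Access -> Service Auth -> Service Tokens.
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"


def service_token_headers(client_id: str, client_secret: str) -> dict:
    """Build the two headers a client presents to satisfy a Service Auth policy."""
    if not client_id or not client_secret:
        raise ValueError("service token id and secret must both be set")
    return {CLIENT_ID_HEADER: client_id, CLIENT_SECRET_HEADER: client_secret}


def headers_from_env() -> dict:
    """Read the token from the environment (variable names are an assumption)
    so the secret never lands in a script, a shell history or a log."""
    return service_token_headers(
        os.environ.get("CF_ACCESS_CLIENT_ID", ""),
        os.environ.get("CF_ACCESS_CLIENT_SECRET", ""),
    )


def redact(headers: dict) -> dict:
    """Copy of the headers that is safe to print: the secret is masked, the id kept."""
    return {
        k: ("***" if k.lower() == CLIENT_SECRET_HEADER.lower() else v)
        for k, v in headers.items()
    }


def classify(status: int, location: Optional[str]) -> str:
    """Interpret the first (unfollowed) response from the Access-protected hostname."""
    if status == 200:
        return "ok"  # policy satisfied, or Access not enforced on this path
    if 300 <= status < 400 and location:
        host = urlsplit(location).hostname or ""
        if host.endswith(".cloudflareaccess.com"):
            # Access is enforced and the token was missing or rejected:
            # a browser would now be sent to the identity provider.
            return "access_login_redirect"
        return "other_redirect"
    if status in (401, 403):
        return "denied"
    return "unexpected"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Access redirect is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, headers: dict, timeout: float = 10.0) -> str:
    """GET the protected hostname once with the token headers and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here when not followed
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    # Assumed hostname for illustration; set SS_URL to your own Access-protected URL.
    target = os.environ.get("SS_URL", "https://securityspy.example.com/")
    hdrs = headers_from_env()
    print("sending", redact(hdrs), "to", target)
    print("result:", probe(target, hdrs))
```

Running it with no token at all should yield `access_login_redirect` if the policy is doing its job; with a valid Service Token it should yield `ok`. Two caveats for anyone scripting this: the steps quoted above use a single `Cf-Access-Token` header, whereas the Cloudflare page linked in the original post documents service tokens as the `CF-Access-Client-Id` / `CF-Access-Client-Secret` pair, which is what this block sends; and because a service token is a bearer credential, treat the secret like a password: keep it out of the app's own logs (hence `redact`) and revoke it from the Cloudflare dashboard if a device carrying it is lost.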
-
I've used the CF tunnels for some other trials, and it's nice. If you're set on it, then more power to you.
But if you haven't looked at it yet, I'd suggest that Tailscale is a better option here. I run a TS cluster with my Mac and iOS devices and have seamless exposure to my machines and notifications everywhere. When I'm on my private LAN, it turns the "VPN" off, and when I leave my wifi it turns the "VPN" back on. I don't need to use an exit node for this (which slows things down).
I basically have full speed access to my machines all within the same secured network.
Again, maybe you have other reasons for using CF for this, and nothing against it, just offering this observation in case it's useful to you or others.
-
Thank you for the suggestion, I have considered Tailscale but I don't think it would easily work for my setup because I've given external family members access to some cameras (Hedgehog cam for example) which they do via the iOS app. I wouldn't want them to join my internal Tailscale network, plus as some are elderly, trying to remotely install/troubleshoot Tailscale/VPN issues on their phone could be tricky.
-
@paul2020 Makes sense. I have done the same in the past.
While I haven't tried it yet, TS does have a feature called TS Serve where I think you can serve up a single URL without authentication. It would be open access, but isolated to that URL, and pretty obscure. Just an option to add to the conversation.
I have added the TS app to my wife's phone and added her (own login) to my TS network where I could add some ACLs if I wanted. It's pretty much transparent to her. Sounds like not the right fit for your use, but again just mentioning in case it helps others.
-
Hi @paul2020 I appreciate what you are trying to do - adding extra security is a good thing! Unfortunately, I think it's unlikely that we'd be able to add additional features to support this, however - it doesn't make sense for us to spend development time on features that 99% of users won't use.
Instead of a tunnel, have you considered a private VPN? This is outlined on our blog post Remote Access Without Port Forwarding. This adds an extra layer of security (because you have to be a member of the VPN to gain network access) in a transparent way that works well with our iOS app.
-
That's fair enough @Ben, although your blog does also suggest Cloudflare Tunnel. :)
I realise 99% of users probably don't use it at the moment, but if there was an easy to follow guide (I would create such a guide) that offered an alternative to opening up a port on your router, which resulted in a very secure public URL to access your cameras from anywhere (without installing VPN clients which may not be possible in some places such as work computers), a lot more people would go down that route.
I'm one of those people who sometimes needs to access my cameras from a corporate work laptop where Tailscale or VPNs just aren't an option, so it's a shame this is unlikely to be considered.
-
@paul2020 Just thinking of workarounds to help you out... I used CF with OTP as authentication sent to my email address. Worked well.
-
Hi @jimmyjohnson, thank you, I'm always for trying out different ideas or better ways of accessing my home services.
When you use CF with OTP as authentication, does this work ok with the SS iOS app?
-
Ahhh. You're right. I don't think it would work with the app as I think it's session based for web browser only.
-
@Ben do you have any plans to make a mobile-friendly version of the web interface please? This could be an alternative to using the SS iOS app and still allow the secure CF access. I do understand this may not be desirable as who would access via the web when you have a perfectly good enough iOS app. :) Unless you are planning to use the new JavaScript engine as part of the app in a future update?
-
@jimmyjohnson yeah that's unfortunately the problem, but I did have a moment where I thought you'd managed to get it to work somehow. :)
