Skip to main content

Cloudflare Access

Purpose: Zero Trust authentication and access control for internal applications. Protects the Docusaurus documentation site with Google OAuth and domain-based access policies.

Last verified: January 2025

Account Details

  • Dashboard: https://one.dash.cloudflare.com/
  • Team domain: pacingagency.cloudflareaccess.com
  • Account owner: Ben Power
  • Category: SECURITY
  • Account type: INTERNAL
  • Plan: Free tier (up to 50 users)

Overview

Cloudflare Access (Zero Trust) provides authentication and authorisation for applications without exposing them to the public internet. It integrates with identity providers like Google OAuth to control who can access protected resources.

Key Features:

  • Google OAuth integration for single sign-on
  • Domain and email-based access policies
  • Edge-based authentication (no code changes required)
  • Session management and access logs
  • Free tier supports up to 50 users

Current Use

Protected Application: Docusaurus Documentation Site

Application: Tech Stack Docs
Domain: docs.pacing.agency
Application type: Self-hosted (Cloudflare Pages)

Authentication:

  • Identity provider: Google OAuth
  • Login method: Google (with PKCE enabled)
  • Session duration: 24 hours

Access Policy: PacingDocs1

  • Action: Allow
  • Rule: Emails ending in @pacing.agency
  • Additional rules: Can be extended with specific email addresses or other domains

Configuration

Google OAuth Setup

Google Cloud Console:

  • Project: pacingdocs
  • OAuth Client ID: 842963103058-2mtfd6kec86botcm4pq123pifknp8v9t.apps.googleusercontent.com
  • Authorised redirect URI: https://pacingagency.cloudflareaccess.com/cdn-cgi/access/callback
  • Authorised JavaScript origin: https://pacingagency.cloudflareaccess.com

Cloudflare Zero Trust:

  • Identity provider: Google
  • PKCE: Enabled (recommended for security)
  • Email claim: Default (email)

Application Settings

Application name: Tech Stack Docs
Public hostname: docs.pacing.agency
Session duration: 24 hours
Login methods: Google (explicitly selected)

Advanced settings:

  • CORS: Allow all origins (default)
  • HTTP Only cookies: Optional (can be enabled for additional security)
  • Cookie path enforcement: Default

Access Policies

Policies define who can access protected applications. Policies are evaluated in order, and the first matching policy determines access.

Current policy structure:

  1. PacingDocs1: Allows emails ending in @pacing.agency

Adding users:

  • Domain-based: Add "Emails ending in" rule with domain (e.g., @automates.tech)
  • Specific users: Add "Email" rule with individual email addresses
  • Multiple rules: Use OR logic (user needs to match any rule)

Policy actions:

  • Allow: Grants access if rules match
  • Deny: Blocks access (evaluated first)
  • Bypass: Skips authentication (use with caution)

Testing

Test access:

  1. Visit https://docs.pacing.agency/ in an incognito window
  2. Should redirect to Google OAuth login
  3. After authentication, access is granted if email matches policy
  4. Session persists for 24 hours (or configured duration)

Troubleshooting:

  • OTP shown instead of Google: Check that Google is selected in application login methods
  • "Account does not have access": Verify email matches access policy rules
  • Login loop: Clear browser cookies and try again
  • Policy not working: Use Policy Tester in Zero Trust dashboard to verify user attributes

Management

Adding new users:

  1. Go to Access → Applications → Tech Stack Docs
  2. Edit the policy (or create a new one)
  3. Add email or domain rule
  4. Save (changes take effect immediately)

Viewing access logs:

  • Zero Trust → Access → Logs
  • Shows login attempts, successful authentications, and denied access

Session management:

  • Users can log out via the Access login page
  • Sessions expire after configured duration
  • Force logout: Revoke access in policy or remove user from allowed list
  • Docusaurus: See tools/docusaurus.md for documentation site details
  • Cloudflare: See tools/cloudflare.md for DNS and CDN configuration
  • Google Workspace: See tools/google-workspace.md for Google account management

Security Notes

  • PKCE is enabled for additional security against CSRF attacks
  • Access is enforced at the edge before requests reach the application
  • No code changes required in the protected application
  • Access logs provide audit trail of who accessed what and when
  • Free tier suitable for small teams (up to 50 users)