I finally understand Cloudflare Zero Trust tunnels

(david.coffee)

311 points eustoria | 1 comments | 16 Nov 25 17:39 UTC | HN request time: 0s | source

Show context

amluto ◴[16 Nov 25 22:17 UTC] No.45948954[source]▶

> Then go into Cloudflare DNS settings and map the domain homeassistant.mydomain.com to the tunnel:

> CNAME homeassistant.mydomain.com a2f17e27-cd4d-4fcd-b02a-63839f57a96f.cfargotunnel.com

> Now all traffic going to this domain will go through the cloudflared tunnel, which is configured to route homeassistant.mydomain.com to 192.168.1.3. No Warp client needed, Argo tunnel does everything for us.

It boggles my mind that Cloudflare ever considered this acceptable for production, let alone that this is still how tunnels work. The whole configuration scheme feels like something that someone might have kludged up as a technology demo and launched in a staging environment. But the fact that a very security sensitive production system where a “DNS” record that looks like a CNAME to a magic hostname causes traffic to get proxied and sent to a “Zero Trust” private network is just … unreal. It’s almost impossible to tell WTF is going on or what policies apply to what. Does Cloudflare’s proxy really try to fetch an upstream resource, notice that the configured domain name ends with “cfargotunnel.com” and invoke some special handling? What happens if, say, someone else adds that same CNAME to their own network? What if some route goes to foo.bar.com and foo.bar.com’s nameserver reports a CNAME to cfargotunnel.com?

I’ve been using this product for several years, and the documentation and configuration pages have slowly evolved from abysmal to very slightly better. At least now it’s sort of clear how tunnels interact with strict TLS.

replies(3): >>45950173 #>>45950423 #>>45954679 #

pests ◴[17 Nov 25 01:47 UTC] No.45950173[source]▶

>>45948954 #

The cname is just a normal domain. That DNS entry is a real entry. The CNAME is real. You can go directly to that address too. If someone else knows the cname destination they could go to it or cname their own domain to it literally like any other domain.

The only specially handling is cloud flare has a mapping from subdomain to your private network via it's agent and that's it.

I don't get what's the wrong or complicated about this.

replies(1): >>45960216 #

1. amluto ◴[18 Nov 25 00:56 UTC] No.45960216[source]▶

>>45950173 #

I gave you the benefit of the doubt for a moment, but as far as I can tell, you are incorrect for practical purposes. I went ahead and re-checked everything to make sure. Let's see:

1. I have a cloudflare domain with a working tunnel (managed through Access). In DNS Records, it shows as a CNAME to [redacted].cfargotunnel.com. But:

$ dig [redacted].cfargotunnel.com

; <<>> DiG 9.10.6 <<>> [redacted].cfargotunnel.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5851 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

and no records are returned. Interestingly, it's an empty result, no NXDOMAIN.

2. I have multiple subdomains that appear to be CNAMEs to the same [redacted].cfargotunnel.net. And yet they are entirely different sites that just happen to share an instance of cloudflared at the origin. The sites aren't even served at the same origin address!

They are different "Published Application Routes". They don't even have the same protocol!

2. The tunnel above is on a domain with "Full (strict)" TLS. But traffic to the origin emerges from cloudflared in cleartext.

This whole configuration schema is nonsense. What should happen if a CNAME points at a tunnel that doesn't have a route for that application? What if a tunnel has a route for an application that is CNAMEd somewhere else?

I imagine that what's going on is that Cloudflare internally has a rule that traffic with a cfargotunnel.com origin goes out their Tunnel infrastructure instead of out to the normal Internet. And Cloudflare applies the same JWT that it would apply if the request went out via the normal Internet, and cloudflared verifies that JWT if "Enforce Access JSON Web Token (JWT) validation" is on (maybe the request is literally TLS wrapped inside the cloudflared tunnel? I've never tried to inspect what's going on inside). And then cloudflared unwraps everything? And if you configure cloudflared wrong, then it's totally insecure?

↑