Before you begin
This article is the first in the Cloudflare series, where I will show how to set up Cloudflare Tunnels to protect a Ghost blog. If you have yet to set up a containerised Ghost blog using Docker and Docker Compose, check out my Docker series! The series covers:
- How to configure Cloudflare Tunnels for a secure Ghost blog.
- How to use Cloudflare Access with short-lived certificates for browser-based SSH connectivity.
Cloudflare recently made Tunnels free as part of its broader push to make Zero Trust a reality for everyone through its Cloudflare Access product. They dubbed it "A Boring Announcement", but I think it's anything but, given the benefits for those of us running smaller services like this blog.
Given that Cloudflare now fronts almost 20% of the web (as of November 2021), I thought this would be a great time to explore using the new service to further protect VPSs such as the one running this blog.
Cloudflare Access with Tunnels
Cloudflare Tunnel works by running a lightweight connector (cloudflared) on your server that opens an outbound-only connection to Cloudflare's edge. This gives us an encrypted tunnel between our origin (the server) and Cloudflare's network without opening any inbound ports or exposing the server's IP address to the internet, and without the consequences that come with that, such as direct or persistent attacks against the origin. That leaves more time to focus on content creation.
What this means is that we can:
- Connect a Ghost blog running on the server to Cloudflare's edge network securely.
- Expose SSH access to the server running the Ghost blog through Cloudflare's edge network, rather than directly to the internet.
The architecture for this one is relatively simple compared to the Docker series. Every user reaching our blog, or SSH on our server, is routed through Cloudflare's network and its protection mechanisms, which means we can easily put Cloudflare Access in front of the deployed applications.
The main advantage of this approach is that we no longer need firewall rules that allowlist Cloudflare's published IP ranges, or other checks that traffic really arrived via Cloudflare, because nothing has to listen on a public port in the first place: the connector dials out, and Ghost and SSH only need to be reachable from the server itself. One caveat worth stating plainly: the origin is only as hidden as its services are. If Ghost or sshd are still bound to the public interface, anyone who learns the server's IP (old DNS records, for example) can bypass Cloudflare entirely, so bind them to loopback or a private Docker network that only cloudflared can reach. With that done, we can rely on a company worth just under $68 billion to do most of the heavy lifting to protect our origin (our server) 💪.
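As an added example (not code from the original post), here is a cloudflared config.yml that wires both of the items above, the blog over HTTP and SSH, through a single tunnel. The hostnames blog.example.com and ssh.example.com, the tunnel UUID, and the assumptions that cloudflared runs on the VPS itself and that the Ghost container publishes port 2368 only on loopback are mine, not the post's.

```yaml
# /etc/cloudflared/config.yml  (added example; not from the original post)
#
# Assumptions (mine, not the post's):
#   - cloudflared runs on the VPS itself (e.g. installed as a service with
#     `cloudflared service install`), so "localhost" below means the server.
#   - The tunnel was created with `cloudflared tunnel create ghost-blog`, which
#     wrote its credentials JSON; the UUID below is a placeholder for the real one.
#   - The Ghost container publishes its port only on loopback
#     (e.g. "127.0.0.1:2368:2368" in docker-compose), and sshd listens on port 22.
#   - Each hostname was pointed at the tunnel with
#     `cloudflared tunnel route dns ghost-blog <hostname>`.

tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Public blog: the visitor's TLS terminates at Cloudflare's edge, and the
  # request only reaches Ghost through the outbound tunnel, never via port 2368
  # on the public interface (which is not published at all).
  - hostname: blog.example.com
    service: http://localhost:2368

  # SSH: port 22 is never opened to the internet. Clients reach sshd through
  # Cloudflare (with Access in front of it, covered in part 2 of the series)
  # and the edge forwards the session over the tunnel.
  - hostname: ssh.example.com
    service: ssh://localhost:22

  # Mandatory catch-all: any hostname not matched above gets a 404 from
  # cloudflared instead of being proxied to the origin.
  - service: http_status:404
```

Before starting the connector, `cloudflared tunnel ingress validate` checks the file for errors such as a missing catch-all rule, and `cloudflared tunnel ingress rule https://blog.example.com` shows which rule a given URL would hit. With the config in place, `cloudflared tunnel run` (or the installed service) brings the tunnel up; at no point does the server need an inbound firewall exception for either service.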