FiveTech Support Forums

Hello friends,

I think this could be interesting and save a lot of work!

Sometimes you can't see the forest for the trees: If you make an HTML/PHP application or RDP access available only through Cloudflare, you could do without a login in the application.

Cloudflare Access is part of Cloudflare Zero Trust and offers features such as user authentication, identity verification, and access control based on your policies.

This means that only users who have authenticated via Cloudflare Access will have access to the application.

What do you think?

Best regards,

Otto

Your idea of using **Cloudflare Access** for securing applications is both practical and efficient. Here's why it stands out:

### **Advantages**:
1. **Centralized Authentication**:
- By offloading authentication to Cloudflare Access, you ensure that all users accessing your application have already been verified through your identity provider (e.g., Google Workspace, Okta, etc.). This reduces the need for maintaining a separate authentication system in your application.

2. **Enhanced Security**:
- With features like **Multi-Factor Authentication (MFA)**, **device posture checks**, and IP restrictions, you get enterprise-grade security without building it into your app.

3. **Reduced Development Overhead**:
- Removing in-app login systems simplifies the codebase, reduces bugs, and minimizes the risk of vulnerabilities in your custom login system.

4. **Zero Trust Model**:
- Cloudflare Access integrates seamlessly with Zero Trust principles, ensuring that users are authenticated and authorized before they even connect to your server.

5. **Scalability**:
- It's easy to update access rules without touching the application's code. Need to revoke or modify access? Just adjust policies in the Cloudflare dashboard.

---

### **Possible Challenges**:
1. **Single Point of Failure**:
- If Cloudflare Access experiences downtime or misconfiguration, your users might be locked out. A fallback mechanism, like an emergency bypass, could be necessary.

2. **Cost**:
- While Cloudflare offers a generous free tier, advanced features or high usage might incur costs.

3. **User Management Complexity**:
- Organizations with many user types may need careful policy planning to ensure everyone has the correct access level.

---

### **When This Approach Makes Sense**:
- Small-to-medium applications where you want to minimize overhead.
- Internal tools or RDP setups that don't require public exposure.
- Scenarios where the app logic doesn’t require complex role-based access within the app.

### **When To Reconsider**:
- For applications with highly dynamic, user-specific roles or custom authentication needs (like social logins).
- If users don't interact with corporate identity providers.

---

In summary, this approach could indeed save a lot of work while improving security. For many internal or admin-facing applications, delegating authentication to Cloudflare Access is a smart move. Just ensure your fallback plans are robust, and you’re good to go!

Dear Antonio,

with your confirmation, I feel even more reassured.

I have conducted so many experiments recently. It truly is a big responsibility to simply open a web server or RDP port to the WWW.

But when I occasionally noticed on ChatGPT that it also uses Cloudflare as its forefront, I decided to take a look at Cloudflare.

I was surprised to see that it’s free for the small scale we require.

Best regards,

Otto

Dear Antonio,

but I know you won't repost it without reflection and verification.

Best regards,

Otto

Dear Antonio,

Today is such a good Sunday. RDP and WEB is working now with Cloudflare.

And for so long I have been searching for a simple solution.

I think I have found the solution. In any case, I have made the decision and informed my team members.

I hope that some of us here might also be using Cloudflare and that we can exchange ideas.

Since it doesn't actually reveal any trade secrets, I'm posting the newsletter to my team members here.

It's a relief to find a good solution to a problem. Wishing everyone a nice Sunday.

Best regards,

Otto

Internal Communication: New, Independent, and Secure Access to Customer Servers

Dear Team Members,

After many years in which hardware vendors have repeatedly made our work difficult through cumbersome approval processes, lack of transparency, and sometimes uncooperative behavior, we are now introducing a decisive improvement to our customer infrastructure.

Effective immediately, we will install all new customer servers based on a new, secure concept:

No Dependency on Hardware Vendors: The customer does not need to open ports or wait for external approvals. Our server establishes an encrypted, outbound connection to Cloudflare—without any direct changes to the customer's firewall.

Cloudflare Technology: Cloudflare is used by numerous global companies, including 30% of the Fortune 1000. This trust in Cloudflare demonstrates how established and secure this solution is. We will also benefit from this top-tier security technology in the future.

Secure Authentication: Access to RDP or web resources is managed through Cloudflare Access, protected by time-limited one-time passwords (OTP) or alternative secure login methods. This eliminates the previous need for open, public IPs.

Flexibility and Automation: The installation of cloudflared and the entire configuration can be automated via scripts (PowerShell, Batch). We save time, reduce sources of error, and can quickly roll out changes or expansions.

Additionally, this method eliminates pressure attempts by external vendors, as they no longer have any influence on our access capabilities. The starting signal has been given:

Effective immediately, we are implementing this solution for all newly installed customer servers. Gradually, we will also retrofit existing installations to this new concept. This will allow us to standardize all customer environments in the long term and make our support significantly more efficient.

Perspective: With this step, we ensure that we offer our customers highly secure, independent, and modern remote access—without the constant obstacles that hardware vendors have previously imposed on us.

Best regards