CLI Proxy for Cloudflare Access

Access protected resources with Cloudflare Access Link to heading

Cloudflare Access is a fantastic solution within the Cloudflare Zero Trust stack. It allows you to secure access to internal applications and resources without the need for a traditional VPN. Instead, every request to an application is verified to ensure it comes from an authenticated and authorized user.

When you access an application protected by Cloudflare Access through a web browser, the experience is seamless. Cloudflare redirects you to your identity provider to log in. Once authenticated, a cookie is created in your browser, and you can access the application without any issues.

architecture

But what happens when you need to access these resources from a tool? This is where things get a bit more complicated.

If you only need to make a single request, you can use the cloudflared access curl http://example.com command. But if you need to use a tool, then you need to:

  1. Authenticate using cloudflared access login http://example.com.
  2. Obtain an authentication token using cloudflared access token -app=http://example.com.
  3. Include this token in each of your requests as an HTTP header (cf-access-token). You can find more details in their official documentation.

This process can be tedious and requires adding extra logic to your scripts or configuring your tools to handle these headers, which is not always simple or possible.

Introducing cloudflared-proxy Link to heading

To simplify this workflow, I have created a new open-source tool: cloudflared-proxy.

cloudflared-proxy is a local reverse proxy that automates Cloudflare Access authentication. Once configured, it allows you to access your protected resources from any tool without having to worry about token management. You just point your tool to the proxy’s local port, and it takes care of adding the necessary authentication headers to each request.

How Does It Work? Link to heading

The tool uses cloudflared to obtain the authentication token for a specific hostname and then starts a local reverse proxy. When a request hits this proxy, the tool automatically injects the Cloudflare Access authentication header before forwarding it to the final destination.

Main Features Link to heading

  • Multiple Endpoints: You can configure proxies for multiple applications simultaneously.
  • Flexible Configuration: It supports configuration via flags, a configuration file (YAML, JSON, etc.), or environment variables.
  • Transparent for your Tools: You don’t need to modify your clients or scripts. Just use them as if the resource were available locally.

Installation and Usage Link to heading

You can download the binary directly from the Releases page on GitHub.

Basic Usage Link to heading

The main command is run, which starts the proxies. You can specify the endpoints you want to protect directly from the command line.

The format is [LOCAL_PORT:]HOSTNAME[:DESTINATION_PORT].

Example:

./cfproxy run -e app.your-domain.com

Once the proxy is running, you can use your tools by pointing to the local port. For example, with curl:

# Instead of: curl https://app.your-domain.com
# You use:
curl http://localhost:8080

Usage with a Configuration File Link to heading

For a more permanent configuration, you can use a YAML file.

Example config.yaml:

proxies:
  - hostname: "app1.your-domain.com"
    localPort: 8080
  - hostname: "app2.your-domain.com"
    localPort: 8081
    destinationPort: 8443

And then run:

./cfproxy run -c /path/to/config.yaml

Conclusion Link to heading

cloudflared-proxy was born out of the need to simplify access to resources protected by Cloudflare Access from development and CLI environments. I hope you find it as useful as I do. Feel free to try it out, open issues, or contribute to the project on GitHub!