I did this for some self-hosted services that my wife accesses. Limited access to my email and hers with Google authorization. Passes the wife test and quite secure so I'm happy!
Hi buddy, Thanks for all the videos. They're always accurate and straight to the point. Thanks! Just one note: could you slow down a little? I find myself having to rewind 5 seconds about 50 times in a single video. Still, they’re great, and I’ve definitely subscribed. I’d just love to see a slower pace; I understand the videos will be longer, but (for me) it's worth it.
Thanks!! I talk fast. It's just who I am. Always have been. I've tried multiple times to slow down and I feel like I'm making fun of people. All I can say is to watch the video at .75 speed. Like... this has been enough of an issue over the years that I usually respond with this page that I put on my website years ago: dbtechreviews.com/i-talk-fast/
For those exposing docker services to cloudflared, make sure said services are part of (generally) the 'bridge' network. Don't ignore docker networking when troubleshooting!
Fantastic!! I had a CF Application authenticating with the one-time email code, but I've been struggling with the Google authentication. Afgter following along with your video,...IT WORKS! Thank you for all you do!
Thanks for this! Looking forward to the Authelia integration as well! Using this to access my local Radarr and Sonarr applications because they have no auth. This should block access to people not approved but Authelia would be ideal.
If I had known you were going to do all the hard work, I would have waited for your video. Alas, I took inspiration from your last video (and helpful comments) and figured it out about 24 hours before this video went live. Now for bonus points - I'm currently investigating using Google SSO for Portainer to auto sign me in too - The steps in the portainer documentation are nowhere near as helpful as Cloudflare's. Thanks again for the helpful videos!
Hi David. If I enable Google or Github auth to protect a Vaultwarden (running in a tunnel) instance what will happen to the Chrome Extension or the Android app? will I have access to these or I need to setup exclusions like in Authelia?
Very helpful - This will help me. I recently set up Authentik (very cool app) it is better then Authelia. I followed Cooptonian to set to configure it and just used the Authentik site with and .env file for email etc. Very cool though this will help me setup SMIL and cloud flair instead of Google or Github. :-)
did you add firewall rule allow access for this ip 0.0.0.0/0 on GCP ? actually I create wordpress on GKE and I want to restrict access to that wordpress using cloudflare , but I didn't know how to do that. I following your instruction using cloudflare, but the WordPress site still can be accessible for public
When I set this up, it only works as shown in the video in an incognito window. When I try this in a normal browser window, it appears to want to load my application (since I am already signed into google on my browser), but then I end up with a white screen. Is there something I am missing?
While I greatly appreciate your video on setting up Cloudflare Tunnels, there is a snag I've run into. I cannot get my domain through tunnels to connect to my Proxmox box, but all the VM's and Docker containers on it work with no problem.
Turn on No TLS verification under Additional Application Settings while configuring Proxmox. That should help. (Proxmox uses it's own TLS certification)
Sir, Please can you help me one thing i am using cloudflared tunnel for my winodows 10 pc, I can access webserver using 80 port from outside but when i am going to use RDP i cant not access from outside from my home. Please can help me.
Thank you for such series. Really helpful, built myself at least 5 self hosted programs. Do u have any plan on making one for Nextcloud AIO docker+portainer+cloudflare tunnel? I tried it but sadly after enabling nextcloud containers part, the initial a logging doesnt work sadly with tunnel, it says bad tunnel.
I installed NextCloud AIO using [This Guide](ua-cam.com/video/OCLq62KOqNU/v-deo.html) from Awesome Open Source, it works great, and I have it running through my Cloudflare tunnels. The AIO package makes NextCloud much easier to deploy and maintain. I actually find myself using NextCloud more as time goes on, there are some extremely useful add-ons that are quite lovely!
@@DBTechYT no worries. I like that a package contains all Nextcloud stuff in it, usually use office and talk, others I disable them in containers section. If I want to use them I can just enable them. I will be looking for solution online too. Again thank you for educational videos,
Thanks, David. I'm curious about how to use multiple identity providers, e.g. check for an included ip and if that fails then verify by email or github. Can you explain the difference between "include" and "require"? I suspect they are implementations of boolean ANDs/ORs but I am just guessing.
I wish I could find documentation on how to add a custom logo to the auth page (or to customize it further than the application OAUTH page) This was very helpful though. Thank you
I have an application which uses a specific port and was wondering how you can use the method described in this video to do this.. any help is greatly appreciated.
Great video as always! My question is how this affects other clients that are not browsers (i.e. Nextcloud, bitwarden, jellyfin, etc android clients). As I would like to setup this, but my concern is that they don't know how to interact with the new layer
Honestly I haven't tried it so I can't give much info. For my setup with those apps, I restrict by IP and either access at home or via my PIA VPN with a dedicated IP
@@DBTechYT I thought about that too. Will use that for restrictions then. Or something similar hehe. Thanks for your reply!!! Greetings from Argentina!
it was working then i suddenly started getting errors for both Google and Github, "Unable to find your Access organization! It appears that you have attempted to reach an invalid URL. Please enter a valid team name." i have gone into settings and copy and past what i see is the team name.... just wondering if someone else has this issue
Very interesting video. Thank you for your hard work! Quick question - will this result in having to authenticate via Google or GitHub (in your case) even if I'll try accessing the application from internal network?
Hi David, great video as always. Can you tell me what happens if you pick one of the other Gmail addresses. One that hasn't been given access. Does it handle it gracefully? Does it let you in anyway? Many thanks.
one thing that stumped me - that might help someone else. if you only want github access with NO email access. You must go to cloudflare zero trust/applications/authorization - then select add 'login methods' as the selector and 'Github' as the value. other wise you get a login error (That account does not have access)
I haven't tested it, but several of people have said they use them together. I don't see the point/need to combine then, but there's no one right way to do things
@@DBTechYT thank you so much for your response. I am behind CG-NAT, don't want to route via VPS (NPM + VPN). I am hoping CF tunnel pushes all traffic thru tunnel to my NPM instance and then NPM takes care of routing to individual apps and integrate to Authentik or something similar.
Hi @DBTech, nice Video! I have a question. How do I restrict access with Google authentication to all of my Cloudflare tunnels with a single policy? If I just leave the subdomain blank, there will be no authentication anymore. If I put subdomain in, authentication is working fine, but only for that singe sub. Would be nice If someone could help me.
I did this for some self-hosted services that my wife accesses. Limited access to my email and hers with Google authorization. Passes the wife test and quite secure so I'm happy!
Hell yes! That's awesome!
I did the same so my wife has access to some self-hosted services :D
Thank you for this very good video as usual, PLEASE do the Authelia / Cloudflare Tunnel Video 🙂
Wonderful😃..Thanks a lot, very helpful 🙏. Would love to watch more such videos related to CloudFlare since it is growing with lots of new features.
THIS! This is the video I've been searching for. Thank you so much for helping me get my subdomains locked down with Google.
Glad it helped!
Thanks for this one. I understand the implementation so much better now I have walked through it while pausing the video. keep them coming.
Glad it helped!
Hi buddy,
Thanks for all the videos. They're always accurate and straight to the point. Thanks!
Just one note: could you slow down a little? I find myself having to rewind 5 seconds about 50 times in a single video. Still, they’re great, and I’ve definitely subscribed. I’d just love to see a slower pace; I understand the videos will be longer, but (for me) it's worth it.
Thanks!! I talk fast. It's just who I am. Always have been. I've tried multiple times to slow down and I feel like I'm making fun of people. All I can say is to watch the video at .75 speed. Like... this has been enough of an issue over the years that I usually respond with this page that I put on my website years ago: dbtechreviews.com/i-talk-fast/
Excellent. Just the video I was waiting for.
Glad to hear it!
For those exposing docker services to cloudflared, make sure said services are part of (generally) the 'bridge' network. Don't ignore docker networking when troubleshooting!
Fantastic!! I had a CF Application authenticating with the one-time email code, but I've been struggling with the Google authentication. Afgter following along with your video,...IT WORKS! Thank you for all you do!
Really glad the video was helpful!!
These videos are incredible.
Thanks for doing this, I feel safe now
Thanks David! Very easy to follow
Great vid love the cloudflare tunnels vids use them on my network and always learn so much from ur vids thanks
Works like a champ. Thanks!!!
Followed step by step and it worked flawlessly! Thanks!!!
Great to hear! Thanks for the comment!!! :)
Thanks, great tutorial and comment for the algorithm.
Thank you for your time and effort with this videos, it really really really helps a lot!!
great job DB
if people only knew how powerful this content really is....Thank you! @DBTechYT
It's why I'm try to make content about it :)
Great content! Please do the Authelia / Cloudflare Tunnel Video
thanks you for making this video this is what I wanted a video about becuse it is so complicated.
Glad it was helpful!
Been a long time follower, I would love to see some videos on using NGrok and Cloudflare used together !
Very helpful, thank you!
Thanks for this! Looking forward to the Authelia integration as well! Using this to access my local Radarr and Sonarr applications because they have no auth. This should block access to people not approved but Authelia would be ideal.
If I had known you were going to do all the hard work, I would have waited for your video. Alas, I took inspiration from your last video (and helpful comments) and figured it out about 24 hours before this video went live. Now for bonus points - I'm currently investigating using Google SSO for Portainer to auto sign me in too - The steps in the portainer documentation are nowhere near as helpful as Cloudflare's. Thanks again for the helpful videos!
You might start here: ua-cam.com/video/IUBqsl_7uuc/v-deo.html
@@DBTechYT you’re good people David!
Merry Christmas!
Hi David. If I enable Google or Github auth to protect a Vaultwarden (running in a tunnel) instance what will happen to the Chrome Extension or the Android app? will I have access to these or I need to setup exclusions like in Authelia?
Great video thank you for sharing.
thanks so much. it finaly works
Glad it helped
Great tutorial 🙌
Very helpful - This will help me. I recently set up Authentik (very cool app) it is better then Authelia. I followed Cooptonian to set to configure it and just used the Authentik site with and .env file for email etc. Very cool though this will help me setup SMIL and cloud flair instead of Google or Github. :-)
did you add firewall rule allow access for this ip 0.0.0.0/0 on GCP ? actually I create wordpress on GKE and I want to restrict access to that wordpress using cloudflare , but I didn't know how to do that. I following your instruction using cloudflare, but the WordPress site still can be accessible for public
yes, please to a video with authelia and cloudflare
When I set this up, it only works as shown in the video in an incognito window. When I try this in a normal browser window, it appears to want to load my application (since I am already signed into google on my browser), but then I end up with a white screen. Is there something I am missing?
Thanks man
While I greatly appreciate your video on setting up Cloudflare Tunnels, there is a snag I've run into. I cannot get my domain through tunnels to connect to my Proxmox box, but all the VM's and Docker containers on it work with no problem.
Turn on No TLS verification under Additional Application Settings while configuring Proxmox. That should help. (Proxmox uses it's own TLS certification)
Sir, Please can you help me one thing i am using cloudflared tunnel for my winodows 10 pc, I can access webserver using 80 port from outside but when i am going to use RDP i cant not access from outside from my home. Please can help me.
Thank you for such series. Really helpful, built myself at least 5 self hosted programs. Do u have any plan on making one for Nextcloud AIO docker+portainer+cloudflare tunnel? I tried it but sadly after enabling nextcloud containers part, the initial a logging doesnt work sadly with tunnel, it says bad tunnel.
I'll have to look into it. I don't really care for NextCloud to start with and I'm not sure what the point of NextCloud AIO is...
I installed NextCloud AIO using [This Guide](ua-cam.com/video/OCLq62KOqNU/v-deo.html) from Awesome Open Source, it works great, and I have it running through my Cloudflare tunnels. The AIO package makes NextCloud much easier to deploy and maintain. I actually find myself using NextCloud more as time goes on, there are some extremely useful add-ons that are quite lovely!
@@DBTechYT no worries. I like that a package contains all Nextcloud stuff in it, usually use office and talk, others I disable them in containers section. If I want to use them I can just enable them. I will be looking for solution online too. Again thank you for educational videos,
What a legend
Followed this process for Google auth, but seem to be getting error 1033? Argo Tunnel error?
How this works for things like Plex and Vaultwarden where you have an app running in your phone ?
Thanks, David. I'm curious about how to use multiple identity providers, e.g. check for an included ip and if that fails then verify by email or github. Can you explain the difference between "include" and "require"? I suspect they are implementations of boolean ANDs/ORs but I am just guessing.
Based on my knowledge, you're spot on
maybe do setup of SSO provider like Authelia Authentik Keycloak tutorial and integration more content to come!!
how to add multiple email in the google authentication?
I wish I could find documentation on how to add a custom logo to the auth page (or to customize it further than the application OAUTH page)
This was very helpful though. Thank you
Any option to use the tunnel for other protocols, e.g. RDP?
You can easily login to your Cloudflare account and see all the protocols available
I have an application which uses a specific port and was wondering how you can use the method described in this video to do this.. any help is greatly appreciated.
Watch the video linked in the video description
Best!
My company uses gitea instead of github .. is there any option to check.
Else authelia we use these two things..
Any advice or suggestions
Vijey
Excellent videos, really useful! Have you played with the Private Network feature within the Zero Trust Tunnel? Is it useful at all?
Thanks! I haven't done much of anything with Private Networks as of yet.
@@DBTechYT This is where a good video guide comes in (as the documentation is really quite hard going!).
Great video as always! My question is how this affects other clients that are not browsers (i.e. Nextcloud, bitwarden, jellyfin, etc android clients). As I would like to setup this, but my concern is that they don't know how to interact with the new layer
Honestly I haven't tried it so I can't give much info. For my setup with those apps, I restrict by IP and either access at home or via my PIA VPN with a dedicated IP
@@DBTechYT I thought about that too. Will use that for restrictions then. Or something similar hehe. Thanks for your reply!!! Greetings from Argentina!
All this after I setup my Nginx container :( thanks for the vid!
it was working then i suddenly started getting errors for both Google and Github, "Unable to find your Access organization!
It appears that you have attempted to reach an invalid URL. Please enter a valid team name." i have gone into settings and copy and past what i see is the team name.... just wondering if someone else has this issue
yup trying to figure it out rn
is anyone else having trouble getting this to work. I setup the self hosted app but it is not restricting access to my tunnel
Love u DB Tech...Ty from Brazil!
Thanks for watching!
Thank you . 🌹🌹🌷🌷🌷
Very interesting video. Thank you for your hard work!
Quick question - will this result in having to authenticate via Google or GitHub (in your case) even if I'll try accessing the application from internal network?
No it doesn't. Only if you access via CloudFlare.
Hi David, great video as always. Can you tell me what happens if you pick one of the other Gmail addresses. One that hasn't been given access. Does it handle it gracefully? Does it let you in anyway? Many thanks.
It'll just tell you that that account doesn't have access
Is it possible to add multiple authorized email addresses this way?
In the spot in CloudFlare where you add your email, you can add multiple emails there.
@@DBTechYT Thanks, seems obvious now that you say it.
one thing that stumped me - that might help someone else. if you only want github access with NO email access. You must go to cloudflare zero trust/applications/authorization - then select add 'login methods' as the selector and 'Github' as the value. other wise you get a login error (That account does not have access)
Awesome as always bro , if possible can u do a video on setting up samba on cloudflare tunnels
What are you trying to accomplish with samba on CF tunnels?
@@DBTechYT remote access
So use a file management application and access it that way via tunnels? It would be a much easier solution and give you more options
@@DBTechYT have u done any videos on that bro ? If yes can u please link to it
FileRun: ua-cam.com/video/jaLGcgrAyto/v-deo.html
FileCloud: ua-cam.com/video/CCGMc6iheWM/v-deo.html
Is it possible to use Nginx Proxy Manager with Cloudflare Tunnels ?
I haven't tested it, but several of people have said they use them together. I don't see the point/need to combine then, but there's no one right way to do things
@@DBTechYT thank you so much for your response. I am behind CG-NAT, don't want to route via VPS (NPM + VPN). I am hoping CF tunnel pushes all traffic thru tunnel to my NPM instance and then NPM takes care of routing to individual apps and integrate to Authentik or something similar.
Is there a way to use Google Authenticator to get access to a application that run on a cloudflare tunnel?
@@MrRalf2201 You could put 2FA on your email address and use that for your authentication
Well this doesn't play nicely when trying to access your staging server's API endpoints. It keeps asking to authenticate with github :(
This isn't meant for API endpoints.
This not working I add e-mail verification and remove. Everybody with mail still can has access
Then you missed a step in your configuration
Hi @DBTech, nice Video!
I have a question. How do I restrict access with Google authentication to all of my Cloudflare tunnels with a single policy?
If I just leave the subdomain blank, there will be no authentication anymore. If I put subdomain in, authentication is working fine, but only for that singe sub.
Would be nice If someone could help me.
You'll need to create an access group with the emails you want to authorize. Then apply that access group to any of the applications you want
getting "Error 400: redirect_uri_mismatch" when trying to test google
figured out that issue, since i copied it from yt it mistook the g as a q... but now im getting access blocked
Are you using the paid version of cloudflare.. please advise
There are things with CloudFlare that I pay for but everything in these videos are available on their free tier
Can’t even transfer a simple TLS session. It has to be https or http or else it’s useless!
Also, I just posted in r/kasmweb about this....
Thanks!