@DJStompZone
Last active January 2, 2026 21:39
Cloudflare Zero Trust for Beginners

Cloudflare Zero Trust — Beginner’s Guide

What Is Zero Trust?

Zero Trust means:

Trust nothing by default — not users, devices, or networks.

Instead of “you’re on the internal network so you’re trusted,” Zero Trust asks:

  • Who are you?
  • What device are you using?
  • Are you allowed to access this specific thing?
  • Right now?

Cloudflare enforces this using identity, policies, and its global edge network.


What Is Cloudflare Zero Trust?

Cloudflare Zero Trust (formerly Cloudflare Access + Gateway) lets you:

  • Protect internal apps without VPNs
  • Enforce identity-based access rules
  • Secure DNS, HTTP, and network traffic
  • Control users, devices, and locations
  • Log everything for auditing

All managed from the Cloudflare dashboard.


Core Concepts You Need to Understand

1. Identity Providers (IdP)

This answers “Who are you?”

Common options:

  • Google Workspace
  • GitHub
  • Microsoft Entra ID (Azure AD)
  • Okta
  • One-time PIN via email

Cloudflare does not manage users directly — it relies on your identity provider.


2. Applications

An Application is anything you want to protect:

  • Web apps
  • Internal dashboards
  • Admin panels
  • SSH
  • RDP
  • Self-hosted services

Each application has access policies.


3. Policies

Policies define:

  • Who can access
  • From where
  • On what device
  • Under what conditions

Policies are evaluated top to bottom.
First match wins.


4. Cloudflare Tunnel (No Open Ports)

Cloudflare Tunnel allows you to expose internal services without opening firewall ports.

Internet → Cloudflare → Encrypted Tunnel → Your Server


5. Gateway (Optional)

Gateway secures outbound traffic:

  • DNS filtering
  • HTTP inspection
  • Malware blocking

Beginner Setup Order

  1. Create a Cloudflare account and add your domain
  2. Enable Zero Trust
  3. Add an Identity Provider
  4. Install Cloudflare Tunnel
  5. Create an Application
  6. Write access policies

Mental Model

  • Identity replaces the network
  • Policies replace firewalls
  • Tunnels replace open ports
  • Logs replace guesswork

Final Notes

Cloudflare Zero Trust is practical, scalable, and has a free tier that actually works.

Setup Guide

This guide walks you from zero to a working Zero Trust deployment using Cloudflare.

No enterprise jargon, no skipped steps.


What You Will Build

By the end of this guide, you will have:

  • A Cloudflare Zero Trust organization

  • Identity-based login (no VPN)

  • A protected internal app

  • Zero open inbound firewall ports

  • Auditable access logs


Prerequisites

You need:

  • A Cloudflare account

  • A domain name (any registrar is fine)

  • A server or service you want to protect

  • Basic command-line access

  • An identity provider account (Google, GitHub, etc.)


Step 1: Add Your Domain to Cloudflare

  1. Log in to Cloudflare

  2. Add your domain

  3. Change your domain’s nameservers to Cloudflare’s

  4. Wait for DNS to become active

Cloudflare Zero Trust requires Cloudflare DNS.


Step 2: Enable Zero Trust

  1. Go to:

    Zero Trust → Settings

  2. Click Enable Zero Trust

  3. Choose a team name (used in URLs)

Your organization URL will look like:

https://your-team.cloudflareaccess.com


Step 3: Configure Authentication

Add an Identity Provider

  1. Go to:

    Zero Trust → Settings → Authentication → Login methods

  2. Enable one provider (Google recommended for beginners)

  3. Restrict allowed domains or emails

This controls who can log in at all.


Step 4: Create a Cloudflare Tunnel

Cloudflare Tunnel lets your server connect outward to Cloudflare.

Install cloudflared

Linux example:

curl -fsSL https://pkg.cloudflare.com/install.sh | sudo bash

sudo apt install cloudflared

Authenticate

cloudflared tunnel login

Create the tunnel

cloudflared tunnel create my-app

Cloudflare generates a tunnel ID (a UUID) and writes a credentials JSON file for it, by default under ~/.cloudflared/. Both are referenced in the next steps.


Step 5: Configure the Tunnel

Create a config file (cloudflared looks for config.yml in ~/.cloudflared/ or /etc/cloudflared/); credentials-file must point at the JSON file written by the tunnel create command:

tunnel: my-app
credentials-file: /etc/cloudflared/my-app.json
ingress:
  - hostname: app.example.com
    service: http://localhost:3000
  - service: http_status:404

The last ingress rule has no hostname and is the mandatory catch-all: a request that matches none of the hostnames above it gets a 404 from cloudflared itself and is never forwarded to your origin.

Start the tunnel:

cloudflared tunnel run my-app

Your app is now reachable only through Cloudflare.
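To make the ingress behaviour concrete, here is an added model of how cloudflared picks a rule for an incoming request. It is example code written for this guide, not cloudflared's own implementation: rules are tried top to bottom, a rule matches when its hostname matches (exactly, or via a leading "*." wildcard, which this model treats as standing for one DNS label) and its optional path regex matches, and the final rule must omit hostname so it catches everything else. The rule list is constructed to mirror Step 5, with one assumed wildcard rule and a second assumed origin on port 8080 added for illustration.

```python
"""Model of how cloudflared chooses an ingress rule for an incoming request.

Added example for this guide, not cloudflared's own code. Rules are evaluated
in order; the first match wins; the last rule must be a catch-all.
"""
import re

# Constructed to mirror Step 5 of the guide; the *.example.com rule and the
# port-8080 origin are assumptions for the demo.
INGRESS = [
    {"hostname": "app.example.com", "service": "http://localhost:3000"},
    # Only /api/ paths on any one-label subdomain go to the assumed second app.
    {"hostname": "*.example.com", "path": r"^/api/", "service": "http://localhost:8080"},
    # Catch-all: anything not matched above is answered with 404 by cloudflared
    # itself and never reaches an origin.
    {"service": "http_status:404"},
]


def validate_ingress(rules):
    """Apply the structural checks cloudflared enforces before running a tunnel."""
    if not rules:
        raise ValueError("ingress must contain at least one rule")
    if "hostname" in rules[-1]:
        raise ValueError("last ingress rule must be a catch-all with no hostname")
    for rule in rules[:-1]:
        if "hostname" not in rule:
            raise ValueError("only the last ingress rule may omit hostname")
    return True


def _host_matches(pattern, host):
    """Exact match, or a '*.' wildcard standing in for exactly one DNS label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def resolve_ingress(rules, host, path="/"):
    """Return the service the request would be sent to; first matching rule wins."""
    validate_ingress(rules)
    host = host.lower().rstrip(".")
    for rule in rules:
        if "hostname" in rule and not _host_matches(rule["hostname"].lower(), host):
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return rule["service"]
    raise RuntimeError("unreachable: the validated catch-all always matches")


if __name__ == "__main__":
    for host, path in [("app.example.com", "/"), ("api.example.com", "/api/v1"),
                       ("api.example.com", "/"), ("evil.example.org", "/")]:
        print(f"{host}{path:<8} -> {resolve_ingress(INGRESS, host, path)}")
```

Running the script shows that only app.example.com reaches port 3000; a request for api.example.com outside /api/, or for a hostname Cloudflare was never told about, stops at the catch-all. Dropping the catch-all makes validate_ingress raise, which is the same outcome cloudflared gives when the last rule carries a hostname.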


Step 6: Create DNS Record for Tunnel

In Cloudflare DNS:

  • Type: CNAME

  • Name: app

  • Target: <tunnel-id>.cfargotunnel.com (the tunnel ID from Step 4)

  • Proxy: Enabled

No public IP required.


Step 7: Create a Protected Application

  1. Go to:

    Zero Trust → Access → Applications

  2. Add Application

  3. Type: Self-hosted

  4. Domain: app.example.com

  5. Service: Cloudflare Tunnel


Step 8: Create Access Policies

Basic Allow Policy

Example:

  • Action: Allow

  • Condition: Email ends with @example.com

Policies are evaluated top-down.

First match wins.
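The "top-down, first match wins" rule is what makes policy order a security control, and it is the reason the Common Mistakes section below warns about ordering and overly broad allow rules. The following is an added example written for this guide, not Cloudflare's code: a simplified evaluator that follows the rule stated above together with Cloudflare Access's Include / Require / Exclude rule groups (a policy matches when at least one Include selector matches, every Require selector matches, and no Exclude selector matches). The selector helpers, the Request fields and the sample policies are assumptions constructed for the demo; "ZZ" is a placeholder country code.

```python
"""Simplified model of Cloudflare Access policy evaluation.

Added example for this guide, not Cloudflare's or the gist author's code.
Policies are checked top to bottom and the first matching policy decides;
if nothing matches, access is denied.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Facts Access has when a user reaches the app (fields are assumptions)."""
    email: str
    country: str = ""
    disk_encrypted: bool = False   # stands in for a device posture check


# Selector helpers; each returns a predicate over a Request.
def email_ends_with(suffix):
    return lambda r: r.email.lower().endswith(suffix.lower())

def email_is(addr):
    return lambda r: r.email.lower() == addr.lower()

def country_is(code):
    return lambda r: r.country == code

def posture_disk_encrypted():
    return lambda r: r.disk_encrypted


@dataclass
class Policy:
    name: str
    action: str                              # "Allow" or "Block"
    include: list = field(default_factory=list)
    require: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def matches(self, req):
        if not any(sel(req) for sel in self.include):
            return False
        if not all(sel(req) for sel in self.require):
            return False
        if any(sel(req) for sel in self.exclude):
            return False
        return True


def evaluate(policies, req):
    """Return (action, policy name); no match means an implicit deny."""
    for policy in policies:
        if policy.matches(req):
            return policy.action, policy.name
    return "Block", "<no policy matched>"


# Correct order: the narrow Block sits above the broad Allow.
GOOD_ORDER = [
    Policy("Block offboarded contractor", "Block",
           include=[email_is("temp@example.com")]),
    Policy("Staff on encrypted devices", "Allow",
           include=[email_ends_with("@example.com")],
           require=[posture_disk_encrypted()],
           exclude=[country_is("ZZ")]),       # ZZ: placeholder country code
]
# The "ignoring policy order" mistake: same policies, Allow first.
BAD_ORDER = list(reversed(GOOD_ORDER))


def demo():
    """Evaluate constructed requests against both orderings."""
    staff = Request("alice@example.com", country="US", disk_encrypted=True)
    contractor = Request("temp@example.com", country="US", disk_encrypted=True)
    unencrypted = Request("bob@example.com", country="US", disk_encrypted=False)
    excluded = Request("carol@example.com", country="ZZ", disk_encrypted=True)
    outsider = Request("mallory@evil.example", country="US", disk_encrypted=True)
    return {
        "staff": evaluate(GOOD_ORDER, staff)[0],
        "contractor_good_order": evaluate(GOOD_ORDER, contractor)[0],
        "contractor_bad_order": evaluate(BAD_ORDER, contractor)[0],
        "unencrypted": evaluate(GOOD_ORDER, unencrypted)[0],
        "excluded_country": evaluate(GOOD_ORDER, excluded)[0],
        "outsider": evaluate(GOOD_ORDER, outsider)[0],
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:<22} -> {action}")
```

The two orderings contain identical policies, yet the offboarded contractor is blocked under GOOD_ORDER and allowed under BAD_ORDER, because the broad "ends with @example.com" Allow matches first and evaluation stops there. The Require and Exclude groups show how a posture check or a location restriction narrows an Allow without a separate Block policy; a user who fails them simply matches nothing and falls through to the implicit deny, which is the outcome you should expect to see explained in the Access logs in Step 10.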


Step 9: Test Access

  1. Visit https://app.example.com

  2. You should be redirected to Cloudflare login

  3. Authenticate

  4. Access is granted only if policy matches


Step 10: Review Logs

Go to:

Zero Trust → Access → Logs

You can see:

  • Who accessed what

  • From where

  • Why access was allowed or denied


Optional: Device Posture Checks

Device posture lets you enforce security requirements.

Examples:

  • OS type/version

  • Disk encryption

  • MDM enrollment

  • Custom scripts

Configured under:

Zero Trust → Settings → Devices


Optional: Gateway Protection

Gateway protects outbound traffic.

Features:

  • DNS filtering

  • Malware blocking

  • App restrictions

Configured under:

Zero Trust → Gateway


Common Mistakes to Avoid

  • Opening firewall ports

  • Overly broad allow rules

  • Ignoring policy order

  • Skipping logs

  • Treating Zero Trust like a VPN


Security Model Summary

  • Identity replaces network trust

  • Policies replace firewall rules

  • Tunnels replace open ports

  • Logs replace guesswork


Recommended Next Steps

  • Protect SSH using Cloudflare Access

  • Add multiple identity providers

  • Enable device posture checks

  • Lock down admin panels

  • Enable Gateway DNS filtering


Final Notes

If a service is reachable without authentication:

It is not Zero Trust.

Cloudflare Zero Trust scales from homelabs to enterprises and works well even on the free tier.
