Skip to content

Cloudflare Access — apps protegidas

Estado a 2026-05-20 11:30 CEST. 31 apps protegidas con CF Access usando PocketID como Identity Provider (no email PIN).

Apps protegidas (31)

Policy default todos: allow { email=ramonkawa@gmail.com OR email_domain=monxas.com }. Sesión 24h.

Pre-existing (18)

airdrop, apis, bazarr, code, dozzle, jellyseerr, md, md-api, n8n (+ n8n/webhook bypass), ntfy, ocr, pdf, prowlarr, radarr, sonarr, dockge, monxas.cloudflareaccess.com.

Añadidas 2026-05-20 (13)

dashboard, phpmyadmin, cpanel, admin, panel, login, changedetection, jira, job-hunter, pinchflat, esp, japon, md-demo.

Apps deliberately SIN CF Access

Auth propio fuerte (no need perimeter)

  • home.monxas.casa, matematico.monxas.casa — Home Assistant
  • nas.monxas.casa — Synology
  • jellyfin.monxas.casa, nopor.monxas.casa — Jellyfin/Stash
  • pass.monxas.casa — Vaultwarden (master password)
  • bookmarks.monxas.casa, pics.monxas.casa, podcasts.monxas.casa, paperless.monxas.casa — F5 OIDC candidatos

OIDC nativo ya integrado

  • grafana.monxas.casa — PocketID OIDC desde sesión anterior

Público / bearer-only / IdP itself

  • pocketid.monxas.casaNUNCA detrás de CF Access (es el IdP)
  • monxas.casa — apex landing
  • cors.monxas.casa — utility público (rate-limited)
  • kiwix.monxas.casa — read-only KB
  • rag.monxas.casa, loki.monxas.casa — APIs con bearer auth

Webhook bypass (special policies)

  • n8n.monxas.casa/webhook — bypass everyone (specific path)
  • deploy.monxas.casa, deploy-trip*.monxas.casa — CI/CD webhooks (review caso a caso)

API recipes

```bash

Listar apps + policies

source ~/.env # CF_API_TOKEN ACC= curl -sH "Authorization: Bearer $CF_API_TOKEN" \ "https://api.cloudflare.com/client/v4/accounts/$ACC/access/apps?per_page=100" | \ jq '.result[] | {domain, name}'

Proteger nueva app (crea + policy default)

curl -X POST -H "Authorization: Bearer $CF_API_TOKEN" -H 'Content-Type: application/json' \ --data '{"name":"X","domain":"x.monxas.casa","type":"self_hosted","session_duration":"24h","app_launcher_visible":false}' \ "https://api.cloudflare.com/client/v4/accounts/$ACC/access/apps"

luego copiar app_id de la respuesta y:

curl -X POST -H "Authorization: Bearer $CF_API_TOKEN" -H 'Content-Type: application/json' \ --data '{"name":"default","decision":"allow","include":[{"email":{"email":"ramonkawa@gmail.com"}},{"email_domain":{"domain":"monxas.com"}}]}' \ "https://api.cloudflare.com/client/v4/accounts/$ACC/access/apps//policies"

Verify external (302 = CF Access OK)

curl -s -o /dev/null -w "%{http_code}\n" https://x.monxas.casa/ ```

Identity Provider

PocketID está configurado como OIDC IdP en CF Zero Trust. El cliente Cloudflare Access existe en PocketID DB con callback https://monxas.cloudflareaccess.com/cdn-cgi/access/callback.

Cuando hay sesión válida, CF Access pasa el request al origin. Cuando no, redirige a PocketID. Una vez autenticado, regresa a la app. Sesión 24h shared entre todas las apps.

Gotchas

  1. App sin policy = BLOQUEA TODO. Crear app y policy en transacción rápida o usar CF dashboard que lo hace junto.
  2. Webhooks/APIs externos: requieren bypass específico por path. Ver patrón n8n/webhook.
  3. Móviles/CLIs (LunaSea, etc.): no soportan OIDC interactivo. Usar Service Tokens (CF API).
  4. Subdomain debe estar en tunnel ingress antes de crear CF Access app, si no, queda inaccesible.