Forward auth server to verify Cloudflare Access JWT tokens.
cloudflare-jwt-verify is designed to be a forward auth server to verify
Cloudflare Access
JWT tokens.
When forwarding a user's request to your application, Cloudflare Access will include a signed JWT as a HTTP header. This JWT needs to be authenticated to ensure the request has been signed by Cloudflare and has gone through their servers.
Documentation on how to validate the JWT can be found here https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/.
Using cloudflare-jwt-verify, you can configure your proxy instance to correctly authenticate cloudflare requests.
This image will also work if you use a split DNS, where your app is also being served to an internal network
that is not sending the Cloudflare token. Create the container with the ALLOW_LOCAL=1 environment variable and all
private IPv4 addresses will be allowed through.
It can optionally set the verified claim information in the response headers. To do so, use the AUTH_EMAIL_HEADER and/or
the AUTH_USER_ID_HEADER environment variables.
To verify your authentication setup is receiving requests and verifying tokens propery, you can set the
LOG_LEVEL=debug environment variable.
Look into the example directory to find an example for the traefik reverse proxy.
dep ensure
go build
docker run --rm -e AUTH_DOMAIN=https://app.cloudflareaccess.com -e AUDIENCE_TAG=62d4c34bece5735ba2b94a865de5cc6312dc4f6192a946005e2ac59a3f4522d2 -e ALLOW_LOCAL=1 -e AUTH_EMAIL_HEADER=X-Auth-User -e LOG_LEVEL=debug -p 8080:80 fhriley/cloudflare-jwt-verify