# Cloudflare Tunnel

## TLS Version

For access for MicroPython, set the minimum TLS version to 1.2 (default is 1.3).

* From dashboard choose `SSL/TLS`
* Click the triangle to show `Edge Certificates`
* Scroll down to `Minimum TLS Version`
* Set to 1.2
* The change takes effect immediately

## Zero Trust

Tunnels are managed in [Cloudflare](https://www.cloudflare.com/) Zero Trust (option in left panel).

### Networks

Choose networks to add tunnels. Then add routes ("public hostnames"):

| Public Hostname          | Service |
| ------------------------ | ------- |
| leaf49.org               | http://backend:8000 
| editor.leaf49.org        | http://code-server:8443
| jupyter.leaf49.org       | http://jupyter:8888
| homeassistant.leaf49.org | http://homeassistant:8123

### Access (login passwords)



### TODO

Create multiple app domains in Cloudflare and multiple certificaties to facilitate more than one app on the same network. E.g.

* roulotte.leaf49.org/ws
* dev.leaf49.org/ws
* demo.leaf49.org.ws

## Login protection

Authentication is managed from the Access option. 

### Access Policies.

As a convenience, create "groups" for common access "policies". E.g. "everyone" gives access to everyone who logs in (with an email). Alternatively, access can be restricted to certain emails only. The "superuser" policy uses this feature.

```{image} includes/access-policies.png
:width: 500px
```

Policies:

```{image} includes/everyone-policy.png
:width: 250px
```

```{image} includes/superuser-policy.png
:width: 250px
```

### Applications

Define an "application" to protect a route.

```{image} includes/applications.png
:width: 550px
```

**Note:** root (and /backend) are not authenticated by CF! Disable `/docs` in production or figure out how to protect by API (not big risk; routes are protected by tokens, anyway).

Confusingly, networks and applications configurations are separate, although the "application" applies to a route defined in "networks".

Seems to work:

```bash
curl https://leaf49.org
```

```
{"message":"Hello World"}
```

```
$ curl https://leaf49.org/frontend/app/018e8798-b091-7f16-a1c3-2155c512f790 -v
*   Trying 172.67.196.221:443...
* Connected to leaf49.org (172.67.196.221) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=leaf49.org
*  start date: Mar 21 23:22:00 2024 GMT
*  expire date: Jun 19 23:21:59 2024 GMT
*  subjectAltName: host "leaf49.org" matched cert's "leaf49.org"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1P5
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://leaf49.org/frontend/app/018e8798-b091-7f16-a1c3-2155c512f790
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: leaf49.org]
* [HTTP/2] [1] [:path: /frontend/app/018e8798-b091-7f16-a1c3-2155c512f790]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /frontend/app/018e8798-b091-7f16-a1c3-2155c512f790 HTTP/2
> Host: leaf49.org
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 302 
< date: Sun, 31 Mar 2024 02:20:01 GMT
< location: https://leaf49.cloudflareaccess.com/cdn-cgi/access/login/leaf49.org?kid=bf7e721fb64a2306bebaf792017e51711728a07741c2a46311c7a4b56ffa1808&redirect_url=%2Ffrontend%2Fapp%2F018e8798-b091-7f16-a1c3-2155c512f790&meta=eyJraWQiOiIyMTQxNzlkNTMyZjZhOTc2NjEzMDA2NDBmMTQ0Yzk5Mjg2ZGU2MWY4OGE2
...
```

From browser (authenticated):

`https://leaf49.org/frontend/app/018e8798-b091-7f16-a1c3-2155c512f790`

```
kid: "018e8798-b091-78a3-b5de-b718ae3fa357",
app_key: "wAycQ50jaU3zxC8-3e_ICFkCGiHcXnvFhI6kyFthC6jFexCMQelJpvAaPZRdeXYAq9U1gKkAnRNuXDfMG0zQDDfahd9qL2ykOAvmhIQy5fmAS5qxIBNF-vGj1TaOxjln-ClSBg4e3gLjDFLdzLJ-vnJpRgrW-6KlLt4ZItQmuUs",
espnow_pmk: "6afc9e2fd38083377496bc4a86432548",
name: "App_0",
title: "Title of App 0",
description: "Description of App 0",
id: "018e8798-b091-7f16-a1c3-2155c512f790",
nodes: [
    {
    name: "Node_0_of_App_0",
    mac: "12:34:56:78:9a:00",
    description: "Description of Node 0",
    espnow_lmk: "809ad8940ce6b5ae281ad83f1ea0e4d8",
    app_id: "018e8798-b091-7f16-a1c3-2155c512f790",
    id: "018e8798-ba5b-7789-8dd9-8ba35e72c1a6",
    token: null
    },
    {
    name: "Node_1_of_App_0",
    mac: "12:34:56:78:9a:01",
    description: "Description of Node 1",
    espnow_lmk: "db9e8f5c3ce979fe402bd5e0e9b68054",
    app_id: "018e8798-b091-7f16-a1c3-2155c512f790",
    id: "018e8799-945d-79db-88b4-56c343ed6712",
    token: null
    }
]
```



#### Previous solution that puts root behind CF authentication.


**ws-bypass** should apply to all `https://<app>.leaf49.org/ws` routes! I could not get `https://*.leaf49.org/ws` to work. 

**Is an application even needed or is the route unprotected by default?** Presumably `root-everyone` is an issue, split into `/docs`, `/ping` - but how get root (landing page) to work? Use `iot49.org` to host it? **Or leave unprotected and disable `/docs` in production? Good idea, anyway!**

Then only `editor` and `/frontend` are left - both `everyone`. The api handles the rest. 


```{image} includes/access-applications.png
:width: 550px
```

