Protecting a Website's Admin Login with Cloudflare Zero Trust
status: Published
type: Post
slug: cloudflare-zero-trust-protect-web-admin-login
date: Nov 5, 2023
tags: Config, Cloudflare, Share
summary: Using Cloudflare Zero Trust to protect a website's admin login page is an effective way to keep it from being probed by attackers. Register a Cloudflare account and enable Zero Trust, add a suitable authentication method (GitHub login, for example), configure an access group and an access policy, and in the end only authenticated users can reach the admin login page.
I self-host a few web services for personal use, and since they are reachable from the public internet I wanted to put their admin login pages behind some protection so they are not exposed to malicious probing.
Below I use memos as the example and configure Cloudflare Zero Trust to protect its login page. The same steps apply to other projects such as WordPress.
Preparation
- Have a Cloudflare account registered
- In the Cloudflare dashboard, follow the prompts to enable Zero Trust (free of charge, but a payment method must be added)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2F63915296-ff9e-4abe-b098-75f127893c87%2FUntitled.png?table=block&id=772bde25-3b30-47ac-97a1-78c2fdd414c5&cache=v2)
Configuration
- Open the Zero Trust dashboard and first add a suitable authentication method
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2Fe1eb8c77-0491-4aff-bcee-8ed7f62addb9%2FUntitled.png?table=block&id=7b1b660f-1a4d-4e07-9d9e-f78836ea32e1&cache=v2)
- Here we use GitHub authentication as the example; select it and add it step by step
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2F006c4df4-ad65-4b39-bca8-52c1166deb70%2FUntitled.png?table=block&id=b5cfe213-f1a2-443e-847c-5d0a82370f89&cache=v2)
- Following the instructions shown on the right, go to your GitHub settings and generate the App ID and Client secret needed for authentication, enter them on the left and save.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2F3ed26896-88a2-4c40-be35-5ece59c91569%2FUntitled.png?table=block&id=c3a3bfdb-af33-4a88-a48b-974a68a95669&cache=v2)
With GitHub authentication added, any GitHub account could now log in and gain access, so the next step is to restrict access to the admin page to logins from the email address tied to your own GitHub account.
- Go to Access -> Access Groups and add an access group
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2Fca0fae33-71ed-4189-9c40-7383be79de41%2FUntitled.png?table=block&id=7bb6bbd3-d52c-406d-9a9d-6dc276b496b7&cache=v2)
- As shown, enter the email address tied to your GitHub account under Include, then save
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2Fc0747fc3-6409-4ec1-980d-fd274f0a19cb%2FUntitled.png?table=block&id=940ed21b-4189-4569-ad14-33c93a4e2ecc&cache=v2)
With the configuration above done, you can now add the application you deployed and attach the corresponding access policy
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2Fe6646b44-4ad7-4ea6-88de-a959ce676e1c%2FUntitled.png?table=block&id=b1519f6d-729d-4221-b9d2-8cd68a4b5c4e&cache=v2)
- Choose the application type that fits your deployment; here Self-hosted is selected
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2F44d2223c-6c0f-48e4-b35a-c49397bc49ac%2FUntitled.png?table=block&id=9eebdd88-53bf-4592-81f8-545331fa0a3c&cache=v2)
- Configure the URL path of the admin login page and proceed to the next step
If the application has no login module, leave the path empty so that the whole application is protected
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2F6205b640-2cab-4c66-92be-dd96105af3c1%2FUntitled.png?table=block&id=fdcc362e-4d93-432d-ba0c-03b619092e43&cache=v2)
- Configure the access policy by assigning the access group created earlier
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2F1cb43f2a-dbfe-4d19-90fd-81dc61176c7a%2FUntitled.png?table=block&id=8db3f6bc-8dae-4941-877e-7df09702c1f2&cache=v2)
- Follow the prompts through the remaining steps until the application has been added; the basic configuration is now complete.
Verification
Open the protected URL in a private (incognito) browser window; the following page is shown
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2F53ebc920-03d5-43b6-ae65-40d1e2c83cde%2FUntitled.png?table=block&id=27b9b970-f6f9-4f6d-9180-e5557a937d15&cache=v2)
After clicking the GitHub button, the page redirects to the GitHub login screen shown below
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2Fbed31e21-e176-483d-9442-7c8675042782%2FUntitled.png?table=block&id=2f61685e-39b7-48d4-9283-4432b653014b&cache=v2)
After logging in, the protected login page opens, as shown below
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2Fa780efc6-fe68-40a4-bc37-2fb817efed43%2FUntitled.png?table=block&id=37ad6e9d-c6a5-4eb0-93b8-83d2d5ac68ac&cache=v2)
Now only our own GitHub account, once authenticated, can see the application's admin login page, which gives it basic protection.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F38eb7257-66ea-481f-b02f-6d5b3b01bb66%2F919372a8-6618-487d-838b-45a52a9500e9%2FUntitled.png?table=block&id=a8c511b1-4ebb-46cf-9b2d-b17ca0dcce86&cache=v2)
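The policy configured above is enforced at Cloudflare's edge, so it only holds while every request really passes through Cloudflare. Cloudflare Access attaches a signed JWT to each forwarded request (the `Cf-Access-Jwt-Assertion` header, also set as the `CF_Authorization` cookie), signed with keys published at `https://<team>.cloudflareaccess.com/cdn-cgi/access/certs` and carrying the application's AUD tag in its `aud` claim. The check a practitioner would add on the origin is to validate that token, so that a request reaching the server directly (bypassing Cloudflare) is rejected even though the dashboard policy looks complete. The following is an added example written for this post, not code from the post, from memos or from Cloudflare. It implements the verification with only the Go standard library; `NewDemoKeys` and `SignDemoToken` stand in for Cloudflare's real signing key and issuer so the example runs offline, and `AUD_TAG_PLACEHOLDER` and `me@example.com` are placeholders for the real AUD tag and allowed email.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of the Cf-Access-Jwt-Assertion payload checked here:
// "aud" is an array carrying the application's AUD tag, "email" the identity.
type Claims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

// JWK/JWKS mirror the key set served at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs
// (RSA fields only; encoding/json matches the lowercase JSON keys case-insensitively).
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct{ Keys []JWK `json:"keys"` }

var dec = base64.RawURLEncoding.DecodeString

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// b64big decodes a base64url JWK integer; a malformed value yields a key no signature verifies under.
func b64big(s string) *big.Int {
	b, _ := dec(s)
	return new(big.Int).SetBytes(b)
}

// VerifyAccessJWT checks alg, the RS256 signature against the JWKS, expiry and audience, and returns
// the authenticated email. On any error the origin must reject the request: a request that reached the
// origin directly, bypassing Cloudflare, carries no valid assertion whatever the dashboard policy says.
func VerifyAccessJWT(token string, keys JWKS, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := dec(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("bad header or unexpected alg") // never let the token pick "none" or HMAC
	}
	var pub *rsa.PublicKey // select the signing key by kid, since Cloudflare rotates keys
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			pub = &rsa.PublicKey{N: b64big(k.N), E: int(b64big(k.E).Int64())}
		}
	}
	sig, err := dec(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("unknown kid or bad signature")
	}
	var c Claims
	if pb, err := dec(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return "", errors.New("bad payload")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	for _, a := range c.Aud {
		if a == expectedAud {
			return c.Email, nil
		}
	}
	return "", errors.New("audience mismatch: token issued for another application")
}

// NewDemoKeys makes a local RSA key and matching JWKS; it stands in for Cloudflare's real signing key.
func NewDemoKeys(kid string) (*rsa.PrivateKey, JWKS) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	e := big.NewInt(int64(priv.E)).Bytes()
	return priv, JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", N: enc(priv.N.Bytes()), E: enc(e)}}}
}

// SignDemoToken mints an RS256 JWT in the shape the Access edge emits (demo issuer, not Cloudflare).
func SignDemoToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	header := fmt.Sprintf(`{"alg":"RS256","kid":%q,"typ":"JWT"}`, kid)
	payload, _ := json.Marshal(c)
	input := enc([]byte(header)) + "." + enc(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc(sig)
}

func main() {
	priv, keys := NewDemoKeys("demo-kid") // AUD_TAG_PLACEHOLDER stands for the app's real AUD tag
	tok := SignDemoToken(priv, "demo-kid", Claims{Aud: []string{"AUD_TAG_PLACEHOLDER"}, Email: "me@example.com", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyAccessJWT(tok, keys, "AUD_TAG_PLACEHOLDER", time.Now()))
}
```

In a real deployment the JWKS is fetched (and cached) from the certs URL of your Zero Trust team, the token is read from the `Cf-Access-Jwt-Assertion` request header, and the AUD tag is the one shown for the application in the Access dashboard. Rejecting any request without a valid assertion, together with keeping the origin unreachable except through Cloudflare (for example via Cloudflare Tunnel), turns the dashboard policy from a front-door check into one the server itself enforces.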