Infrastructure December 15, 2024

Connect through Cloudflare Access using docker

Zero Trust


Cloudflare’s Zero Trust platform offers a secure way to connect to Docker registries by using its cloudflared tool. This setup ensures that your connections are authenticated, private, and protected from unauthorized access. Here’s how you can achieve this.

Overview

This guide covers:

  • Building a policy in Cloudflare Access to secure your Docker registry
  • Setting up a connection between Cloudflare and your Docker registry
  • Connecting to the Docker registry from a client machine

Prerequisites

  1. A website added to Cloudflare.
  2. A Docker registry you want to secure.
  3. cloudflared installed on both the server and client machines.
  4. Administrative access to Cloudflare Zero Trust.

Step 1: Create a Zero Trust Policy

To secure your Docker registry, you first need to create an application in Cloudflare Zero Trust.

  1. Log in to the Cloudflare Zero Trust dashboard.
  2. Navigate to Applications and click Add an application.
  3. Select Self-hosted as the application type.
  4. Under Application Domain, input a subdomain where your Docker registry will be accessible (e.g., registry.domain.com).
  5. Set up rules to specify which users or groups can access the registry. For example:
    • Allow specific emails (e.g., devops@domain.com).
    • Use SSO authentication methods such as Google or Azure AD.
  6. Click Save to finalize your policy.

Step 2: Install and Authenticate Cloudflared

Cloudflare Tunnel, powered by the lightweight cloudflared daemon, establishes a secure outbound connection between your server and Cloudflare’s network. Follow these steps:

  1. Install cloudflared on the server hosting the Docker registry by following the installation instructions.

  2. Authenticate cloudflared to connect it with your Cloudflare account:

    cloudflared tunnel login

    This command opens a browser window to log in. If you’re on a headless server, copy the URL output and open it in any browser.

Step 3: Create and Configure a Tunnel

  1. Create a new tunnel to connect your Docker registry:

    cloudflared tunnel create docker-registry

    This generates a unique tunnel ID and a credentials file.

  2. Configure the tunnel by creating a YAML file, typically located at ~/.cloudflared/config.yml. Replace the example values with your tunnel ID and registry domain:

    tunnel: <tunnel-id>
    credentials-file: /root/.cloudflared/<tunnel-id>.json
    
    ingress:
      - hostname: registry.domain.com
        service: tcp://127.0.0.1:32000
      - service: http_status:404

  3. Add a DNS record in the Cloudflare dashboard to route traffic to your tunnel:

    • Type: CNAME
    • Name: registry (or your subdomain prefix)
    • Target: <tunnel-id>.cfargotunnel.com

  4. Start the tunnel:

    cloudflared tunnel run docker-registry

Step 4: Connect from a Client Machine

  1. Install cloudflared on your client machine. On macOS, you can use Homebrew:

    brew install cloudflared

  2. Create a connection to the Docker registry. Replace the example values with your registry domain and a local port:

    cloudflared access tcp --hostname registry.domain.com --url 127.0.0.1:32000

    Or use a service token instead of SSO for automations in CI/CD. Keep the token ID and secret in environment variables (here CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET) rather than pasting the values into the command:

    cloudflared access tcp --hostname registry.domain.com --url 127.0.0.1:32000 \
      --service-token-id "$CF_ACCESS_CLIENT_ID" \
      --service-token-secret "$CF_ACCESS_CLIENT_SECRET"

  3. With the connection running, use Docker commands to interact with the registry. For example:

    docker push 127.0.0.1:32000/image:latest

Cloudflare will handle the authentication process, launching a browser window or using the service token for access.
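The client-side flow of Step 4 with a service token, as a CI job would run it, written up as an added example (not code from this post or from Cloudflare). It assumes cloudflared and docker are on PATH and that the job exposes the token as CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET; the helper names are hypothetical. The point it adds to the steps above is ordering and cleanup: the proxy must actually be listening before `docker push` runs, and it must be torn down whether or not the push succeeds.

```python
import os
import socket
import subprocess
import time


def build_proxy_command(hostname, local_port, token_id, token_secret):
    """argv for `cloudflared access tcp` with a service token (same flags as the post)."""
    if not hostname or "/" in hostname or ":" in hostname:
        raise ValueError("hostname must be a bare DNS name, e.g. registry.domain.com")
    if not 1 <= local_port <= 65535:
        raise ValueError("local_port out of range")
    return [
        "cloudflared", "access", "tcp",
        "--hostname", hostname,
        "--url", f"127.0.0.1:{local_port}",  # bind the local end to loopback only
        "--service-token-id", token_id,
        "--service-token-secret", token_secret,
    ]


def wait_for_port(host, port, timeout=15.0):
    """Return True once host:port accepts a TCP connection, False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:  # refused / not yet listening: retry until the deadline
            time.sleep(0.2)
    return False


def push_via_access(hostname, image, local_port=32000):
    """Start the proxy, wait until it listens, push, and always tear the proxy down."""
    token_id = os.environ["CF_ACCESS_CLIENT_ID"]  # KeyError here means a misconfigured job
    token_secret = os.environ["CF_ACCESS_CLIENT_SECRET"]
    proxy = subprocess.Popen(build_proxy_command(hostname, local_port, token_id, token_secret))
    try:
        if not wait_for_port("127.0.0.1", local_port):
            raise RuntimeError("cloudflared proxy never came up; check the Access policy and token")
        # Docker speaks plain HTTP to loopback; cloudflared carries it to the tunnel.
        subprocess.run(["docker", "push", f"127.0.0.1:{local_port}/{image}"], check=True)
    finally:
        proxy.terminate()
        proxy.wait(timeout=10)


if __name__ == "__main__":
    push_via_access("registry.domain.com", "image:latest")
```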

For more details, you can refer to the official Cloudflare documentation for kubectl.

By @WhoAmI
CEO & Co-Founder