
Securing Infrastructure at Scale with Cloudflare Access - GordonS
https://blog.cloudflare.com/access-wildcard-subdomain
======
skybrian
This sounds vaguely similar to Google's "BeyondCorp" initiative [1]. I wonder
how the technology compares?

[1]
[https://cloud.google.com/beyondcorp/](https://cloud.google.com/beyondcorp/)

------
cj
> _Argo Tunnel lets you expose a server to the Internet without opening any
> inbound ports. The service runs a lightweight daemon on your server that
> initiates outbound tunnels to the Cloudflare network. Instead of managing
> DNS, network, and firewall complexity, Argo Tunnel helps administrators
> serve traffic from their origin through Cloudflare with a single command._

Is anyone here using this Cloudflare feature in production?

What has your experience been?

~~~
lasdfas
We have been using it at my company (100 employees) for 2 internal services
for about 6 months with Google SSO. It has been working great. There has been
1 outage where it was down for a couple hours.

My only complaint is the security of it is not perfect. When you launch the
tunnel, you declare the domain you want it to use. It can be any domain on the
account and can't limit it to specific domains. It's a little dangerous if you
have sensitive domains on your Cloudflare account that you don't want to use
Argo.

------
ThePhysicist
Oh nice, I already wanted to build something like this for our infrastructure
as I don't like the overhead of VPNs. For Cloudflare this makes perfect sense
of course as they have the DNS and load-balancing infrastructure as well as a
reverse proxy in place already. What I don't like about this is that (as far
as I know) it would require sending all of our traffic over Cloudflare and let
them decrypt it. I'd personally prefer to host something like this myself,
especially if it's only for development purposes where I don't care (much)
about scalability or latency since it will serve only a small number of users.

~~~
o-__-o
You don't like the overhead of VPNs, but you're okay with using this protocol
that sits atop TCP/IP and encrypts traffic between your endpoint and
Cloudflare?

> What I don't like about this is that (as far as I know) it would require
> sending all of our traffic over Cloudflare and let them decrypt it.

Isn't that what a VPN is?

~~~
ThePhysicist
Well partially I'd say. A VPN creates a new network interface on my local
computer through which I can then tunnel traffic to the destination HTTP
server. A reverse proxy is just a server that accepts HTTP requests and
forwards them to the destination server. In both cases the destination server
would be configured to only accept traffic from the VPN or reverse proxy, and
the VPN / proxy would perform additional authentication of the user before
letting them connect through them. So in that sense they're similar; a VPN has
more overhead though since we need to install client software on any computer
/ device from which we want to connect, which can be cumbersome. On the other
hand we can tunnel arbitrary IP traffic through the VPN and we can ensure that
all traffic gets tunneled (which is not possible with a reverse proxy setup),
so there are still cases where a VPN is the only solution. I can see the
appeal of a more lightweight proxy-based tunnel for HTTP services (and one can
come up with schemes for arbitrary TCP/UDP traffic as well, though not as
elegantly as for HTTP, which already supports a "fan out" mechanism via the
"Host" header).

Since we can encrypt HTTP traffic using TLS between the client as well as the
proxy and the destination the security should not be much worse than a VPN
(though TLS leaks slightly more metadata as far as I know).

What I don't like about Cloudflare's solution is that I have to trust them
with my traffic, as they decrypt and re-encrypt it in transit. I'd rather have
that done by a server that's under my control.
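
As an added illustration of the architecture described in this comment (an authenticating reverse proxy that fans out by Host header, with origins that only accept traffic that came through the proxy), here is a minimal self-hosted version in Go. It is example code, not cloudflared, Pritunl Zero or Pomerium; the session store, shared key, header names and origin map are all constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Constructed stand-ins: an SSO session store, a key shared by proxy and origins, and the Host-to-origin "fan out" map.
var sessions = map[string]string{"tok-alice": "alice@example.com"}
var proxyKey = []byte("constructed-shared-secret")
var origins = map[string]string{"wiki.internal.example": "http://10.0.0.5:8080"}
// signUser binds user and target host with an HMAC that only the proxy and the origins can compute.
func signUser(user, host string) string {
	m := hmac.New(sha256.New, proxyKey)
	m.Write([]byte(user + "|" + host))
	return hex.EncodeToString(m.Sum(nil))
}
// Proxy is the user-facing side: authenticate the session first, then route by Host header.
func Proxy(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("session")
	if err != nil || sessions[c.Value] == "" {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	user, target := sessions[c.Value], origins[r.Host]
	if target == "" {
		http.Error(w, "unknown host", http.StatusNotFound)
		return
	}
	u, _ := url.Parse(target)
	r.Header.Set("X-Auth-User", user)
	r.Header.Set("X-Auth-Sig", signUser(user, r.Host))
	httputil.NewSingleHostReverseProxy(u).ServeHTTP(w, r)
}
// OriginOnlyViaProxy wraps a service so it refuses requests that bypassed the proxy (no or forged signature).
func OriginOnlyViaProxy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, sig := r.Header.Get("X-Auth-User"), r.Header.Get("X-Auth-Sig")
		if user == "" || !hmac.Equal([]byte(sig), []byte(signUser(user, r.Host))) {
			http.Error(w, "direct access refused", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Pair this with TLS on both hops and a firewall rule on the origin that admits only the proxy's address; the signature check catches what the network rule misses.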

~~~
o-__-o
...and then anyone beyond that server can watch and analyze your traffic. So
what's the point of any server, Cloudflare or otherwise?

------
sansnomme
It's a pity that the Sandstorm project got acquired. After decades of research
and development in operating systems, security, and UI we still can't make an
easy to use Firewall solution and instead have to rely on external services
like Argo tunnel and DigitalOcean's firewall to reliably lock down a network.
This is a failure of software engineering and open source. For all the
obsession with software freedom, we are still locked in to proprietary systems
when it comes to critical stuff.

~~~
kentonv
FWIW, Sandstorm wasn't acquired. It ran out of money, forcing the developers
to find new jobs. Sandstorm had already failed before we talked to Cloudflare
about hiring the team members.

(I've been told by other founders and investors that I should pretend this was
an "exit" for "optics", but I'm really bad at lying...)

~~~
sansnomme
Just want to say Sandstorm's idea is AMAZING. A huge fan! :D

~~~
kentonv
Thanks! If only we could have figured out how to get people to pay for it...

~~~
Terretta
Bring a team to implement 2.0 at one of the world’s largest banks... then OSS
it... then spin off as a B2E support company.

------
jordanthoms
We've been using Pritunl Zero (
[https://zero.pritunl.com/](https://zero.pritunl.com/) ) for this and it's
been great - was always difficult to get non-technical users to use the VPN,
and now we have authentication even for internal traffic.

It seems to work similarly to this but you run it yourself so it doesn't need
to tunnel traffic through Cloudflare, and it's open source.

------
AprilJenkins
Pomerium (
[https://github.com/pomerium/pomerium](https://github.com/pomerium/pomerium) )
is another option if you are looking for an open-source identity access proxy.

------
magoon
It’s neat, but one benefit of a VPN is that it routes, encrypts, and tunnels
at your own machine.

~~~
zackbloom
The Cloudflare client, cloudflared, works similarly but with less overhead. An
encrypted HTTP/2 tunnel is being created from your machine to the Internet.

~~~
o-__-o
How is that different from any other SSL VPN? Also IPSec is even less overhead
because the encryption is occurring at the IP layer.

This feels a lot like mid-2000s all over again (hey we have this new idea it's
<insert SaaS-rehash of existing services>)

