How to Restrict Access to a Website or R2 Bucket With Cloudflare Zero Trust
Introduction
If you have a website that is proxied through Cloudflare, or you have a Cloudflare R2 storage bucket connected to your domain, you may want to lock it down so only authorised users can access the contents of the website or R2 bucket. This article will explain and walk you through exactly how to do that.
R2
Skip this section if you are not locking down an R2 bucket, if you are already familiar with R2 or if you have a bucket already.
Creating An R2 Bucket If You Don't Already Have One
If you don't already have an R2 bucket and would like to create one to host files across the internet and lock it down, follow the below steps.
In the Cloudflare dashboard, open R2 and choose to create a new bucket, selecting the relevant Cloudflare account if prompted. You should be taken to the "Create a bucket" page.
Give the bucket a name. Note that this is permanent and cannot be changed afterwards. Names are limited to lowercase letters, digits and hyphens, so they cannot contain characters like full stops/periods. I'm going to be connecting this bucket to locked-files.RyderCragie.com, so I will name it locked-files-rydercragie-com. Think about the name thoroughly if you plan to link the bucket to multiple domains/subdomains; in that case, name it after its purpose rather than after a hyphenated version of one URL.
Click "Create bucket". You should be taken to the "Objects" tab of the new bucket.
Go to the "Settings" tab and scroll down slightly.
In the "Public access" section, click "Connect Domain" under "Custom Domains". Be aware that connecting a custom domain makes every object in the bucket publicly readable at that hostname until the Access policy created later in this article is in place, so do not upload anything sensitive yet.
Enter the hostname of the domain/subdomain (the zone must be in this Cloudflare account). This must be all lowercase and must not include https:// or http:// at the front.
Click "Continue".
Go to the "Objects" tab and drag a harmless test file into the upload section from your local machine. The filename will become part of the URL. We will use this file to test the locking policy later. In this example, mine is located at locked-files.RyderCragie.com/test-file.txt.
Website
Skip this section if you are not locking down a website, or if you are and your website is already proxied.
Ensuring Your Website Is Proxied
To lock down a website you need to ensure that your website is proxied through Cloudflare's servers, because Access is enforced at Cloudflare's edge and only applies to requests that pass through the proxy. You can learn more about the Cloudflare proxy and what it does in Cloudflare's documentation.
Go to https://dash.cloudflare.com/?to=/:account/:zone/dns/records.
Select the relevant Cloudflare account if prompted.
Select the domain where the website that you want to lock down is located.
Find the DNS record for the website and click the "Edit" button to the right of it.
Switch on the proxy switch so it turns from grey to orange (only A, AAAA and CNAME records can be proxied). Note that some websites do not function correctly when using the Cloudflare proxy. Proceed with caution. Also remember that the proxy alone does not stop someone who knows your origin server's IP address from connecting to it directly and bypassing Access entirely: restrict the origin so that it only accepts connections from Cloudflare, or have the origin validate the Access JWT that Cloudflare attaches to authenticated requests.
Click "Save".
Creating The Access Application And Policy In Zero Trust
You now need to create an Access application and policy for the hostname you want to protect using Cloudflare Zero Trust so that access can be restricted. Here is the process for how to do that. The process is the same regardless of whether you are locking down an R2 bucket or a website.
Go to https://one.dash.cloudflare.com/?to=/:account/access/apps/add.
Select the relevant Cloudflare account if prompted.
Click "Select" under "Self-hosted".
Give the application a name in the "Application name" field.
Specify the subdomain, e.g. "locked-files", in the "Subdomain" field if applicable.
Specify the domain, e.g. "RyderCragie.com", in the "Domain" drop-down.
Optional: You can restrict the application to a specific path (for example a single directory) so that only that path requires authentication and everything else stays open. If you want to specify more than one subdomain, domain and/or path, click "Add domain" to add another row so you can add more criteria.
Scroll to the very bottom and click "Next" at the bottom right.
Give the policy a name in the "Policy name" field. This can be the same as the application name to keep things consistent.
The "Configure rules" section is where you specify the email addresses of the users that you want to give access to the website or R2 bucket. Under "Selector", open the "Select..." drop-down and choose "Emails", or "Emails ending in" if you have a corporate domain. Note that if you do choose "Emails ending in", anyone with an email address ending in the domain you're about to specify will immediately have access, including any address someone can register on that domain. Choose this option cautiously.
In the "Value" field, enter the email address(es) or email address endings of the users that you want to provide access to the website or R2 bucket. Multiple emails or email endings can be specified in this one field.
Optional: If you want users to be prompted to provide a reason for accessing the resource, scroll down and enable "Purpose justification" under "Additional settings".
Scroll to the very bottom and click "Next" at the bottom right.
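The dashboard steps above are all Cloudflare needs, but they only protect requests that reach your origin through Cloudflare's edge. For every request that has passed the policy, Cloudflare attaches a signed JWT (the Cf-Access-Jwt-Assertion header and the CF_Authorization cookie), and an origin that validates it can refuse anything that arrived without one. The Go program below is an added example written for this article, not Cloudflare's code or the author's: it validates such a token against a key set in the shape of the team's /cdn-cgi/access/certs endpoint, pins the algorithm to RS256, and checks the issuer, the application's AUD tag (shown on the application's overview in Zero Trust), expiry and not-before. The issuer, AUD tag, kid and key pair are placeholders; newSigningKey and mintToken only stand in for Cloudflare so the program runs offline. In production the key set is fetched from https://<team-name>.cloudflareaccess.com/cdn-cgi/access/certs and cached.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// jwks mirrors https://<team>.cloudflareaccess.com/cdn-cgi/access/certs (encoding/json maps "keys"/"kid"/"n"/"e" case-insensitively).
type jwk struct{ Kid, N, E string }
type jwks struct{ Keys []jwk }
// accessClaims carries the claims an origin must check; Access emits aud as a list.
type accessClaims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
	Nbf   int64    `json:"nbf"`
}
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeJSON(part string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}
func keyForKid(keys jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, errors.New("no usable key for kid")
}
// VerifyAccessJWT validates a Cf-Access-Jwt-Assertion header (or CF_Authorization cookie) value: RS256 signature
// against the team key set, then iss, aud, exp and nbf. Any failure means the request bypassed the Access policy.
func VerifyAccessJWT(token string, keys jwks, issuer, aud string, now time.Time) (*accessClaims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var c accessClaims // parsed now, trusted only after the signature check below
	if len(parts) != 3 || decodeJSON(parts[0], &hdr) != nil || decodeJSON(parts[1], &c) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm (alg=none, HS256 confusion)
		return nil, errors.New("unexpected alg")
	}
	pub, err := keyForKid(keys, hdr.Kid)
	sig, sigErr := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || sigErr != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown key or bad signature")
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case !slices.Contains(c.Aud, aud): // a token minted for another Access application must not open this one
		return nil, errors.New("token not issued for this application")
	case now.Unix() >= c.Exp || now.Unix() < c.Nbf:
		return nil, errors.New("token expired or not yet valid")
	}
	return &c, nil
}
// newSigningKey and mintToken stand in for Cloudflare's side (constructed for this example) so it runs offline.
func newSigningKey(kid string) (*rsa.PrivateKey, jwks, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, jwks{}, err
	}
	pub := jwk{Kid: kid, N: b64url(priv.N.Bytes()), E: b64url(big.NewInt(int64(priv.E)).Bytes())}
	return priv, jwks{Keys: []jwk{pub}}, nil
}
func mintToken(priv *rsa.PrivateKey, kid string, c accessClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64url(sig), err
}
func main() {
	priv, keys, err := newSigningKey("key-1")
	if err != nil {
		panic(err)
	}
	now := time.Now() // the issuer and AUD tag below are placeholders, not values from the article
	tok, _ := mintToken(priv, "key-1", accessClaims{Aud: []string{"app-aud-tag"}, Email: "alice@example.com", Iss: "https://example-team.cloudflareaccess.com", Exp: now.Add(time.Hour).Unix(), Nbf: now.Unix()})
	fmt.Println(VerifyAccessJWT(tok, keys, "https://example-team.cloudflareaccess.com", "app-aud-tag", now))
}
```

Run it with go run. A request that reaches the origin with no token, with a token minted for a different Access application, with a token from an unknown key, or with an expired token is rejected, which is what closes the direct-to-origin bypass; the email claim is then a trustworthy identity for logging or authorisation decisions at the origin.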
Testing The Policy
Go to the domain/subdomain that you have locked down in your web browser.
You should be redirected to <team-name>.cloudflareaccess.com, where <team-name> is your Zero Trust team domain.
Enter one of the email addresses you previously specified in the Zero Trust Access Policy and click "Send me a code".
Open the email you have received and enter the code from it into the Cloudflare Access webpage. Ensure to check your spam/junk folder if you have not received it.
Click "Sign in".
You should now have access to the website/R2 bucket. Try going to the test file you uploaded in the R2 section to see if it's accessible. Then check the negative case too: from a private/incognito window, or another browser where you have not signed in, the same URL should redirect you to the login page rather than serve the file.
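The browser test above only exercises the happy path. As an added check that is not part of the original article, the Go program below makes an unauthenticated GET with redirect-following disabled and reports whether a URL is locked (a 3xx to the team's *.cloudflareaccess.com login page) or still public (a 200 serving the object). The httptest server is a constructed stand-in for Cloudflare's edge so the program runs offline; for a live check, point accessState at the real URL, e.g. https://locked-files.RyderCragie.com/test-file.txt.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// noRedirectClient stops at the first response so the Location header can be
// inspected instead of being followed to the login page.
func noRedirectClient() *http.Client {
	return &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
}

// accessState classifies an unauthenticated GET: "locked" when the edge redirects to the
// team's *.cloudflareaccess.com login page, "public" when the object is served outright.
func accessState(client *http.Client, target string) (string, error) {
	resp, err := client.Get(target)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	loc, _ := resp.Location() // nil when there is no Location header
	switch {
	case resp.StatusCode == http.StatusOK:
		return "public", nil
	case resp.StatusCode/100 == 3 && loc != nil && strings.HasSuffix(loc.Hostname(), ".cloudflareaccess.com"):
		return "locked", nil
	default:
		return "", errors.New("unexpected response: " + resp.Status)
	}
}

// newFakeEdge is a constructed simulation of Cloudflare's edge, not the real service:
// one path is still public, the other is behind Access. The team name is a placeholder.
func newFakeEdge() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/public/test-file.txt", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello")
	})
	mux.HandleFunc("/locked/test-file.txt", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "https://example-team.cloudflareaccess.com/cdn-cgi/access/login/locked-files.example.com?kid=x", http.StatusFound)
	})
	return httptest.NewServer(mux)
}

func main() {
	edge := newFakeEdge()
	defer edge.Close()
	for _, p := range []string{"/public/test-file.txt", "/locked/test-file.txt"} {
		state, err := accessState(noRedirectClient(), edge.URL+p)
		fmt.Println(p, state, err)
	}
}
```

A "public" result after you believe the policy is in place usually means the Access application's domain or path does not match the URL you are testing, or that the request did not go through the proxy at all.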
Conclusion
Congratulations! You've created a secure and locked down website or R2 bucket using Cloudflare Zero Trust. If you have any issues, feel free to join the Cloudflare Discord server to discuss any problems or questions!