From ae323f49fd091805eba21d7ddb9a970714dee350 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 4 Dec 2024 18:41:58 -0500 Subject: [PATCH 1/2] tunnel rotation instructions --- .../configure-tunnels/remote-management.mdx | 164 +++++++++++++++++- 1 file changed, 162 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx index 41635b60684e43f..845bb0bf5ba4042 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx @@ -148,6 +148,166 @@ To configure how `cloudflared` sends requests to your [public hostname](/cloudfl ## Tunnel permissions -A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel. You can get a tunnel's token from the dashboard or via the [API](/api/operations/cloudflare-tunnel-get-a-cloudflare-tunnel-token). +A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel. -Account members with Cloudflare Access and DNS [permissions](/cloudflare-one/roles-permissions/) will be able to create, delete, and configure all tunnels for the account. +### View the tunnel token + +To get the token for a remotely-managed tunnel: + + + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. +2. Select a `cloudflared` tunnel and select **Edit**. +3. Copy `cloudflared` installation command. +4. Paste the installation command into any text editor. The token value is of the form `eyJhIjoiNWFiNGU5Z...` + + + + +Make a `GET` request to the [Cloudflare Tunnel token](api/operations/cloudflare-tunnel-get-a-cloudflare-tunnel-token) endpoint: + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token \ +--header "Authorization: Bearer " +``` +```sh output +{ + "success": true, + "errors": [], + "messages": [], + "result": "eyJhIjoiNWFiNGU5Z..." +} +``` + + + + +### Rotate a token without service disruption + +Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two [`cloudflared` replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/). To ensure service availability, We recommend performing token rotations outside of working hours or in a maintenance window. + +To rotate a tunnel token: + +1. Refresh the token on Cloudflare: + + + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. + 2. Select a `cloudflared` tunnel and select **Edit**. + 3. Select **Refresh token**. + 4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. + + + + + 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: + + ```sh + openssl rand -base64 32 + ``` + + ```sh output + AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= + ``` + + 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/operations/cloudflare-tunnel-update-a-cloudflare-tunnel) endpoint: + ```sh + curl --request PATCH \ + https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id} \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "Example tunnel", + "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" + }' + ``` + + ```sh output {18} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", + "account_tag": "699d98642c564d2e855e9661899b7252", + "created_at": "2024-12-04T22:03:26.291225Z", + "deleted_at": null, + "name": "Example tunnel", + "connections": [], + "conns_active_at": null, + "conns_inactive_at": "2024-12-04T22:03:26.291225Z", + "tun_type": "cfd_tunnel", + "metadata": {}, + "status": "inactive", + "remote_config": true, + "token": "eyJhIjoiNWFiNGU5Z..." + } + } + ``` + 3. Copy the `token` value shown in the output. + + + + + After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. + +2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: + + ```sh + sudo cloudflared service install + ``` + +3. Restart `cloudflared`: + + ```sh + sudo systemctl restart cloudflared.service + ``` + +4. Confirm that the service started correctly: + ```sh + sudo systemctl status cloudflared + ``` + + While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. + +5. Wait 10 minutes for traffic to route through the new connectors. + +6. Repeat steps 2, 3, and 4 for the second half of the replicas. + +The tunnel token is now fully rotated. The old token is no longer in use. + +### Rotate a compromised token + +If your tunnel token is compromised, we recommend taking the following steps: + +1. Refresh the token using the dashboard or API. Refer to Step 1 of [Rotate a token without service disruption](#rotate-a-token-without-service-disruption). +2. [Delete all connections](/api/operations/cloudflare-tunnel-clean-up-cloudflare-tunnel-connections) between `cloudflared` and Cloudflare: + ```sh + curl --request DELETE \ + https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections \ + --header "Authorization: Bearer " + ``` + + This will clean up any unauthorized connections and prevent users from connecting to your network. + +3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host: + + ```sh + sudo cloudflared service install + ``` +4. Restart `cloudflared`: + + ```sh + sudo systemctl restart cloudflared.service + ``` + +5. Confirm that the service started correctly: + ```sh + sudo systemctl status cloudflared + ``` + +The tunnel token is now fully rotated. The old token is no longer in use. + +### Account-scoped roles + +Account members with [Cloudflare Access](/cloudflare-one/roles-permissions/) and [DNS](/fundamentals/setup/manage-members/roles/) permissions will be able to create, delete, and configure all tunnels for the account. From a20dfffeeccfca11cbafc09c93b8e8751a9f8ed3 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 4 Dec 2024 18:57:15 -0500 Subject: [PATCH 2/2] fix link --- .../connect-networks/configure-tunnels/remote-management.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx index 845bb0bf5ba4042..4519b8de540af4b 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx @@ -164,7 +164,7 @@ To get the token for a remotely-managed tunnel: -Make a `GET` request to the [Cloudflare Tunnel token](api/operations/cloudflare-tunnel-get-a-cloudflare-tunnel-token) endpoint: +Make a `GET` request to the [Cloudflare Tunnel token](/api/operations/cloudflare-tunnel-get-a-cloudflare-tunnel-token) endpoint: ```sh curl https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token \