manage_cloudflared

Ansible Role - manage_cloudflared

This repo contains the Ansible role for configuring a cloudflared server in either WARP mode, or ingress mode.

What this role does

This Ansible role will allow you to configure cloudflared on an Ubuntu 20.04+ server in either WARP tunnel mode, or in ingress mode.

  1. Download and install cloudflared via a package repo
  2. Configure cloudflared
    1. Set cloudflared to start as a service
    2. Start cloudflared

Variables

The tunnel configuration files will need to be supplied, as this role intentionally does not include authentication and tunnel creation for security reasons.

The following variables are required:

  1. manage_cloudflared.warp - Use WARP tunneling instead of ingresses (Default: false)
    manage_cloudflared.warp: true
    manage_cloudflared.tunnel_uuid: "a1b234c5-de67-89f0-g123-4hi5jk678l90"
    manage_cloudflared.account_tag: "1234567abcdefg890123hijklom45678"
    manage_cloudflared.tunnel_secret: "YmFkc2VjcmV0Cg=="
    manage_cloudflared.tunnel_name: "internal_warp"
    
  2. Either the manage_cloudflared.console_token method or the local configuration method
    console_token: "BASE64 STRING OF TUNNEL TOKEN"
    
    OR
    manage_cloudflared.tunnel_uuid: "a1b234c5-de67-89f0-g123-4hi5jk678l90"
    manage_cloudflared.account_tag: "1234567abcdefg890123hijklom45678"
    manage_cloudflared.tunnel_secret: "YmFkc2VjcmV0Cg=="
    manage_cloudflared.tunnel_name: "internal_websites"
    manage_cloudflared.ingresses:
       - hostname: statuspage.externaldomain.com
         service: "https://10.1.2.3:443"
         dont_verify_ssl: true
         host_header: "status.internaldomain.com"
       - hostname: timeclock.externaldomain.com
         service: "https://timeclock.internaldomain.net:443"
       - hostname: timeclock.externaldomain.com
         service: "https://timeclock.internaldomain.net:443"
    

ZTA Managed Tunnels

If you use manage_cloudflared.console_token you don't need to specify any other variables as the Zero Trust Console will manage everything else.

Additionally, please note that migrating between config file managed and ZTA managed tunnels will not work because the service install test only checks if the service exists, so installing one prior to the other will not result in removing the old style of service. You will have to manually remove the old service first.

Testing

Due to the nature of the service this role is configuring, all testing is done manually.
TESTING.md contains details and instructions for testing.

Route 1337 LLC's open source code heavily relies on donations. If you find this Ansible role useful, please consider using the GitHub Sponsors button to show your continued support.

Thank you for your support!

About

Deploy and configure cloudflared using pre-created tunnel credentials

Install
ansible-galaxy install route1337/ansible-role-managecloudflared
GitHub repository
License
mit
Downloads
90
Owner
Modern InfoSec, Zero Trust, and DevOps consulting for Web2 and Web3 clients.