Zero Trust GitLab SSH & HTTP · Cloudflare Zero Trust docs (2024)

You can use Cloudflare Access to add Zero Trust rules to a self-hosted instance of GitLab. Combined with Cloudflare Tunnel, users can connect through HTTP and SSH and authenticate with your team’s identity provider.

This walkthrough covers how to:

  • Deploy an instance of GitLab
  • Lock down all inbound connections to that instance and use Cloudflare Tunnel to set outbound connections to Cloudflare
  • Build policies with Cloudflare Access to control who can reach GitLab
  • Connect over HTTP and SSH through Cloudflare

Time to complete: 1 hour

Deploying GitLab

This section walks through deploying GitLab in DigitalOcean. If you have already deployed GitLab, you can skip this section.

Create a Droplet that has 16 GB of RAM and 6 CPUs. This should be enough for about 500 users, based on GitLab’s resource recommendations.

GitLab will be reachable at an external IP that is exposed to the Internet (for now). You will need to connect to the deployed server at this external IP for the initial configuration. Secure those connections by adding SSH keys to your DigitalOcean account, so that the root account uses key authentication rather than a password from the first boot.

This example uses a macOS machine to configure the Droplet. Copy the IP address assigned to the machine from DigitalOcean.

Open Terminal and run the following command as root, replacing the placeholder with the IP assigned by DigitalOcean.

$ ssh root@<droplet-ip>

Next, install GitLab. This example uses the Ubuntu package and the steps in the GitLab documentation, with a few exceptions called out below.

Run the following commands to begin.

$ sudo apt-get update

$ sudo apt-get install -y curl openssh-server ca-certificates

$ curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash

The script above adds GitLab’s package repository and its signing key to apt; it does not install GitLab itself. Piping a remote script into a root shell runs whatever the server returns, so on a host you care about, download the script to a file, read it, and only then execute it. This is the first place this tutorial diverges from the GitLab documentation: the next step there sets an external hostname (EXTERNAL_URL) before installing. Instead, install the package without it, since Cloudflare will front the instance under its own hostname.

$ sudo apt-get install gitlab-ee

After a minute or so, GitLab will be installed.


However, the application is not running yet. You can confirm this by listing the ports that are listening with ss.

$ sudo ss -lntup

The result should show only the services that were already active on the machine, here sshd on port 22:

Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      *:9094            *:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=29,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=29,fd=4))

To start GitLab, run the software’s reconfigure command.

$ sudo gitlab-ctl reconfigure

GitLab will launch its component services. Once complete, confirm that GitLab is running: nginx should now be listening on port 80 alongside sshd on port 22.

$ sudo ss -lntup

Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      *:9094            *:*
tcp   LISTEN 0      4096   127.0.0.1:9236    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:8150    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=29,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:8151    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:3000    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:8153    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:8154    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:8155    0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:8060      0.0.0.0:*         users:(("nginx",pid=324,fd=8))
tcp   LISTEN 0      4096   127.0.0.1:9121    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:9090    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:9187    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:9093    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:9229    0.0.0.0:*
tcp   LISTEN 0      1024   127.0.0.1:8080    0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=324,fd=7))
tcp   LISTEN 0      4096   127.0.0.1:9168    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:8082    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=29,fd=4))
tcp   LISTEN 0      4096   *:9094            *:*

Note which listeners are bound to every interface rather than to 127.0.0.1: sshd on 22, nginx on 80 and on its second listener 8060, and the socket on 9094. Those are reachable from the Internet right now, while the internal GitLab components (Puma on 8080, the Prometheus exporters on the 9xxx ports, and so on) are loopback-only and reachable only through nginx. That exposure is expected at this stage; the final step of this walkthrough blocks all inbound traffic so that only Cloudflare Tunnel can reach the machine.

Users connect to GitLab over SSH (port 22 here) and over HTTP for the web app (port 80). In the next step, you will put both behind Cloudflare Access. Leave GitLab running and move to the Cloudflare dashboard.
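A quick way to audit that listener table without reading it by eye, as an added example that is not part of the original tutorial: the Python below parses ss -lntup output (an abridged copy of the table above is embedded as the constructed sample) and reports every socket bound to a non-loopback address, collapsing the IPv4 and IPv6 copies of the same service into one entry. It assumes the whitespace-separated layout ss prints and takes the process name from the users:(...) field when sudo makes it available.

```python
"""Flag listeners bound to non-loopback addresses in `ss -lntup` output.

Added example, not from the Cloudflare tutorial: only loopback-bound
services are safe to leave alone; anything on 0.0.0.0, [::] or * is
reachable from outside the host until the firewall is locked down.
"""
import ipaddress
import re

# Constructed sample: an abridged copy of the listener table the tutorial
# shows after `gitlab-ctl reconfigure`, with whitespace collapsed.
SAMPLE_SS_OUTPUT = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 *:9094 *:*
tcp LISTEN 0 4096 127.0.0.1:9236 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=29,fd=3))
tcp LISTEN 0 511 0.0.0.0:8060 0.0.0.0:* users:(("nginx",pid=324,fd=8))
tcp LISTEN 0 1024 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=324,fd=7))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=29,fd=4))
tcp LISTEN 0 4096 *:9094 *:*
"""

# First process entry inside users:(("name",pid=N,fd=M),...)
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def split_addr_port(local):
    """Split ss's Local Address:Port field into (address, port).

    Handles '127.0.0.1:80', '[::]:22', '*:9094' and '[::1]:8080'.
    """
    host, _, port = local.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def is_loopback(host):
    """True only for addresses that another machine cannot reach."""
    if host in ("*", "0.0.0.0", "::"):
        return False  # wildcard binds: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed, never as safe


def parse_ss(output):
    """Yield one dict per socket line; the header row is skipped."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        host, port = split_addr_port(fields[4])
        m = PROCESS_RE.search(line)
        yield {
            "proto": fields[0],
            "host": host,
            "port": port,
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        }


def exposed_listeners(output):
    """Return sorted (proto, port, process) for every non-loopback socket.

    The v4 and v6 sockets of one daemon (sshd here) are reported once.
    """
    seen = {}
    for sock in parse_ss(output):
        if is_loopback(sock["host"]):
            continue
        seen.setdefault((sock["proto"], sock["port"]), sock["process"])
    return sorted((proto, port, proc) for (proto, port), proc in seen.items())


if __name__ == "__main__":
    for proto, port, proc in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proto}/{port} ({proc or 'unknown process'}) is reachable from outside")
```

Run it against real output with sudo ss -lntup | python3 this_script.py after swapping the sample for sys.stdin.read(); anything it lists that is not sshd or nginx deserves a look before the firewall goes up, because the DigitalOcean firewall hides the exposure rather than removing it.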

Securing GitLab with Zero Trust rules

Building Zero Trust policies

You can use Cloudflare Access to build Zero Trust rules that determine who can reach GitLab’s web application (HTTP) and who can connect over SSH.

When a user makes a request to a site protected by Access, that request reaches Cloudflare’s network first. Access then checks whether the user is allowed to reach the application before anything is forwarded to the origin. Integrated with Cloudflare Tunnel, the Zero Trust architecture looks like this:

To determine who can reach the application, Cloudflare Access relies on integration with identity providers such as Okta, Azure AD or Google to issue the identity cards that get checked at the door. Where a VPN gives users free range on a private network unless someone writes an explicit rule to stop them, Access enforces that identity check on every request, at whatever granularity you configure.

For GitLab, start by building two Access applications, each with its own policy, one per connection method: the web app and SSH. Each is secured under its own subdomain. First, the web app.

Before you build the rule, you’ll need to follow these instructions to set up Cloudflare Access in your account.

Once enabled, go to the Applications page in Zero Trust. Select Add an application.

Choose Self-hosted from the options presented.

You will be prompted for the subdomain that represents the resource. It must be a subdomain of a domain in your Cloudflare account, and you need a separate one for the web application and for the SSH flow, because each becomes its own Access application with its own policy.

This example uses gitlab.widgetcorp.tech for the web application and gitlab-ssh.widgetcorp.tech for SSH connectivity.

While on this page, you can decide which identity providers will be allowed to authenticate. By default, all configured providers are allowed. Select Next to build rules to determine who can reach the application.

You can then add rules to determine who can reach the site.

Select Next and Next again on the Setup page - this example does not require advanced CORS configuration. Repeat these steps for the second application, gitlab-ssh.widgetcorp.tech.
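What those rules decide, as an added example rather than anything from the page or from Cloudflare’s own code: the Python below models how Access evaluates an Allow policy against the identity the identity provider returns. Include rules admit an identity when at least one matches, Require rules must all match, and any matching Exclude rule overrides the other two. The policy contents (a corporate email domain, an office IP range taken from the TEST-NET-3 documentation block, an excluded contractor address and a platform-team group) are invented for gitlab.widgetcorp.tech, the selector names mirror the dashboard labels rather than Cloudflare’s API, and the "first Allow policy that passes admits the request" behaviour models an application that has only Allow policies.

```python
"""Decide whether an authenticated identity satisfies a Cloudflare Access policy.

Added example, not Cloudflare's code. Rule-group semantics as documented:
Include (at least one must match), Require (all must match), Exclude (none
may match). Selector names and policy contents below are illustrative.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Identity:
    """What Access knows about the requester after the IdP login."""
    email: str
    source_ip: str
    groups: set = field(default_factory=set)


def email_domain(email):
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def rule_matches(rule, ident):
    """Evaluate one selector, e.g. {"emails_ending_in": "widgetcorp.tech"}."""
    (kind, value), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ident.email.lower() == value.lower()
    if kind == "emails_ending_in":
        # Compare the whole domain, not a string suffix: a naive endswith()
        # would also accept mallory@notwidgetcorp.tech.
        return email_domain(ident.email) == value.lower().lstrip("@")
    if kind == "group":
        return value in ident.groups
    if kind == "ip_range":
        return ipaddress.ip_address(ident.source_ip) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported selector {kind!r}")


def policy_allows(policy, ident):
    """Include (any) AND Require (all) AND NOT Exclude (any)."""
    include = policy.get("include", [])
    require = policy.get("require", [])
    exclude = policy.get("exclude", [])
    if not any(rule_matches(r, ident) for r in include):
        return False  # nobody gets in without an Include match
    if not all(rule_matches(r, ident) for r in require):
        return False
    if any(rule_matches(r, ident) for r in exclude):
        return False  # Exclude wins even when Include and Require pass
    return True


def first_allowing_policy(policies, ident):
    """Name of the first Allow policy that admits the identity, or None.

    Assumption for this example: the application has only Allow policies,
    so the request is admitted as soon as one passes and denied otherwise.
    """
    for policy in policies:
        if policy_allows(policy, ident):
            return policy["name"]
    return None


# Constructed policies for gitlab.widgetcorp.tech. 203.0.113.0/24 is the
# TEST-NET-3 documentation block, standing in for an office egress range.
GITLAB_WEB_POLICIES = [
    {
        "name": "Widgetcorp staff from the office",
        "include": [{"emails_ending_in": "widgetcorp.tech"}],
        "require": [{"ip_range": "203.0.113.0/24"}],
        "exclude": [{"email": "contractor@widgetcorp.tech"}],
    },
    {
        "name": "Platform team from anywhere",
        "include": [{"group": "platform-team"}],
    },
]

if __name__ == "__main__":
    for who in (Identity("sam@widgetcorp.tech", "203.0.113.7"),
                Identity("contractor@widgetcorp.tech", "203.0.113.7"),
                Identity("mallory@notwidgetcorp.tech", "203.0.113.7")):
        print(who.email, "->", first_allowing_policy(GITLAB_WEB_POLICIES, who))
```

The domain check compares the whole part after the @ rather than a string suffix, because with a suffix match mallory@notwidgetcorp.tech would satisfy a rule meant for widgetcorp.tech. What is compared is the claim the identity provider issued, so the IdP configuration itself (which domains it will issue tokens for, whether it verifies email ownership) is part of the trust boundary of every policy you write here.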

Cloudflare Tunnel

Cloudflare Tunnel creates a secure, outbound-only connection between this machine and Cloudflare’s network. With an outbound-only model you can block all direct access to the machine and close every externally exposed point of ingress: no inbound firewall ports need to be open at all.

Cloudflare Tunnel is made possible through a lightweight daemon from Cloudflare called cloudflared. Download and install cloudflared on the DigitalOcean machine by following the instructions listed on the Downloads page.

Once installed, authenticate the instance of cloudflared with the following command.

$ cloudflared login

The command prints a URL that you must visit to log in with your Cloudflare account.

Choose a website that you have added into your account.

Once you select one of the sites in your account, Cloudflare downloads a certificate file (cert.pem, saved in ~/.cloudflared) that authenticates this instance of cloudflared. Treat it as an account credential: anyone holding it can create Tunnels and DNS records for the zone you selected, so keep it readable only by the user running cloudflared and never copy it into images or repositories. You can now use cloudflared to manage Cloudflare Tunnel connections in your account.

Connecting to Cloudflare

You can now connect GitLab to Cloudflare using Cloudflare Tunnel.

  1. Create a new Tunnel by running the following command.

$ cloudflared tunnel create gitlab

cloudflared will generate a unique ID for this Tunnel, for example 6ff42ae2-765d-4adf-8112-31c55c1551ef. You can use this Tunnel both for SSH and HTTP traffic.

  2. Configure Cloudflare Tunnel to proxy traffic to both destinations. The ingress rules below send traffic for the web app’s DNS record to GitLab’s nginx on port 80 and traffic for the SSH record to sshd on port 22.

Use the text editor of your choice to edit the configuration file; this example uses Vim.

$ vim ~/.cloudflared/config.yml

  3. Configure the Tunnel to serve traffic.

tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json

ingress:
  - hostname: gitlab.widgetcorp.tech
    service: http://localhost:80
  - hostname: gitlab-ssh.widgetcorp.tech
    service: ssh://localhost:22
  # Catch-all rule, which just responds with 404 if traffic doesn't match any of
  # the earlier rules
  - service: http_status:404

  4. Test that the configuration file is well-formed with the following command:

$ cloudflared tunnel ingress validate

cloudflared reads ~/.cloudflared/config.yml and reports OK when the rules are valid. You can now run the Tunnel.

$ cloudflared tunnel run

Running the Tunnel in a foreground shell is fine for testing. Before you block inbound traffic in the last step, install cloudflared as a system service (its service install subcommand) so the Tunnel survives reboots and logouts; the service looks for its configuration and credentials under /etc/cloudflared rather than in the home directory, so make sure both files are in place there.
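To see what those two checks actually enforce, here is an added example that is not cloudflared’s code: a Python re-implementation of the rule semantics behind cloudflared tunnel ingress validate and cloudflared tunnel ingress rule <url>, run against the three ingress rules from the configuration above. The rules are written as Python dictionaries so no YAML library is needed (yaml.safe_load(config)["ingress"] produces the same structure if PyYAML is installed). Rules are tried top to bottom and the first match wins, a hostname beginning with *. is a wildcard, path is a regular expression, and the last rule must be a catch-all with no hostname or path. The wildcard and bad-scheme rules in the test are constructed, and treating *.example.com as matching any name with at least one label before the suffix is this example’s assumption.

```python
"""Resolve and validate cloudflared ingress rules.

Added example, not cloudflared's own code: re-implements the checks behind
`cloudflared tunnel ingress validate` (is the rule list well-formed?) and
`cloudflared tunnel ingress rule <url>` (which rule serves this request?).
"""
import re
from urllib.parse import urlsplit

# The tutorial's ingress section, as Python instead of YAML.
GITLAB_INGRESS = [
    {"hostname": "gitlab.widgetcorp.tech", "service": "http://localhost:80"},
    {"hostname": "gitlab-ssh.widgetcorp.tech", "service": "ssh://localhost:22"},
    {"service": "http_status:404"},  # catch-all: must be last
]

# Service types cloudflared accepts as a URL scheme.
KNOWN_SCHEMES = {"http", "https", "ssh", "rdp", "tcp", "unix", "unix+tls"}
# Service types written without a scheme.
BARE_SERVICES = {"hello_world", "bastion"}


def validate_ingress(rules):
    """Return a list of problems; an empty list means the rules are valid."""
    problems = []
    if not rules:
        return ["ingress is empty: at least a catch-all rule is required"]
    for i, rule in enumerate(rules):
        is_last = i == len(rules) - 1
        service = rule.get("service")
        if not service:
            problems.append(f"rule {i}: missing service")
        elif service.startswith("http_status:"):
            if not re.fullmatch(r"http_status:\d{3}", service):
                problems.append(f"rule {i}: bad http_status service {service!r}")
        elif service not in BARE_SERVICES:
            scheme = urlsplit(service).scheme
            if scheme not in KNOWN_SCHEMES:
                problems.append(f"rule {i}: unknown service scheme {scheme!r}")
        if "path" in rule:
            try:
                re.compile(rule["path"])
            except re.error as exc:
                problems.append(f"rule {i}: path is not a valid regex ({exc})")
        catch_all = "hostname" not in rule and "path" not in rule
        if is_last and not catch_all:
            problems.append("last rule must be a catch-all with no hostname or path")
        if catch_all and not is_last:
            problems.append(f"rule {i} matches everything, so rules after it are unreachable")
    return problems


def _hostname_matches(pattern, host):
    """Exact match, or '*.suffix' matching any host with a label before it."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".widgetcorp.tech"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def match_ingress(rules, url):
    """Index of the first rule serving `url`, or None if nothing matches."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for i, rule in enumerate(rules):
        if "hostname" in rule and not _hostname_matches(rule["hostname"].lower(), host):
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return i  # first match wins, exactly as cloudflared evaluates rules
    return None


def service_for(rules, url):
    """The origin service `url` would be proxied to, or None."""
    i = match_ingress(rules, url)
    return None if i is None else rules[i]["service"]


if __name__ == "__main__":
    print("problems:", validate_ingress(GITLAB_INGRESS) or "none")
    for u in ("https://gitlab.widgetcorp.tech/samrhea/demo",
              "gitlab-ssh.widgetcorp.tech",
              "https://other.widgetcorp.tech/"):
        print(u, "->", service_for(GITLAB_INGRESS, u))
```

The two mistakes validate_ingress catches are the ones that bite in practice: a catch-all placed above the SSH rule silently answers every SSH connection with a 404, and a rule list without a catch-all makes cloudflared refuse to start. Checking a URL against the rules before going live also confirms that only the two GitLab hostnames reach the origin; anything else at this Tunnel gets a 404 rather than a port on the server.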

Configure DNS records

You can now create DNS records for GitLab in the Cloudflare dashboard. Remember, you still need two records: one for the web application and one for SSH traffic.

In the DNS tab, choose the website where you built your Access policies. Select Add record and choose CNAME as the type. In the Name field, input gitlab. In the Target field, input the ID of the Tunnel followed by .cfargotunnel.com. In this example, that value is:

6ff42ae2-765d-4adf-8112-31c55c1551ef.cfargotunnel.com

Leave the Proxy status set to Proxied (the orange cloud): a cfargotunnel.com target only resolves through Cloudflare’s proxy, and an unproxied record would also bypass Access. Select Save. Repeat the process to create a second CNAME record with the same Target and gitlab-ssh as the Name. Both records then point at the same Tunnel, and the ingress rules in the configuration file direct each hostname to the appropriate port. cloudflared can create the same records from the command line with its tunnel route dns subcommand.

Connecting to the web application

You can now test the end-to-end configuration for the web application. Visit the subdomain you created for it. Cloudflare Access prompts you to authenticate; log in with your identity provider.

Once authenticated, you should see the GitLab web application.

Register your own account and create a Blank project to test SSH in the next step. Access now controls who can reach the sign-up page, but GitLab’s own accounts are a second layer: once the accounts you need exist, disable open sign-up under the Admin Area’s sign-up restrictions so that reaching the page is not the same as getting an account.

GitLab will create a new project and repository.

Configuring SSH

To push and pull code over SSH, you will need to install cloudflared on the client machine as well. This example uses a macOS laptop. On macOS, you can install cloudflared with the following command.

$ brew install cloudflared

Although cloudflared must be installed, you do not need to wrap your SSH commands in any special way. Instead, make a one-time change to your SSH configuration file.

$ vim ~/.ssh/config

Input the following values, replacing gitlab-ssh.widgetcorp.tech with the hostname you created and the ProxyCommand path with the location printed by which cloudflared (Homebrew installs to /usr/local/bin on Intel Macs and to /opt/homebrew/bin on Apple silicon).

Host gitlab-ssh.widgetcorp.tech
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

You can now test the SSH flow by cloning the project created earlier. GitLab serves repositories over SSH as the git user, and the host part must match the Host entry above so that the ProxyCommand applies.

$ git clone git@gitlab-ssh.widgetcorp.tech:samrhea/demo

cloudflared opens a browser window for you to log in with your identity provider and, once successful, stores a short-lived token on your device so that subsequent connections authenticate without a prompt until it expires. Your SSH key registered in GitLab still authenticates you to sshd as before; Access adds the identity check in front of it.

Lock down exposed ports

Now configure the DigitalOcean cloud firewall with a single rule set that blocks all inbound traffic, so that nothing can reach the Droplet’s public IP directly. Before applying it, make sure cloudflared runs as a service and that both the web and SSH flows work through Cloudflare, because once inbound traffic is blocked the Tunnel (and DigitalOcean’s web console) are the only ways back in.

Cloudflare Tunnel keeps working because its connections are outbound-only, and the machine is no longer exposed to the Internet-wide scanning that turns reachable GitLab instances into crypto mining hosts, or worse.

View logs

You can also view logs of the events that are allowed and blocked. Open the Access page of the Logs section in Zero Trust.
