Hello to all,

I just want to report that Passbolt and its Extension is running great over Cloudflare Tunnel.

How did I install Passbolt?

On a Selfhosted Linux Debian 11 System
Followed the instructions provided by Passbolt step by step

Where is your Server Hosted?

Hetzner CX Cloud Server

What is your Firewall configuration?

At Hetzner you have your own Virtual Firewall for your Public facing IP.
Information about that is at the Cloudflare Docs. → Ports and IPs · Cloudflare Zero Trust docs

Incoming:
104.19.0.0/16 TCP HTTPS
104.18.0.0/16 TCP HTTPS
172.64.0.0/16 TCP HTTPS
198.41.0.0/16 TCP 7844

Outgoing:
Any HTTPS Any / Reason is that I use Yubikey API and could not find the Range they operate in!
SMTP 587 TCP for Passbolt E-Mail to my Mail Provider (outlook(dot)com) App Pass with restrictions for only Microsoft Servers
198.41.0.0/16 TCP 7844

INFORMATION: The Cloudflare Tunnel uses the QUIC Protocol - So if you have a Firewall that blocks QUIC you need an exception for the Cloudflare Tunnel Agent Server.

Were did you install the Cloudflare Tunnel Agent?

On the same Linux Machine running Passbolt on the Linux Server.

How did you secure your Cloudflare Tunnel?

I use a One-Time Passwort with a Session Token for 24 Hours
Great Instructions at → You Need to Learn This! Cloudflare Tunnel Easy Tutorial - YouTube
To Lockdown your Services

On my End I have a dedicated IP / GeoRestriction and required E-Mail ← Overkill

Little UPDATE 17.04.2023 - Authentication
-----------------START
Switched to Google Authentication and GeoRestriction - Audit Everything
-----------------END

Why?
I want to make sure that only I can Access Passbolt and the registration page is only available if you can login over from Cloudflare. Like this the Passbolt Server does not need too much configuration and works great!

Hope my feedback could inspire you to use a more secure approach on servicing on your own network.

Best regards
Val.

Have you managed to get the mobile app working over Cloudflare as well?

Hello @chssn

sadly the Passbolt Mobile App does not like Cloudflare Tunnel with Authentication implemented.

The error is - HTTP Redirect on the Mobile App - Sadly you can not manually configure the MobileApp.

I tried with the Cloudflare ZTNA WARP Tunnel without success - Even if no authentication gets generated the access gateway is still there for verification.

Example:
Passbolt DNS = pass.your-bolt.com
Cloudflare Teamsite = your-team.cloudflareaccess.com → then → pass.your-bolt.com

The logs do not give out clearly what is wrong only: HTTP Redirect again and again…

Best regards
Val.

Nice!

Let me share what I did with cloudflare and passbolt.

i set up a VPN with fixed IP.

On cloudflare zero trust I made two rules on access…

1. BYPASS to my VPN ip
2. Warp and email

So when I turn on my vpn I can use passbolt on my computer desktop and cellphone normally.

All others IPs will fall into the warp and email authentication… forbidden page will be displayed.

btw. you can set a split tunnel in to your vpn app just to passbolt app… lovely!

it just works

Cheerz!

Hello @hackmann
but that in turn is a VPN and not pure Cloudflare Tunnel.

In theory you will need a VPN Client on all your devices as a P2S or if you’ll use S2S.

My goal was to be able to use Passbolt on any device that has Internet connectivity.

With the Mobile App at its current state, it does not want to give up Authentication and Verification to a third party. (Actually, fine in my book!)

Workaround would be a browser extension for Safari on iOS Since the webportal from Passbolt and Extension Communication is Ok.

Sincerely
Val.

Greetings,
I’m in the same boat. I am running Passbolt inside of a Docker container on my Synology NAS with a Cloudflare tunnel to give me outside access through a secure https address. Everything works great for the web browser and browser extension, but the mobile app gets those http redirect errors. I’ve tried turning off any Cloudflare authentication, but no change. Everything is hosted offsite, so it shouldn’t make a difference if I’m on wifi or cellular, and I’ve tried both without success.
I don’t think my setup is much different than the others in this discussion, but just throwing my setup into the mix in hopes that someone has an answer to getting the mobile app to work through the Cloudflare tunnel. I’m hoping to administer Passbolt across my organization with many users, and our work environment is almost entirely mobile and remote, so the function of the mobile app is pretty much a deal breaker if we can’t get past this.
Thanks,
Jamison

Greetings @Valvaris and @jhill

Like you guys, I had no problem using Passbolt and its Extension over Cloudflare Tunnel, in the desktop computer. I am using it with Google Chrome, Edge, and Brave browser. Works pretty good!

Sadly I did not find any solution about the mobile app, as you both know already. Those gateway redirections just kill the app funcionality. It is not only on passbolt mobile app, but in some others services I have that dont accept redirections or headers change…

Only solution I found was that workaround bypassing the cloudflare access gateway by setting up a VPN. Of course using the bypass I wont have the cloudflare security funcionality and I need to install vpn in all my clients like @Valvaris said, but at least works on my cellphone when I am not home (flawlessly). Since I am the only user on my server, I have no problem to lock entire instance down to work with vpn only. But that would be a pain in a bigger environment with a lot of users.

Same behavior i found in bitwarden and vaultwarden… mobile apps does not handle gateway redirections. It is not a passbolt “exclusivity”, sadly.

Before cloudflare access, I was using Authelia… Same principle… proxy and redirections… and had same results: dont work with those kinda of apps.

Would be awesome some tweaks on mobile app by developers, but I really dont know if that is even possible.

Cloudflare has announced a new authentication method called “pingidentity”. I think that would work. But there is no free service and it is too much expensive… really expensive.

Cheerz!

passed through this thread because i was looking to make the cloudflare tunnel to work with the mobile app as well. i had doubts it would work so i had to search through the net first. glad i found this before proceeding. hoping somebody comes up with a work around. i don’t want to set up a VPN for this…

Hello @chrisbjr and welcome to the forum!
Using Cloudflare tunnel without any problem from extension, desktop or mobile apps is possible.
As the Cloudflare documentation says, you don’t need the Cloudflare VPN if you use only HTTP/HTTPS types of service. If you choose for example TCP, you will need it

Passbolt Mobile App Setup Guide with Cloudflare Tunnel

Hi all,

I’ve been testing the self-hosting feature for Passbolt and Cloudflare, and one of the issues I came across was what’s discussed in this post.

After some trial and error using Claude AI, I’ve managed to get the mobile app working using a Cloudflare tunnel. For this, I added Cloudflare to the docker-compose file included in this post.

Now I need to clarify: I don’t know if this limits the security or if this setup contains some “not done” elements. I’m just someone who likes to tinker until I get it working.

But using the steps provided by Claude AI, it worked for me.

Hopefully someone will be helped by this, and if I did something not done, feedback is always helpful.

My Full Docker File

services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://your-server-URL.com
      PASSBOLT_SSL_FORCE: 1
      PASSBOLT_SECURITY_SET_HEADERS: 0
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
      EMAIL_DEFAULT_FROM_NAME: "Passbolt"
      EMAIL_DEFAULT_FROM: "Your Mail"
      EMAIL_TRANSPORT_DEFAULT_HOST: "SMTP Host"
      EMAIL_TRANSPORT_DEFAULT_PORT: "Port"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: "Your Mail Username"
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: "Your Mail Password"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 80:80
      - 443:443
   #Alternatively for non-root images:
    # - 80:8080
    # - 443:4433
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel --no-autoupdate run --token <Insert Token>
volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

Prerequisites

• Passbolt instance running in Docker

• Cloudflare Tunnel configured and running

• Access to Cloudflare Dashboard

• Docker and docker-compose installed

Part 1: Generate JWT Authentication Keys

The mobile app requires JWT (JSON Web Token) authentication. You need to generate the required key pair.

Step 1: Enter the Passbolt Container

docker exec -it <passbolt-container-name> bash

Replace <span class="editor-theme-code"><passbolt-container-name></span> with your actual container name (find it using <span class="editor-theme-code">docker ps</span>).

Step 2: Create JWT Directory

mkdir -p /etc/passbolt/jwt

Step 3: Generate Private Key

openssl genpkey -out /etc/passbolt/jwt/jwt.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048

Step 4: Generate Public Key

openssl rsa -in /etc/passbolt/jwt/jwt.key -pubout -out /etc/passbolt/jwt/jwt.pem

Step 5: Set Proper Permissions

chown www-data:www-data /etc/passbolt/jwt/jwt.key /etc/passbolt/jwt/jwt.pem

chmod 640 /etc/passbolt/jwt/jwt.key

chmod 644 /etc/passbolt/jwt/jwt.pem

Step 6: Exit Container

exit

Step 7: Verify Keys Were Created

docker exec <passbolt-container-name> ls -la /etc/passbolt/jwt/

You should see:

• jwt.key private key

• jwt.pem (public key)

Part 2: Update Docker Compose Configuration

Step 1: Add Volume Mounts for JWT Keys

Edit your docker-compose.yml file and add the JWT volume mount:

services:

passbolt:

image: passbolt/passbolt:latest

volumes:

- passbolt_data:/var/www/passbolt/data

- passbolt_jwt:/etc/passbolt/jwt # Add this line

environment:

- APP_FULL_BASE_URL=https://your-server-URL.com

- PASSBOLT_SSL_FORCE=true

- PASSBOLT_SECURITY_SET_HEADERS=false

# ... rest of your configuration

volumes:

passbolt_data:

passbolt_jwt:

Step 2: Restart Passbolt

docker-compose restart passbolt

Or if using standalone Docker:

docker restart <passbolt-container-name>

Part 3: Configure Cloudflare Tunnel Settings

Step 1: Access Cloudflare Dashboard

1. Go to Cloudflare Dashboard

2. Navigate to Zero Trust → Access → Tunnels

Step 2: Configure Your Tunnel

1. Find your tunnel in the list

2. Click Configure

3. Locate the Public Hostname for your server URL.com

Step 3: Update HTTP Settings

Under Additional application settings → HTTP Settings, configure:

• No TLS Verify - Enable this if using self-signed certificates internally

• HTTP Host Header - Set to your server URL .com

• Origin Server Name - Set to your server URL .com

  Also set the IP to that of the Passbolt docker container

image2278×596 47.8 KB

Step 4: Save Changes

Click Save to apply the tunnel configuration changes.

Part 4: Security Recommendations

Rotate Your Cloudflare Tunnel Token

Important: If your tunnel token has been exposed, rotate it immediately:

1. In Cloudflare Dashboard, go to your tunnel settings

2. Click on your tunnel

3. Select Configure

4. Find the option to regenerate/rotate the token

5. Update your docker-compose.yml with the new token:

cloudflared:

image: cloudflare/cloudflared:latest

restart: unless-stopped

command: tunnel --no-autoupdate run --token <NEW_TOKEN_HERE>

6. Restart the cloudflared container:

docker-compose restart cloudflared

Part 5: Testing

Step 1: Test Mobile App Connection

1. Open the Passbolt mobile app

2. Enter your server URL: https:// your server URL .com

3. Attempt to log in with your credentials