PassBolt and Cloudflare Tunnel (It just works!)

Hello to all,

I just want to report that Passbolt and its Extension is running great over Cloudflare Tunnel.

How did I install Passbolt?

On a Selfhosted Linux Debian 11 System
Followed the instructions provided by Passbolt step by step

Where is your Server Hosted?

Hetzner CX Cloud Server

What is your Firewall configuration?

At Hetzner you have your own Virtual Firewall for your Public facing IP.
Information about that is at the Cloudflare Docs. → Ports and IPs · Cloudflare Zero Trust docs

Incoming:
104.19.0.0/16 TCP HTTPS
104.18.0.0/16 TCP HTTPS
172.64.0.0/16 TCP HTTPS
198.41.0.0/16 TCP 7844

Outgoing:
Any HTTPS Any / Reason is that I use Yubikey API and could not find the Range they operate in!
SMTP 587 TCP for Passbolt E-Mail to my Mail Provider (outlook(dot)com) App Pass with restrictions for only Microsoft Servers
198.41.0.0/16 TCP 7844

INFORMATION: The Cloudflare Tunnel uses the QUIC protocol, so if you have a firewall that blocks QUIC you need an exception for the Cloudflare Tunnel Agent Server.
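A small audit of the inbound allow-list above, written here as an added example (it is not from the post, from Passbolt or from Cloudflare). It parses rules in the post's own notation, tests whether a given source would get through, and flags any rule whose network is wider than Cloudflare's published ranges. The three `PUBLISHED_CF_RANGES` are an illustrative subset of the list at https://www.cloudflare.com/ips-v4 and should be refreshed from that source before relying on them. One caveat worth stating: `cloudflared` opens an outbound connection to Cloudflare on port 7844, so a host that is reached only through the tunnel needs no inbound rule at all; inbound HTTPS from Cloudflare ranges is only required when the origin is also proxied directly.

```python
"""Audit an origin-host firewall allow-list (added example, not from the thread).

Rules are copied from the post's inbound list; PUBLISHED_CF_RANGES is an
illustrative subset of https://www.cloudflare.com/ips-v4 (refresh it).
"""
import ipaddress

# Service names used in the post mapped to ports.
PORT_NAMES = {"HTTPS": 443, "HTTP": 80, "SMTP": 587}

# Inbound rules exactly as listed in the post.
INBOUND_RULES_TEXT = """\
104.19.0.0/16 TCP HTTPS
104.18.0.0/16 TCP HTTPS
172.64.0.0/16 TCP HTTPS
198.41.0.0/16 TCP 7844
"""

# Illustrative subset of Cloudflare's published IPv4 ranges (constructed here;
# fetch the authoritative list before using this for a real audit).
PUBLISHED_CF_RANGES = [
    ipaddress.ip_network(n)
    for n in ("104.16.0.0/13", "172.64.0.0/13", "198.41.128.0/17")
]


def parse_rules(text):
    """Turn '<cidr> <proto> <port-or-name>' lines into (network, proto, port)."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        net, proto, port = line.split()
        port_num = PORT_NAMES.get(port.upper()) or int(port)
        rules.append((ipaddress.ip_network(net), proto.upper(), port_num))
    return rules


def is_allowed(rules, src_ip, proto, port):
    """True if some rule admits this source address, protocol and port."""
    ip = ipaddress.ip_address(src_ip)
    return any(
        ip.version == net.version and ip in net and p == proto.upper() and pt == port
        for net, p, pt in rules
    )


def overly_broad(rules, published):
    """Rules whose source network is not fully contained in a published range."""
    flagged = []
    for net, proto, port in rules:
        same_family = [pub for pub in published if pub.version == net.version]
        if not any(net.subnet_of(pub) for pub in same_family):
            flagged.append((net, proto, port))
    return flagged


def report(rules=None, published=PUBLISHED_CF_RANGES):
    """Human-readable findings; returns a list of strings."""
    rules = RULES if rules is None else rules
    lines = []
    for net, proto, port in overly_broad(rules, published):
        lines.append(f"{net} {proto} {port}: wider than any published Cloudflare range")
    return lines or ["all inbound rules fall inside published Cloudflare ranges"]


RULES = parse_rules(INBOUND_RULES_TEXT)

if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it as-is and it reports the single rule that is not contained in the illustrative published ranges; swap in the live list from Cloudflare to get a real answer.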

Where did you install the Cloudflare Tunnel Agent?

On the same Linux Machine running Passbolt on the Linux Server.

How did you secure your Cloudflare Tunnel?

I use a One-Time Password with a Session Token for 24 Hours
Great Instructions at → You Need to Learn This! Cloudflare Tunnel Easy Tutorial - YouTube
To lock down your Services

On my End I have a dedicated IP / GeoRestriction and required E-Mail ← Overkill :wink:

Little UPDATE 17.04.2023 - Authentication
-----------------START
Switched to Google Authentication and GeoRestriction - Audit Everything :smiley:
-----------------END

Why?
I want to make sure that only I can access Passbolt and the registration page is only available if you can log in via Cloudflare. Like this the Passbolt Server does not need too much configuration and works great!

Hope my feedback could inspire you to use a more secure approach on servicing on your own network.

Best regards
Val.


Have you managed to get the mobile app working over Cloudflare as well?

Hello @chssn

Sadly, the Passbolt Mobile App does not like Cloudflare Tunnel with Authentication implemented.

The error is - HTTP Redirect on the Mobile App - Sadly you can not manually configure the MobileApp.

I tried with the Cloudflare ZTNA WARP Tunnel without success - Even if no authentication gets generated the access gateway is still there for verification.

Example:
Passbolt DNS = pass.your-bolt.com
Cloudflare Teamsite = your-team.cloudflareaccess.com → then → pass.your-bolt.com

The logs do not clearly say what is wrong, only: HTTP Redirect again and again…

Best regards
Val.
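The "HTTP Redirect" symptom described in the reply above has a recognisable shape from the client side: an API call that should return JSON instead gets a 302 whose Location points at the team's Access login page on cloudflareaccess.com, and a client that follows it silently receives an HTML login form where it expected JSON. The classifier below is an added example (not from the thread, from Passbolt or from Cloudflare) that tells those cases apart so a log or a test harness can name the cause instead of just "redirect". The hostnames are the ones from the post's example; the request path and the full Location URL are constructed placeholders.

```python
"""Classify HTTP responses to spot a Cloudflare Access login interception.

Added example, not from the thread. Hostnames are the post's placeholders;
the request path and the Location URL below are constructed.
"""
from urllib.parse import urlparse

# Every Cloudflare Access team login page lives under this suffix.
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def classify(status, headers, body=b""):
    """Return a short label describing what the client actually got back."""
    h = {k.lower(): v for k, v in headers.items()}
    content_type = h.get("content-type", "")

    if status in REDIRECT_STATUSES:
        host = urlparse(h.get("location", "")).hostname or ""
        if host.endswith(ACCESS_LOGIN_SUFFIX):
            return "access-login-redirect"   # Access gateway intercepted the call
        return "other-redirect"

    if status == 200 and content_type.startswith("application/json"):
        return "api-json"                    # the answer an API client expects
    if status == 200 and "text/html" in content_type:
        return "html-instead-of-json"        # typically the login form, post-redirect
    if status in (401, 403):
        return "denied"
    return f"unexpected-{status}"


def diagnose(exchange):
    """Walk a list of (status, headers, body) responses, as seen by a client that
    follows redirects, and explain the first problem found."""
    labels = [classify(*resp) for resp in exchange]
    if "access-login-redirect" in labels:
        return ("blocked-by-access",
                "request was redirected to the Cloudflare Access login page; "
                "an app that cannot show a browser login cannot complete it")
    if "html-instead-of-json" in labels:
        return ("html-where-json-expected",
                "server answered with an HTML page instead of the API's JSON")
    if labels and labels[-1] == "api-json":
        return ("ok", "API reachable without interception")
    return ("unknown", ", ".join(labels))


# Constructed capture of what a mobile client would see behind Access:
# 1) the API call is bounced to the team login page,
# 2) following it yields the HTML login form.
SAMPLE_EXCHANGE = [
    (302, {"Location": "https://your-team.cloudflareaccess.com/cdn-cgi/access/login/"
                       "pass.your-bolt.com?redirect_url=%2Fexample.json"}, b""),
    (200, {"Content-Type": "text/html; charset=utf-8"}, b"<html>login</html>"),
]

# Constructed capture of a healthy API answer (e.g. over a bypass or without Access).
HEALTHY_EXCHANGE = [
    (200, {"Content-Type": "application/json"}, b'{"header": {"status": "success"}}'),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_EXCHANGE))
    print(diagnose(HEALTHY_EXCHANGE))
```

The useful signal is the Location host, not the status code: plenty of legitimate 302s exist, but one landing on `*.cloudflareaccess.com` means the request never reached the origin.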

Nice!

Let me share what I did with cloudflare and passbolt.

I set up a VPN with fixed IP.

On cloudflare zero trust I made two rules on access…

  1. BYPASS to my VPN ip
  2. Warp and email

So when I turn on my vpn I can use passbolt on my computer desktop and cellphone normally.

All other IPs will fall into the warp and email authentication… forbidden page will be displayed.

btw. you can set a split tunnel into your vpn app just for the passbolt app… lovely!

it just works

Cheerz!
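To make the two-rule setup in the reply above concrete, here is a small model of how ordered Access policies decide a request, added as an example (it is not from the thread and not Cloudflare's code). Policies are tried in listed order and the first match wins, which is why the Bypass for the VPN address comes first; the VPN range, team name and e-mail domain are constructed placeholders. The model also makes the trade-off visible: a source inside the bypass range is never asked for an identity at all, so the VPN itself becomes the control for those clients.

```python
"""Simplified model of ordered Cloudflare Access policy evaluation.

Added example, not from the thread or from Cloudflare. Selector semantics
follow Access's Include (any may match) / Require (all must match) idea;
the VPN range and domain are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    src_ip: str
    email: Optional[str] = None      # identity after login; None if not logged in
    warp_enrolled: bool = False      # True when the device is on the team's WARP


@dataclass
class Policy:
    name: str
    action: str                                  # "bypass", "allow" or "block"
    include: List[Callable[[Request], bool]] = field(default_factory=list)
    require: List[Callable[[Request], bool]] = field(default_factory=list)


# Selector builders, each returning a predicate over a Request.
def ip_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r.src_ip) in net


def email_domain(domain):
    return lambda r: r.email is not None and r.email.lower().endswith("@" + domain)


def warp_device(r):
    return r.warp_enrolled


def matches(policy, req):
    """Include: at least one selector matches; Require: every selector matches."""
    return any(s(req) for s in policy.include) and all(s(req) for s in policy.require)


def decide(policies, req):
    """First matching policy wins; no match means the gateway denies the request."""
    for p in policies:
        if matches(p, req):
            return p.action, p.name
    return "block", "implicit-deny"


# Constructed equivalent of the reply's two rules: bypass for the VPN egress
# address, then WARP plus a company e-mail for everyone else.
POLICIES = [
    Policy("vpn-bypass", "bypass", include=[ip_in("203.0.113.10/32")]),
    Policy("warp-and-email", "allow",
           include=[email_domain("example.com")], require=[warp_device]),
]

if __name__ == "__main__":
    print(decide(POLICIES, Request("203.0.113.10")))
    print(decide(POLICIES, Request("198.51.100.7", "me@example.com", True)))
    print(decide(POLICIES, Request("198.51.100.7", "me@example.com", False)))
```

Run against the three sample requests it shows a bypass for the VPN address, an allow for a WARP device with a matching e-mail, and a block for the same identity off WARP, which is exactly the behaviour the reply describes.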


Hello @hackmann
but that in turn is a VPN and not pure Cloudflare Tunnel.

In theory you will need a VPN Client on all your devices as a P2S or if you’ll use S2S.

My goal was to be able to use Passbolt on any device that has Internet connectivity.

With the Mobile App at its current state, it does not want to give up Authentication and Verification to a third party. (Actually, fine in my book!)

Workaround would be a browser extension for Safari on iOS :wink: Since the webportal from Passbolt and Extension Communication is Ok.

Sincerely
Val.

Greetings,
I’m in the same boat. I am running Passbolt inside of a Docker container on my Synology NAS with a Cloudflare tunnel to give me outside access through a secure https address. Everything works great for the web browser and browser extension, but the mobile app gets those http redirect errors. I’ve tried turning off any Cloudflare authentication, but no change. Everything is hosted offsite, so it shouldn’t make a difference if I’m on wifi or cellular, and I’ve tried both without success.
I don’t think my setup is much different than the others in this discussion, but just throwing my setup into the mix in hopes that someone has an answer to getting the mobile app to work through the Cloudflare tunnel. I’m hoping to administer Passbolt across my organization with many users, and our work environment is almost entirely mobile and remote, so the function of the mobile app is pretty much a deal breaker if we can’t get past this.
Thanks,
Jamison


Greetings @Valvaris and @jhill

Like you guys, I had no problem using Passbolt and its Extension over Cloudflare Tunnel, in the desktop computer. I am using it with Google Chrome, Edge, and Brave browser. Works pretty good!

Sadly I did not find any solution about the mobile app, as you both know already. Those gateway redirections just kill the app functionality. It is not only on the passbolt mobile app, but in some other services I have that don't accept redirections or header changes…

Only solution I found was that workaround bypassing the cloudflare access gateway by setting up a VPN. Of course using the bypass I won't have the cloudflare security functionality and I need to install vpn in all my clients like @Valvaris said, but at least it works on my cellphone when I am not home (flawlessly). Since I am the only user on my server, I have no problem locking the entire instance down to work with vpn only. But that would be a pain in a bigger environment with a lot of users.

Same behavior I found in bitwarden and vaultwarden… mobile apps do not handle gateway redirections. It is not a passbolt "exclusivity", sadly.

Before cloudflare access, I was using Authelia… Same principle… proxy and redirections… and had the same results: doesn't work with those kinds of apps.

Would be awesome to see some tweaks on the mobile app by the developers, but I really don't know if that is even possible.

Cloudflare has announced a new authentication method called "pingidentity". I think that would work. But there is no free service and it is much too expensive… really expensive.

Cheerz!
