deploying-cloudflare-access-for-zero-trust

部署 Cloudflare Access 和 Cloudflare Tunnel,为自托管和私有应用程序提供零信任访问, 配置身份感知访问策略、设备态势检查,以及用于 VPN 替代的 WARP 客户端注册。

9 stars

Best use case

deploying-cloudflare-access-for-zero-trust is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

部署 Cloudflare Access 和 Cloudflare Tunnel,为自托管和私有应用程序提供零信任访问, 配置身份感知访问策略、设备态势检查,以及用于 VPN 替代的 WARP 客户端注册。

Teams using deploying-cloudflare-access-for-zero-trust should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How deploying-cloudflare-access-for-zero-trust Compares

Feature / Agentdeploying-cloudflare-access-for-zero-trustStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

部署 Cloudflare Access 和 Cloudflare Tunnel,为自托管和私有应用程序提供零信任访问, 配置身份感知访问策略、设备态势检查,以及用于 VPN 替代的 WARP 客户端注册。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 为零信任部署 Cloudflare Access

## 适用场景

- 使用 Cloudflare One 以身份感知应用访问取代 VPN 基础设施时
- 通过 Cloudflare Tunnel 暴露自托管内部应用程序而无需开放入站端口时
- 为分布式员工队伍访问 Web 应用、SSH 和 RDP 服务实施 ZTNA 时
- 需要具备集成 DLP、CASB 和 SWG 能力的经济高效零信任解决方案时
- 确保承包商和第三方对特定应用的访问而不赋予完整网络访问权限时

**不适用于**需要 Cloudflare Tunnel 不支持的持久 UDP 连接的应用程序、需要气隔离或完全本地访问控制的环境,或法规要求禁止通过第三方云基础设施路由流量的场景。

## 前置条件

- 具有零信任订阅的 Cloudflare 账户(最多 50 名用户免费,大型团队需付费计划)
- 由 Cloudflare DNS 管理的域名(或能够添加 CNAME 记录)
- 用于运行 `cloudflared` 隧道守护进程的 Linux、Windows 或 macOS 服务器
- 身份提供商:Okta、Microsoft Entra ID、Google Workspace、GitHub 或任何 SAML/OIDC 提供商
- 用于设备级注册的 Cloudflare WARP 客户端(可选但推荐)

## 工作流程

### 步骤 1:创建连接内部应用的 Cloudflare Tunnel

安装 `cloudflared` 并创建持久隧道以暴露内部服务。

```bash
# 在 Ubuntu/Debian 上安装 cloudflared
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb \
  -o cloudflared.deb
sudo dpkg -i cloudflared.deb

# 将 cloudflared 与 Cloudflare 账户关联认证
cloudflared tunnel login

# 创建命名隧道
cloudflared tunnel create internal-apps
# 输出:Created tunnel internal-apps with id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# 配置隧道路由到内部应用
cat > ~/.cloudflared/config.yml << 'EOF'
tunnel: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
credentials-file: /home/admin/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json

ingress:
  - hostname: wiki.company.com
    service: http://localhost:8080
  - hostname: git.company.com
    service: http://10.1.1.50:3000
  - hostname: grafana.company.com
    service: http://10.1.1.60:3000
  - hostname: ssh.company.com
    service: ssh://localhost:22
  - hostname: rdp.company.com
    service: rdp://10.1.1.100:3389
  # 兜底规则(必须)
  - service: http_status:404
EOF

# 将 DNS 路由到隧道
cloudflared tunnel route dns internal-apps wiki.company.com
cloudflared tunnel route dns internal-apps git.company.com
cloudflared tunnel route dns internal-apps grafana.company.com

# 将隧道作为 systemd 服务运行
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

# 验证隧道状态
cloudflared tunnel info internal-apps
```

### 步骤 2:配置身份提供商集成

配置与组织身份提供商的认证集成。

```bash
# 使用 Cloudflare API 将 Okta 配置为 IdP
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Corporate Okta",
    "type": "okta",
    "config": {
      "client_id": "OKTA_CLIENT_ID",
      "client_secret": "OKTA_CLIENT_SECRET",
      "okta_account": "company.okta.com",
      "api_token": "OKTA_API_TOKEN",
      "claims": ["email", "groups", "name"],
      "email_claim_name": "email"
    }
  }'

# 将 Microsoft Entra ID 配置为附加 IdP
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Microsoft Entra ID",
    "type": "azureAD",
    "config": {
      "client_id": "AZURE_APP_CLIENT_ID",
      "client_secret": "AZURE_APP_CLIENT_SECRET",
      "directory_id": "AZURE_TENANT_ID",
      "support_groups": true,
      "claims": ["email", "groups", "name"]
    }
  }'
```

### 步骤 3:创建访问应用和策略

为每个内部服务定义具有身份感知策略的访问应用。

```bash
# 为内部 wiki 创建访问应用
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Internal Wiki",
    "domain": "wiki.company.com",
    "type": "self_hosted",
    "session_duration": "8h",
    "auto_redirect_to_identity": true,
    "http_only_cookie_attribute": true,
    "same_site_cookie_attribute": "lax",
    "logo_url": "https://company.com/wiki-logo.png",
    "allowed_idps": ["OKTA_IDP_ID", "AZURE_IDP_ID"]
  }'

# 为 wiki 应用创建允许策略
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_id}/policies" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Allow Engineering Team",
    "decision": "allow",
    "precedence": 1,
    "include": [
      {"group": {"id": "ENGINEERING_GROUP_ID"}},
      {"okta": {"name": "Engineering", "identity_provider_id": "OKTA_IDP_ID"}}
    ],
    "require": [
      {"device_posture": {"integration_uid": "CROWDSTRIKE_INTEGRATION_ID"}}
    ]
  }'

# 为 SSH 访问创建访问应用
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "SSH Access",
    "domain": "ssh.company.com",
    "type": "ssh",
    "session_duration": "4h",
    "auto_redirect_to_identity": true
  }'
```

### 步骤 4:部署 WARP 客户端进行设备注册

使用 Cloudflare WARP 注册企业设备,以实现私有网络访问和设备态势检查。

```bash
# 创建设备注册规则
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Corporate Device Enrollment",
    "match": "identity.email matches \".*@company\\.com$\"",
    "precedence": 100,
    "enabled": true,
    "gateway_unique_id": "GATEWAY_ID",
    "support_url": "https://helpdesk.company.com/warp-help"
  }'

# 通过 MDM(Jamf/Intune)在 macOS 上安装 WARP
# 下载地址:https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/
# 使用 MDM 配置文件部署:
cat > warp_mdm_config.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>organization</key>
    <string>company</string>
    <key>auto_connect</key>
    <integer>1</integer>
    <key>switch_locked</key>
    <true/>
    <key>onboarding</key>
    <false/>
</dict>
</plist>
EOF

# 安装 Cloudflare 根证书用于 TLS 检查
# 下载地址:https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/
sudo cp cloudflare-root-ca.pem /usr/local/share/ca-certificates/cloudflare-root-ca.crt
sudo update-ca-certificates

# 配置分割隧道通过 WARP 路由私有网络
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '[
    {"suffix": "internal.corp", "description": "内部企业域名"},
    {"suffix": "10.0.0.0/8", "description": "私有网络范围"}
  ]'
```

### 步骤 5:配置设备态势检查

将端点安全信号集成到访问策略中。

```bash
# 添加 CrowdStrike 设备态势集成
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/posture/integration" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "CrowdStrike Falcon",
    "type": "crowdstrike_s2s",
    "config": {
      "api_url": "https://api.crowdstrike.com",
      "client_id": "CS_API_CLIENT_ID",
      "client_secret": "CS_API_CLIENT_SECRET",
      "customer_id": "CS_CUSTOMER_ID"
    },
    "interval": "10m"
  }'

# 创建磁盘加密设备态势规则
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/posture" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Disk Encryption Required",
    "type": "disk_encryption",
    "match": [{"platform": "windows"}, {"platform": "mac"}],
    "input": {"requireAll": true}
  }'

# 创建操作系统版本设备态势规则
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/posture" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Minimum OS Version",
    "type": "os_version",
    "match": [{"platform": "windows"}],
    "input": {"version": "10.0.19045", "operator": ">="}
  }'
```

### 步骤 6:设置审计日志和分析

配置访问决策日志记录和隧道健康监控。

```bash
# 启用 Logpush 将访问审计日志发送到 S3
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "access-audit-logs",
    "output_options": {
      "field_names": ["RayID","Action","Allowed","AppDomain","AppUUID","Connection","Country","CreatedAt","Email","IPAddress","PurposeJustificationPrompt","PurposeJustificationResponse","TemporaryAccessDuration","UserUID"],
      "timestamp_format": "rfc3339"
    },
    "destination_conf": "s3://security-logs-bucket/cloudflare-access/?region=us-east-1&access-key-id=AKID&secret-access-key=SECRET",
    "dataset": "access_requests",
    "enabled": true
  }'

# 通过 GraphQL Analytics API 查询访问日志
curl -X POST "https://api.cloudflare.com/client/v4/graphql" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "query": "{ viewer { accounts(filter: {accountTag: \"ACCOUNT_ID\"}) { accessLoginRequestsAdaptiveGroups(filter: {datetime_gt: \"2026-02-22T00:00:00Z\"}, limit: 100, orderBy: [count_DESC]) { dimensions { action appName userEmail country } count } } } }"
  }'
```

## 核心概念

| 术语 | 定义 |
|------|------|
| Cloudflare Tunnel | 从基础设施到 Cloudflare 网络的仅出站加密连接,无需开放入站防火墙端口即可暴露内部服务 |
| Cloudflare Access | 身份感知反向代理,在授权访问受保护应用前评估每个请求 |
| WARP Client | Cloudflare 端点 Agent,将设备流量路由到 Cloudflare 网络以执行策略和访问私有网络 |
| Access Application(访问应用)| 定义受保护资源(自托管、SaaS 或基础设施)及其关联访问策略的配置对象 |
| Device Posture(设备态势)| 端点健康信号(操作系统版本、磁盘加密、EDR 状态),作为访问策略的条件评估 |
| Cloudflare One | 统一 SASE 平台,整合 ZTNA(Access)、SWG(Gateway)、CASB、DLP 和 RBI |

## 工具与系统

- **Cloudflare Access**:提供每请求授权的身份感知应用代理
- **Cloudflare Tunnel(cloudflared)**:从内部网络到 Cloudflare 边缘创建加密隧道的守护进程
- **WARP Client**:用于设备注册、DNS 过滤和私有网络路由的跨平台端点 Agent
- **Cloudflare Gateway**:提供 DNS/HTTP 过滤和 DLP 检查的安全 Web 网关
- **Cloudflare Logpush**:向外部 SIEM 和存储目标实时流式传输日志
- **Access for Infrastructure**:基于短期证书和会话录制的 SSH 和 RDP 访问

## 常见场景

### 场景:拥有 200 名员工的初创公司从零开始部署零信任

**场景背景**:一家拥有 200 名员工的 SaaS 初创公司没有现有 VPN,希望为运行在 AWS 上的内部工具(Grafana、内部 API、暂存环境)提供安全访问。预算有限,团队没有专职安全人员。

**方法**:
1. 从 Cloudflare Zero Trust 免费版(最多 50 名用户)开始概念验证
2. 在生产 VPC 的 EC2 实例上部署一个 `cloudflared` 隧道
3. 通过隧道和 DNS 路由暴露 Grafana、内部 wiki 和暂存应用
4. 配置 Google Workspace 作为 IdP 进行单点登录认证
5. 创建要求所有应用使用 @company.com 邮箱域的访问策略
6. 添加磁盘加密和操作系统版本的设备态势检查
7. 升级到付费计划,通过 MDM 将 WARP 客户端部署到所有员工笔记本
8. 启用 Gateway DNS 过滤和 HTTP 检查以防范恶意软件
9. 配置 Logpush 将访问日志发送到 Datadog 进行监控

**常见陷阱**:TLS 检查功能需要在所有设备上安装 Cloudflare 根证书,某些应用可能因 TLS 拦截而中断。隧道故障转移需要运行多个 `cloudflared` 实例或使用 Cloudflare 的副本功能。访问策略应始终包含默认拒绝规则。WebSocket 应用可能需要特定的隧道配置。

## 输出格式

```
Cloudflare Zero Trust 部署报告
==================================================
组织:StartupCorp
团队名称:startupcorp
部署日期:2026-02-23

隧道基础设施:
  活跃隧道:2(主 + 故障转移)
  隧道状态:健康
  连接边缘:华盛顿特区、Ashburn
  入站路由:8

访问应用:
  自托管应用:6
  SaaS 应用:3
  SSH/基础设施:2
  总策略数:15

设备注册:
  已注册设备:187 / 200
  WARP 已连接:182 / 187(97.3%)
  态势合规:175 / 187(93.6%)

访问指标(过去 30 天):
  总请求数:89,432
  已允许:88,756(99.2%)
  已拦截:676(0.8%)
  唯一用户数:195
  国家/地区:12
  平均会话时长:6.2 小时
```

Related Skills

testing-for-broken-access-control

9
from killvxk/cybersecurity-skills-zh

系统性测试 Web 应用程序中的访问控制缺陷,包括权限提升、缺失的功能级检查以及不安全的直接对象引用。

securing-remote-access-to-ot-environment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖为操作员、工程师和供应商实施OT/ICS环境的安全远程访问,同时防止可能危害工业运营的未授权访问。涉及跳板服务器架构、多因素认证、会话记录、特权访问管理、供应商远程访问控制,以及符合IEC 62443和NERC CIP-005远程访问要求。

performing-privileged-account-access-review

9
from killvxk/cybersecurity-skills-zh

对特权账户进行系统性审查,验证访问权限,识别过多权限,并在 PAM 基础设施中执行最小权限原则。

performing-initial-access-with-evilginx3

9
from killvxk/cybersecurity-skills-zh

在红队演练中,使用 EvilGinx3 中间人(Adversary-in-the-Middle)钓鱼框架执行授权的初始访问,捕获会话令牌并绕过多因素认证(MFA)。

performing-credential-access-with-lazagne

9
from killvxk/cybersecurity-skills-zh

在授权红队行动中,使用 LaZagne 后渗透工具从已控制的终端提取存储的凭据,从浏览器、数据库、系统密钥库和应用程序中恢复密码。

performing-active-directory-forest-trust-attack

9
from killvxk/cybersecurity-skills-zh

使用 impacket 枚举和审计 Active Directory 林信任关系,进行 SID 过滤分析、信任密钥提取、跨林 SID 历史滥用检测和跨域 Kerberos 票据评估。

performing-access-review-and-certification

9
from killvxk/cybersecurity-skills-zh

开展系统性的访问审查和认证,确保用户拥有与其角色相符的访问权限。涵盖审查活动设计、审查员选择、基于风险的优先级排序、微认证策略,以及满足 SOX、HIPAA 和 PCI DSS 要求的整改跟踪。

performing-access-recertification-with-saviynt

9
from killvxk/cybersecurity-skills-zh

在 Saviynt Enterprise Identity Cloud 中配置和执行访问重认证活动,以验证用户权限、撤销多余的访问权限,并维持对 SOX、SOC2 和 HIPAA 的合规性。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。

implementing-zero-trust-with-beyondcorp

9
from killvxk/cybersecurity-skills-zh

使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。

implementing-zero-trust-network-access

9
from killvxk/cybersecurity-skills-zh

通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。

implementing-zero-trust-network-access-with-zscaler

9
from killvxk/cybersecurity-skills-zh

使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构