Description
1. Context & Architecture
Goal: Accelerate the self-hosted evaluation process by eliminating infrastructure delays (DNS, SSL, Firewall) that typically stall POVs for 30-60 days.
The Solution: We are introducing a "POV Acceleration Bundle" utilizing a pre-provisioned Cloudflare Tunnel.
- Networking: Uses `cloudflared` for an outbound-only connection (no inbound ports 80/443 required).
- DNS: Routes `*.customer-pov.flowfuse-managed.com` directly to their local container.
- Traffic Flow: User -> Cloudflare Edge -> Tunnel -> Nginx (Local) -> Forge App / Broker.
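The topology above, written out as an added Terraform example (not FlowFuse's own provisioning code) using the Cloudflare provider's v4 resource names. It assumes `var.account_id` and `var.zone_id` identify the `flowfuse-managed.com` account and zone, that `var.customer` is the per-customer label used in the hostname, and that `nginx` resolves inside the docker-compose network to the local reverse proxy that fronts the Forge app and broker; the `tunnel_token` output is the only secret handed to the customer.

```hcl
# Added example: pre-provisioned Cloudflare Tunnel for one POV customer.
# Assumed inputs: account/zone IDs and a short customer label.
variable "account_id" { type = string }
variable "zone_id"    { type = string }
variable "customer"   { type = string } # e.g. "acme" -> *.acme-pov.flowfuse-managed.com

locals {
  pov_zone = "${var.customer}-pov.flowfuse-managed.com"
}

# Tunnel secret is generated at provisioning time and stays in Terraform
# state; the customer only ever receives the derived tunnel token.
resource "random_id" "tunnel_secret" {
  byte_length = 32
}

resource "cloudflare_tunnel" "pov" {
  account_id = var.account_id
  name       = "pov-${var.customer}"
  secret     = random_id.tunnel_secret.b64_std
}

# Ingress rules: every hostname under *.<customer>-pov.flowfuse-managed.com is
# handed to the local Nginx, which does the per-service routing (Forge UI,
# broker, file server). Anything that matches no rule falls through to a 404.
# Because cloudflared dials out to the edge, no inbound 80/443 is opened.
resource "cloudflare_tunnel_config" "pov" {
  account_id = var.account_id
  tunnel_id  = cloudflare_tunnel.pov.id

  config {
    ingress_rule {
      hostname = "*.${local.pov_zone}"
      service  = "http://nginx:80" # assumed docker-compose service name
    }
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# Proxied wildcard CNAME pointing the customer's POV subdomain at the tunnel.
# The origin IP never appears in DNS, so there is nothing to firewall inbound.
resource "cloudflare_record" "pov_wildcard" {
  zone_id = var.zone_id
  name    = "*.${local.pov_zone}"
  type    = "CNAME"
  value   = "${cloudflare_tunnel.pov.id}.cfargotunnel.com"
  proxied = true
}

# The one artefact shipped in the bundle: the token cloudflared starts with.
output "tunnel_token" {
  value     = cloudflare_tunnel.pov.tunnel_token
  sensitive = true
}
```

The wildcard ingress rule deliberately keeps all service routing in the local Nginx, so the tunnel configuration does not need to change when a new service is added to the compose stack; only the Access policy (see section 3) decides which of those hostnames get an auth wall at the edge.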
2. Security Strategy & Assumptions
Current Configuration:
I have applied a Cloudflare Access Policy (SSO/PIN Auth Wall) strictly to the Forge Application (UI) to protect the unhardened trial instance.
Assumption: I have not locked down the other services (e.g., MQTT Broker, File Server) at the Cloudflare edge. I am assuming their native service-to-service authentication (e.g., `mosquitto-go-auth` tokens) and encryption are sufficient for the POV. The Auth Wall is specifically targeting the Forge UI, as MFA and SSO are rarely configured during the initial evaluation phase.
3. Engineering Review (The Ask)
A. Endpoint Whitelist
Because the Forge UI is behind an Auth Wall, I have identified the following paths that must be bypassed to ensure core functionality:
- `/api/*` - Required for Remote Instances: Necessary to get "Dev Mode" working on remote instances.
- `/account/*` - Required for Hosted Instances: Necessary to allow editing of hosted instances.
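The Access configuration described in sections 2 and 3A, as an added Terraform example (not FlowFuse's own code) with the Cloudflare provider's v4 resource names. It assumes the Forge UI is served on `forge.<customer>-pov.flowfuse-managed.com`, that the evaluating team logs in with addresses under `var.customer_email_domain`, and that the MQTT broker and file server hostnames get no Access application at all, mirroring the assumption stated above. The bypass carve-outs are modelled the way Access expects them: a separate self-hosted application scoped to the path, carrying a `bypass` policy.

```hcl
# Added example: auth wall on the Forge UI plus path-scoped bypasses.
# Assumed inputs: zone ID, customer label, and the evaluating team's e-mail domain.
variable "zone_id"               { type = string }
variable "customer"              { type = string }
variable "customer_email_domain" { type = string } # e.g. "acme.example" (placeholder)

locals {
  forge_host = "forge.${var.customer}-pov.flowfuse-managed.com"

  # Paths that non-browser clients call and that must not hit the login page.
  bypass_paths = {
    api     = "/api"     # Dev Mode on remote instances
    account = "/account" # editing hosted instances
  }
}

# 1) The auth wall: every request to the Forge hostname must pass Access
#    (one-time PIN or SSO, whichever login method the account has enabled).
resource "cloudflare_access_application" "forge_ui" {
  zone_id          = var.zone_id
  name             = "POV ${var.customer} - Forge UI"
  domain           = local.forge_host
  type             = "self_hosted"
  session_duration = "24h"
}

resource "cloudflare_access_policy" "forge_ui_allow" {
  application_id = cloudflare_access_application.forge_ui.id
  zone_id        = var.zone_id
  name           = "Evaluating team only"
  precedence     = 1
  decision       = "allow"
  include {
    email_domain = [var.customer_email_domain]
  }
}

# 2) Bypass carve-outs. Access applies the most specific matching application,
#    so an application scoped to host+path wins over the hostname-wide one.
#    A "bypass" decision forwards the request to the origin with no Access
#    check, so these paths rely solely on Forge's own token/session auth.
#    Assumption: a path entry such as "/api" also covers everything beneath it,
#    which is what the "/api/*" wording in the list above intends.
resource "cloudflare_access_application" "forge_bypass" {
  for_each         = local.bypass_paths
  zone_id          = var.zone_id
  name             = "POV ${var.customer} - Forge ${each.key} bypass"
  domain           = "${local.forge_host}${each.value}"
  type             = "self_hosted"
  session_duration = "24h"
}

resource "cloudflare_access_policy" "forge_bypass" {
  for_each       = local.bypass_paths
  application_id = cloudflare_access_application.forge_bypass[each.key].id
  zone_id        = var.zone_id
  name           = "Bypass ${each.value}"
  precedence     = 1
  decision       = "bypass"
  include {
    everyone = true
  }
}
```

Keeping the bypass list in a single `locals` map makes the whitelist reviewable in one place: adding or removing an endpoint from the list is one line, and `terraform plan` shows exactly which edge-level exception changes. Anything not in the map still lands on the login page, which is the quickest way to spot a missing endpoint during the POV.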
Question: Are there any other critical endpoints missing from this list that will break without a bypass?
B. Service Exposure
Question: Is my assumption to leave the other apps (like the MQTT Broker) exposed—relying solely on their internal auth—correct? Or should I be locking down other specific services in the docker-compose stack at the Cloudflare Edge level as well?