
Ability to add custom headers for Cloudflare Zero Trust #1258

Open
eamontaf opened this issue Aug 15, 2024 · 2 comments
Comments

@eamontaf

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

This request is similar to issue 1026. We are interested in being able to generate certificates on clients through a Cloudflare Zero Trust tunnel. According to the cloudflare documentation here, we would need to be able to set the 'cf-access-token' header with a value that is generated with the cloudflared command line utility. This would allow us to perform authentication and authorization prior to reaching our stepca instance.

Why is this needed?

Such a tunnel increases the security of our deployment by providing an additional layer of authentication and authorization. If there were a chance to pass user data into step, it would also potentially provide the ability to template certificates to prevent users from inadvertently or maliciously issuing a certificate with incorrect parameters such as a common name or email address.

We are currently building a CA that will issue certificates to Yubikey holders and are using a webhook to map Yubikey serial numbers to users. This could remove the need for the webhook if we could verify that a user had permissions to access the CA via Cloudflare rather than needing to provide access over VPN or a physical connection to our network. It also may reduce the administrative burden of maintaining the webhook and the user-to-Yubikey mappings.

@eamontaf eamontaf added the enhancement and needs triage (Waiting for discussion / prioritization by team) labels Aug 15, 2024
@hslatman hslatman self-assigned this Aug 20, 2024
@hslatman (Member)

Hi @eamontaf,

Thank you for opening the issue. We've discussed it in our open source triage meeting. We concluded that we need some more information about how step and step-ca are intended to work in combination with Cloudflare Zero Trust. The main thing we foresee issues with is our use of mTLS to access certain CA endpoints. How can those be supported with CF ZT sitting in front?

So far this is the only request to support this, and we don't currently have the bandwidth to implement this ourselves, so this'll go on our backlog for now. But we're open to accepting PRs to support this.
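How the request the issue describes could be assembled on the client side, as an added example (not code from the issue, from smallstep, or from Cloudflare): a Go HTTP client that injects the cf-access-token header on every request while leaving whatever base transport it wraps untouched, so an *http.Transport carrying an mTLS client certificate, the concern raised in the reply above, still presents it underneath the header. The `cloudflared access token --app` invocation, the constructed stand-in for the Access check, and the sample token value are assumptions; whether Cloudflare forwards the client certificate to the origin is not settled by this thread and the example does not claim it.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os/exec"
	"strings"
)

// accessHeader is the header the issue says Cloudflare Access expects, carrying
// a token minted by the cloudflared CLI.
const accessHeader = "cf-access-token"

// headerTransport wraps any http.RoundTripper and adds one fixed header to each
// outgoing request. The base transport is left untouched, so an *http.Transport
// that already presents a client certificate keeps doing so.
type headerTransport struct {
	base  http.RoundTripper
	name  string
	value string
}

func (t *headerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
	r.Header.Set(t.name, t.value)
	base := t.base
	if base == nil {
		base = http.DefaultTransport
	}
	return base.RoundTrip(r)
}

// clientWithAccessToken returns a client that sends cf-access-token on every
// request. Pass a base transport with TLSClientConfig.Certificates set to also
// present an mTLS client certificate; pass nil for plain HTTPS.
func clientWithAccessToken(token string, base http.RoundTripper) *http.Client {
	return &http.Client{Transport: &headerTransport{base: base, name: accessHeader, value: token}}
}

// mtlsTransport builds the base transport for CA endpoints that require a
// client certificate; the header wrapper sits on top of it.
func mtlsTransport(cert tls.Certificate) *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}}
}

// cloudflaredToken shells out to `cloudflared access token --app <url>`. That
// subcommand and flag are an assumption about the cloudflared CLI, not stated in
// the issue; this function is not exercised by the tests.
func cloudflaredToken(appURL string) (string, error) {
	out, err := exec.Command("cloudflared", "access", "token", "--app", appURL).Output()
	if err != nil {
		return "", fmt.Errorf("cloudflared access token: %w", err)
	}
	tok := strings.TrimSpace(string(out))
	if tok == "" {
		return "", fmt.Errorf("cloudflared printed an empty token")
	}
	return tok, nil
}

// newFakeAccessGate is a constructed stand-in for Cloudflare Access in front of
// the CA (not Cloudflare's real behaviour): requests without the expected token
// are rejected with 403, all others reach the "CA" and get 200.
func newFakeAccessGate(expected string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(accessHeader) != expected {
			http.Error(w, "access denied", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "ca reached: %s", r.URL.Path)
	}))
}

// fetchStatus performs a GET and returns only the HTTP status code.
func fetchStatus(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	gate := newFakeAccessGate("constructed-token") // sample token, not a real one
	defer gate.Close()

	with, _ := fetchStatus(clientWithAccessToken("constructed-token", nil), gate.URL+"/1.0/sign")
	without, _ := fetchStatus(http.DefaultClient, gate.URL+"/1.0/sign")
	fmt.Printf("with header: %d, without: %d\n", with, without) // 200, 403
}
```

To run it against a real deployment you would replace the fake gate with the CA's public hostname behind the tunnel, obtain the token with cloudflaredToken, and pass mtlsTransport(cert) as the base for the endpoints that require a client certificate; the header wrapper never needs to know which transport it is decorating.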

@hslatman hslatman added this to the Backlog milestone Aug 20, 2024
@hslatman hslatman removed the needs triage (Waiting for discussion / prioritization by team) label Aug 20, 2024
@eamontaf (Author)

It appears that Cloudflare ZT provides an option to pass through untrusted certificates and other options to limit how the connection is handled (docs here), so that may facilitate this. What CA endpoints in particular are the concern?
