Cloudflare Access Setup
Cloudflare Access Setup - Step-by-Step Implementation Guide
Prerequisites ✅
Before starting, ensure you have:
- Admin access to your Cloudflare account
- The domain latts.ie (or your target domain) added to Cloudflare
- Cloudflare Pages deployment working (✅ Already completed)
Step 1: Enable Cloudflare Zero Trust
Navigate to Zero Trust Dashboard
- Go to Cloudflare Dashboard
- Select your account
- Click on “Zero Trust” in the left sidebar
- If first time: Follow the setup wizard to create your Zero Trust organization
Set Your Team Domain
- Choose a team domain (e.g., latts.cloudflareaccess.com)
- This will be used for authentication flows
Step 2: Configure GitHub OAuth Identity Provider
Create GitHub OAuth App
Go to GitHub Settings
- Navigate to GitHub → Settings → Developer settings → OAuth Apps
- Click “New OAuth App”
Configure OAuth App
Application name: LATTS Internal Docs Access
Homepage URL: https://docs.latts.ie
Authorization callback URL: https://latts.cloudflareaccess.com/cdn-cgi/access/callback
Replace latts with your actual team domain.
Save Client Details
- Copy the Client ID
- Generate and copy the Client Secret
Add GitHub Provider to Cloudflare
Navigate to Identity Providers
Zero Trust → Settings → Authentication → Login methods → Add new
Select GitHub
- Choose “GitHub” from the list
- Enter your Client ID and Client Secret
- Click “Test” to verify connection
- Save the configuration
Step 3: Create Access Application
Navigate to Applications
Zero Trust → Access → Applications → Add an application
Choose Application Type
- Select “Self-hosted”
Configure Application
Application name: LATTS Internal Documentation
Session Duration: 24 hours (or preferred)
Application domain: docs.latts.ie
Set Path Coverage
Subdomain: latts-internal-docs
Domain: pages.dev
Path: /* (covers entire site)
Step 4: Configure Access Policies
Policy 1: LATTS Team Members Only
Create New Policy
- Policy name: LATTS Team Access
- Action: Allow
Configure Rules
Include:
- Login Methods: GitHub
- GitHub Organization: latts-ie
Require (optional - for additional security):
- Device Posture: Corporate device
- Country: Ireland, United States (adjust as needed)
Save Policy
Policy 2: Admin Override (Optional)
Create Emergency Access Policy
- Policy name: Admin Emergency Access
- Action: Allow
- Priority: Higher than team policy
Configure Rules
Include:
- Emails: admin@latts.ie, security@latts.ie
Step 5: Test and Verify
Initial Testing
Open Private/Incognito Browser
- Navigate to your docs site
- You should see the Cloudflare Access login page
Test GitHub Login
- Click “Sign in with GitHub”
- Authorize the OAuth app
- Verify you’re redirected to the docs site
Test Organization Membership
- Try with a GitHub account NOT in the latts-ie organization
- Should be denied access
Verification Checklist
- Site redirects to Cloudflare Access login
- GitHub OAuth flow works correctly
- Only latts-ie organization members can access
- Non-members are properly denied
- Session duration works as configured
- Logout functionality works
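A small check for the first checklist item, added here and not part of the original guide: it sends one cookie-less request to the docs site without following redirects and confirms the response is an HTTPS redirect to an Access path on the team domain. The team domain and docs URL are the ones used in this guide; the /cdn-cgi/access/ path-prefix check is an assumption about where the Access login redirect lands.

```python
import urllib.request
import urllib.error
from urllib.parse import urlparse

TEAM_DOMAIN = "latts.cloudflareaccess.com"   # team domain chosen in Step 1
DOCS_URL = "https://docs.latts.ie/"          # application domain from Step 3
ACCESS_PATH_PREFIX = "/cdn-cgi/access/"      # assumption: Access login paths live under this prefix


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; let the 3xx surface so it can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_response(status, location, team_domain=TEAM_DOMAIN):
    """Judge one unauthenticated response and return (ok, reason)."""
    if status == 200:
        return False, "content served without authentication: Access is not enforced"
    if status not in (301, 302, 303, 307, 308):
        return False, f"unexpected status {status}"
    if not location:
        return False, "redirect without a Location header"
    target = urlparse(location)
    if target.scheme != "https":
        return False, "redirect is not HTTPS"
    if target.hostname != team_domain:
        return False, f"redirect goes to {target.hostname}, not the team domain"
    if not target.path.startswith(ACCESS_PATH_PREFIX):
        return False, f"redirect path {target.path} is not an Access login path"
    return True, "unauthenticated request is redirected to the Cloudflare Access login"


def probe(url=DOCS_URL, team_domain=TEAM_DOMAIN):
    """Send one GET with no cookies and classify the result (needs network access)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "access-check/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return classify_response(resp.getcode(), resp.headers.get("Location"), team_domain)
    except urllib.error.HTTPError as err:   # a 3xx arrives here because redirects are blocked
        return classify_response(err.code, err.headers.get("Location"), team_domain)


if __name__ == "__main__":
    ok, reason = probe()
    print(("PASS" if ok else "FAIL") + ": " + reason)
```

Run it from a machine that has never signed in; a PASS from an authenticated browser session would prove nothing.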
Step 6: Configure Advanced Security (Optional)
Enable Audit Logging
Go to Analytics
Zero Trust → Analytics → Access
Enable Detailed Logging
- Turn on request logging
- Configure log retention (recommended: 6 months)
Set Up Access Policies Alerts
Create Gateway Policies (if using Gateway)
Zero Trust → Gateway → Policies
Configure Alerts
- Failed login attempts (>5 in 10 minutes)
- Access from new countries
- Unusual access patterns
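As an added illustration of the first alert rule (not part of the original guide), this script replays exported Access log records and flags any identity with more than 5 denied logins inside a rolling 10-minute window. The records are constructed for the example, and the field names (CreatedAt, Email, Allowed, AppDomain) are assumptions; map them to whatever your log export actually uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 5                    # alert rule from the guide: more than 5 failures ...
WINDOW = timedelta(minutes=10)   # ... within 10 minutes


def _rec(email, minute, allowed=False):
    """Build one constructed log record; the field names are an assumption."""
    return {"CreatedAt": f"2024-05-01T09:{minute:02d}:00Z", "Email": email,
            "Allowed": allowed, "AppDomain": "docs.latts.ie"}


SAMPLE_LOG = (  # constructed sample data, not real traffic
    [_rec("mallory@example.net", m) for m in (0, 1, 2, 3, 4, 5)]          # 6 denials in 5 minutes
    + [_rec("bob@example.net", m) for m in (0, 12, 24, 36, 48, 59)]       # 6 denials spread over an hour
    + [_rec("alice@latts.ie", 7, allowed=True), _rec("alice@latts.ie", 8)]  # one success, one denial
)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_bursts(records, threshold=THRESHOLD, window=WINDOW):
    """Return {email: time of the denial that crossed the threshold}."""
    denials = defaultdict(list)
    for rec in records:
        if not rec.get("Allowed", True):     # a record without the field is ignored
            denials[rec["Email"]].append(parse_ts(rec["CreatedAt"]))
    alerts = {}
    for email, times in denials.items():
        times.sort()
        start = 0
        for end, now in enumerate(times):
            while now - times[start] > window:   # slide the window so it spans at most 10 min
                start += 1
            if end - start + 1 > threshold:
                alerts[email] = now
                break
    return alerts


if __name__ == "__main__":
    for email, when in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {email}: more than {THRESHOLD} denied logins by {when.isoformat()}")
```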
Device Requirements (Enhanced Security)
Enable Device Posture
Zero Trust → Settings → WARP Client
Require Corporate Devices
- Only allow access from managed devices
- Require up-to-date antivirus
- Check for OS security updates
Troubleshooting
Common Issues
GitHub OAuth not working?
- Verify callback URL matches exactly: https://[team-domain].cloudflareaccess.com/cdn-cgi/access/callback
- Check that OAuth app is approved for your organization
- Ensure Client ID and Secret are correct
Access denied for team members?
- Verify they’re in the latts-ie GitHub organization
- Check organization visibility settings
- Confirm OAuth app has organization access
Infinite redirect loops?
- Clear browser cookies
- Check that Cloudflare Pages domain matches Access application domain
- Verify DNS settings point to Cloudflare
Debug Steps
Check Access Logs
Zero Trust → Analytics → Access → View detailed logs
Test Authentication
Zero Trust → Settings → Authentication → Test login method
Verify Policies
Zero Trust → Access → Applications → [Your App] → Policies
Security Best Practices
Regular Maintenance
- Monthly: Review access logs for unusual patterns
- Quarterly: Audit team member access and remove inactive users
- Bi-annually: Rotate OAuth app secrets
- Annually: Review and update access policies
Monitoring
- Set up alerts for failed authentication attempts
- Monitor session durations and adjust as needed
- Track which team members access the documentation
- Review geographic access patterns
Backup Access
- Maintain at least 2 admin accounts with override access
- Document emergency access procedures
- Keep OAuth app backup credentials in a secure location
- Test emergency access procedures quarterly
Final Configuration Summary
Once complete, your setup will have:
- ✅ GitHub OAuth Integration: Seamless login with GitHub accounts
- ✅ Organization-based Access Control: Only latts-ie members allowed
- ✅ Comprehensive Audit Logging: Full access tracking and analytics
- ✅ Session Management: Configurable timeout and security policies
- ✅ Emergency Access: Admin override capabilities for critical situations
Your internal documentation is now secured with enterprise-grade access control! 🔐
Next Steps
After implementing Cloudflare Access:
- Train Team Members: Share login process and troubleshooting
- Document Access Procedures: Add to team onboarding materials
- Set Up Monitoring: Configure alerts and regular access reviews
- Plan Maintenance: Schedule regular security audits and updates