Any options for configuring 2FA besides Cloudflare?

Please don’t hack my blog and all that!

I know that Cloudflare Access can be used to lock down pretty much anything but (for reasons that evade me) I can’t get it running. I’ve looked and looked over my config. I’ve got it working previously without issue. But … the security “checkpoint” just won’t load.

As figuring this out might take a while, I’m wondering whether there are any alternatives at all for securing the backend with 2FA … or just about anything else that might make accessing it more secure and more challenging for a would-be intruder.

TIA for any suggestions.

I’ll assume you are #selfhosting and not using Ghost(Pro). Here’s what you can do:

Tailscale

  1. Install and run Tailscale on your webserver and your laptop. It’s free if it’s just you and these two devices. It’s also pretty easy to set up. This will put your laptop and the server on the same private network, no matter where in the world your laptop is. Each will have their own static, private IP address on this network.
  2. Update your Nginx or other web server configuration with the allow directive in the location blocks for the admin login page and other admin API URLs.

Now your admin features are only accessible to your private “tailnet”.

The same concept could be used with any VPN service that allows you to limit access to its private IP range.

Alternately, you could not use either and use Nginx to only allow access to the admin area from your home IP address or a range assigned to your local ISP that your IP always falls between.
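One way to write the allow rule from step 2 of the reply above, as an added example that is not part of the original post. The hostname, the upstream address 127.0.0.1:2368 (Ghost's default port), and the /ghost/ and /ghost/api/content/ paths are assumptions about a typical self-hosted Ghost install; check them against your own setup.

```nginx
# Added example with constructed values; not taken from the thread.
server {
    listen 443 ssl;
    server_name blog.example.com;        # placeholder hostname

    # Keep your existing ssl_certificate / ssl_certificate_key lines here.

    # Set once at server level; inherited by every location below
    # because none of them defines its own proxy_set_header.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Admin login page and Admin API (assumed to live under /ghost/).
    location ^~ /ghost/ {
        allow 100.64.0.0/10;             # range Tailscale assigns tailnet addresses from
        # allow 203.0.113.7;             # alternative: a fixed home IP (documentation address)
        deny  all;                       # everyone else gets 403 Forbidden
        proxy_pass http://127.0.0.1:2368;
    }

    # Assumption: the read-only Content API also sits under /ghost/.
    # The longer prefix wins, so this stays public if your theme needs it.
    location ^~ /ghost/api/content/ {
        proxy_pass http://127.0.0.1:2368;
    }

    # Public site stays open to everyone.
    location / {
        proxy_pass http://127.0.0.1:2368;
    }
}
```

The allow and deny directives match the address of the connecting client, so the rule only passes when the browser reaches the server over the tailnet (through the server's Tailscale address). If a proxy or CDN sits in front of Nginx, Nginx sees the proxy's address instead.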

Cloudflare is working for me in the end (I forgot that I installed WARP and apparently was automatically authenticating) but … I’m a huge fan (and user) of Tailscale too. Thank you very much for these notes (@markstos) which I look forward to implementing!
