Cloudflare Access Security
1 Cloudflare Access Security Configuration
1.1 Overview
Ethical Capital implements a default-deny security posture using Cloudflare Access, where all resources require authentication except specifically bypassed public sites.
1.2 Security Architecture
1.2.1 🌐 Public Resources (No Authentication)
- ethicic.com - Main company website
- dryvest.ethicic.com - Dryvest platform
- labs.ethicic.com - Labs and experimental features
1.2.2 🔐 Protected Resources (Authentication Required)
- matrix.ethical-capital.workers.dev - Matrix vector search system
- docs.ethicic.com - Internal documentation
- *.ethicic.com - All other subdomains (wildcard protection)
- *.ethical-capital.workers.dev - All Workers applications
1.3 Implementation Details
1.3.1 Access Applications Configured
1.3.1.1 1. Public Sites Bypass
- Application Name: Public Sites Bypass
- Domains:
- ethicic.com
- dryvest.ethicic.com
- labs.ethicic.com
- Policy: Bypass - Everyone
- Purpose: Allows unrestricted public access to marketing sites
1.3.1.2 2. Matrix Search Protection
- Application Name: Matrix Search
- Domain: matrix.ethical-capital.workers.dev
- Policy: Allow - @ethicic.com email domain
- Session Duration: 8 hours
- Purpose: Secures the Matrix vector search system
1.3.1.3 3. Documentation Protection
- Application Name: Documentation Site
- Domain: docs.ethicic.com
- Policy: Allow - @ethicic.com email domain
- Session Duration: 8 hours
- Purpose: Protects internal documentation
1.3.1.4 4. Default Subdomain Protection
- Application Name: Default Protection - All Subdomains
- Domains:
- *.ethicic.com
- *.ethical-capital.workers.dev
- Policy: Allow - @ethicic.com email domain
- Purpose: Catches any new subdomains or Workers
1.3.2 Authentication Method
One-time PIN via Email
- Users authenticate using their @ethicic.com email address
- Secure PIN sent to verified email
- No additional identity provider dependencies
- Session duration: 8 hours
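To reason about how the four applications in 1.3.1 and the email-domain policy in 1.3.2 compose for a given hostname and login, the following added example models them offline. It is not Ethical Capital's tooling and it does not call Cloudflare; the application list is transcribed from this page, while the matching rules are assumptions stated in the module docstring (a wildcard does not cover its zone apex, an exact domain beats a wildcard, and a host matched by no application is simply not behind Access). The `uncovered` helper is the check a reviewer would run when auditing whether the default-deny posture really reaches every deployed name.

```python
"""Offline model of the Access applications documented in 1.3.1 and 1.3.2.

Added example for reasoning about the configuration; it is not Ethical
Capital's tooling and does not call Cloudflare. Assumptions (not from the
page): a wildcard pattern "*.zone" matches any hostname below the zone but
not the zone apex itself; when several applications match a host, an exact
domain beats a wildcard and a longer wildcard beats a shorter one; a host
that no application matches is served without Access at all.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessApp:
    name: str
    domains: Tuple[str, ...]
    decision: str                       # "bypass" or "allow"
    email_domain: Optional[str] = None  # required sender domain for "allow"
    session_hours: Optional[int] = None


# The four applications from section 1.3.1, transcribed from this page.
APPS = (
    AccessApp("Public Sites Bypass",
              ("ethicic.com", "dryvest.ethicic.com", "labs.ethicic.com"), "bypass"),
    AccessApp("Matrix Search", ("matrix.ethical-capital.workers.dev",),
              "allow", "ethicic.com", 8),
    AccessApp("Documentation Site", ("docs.ethicic.com",), "allow", "ethicic.com", 8),
    AccessApp("Default Protection - All Subdomains",
              ("*.ethicic.com", "*.ethical-capital.workers.dev"), "allow", "ethicic.com", 8),
)


def match_score(pattern: str, host: str) -> int:
    """0 if no match; otherwise higher means more specific (assumed precedence)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # "*.ethicic.com" -> ".ethicic.com"
        # endswith on the dotted suffix rejects look-alikes such as "evilethicic.com"
        return len(suffix) if host.endswith(suffix) else 0
    return 1000 if host == pattern else 0   # exact hostnames always win


def find_app(host: str, apps=APPS) -> Optional[AccessApp]:
    best, best_score = None, 0
    for app in apps:
        score = max(match_score(p, host) for p in app.domains)
        if score > best_score:
            best, best_score = app, score
    return best


def decide(host: str, email: Optional[str] = None, apps=APPS) -> Tuple[str, Optional[str]]:
    """Return (outcome, application name).

    outcome is "bypass", "allow", "deny", or "no_access_app" for a host that
    no application covers (that host would not be behind Access at all).
    """
    app = find_app(host, apps)
    if app is None:
        return "no_access_app", None
    if app.decision == "bypass":
        return "bypass", app.name
    # Compare the full domain after the last "@"; a prefix check would accept
    # addresses such as user@ethicic.com.attacker.example.
    sender_domain = email.lower().rsplit("@", 1)[-1] if email and "@" in email else None
    if sender_domain == app.email_domain:
        return "allow", app.name
    return "deny", app.name


def session_valid(issued_at: datetime, now: datetime, app: AccessApp) -> bool:
    """True while the session is younger than the application's session duration."""
    if app.session_hours is None:
        return False
    return timedelta(0) <= now - issued_at < timedelta(hours=app.session_hours)


def uncovered(hosts, apps=APPS):
    """Hostnames in the list that no application matches; useful when auditing
    that the default-deny posture really covers every deployed name."""
    return [h for h in hosts if find_app(h, apps) is None]


if __name__ == "__main__":
    for host, email in [("ethicic.com", None),
                        ("docs.ethicic.com", "alice@ethicic.com"),
                        ("docs.ethicic.com", "mallory@example.net"),
                        ("new-tool.ethicic.com", "alice@ethicic.com")]:
        print(host, email, "->", decide(host, email))
    print("uncovered:", uncovered(["ethicic.com", "ethical-capital.workers.dev"]))
```

Run it directly to see the decisions for a few hosts; the model makes two points visible that the application list alone does not: the apex `ethicic.com` is reachable only because the bypass application names it explicitly (the `*.ethicic.com` wildcard would not cover it under the stated assumption), and an email policy must compare the whole domain after the last `@`, not a prefix.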
1.4 Testing & Verification
1.4.1 Automated Testing
Testing script located at: /Users/srvo/dev/matrix/test-access-policies.sh
#!/bin/bash
# Test all Access policies: one request per URL, no redirect following,
# first response status compared with the expectation below.
PUBLIC_SITES=(
"https://ethicic.com"
"https://dryvest.ethicic.com"
"https://labs.ethicic.com"
)
PROTECTED_SITES=(
"https://matrix.ethical-capital.workers.dev"
"https://docs.ethicic.com"
)
# Expected Results:
# Public sites: HTTP 200
# Protected sites: HTTP 302 (redirect to login)
FAILED=0
check() {  # check EXPECTED_CODE URL
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' "$2")
  [ "$code" = "$1" ] && echo "OK   $2 -> $code" || { echo "FAIL $2 -> $code (expected $1)"; FAILED=1; }
}
for url in "${PUBLIC_SITES[@]}"; do check 200 "$url"; done
for url in "${PROTECTED_SITES[@]}"; do check 302 "$url"; done
exit "$FAILED"
1.4.2 Manual Testing Checklist
1.5 Security Benefits
1.5.1 Default-Deny Posture
- Zero Trust Architecture: All resources protected by default
- Automatic Protection: New services inherit security controls
- Centralized Management: Single point of access control
1.5.2 Access Control
- Domain-Based Authentication: Only @ethicic.com emails allowed
- Session Management: 8-hour sessions with automatic timeout
- Audit Trail: All access attempts logged and monitored
1.5.3 Operational Benefits
- No VPN Required: Secure access from anywhere
- Simple User Experience: Email-based authentication
- Scalable: Automatically protects new resources
1.6 Monitoring & Alerts
1.6.1 Cloudflare Access Logs
- Location: Zero Trust Dashboard
- Retention: 30 days
- Metrics: Login attempts, blocked access, session data
1.6.2 Key Monitoring Points
- Failed Authentication Attempts: Monitor for brute force attacks
- Unusual Access Patterns: Off-hours or geographic anomalies
- New User Access: First-time access to protected resources
- Policy Changes: Modifications to Access applications
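The first three monitoring points above can be turned into checks that run over an export of the Access login events. The following added example does that over a constructed sample; it is not part of this page or of Cloudflare's tooling. The field names used (`created_at`, `email`, `ip_address`, `app_domain`, `allowed`, `country`) are an assumption about the export format, and business hours are assumed to be 08:00 to 18:00 UTC, so adjust both to the real export and the team's working day.

```python
"""Triage of Access login events against the monitoring points in 1.6.2.

Added example, not part of this page or of Cloudflare's tooling. The log
lines below are constructed to look like Access authentication audit
entries; the field names (created_at, email, ip_address, app_domain,
allowed, country) are an assumption about the export format, so map them
to whatever the real export uses. Business hours are assumed to be 08:00
to 18:00 UTC.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one off-hours login, a burst of failures from one
# address against the Matrix app, routine logins, one new user, one typo.
SAMPLE_LOG = """\
{"created_at":"2025-09-25T02:10:05Z","email":"alice@ethicic.com","ip_address":"203.0.113.7","app_domain":"docs.ethicic.com","allowed":true,"country":"US"}
{"created_at":"2025-09-25T09:00:01Z","email":"admin@ethicic.com","ip_address":"198.51.100.9","app_domain":"matrix.ethical-capital.workers.dev","allowed":false,"country":"NL"}
{"created_at":"2025-09-25T09:00:40Z","email":"admin@ethicic.com","ip_address":"198.51.100.9","app_domain":"matrix.ethical-capital.workers.dev","allowed":false,"country":"NL"}
{"created_at":"2025-09-25T09:01:15Z","email":"root@ethicic.com","ip_address":"198.51.100.9","app_domain":"matrix.ethical-capital.workers.dev","allowed":false,"country":"NL"}
{"created_at":"2025-09-25T09:02:02Z","email":"ops@ethicic.com","ip_address":"198.51.100.9","app_domain":"matrix.ethical-capital.workers.dev","allowed":false,"country":"NL"}
{"created_at":"2025-09-25T09:02:50Z","email":"admin@ethicic.com","ip_address":"198.51.100.9","app_domain":"matrix.ethical-capital.workers.dev","allowed":false,"country":"NL"}
{"created_at":"2025-09-25T09:03:30Z","email":"admin@ethicic.com","ip_address":"198.51.100.9","app_domain":"matrix.ethical-capital.workers.dev","allowed":false,"country":"NL"}
{"created_at":"2025-09-25T10:15:00Z","email":"bob@ethicic.com","ip_address":"203.0.113.12","app_domain":"matrix.ethical-capital.workers.dev","allowed":true,"country":"US"}
{"created_at":"2025-09-25T14:00:00Z","email":"carol@ethicic.com","ip_address":"203.0.113.30","app_domain":"docs.ethicic.com","allowed":true,"country":"US"}
{"created_at":"2025-09-25T14:05:00Z","email":"dave@ethicic.com","ip_address":"192.0.2.44","app_domain":"docs.ethicic.com","allowed":false,"country":"US"}
"""


def parse_log(text):
    """One JSON object per line; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["created_at"] = datetime.fromisoformat(e["created_at"].replace("Z", "+00:00"))
        events.append(e)
    return events


def brute_force_sources(events, window=timedelta(minutes=10), threshold=5):
    """IPs with >= threshold failed logins inside any sliding window; value is the peak count."""
    failures = defaultdict(list)
    for e in events:
        if not e["allowed"]:
            failures[e["ip_address"]].append(e["created_at"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def off_hours_logins(events, open_hour=8, close_hour=18):
    """Successful logins outside business hours (hours assumed to be UTC)."""
    return [e for e in events
            if e["allowed"] and not (open_hour <= e["created_at"].hour < close_hour)]


def first_time_users(events, known_users):
    """Emails that logged in successfully but are not in the known-user set."""
    return sorted({e["email"] for e in events
                   if e["allowed"] and e["email"] not in known_users})


def triage(text, known_users):
    """Run the three checks over a log export and return the findings."""
    events = parse_log(text)
    return {
        "brute_force": brute_force_sources(events),
        "off_hours": [(e["email"], e["created_at"].isoformat()) for e in off_hours_logins(events)],
        "new_users": first_time_users(events, known_users),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, {"alice@ethicic.com", "bob@ethicic.com"}), indent=2))
```

On the sample the burst from `198.51.100.9` is the only source over the five-failures-in-ten-minutes threshold (the single typo from `192.0.2.44` is not), the 02:10 UTC login is the only off-hours success, and `carol@ethicic.com` is the only sender missing from the known-user set. The window and threshold are parameters because the right values depend on how many staff share an egress address; tune them against a week of real logs before alerting on them.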
1.7 Incident Response
1.7.1 Breach Response
- Immediate: Review Access logs for unauthorized access
- Containment: Disable compromised user accounts
- Investigation: Analyze authentication patterns
- Recovery: Reset affected user sessions
1.7.2 Policy Updates
- New Resources: Add to appropriate Access application
- User Changes: Update email domain allowlists
- Security Incidents: Adjust policies based on threat intelligence
1.8 Configuration Management
1.8.1 Infrastructure as Code
Configuration scripts available at:
- /Users/srvo/dev/matrix/cloudflare-access-setup.sh
- /Users/srvo/dev/matrix/cloudflare-access-manual-setup.md
1.8.2 API Management
- Account ID: 483f91afa8e97683223b69b57fd773ae
- Zone ID: 483f91afa8e97683223b69b57fd773ae
- API Token: Stored securely with Access:Edit permissions
1.9 Compliance & Audit
1.9.1 SEC Rule 204-2 Alignment
- Access Controls: All records systems protected
- Audit Trail: Complete logging of access attempts
- Data Protection: Default-deny prevents unauthorized access
1.9.2 Regular Audits
- Weekly: Review access logs for anomalies
- Monthly: Test all Access policies
- Quarterly: Review user access and permissions
- Annually: Security architecture review
1.10 Troubleshooting
1.10.1 Common Issues
1.10.1.1 User Cannot Access Protected Site
- Verify email domain is @ethicic.com
- Check if user is in Access group
- Clear browser cache and cookies
- Try incognito/private browsing mode
1.10.1.2 Site Requiring Auth When It Shouldn’t
- Check if domain is in Public Sites Bypass application
- Verify bypass policy is set to “Everyone”
- Check application domain configuration
1.10.1.3 Authentication Loop
- Clear Cloudflare Access cookies
- Check identity provider configuration
- Verify session duration settings
1.10.2 Support Contacts
- Primary: Cloudflare Access dashboard
- Secondary: API-based troubleshooting
- Emergency: Manual policy override capability
1.11 Future Considerations
1.11.1 Planned Enhancements
- Multi-Factor Authentication: Consider adding MFA for high-privilege access
- Geographic Restrictions: Limit access by location if needed
- Device Trust: Certificate-based device authentication
- API Protection: Extend Access to API endpoints
1.11.2 Scalability
- New Domains: Automatically protected by wildcard policies
- Additional Users: Simple email domain management
- Service Growth: Infrastructure as Code for rapid deployment
1.12 Quick Reference
Dashboard: https://one.dash.cloudflare.com/483f91afa8e97683223b69b57fd773ae/zero-trust/access/apps
Test URLs:
- Public: https://ethicic.com
- Protected: https://matrix.ethical-capital.workers.dev
Status: ✅ All policies tested and verified working (2025-09-25)