
How to easily log in to your Tencent Lightweight server with Azure AD authentication, Cloudflare Teams and WebSSH

On how to redefine "relaxed" (perhaps the title should be a book title?)

Q: Given the description in the title, what is the point of such a complicated process?

A: With Azure AD used for login authentication and a Cloudflare Tunnel used to reach SSH, the public SSH port can be closed, which to a certain extent prevents unauthorized intrusion, and the login IP address and related events are recorded, which improves security

In general, this article covers three main sections, plus a short hardcore promotion

Note: This tutorial applies to most Linux devices and to Windows devices with SSH installed. Although Cloudflare Teams is free for up to 50 members, you need to bind a payment method to Cloudflare to enable the Cloudflare Teams service

Main sections

  • Add Microsoft Azure AD SSO login method for Cloudflare Teams
  • Install a Cloudflare Tunnel on the server and configure WebSSH rendering with Cloudflare
  • Set a short-term certificate for quick and secure login

Hardcore promotion

  • Recent activities promotion of Conscience Cloud

Reference documentation

Cloudflare Docs:

  • Microsoft Azure AD® · Cloudflare for Teams documentation
  • Render an SSH client in a browser · Cloudflare for Teams documentation
  • Configure short-lived certificates · Cloudflare for Teams documentation

Although the three documents above are enough on their own to accomplish the goal, they are all in English and there are details that usually need supplementing, so the old material is gone over again here

Add Microsoft Azure AD SSO login method for Cloudflare Teams

Related links:

  • Cloudflare for Teams
  • Microsoft Azure AD

Prepare Cloudflare Teams

Note: Although Cloudflare Teams has a free plan, it cannot be set up unless a payment method is bound to Cloudflare

Open the Cloudflare for Teams link above and click Login to jump to the familiar Cloudflare management interface. Click a domain name and then click Access to enter

If this is the first time you use Access, you will see the following page; click to start Access

This jumps to the Cloudflare Teams page. Follow the process to complete the setup, then select Settings and click Authentication

On that page, click Add New under Login Methods and select Azure AD, as shown in the picture below (the Cloudflare Teams account used in the demonstration already shows the Azure AD option because verification methods have already been added; it is normal for it not to be displayed at this point)

You will see the familiar form fields and a brief document

As shown in the figure above, Name is the name of the login method, Application ID corresponds to the Application (client) ID in Azure AD, Application Secret corresponds to the client secret, and Directory ID corresponds to the Directory (tenant) ID (this is just a brief overview; how to create the Azure AD application is described next)

Create an Azure AD application

After entering Azure AD, click App registrations and click New registration

On the page shown below, enter any application name you need and enter the redirect link below as the Redirect URI (as shown below).

https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
# here <your-team-name> is your Cloudflare Teams tenant name

Note: The Cloudflare Teams tenant name is the name set at the beginning. If you forget it or need to reset it, click General under Settings to view and set the tenant name

(Do not paste the line above literally; it is only valid once <your-team-name> has been replaced as described above, otherwise it is invalid)

After filling in the registration form, click Register. The following page is displayed; from here you need to obtain the Application (client) ID, the Directory (tenant) ID and the client secret

Copy the Application (client) ID and Directory (tenant) ID from the box below

On the menu bar, select Certificates & secrets and click New client secret

Select an expiry of 24 months and click Add (if you want a longer period, you can find your own way)

You can now see the selected area in the box below, which is the client secret. Click Copy (keep this secret value safe and do not disclose it, to avoid further accidents. The secret value is only displayed when it is created and is hidden after the page is refreshed).

At this point you should have the three values listed above; next you need to add the API permissions and grant them to the application

Select API permissions in the menu bar

Click Add a permission on that page, then click Microsoft Graph below, select Delegated permissions and search for the following permissions in the search box

Here are the permissions to find and grant

email
openid
profile
offline_access
User.Read
Directory.Read.All
Group.Read.All

After selecting them, click Add permissions, then click "Grant admin consent for <Your Directory Name>" (here Your Directory Name is literally your tenant name).

Note: If you completed the application creation with a global administrator account, this step is optional. If you created the application with a non-administrator account, log in with the administrator account and grant consent on this page

Set the Azure AD authentication method

After completing the steps above, go back to the following page and enter the Name, Application ID, Application Secret and Directory ID values

Check Support groups and click Save

Note: Support groups means support for Azure AD groups. It lets Cloudflare obtain information about Azure AD groups and requires read permission on groups (added in the step above).

Set Azure AD group information to Cloudflare Teams

Click Groups in the Azure AD menu. The page lists each group name and its Object ID; this is where you obtain the Azure AD group Object ID

Go back to Cloudflare Teams and select Groups and click Add a Group

Fill in the name (as required, optional), select the Azure Group option at the bottom of the drop-down box as shown below, enter the Azure group Object ID obtained above in the box next to it, confirm all the information and click Save

Install a Cloudflare Tunnel on the server and configure WebSSH rendering with Cloudflare

The work here is done in two parts, one on the server and the other in Cloudflare Teams

Install the Cloudflare Tunnel, complete the related configuration and set up the daemon

First, log in to the server through SSH. You can use a tool like PuTTY to log in directly, or log in through the Tencent Cloud console (assuming you are using a Tencent Cloud Lightweight server)

First, execute the following commands in sequence (this installs cloudflared)

yum install epel-release -y
yum repolist
yum install dpkg-devel dpkg-dev -y
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i ./cloudflared-linux-amd64.deb

Then log in with the following command, as shown in the figure below

cloudflared tunnel login

Copy the link shown above into your browser and select the domain name you want to authorize

After authorization is complete, the following information is displayed

Next, you need to create a tunnel for the connection

cloudflared tunnel create <NAME>
# here <NAME> is the tunnel name you defined

If the following message is displayed, the tunnel was created successfully. Note down the tunnel ID, which looks like: C2AF5C2B-4FD3-4069-B25D-XXXXXXXX049F

Note: There is no need to worry if you forget the tunnel ID; use the following command to look it up

cloudflared tunnel list

Next, set up a daemon for cloudflared so that it starts automatically at boot

Create a new file with the following command and write the contents below into it

vi /etc/systemd/system/cloudflared.service

The contents to write into cloudflared.service:

[Unit]
Description=Argo Tunnel
After=network.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --config /root/.cloudflared/config.yml --no-autoupdate tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

Note: above, /usr/local/bin/cloudflared is the path to the cloudflared binary (check it with which cloudflared and adjust it if your installation placed the binary elsewhere), and /root/.cloudflared/config.yml is the path to the configuration file. How to write the configuration file is described in the following sections

Set up the Cloudflare Teams application

Now go back to the Cloudflare Teams page, select Applications and click Add an application to open the following page

Here, select Self-hosted and the following page is displayed

  • Application Name: the name of your application
  • Session Duration: how long a login session remains valid
  • Application Domain: the domain name of the application

Note: Remember the Application Domain, because it will be used again in later steps

Under Identity providers select Azure AD; since there is only one authentication method, check Instant Auth so that users are sent straight to it

Click Next to go to the following page and fill in the rule name (any name you like)

On the next page, set Access-Control-Max-Age (seconds) to a suitable value and check Access-Control-Allow-Origin and Access-Control-Allow-Methods

Note: Access-Control-Allow-Origin and Access-Control-Allow-Methods must be checked, otherwise the application cannot be created

As shown above, select Enable Binding Cookie under Cookie Settings, Enable Automatic cloudflared Authentication under Cloudflared Settings, and under Browser Rendering select SSH

Modify the cloudflared configuration file and start the tunnel

First create the configuration file with the following command

vi /root/.cloudflared/config.yml

Fill in the following content (note: adjust it to your own needs)

tunnel: <you-tunnel-id>
credentials-file: /root/.cloudflared/<you-tunnel-id>.json

ingress:
  - hostname: <Application domain>
    service: ssh://localhost:<sshd-port>
  - service: http_status:404

Note: here you-tunnel-id is your tunnel ID, Application domain is the domain name you set up, and sshd-port is the port of your SSH service

The completed file looks like this

Additional step (required if the domain is connected to Cloudflare via CNAME)

Add a CNAME record in the following format

<Application domain> CNAME <you-tunnel-id>.cfargotunnel.com

Note: The CFP panel used in the example above is Dream Bull. After setting it up, go to Cloudflare and check whether WebSocket is enabled, because Dream Bull may turn the WebSocket option off, and the features shown in this tutorial rely on WebSocket

Start the tunnel and test it

systemctl start cloudflared
systemctl status cloudflared

After running the commands above you should see output similar to the picture; open a browser, visit your domain name and try to log in to the server

When you visit the domain name you can see the following

Now the tunnel can be set to start automatically at boot with the following command

systemctl enable cloudflared
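The Q&A at the top says the point of the tunnel is that the raw SSH port need no longer be exposed. The helpers below are an added example, not part of the original post: they read the sshd port out of config.yml and check, from ss output, that the port is bound to loopback only; the sample ss lines and the config path are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Once WebSSH through the tunnel
# works, confirm that sshd is reachable only through the tunnel: read the
# <sshd-port> from config.yml and check that nothing on that port listens on
# a public address. Paths and sample data below are assumptions.

# Extract <sshd-port> from the "service: ssh://localhost:<port>" ingress line.
ingress_ssh_port() {
    # $1 = path to config.yml
    sed -n 's|.*service: *ssh://localhost:\([0-9]*\).*|\1|p' "$1" | head -n 1
}

# Return 0 when every listener on port $1 is on 127.0.0.1 or [::1]; return 1
# when nothing listens there or when any listener is on 0.0.0.0, * or [::].
# $2 is `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port ...).
port_is_loopback_only() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $4 ~ (":" p "$") {
            found = 1
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Live check against the running host; prints the fix if the port is public.
check_tunnel_only_ssh() {
    # $1 = path to config.yml (the post uses /root/.cloudflared/config.yml)
    port=$(ingress_ssh_port "$1")
    [ -n "$port" ] || { echo "no ssh:// ingress found in $1"; return 2; }
    if port_is_loopback_only "$port" "$(ss -Hltn)"; then
        echo "sshd port $port is reachable only through the tunnel"
    else
        echo "sshd port $port is exposed: set 'ListenAddress 127.0.0.1' in" \
             "/etc/ssh/sshd_config (or firewall the port) and restart sshd"
        return 1
    fi
}

# Constructed `ss -Hltn` sample: port 22 public on v4 and v6, 2222 loopback only.
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1,fd=3))
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 127.0.0.1:2222 0.0.0.0:*
LISTEN 0 128 [::1]:2222 [::]:*'
```

Run check_tunnel_only_ssh /root/.cloudflared/config.yml on the server after the tunnel is up.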

Set a short-term certificate for quick and secure login

With the result above you can log in and reach the server directly, but you can go one step further by logging in with a short-lived certificate

Note the following points if you want to configure short-lived certificates

  • The login username must be the same as the e-mail prefix
  • Logging in as root is not recommended
  • The server must allow public key login (see below)

First go back to Cloudflare Teams, select Service Auth under Access, select your application in the Application drop-down box and click Generate certificate to obtain a public key, as shown below

Copy the public key, open the following file in the terminal and paste the public key into it

vi /etc/ssh/ca.pub

Next, edit the SSH server configuration file

vi /etc/ssh/sshd_config

Uncomment PubkeyAuthentication yes and add TrustedUserCAKeys /etc/ssh/ca.pub on the next line. Save and exit, then restart the sshd service with the following command

systemctl restart sshd

Add a user with the same name as your e-mail prefix

adduser <username>

For example, if my email address is [email protected], I should add user Romeyer
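The sshd edit and user-name rule above, written as shell helpers that can be re-run safely. This is an added example, not code from the original post: the file paths are the ones the post uses, and the e-mail address and config lines used to exercise the helpers are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent helpers for the
# short-lived certificate step, so the sshd edit can be re-run and a typo
# cannot lock you out. Paths are the post's; sample inputs are constructed.

# The login name must equal the local part of the Azure AD e-mail address.
# Reject anything that is not a single, plain local part.
email_to_username() {
    case "$1" in
        *@*@*|@*|*@) return 1 ;;
        *@*) ;;
        *) return 1 ;;
    esac
    name=${1%@*}
    case "$name" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Set "Key Value" in an sshd_config-style file: uncomment or replace the
# existing line, otherwise insert it before the first Match block (a line
# appended after a Match line would apply only inside that block).
ensure_sshd_option() {
    # $1 = config file, $2 = key, $3 = value
    if grep -Eq "^[#[:space:]]*$2([[:space:]]|\$)" "$1"; then
        sed "s|^[#[:space:]]*$2\([[:space:]].*\)*\$|$2 $3|" "$1" > "$1.tmp"
    else
        awk -v line="$2 $3" '
            !done && /^Match/ { print line; done = 1 }
            { print }
            END { if (!done) print line }' "$1" > "$1.tmp"
    fi
    mv "$1.tmp" "$1"
}

# Install the Access CA public key, trust it, and only restart sshd when the
# resulting configuration validates.
install_access_ca() {
    # $1 = CA public key text copied from Service Auth, $2 = sshd_config path
    printf '%s\n' "$1" > /etc/ssh/ca.pub
    chmod 644 /etc/ssh/ca.pub
    ensure_sshd_option "$2" PubkeyAuthentication yes
    ensure_sshd_option "$2" TrustedUserCAKeys /etc/ssh/ca.pub
    sshd -t -f "$2" && systemctl restart sshd
}
```

Call install_access_ca "$(cat ca.pub)" /etc/ssh/sshd_config as root, then adduser "$(email_to_username you@example.com)" with your own address.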

If you log in to WebSSH again, you will find that you go straight into the terminal. The result is shown below

Recent activities promotion of Conscience Cloud

A 1-core 2 GB cloud server costs 50 yuan for the first year, and the 2-core 4 GB one costs new users only 74 yuan. If you are interested, you can buy one