Previously, I added a Cloudflare Zero Trust Application Access policy with a one-time password in front of my Gitea, but when I use a git client to push code, the request is redirected to the Cloudflare Access one-time password login.

So, in this post, I want to create a Service Auth (service token) that bypasses the Access login for Gitea when the client presents the token. Requests without the token are still redirected to the Cloudflare Access one-time password login.

Table of Contents
Set up Gitea + Cloudflare Zero Trust Application Access
If you have already set up Gitea + Cloudflare Zero Trust Application Access, you can skip to the step Create Service Auth (For Git Client to Access).
- I have a Docker Compose file ready for deployment (I use it on my Synology NAS)
For installation details, see Gitea - Installation.
- Check Authentication on Cloudflare Zero Trust
Zero Trust Overview > Settings > Authentication


The default is Email One-Time Password, but you can set another method, such as Azure AD (Entra ID), OpenID Connect, etc.

- Add Application Policy
Zero Trust Overview > Access > Application
- Add Application
- Select Self-Hosted (in this case, Gitea runs on my Synology NAS)
- Fill in the General Info
- Config Name
- Domain + Sub Domain + Path to Access

Next, add a policy. You can:
- create a new policy
- or use an existing one

Next, select the authentication method (I use Email One-Time Password)

You can customize options such as a custom login page.
- Test via web access, e.g. https://yourgitdomain
- From the Gitea login page, you are redirected to the Cloudflare Access page

- Cloudflare will send a one-time password


- Enter the one-time password; if the code is correct, you are redirected to the Gitea login page
But when using a git client to push code, it asks for a one-time password, like this:
    PS D:\0gitea\ollama-traefik-letsencrypt-docker-compose> git push
    fatal: unable to update url base from redirection:
      asked for: https://gitea.youdomain.example/samplegitusr/ollama-traefik-letsencrypt-docker-compose.git/info/refs?service=git-receive-pack
       redirect: https://xxxxxxxx.cloudflareaccess.com/cdn-cgi/access/login/gitea.youdomain.example?kid=33FQu...&redirect_url=%2Fsamplegitusr%2Follama-traefik-letsencrypt-docker-compose.git%2Finfo%2Frefs%3Fservice%3Dgit-receive-pack
Create Service Auth (For Git Client to Access)
The goal of this section is a Service Auth token that bypasses the Access login for Gitea when the git client presents it. Requests without the token are still redirected to the Cloudflare Access one-time password login.

- Create Service Auth
- Cloudflare Zero Trust Dashboard > Access > Service Auth > Create Service

- Save the CF-Access-Client-Id and CF-Access-Client-Secret values; you will add them to the git client configuration

- Create a ByPass Policy

- Cloudflare Zero Trust Dashboard > Access > Policies > Add a policy
- Create a Bypass policy for Gitea with the condition Service Auth (gitea)
- Add Cloudflare Zero Trust Application Access

- Cloudflare Zero Trust Dashboard > Access > Applications > Add an application > Self-hosted
- Set Gitea Domain
- Add the policies in this order:
1. Bypass policy (Service Auth)
2. One-Time Password, applied when the Bypass policy does not match
- Configure your git config with the Service Auth header
Run the following commands to tell the git client to send the two extra headers for the Gitea URL:
    git config --global --add http.https://yourgitdomain/.extraHeader "CF-Access-Client-Id: CF_Service_Auth_Access"
    git config --global --add http.https://yourgitdomain/.extraHeader "CF-Access-Client-Secret: CF_Service_Auth_Access_Secret"
- Test
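As an added check for the Test step (example code of my own, not part of Cloudflare's or Gitea's tooling): this Python script sends the same info/refs request git sends first, with the two service-token headers from above, without following redirects, and reports whether the answer came from Gitea or is the cloudflareaccess.com/cdn-cgi/access/login redirect shown in the git error. The repo URL, client id and client secret are assumed inputs you supply; the header names are the real ones used in the git config above.

```python
# Probe whether a Cloudflare Access service token bypasses the OTP login for a Gitea repo:
# send the request git sends first (GET <repo>.git/info/refs?service=git-upload-pack) with the
# CF-Access-Client-Id / CF-Access-Client-Secret headers, WITHOUT following redirects, so a
# redirect to the Access login page is reported rather than silently followed.
import urllib.error
import urllib.request
from urllib.parse import urlparse

ACCESS_LOGIN_PATH = "/cdn-cgi/access/login"  # path of the Access login redirect seen in the git error

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx, keeping status and Location for us.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status, headers):
    """Map the info/refs response to one of:
    'access-login' - Access redirected to its login page: token missing/wrong, or the
                     Bypass (Service Auth) policy is not evaluated before the OTP policy
    'origin'       - request reached Gitea (200 for a public repo, Gitea's own 401
                     Basic-auth challenge for a private one)
    'other'        - anything else (5xx, unrelated redirect, ...)
    """
    if status in (301, 302, 303, 307, 308):
        target = urlparse(headers.get("Location") or "")
        host = target.hostname or ""
        if host.endswith(".cloudflareaccess.com") and target.path.startswith(ACCESS_LOGIN_PATH):
            return "access-login"
        return "other"
    if status == 200 or (status == 401 and headers.get("WWW-Authenticate")):
        return "origin"
    return "other"

def probe(repo_url, client_id, client_secret, timeout=10):
    """Send the probe request and classify the answer (needs network access), e.g.
    probe("https://gitea.youdomain.example/user/repo.git", "<client-id>", "<client-secret>")"""
    url = repo_url.rstrip("/") + "/info/refs?service=git-upload-pack"
    req = urllib.request.Request(url, headers={
        "CF-Access-Client-Id": client_id,
        "CF-Access-Client-Secret": client_secret,
        "User-Agent": "git/2.0 (access-check)",  # look like git so the origin answers as it would
    })
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers)
    except urllib.error.HTTPError as err:  # raised for 3xx (see _NoRedirect), 401, 5xx ...
        return classify(err.code, err.headers)
```

If the result is "access-login" with the correct headers, recheck that the Bypass policy is attached to the Gitea application and listed before the One-Time Password policy.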
