Craig Kahle | Cloudflare CSE Assessment
Home
Welcome to the Tunnel app
Tunnel Index
View DNS Records
View Headers
Worker
Secure
Setup Steps / Summary
-
First, I began writing a basic flask app to return all of the headers with a GET request to the /headers endpoint.
From there, I used a commonn Dockerfile based on the Google Cloud docs to build the image and run the container.
Initially, I deployed to Cloud Run, as it is an easy way to deploy containers, but I realized for this assessment I would need more control
to place the Cloudflare signed certificate on the server as well as setting up a Cloudflare tunnel that has local network access to the application.
It is definitely possible to do this with Cloud Run and a multistage Dockerfile, but I decided to use a Compute Engine instance instead.
-
From there, I deployed a micro N1 GCE instance running a Debian 10 image. I installed Docker on the instance and cloned my application repo, which can be found here:
Cloudflare Assessment. I used the Cloudflare GCP setup documentation to set up apach2 which is serving the root index.html file.
Nginx would normally be my webserver of choice, but Apache2 ease-of-use won out here. The provided link on how to add a Cloudflare signed cert was very useful here.
-
I then used the provided Cloudflare Tunnels Docker command to run the tunnel on the instance. I used the --no-autoupdate flag to prevent the tunnel from updating and breaking the application.
I also used the -d flag to daemonize the process.
The Cloudflare tunnel product is excellent, and very useful for exposing private services publically. I really like how easy it is to run the tunnel in a Docker container with the provided command from the UI.
The only gotcha I ran into was neededing to add the
--network host
flag, which I had to use to allow the tunnel to access the application on localhost:5000
.
-
I then cloned my application repo using
git clone "https://github.com/ckahle33/cf-test"
, built and ran my Flask application using docker build -t flask-app .
and docker run -p 5000:5000 flask-app
-
I decided to structure the application as a kitchen sink with multiple routes that solve the problems in the assessment. I used the
flask
and requests
libraries to build the application.
Requests made it straightforward to loop through and display the headers in the /headers route.
-
I wrote a scoped API call to grab all of the DNS records associated with my Cloudflare zone. The docs were solid here, but was slighlty misled because I needed to add the
Authorization Bearer:
bearer header instead of the
X-Api-Key
header that was suggested in the docs. It is possible I misread the docs, but I was able to get it working with the bearer header.
Did you learn anything new during this assignment?
Yes, I learned about the Cloudflare Tunnel product, which is excellent! It was nice to get a refresher on installing certs onto a server, which has been a while
How did you fill the gaps (if any) in your knowledge during the process?
I mainly consulted the Cloudflare docs and GCP docs. The provded documentation was strong
What was your experience with Cloudflare Zero Trust, Cloudflare Tunnels and Cloudflare Workers?
I really like Cloudflare Tunnels, and Workers. I am still getting used to Zero Trust, but can already see how it would be very helpful to lock down routes of an application super quickly.
I switched to the Wrangler CLI for Workers, and it is very easy to use. I like how it is a wrapper around the API, and I can use it to quickly deploy and update my worker.
It felt like writing a familiar node app where I could add dependencies and use npm to manage them.
What issues did you run into (if any) and how did you overcome them?
The only issues I ran into were pivoting to a Compute Engine instance instead of Cloud Run, and getting the Cloudflare tunnel to work with the application by using the
--network host
flag.
Cloud Run just announced support for sidecar and proxy containers, which would have made this easier, but is definitely a bleeding edge feature, thus GCE made more sense for now.
How would you describe each product in simple language?
Cloudflare Tunnel: A way to expose private services publically
Cloudflare Workers: A way to run serverless code on the edge
Cloudflare Zero Trust: A way to lock down routes of an application
What use cases can you see each product being useful for?
Cloudflare Tunnel: This honestly can and will hopefully usher a move away from using VPNs for securing private resources.
VPNs definitely will have their place, but this is a great alternative for exposing private services publically, very quickly.
Cloudflare Workers: I really like this product in that you can build complete applications eg. html/react that some other FaaS (function as a service)
providers do not allow, or make it complicated to do. These applications could pair very nicely with larger infrastructure and handle crons or data movement/pipelines.
Cloudflare Zero Trust:
How do you imagine that a target customer will find this experience?
I believe the products are very strong and easy to use. The documentation is excellent as well. I really liked seeing the diverse array of Worker examples that used the Wrangler CLI.
The only slightly confusing aspect I encountered is that Zero Trust products use a separate dashboard than dash.cloudflare.com