This document is a guide for a Proof of Concept (POC) that validates Cloudflare Zero Trust (Access) tokens on requests passing through Traefik's forwardAuth middleware. The Rust service works with both Traefik 2.x and Traefik 3.x. I originally set out to build a Traefik-only plugin, but the current WASM plugin implementation follows the R1 spec and is limited, so the check runs as a separate service instead.
This is a port of: https://github.com/nihaopaul/Traefik-ForwardAuth-Cloudflare-Access
The primary goal is to demonstrate how to authenticate Traefik requests through Cloudflare Zero Trust, ensuring secure access control.
Most configuration has also moved to environment variables, which lets you dockerise the service. Because AUDs and signing certificates come and go, the service refreshes the certificates every 24 hours and the AUDs every hour using the Cloudflare APIs.
```
CF_TOKEN=...    # your Cloudflare API token (used for the hourly AUD refresh)
CF_ORG=...      # your Cloudflare account ID, taken from the dashboard URL https://dash.cloudflare.com/{your ORG ID}
CF_DOMAIN=https://{yourdomain}.cloudflareaccess.com
```
Traefik dynamic configuration, for example auth.yml, declares the forwardAuth middleware pointing at the service:

```yaml
http:
  middlewares:
    test-auth:
      forwardAuth:
        address: "http://IP:PORT/auth"
```
Then attach the middleware to the router for your domain. The example below protects the Traefik dashboard; since this is a POC, you probably don't want to put it in front of a writable dashboard or API.

```yaml
http:
  routers:
    dashboard:
      rule: Host(`{your domain}`)
      service: api@internal
      middlewares:
        - test-auth
      entryPoints:
        - "websecure"
```
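As an added example (not the project's own Rust code), here is a minimal Go forward-auth target of the kind `forwardAuth.address` above points at. It parses the key set that Cloudflare publishes at `https://{team}.cloudflareaccess.com/cdn-cgi/access/certs`, verifies the RS256 signature, issuer, expiry and AUD tag of the token Cloudflare puts in the `Cf-Access-Jwt-Assertion` request header, and answers 200 (Traefik forwards the request) or 401 (Traefik blocks it). The issuer (which corresponds to `CF_DOMAIN` above), the AUD tag, the key id and the e-mail address are assumed values; fetching the key set and refreshing the AUDs on a timer are left to the caller, and the block mints its own test key and token so it runs offline.

```go
// Forward-auth check for Cloudflare Access tokens (added example; not the project's Rust code).
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// KeySet maps kid to RSA public key, parsed from the "keys" array served at
// https://{team}.cloudflareaccess.com/cdn-cgi/access/certs. Reload it on a timer
// (the page's service refreshes certificates every 24 hours).
type KeySet map[string]*rsa.PublicKey

func ParseJWKS(data []byte) (KeySet, error) {
	var doc struct{ Keys []struct{ Kid, Kty, N, E string } } // encoding/json matches names case-insensitively
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	ks := KeySet{}
	for _, k := range doc.Keys {
		n, errN := b64.DecodeString(k.N) // big-endian modulus
		e, errE := b64.DecodeString(k.E) // big-endian exponent
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, errors.New("unusable jwk " + k.Kid)
		}
		ks[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return ks, nil
}

// Claims is the subset of Access token claims the check uses; Access sends aud as an array of AUD tags.
type Claims struct {
	Aud   []string `json:"aud"`
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
	Email string   `json:"email"`
}

// VerifyAccessJWT checks the RS256 signature with a known kid, then issuer, expiry and AUD tag.
func VerifyAccessJWT(token string, ks KeySet, wantAud, wantIss string, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := b64.DecodeString(p[0])
	payload, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	var hdr struct{ Alg, Kid string }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, errors.New("undecodable token")
	}
	if hdr.Alg != "RS256" { // the token must not choose the algorithm: alg=none and HS256 are classic bypasses
		return nil, errors.New("unsupported alg")
	}
	pub, ok := ks[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid") // a good trigger for an early key-set refresh
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, errors.New("wrong issuer")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return &c, nil
		}
	}
	return nil, errors.New("aud mismatch")
}

// AuthHandler is what forwardAuth.address points at: 2xx lets Traefik pass the request, anything else blocks it.
func AuthHandler(ks KeySet, aud, iss string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, err := VerifyAccessJWT(r.Header.Get("Cf-Access-Jwt-Assertion"), ks, aud, iss, time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-Auth-User", c.Email) // copy upstream with forwardAuth.authResponseHeaders
		w.WriteHeader(http.StatusOK)
	}
}

// SignRS256 and JWKSFor exist only to construct test input offline; in production Cloudflare signs the tokens.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + b64.EncodeToString(sig)
}

func JWKSFor(pub *rsa.PublicKey, kid string) []byte {
	b, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kid": kid, "kty": "RSA",
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return b
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed test key, stands in for Cloudflare's
	ks, _ := ParseJWKS(JWKSFor(&priv.PublicKey, "k1"))
	iss, aud := "https://example.cloudflareaccess.com", "aud-tag-of-the-access-app" // assumed values
	tok := SignRS256(priv, "k1", map[string]any{"iss": iss, "aud": []string{aud},
		"exp": time.Now().Add(time.Hour).Unix(), "email": "user@example.com"})
	_, err := VerifyAccessJWT(tok, ks, aud, iss, time.Now())
	fmt.Println("constructed token accepted:", err == nil)
	http.Handle("/auth", AuthHandler(ks, aud, iss)) // http.ListenAndServe(":8080", nil) to serve Traefik
}
```

Two checks are deliberately strict: the algorithm is pinned to RS256 rather than read from the token, and an unknown `kid` is a rejection rather than a fall-through, which is exactly the moment to pull the key set again since Cloudflare rotates signing keys.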