feat: add Cloudflare Zero Trust (Access Service Token) support #4
Open
wardlive wants to merge 1 commit into TrackLine:main from
Adds support for authenticating through Cloudflare Zero Trust (Access) using Service Tokens (CF-Access-Client-Id / CF-Access-Client-Secret headers). This is needed when the Remnawave panel is protected by a Cloudflare Tunnel + Access policy, which is a common production hardening setup.

New environment variables (both optional):
- CF_ACCESS_CLIENT_ID → CF-Access-Client-Id header
- CF_ACCESS_CLIENT_SECRET → CF-Access-Client-Secret header

Tested with Cloudflare Tunnel + Caddy reverse proxy in front of Remnawave panel. Service Auth policy in CF Access correctly bypasses the login wall for machine-to-machine access.
What & Why
Many users run Remnawave behind a Cloudflare Tunnel + Cloudflare Access policy for Zero Trust protection. In this setup every HTTP request must carry two headers:
Without these headers Cloudflare returns a 403 Forbidden before the request ever reaches Remnawave, making the MCP server unusable in such environments.
Changes
src/config.ts
- Config interface: cfAccessClientId?: string, cfAccessClientSecret?: string
- loadConfig(): CF_ACCESS_CLIENT_ID, CF_ACCESS_CLIENT_SECRET
src/client/index.ts
- RemnawaveClient constructor: when cfAccessClientId / cfAccessClientSecret are present, they are appended to the outgoing headers map as CF-Access-Client-Id / CF-Access-Client-Secret.
Both fields are optional — existing users who don't use Cloudflare Access are completely unaffected (zero behaviour change for them).
Configuration
Service Tokens are created in: Cloudflare Zero Trust → Access → Service Auth → Service Tokens.
Tested
- REMNAWAVE_READONLY=true (69 tools) and full mode (153 tools)
- 403; with headers → full API access
Docs reference
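
The header handling described under Changes, sketched as an added TypeScript example that is not the PR's code. The function names, the `Env` and `HeaderMap` types, the both-or-neither check, the line-break rejection and the log redaction are assumptions not taken from the page.

```typescript
// Added example; function and type names are hypothetical.
type Env = Record<string, string | undefined>;
type HeaderMap = Record<string, string>;

interface CfAccessConfig {
  cfAccessClientId?: string;
  cfAccessClientSecret?: string;
}

// Read the two optional variables. A service token needs both values, so a
// half-configured pair is rejected at startup instead of failing per request.
function loadCfAccessConfig(env: Env): CfAccessConfig {
  const id = env.CF_ACCESS_CLIENT_ID?.trim() || undefined;
  const secret = env.CF_ACCESS_CLIENT_SECRET?.trim() || undefined;
  if ((id === undefined) !== (secret === undefined)) {
    throw new Error("CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET must be set together");
  }
  for (const v of [id, secret]) {
    // Line breaks inside a header value would allow header injection.
    if (v !== undefined && /[\r\n]/.test(v)) {
      throw new Error("Cloudflare Access token values must not contain line breaks");
    }
  }
  return { cfAccessClientId: id, cfAccessClientSecret: secret };
}

// Append the Access headers only when a token is configured; otherwise the
// base headers are returned unchanged.
function buildHeaders(base: HeaderMap, cfg: CfAccessConfig): HeaderMap {
  const headers: HeaderMap = { ...base };
  if (cfg.cfAccessClientId && cfg.cfAccessClientSecret) {
    headers["CF-Access-Client-Id"] = cfg.cfAccessClientId;
    headers["CF-Access-Client-Secret"] = cfg.cfAccessClientSecret;
  }
  return headers;
}

// Copy of the headers that is safe to write to logs or error reports.
function redactHeaders(headers: HeaderMap): HeaderMap {
  const sensitive = ["cf-access-client-secret", "authorization"];
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) {
    out[name] = sensitive.indexOf(name.toLowerCase()) >= 0 ? "[redacted]" : headers[name];
  }
  return out;
}
```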