Optimizing Cloudflare Access Configuration Documentation

2024-07-12 04:26:33 +02:00 · 2024-07-12 04:26:33 +02:00 · e94693815f
commit e94693815f
parent aff28d5d33
8 changed files with 87 additions and 27 deletions
--- a/docs/en_US/guide/dashboard.md
+++ b/docs/en_US/guide/dashboard.md
@ -32,11 +32,15 @@ Nezha Monitoring uses Github, Gitlab, or Gitee as admin accounts.
 1. Click “Register application”.  
 2. Save the Client ID on the page, then click “Generate a new client secret” to create a new Client Secret, which will be displayed only once, **please keep it safe**.

-## Using Cloudflare Access as OAuth2 Provider
+## Using Cloudflare Access as an OAuth2 Provider

-If you encounter issues using Github, Gitlab, or Gitee as admin login, consider switching to [using Cloudflare Access as the OAuth2 provider](/en_US/guide/q8.html).
+If you encounter issues using GitHub, GitLab, or Gitee for admin account logins, consider switching to [Cloudflare Access as your OAuth2 provider](/en_US/guide/q8.html) for authentication.

-### Creating a SaaS-OIDC Application
+### Setting Up a New SaaS-OIDC Application
+
+:::warning
+The following steps are for users who have already started using Zero Trust. If you have not previously used Cloudflare Zero Trust, we strongly recommend that you first read the [Guide on Using Cloudflare Access as an OAuth2 Provider](/en_US/guide/q8.html) to understand the configuration examples and setup process.
+:::

 1. Go to [Zero Trust Dashboard](https://one.dash.cloudflare.com) and log in with your Cloudflare account.
 2. `My Team` -> `Users` -> `<specific user>` -> Get `User ID` and save it.
--- a/docs/en_US/guide/loginq.md
+++ b/docs/en_US/guide/loginq.md
@ -57,4 +57,9 @@ If you are configuring Github login on a server in mainland China, switching to

 ### net/http: TLS handshake timeout

-Same as above.
+Same as above.
+
+### Unable to receive email verification codes using Cloudflare Access as an OAuth2 Provider
+
+- Ensure that the email verification policy has been correctly configured in `Policies`.
+- Verify that the email address you provided is correct. Note that email addresses not on the policy whitelist will not receive verification codes.
--- a/docs/en_US/guide/q8.md
+++ b/docs/en_US/guide/q8.md
@ -1,3 +1,6 @@
+---
+outline: deep
+---
 # Cloudflare Access OAuth2 Configuration
 If you encounter issues logging in as an administrator using Github, Gitlab, or Gitee, you may consider switching to Cloudflare Access as the OAuth2 provider.

@ -20,18 +23,33 @@ Oauth2:
 | ClientID/ClientSecret | `Access` -> `Application` -> `Add an Application` <br/> -> `SaaS` -> `OIDC`     |
 | Endpoint              | `Access` -> `Application` -> `Application URL` -> `Only keep the protocol and domain, no path` |

-### Creating a SaaS-OIDC Application
+### Setting Up a New SaaS-OIDC Application

-Go to Zero Trust Dashboard: https://one.dash.cloudflare.com
+Navigate to the Zero Trust Dashboard: [https://one.dash.cloudflare.com/](https://one.dash.cloudflare.com/). Choose or create a new account, then follow these steps:

-1. `My Team` -> `Users` -> `<specific user>` -> Get `User ID` and save it;
-2. `Access` -> `Application` -> `Add an Application`;
-3. Select `SaaS`, enter a custom application name (e.g., nezha) in `Application`, select `OIDC`, and click `Add application`;
-4. In `Scopes`, select `openid`, `email`, `profile`, `groups`;
-5. Fill in your CallBack URL in `Redirect URLs`, such as `https://dashboard.example.com/oauth2/callback`;
-6. Record the `Client ID`, `Client Secret`, and the protocol and domain part of the `Issuer` URL, such as `https://xxxxx.cloudflareaccess.com`;
-7. Edit the Dashboard configuration file (usually located at `/opt/nezha/dashboard/data/config.yaml`), modify the `Oauth2` configuration according to the example configuration, and restart the Dashboard service.
+1. Go to `My Team` -> `Users` -> Click `<specific user>` -> Obtain and save the `User ID`. *(If this is your first time using Zero Trust, the Users list will be empty, and you can skip this step; users will appear after completing a verification.)*
+2. Navigate to `Access` -> `Applications` -> `Add an Application`.
+3. Select `SaaS`. In the `Application` field, enter a custom application name (e.g., `nezha`), select `OIDC`, and then click `Add application`.
+4. For `Scopes`, select `openid`, `email`, `profile`, `groups`.
+5. In `Redirect URLs`, enter your Dashboard Callback URL, such as `https://dashboard.example.com/oauth2/callback`.
+6. Record the `Client ID`, `Client Secret`, and the protocol and domain part of the `Issuer` address, for example, `https://xxxxx.cloudflareaccess.com`.
+7. Edit the Dashboard configuration file (usually located at `/opt/nezha/dashboard/data/config.yaml`), adjust the `OAuth2` settings according to the example configuration, and restart the Dashboard service.

-### Authentication Policy Configuration
+### Identity Verification Strategy Configuration

-After completing the Dashboard setup, you also need to configure the authentication policy in the Zero Trust Dashboard: `Access` -> `Applications` -> `<application name>` -> `Policies`. You can choose from over ten SSO authentication methods, including email OTP verification, hardware key verification, etc. For detailed configuration, please refer to the [Cloudflare Zero Trust documentation](https://developers.cloudflare.com/cloudflare-one/).
+After setting up the Dashboard, you need to configure identity verification policies in the Zero Trust Dashboard. Navigate to: `Access` -> `Applications` -> `<application name>` -> `Policies`. You can choose from various SSO authentication methods, including email OTP and hardware key verification. For detailed configurations, refer to the [Cloudflare Zero Trust Documentation](https://developers.cloudflare.com/cloudflare-one/).
+
+### Policy Configuration Example (One-time PIN)
+
+Using email OTP as the default verification method:
+
+1. Navigate to `Access` -> `Applications` -> `<application name>` -> `Policies` -> `Add a policy`.
+2. Set a `Policy Name`, for example, `OTP`, and set `Action` to `Allow`.
+3. Under `Configure rules`, add a new `Include` rule. Select `Emails` as the `Selector` and enter your email address in the textbox.
+4. Click `Save policy` to save the configuration.
+
+### Testing the Policy
+
+1. If the configuration is correct, when you visit the Dashboard login interface, it will display as "Log in with Cloudflare Account." Clicking on login will redirect you to the Cloudflare Access login page.
+2. Enter the email address configured previously, click `Send me a code`, and then enter the code received to log in to the Dashboard.
+3. If `User ID` was not specified in `Admin` during previous steps, an error message will be displayed after login: "This user is not an administrator of this site and cannot log in." At this point, you need to go to `My Team` -> `Users`, find the corresponding user, click on the username to get the `User ID`, and enter it into the `Admin` section of the Dashboard configuration file. After restarting the Dashboard service, try logging in again.
--- a/docs/en_US/guide/q9.md
+++ b/docs/en_US/guide/q9.md
@ -1,3 +1,6 @@
+---
+outline: deep
+---
 # Enable GPU monitoring

 GPU monitoring is a new feature implemented in Nezha Monitoring v0.17.x. Before using the feature, please check you Dashboard version is higher than v0.17.2 and Agent version is higher than v0.17.0.
--- a/docs/guide/dashboard.md
+++ b/docs/guide/dashboard.md
@ -34,10 +34,14 @@ outline: deep

 ## 使用 Cloudflare Access 作为 OAuth2 提供方

-位于中国大陆的用户可能无法直接连接 Github，如您在使用 Github、Gitlab、Gitee 作为管理员账户登录时遇到问题，可以优先考虑切换 [使用 Cloudflare Access 作为 OAuth2 提供方](/guide/q8.html) 作为登录方式。
+对于位于中国大陆的用户，直接连接到 GitHub 可能会遇到困难。如果您在使用 GitHub、GitLab 或 Gitee 作为管理员账户登录时遇到问题，建议切换到使用 [Cloudflare Access 作为 OAuth2 提供方](/guide/q8.html) 进行登录。

 ### 新建 SaaS-OIDC 应用流程

+:::warning
+以下步骤适用于已经开始使用 Zero Trust 的用户。如果您尚未使用过 Cloudflare Zero Trust，强烈建议您首先阅读 [Cloudflare Access 作为 OAuth2 提供方的使用指南](/guide/q8.html)，以了解 Cloudflare Access 的配置示例和流程。
+:::
+
 1. 前往 [Zero Trust Dashboard](https://one.dash.cloudflare.com)，使用 Cloudflare 账号登录。
 2. `My Team` -> `Users` -> `<具体用户>` -> 获取 `User ID` 并保存。
 3. `Access` -> `Application` -> `Add an Application`。
--- a/docs/guide/loginq.md
+++ b/docs/guide/loginq.md
@ -57,4 +57,9 @@ Cloudflare Access 用户请注意，您的用户名不是邮箱，而是 User ID

 ### net/http: TLS handshake timeout

-同上。
+同上。
+
+### 使用 Cloudflare Access 作为 OAuth2 提供方时无法收到邮件验证码
+
+- 确认在 `Policies` 中已正确配置了邮件验证策略。
+- 检查您提供的邮箱地址是否正确无误。注意，不在策略白名单中的邮箱地址将不会接收到验证码。
--- a/docs/guide/q8.md
+++ b/docs/guide/q8.md
@ -1,3 +1,6 @@
+---
+outline: deep
+---
 # 使用 Cloudflare Access 作为 OAuth2 提供方
 相较于 Github，Cloudflare Access 对于中国大陆用户更加友好。如您当前使用 Github、Gitlab、Gitee 作为管理员账户登录时遇到问题，您可以考虑切换 Cloudflare Access 作为 OAuth2 提供方
 ## 示例配置：
@ -21,16 +24,31 @@ Oauth2:

 ### 新建 SaaS-OIDC 应用流程

-前往 Zero Trust Dashboard: https://one.dash.cloudflare.com
+前往 Zero Trust Dashboard：[https://one.dash.cloudflare.com/](https://one.dash.cloudflare.com/)，选择或新建一个账户（Account），然后按照以下步骤操作：

-1. `My Team` -> `Users` -> `<具体用户>` -> 获取 `User ID` 并保存；
-2. `Access` -> `Application` -> `Add an Application`;
-3. 选择 `SaaS`，在 `Application` 中输入自定义的应用名称（例如 nezha），选择 `OIDC`后点击 `Add application`;
+1. `My Team` -> `Users` -> 点击`<具体用户>` -> 获取 `User ID` 并保存 *（如果是第一次使用 Zero Trust，Users 列表会为空，可暂时跳过这一步；你需要完成一次验证后，用户才会出现在 Users 列表中）*；
+2. `Access` -> `Applications` -> `Add an Application`;
+3. 选择 `SaaS`，在 `Application` 字段中输入自定义的应用名称（例如 `nezha`），选择 `OIDC` 后点击 `Add application`;
 4. `Scopes` 选择 `openid`, `email`, `profile`, `groups`;
-5. `Redirect URLs` 填写你的 CallBack 地址，例如 `https://dashboard.example.com/oauth2/callback`;
-6. 记录 `Client ID`、`Client Secret`、`Issuer` 地址中协议与域名的部分，例如 `https://xxxxx.cloudflareaccess.com`
-7. 编辑 Dashboard 配置文件(通常在`/opt/nezha/dashboard/data/config.yaml)`，参考示例配置修改 `Oauth2` 配置，并重启 Dashboard 服务
-<br>   
-### 身份验证策略配置   
+5. 在 `Redirect URLs` 中填写你的 Dashboard Callback 地址，例如 `https://dashboard.example.com/oauth2/callback`;
+6. 分别记录 `Client ID`、`Client Secret` 和 `Issuer` 地址中的协议与域名部分，例如 `https://xxxxx.cloudflareaccess.com`;
+7. 编辑 Dashboard 配置文件（通常位于 `/opt/nezha/dashboard/data/config.yaml`），参照示例配置修改 `OAuth2` 设置，并重启 Dashboard 服务。

-在完成 Dashboard 的设置后，您还需要在 Zero Trust Dashboard 中 `Access`-> `Applications` -> `<应用名>` -> `Policies` 配置验证策略。您可以选择包括邮件OTP验证、硬件密钥验证、等十多种 SSO 验证方式，详细配置请参考 [Cloudflare Zero Trust 文档](https://developers.cloudflare.com/cloudflare-one/)
+### 身份验证策略配置
+
+在完成 Dashboard 设置后，您还需要在 Zero Trust Dashboard 中配置身份验证策略，路径为：`Access` -> `Applications` -> `<应用名>` -> `Policies`。您可以选择多种 SSO 验证方式，包括邮件 OTP 验证、硬件密钥验证等，详细配置请参考 [Cloudflare Zero Trust 文档](https://developers.cloudflare.com/cloudflare-one/)。
+
+### 策略配置示例（One-time PIN）
+
+默认使用邮件 OTP 验证方式：
+
+1. `Access` -> `Applications` -> `<应用名>` -> `Policies` -> `Add a policy`;
+2. 设置一个 `Policy Name`，例如 `OTP`，`Action` 设置为 `Allow`;
+3. 在 `Configure rules` 下新增一条 `Include` 规则，`Selector` 选择 `Emails`，在文本框中输入你的邮箱地址；
+4. 点击 `Save policy` 保存策略。
+
+### 测试策略
+
+1. 在配置正确的情况下，访问 Dashboard 登录界面，会显示为 `使用 Cloudflare 账号登录`，点击登录会跳转到 Cloudflare Access 登录页面；
+2. 输入前面配置的 Email 地址，点击 `Send me a code`，输入收到的验证码，即可登录 Dashboard；
+3. 如果在之前的步骤中，未在 `Admin` 中未填写 `User ID`，登录后会提示错误信息：“该用户不是本站点管理员，无法登录”。此时需要在 `My Team` -> `Users` 中找到对应的用户，点击用户名获取 `User ID` 并填写到 Dashboard 配置文件里的 `Admin` 部分，重启 Dashboard 服务后再次尝试登录。
--- a/docs/guide/q9.md
+++ b/docs/guide/q9.md
@ -1,3 +1,6 @@
+---
+outline: deep
+---
 # 启用 GPU 监控

 GPU 监控是哪吒监控 v0.17.x 引入的新功能，使用前请检查您的 Dashboard 版本是否为 v0.17.2+ / Agent 版本是否为 v0.17.0+。