Local Hosting with Cloudflare Tunnels

Last updated: 2026-03-29
Policy owner: Dmitri Zasage
Reference baseline: docs.solanasis.com

Standard

All Solanasis local services exposed through Cloudflare Tunnel now inherit the same Cloudflare Access baseline used by docs.solanasis.com.

Docs baseline

  • Access app per hostname
  • OTP email authentication
  • Allowed emails:
    • dmitri@solanasis.com
    • ds@solanasis.com
    • mr.sunshine@solanasis.com
  • Session duration: 24h
  • auto_redirect_to_identity: false
  • allowed_idps: []
  • No extra require or exclude rules

As of 2026-03-29, that baseline is active on:

  • erp.solanasis.com
  • baserow.solanasis.com
  • sm.solanasis.com
  • edit.solanasis.com
  • docs.solanasis.com
  • db.solanasis.com
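The baseline above is only useful if something compares each Access app against it and reports drift. The following is an added example of such a drift check; it is not the project's cloudflare_access_audit.py. The app records are a constructed, simplified shape (the real Cloudflare API field layout is not reproduced here), and the exception-registry shape (hostname mapped to the fields allowed to deviate) is an assumption about cf_exceptions.json, not taken from this page.

```python
"""Access-baseline drift check for tunnel-backed hostnames (added example).

App records are a constructed, simplified shape; the real Cloudflare API
layout is not reproduced. The exception-registry shape (hostname -> list of
fields allowed to deviate) is an assumption about cf_exceptions.json.
"""
from __future__ import annotations

# Docs baseline, as the standard lists it.
BASELINE = {
    "session_duration": "24h",
    "auto_redirect_to_identity": False,
    "allowed_idps": [],
    "allowed_emails": {
        "dmitri@solanasis.com",
        "ds@solanasis.com",
        "mr.sunshine@solanasis.com",
    },
}

# Hostnames the standard says carry the baseline as of 2026-03-29.
EXPECTED_HOSTS = [
    "erp.solanasis.com",
    "baserow.solanasis.com",
    "sm.solanasis.com",
    "edit.solanasis.com",
    "docs.solanasis.com",
    "db.solanasis.com",
]


def find_drift(app: dict) -> dict[str, str]:
    """Return {field: description} for every way one app deviates from BASELINE."""
    drift: dict[str, str] = {}
    for key in ("session_duration", "auto_redirect_to_identity", "allowed_idps"):
        if app.get(key) != BASELINE[key]:
            drift[key] = f"{app.get(key)!r} != {BASELINE[key]!r}"
    if not app.get("otp_email", False):
        drift["otp_email"] = "OTP email authentication not enabled"
    emails = set(app.get("allowed_emails", []))
    if emails != BASELINE["allowed_emails"]:
        extra = sorted(emails - BASELINE["allowed_emails"])
        missing = sorted(BASELINE["allowed_emails"] - emails)
        drift["allowed_emails"] = f"extra={extra} missing={missing}"
    if app.get("require") or app.get("exclude"):
        drift["rules"] = "additional require/exclude rules present"
    return drift


def audit(apps: dict[str, dict], exceptions: dict[str, list[str]]) -> dict[str, dict[str, str]]:
    """Audit every expected hostname; drop deviations covered by a recorded override.

    A hostname with no Access app at all is itself a deviation."""
    findings: dict[str, dict[str, str]] = {}
    for host in EXPECTED_HOSTS:
        app = apps.get(host)
        drift = {"app": "no Access app at all"} if app is None else find_drift(app)
        allowed = set(exceptions.get(host, []))
        unapproved = {k: v for k, v in drift.items() if k not in allowed}
        if unapproved:
            findings[host] = unapproved
    return findings


def compliant_app() -> dict:
    """A constructed app record matching the baseline exactly."""
    return {
        "session_duration": "24h",
        "auto_redirect_to_identity": False,
        "allowed_idps": [],
        "otp_email": True,
        "allowed_emails": sorted(BASELINE["allowed_emails"]),
        "require": [],
        "exclude": [],
    }


# Constructed inventory: clean apps, one with a longer session (unapproved),
# one with an extra require rule that has a recorded override, and one
# hostname (sm) with no app at all.
SAMPLE_APPS = {h: compliant_app() for h in EXPECTED_HOSTS if h != "sm.solanasis.com"}
SAMPLE_APPS["baserow.solanasis.com"]["session_duration"] = "7d"
SAMPLE_APPS["db.solanasis.com"]["require"] = [{"geo": {"country_code": "US"}}]
SAMPLE_EXCEPTIONS = {"db.solanasis.com": ["rules"]}

if __name__ == "__main__":
    for host, drift in audit(SAMPLE_APPS, SAMPLE_EXCEPTIONS).items():
        for field, detail in drift.items():
            print(f"{host}: {field}: {detail}")
```

With the constructed inventory the check reports baserow (7d session, no override recorded) and sm (no Access app); db's extra require rule is suppressed only because the registry lists it, which is exactly the behaviour the Override Rule below asks for.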

Local Origin Rule

  • Tunnel-backed local services must bind to 127.0.0.1 by default.
  • Cloudflare Tunnel is the only intended external exposure path for these local services.
  • If a service needs a different bind address, Dmitri must explicitly approve it.
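The nearest evidence the tunnel config gives about a service's bind address is the origin target in each ingress rule, so a baseline check can at least flag any route whose origin is not loopback. The following is an added example of that check; it is not the project's cloudflare_tunnel_policy.py. The ingress list uses cloudflared's own rule layout (hostname plus service) but is constructed inline rather than loaded from ~/.cloudflared/config.yml, and the approved set passed in stands for whatever the override registry records (its shape is an assumption).

```python
"""Local-origin check for cloudflared ingress rules (added example).

In practice the ingress list would come from yaml.safe_load() over
~/.cloudflared/config.yml; here it is constructed inline so the check runs
offline. The approved set stands in for the override registry (assumed shape).
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed ingress rules in cloudflared's layout: each rule names a hostname
# and a service target, and the final catch-all carries only a service.
SAMPLE_INGRESS = [
    {"hostname": "erp.solanasis.com", "service": "http://127.0.0.1:8069"},
    {"hostname": "baserow.solanasis.com", "service": "http://localhost:8000"},
    {"hostname": "db.solanasis.com", "service": "tcp://0.0.0.0:5432"},
    {"hostname": "sm.solanasis.com", "service": "http://192.168.1.20:3000"},
    {"service": "http_status:404"},
]


def origin_host(service: str) -> str | None:
    """Host part of a service target, or None for non-network targets
    (http_status:NNN, hello_world, unix:/path sockets)."""
    if service.startswith(("http_status:", "hello_world", "unix:")):
        return None
    return urlsplit(service).hostname


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 or the literal name localhost."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A non-loopback DNS name is still a non-local origin.
        return False


def check_origins(ingress: list[dict], approved=()) -> dict[str, str]:
    """Return {hostname: origin} for rules whose origin is not loopback and
    has no recorded approval for a different bind address."""
    violations: dict[str, str] = {}
    for rule in ingress:
        host = origin_host(rule["service"])
        if host is None or is_loopback(host):
            continue
        name = rule.get("hostname", "<catch-all>")
        if name in approved:
            continue
        violations[name] = host
    return violations


if __name__ == "__main__":
    for name, origin in check_origins(SAMPLE_INGRESS).items():
        print(f"{name}: origin {origin} is not loopback and has no approved override")
```

Two caveats worth keeping in mind: an ingress target of 127.0.0.1 shows only where cloudflared connects, not that the service has stopped listening on other interfaces, so the tunnel check complements rather than replaces a listening-socket review on the host; and the check accepts the literal name localhost as loopback, whereas the rule as written names 127.0.0.1, so a stricter variant would require the IP form.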

Source of Truth

  • Live tunnel config: ~/.cloudflared/config.yml
  • Access baseline: solanasis-scripts/security/config/cf_access_baseline.json
  • Override registry: solanasis-scripts/security/config/cf_exceptions.json
  • Human-readable inventory: operations/service-inventory.md
  • Automated audit: solanasis-scripts/security/cloudflare_access_audit.py
  • Automated baseline check/apply: solanasis-scripts/security/cloudflare_tunnel_policy.py
  • Human-readable exception registry: operations/service-inventory.md > Cloudflare Access Exceptions

Required Workflow

  1. Create or update the checked-in script first.
  2. Run the script with --dry-run or --check-only.
  3. Create or update the Access app before any tunnel route for the service exists.
  4. Record any approved override before exposure.
  5. Add or update the tunnel route.
  6. Run the baseline check and full audit.
  7. Update service-inventory.md and cloudflare-hardening-cheatsheet.md.
  8. If the service is Cloudflare Pages-backed, verify the root pages.dev URL and a live preview alias, not just the custom domain.

No Scripting on the Fly

  • Agents must not improvise Cloudflare mutations in the shell.
  • If a Cloudflare task is part of the workflow, the script must exist on disk first.
  • For this workflow, use:
    • cloudflare_tunnel_policy.py
    • cloudflare_access_audit.py

Override Rule

Any deviation from the docs baseline requires Dmitri’s explicit override.

Examples:

  • Different allowlist
  • Different session duration
  • Geo restrictions
  • Additional require or exclude rules
  • No Access app at all

If an override is approved, record it in both:

  • solanasis-scripts/security/config/cf_exceptions.json
  • operations/service-inventory.md

Why This Exists

This standard was tightened after the docs.solanasis.com and edit.solanasis.com exposure incident on 2026-03-27. The goal is to prevent future drift between tunnel routing, Access policy, agent behavior, and human documentation.