Skip to content

Cloudflare Access Setup

This guide locks the docs behind Cloudflare Access so users must authenticate before they can read content.

Prerequisites

  • Cloudflare account with Zero Trust enabled
  • Domain managed in Cloudflare (for example: user.com)
  • Cloudflare Pages project deployed from this repository
  • Target hostname chosen (for example: infra-docs.user.com)

1. Create or verify Cloudflare Pages deployment

  1. Cloudflare Dashboard -> Workers & Pages -> Create application -> Pages.
  2. Connect this Git repository.
  3. Build settings:
  4. Build command: mkdocs build
  5. Build output directory: site
  6. Deploy and confirm site loads at the generated *.pages.dev URL.

2. Add custom domain to the Pages project

  1. Open Workers & Pages -> your project -> Custom domains.
  2. Add infra-docs.user.com (or your chosen docs hostname).
  3. Complete DNS validation and wait for domain status to become Active.

3. Create Access app for custom domain

  1. Cloudflare Zero Trust -> Access -> Applications -> Add an application.
  2. Type: Self-hosted.
  3. Application domain: infra-docs.user.com.
  4. Session duration: choose policy (for example: 24h).

4. Protect the Pages default hostname

  1. Create a second Self-hosted Access application for the generated project-name.pages.dev hostname.
  2. Apply the same policy intent as the custom domain.
  3. If you use preview deployments, protect preview hostnames as well.

5. Configure identity provider and policy

  1. Zero Trust -> Settings -> Authentication -> Login methods.
  2. Enable your preferred IdP (Google, GitHub, Okta, or One-time PIN).
  3. For each Access app, add an allow policy. Recommended baseline:
  4. Include: Emails ending in @your-domain.com
  5. Optional Include: explicit break-glass users
  6. Keep default deny behavior for non-matching users.

6. Validate behavior

  1. Open infra-docs.user.com in a private browser window.
  2. Confirm Access login appears before any docs content.
  3. Sign in with allowed account -> access granted.
  4. Sign in with non-allowed account -> access denied.
  5. Repeat for project-name.pages.dev and preview URLs.

7. Operational notes

  • Protecting only the custom domain is not enough; users can bypass via *.pages.dev if unprotected.
  • Keep Access logs enabled and review denied attempts.
  • Rotate IdP credentials and emergency access users regularly.
  • If you need stricter privacy of the origin itself, use Cloudflare Tunnel + Access instead of managed static hosting.