Protect Uptime Kuma with Cloudflare Tunnel and Access

kuma_cloudflare.md

Uptime Kuma via Cloudflare Tunnel

This guide outlines steps to access Uptime Kuma through a semi-protected Cloudflare Tunnel.

Semi-protected meaning the status page is public, while all other endpoints are private.

Step 0: deploy Uptime Kuma

Consider e.g. Fly.io (repo) (howto).

Step 1: access via Cloudflare Tunnel

Follow Uptime Kuma's guide for setting up Cloudflare Tunnel as a reverse proxy.

Step 2: protect via Cloudflare Access

Create policies

Create two policies

• admin
  • allow action
  • include rule with emails selector, value set to your personal (or other desired) email address
• public
  • bypass action
  • include rule with everyone selector

Add identity provider

Optionally, add an identity provider to Cloudflare, e.g. Google.

Create applications

Create two applications, optionally using the above identity provider for both

• uptimekuma-admin with 1 input method
  • {type: public hostname, subdomain: uptime, domain YOUR_DOMAIN}
• uptimekuma-public with 4 input methods
  • {type: public hostname, subdomain: uptime, domain: YOUR_DOMAIN, path: status}
  • {type: public hostname, subdomain: uptime, domain: YOUR_DOMAIN, path: assets}
  • {type: public hostname, subdomain: uptime, domain: YOUR_DOMAIN, path: api/status-page}
  • {type: public hostname, subdomain: uptime, domain: YOUR_DOMAIN, path: icon.svg}

Step 3: disable native auth

Disable Uptime Kuma's native auth at your Uptime Kuma instance via Settings > Security > Disable auth.

Step 4: validate

Validate the following access scenarios

• Can access dashboards page after authenticating
• Can access status page after authenticating
• Can't access dashboards when unauthenticated
• Can't access dashboards when identified but with unauthorized identity
• Can access status page when unauthenticated