Skip to content

Cloudflare One — protect docs.apexstem.org (Access)

Cloudflare’s admin UI is Cloudflare One (one.dash.cloudflare.com). The old name “Zero Trust” is the same service.

You do not need a VPN, Tunnel, or “Secure private apps” wizard for this use case. Your wiki is already public on Cloudflare Pages; Access adds a login gate in front of the hostname.


Where to click (navigation map)

Old wording (guides) Cloudflare One (2025+)
Zero Trust dashboard Cloudflare Oneone.dash.cloudflare.com
Access → Applications Access controlsApplications
Add application Create new application
Self-hosted Self-hosted and private
Application domain Add public hostname

Do not use (wrong wizards for Pages docs):

  • “Replace your VPN”
  • “Connect a network” / Magic WAN
  • “Secure private apps” that requires Cloudflare Tunnel only — unless you have no public hostname (you do: docs.apexstem.org)

Official doc: Publish a self-hosted application (public hostname)


Step 0 — First-time Cloudflare One setup

  1. dash.cloudflare.com → sidebar Zero Trust (opens Cloudflare One), or go directly to one.dash.cloudflare.com.
  2. If prompted:
  3. Team name: e.g. apexstem (internal label; users rarely type it for browser Access).
  4. Plan: Zero Trust Free (includes Access with seat limits).
  5. Finish onboarding until you see the Cloudflare One home (cards like “Replace VPN”, “Secure private apps”, etc.). You can ignore those cards.

Step 1 — Add a login method

Add your preferred identity provider under Integrations → Identity providers before enabling it on the application.

Option A — One-time PIN (fastest, ~5 min)

Good for small teams and fast setup.

  1. Sidebar → IntegrationsIdentity providers (or SettingsAuthentication).
  2. Add new identity providerOne-time PINSave.
  3. On your Application → enable One-time PIN under identity providers.
  4. Users enter email at login → receive 6-digit code in inbox → must match an email in your Allow policy.

Use each person's own email account, not shared role aliases such as board@.

Option B — Google (better UX, ~20 min)

Requires Google Cloud OAuth (free). Official: Google IdP doc.

  1. Find team name: Cloudflare One → SettingsTeam name (e.g. apexstem → host apexstem.cloudflareaccess.com).
  2. Google Cloud Console → new project → OAuth client (Web application).
  3. Authorized JavaScript origins: https://<team-name>.cloudflareaccess.com
  4. Redirect URI: https://<team-name>.cloudflareaccess.com/cdn-cgi/access/callback
  5. Copy Client ID and Client secret.
  6. Cloudflare One → IntegrationsIdentity providersAdd newGoogle → paste ID/secret → SaveTest.
  7. On your Application → enable Google (and optionally One-time PIN as backup).

Users sign in with their own email account, not board@apexstem.org.


Creating the policy first avoids hunting menus inside the application wizard.

  1. Access controlsPolicies (or Policy management).
  2. Create policy / Add a policy.
  3. Policy name: Apex trustees
  4. Action: Allow
  5. Configure rules → Include:
  6. Selector: Emails
  7. Value: each trustee's individual email address (one rule or multiple entries).
  8. Save policy.

Step 3 — Create the Access application

  1. Access controlsApplications.
  2. Create new application.
  3. Choose Self-hosted and private (not “SaaS” unless you know you need it).
  4. Choose Add public hostname (not “private IP”).
  5. Hostname:
  6. Domain dropdown: apexstem.org
  7. Subdomain: docs
  8. Result: docs.apexstem.org
  9. Or pick / type the full hostname if the UI offers a single field.

  10. Access policies:

  11. Add policy → select Apex trustees (from Step 2), or create inline Allow policy with same emails.

  12. Authentication / Identity providers:

  13. Enable your chosen identity provider(s).
  14. Optional: Instant authentication if using a single provider.

  15. Session duration: e.g. 24 hours.

  16. Create (bottom of form).

Tunnel: Skip “Connect your origin to Cloudflare” / Tunnel setup — Pages already hosts docs.apexstem.org on your zone. Access sits in front of existing DNS.


Step 4 — Test

  1. Chrome Incognito (not logged in as a trustee).
  2. Visit https://docs.apexstem.org.
  3. Expect: redirect to Cloudflare Access login.
  4. Sign in with an allowed trustee email account → wiki loads.
  5. Incognito + non-allowed email account → blocked / access denied.

If the site loads with no login, the application is not bound to the hostname — see troubleshooting.


Step 5 — Notify trustees

Open https://docs.apexstem.org
Sign in with your invited account using the configured identity provider.
Mentors: Mentor guide · Board/Treasurer: Start here


Troubleshooting

Symptom What to do
Sidebar says Cloudflare One, not Zero Trust Normal — use this doc
Stuck in “Secure private apps” / Tunnel wizard Back out; use Access controls → Applications path above
No Applications in sidebar Complete Cloudflare One onboarding (team name + plan)
docs.apexstem.org not in domain dropdown Zone apexstem.org must be Active in same account; Pages custom domain attached
Login never appears Confirm DNS record for docs is proxied (orange cloud); Access app hostname must match exactly
board@ cannot log in Use individual user emails in policy, not role aliases
Pages .pages.dev URL still public Access app is on custom domain only — add separate app for *.pages.dev if needed, or disable pages.dev in Pages settings

Optional later

  • Access Groups under Access controls for parents/mentors (apex-parents-ridge-racers, etc.) — see rbac-groups.md
  • Path-based policies when content uses /internal/... URLs
  • Block direct access to apexstem-docs.pages.dev in Pages project settings

Expanding to all users (email/password)

When you're ready to give students, parents, mentors, and Omesh access with email/password login, see the full setup guide:

portal_access_setup_all_users.md — Auth0 (OIDC) + Cloudflare Access Groups for role-based access.