Cloudflare One — protect docs.apexstem.org (Access)¶
Cloudflare’s admin UI is Cloudflare One (one.dash.cloudflare.com). The old name “Zero Trust” is the same service.
You do not need a VPN, Tunnel, or “Secure private apps” wizard for this use case. Your wiki is already public on Cloudflare Pages; Access adds a login gate in front of the hostname.
Where to click (navigation map)¶
| Old wording (guides) | Cloudflare One (2025+) |
|---|---|
| Zero Trust dashboard | Cloudflare One → one.dash.cloudflare.com |
| Access → Applications | Access controls → Applications |
| Add application | Create new application |
| Self-hosted | Self-hosted and private |
| Application domain | Add public hostname |
Do not use (wrong wizards for Pages docs):
- “Replace your VPN”
- “Connect a network” / Magic WAN
- “Secure private apps” that requires Cloudflare Tunnel only — unless you have no public hostname (you do:
docs.apexstem.org)
Official doc: Publish a self-hosted application (public hostname)
Step 0 — First-time Cloudflare One setup¶
- dash.cloudflare.com → sidebar Zero Trust (opens Cloudflare One), or go directly to one.dash.cloudflare.com.
- If prompted:
- Team name: e.g.
apexstem(internal label; users rarely type it for browser Access). - Plan: Zero Trust Free (includes Access with seat limits).
- Finish onboarding until you see the Cloudflare One home (cards like “Replace VPN”, “Secure private apps”, etc.). You can ignore those cards.
Step 1 — Add a login method¶
Add your preferred identity provider under Integrations → Identity providers before enabling it on the application.
Option A — One-time PIN (fastest, ~5 min)¶
Good for small teams and fast setup.
- Sidebar → Integrations → Identity providers (or Settings → Authentication).
- Add new identity provider → One-time PIN → Save.
- On your Application → enable One-time PIN under identity providers.
- Users enter email at login → receive 6-digit code in inbox → must match an email in your Allow policy.
Use each person's own email account, not shared role aliases such as board@.
Option B — Google (better UX, ~20 min)¶
Requires Google Cloud OAuth (free). Official: Google IdP doc.
- Find team name: Cloudflare One → Settings → Team name (e.g.
apexstem→ hostapexstem.cloudflareaccess.com). - Google Cloud Console → new project → OAuth client (Web application).
- Authorized JavaScript origins:
https://<team-name>.cloudflareaccess.com - Redirect URI:
https://<team-name>.cloudflareaccess.com/cdn-cgi/access/callback - Copy Client ID and Client secret.
- Cloudflare One → Integrations → Identity providers → Add new → Google → paste ID/secret → Save → Test.
- On your Application → enable Google (and optionally One-time PIN as backup).
Users sign in with their own email account, not board@apexstem.org.
Step 2 — Create an Allow policy (recommended first)¶
Creating the policy first avoids hunting menus inside the application wizard.
- Access controls → Policies (or Policy management).
- Create policy / Add a policy.
- Policy name:
Apex trustees - Action: Allow
- Configure rules → Include:
- Selector: Emails
- Value: each trustee's individual email address (one rule or multiple entries).
- Save policy.
Step 3 — Create the Access application¶
- Access controls → Applications.
- Create new application.
- Choose Self-hosted and private (not “SaaS” unless you know you need it).
- Choose Add public hostname (not “private IP”).
- Hostname:
- Domain dropdown:
apexstem.org - Subdomain:
docs - Result:
docs.apexstem.org -
Or pick / type the full hostname if the UI offers a single field.
-
Access policies:
-
Add policy → select
Apex trustees(from Step 2), or create inline Allow policy with same emails. -
Authentication / Identity providers:
- Enable your chosen identity provider(s).
-
Optional: Instant authentication if using a single provider.
-
Session duration: e.g. 24 hours.
-
Create (bottom of form).
Tunnel: Skip “Connect your origin to Cloudflare” / Tunnel setup — Pages already hosts docs.apexstem.org on your zone. Access sits in front of existing DNS.
Step 4 — Test¶
- Chrome Incognito (not logged in as a trustee).
- Visit
https://docs.apexstem.org. - Expect: redirect to Cloudflare Access login.
- Sign in with an allowed trustee email account → wiki loads.
- Incognito + non-allowed email account → blocked / access denied.
If the site loads with no login, the application is not bound to the hostname — see troubleshooting.
Step 5 — Notify trustees¶
Open https://docs.apexstem.org
Sign in with your invited account using the configured identity provider.
Mentors: Mentor guide · Board/Treasurer: Start here
Troubleshooting¶
| Symptom | What to do |
|---|---|
| Sidebar says Cloudflare One, not Zero Trust | Normal — use this doc |
| Stuck in “Secure private apps” / Tunnel wizard | Back out; use Access controls → Applications path above |
| No Applications in sidebar | Complete Cloudflare One onboarding (team name + plan) |
docs.apexstem.org not in domain dropdown |
Zone apexstem.org must be Active in same account; Pages custom domain attached |
| Login never appears | Confirm DNS record for docs is proxied (orange cloud); Access app hostname must match exactly |
board@ cannot log in |
Use individual user emails in policy, not role aliases |
Pages .pages.dev URL still public |
Access app is on custom domain only — add separate app for *.pages.dev if needed, or disable pages.dev in Pages settings |
Optional later¶
- Access Groups under Access controls for parents/mentors (
apex-parents-ridge-racers, etc.) — see rbac-groups.md - Path-based policies when content uses
/internal/...URLs - Block direct access to
apexstem-docs.pages.devin Pages project settings
Expanding to all users (email/password)¶
When you're ready to give students, parents, mentors, and Omesh access with email/password login, see the full setup guide:
portal_access_setup_all_users.md — Auth0 (OIDC) + Cloudflare Access Groups for role-based access.