cname record updates
This commit is contained in:
parent
7f2745862e
commit
3017f14de4
@ -135,55 +135,78 @@ curl -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records
|
||||
echo -e "\n"
|
||||
echo "Root domain CNAME record has been added."
|
||||
|
||||
# Prompt for admin email
|
||||
echo "Please enter the admin email address that should have access to protected services:"
|
||||
read ADMIN_EMAIL
|
||||
|
||||
# Validate email format
|
||||
if [[ ! "$ADMIN_EMAIL" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then
|
||||
echo "Error: Invalid email format. Please provide a valid email address."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Now create the Cloudflare Access applications
|
||||
echo "Creating Cloudflare Access applications..."
|
||||
|
||||
# 1. Create wildcard access application for all subdomains
|
||||
echo "Creating wildcard access application for *.$CF_DOMAIN..."
|
||||
WILDCARD_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
|
||||
-H "Authorization: Bearer $CF_API_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
--data "{
|
||||
\"name\": \"All Applications - $CF_DOMAIN\",
|
||||
\"domain\": \"*.$CF_DOMAIN\",
|
||||
\"type\": \"self_hosted\",
|
||||
\"session_duration\": \"24h\",
|
||||
\"app_launcher_visible\": true,
|
||||
\"skip_interstitial\": true
|
||||
}")
|
||||
# Create access applications only for specific services
|
||||
PROTECTED_SERVICES=("homepage" "live" "ferdium" "convertx" "mini-qr" "ollama")
|
||||
|
||||
# Extract the application ID from the response
|
||||
WILDCARD_APP_ID=$(echo $WILDCARD_APP_RESPONSE | jq -r '.result.id')
|
||||
|
||||
if [ -z "$WILDCARD_APP_ID" ] || [ "$WILDCARD_APP_ID" == "null" ]; then
|
||||
echo "Error creating wildcard access application. Response: $WILDCARD_APP_RESPONSE"
|
||||
else
|
||||
echo "Successfully created wildcard access application with ID: $WILDCARD_APP_ID"
|
||||
for service in "${PROTECTED_SERVICES[@]}"; do
|
||||
echo "Creating access application for $service.$CF_DOMAIN..."
|
||||
|
||||
# Create policy for emails ending with the domain
|
||||
echo "Creating email domain policy for wildcard application..."
|
||||
EMAIL_DOMAIN=$(echo $CF_DOMAIN | cut -d'.' -f1,2)
|
||||
|
||||
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$WILDCARD_APP_ID/policies" \
|
||||
SERVICE_APP_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps" \
|
||||
-H "Authorization: Bearer $CF_API_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
--data "{
|
||||
\"name\": \"Allow Domain Emails\",
|
||||
\"decision\": \"allow\",
|
||||
\"include\": [{
|
||||
\"email_domain\": {
|
||||
\"domain\": \"$EMAIL_DOMAIN\"
|
||||
}
|
||||
}],
|
||||
\"require\": [],
|
||||
\"exclude\": [],
|
||||
\"precedence\": 1,
|
||||
\"purpose\": \"Authentication for domain users\",
|
||||
\"session_duration\": \"24h\"
|
||||
}"
|
||||
|
||||
echo "Email domain policy created."
|
||||
fi
|
||||
\"name\": \"$service $CF_DOMAIN\",
|
||||
\"domain\": \"$service.$CF_DOMAIN\",
|
||||
\"type\": \"self_hosted\",
|
||||
\"session_duration\": \"24h\",
|
||||
\"app_launcher_visible\": true,
|
||||
\"skip_interstitial\": true
|
||||
}")
|
||||
|
||||
# Extract the application ID from the response
|
||||
SERVICE_APP_ID=$(echo $SERVICE_APP_RESPONSE | jq -r '.result.id')
|
||||
|
||||
if [ -z "$SERVICE_APP_ID" ] || [ "$SERVICE_APP_ID" == "null" ]; then
|
||||
echo "Error creating $service access application. Response: $SERVICE_APP_RESPONSE"
|
||||
else
|
||||
echo "Successfully created $service access application with ID: $SERVICE_APP_ID"
|
||||
|
||||
# Create policy for admin email
|
||||
echo "Creating admin email policy for $service application..."
|
||||
|
||||
POLICY_RESPONSE=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/access/apps/$SERVICE_APP_ID/policies" \
|
||||
-H "Authorization: Bearer $CF_API_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
--data "{
|
||||
\"name\": \"Allow Admin Email\",
|
||||
\"decision\": \"allow\",
|
||||
\"include\": [{
|
||||
\"email\": {
|
||||
\"email\": \"$ADMIN_EMAIL\"
|
||||
}
|
||||
}],
|
||||
\"require\": [],
|
||||
\"exclude\": [],
|
||||
\"precedence\": 1,
|
||||
\"purpose\": \"Admin Authentication\",
|
||||
\"session_duration\": \"24h\"
|
||||
}")
|
||||
|
||||
# Check if policy creation was successful
|
||||
POLICY_SUCCESS=$(echo $POLICY_RESPONSE | jq -r '.success')
|
||||
|
||||
if [ "$POLICY_SUCCESS" == "true" ]; then
|
||||
POLICY_ID=$(echo $POLICY_RESPONSE | jq -r '.result.id')
|
||||
echo "Admin email policy for $service created successfully with ID: $POLICY_ID"
|
||||
else
|
||||
ERROR_MSG=$(echo $POLICY_RESPONSE | jq -r '.errors[0].message')
|
||||
echo "Error creating admin email policy for $service: $ERROR_MSG"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# 2. Create specific access application for Gitea
|
||||
echo "Creating access application for gitea.$CF_DOMAIN..."
|
||||
|
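Review bot: The request bodies in the new per-service loop are assembled by interpolating shell variables into a JSON string literal (the `\"name\": \"$service $CF_DOMAIN\"` / `\"domain\": \"$service.$CF_DOMAIN\"` app body and the `\"email\": \"$ADMIN_EMAIL\"` policy body), so only `$ADMIN_EMAIL` is regex-checked and any quote or backslash in `$service` or `$CF_DOMAIN` produces malformed JSON; since the script already depends on jq, build each body with it, e.g. `jq -n --arg email "$ADMIN_EMAIL" '{name:"Allow Admin Email", decision:"allow", include:[{email:{email:$email}}], require:[], exclude:[], precedence:1, purpose:"Admin Authentication", session_duration:"24h"}'` and pass it with `--data @-`. The response parsing is unquoted — `echo $SERVICE_APP_RESPONSE | jq -r '.result.id'` and the three `echo $POLICY_RESPONSE | jq` lines — which word-splits and glob-expands API output before jq sees it; `jq -r '.result.id' <<<"$SERVICE_APP_RESPONSE"` keeps the payload intact. Each `-H "Authorization: Bearer $CF_API_TOKEN"` places the token in curl's argv, where it is readable via `ps` for the duration of the call; a header file passed as `-H @file` (mode 0600, removed by an EXIT trap) or a curl config file avoids that. `read ADMIN_EMAIL` should be `read -r ADMIN_EMAIL` so backslashes are not interpreted, and the app-creation check only tests `.result.id`, unlike the policy check which tests `.success` — testing `.success` for both gives a consistent error path. The page prints old and new lines interleaved without markers, so which of these lines are added versus context cannot be told with certainty from the rendering.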