
Cloudflare Security, Zero Trust, and R2 Storage

VIDEO TRANSCRIPT | Recorded: 2025-12-17 | Verify against current system state

Abstract

This session covers Cloudflare security features, R2 object storage, and Zero Trust access policies. Jeff demonstrates the rule hierarchy (redirect rules → URL rewrites → page rules), configuring bulk redirects for URL forwarding, setting up R2 storage buckets for public and private assets, and implementing Zero Trust policies with reusable rule groups for controlling application access via IP addresses, email domains, and Azure AD authentication.

Key Procedures

  • Rules hierarchy order: DDoS protection → URL normalization → Redirect rules → URL rewrites → Page rules (order matters!)
  • View all rules in one place: Domain → Rules Overview (combines redirects, rewrites, cache rules, page rules)
  • Page rules are limited in quantity (extra ones are purchased) - reserve them for seasonal redirects that need quick on/off toggling
  • Bulk redirects for permanent URL forwarding: no limit on entries; the source URL must NOT include https://
  • Create bulk redirect lists: Rules → Bulk Redirects → Create list → Manually add URLs or CSV import
  • Turnstile (CAPTCHA replacement): Organization level → Turnstile - configured for CraftCMS Freeform; the widget hides itself when the visitor is verified as human
  • Security analytics: Domain → Security → Analytics - check threat origins, bot traffic patterns (bots most active at night)
  • Countries banned: Russia and others - blocked requests show in analytics as dimmed red (blocked, but still attempting)
  • R2 Storage: Organization → R2 → Create bucket (name cannot be changed after creation)
  • Public R2 bucket: Assign custom domain (e.g., assets.amp.org) to make bucket publicly accessible
  • Private R2 bucket access: Use the S3 API with a token/key behind a proxy that hands out time-limited access (10-15 minute tokens)
  • Simple Backups: Configured for daily/monthly/weekly backups of assets.amp.org bucket
  • Zero Trust users: Access → Users - monitor seat usage, disable inactive users
  • Zero Trust applications: Access → Access Controls → Applications - define URLs protected by authentication
  • Session duration: Configurable per application (e.g., 1 month for Aptify Web)
  • Login methods: Azure AD, One-time PIN (limited to specific email domains), GitHub (AMPIT org members)
  • Reusable policies: Create once, apply to multiple applications (e.g., "Allow all active consultants and vendors")
  • Bypass policies: Skip authentication for specific IP ranges (office IPs, VPN, home office IPs)
  • Rule groups: Core of policies - define by email domain, IP address, or IP list references
  • Legacy policies: Per-application (older method) - consider consolidating to reusable policies
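The time-limited private-bucket access described above, as an added example that is not from the session or from Cloudflare: a proxy-side function that mints an S3-style presigned GET URL for an R2 object and refuses any TTL outside the 10-15 minute window. The account id, bucket name, object key and credentials are constructed placeholders.

```python
"""Mint a short-lived presigned GET URL for an object in a private R2 bucket.
R2 speaks the S3 API, so AWS Signature Version 4 query-string presigning applies
(region is always "auto"). All ids and credentials are constructed placeholders."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

MIN_TTL, MAX_TTL = 600, 900  # the 10-15 minute window the session describes

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_r2_get(account_id, bucket, key, access_key, secret_key, ttl, now=None):
    """Return a GET URL valid for `ttl` seconds; TTLs outside the 10-15 minute
    policy are rejected so a caller cannot accidentally mint long-lived links."""
    if not MIN_TTL <= ttl <= MAX_TTL:
        raise ValueError(f"ttl {ttl}s is outside the {MIN_TTL}-{MAX_TTL}s policy window")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{account_id}.r2.cloudflarestorage.com"
    scope = f"{day}/auto/s3/aws4_request"
    # Canonical URI: each path segment percent-encoded, "/" kept as the separator.
    path = "/" + "/".join(quote(seg, safe="") for seg in f"{bucket}/{key}".split("/"))
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(ttl),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", path, query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    signing_key = _hmac(("AWS4" + secret_key).encode(), day)
    for part in ("auto", "s3", "aws4_request"):  # date -> region -> service -> terminator
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"

def demo():
    """Constructed example at a fixed timestamp so the output is reproducible."""
    when = dt.datetime(2025, 12, 17, 15, 0, tzinfo=dt.timezone.utc)
    return presign_r2_get("0123456789abcdef", "members-private", "reports/2025/q4.pdf",
                          "EXAMPLE_ACCESS_KEY", "EXAMPLE_SECRET_KEY", 900, when)
```

The proxy returns only the URL to the caller; the secret key never leaves the proxy, and the link stops working once X-Amz-Expires elapses.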

Notable Statements

  • 0:00:33 "Rules live at two different levels... you end up having to look in both places for specific rules - organizational level and within a specific domain."
  • 0:03:06 "Turnstile tries to hide itself as much as possible. If it can figure out that the person is human, then it just doesn't show anything at all."
  • 0:12:05 "The first thing that's done is any kind of DDoS protection... then redirect rules, then URL rewrites, then page rules underneath that."
  • 0:14:55 "Most of our threats that come in, like bots that are checking things, happening as people leave the office and then a little bit before people are logging into the system."
  • 0:22:51 "R2 storage is S3 compatible object storage... buckets can be public or private."
  • 0:31:12 "Zero Trust is used to limit access to certain areas of our websites. We've come to rely on this quite a bit."
  • 0:41:34 "The worst is home office IP addresses - it rarely works because people's home IP address changes all the time."
  • 0:49:10 "Cloudflare changes the location of these things like every six months... they very rarely disable things, but they'll keep moving them into places that are harder to find."

Systems & Configurations

Systems Mentioned

  • Cloudflare (WAF, Page Rules, Bulk Redirects, R2, Zero Trust)
  • Azure Active Directory (identity provider)
  • GitHub (identity provider option)
  • CraftCMS (Turnstile integration)
  • Google Cloud Storage (CraftCMS assets - legacy, not migrated to R2)
  • Simple Backups (R2 backup service)
  • CyberDuck (FTP-style R2 access option)

Specific Configurations

Item                      | Value/Setting                        | Timestamp | Notes
Turnstile challenges      | 1,480,000+                           | 0:03:40   | Bot detection working
Production page rules     | 50+                                  | 0:17:50   | amp.org domain
QA page rules             | 25                                   | 0:17:50   | ampqa.com domain
Bulk redirects            | 72 entries                           | 0:21:16   | No limit on entries
R2 public bucket          | assets.amp.org                       | 0:23:28   | Multiple custom domains pointing here
Private bucket token TTL  | 10-15 minutes                        | 0:29:11   | Time-limited access tokens
Aptify Web session        | 1 month                              | 0:35:31   | Zero Trust session duration
One-time PIN domains      | amp.org, Plusify, Aptify, Salesforce | 0:36:46   | Restricted email domains

Credentials/Access Mentioned

  • IT Support Cloudflare account for organizational settings
  • Azure AD integration for staff authentication
  • GitHub (AMPIT organization) as identity provider option
  • One-time PIN authentication for approved email domains
  • IP-based bypass for office, VPN, and approved home office IPs

Errors & Troubleshooting

  • Issue: Page rule not taking effect
  • Cause: Redirect rule at higher priority already handling the URL
  • Resolution: Check Rules Overview to see rule hierarchy; move page rule or modify redirect rule
  • Timestamp: 0:12:47

  • Issue: WordPress attack attempts flooding logs
  • Cause: Bots scanning for WordPress endpoints that don't exist
  • Resolution: Monitor but no action needed - requests fail naturally; review analytics for patterns
  • Timestamp: 0:17:12

  • Issue: Home office IP bypass stops working
  • Cause: ISP changes home IP addresses dynamically
  • Resolution: Use email-based authentication instead of IP bypass for home workers
  • Timestamp: 0:41:34

  • Issue: CraftCMS storage not in R2
  • Cause: Set up before R2 existed; migration requires coordination with MightyCitizen and downtime
  • Resolution: Would be a mini-project to migrate from Google Cloud Storage to R2
  • Timestamp: 0:30:23

Transcript Gaps & Quality Notes

  • Recording is from a live Teams meeting
  • Part 2 of 2 - Part 1 covers DNS, billing, and Cloudflare Pages
  • Extensive visual walkthrough of Cloudflare UI - watching video recommended
  • Zero Trust section is comprehensive and covers complex policy configuration
  • Note: Cloudflare frequently moves UI elements; documentation may become outdated within 6 months
  • Presenter: Jeff Sikes
  • Duration: ~60 minutes
  • Audio quality: Good