Cloudflare Access for OpenClaw VPS Agents
Gates the entire domain with Cloudflare Zero Trust Access — every URL, including /ws, /api/,
and the control UI, requires authentication before a byte reaches the VPS.
Architecture
CODEBLOCK0
Prerequisites: Cloudflare Tunnel active (cloudflared service running), domain on Cloudflare DNS.
See cloudflare-agent-tunnel skill if tunnel is not yet set up.
Quick Setup (5 Steps)
Step 1 — Enable Zero Trust
- 1. dash.cloudflare.com → select your account → Zero Trust
- On first visit, pick a team name (e.g.
teamplayers) — this becomes �INLINECODE5 - Free plan: up to 50 users, no credit card required
Step 2 — Add an Identity Provider
Zero Trust → Settings → Authentication → Add new — pick one:
| Provider | Best for | Setup effort |
|---|
| One-time PIN (email OTP) | Simplest, no external app | Zero — built-in |
| Google |
Teams with Google Workspace | ~5 min (OAuth app in Google Console) |
| GitHub | Developer teams | ~5 min (OAuth app in GitHub) |
For most solo/small team deployments, One-time PIN is sufficient and needs no external setup.
Step 3 — Create an Access Application
Zero Trust → Access → Applications → Add an application → Self-hosted
| Field | Value |
|---|
| Application name | INLINECODE6� (or agent name) |
| Session duration |
24 hours (reduce for higher security) |
| Application domain |
koda.yourdomain.com |
| Path |
(leave blank to gate entire domain) |
Click Next.
Step 4 — Create an Access Policy
Policy name: Owners only (or similar)
| Rule | Setting |
|---|
| Action | Allow |
| Include → Selector |
Emails |
| Include → Value |
charles@yourdomain.com (your email) |
To require MFA: Add require rule → Authentication Method → mfa (forces TOTP/hardware key on top of identity provider).
Click Next → Save.
Step 5 — Test
Open a private/incognito window → visit https://koda.yourdomain.com.
You should see a Cloudflare login page. After authenticating, OpenClaw loads normally.
Multi-Agent Setup
Each agent subdomain gets its own Access Application with its own policy.
CODEBLOCK1
To add a second agent: repeat Steps 3–4 with the new subdomain.
Service Tokens (for API / Native App Access)
Browser-based Cloudflare login doesn't work for programmatic or native app connections.
Use Service Tokens instead — static credentials sent as HTTP headers.
Zero Trust → Access → Service Auth → Create Service Token
Copy the CF-Access-Client-Id and CF-Access-Client-Secret.
Attach the token to the application:
- - In the Access Application, add a second policy:
- Action:
Allow, Include →
Service Token → select the token you created
The caller then sends:
�CODEBLOCK2
For WebSocket connections (OpenClaw gateway): pass these as HTTP headers on the WS upgrade request.
Full details → references/service-tokens.md
Interaction with OpenClaw Token + Pairing
Cloudflare Access is the outer gate. OpenClaw's own auth layers still apply after it:
| Layer | What it blocks |
|---|
| Cloudflare Access | Unauthenticated internet users (never reach the UI) |
| Gateway token |
Anyone who bypasses Cloudflare (e.g. VPS localhost, misconfigured tunnel) |
| Device pairing | Someone with the token but on an unapproved browser |
For existing deployments, no OpenClaw config changes are needed — Access just wraps the outside.
Troubleshooting
See references/troubleshooting.md for common issues including:
- - "Access denied" after login
- WebSocket connections failing through Access
- Service token auth not working
- Bypassing Access for localhost development
Cloudflare Access for OpenClaw VPS Agents
使用Cloudflare Zero Trust Access对整个域名进行网关控制——包括/ws、/api和控制UI在内的每个URL,在数据包到达VPS之前都需要进行身份验证。
架构
浏览器/应用访问 https://koda.yourdomain.com
↓
Cloudflare 边缘节点
├── 访问策略检查 → 未认证则拦截(显示登录页面)
└── 已认证 → Cloudflare Tunnel → localhost:18789 → OpenClaw
↓
网关令牌认证(第2层)
↓
设备配对(第3层)
前置条件: Cloudflare Tunnel已启用(cloudflared服务正在运行),域名已接入Cloudflare DNS。
如果尚未设置隧道,请参阅cloudflare-agent-tunnel技能。
快速设置(5步)
第1步 — 启用Zero Trust
- 1. 访问 dash.cloudflare.com → 选择您的账户 → Zero Trust
- 首次访问时,选择一个团队名称(例如 teamplayers)——这将成为 teamplayers.cloudflareaccess.com
- 免费计划:最多50个用户,无需信用卡
第2步 — 添加身份提供商
Zero Trust → Settings → Authentication → Add new — 选择其中一个:
| 提供商 | 适用场景 | 设置难度 |
|---|
| 一次性PIN(邮件OTP) | 最简单,无需外部应用 | 零配置 — 内置功能 |
| Google |
使用Google Workspace的团队 | ~5分钟(在Google控制台创建OAuth应用) |
| GitHub | 开发者团队 | ~5分钟(在GitHub创建OAuth应用) |
对于大多数个人/小团队部署,一次性PIN已足够,无需外部设置。
第3步 — 创建访问应用
Zero Trust → Access → Applications → Add an application → Self-hosted
| 字段 | 值 |
|---|
| 应用名称 | OpenClaw - Koda(或代理名称) |
| 会话时长 |
24小时(降低时长可提高安全性) |
| 应用域名 | koda.yourdomain.com |
| 路径 |
(留空则对整个域名进行网关控制) |
点击 Next。
第4步 — 创建访问策略
策略名称: 仅所有者(或类似名称)
电子邮件 |
| 包含 → 值 | charles@yourdomain.com(您的邮箱) |
如需强制MFA:添加要求规则 → Authentication Method → mfa(在身份提供商基础上强制使用TOTP/硬件密钥)。
点击 Next → Save。
第5步 — 测试
打开隐私/无痕窗口 → 访问 https://koda.yourdomain.com。
您应该会看到Cloudflare登录页面。认证通过后,OpenClaw正常加载。
多代理设置
每个代理子域名都有自己的访问应用和独立策略。
koda.teamplayers.ai → 应用:OpenClaw - Koda → 策略:仅所有者
agent2.teamplayers.ai → 应用:OpenClaw - Agent 2 → 策略:仅客户端X
要添加第二个代理:使用新子域名重复第3-4步。
服务令牌(用于API/原生应用访问)
基于浏览器的Cloudflare登录不适用于程序化或原生应用连接。
请改用服务令牌——作为HTTP标头发送的静态凭据。
Zero Trust → Access → Service Auth → Create Service Token
复制 CF-Access-Client-Id 和 CF-Access-Client-Secret。
将令牌附加到应用:
- 操作:
允许,包含 →
服务令牌 → 选择您创建的令牌
调用方随后发送:
CF-Access-Client-Id: .access
CF-Access-Client-Secret:
对于WebSocket连接(OpenClaw网关):在WS升级请求中将这些作为HTTP标头传递。
完整详情 → references/service-tokens.md
与OpenClaw令牌+配对的交互
Cloudflare Access是外层网关。OpenClaw自身的认证层在其之后仍然生效:
| 层级 | 拦截对象 |
|---|
| Cloudflare Access | 未认证的互联网用户(无法到达UI) |
| 网关令牌 |
绕过Cloudflare的任何人(例如VPS本地主机、配置错误的隧道) |
| 设备配对 | 持有令牌但使用未授权浏览器的用户 |
对于现有部署,无需更改OpenClaw配置——Access仅包裹外部访问。
故障排除
常见问题请参阅 references/troubleshooting.md,包括:
- - 登录后显示访问被拒绝
- 通过Access的WebSocket连接失败
- 服务令牌认证无效
- 为本地开发绕过Access
