
Cloudflare Access VPS

Author: maverick-software · GitHub · v1.0.0
cross-platform · security check passed
Total downloads: 267 · Favorites: 0 · Current installs: 0 · Versions: 1

Install in OpenClaw: /install cloudflare-access-vps

Description
Add Cloudflare Zero Trust Access authentication to a VPS-hosted OpenClaw agent. Puts a login screen (email OTP, Google SSO, GitHub, or TOTP MFA) in front of...
Usage (SKILL.md)

Cloudflare Access for OpenClaw VPS Agents

Gates the entire domain with Cloudflare Zero Trust Access — every URL, including /ws, /api/, and the control UI, requires authentication before a byte reaches the VPS.

Architecture

Browser / app hits https://koda.yourdomain.com
        ↓
Cloudflare Edge
  ├── Access policy check → BLOCKED if unauthenticated (login screen shown)
  └── Authenticated → Cloudflare Tunnel → localhost:18789 → OpenClaw
                                                                ↓
                                                       Gateway token auth (layer 2)
                                                                ↓
                                                       Device pairing  (layer 3)

Prerequisites: Cloudflare Tunnel active (cloudflared service running), domain on Cloudflare DNS. See cloudflare-agent-tunnel skill if tunnel is not yet set up.


Quick Setup (5 Steps)

Step 1 — Enable Zero Trust

  1. dash.cloudflare.com → select your account → Zero Trust
  2. On first visit, pick a team name (e.g. teamplayers) — this becomes teamplayers.cloudflareaccess.com
  3. Free plan: up to 50 users, no credit card required

Step 2 — Add an Identity Provider

Zero Trust → Settings → Authentication → Add new — pick one:

| Provider | Best for | Setup effort |
| --- | --- | --- |
| One-time PIN (email OTP) | Simplest, no external app | Zero — built-in |
| Google | Teams with Google Workspace | ~5 min (OAuth app in Google Console) |
| GitHub | Developer teams | ~5 min (OAuth app in GitHub) |

For most solo/small team deployments, One-time PIN is sufficient and needs no external setup.

Step 3 — Create an Access Application

Zero Trust → Access → Applications → Add an application → Self-hosted

| Field | Value |
| --- | --- |
| Application name | OpenClaw - Koda (or agent name) |
| Session duration | 24 hours (reduce for higher security) |
| Application domain | koda.yourdomain.com |
| Path | (leave blank to gate entire domain) |

Click Next.

Step 4 — Create an Access Policy

Policy name: Owners only (or similar)

| Rule | Setting |
| --- | --- |
| Action | Allow |
| Include → Selector | Emails |
| Include → Value | [email protected] (your email) |

To require MFA: Add require rule → Authentication Method → mfa (forces TOTP/hardware key on top of identity provider).

Click Next → Save.

Step 5 — Test

Open a private/incognito window → visit https://koda.yourdomain.com. You should see a Cloudflare login page. After authenticating, OpenClaw loads normally.


Multi-Agent Setup

Each agent subdomain gets its own Access Application with its own policy.

koda.teamplayers.ai    → Application: "OpenClaw - Koda"    → Policy: owners only
agent2.teamplayers.ai  → Application: "OpenClaw - Agent 2" → Policy: client X only

To add a second agent: repeat Steps 3–4 with the new subdomain.


Service Tokens (for API / Native App Access)

Browser-based Cloudflare login doesn't work for programmatic or native app connections. Use Service Tokens instead — static credentials sent as HTTP headers.

Zero Trust → Access → Service Auth → Create Service Token

Copy the CF-Access-Client-Id and CF-Access-Client-Secret.

Attach the token to the application:

  • In the Access Application, add a second policy:
    • Action: Allow, Include → Service Token → select the token you created

The caller then sends:

CF-Access-Client-Id: <id>.access
CF-Access-Client-Secret: <secret>

For WebSocket connections (OpenClaw gateway): pass these as HTTP headers on the WS upgrade request.

Full details → references/service-tokens.md
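The two headers above are the whole of the service-token handshake, and they must be present on the very first request the edge sees, which for the OpenClaw gateway is the WebSocket upgrade itself. The following is an added example (not code from the skill or from OpenClaw) of a caller that builds those requests; it assumes the token is supplied through the environment variables CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET (names chosen for this example) and that the agent host is koda.yourdomain.com as in the guide.

```python
"""Added example: present a Cloudflare Access service token on an HTTPS
request and on the WebSocket upgrade to the OpenClaw gateway.

Assumed (not from the skill): token read from CF_ACCESS_CLIENT_ID /
CF_ACCESS_CLIENT_SECRET; host koda.yourdomain.com as in the guide.
"""
import base64
import os
import urllib.request


def service_token_headers(client_id: str, client_secret: str) -> dict:
    """Return the two headers Cloudflare Access expects for a service token.

    The Client Id issued by the dashboard ends in ".access"; a value without
    that suffix is almost always the wrong string pasted into the wrong
    field, so refuse it before anything is sent.
    """
    if not client_id.endswith(".access"):
        raise ValueError("CF-Access-Client-Id must end with '.access'")
    if not client_secret:
        raise ValueError("CF-Access-Client-Secret is empty")
    return {
        "CF-Access-Client-Id": client_id,
        "CF-Access-Client-Secret": client_secret,
    }


def load_token_from_env() -> dict:
    """Read the token from the environment so it never lands in source or shell history."""
    return service_token_headers(
        os.environ["CF_ACCESS_CLIENT_ID"], os.environ["CF_ACCESS_CLIENT_SECRET"]
    )


def https_request(url: str, token_headers: dict) -> urllib.request.Request:
    """Plain HTTPS request (an API or health endpoint) carrying the token."""
    return urllib.request.Request(url, headers=token_headers, method="GET")


def websocket_upgrade_headers(host: str, token_headers: dict, ws_key: str = None) -> dict:
    """Headers for the WebSocket upgrade to the OpenClaw gateway.

    Access evaluates the token on the upgrade request; a token carried only
    in later frames is never seen by the edge, which is why the guide says to
    pass the headers on the upgrade itself.
    """
    if ws_key is None:
        ws_key = base64.b64encode(os.urandom(16)).decode()
    headers = {
        "Host": host,
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Version": "13",
        "Sec-WebSocket-Key": ws_key,
    }
    headers.update(token_headers)
    return headers


def redact(token_headers: dict) -> dict:
    """Copy of the headers that is safe to log: secret masked, id kept for correlation."""
    return {k: ("***" if k == "CF-Access-Client-Secret" else v) for k, v in token_headers.items()}


if __name__ == "__main__":
    # Live use needs a real token in the environment and the Access app configured.
    hdrs = load_token_from_env()
    print("sending with", redact(hdrs))
    with urllib.request.urlopen(https_request("https://koda.yourdomain.com/", hdrs)) as resp:
        print("status", resp.status)
```

The upgrade-header builder returns a plain dict so it can be handed to whichever WebSocket client the agent uses; the point is only that the CF-Access-* pair is on the same request as Upgrade: websocket.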


Interaction with OpenClaw Token + Pairing

Cloudflare Access is the outer gate. OpenClaw's own auth layers still apply after it:

| Layer | What it blocks |
| --- | --- |
| Cloudflare Access | Unauthenticated internet users (never reach the UI) |
| Gateway token | Anyone who bypasses Cloudflare (e.g. VPS localhost, misconfigured tunnel) |
| Device pairing | Someone with the token but on an unapproved browser |

For existing deployments, no OpenClaw config changes are needed — Access just wraps the outside.
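The table above and the later safe-use advice make the same point from two sides: Access only covers traffic that arrives through the tunnel, so a gateway that listens on a public interface is reachable without ever meeting the login screen, and only the token and pairing layers stand in the way. The following is an added example (not part of the skill) of an audit that a VPS operator can run to confirm the gateway port (18789 in the guide) is bound to loopback only and to list any other wildcard listeners. It assumes the output layout of Linux `ss -ltnp`; the embedded sample output is constructed for the example, not captured from a real host, and the set of deliberately public ports (SSH here) is an assumption to adjust per host.

```python
"""Added example: check which VPS sockets are reachable without going through
the Cloudflare tunnel.  Anything bound to 0.0.0.0 / [::] / * answers on the
public IP and skips Access entirely.

Assumed: Linux iproute2 `ss -ltnp` output layout; SAMPLE_SS_OUTPUT is
constructed for this example; ALLOWED_PUBLIC_PORTS is a per-host choice.
"""
import subprocess

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:18789      0.0.0.0:*          users:(("openclaw",pid=1203,fd=7))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       511     0.0.0.0:3000         0.0.0.0:*          users:(("node",pid=1410,fd=21))
LISTEN  0       4096    [::1]:9100           [::]:*             users:(("node_exporter",pid=702,fd=3))
"""

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "localhost"}
# Ports the operator has deliberately exposed; everything else on a wildcard bind is flagged.
ALLOWED_PUBLIC_PORTS = {22}
GATEWAY_PORT = 18789  # OpenClaw gateway port from the guide


def parse_listeners(ss_output: str) -> list:
    """Return (host, port, process) tuples from `ss -ltnp` text."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # rpartition keeps "[::1]" intact
        process = fields[5] if len(fields) > 5 else ""
        listeners.append((host, int(port), process))
    return listeners


def exposed_listeners(listeners, allowed=ALLOWED_PUBLIC_PORTS) -> list:
    """Listeners on a non-loopback address whose port is not explicitly allowed."""
    return [
        (host, port, proc)
        for host, port, proc in listeners
        if host not in LOOPBACK_HOSTS and port not in allowed
    ]


def gateway_is_loopback_only(listeners, port=GATEWAY_PORT) -> bool:
    """True only if the gateway port is listening and every bind is loopback."""
    binds = [host for host, p, _ in listeners if p == port]
    return bool(binds) and all(h in LOOPBACK_HOSTS for h in binds)


def audit(ss_output: str) -> dict:
    """Summarise the two checks an operator cares about after enabling Access."""
    listeners = parse_listeners(ss_output)
    return {
        "gateway_loopback_only": gateway_is_loopback_only(listeners),
        "exposed": exposed_listeners(listeners),
    }


if __name__ == "__main__":
    try:
        out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT  # off a Linux host, fall back to the constructed sample
    result = audit(out)
    print("gateway loopback-only:", result["gateway_loopback_only"])
    for host, port, proc in result["exposed"]:
        print(f"EXPOSED {host}:{port} {proc}")
```

On the constructed sample the gateway passes (127.0.0.1:18789) while the node process on 0.0.0.0:3000 is reported, which is exactly the kind of listener that needs either a loopback bind or a firewall rule before Access can be trusted as the outer gate.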


Troubleshooting

See references/troubleshooting.md for common issues including:

  • "Access denied" after login
  • WebSocket connections failing through Access
  • Service token auth not working
  • Bypassing Access for localhost development
Safe-use recommendations
This skill is a how-to guide that appears internally consistent with its purpose; it will not auto-run code on your machine. Before following it you should:
  1. Ensure you actually have cloudflared/tunnel and Cloudflare DNS for the domain.
  2. Treat CF service tokens and OpenClaw gateway tokens as sensitive secrets: store them in a vault and do not commit them to git.
  3. Prefer short-lived sessions/tokens and per-client tokens where possible, and rotate/revoke compromised tokens promptly.
  4. Be aware that localhost connections bypass Cloudflare Access, so lock down any services listening on the VPS (bind to localhost only, use firewall rules).
  5. Test WebSocket (wss://) behavior after enabling Access and confirm service-token policies include the token.
  6. Monitor Zero Trust Access logs to verify expected behavior and detect unexpected usage.
If you want higher assurance, request an audited install script from a trusted source rather than relying only on manual instructions.
Capability analysis
Type: OpenClaw Skill
Name: cloudflare-access-vps
Version: 1.0.0
The skill bundle consists entirely of documentation and configuration guides for setting up Cloudflare Zero Trust Access to secure an OpenClaw VPS deployment. It contains no executable code, scripts, or malicious instructions, focusing instead on architectural overviews, step-by-step dashboard instructions, and troubleshooting (SKILL.md, references/service-tokens.md, references/troubleshooting.md). The content is aligned with its stated purpose of enhancing security through identity-based access control.
Capability assessment
Purpose & Capability
The name/description (Cloudflare Access for a VPS-hosted OpenClaw agent) matches the content: it documents configuring Cloudflare Zero Trust, creating Access applications/policies, and using service tokens. It correctly requires an existing cloudflared tunnel and a Cloudflare-managed domain — these are expected prerequisites.
Instruction Scope
Instructions remain focused on Cloudflare dashboard actions, Access application/policy creation, service token usage, and OpenClaw configuration. The guide tells operators to store service tokens (e.g., ~/.openclaw/secrets.json) and explains localhost bypass for development; it also documents using non-expiring service tokens (which is functional but a security choice). There are no instructions to read unrelated system files, exfiltrate data, or contact unknown endpoints.
Install Mechanism
This is instruction-only (no install spec, no code files executed). That minimizes on-disk risk — nothing will be downloaded or installed automatically by the skill.
Credentials
The skill does not request environment variables, secrets, or unrelated credentials. It discusses Cloudflare service tokens and OpenClaw gateway tokens, which are logically required for the documented use-cases; the guidance warns to treat them like API keys. No unrelated credentials or system config paths are asked for.
Persistence & Privilege
always:false and no code means the skill cannot auto-install or persist settings. It does not ask to modify other skills or system-wide configurations. Note: the documentation explicitly states localhost connections bypass Cloudflare Access (expected behavior) — operators must secure local endpoints accordingly.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install cloudflare-access-vps
  3. After installation, call the Skill by name directly or trigger it with /cloudflare-access-vps
  4. Provide the required input according to the Skill's parameter description to receive structured output
Version history
v1.0.0
Initial release — zero-trust identity gate for OpenClaw VPS agents. Covers 5-step Cloudflare Access setup, MFA policies, service tokens for API/native app access, multi-agent patterns, and troubleshooting.
Metadata
Slug: cloudflare-access-vps
Version: 1.0.0
License
Cumulative installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is Cloudflare Access VPS?

Add Cloudflare Zero Trust Access authentication to a VPS-hosted OpenClaw agent. Puts a login screen (email OTP, Google SSO, GitHub, or TOTP MFA) in front of... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 267 cumulative downloads so far.

How do I install Cloudflare Access VPS?

Run the command "/install cloudflare-access-vps" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Cloudflare Access VPS free?

Yes, Cloudflare Access VPS is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Cloudflare Access VPS support?

Cloudflare Access VPS is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Cloudflare Access VPS?

Developed and maintained by maverick-software (@maverick-software); current version v1.0.0.
