
Cloudflare Access VPS — Cloudflare tools

v1.0.0

[AI-assisted] Add Cloudflare Zero Trust Access authentication to a VPS-hosted OpenClaw agent. Puts a login screen (email OTP, Google SSO, GitHub, or TOTP MFA) in front of...

License: MIT-0
Last updated: 2026/3/9
Security scan: VirusTotal, harmless
OpenClaw security review: high confidence
The skill is an instruction-only guide to front an OpenClaw agent with Cloudflare Zero Trust Access; its requests and instructions are coherent with that purpose and it does not ask for unrelated credentials or install arbitrary software.
Assessment recommendations
This skill is a how-to guide that appears internally consistent with its purpose; it will not auto-run code on your machine. Before following it you should: (1) ensure you actually have cloudflared/tunnel and Cloudflare DNS for the domain, (2) treat CF service tokens and OpenClaw gateway tokens as sensitive secrets — store them in a vault and do not commit them to git, (3) prefer short-lived sessions/tokens and per-client tokens where possible and rotate/revoke compromised tokens promptly, (4) b...
Detailed analysis
Purpose and capabilities
The name/description (Cloudflare Access for a VPS-hosted OpenClaw agent) matches the content: it documents configuring Cloudflare Zero Trust, creating Access applications/policies, and using service tokens. It correctly requires an existing cloudflared tunnel and a Cloudflare-managed domain — these are expected prerequisites.
Instruction scope
Instructions remain focused on Cloudflare dashboard actions, Access application/policy creation, service token usage, and OpenClaw configuration. The guide tells operators to store service tokens (e.g., ~/.openclaw/secrets.json) and explains localhost bypass for development; it also documents using non-expiring service tokens (which is functional but a security choice). There are no instructions to read unrelated system files, exfiltrate data, or contact unknown endpoints.
Installation mechanism
This is instruction-only (no install spec, no code files executed). That minimizes on-disk risk — nothing will be downloaded or installed automatically by the skill.
Credential requirements
The skill does not request environment variables, secrets, or unrelated credentials. It discusses Cloudflare service tokens and OpenClaw gateway tokens, which are logically required for the documented use-cases; the guidance warns to treat them like API keys. No unrelated credentials or system config paths are asked for.
Persistence and permissions
always:false and no code means the skill cannot auto-install or persist settings. It does not ask to modify other skills or system-wide configurations. Note: the documentation explicitly states localhost connections bypass Cloudflare Access (expected behavior) — operators must secure local endpoints accordingly.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Version

latest: v1.0.0 (2026/3/9)

Initial release — zero-trust identity gate for OpenClaw VPS agents. Covers 5-step Cloudflare Access setup, MFA policies, service tokens for API/native app access, multi-agent patterns, and troubleshooting.


Install command

Official: npx clawhub@latest install cloudflare-access-vps
Mirror:   npx clawhub@latest install cloudflare-access-vps --registry https://cn.clawhub-mirror.com

Skill documentation

Gates the entire domain with Cloudflare Zero Trust Access — every URL, including /ws, /api/, and the control UI, requires authentication before a byte reaches the VPS.

Architecture

Browser / app hits https://koda.yourdomain.com
        ↓
Cloudflare Edge
  ├── Access policy check → BLOCKED if unauthenticated (login screen shown)
  └── Authenticated → Cloudflare Tunnel → localhost:18789 → OpenClaw
                                                                ↓
                                                       Gateway token auth (layer 2)
                                                                ↓
                                                       Device pairing  (layer 3)

Prerequisites: Cloudflare Tunnel active (cloudflared service running), domain on Cloudflare DNS. See the cloudflare-agent-tunnel skill if the tunnel is not yet set up.


Quick Setup (5 Steps)

Step 1 — Enable Zero Trust

  • dash.cloudflare.com → select account → Zero Trust
  • On first visit, pick a team name (e.g. teamplayers); it becomes teamplayers.cloudflareaccess.com
  • Free plan: up to 50 users, no credit card required

Step 2 — Add Identity Provider

Zero Trust → Settings → Authentication → Add new, then pick one:

Provider                    Best for                       Setup effort
One-time PIN (email OTP)    Simplest, no external app      Zero — built-in
Google                      Teams with Google Workspace    ~5 min (OAuth app in Google Console)
GitHub                      Developer teams                ~5 min (OAuth app in GitHub)

For most solo/small team deployments, One-time PIN is sufficient and needs no external setup.

Step 3 — Create Access Application

Zero Trust → Access → Applications → Add application → Self-hosted

Field                 Value
Application name      OpenClaw - Koda (or agent name)
Session duration      24 hours (reduce for higher security)
Application domain    koda.yourdomain.com
Path                  (leave blank to gate entire domain)

Click Next.

Step 4 — Create Access Policy

Policy name: Owners only (or similar)

Rule                  Setting
Action                Allow
Include → Selector    Emails
Include → Value       charles@yourdomain.com (your email)

To require MFA: Add require rule → Authentication Method → mfa (forces TOTP/hardware key on top of identity provider).

Click Next → Save.

Step 5 — Test

Open a private/incognito window → visit https://koda.yourdomain.com. You should see a Cloudflare login page. After authenticating, OpenClaw loads normally.


Multi-Agent Setup

Each agent subdomain gets its own Access Application with its own policy.

koda.teamplayers.ai    → Application: "OpenClaw - Koda"    → Policy: owners only
agent2.teamplayers.ai  → Application: "OpenClaw - Agent 2" → Policy: client X only

To add a second agent: repeat Steps 3–4 with the new subdomain.


Service Tokens (for API / Native App Access)

Browser-based Cloudflare login doesn't work for programmatic or native app connections. Use Service Tokens instead — static credentials sent as HTTP headers.

Zero Trust → Access → Service Auth → Create Service Token

Copy the CF-Access-Client-Id and CF-Access-Client-Secret.

Attach the token to the application:

  • In the Access Application, add a second policy:
    - Action: Allow, Include → Service Token → select the token you created

The caller then sends:

CF-Access-Client-Id: .access
CF-Access-Client-Secret: 

For WebSocket connections (OpenClaw gateway): pass these as HTTP headers on the WS upgrade request.

Full details → references/service-tokens.md


Interaction with OpenClaw Token + Pairing

Cloudflare Access is the outer gate. OpenClaw's own auth layers still apply after it:

Layer                What it blocks
Cloudflare Access    Unauthenticated internet users (never reach the UI)
Gateway token        Anyone who bypasses Cloudflare (e.g. VPS localhost, misconfigured tunnel)
Device pairing       Someone with the token but on an unapproved browser

For existing deployments, no OpenClaw config changes are needed — Access just wraps the outside.
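The service-token section above (headers on the WebSocket upgrade) and this layering table, as one added example that is not part of the skill's own files: it reads a constructed secrets file, builds the upgrade request with the CF-Access headers attached, and maps the first response to the layer that handled it. Assumed, not from the page: the JSON key names and placeholder values, and that an edge-side rejection arrives as a redirect to the team's cloudflareaccess.com login URL.

```python
import base64
import json
import os
from urllib.parse import urlparse

# Constructed sample of the secrets file the page tells operators to keep
# (~/.openclaw/secrets.json); key names and values are placeholders.
SAMPLE_SECRETS = json.dumps({
    "cf_access_client_id": "0123456789abcdef0123456789abcdef.access",
    "cf_access_client_secret": "PLACEHOLDER_CLIENT_SECRET",
})

def load_service_token(secrets_json: str) -> tuple:
    """Read the service-token pair and sanity-check it: client IDs carry the
    ".access" suffix shown on the page; an empty secret means an unfilled file."""
    data = json.loads(secrets_json)
    client_id = data["cf_access_client_id"]
    client_secret = data["cf_access_client_secret"]
    if not client_id.endswith(".access"):
        raise ValueError("CF-Access-Client-Id should end with '.access'")
    if not client_secret:
        raise ValueError("CF-Access-Client-Secret is empty")
    return client_id, client_secret

def build_ws_upgrade(url: str, client_id: str, client_secret: str) -> bytes:
    """Raw HTTP/1.1 WebSocket upgrade request with the Access service-token
    headers attached. OpenClaw's own gateway-token header (layer 2) is not
    shown here; add it as OpenClaw's docs specify."""
    u = urlparse(url)
    ws_key = base64.b64encode(os.urandom(16)).decode()
    headers = [
        f"Host: {u.hostname}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {ws_key}",
        "Sec-WebSocket-Version: 13",
        f"CF-Access-Client-Id: {client_id}",
        f"CF-Access-Client-Secret: {client_secret}",
    ]
    return (f"GET {u.path or '/'} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n").encode()

def classify_response(status: int, location: str = "") -> str:
    """Map the first response to the auth layer that handled the request."""
    if status == 101:
        return "upgraded"
    if status in (301, 302) and "cloudflareaccess.com/cdn-cgi/access/login" in location:
        return "rejected by Cloudflare Access (service token missing or invalid)"
    if status in (401, 403):
        return "rejected past the edge (OpenClaw gateway token / pairing, or an Access deny page)"
    return f"unexpected status {status}"
```

A redirect to the login URL means the request never reached the tunnel, so the first thing to check is the service-token policy on the Access Application, not the OpenClaw config.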


Troubleshooting

See references/troubleshooting.md for common issues including:

  • "Access denied" after login
  • WebSocket connections failing through Access
  • Service token auth not working
  • Bypassing Access for localhost development
Data source: ClawHub · Chinese localisation: 龙虾技能库