Cloudflare Access: Zero Trust - ajgillis04/GillisDockerDepot GitHub Wiki

Cloudflare Access: Zero Trust

Introduction

This guide outlines how to secure all your dev services (e.g., Bazarr, Radarr, Tdarr) using Cloudflare Access with Google OAuth. The approach protects every subdomain under *.example.com via a single wildcard Access application and a Cloudflare Tunnel.

Cloudflare Access serves as either an alternative or a complementary security layer to Traefik:

  • Replacement: If you're looking for a fully cloud-managed authentication system, Cloudflare Access eliminates the need for Traefik Forward Auth or OAuth2 Proxy.
  • Complementary: If you're already using Traefik for internal routing, Cloudflare Access can provide pre-authentication at the edge, reducing reliance on middleware authentication while keeping Traefik in play for service discovery.

By shifting authentication to Cloudflare's edge, this setup ensures that only validated users can reach your infrastructure, before requests even touch your server or containers. That guarantee only holds while the services are reachable solely through the tunnel: a container that is also published directly (a host port, a router port-forward, or a DNS record pointing at your own IP) bypasses Access entirely. In the complementary setup, have Traefik or the service itself verify the Cf-Access-Jwt-Assertion header that Access attaches to every proxied request, so the origin does not trust the network path alone.

Prerequisites

  • A Cloudflare account managing example.com
  • Zero Trust dashboard enabled
  • Running Cloudflare Tunnel (cloudflared) with Docker
  • DNS CNAME records for each subdomain (e.g., bazarrdev.example.com) pointing at the tunnel (`<tunnel-id>.cfargotunnel.com`)
  • Docker containers reachable via internal networking

Configuration Steps

Step 1: Create Access Application

  1. Go to Access → Applications → Add application → Self-hosted
  2. Set:
    • Application name: <Domain Name>
    • Subdomain: *
    • Domain: example.com
  3. Click Next

Step 2: Configure Session Duration

  • Set the session duration to 1 month (users will not have to reauthenticate for 1 month). A stolen CF_Authorization cookie stays valid for the whole session, so choose a shorter duration for anything more sensitive than a dev stack.
  • Leave visual customization as default unless needed

Step 3: Connect Google Identity Provider

  1. If not linked yet:

Step 4: Add Access Policy

  1. Create a policy named Google Auth
  2. Action: Allow
  3. Include: add one rule per user you wish to give access (repeat this step for each user)
  4. Save policy

Step 5: Attach Policy to App

  1. Return to the Access app
  2. Under Policies, click "Add existing"
  3. Select your Google Auth policy
  4. Save and finish
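Once the policy is attached, every request Access lets through to the origin carries a Cf-Access-Jwt-Assertion header: an RS256-signed JWT whose issuer is https://<team>.cloudflareaccess.com, whose aud claim is the application's AUD tag (shown on the app in the Zero Trust dashboard), and whose signing keys are published at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs. The following is an added example of verifying that header at the origin, not code from this wiki or from Cloudflare; the team name, kid and AUD values are assumptions, and MintToken exists only so the demo can sign a token with a throwaway key in place of Cloudflare.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// JWK is one RSA entry of the key set at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs.
type JWK struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
// Claims is the subset of the Access JWT payload checked here; Access emits "aud" as a JSON array.
type Claims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
}
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// keyFor returns the public key whose kid matches the token header (cache the JWKS; keys rotate).
func keyFor(keys []JWK, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		if k.Kid == kid {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, errors.New("malformed JWK")
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("unknown kid %q", kid)
}

// VerifyAccessJWT validates a Cf-Access-Jwt-Assertion value: RS256 signature under the key named by
// "kid", then issuer, audience and expiry. On any error the origin must refuse the request.
func VerifyAccessJWT(token string, keys []JWK, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or alg is not RS256") // pin the algorithm; the token must not choose it
	}
	pub, err := keyFor(keys, hdr.Kid)
	sig, errSig := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || errSig != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid or signing key unknown")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	}
	if !slices.Contains(c.Aud, audience) {
		return nil, errors.New("token was issued for a different Access application")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// MintToken signs an Access-shaped JWT for the demo and tests only: in production Cloudflare holds the key.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

func main() { // Constructed demo: a throwaway key stands in for Cloudflare; team name and AUD tag are assumptions.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // public exponent 65537 == base64url "AQAB"
	keys, iss := []JWK{{Kid: "demo-kid", N: b64.EncodeToString(priv.N.Bytes()), E: "AQAB"}}, "https://example.cloudflareaccess.com"
	tok := MintToken(priv, "demo-kid", Claims{Aud: []string{"demo-aud"}, Email: "user@example.com", Iss: iss, Exp: time.Now().Add(time.Hour).Unix()})
	_, err := VerifyAccessJWT(tok, keys, iss, "demo-aud", time.Now())
	fmt.Println("valid token:", err)
	_, err = VerifyAccessJWT(tok, keys, iss, "other-app", time.Now())
	fmt.Println("wrong audience:", err)
}
```

The audience check is what stops a token minted for one Access application (say, the Radarr app) from being replayed against another; with the single wildcard app in this guide all subdomains share one AUD tag, so the check mainly guards against tokens from other apps in the same team. In a real origin, fetch the certs JSON over HTTPS, cache it, and re-fetch on an unknown kid rather than embedding keys.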

Tunnel + Routing

Step 6: Define Services in config.yml

Inside your cloudflared config (rules are matched top to bottom, and the final catch-all rule with no hostname is mandatory; after editing, run `cloudflared tunnel ingress validate` to check the file and `cloudflared tunnel ingress rule https://bazarrdev.example.com` to see which rule a given hostname hits):

tunnel: test-tunnel
credentials-file: /home/nonroot/.cloudflared/test-tunnel.json

ingress:
  - hostname: bazarrdev.example.com
    service: http://bazarr:6767/
  - hostname: radarrdev.example.com
    service: http://radarr:7878/
  - hostname: tdarrdev.example.com
    service: http://tdarr_node:8265/
  - service: http_status:404