Skip to content

Cloudflare Access

Home / Infrastructure / Cloudflare Access

This wiki is a fully static MkDocs site hosted on Cloudflare Pages. Static sites have no built-in authentication — anyone with the URL can read every page. Because the wiki holds strategy, policies, and other internal content, we gate the whole site behind Cloudflare Access (Zero Trust), which puts a Google SSO login in front of the custom domain.

Why Access, not per-page auth

MkDocs builds one public bundle of HTML. There is no reliable way to protect individual pages inside it. The right model is all-or-nothing at the edge: Access challenges every request to wiki.anvil.co and only serves the site to authenticated members of our Google Workspace. If we ever want a public slice (e.g. careers or marketing), that should be a separate public build/site, not per-page rules on this one.

Setup

  1. Add the custom domain — in the Cloudflare Pages project for docs, add wiki.anvil.co as a custom domain so the site is served there.
  2. Enable Zero Trust — in the Cloudflare dashboard, open Zero Trust → Access.
  3. Add a Google login method — under Settings → Authentication, add Google (or Google Workspace) as an identity provider.
  4. Create a self-hosted Access application — point it at wiki.anvil.co.
  5. Add a policy — Allow, with a rule matching emails ending in our domain (e.g. @anvil.co), or specific groups.
  6. Test — open wiki.anvil.co in a private window; you should be redirected to Google login and only reach the site after authenticating.

Notes

  • Access is free at our team size (well within the Zero Trust free tier).
  • Local previews (mkdocs serve) and the default *.pages.dev URL are not behind Access. Restrict or avoid sharing the raw pages.dev URL, or add it to the Access application as well.
  • Build/deploy itself is unchanged — see the deploy runbook in Runbooks & On-Call.