Non-HTTP applications
Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications.
Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.
If you would like to define how users access specific infrastructure servers within your network, create an infrastructure application in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications. With it, you can:
- Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server.
- Eliminate SSH keys by using short-lived certificates to authenticate users.
- Export SSH command logs to a storage service or SIEM solution using Logpush.
Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported, and user email prefixes must match their username on the server.
Cloudflare’s browser-based terminal allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, https://ssh.example.com) and log in with their Access credentials, Cloudflare will render a terminal in their browser.
Users can log in to the application by installing cloudflared on their device and running a hostname-specific command in their terminal. For more information, refer to cloudflared authentication.
To connect to an application over a specific protocol, refer to these tutorials: