Skip to content

docs: add Cloudflare Zero Trust documentation for self-hosted instances#347

Open
ezkemboi wants to merge 3 commits intodimagi:mainfrom
ezkemboi:docs/zero-trust-cloudflare-docs
Open

docs: add Cloudflare Zero Trust documentation for self-hosted instances#347
ezkemboi wants to merge 3 commits intodimagi:mainfrom
ezkemboi:docs/zero-trust-cloudflare-docs

Conversation

@ezkemboi
Copy link
Copy Markdown

Summary

This PR adds Zero Trust access documentation for self-hosters who need to expose Open Chat Studio — including webhook endpoints for WhatsApp, Telegram, Slack, and Twilio — without opening inbound ports on their server. No application code changes.

Changes

Added docs/concepts/zero_trust_access.md with:

  • Vendor-neutral overview of the Zero Trust tunnel pattern
  • When to use it vs. a standard reverse proxy
  • Supported provider comparison table (Cloudflare implemented; Tailscale, ngrok, frp noted)
  • Webhook path requirements that must bypass Access policies
  • Maintenance warning prompting developers to update the list when new channels are added

Added docs/how-to/cloudflare_tunnel.md with:

  • Step-by-step Cloudflare Tunnel setup: tunnel creation, docker-compose.cloudflare.yml override, Django settings
  • Access policy configuration (Allow + Bypass policies) with policy order warning
  • WARP device enrolment and posture rules
  • Mermaid diagrams for webhook integration flow and full WARP Zero Trust trust chain
  • Troubleshooting and upgrade procedure

Added docs/how-to/zero_trust_admin.md with:

  • Ongoing administration guide for NGO administrators
  • Adding and removing users (device serial → posture rule → Access policy)
  • Device replacement workflow and lost/stolen device response
  • Session duration settings with WARP/app session ordering warning
  • Reading Access and Gateway audit logs, Logpush export
  • Common situations: can't connect checklist, tunnel down, OTP not arriving
  • Quick reference table for all admin tasks

Updated mkdocs.yml:

  • zero_trust_access.md placed under Concepts
  • cloudflare_tunnel.md and zero_trust_admin.md placed under How-to Guides
  • No Self-Hosting section added

Background

The existing docs had no guidance for self-hosters who need remote team access without a public IP or open firewall ports. This PR fills that gap with a three-document set: a conceptual overview, a developer setup guide, and an admin operations guide targeting NGO administrators managing day-to-day access.

Review Notes

  • docker-compose.cloudflare.yml is strictly opt-in; the main stack is unchanged
  • Bypass policies are marked required with an explicit policy order warning
  • The admin guide is intentionally non-technical — written for NGO staff, not DevOps

@lisa-jwayela
Copy link
Copy Markdown
Collaborator

@ezkemboi can you move these tech docs to the "Tech Hub" section ?

This is where articles that engineers will refer to and it keeps them separate from OCS users who will not need to understand self hosting.

Simon and I discussed and came up with this structure for the menus - dimagi/open-chat-studio#3010 (comment)

https://github.com/dimagi/open-chat-studio-docs/blob/main/docs/tech-hub/index.md

Let me know if you have concerns or questions

@ezkemboi
Copy link
Copy Markdown
Author

ezkemboi commented Apr 22, 2026

@ezkemboi ezkemboi marked this pull request as ready for review April 22, 2026 13:36
@ezkemboi
Copy link
Copy Markdown
Author

@lisa-jwayela I have been able to get the answer, I will leave this inside this repo, but move into the Tech Hub section.
Well noted and thank you for review.

Copy link
Copy Markdown
Contributor

@snopoke snopoke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ezkemboi this seems to overlap with the docs in dimagi/open-chat-studio#3190. I haven't fully reviewed either but in general I think the self hosting docs should be in the developer docs (https://developers.openchatstudio.com/hosting/). It's fine to mention it here but we probably just want a single page about self hosting that points to the other docs.

@lisa-jwayela what do you think?

@ezkemboi
Copy link
Copy Markdown
Author

@snopoke I agree with that feedback. It makes sense to keep the self-hosting documentation in a single place (the Developer Docs) and reference it from here.

I’ll take some time to review both areas of change and share my thoughts and any suggestions afterward.

cc. @lisa-jwayela

@ezkemboi
Copy link
Copy Markdown
Author

@lisa-jwayela and @snopoke , I have moved the technical and administrative reference to developer docs.
I only have reference here

@ezkemboi ezkemboi requested a review from snopoke April 23, 2026 07:46
snopoke
snopoke previously approved these changes Apr 24, 2026
Copy link
Copy Markdown
Contributor

@snopoke snopoke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes. Let's make this even more generic and just link to the main 'hosting' page in the dev docs: https://developers.openchatstudio.com/hosting/

@snopoke snopoke self-requested a review April 24, 2026 13:50
@snopoke snopoke dismissed their stale review April 24, 2026 13:50

didn't mean to approve

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants