Cloudflare + Tailscale Setup

RetailOS menggunakan Tailscale VPN untuk koneksi aman antara toko dan cloud, serta Cloudflare untuk melindungi portal web dari serangan internet.

Arsitektur Keamanan Jaringan

Tailscale Setup

Install (`03-tailscale-cloudflare.sh`)

bash

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Start dengan SSH support
tailscale up --ssh --accept-routes

Approve di Admin Console

Setelah tailscale up, approve mesin di login.tailscale.com/admin/machines.

ACL Configuration

Konfigurasi ACL di Tailscale admin console untuk mengontrol akses antar node:

json

{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:store"],
      "dst": ["tag:cloud:8090"]
    },
    {
      "action": "accept",
      "src": ["tag:cloud"],
      "dst": ["tag:store:8081"]
    },
    {
      "action": "accept",
      "src": ["tag:dc"],
      "dst": ["tag:cloud:8090"]
    },
    {
      "action": "accept",
      "src": ["tag:admin"],
      "dst": ["*:*"]
    }
  ],
  "tagOwners": {
    "tag:store": ["admin@retailos.id"],
    "tag:cloud": ["admin@retailos.id"],
    "tag:dc": ["admin@retailos.id"],
    "tag:admin": ["admin@retailos.id"]
  }
}

Keuntungan Tailscale

Fitur	Benefit
Zero-config	Tidak perlu port forwarding atau static IP
WireGuard	Enkripsi cepat (kernel-level)
Mesh network	Node-to-node langsung tanpa relay
MagicDNS	DNS otomatis: `store-001.tail12345.ts.net`
SSH	SSH via Tailscale tanpa expose port ke internet
ACL	Kontrol akses granular per tag/user

Cloudflare Setup

DNS Configuration

Record	Type	Value	Proxy
`retailos.id`	A	Server IP	Proxied
`ho.retailos.id`	CNAME	`retailos.id`	Proxied
`store.retailos.id`	CNAME	`retailos.id`	Proxied
`hr.retailos.id`	CNAME	`retailos.id`	Proxied
`api.retailos.id`	CNAME	`retailos.id`	Proxied
`docs.retailos.id`	CNAME	`retailos.id`	Proxied

UFW Firewall Rules

Script 03-tailscale-cloudflare.sh mengunci firewall agar hanya menerima traffic dari Cloudflare dan Tailscale:

bash

# Reset UFW
ufw --force reset

# Allow dari Cloudflare IPs saja (HTTP/HTTPS)
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
  ufw allow from $ip to any port 80,443 proto tcp
done

# Allow SSH dari Tailscale subnet saja
ufw allow from 100.64.0.0/10 to any port 2222 proto tcp

# Allow localhost (internal services)
ufw allow from 127.0.0.1

# Default deny
ufw default deny incoming
ufw default allow outgoing
ufw --force enable

Cloudflare WAF Rules

Rule	Action	Deskripsi
Block known bots	Block	User-agent blocklist
Rate limit API	Rate limit (100/min)	Prevent API abuse
Block non-ID countries	Challenge	Optional geo-restriction
SQL injection	Block	OWASP Core Rules
XSS	Block	OWASP Core Rules

SSL/TLS

Mode: Full (strict) -- Cloudflare validates origin certificate
Origin Certificate: Generated dari Cloudflare dashboard, installed di Nginx
Minimum TLS: 1.2
HSTS: Enabled (1 year)

Hasil Akhir

Setelah setup selesai:

Portal web hanya bisa diakses via Cloudflare (DDoS + WAF protected)
SSH hanya bisa via Tailscale VPN (100.x.x.x network)
Store Router sync via Tailscale (encrypted, no port forwarding)
Direct IP access ke server di-block oleh UFW
Internal ports (8090, 5432) hanya listen di localhost

Cloudflare + Tailscale Setup ​

Arsitektur Keamanan Jaringan ​

Tailscale Setup ​

Install (03-tailscale-cloudflare.sh) ​

Approve di Admin Console ​

ACL Configuration ​

Keuntungan Tailscale ​

Cloudflare Setup ​

DNS Configuration ​

UFW Firewall Rules ​

Cloudflare WAF Rules ​

SSL/TLS ​

Hasil Akhir ​