{"id":1911,"date":"2025-11-16T16:00:07","date_gmt":"2025-11-16T13:00:07","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/port-acmadan-yayin-nasil-mumkun-cloudflare-tunnel-zero-trust-mtls-ve-accessi-adim-adim\/"},"modified":"2025-11-16T16:00:07","modified_gmt":"2025-11-16T13:00:07","slug":"port-acmadan-yayin-nasil-mumkun-cloudflare-tunnel-zero-trust-mtls-ve-accessi-adim-adim","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/port-acmadan-yayin-nasil-mumkun-cloudflare-tunnel-zero-trust-mtls-ve-accessi-adim-adim\/","title":{"rendered":"How Is Publishing Without Opening a Port Possible? Cloudflare Tunnel, Zero Trust, mTLS and Access Step by Step"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\">\n<h2 id=\"section-1\"><span id=\"Ofiste_Yasanan_Kucuk_Bir_Panik_ve_Port_Acmadan_Yayin_Hayali\">A Small Office Panic and the Dream of Publishing Without Opening a Port<\/span><\/h2>\n<p>Has this ever happened to you? You run a small side-project on the server at home, you want to look at it from outside, and then, between NAT, port forwarding and double NAT in the modem interface, you suddenly find yourself in a maze of network settings. That day at the office I had exactly such a moment. I was going to give a demo, but port 443 was closed, and on top of a dynamic IP there was CGNAT. Try as I might, it wouldn't work. 
That's when it occurred to me: how do I go live without opening a port, without compromising on security, in fact with <strong>tighter security<\/strong>?<\/p>\n<p>There was a name that had been circulating in my ears for a while: <strong>Cloudflare Tunnel<\/strong>. As the name suggests, instead of pulling traffic from the outside in, it set up a secure tunnel from the inside out. So you leave the modem, NAT and port-opening headaches aside. On top of that you can add <strong>Zero Trust<\/strong> rules, <strong>Access<\/strong> policies and, if you want, identity verification with <strong>mTLS<\/strong>. I started down that road that day, and now I want to walk you through it step by step, without forcing anything, with real-life examples. Let's build it together and talk through the settings at our ease; I'll leave a few small tips along the way.<\/p>\n<h2 id=\"section-2\"><span id=\"Cloudflare_Tunnelin_Kafamizdaki_Resmi_Port_Acmadan_Yayin_Ama_Nasil\">Our Mental Picture of Cloudflare Tunnel: Publishing Without Opening a Port, But How?<\/span><\/h2>\n<p>Think of it like this: the machine at your home or office raises its hand, says \"I'm here\" and opens a secure line <em>outbound<\/em>. The far end of that line connects to Cloudflare's edge network. From then on, requests from the world first arrive at Cloudflare and flow inward through the tunnel you opened. In other words you reverse the direction; there is no need to open ports or wrestle with NAT. 
There is no door open to the outside; the connection <strong>starts from inside<\/strong>.<\/p>\n<p>The nice thing about this model is not just that it is practical. Because traffic arrives over Cloudflare's network, you can put additional layers in between, such as <strong>Zero Trust Access<\/strong> rules, <strong>authentication<\/strong> and, if you wish, <strong>device certificates<\/strong>. Instead of the classic \"open door\" approach, you move to a model of \"the door is invisible, only those who are allowed get in\". In short, you combine proxy logic with a tunnel and keep control of the traffic not at the edge but <em>with you<\/em>. And the configuration is simple; we'll set it up together shortly.<\/p>\n<h2 id=\"section-3\"><span id=\"Temel_Kurulum_cloudflared_Tunnel_Olusturma_DNS_ve_Ingress\">Basic Setup: cloudflared, Creating the Tunnel, DNS and Ingress<\/span><\/h2>\n<h3><span id=\"cloudflared_nasil_kurulur\">How do you install cloudflared?<\/span><\/h3>\n<p>The first step is the small helper that will open the tunnel: <strong>cloudflared<\/strong>. On Linux you can simply download and install the package. To keep it quick I prefer the published pre-built package. Check the <a href=\"https:\/\/github.com\/cloudflare\/cloudflared\/releases\" target=\"_blank\" rel=\"nofollow noopener\">cloudflared releases page<\/a> for the latest versions. 
An example installation step looks like this:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">curl -L https:\/\/github.com\/cloudflare\/cloudflared\/releases\/latest\/download\/cloudflared-linux-amd64.deb -o cloudflared.deb\nsudo dpkg -i cloudflared.deb\ncloudflared --version\n<\/code><\/pre>\n<p>Installation done; now we will associate the tunnel with your Cloudflare account. For that, authenticating once is enough.<\/p>\n<h3><span id=\"Cloudflare_hesabina_giris_ve_ilk_tunel\">Logging in to the Cloudflare account and the first tunnel<\/span><\/h3>\n<p>Run the following from the terminal; a browser will open and you will confirm the account:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">cloudflared tunnel login\n<\/code><\/pre>\n<p>After logging in, let's create a new tunnel. Call it \"blog-tunnel\" or \"home-office\", whichever you like.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">cloudflared tunnel create blog-tunnel\n<\/code><\/pre>\n<p>This command produces a <strong>Tunnel ID<\/strong> and a credentials file. It usually lives under <code>~\/.cloudflared\/&lt;TUNNEL_ID&gt;.json<\/code>. Now it's time to describe which domain it will be reached through and where it will flow inside. Let's start with the DNS route:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">cloudflared tunnel route dns blog-tunnel app.example.com\n<\/code><\/pre>\n<h3><span id=\"configyml_ile_Ingress_kurallari\">Ingress rules with config.yml<\/span><\/h3>\n<p>Keeping the tunnel settings in a file makes things much easier. 
You can create the <code>~\/.cloudflared\/config.yml<\/code> file like this:<\/p>\n<pre class=\"language-yaml line-numbers\"><code class=\"language-yaml\">tunnel: &lt;TUNNEL_ID&gt;\ncredentials-file: \/home\/&lt;kullanici&gt;\/.cloudflared\/&lt;TUNNEL_ID&gt;.json\n\ningress:\n  - hostname: app.example.com\n    service: http:\/\/localhost:8080\n  - service: http_status:404\n<\/code><\/pre>\n<p>Here we forward requests for \"app.example.com\" to port 8080 inside. The 404 rule at the end matters; it politely turns away everything that does not match. A small tip: in ingress rules, <strong>ordering<\/strong> is critical. Put the more specific rules at the top and let the general ones sink to the bottom. Otherwise you may get an unexpected match.<\/p>\n<h3><span id=\"Tuneli_ayaga_kaldirma_ve_servis_olarak_calistirma\">Bringing the tunnel up and running it as a service<\/span><\/h3>\n<p>For a test you can run the tunnel directly:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">cloudflared --config ~\/.cloudflared\/config.yml tunnel run\n<\/code><\/pre>\n<p>If everything is fine, turning this into a permanent service is the sweetest part of the job. 
On a server using systemd, an example service unit could look like this:<\/p>\n<pre class=\"language-ini line-numbers\"><code class=\"language-ini\">[Unit]\nDescription=cloudflared Tunnel\n# Wants= is required for After=network-online.target to actually hold the start until the network is up\nWants=network-online.target\nAfter=network-online.target\n\n[Service]\nType=simple\nUser=&lt;kullanici&gt;\n# the .deb package installs the binary under \/usr\/bin; check with: command -v cloudflared\nExecStart=\/usr\/bin\/cloudflared --config \/home\/&lt;kullanici&gt;\/.cloudflared\/config.yml tunnel run\nRestart=always\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\n<\/code><\/pre>\n<p>Save the file as <code>\/etc\/systemd\/system\/cloudflared.service<\/code>, then enable it:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">sudo systemctl daemon-reload\nsudo systemctl enable --now cloudflared\nsudo systemctl status cloudflared\n<\/code><\/pre>\n<p>Now, <strong>without opening a port<\/strong>, you can go to \"app.example.com\" and see your application. But wait, the story doesn't end here. The security layers, who can get in and who can't, and details such as device verification are what make the real difference.<\/p>\n<h2 id=\"section-4\"><span id=\"Zero_Trust_Access_ile_Kapiya_Akil_Koymak\">Putting Brains on the Door with Zero Trust Access<\/span><\/h2>\n<h3><span id=\"Access_uygulamasi_Kimin_girecegini_kibarca_secmek\">Access application: Politely choosing who gets in<\/span><\/h3>\n<p>When you go to the \"Access\" section of Cloudflare's Zero Trust dashboard, you can add a \"Self-hosted\" application to put <strong>authentication<\/strong> and <strong>authorization<\/strong> layers on top of the tunnel. The steps are simple: give the application a name, enter \"app.example.com\" as the domain, then define who may enter under \"Policies\". For example, you can say \"anyone whose e-mail ends in @firma.com\". 
If you like you can enter e-mail addresses one by one, or you can connect your corporate identity provider via OIDC\/SAML.<\/p>\n<p>Another feature I like is <strong>session duration<\/strong> and <strong>refresh behaviour<\/strong>. A short session lets you make sure that the person who logged in is still authorized. If your application needs fine-grained roles, you can define several policies and draw the boundaries step by step. It is possible to make one policy an \"Allow\" and narrow it down with a \"Deny\". Think in layers, but don't overdo it; keeping it readable in the dashboard saves you effort in the long run.<\/p>\n<h3><span id=\"Servis_tokenlari_ve_makineler_arasi_trafik\">Service tokens and machine-to-machine traffic<\/span><\/h3>\n<p>It isn't only about people. A cron job or another service may also want to connect to this application. From the \"Service Auth\" section, generate an <strong>Access Service Token<\/strong> and have these clients add two special headers to their requests: <code>CF-Access-Client-Id<\/code> and <code>CF-Access-Client-Secret<\/code>. That way machines also queue up, show their identity, and only then are let in. Simple but effective.<\/p>\n<h2 id=\"section-5\"><span id=\"mTLS_Iki_Tarafin_Da_Kimligini_Dogruladigi_O_Siki_Tokalasma\">mTLS: That Firm Handshake Where Both Sides Verify Their Identity<\/span><\/h2>\n<p>Now we come to that extra lock: <strong>mTLS<\/strong>, that is, mutual TLS. Normally the browser verifies the server's certificate. In mTLS the server also verifies the <em>client's<\/em> certificate. 
The question \"who am I?\" is not one-sided but mutual. If you are in a somewhat busier environment, or granting access to a critical internal panel, mTLS is a must.<\/p>\n<h3><span id=\"Access_tarafinda_mTLS_sarti_koymak\">Requiring mTLS on the Access side<\/span><\/h3>\n<p>In the Zero Trust dashboard, go to the \"mTLS\" section and create a <strong>client certificate<\/strong>. Then add the \"Require mTLS certificate\" condition to your application's policy in Access. That way the browser (or a device using WARP) has to present its certificate when it approaches the application. To keep management easy, limit certificates to a fixed lifetime and name them consistently so that you can revoke one quickly when needed. For the details and the flow, take a look at the <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/applications\/configure-apps\/self-hosted-apps\/\" target=\"_blank\" rel=\"nofollow noopener\">Access application documentation<\/a>.<\/p>\n<h3><span id=\"Origin_tarafini_gercekten_tani_Authenticated_Origin_Pulls\">Really know the origin side: Authenticated Origin Pulls<\/span><\/h3>\n<p>If you sometimes work with direct edge-to-origin traffic instead of a tunnel, you want to prove that a request arriving from the edge <em>really comes from Cloudflare<\/em>. In that case <strong>Authenticated Origin Pulls<\/strong> is great. The edge presents a dedicated client certificate to the origin, and you say \"nobody else\". 
I covered the topic step by step in our article <a href=\"https:\/\/www.dchost.com\/blog\/origini-korumak-cloudflare-authenticated-origin-pulls-ve-mtls-ile-gercek-kaynak-dogrulamasi\/\" target=\"_blank\">Real source verification with Authenticated Origin Pulls and mTLS<\/a>; if it fits your needs, do have a look.<\/p>\n<p>In the tunnel scenario, cloudflared forwards the traffic to the application inside. If your internal service speaks HTTPS, you can fine-tune how cloudflared connects to it with the <code>originRequest<\/code> settings. In some cases testing with \"noTLSVerify: true\" is practical, but in production I recommend using <strong>a proper origin certificate<\/strong>. Setting the certificate up correctly, together with your mTLS policies, makes a pretty solid door.<\/p>\n<h2 id=\"section-6\"><span id=\"Birden_Fazla_Servis_Tek_Tunel_HTTP_WebSocket_SSH_ve_Daha_Fazlasi\">Multiple Services, One Tunnel: HTTP, WebSocket, SSH and More<\/span><\/h2>\n<p>My favourite thing about the tunnel is this: you can safely carry several services over the same tunnel. Say your web application is on 8080, the API on 9000, and you also have a real-time service that uses WebSockets. Write each of them into the ingress and let them all pass through the same tunnel. 
You don't need to do anything extra for WebSocket; cloudflared carries that too.<\/p>\n<h3><span id=\"Ornek_bir_coklu_ingress\">An example multi-service ingress<\/span><\/h3>\n<pre class=\"language-yaml line-numbers\"><code class=\"language-yaml\">ingress:\n  - hostname: app.example.com\n    service: http:\/\/localhost:8080\n  - hostname: api.example.com\n    service: http:\/\/localhost:9000\n  - hostname: ws.example.com\n    service: http:\/\/localhost:7000\n  - service: http_status:404\n<\/code><\/pre>\n<p>You can think of it as a single <strong>service discovery<\/strong> point for your internal services. One step further, it's also possible to pass connections such as SSH\/RDP through the tunnel. Very practical for the sensitive tools you'd describe as \"self-hosted, but not open to everyone\".<\/p>\n<h3><span id=\"SSHyi_Access_ile_sarmalamak\">Wrapping SSH with Access<\/span><\/h3>\n<p>Reserve a subdomain for SSH and add it to the ingress:<\/p>\n<pre class=\"language-yaml line-numbers\"><code class=\"language-yaml\">- hostname: ssh.example.com\n  service: ssh:\/\/localhost:22\n<\/code><\/pre>\n<p>On the client side, the following stanza in <code>~\/.ssh\/config<\/code> makes connecting child's play:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Host ssh.example.com\n  ProxyCommand \/usr\/local\/bin\/cloudflared access ssh --hostname %h\n  User myuser\n<\/code><\/pre>\n<p>So when you type <code>ssh ssh.example.com<\/code>, Access verifies you first, and then an SSH session is opened through the tunnel. 
There is no port 22 on the outside and you don't touch the firewall, yet you reach the machine inside quite comfortably.<\/p>\n<h2 id=\"section-7\"><span id=\"Sorun_Giderme_Kucuk_Tuzaklar_ve_Tatli_Cozumler\">Troubleshooting: Small Traps and Sweet Solutions<\/span><\/h2>\n<p>On the first setup everything flows like a fairy tale, but sometimes small snags come up. One of the most common is the <strong>ingress order<\/strong>. If you write a more general rule at the top and the specific one below it, you end up staring at the screen wondering \"why 404?\". The solution is simple: specific host rules always go on top.<\/p>\n<p>Another is the <strong>host header<\/strong> expectation of your internal service. Some applications get confused when they see \"Host: localhost:8080\" and want their own domain name. In that case you rewrite the host header to the target domain with <code>originRequest: httpHostHeader<\/code>. Also, 502 errors usually show up when the internal service is down or localhost is on the wrong port. Look at the logs; cloudflared doesn't hide this, it says it plainly.<\/p>\n<p>On the DNS side, if \"app.example.com\" was added automatically, great. Sometimes an old record for the same domain is left over; clean it up from the dashboard. For a solid test, the pair <code>curl -I https:\/\/app.example.com<\/code> and <code>cloudflared tunnel logs<\/code> tells you a lot. 
During development, instead of temporarily loosening Access, add yourself to the \"Allow\" policy; don't leave a forgotten open door behind.<\/p>\n<h2 id=\"section-8\"><span id=\"Guvenligi_Bir_Kademe_Daha_Yukseltmek_Pratik_Oneriler\">Raising Security One More Notch: Practical Suggestions<\/span><\/h2>\n<p>In security, small steps add up. For example, set a <strong>short session<\/strong> duration in Access and avoid the long-lived \"Remember me\" habit. Give mTLS certificates <strong>separate names<\/strong> and split them by project. Being able to target a single certificate when you need to revoke is a great relief. If request bodies are large and go to a load balancer, explore the relevant settings to keep cloudflared's <strong>zlib<\/strong> compression and <strong>HTTP\/2<\/strong> support reasonable; some applications breathe easier thanks to that.<\/p>\n<p>Don't neglect updates. cloudflared receives frequent improvements; even if you don't like automatic updates, put it on a calendar and update monthly. Report on certificate renewals, Access policy changes and, most importantly, who has attempted to log in. Add tags and descriptions so it can be understood at a glance.<\/p>\n<p>Additionally, keeping sensitive variables (tokens, client secrets, mTLS keys) separate from the configuration is a good habit. Leaving secrets to automation rather than handling them by hand in the deployment process both speeds things up and reduces the margin for error. 
Choosing a lightweight and secure toolchain for rotation will spare you headaches in the long run.<\/p>\n<h2 id=\"section-9\"><span id=\"Adim_Adim_Bir_Ornek_Senaryo_Kucuk_Bir_Ic_Uygulamayi_Yayina_Alalim\">A Step-by-Step Example Scenario: Let's Publish a Small Internal Application<\/span><\/h2>\n<p>Let's make it concrete. Say you have a Go application running inside on 8080. Only your team should reach it from outside, and you also want a separate subdomain for the API. With mTLS, only company devices get in, no guests. The roadmap could flow like this:<\/p>\n<p>First you installed cloudflared and logged in. You created the tunnel as \"blog-tunnel\". In <code>config.yml<\/code> you entered 8080 for \"app.example.com\" and 9000 for \"api.example.com\", and put the 404 at the bottom. The DNS route is done. In testing everything is in place and the pages are flowing.<\/p>\n<p>Now you go back to Access and create two applications: one for app.example.com, the other for api.example.com. In both you include e-mails ending in \"@firma.com\". You keep the session duration short, and while experimenting you add yourself and a test account to Allow and watch the logs.<\/p>\n<p>For mTLS you generate device certificates in the Zero Trust dashboard. You distribute these certificates to company devices via a profile and add the \"Require mTLS\" condition to the Access policies. When you try with a guest device and can't even see the login screen, you know you're on the right track. 
Finally you add \"ssh.example.com\" for SSH; only the SRE team may pass, and only if it is in the group visible in Access. Once the SSH config on the client side is touched up, SSH through the tunnel is done as well.<\/p>\n<h2 id=\"section-10\"><span id=\"Dokumantasyon_ve_Kucuk_Pusulalar\">Documentation and Little Compasses<\/span><\/h2>\n<p>There are resources that are nice to keep in the corner of your eye when you set something up for the first time. To see the diagram of the tunnel structure and the possible advanced options, the <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/connections\/connect-apps\/\" target=\"_blank\" rel=\"nofollow noopener\">Cloudflare Tunnel documentation<\/a> is clean and up to date. On the Access side, you'll find policy examples, how group\/rule combinations are handled and the mTLS steps in the <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/applications\/configure-apps\/self-hosted-apps\/\" target=\"_blank\" rel=\"nofollow noopener\">self-hosted application documentation<\/a>. You can also check cloudflared's release notes and the per-platform installation packages on the <a href=\"https:\/\/github.com\/cloudflare\/cloudflared\/releases\" target=\"_blank\" rel=\"nofollow noopener\">releases page<\/a>. If you get confused, no panic; the best learning comes from trying things out in a small test area.<\/p>\n<h2 id=\"section-11\"><span id=\"Kapanis_Port_Acmadan_Yayin_Ama_Kontrol_Hep_Sizde\">Closing: Publishing Without Opening a Port, But Control Always Stays with You<\/span><\/h2>\n<p>Let's wrap up. With Cloudflare Tunnel, instead of opening doors from the outside, you draw a secure path from the inside. 
Putting identity, authorization and session management on top of that path with Zero Trust Access rules is, believe me, very reassuring. Adding two-way verification with mTLS gives you the feeling that \"even if the wrong person comes to the door, they can't step inside\". Setup is simple, maintenance is light, the payoff is big.<\/p>\n<p>A practical tip: start small. First bring a single application out through the tunnel, add Access, then turn on mTLS. Look at the logs at every layer and test within a small team. The part that will serve you most reveals itself over time. And remember, the tunnel isn't just a pipe; combined with the right rules it's actually a smart door. I hope this article helps you go live without opening a port, without wearing yourself out with NAT, but in a <strong>more secure<\/strong> way. 
See you in the next article; if you have questions, I'll be waiting in the comments.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 A Small Office Panic and the Dream of Publishing Without Opening a Port2 Our Mental Picture of Cloudflare Tunnel: Publishing Without Opening a Port, But How?3 Basic Setup: cloudflared, Creating the Tunnel, DNS and Ingress3.1 How do you install cloudflared?3.2 Logging in to the Cloudflare account and the first tunnel3.3 Ingress rules with config.yml3.4 Bringing the tunnel up and running it as a service4 Putting Brains on the Door with Zero Trust Access4.1 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1912,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1911","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1911"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1911\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1912"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}