Zero Trust application bypass policy not working on local network
Hi there,
I'm trying to set up an application on Zero Trust Access. I created a tunnel, installed the connector on my server, and added a public hostname. That works fine and the status is Healthy. I then added an application in ZT Access using the same hostname. I added two policies: one allow for emails with a particular domain and a bypass policy for my local network (192.168.1.0/24). I left the last settings page with the defaults and I only have a one-time PIN IdP. I enabled Protect with Access on the public hostname in the Cloudflare Tunnel and added a config.yaml file on the server that looks something like the following, then restarted cloudflared (I'm not sure if this is even right!):
When I connect to the domain from another network, I get the App Launcher login page. I can login OK and be taken to the web app. When I connect from the local network using the public hostname (either from the web app server itself or another PC), I also get the login page... I thought the bypass policy would circumvent that and take me directly to the web application itself. If I delete the allow policy, I get a Cloudflare Access HTTP error 403 that shows my public IP. If I add the public IP to the bypass policy, I get a blank HTTP error 403 page. I also tried changing the bypass policy to Service Auth but got a similar result.
Am I missing something?
Thanks!
Here are some screenshots to help clarify things:
1. Tunnel
2. Tunnel public hostname configuration
3. Application
4. Application policies
5. Bypass policy
6. Allow policy
7. Access group based upon email domain
8. Application identity provider
9. Origin IP address
10. Origin config.yaml file
11. What I see when logging in from the origin server network
12. What I see when logging in from an external connection
Hello @Vero, are you able to assist? Thank you!
This bypass policy would never work for two reasons:
1. It needs to be Service Auth, not Bypass. Bypass = bypass the Access flow and return to zone security. When you have Access configured in your tunnel to verify the Access JWTs (that you passed through the application), it needs you to go through the Access flow. Service Auth lets you go through the flow and get a JWT without an identity.
2. Local IPs just don't make sense in that. You're connecting to Cloudflare Access, which runs on an external server. The 192.168.0.0/16 IP you get assigned via your router, which uses NAT, is being rewritten to the external IP, which is what Cloudflare sees with your connection. In other words, allow your external IP (https://whatismyipaddress.com/) to bypass. If you have IPv6, make sure to add it as well.
Edit: Oops, I see you provided a bit more info at the end as well.
> If I delete the allow policy, I get a Cloudflare Access HTTP error 403 that shows my public IP.
You're not matching the conditions for the bypass policy.
> If I add the public IP to the bypass policy, I get a blank HTTP error 403 page.
Hitting the no-JWT/bypass issue.
> I also tried changing the bypass policy to Service Auth but got a similar result.
Probably didn't whitelist both your IPv4 and your IPv6? That would be more interesting if it's still failing. Keep in mind Access has a bit of cache with these things; I would test in incognito after you change it to Service Auth and allow your IPs.
You also don't need both a config.yaml and the dashboard configuration. If your tunnel is set up in the dashboard, you add public hostnames to it and such, that's the source of the configuration; your config.yaml would just be ignored. It's one or the other.
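The decision logic described in the reply above, as an added worked example (this is not Cloudflare's code and not anything posted in the thread): a small model of Access policy evaluation that reproduces each outcome the original poster saw. The policy ordering (Bypass and Service Auth checked before Allow), the JWT claim names, and the IP addresses are assumptions chosen for illustration; the sample requests are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example: a simplified model of the Access decisions discussed in this
# thread. It is NOT Cloudflare's implementation. The evaluation order, the JWT
# claim names and every IP address below are assumptions for illustration.


@dataclass
class Policy:
    name: str
    action: str                                        # "bypass", "service_auth" or "allow"
    ip_ranges: list = field(default_factory=list)      # include rule: IP ranges (CIDR)
    email_domains: list = field(default_factory=list)  # include rule: email domain


@dataclass
class Request:
    source_ip: str               # the address Cloudflare sees: the public IP after NAT
    email: Optional[str] = None  # identity after the login flow; None before login


def policy_matches(policy: Policy, req: Request) -> bool:
    """Any include rule matching is enough (OR semantics within one policy)."""
    addr = ipaddress.ip_address(req.source_ip)
    # An IPv6 client never matches an IPv4 range (and vice versa): list both families.
    if any(addr in ipaddress.ip_network(c, strict=False) for c in policy.ip_ranges):
        return True
    if req.email and "@" in req.email:
        domain = req.email.rsplit("@", 1)[1].lower()
        return domain in {d.lower() for d in policy.email_domains}
    return False


def evaluate(policies, req: Request, origin_checks_jwt: bool):
    """Return (edge_result, origin_result).

    edge_result:   "login_page", "403_public_ip" or "pass"
    origin_result: "app", "403_blank" (origin wanted a JWT, none was minted) or None
    As explained in the reply: Bypass skips the Access flow and mints no JWT,
    Service Auth passes the flow with a JWT carrying no user identity, and Allow
    mints a JWT for the logged-in identity. Assumption: Bypass/Service Auth are
    evaluated before Allow.
    """
    jwt = None
    matched = None
    for p in policies:
        if p.action in ("bypass", "service_auth") and policy_matches(p, req):
            matched = p
            if p.action == "service_auth":
                jwt = {"common_name": "service-auth", "email": ""}  # no user identity
            break
    if matched is None:
        allows = [p for p in policies if p.action == "allow"]
        if allows and req.email is None:
            return "login_page", None     # identity needed before Allow can be evaluated
        matched = next((p for p in allows if policy_matches(p, req)), None)
        if matched is None:
            return "403_public_ip", None  # Access error page showing the IP it evaluated
        jwt = {"email": req.email}
    if origin_checks_jwt and jwt is None:
        return "pass", "403_blank"        # origin rejected: no Cf-Access-Jwt-Assertion header
    return "pass", "app"


# Constructed sample data. 203.0.113.7 stands in for the home network's public IP.
PUBLIC_IP = "203.0.113.7"
LAN_BYPASS = Policy("lan", "bypass", ip_ranges=["192.168.1.0/24"])
ALLOW_DOMAIN = Policy("staff", "allow", email_domains=["example.com"])
HOME_BYPASS = Policy("home", "bypass", ip_ranges=[PUBLIC_IP + "/32"])
HOME_SVC = Policy("home", "service_auth", ip_ranges=[PUBLIC_IP + "/32"])


def scenarios():
    """Each entry mirrors one attempt from the thread, with the origin checking JWTs."""
    lan = Request(PUBLIC_IP)  # browsing from 192.168.1.x, but NAT rewrites the source
    return {
        "lan_bypass_plus_allow": evaluate([LAN_BYPASS, ALLOW_DOMAIN], lan, True),
        "lan_bypass_only": evaluate([LAN_BYPASS], lan, True),
        "public_ip_bypass": evaluate([HOME_BYPASS], lan, True),
        "public_ip_service_auth": evaluate([HOME_SVC], lan, True),
        "ipv6_not_listed": evaluate([HOME_SVC], Request("2001:db8::10"), True),
        "external_login": evaluate([LAN_BYPASS, ALLOW_DOMAIN],
                                   Request("198.51.100.9", email="bob@example.com"), True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} edge={result[0]:14s} origin={result[1]}")
```

The two rows worth comparing are `public_ip_bypass` (edge passes, origin returns the blank 403 because no JWT exists to present) and `public_ip_service_auth` (a JWT with no identity is minted and the origin accepts it), which is exactly the fix the thread arrives at. The `ipv6_not_listed` row shows why a client that reaches Cloudflare over IPv6 falls through when only the IPv4 address is in the policy.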
@chaika.me thank you for the clarification. Changing the IP range to the external IP and the policy to Service Auth allowed things to work. I read the access policy doc (https://developers.cloudflare.com/cloudflare-one/policies/access/#bypass) and misinterpreted the bypass example as what I was trying to achieve, but I think you explained it better!