Zero Trust application bypass policy not working on local network

Hi there,

I'm trying to setup an application on Zero Trust Access. I created a tunnel, installed the connector on my server, and added a public hostname. That works fine and the status is

Healthy

Healthy

. I then added an application in ZT Access using the same hostname. I added two policies: one allow for emails with a particular domain and a bypass policy for my local network (

192.168.1.0/24

192.168.1.0/24

). I left the last settings page with the defaults and I only have a one-time PIN idP. I enabled Protect with Access on the public hostname in the Cloudflare Tunnel and added a

config.yaml

config.yaml

file on the server that looks something like the following, then restarted

cloudflared

cloudflared

(I'm not sure if this is even right!):

tunnel: my-tunnel-id
originRequest:
  connectTimeout: 30s
  access:
    required: true
    teamName: my-team-name
    audTag:
      - aud1 my-application-aud-tag

ingress:
  - hostname: myapp.example.com
    service: http://localhost
  - service: http_status:404

tunnel: my-tunnel-id
originRequest:
  connectTimeout: 30s
  access:
    required: true
    teamName: my-team-name
    audTag:
      - aud1 my-application-aud-tag

ingress:
  - hostname: myapp.example.com
    service: http://localhost
  - service: http_status:404

When I connect to the domain from another network, I get the App Launcher login page. I can login OK and be taken to the web app. When I connect from the local network using the public hostname (either from the web app server itself or another PC), I also get the login page... I thought the bypass policy would circumvent that and take me directly to the web application itself. If I delete the allow policy, I get a Cloudflare Access HTTP error 403 that shows my public IP. If I add the public IP to the bypass policy, I get a blank HTTP error 403 page. I also tried changing the bypass policy to Service Auth but got a similar result.

Am I missing something?

Thanks!

Scrawny SpiderOP•7/18/23, 9:28 PM

Here's some screenshots to help clarify things:

Tunnel
Tunnel public hostname configuration
Application
Application policies
Bypass policy
Allow policy
Access group based upon email domain
Application identity provider
Origin IP address
Origin
```
config.yaml
```
```
config.yaml
```
file

Scrawny SpiderOP•7/18/23, 9:32 PM

What I see when logging in from the origin server network
What I see when logging in from an external connection

Scrawny SpiderOP•7/19/23, 8:09 PM

Hello @Vero

, are you able to assist? Thank you!

SScrawny Spider Hi there, I'm trying to setup an application on Zero Trust Access. I created a...

Chaika•7/19/23, 8:25 PM

This bypass policy would never work for two reasons:
1: It needs to be Service Auth, not Bypass. Bypass = bypass access flow and return to zone security. When you have access configured in your tunnel to verify the Access JWTs (That you passed through the application), it needs you to go through the access flow. Service Auth lets you go through the flow and get a jwt without an identity.
2: Local IPs just don't make sense in that. You're connecting to Cloudflare Access, which runs on an external server. The 192.168.0.0/16 IP you get assigned via your router, which uses NAT, is being rewritten to the External IP, which is what Cloudflare sees ith your connection. In other words, allow your external ip (https://whatismyipaddress.com/) to bypass, If you have IPv6 make sure to add it as well
Edit: Opps, I see you provided a bit more info at the end as well

If I delete the allow policy, I get a Cloudflare Access HTTP error 403 that shows my public IP.

you're not matching the conditions for the bypass policy

If I add the public IP to the bypass policy, I get a blank HTTP error 403 page.

Hitting the no JWT/bypass issue

I also tried changing the bypass policy to Service Auth but got a similar result.

Probably didn't whitelist both your IPv4 and your IPv6? That would be more interesting if it's still failing. Keep in mind Access has a bit of cache with these things, I would test in incognito after you change it to Service Auth and allow your IPs.

Chaika•7/19/23, 8:26 PM

You also don't need both a config.yaml and to configure it in the dashboard. If your tunnel is set up in the dashboard, you add public hostnames to it and such, that's the source of the configuration, your config.yaml would just be ignored. It's one or the other

Scrawny SpiderOP•7/20/23, 3:50 AM

@chaika.me thank you for the clarification. Changing the IP range to the external IP and the policy to Service Auth allowed things to work. I read the access policy doc (https://developers.cloudflare.com/cloudflare-one/policies/access/#bypass) and misinterpreted the bypass example as what I was trying to achieve but I think you explained it better!

Access policies · Cloudflare Zero Trust docs

Cloudflare Access determines who can reach your application by applying the Access policies you configure.