Applying global access policies to ZT public hostnames
Hi, I have a remote server where I test multiple web services. I use Zero Trust Tunnels and public hostnames to ensure security and ease of management. For each new HTTP service running on the server, I create a public hostname via Zero Trust Tunnel, then create an application to restrict access to myself. This allows safe testing in a browser without configuring firewalls, passwords, etc.
While this workflow works, I'm unsure of its efficiency. For each public hostname, I must create a new application, or else it defaults to being fully public on the internet. Additionally, I need to create the same policies for every application. Is there a way to establish a default or global access policy for the entire domain? Thank you!
2 Replies
The first thing I'd recommend is making an Access group under Access -> Access groups. Have it include your emails or whatever restrictions you want, and you can even make it default. Way cleaner to apply and update. Under each application policy you can then just include the group easily.
You can also use wildcards in the subdomain or path field of a self-hosted application: https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/
You can do it for an entire subdomain like *.secure.example.com (would need ACM to get a cert covering) or partial like www-secure.example.com, phpmyadmin-secure.example.com then using *-secure.example.com to match. That docs link covers it pretty well.
Cloudflare Docs: Application paths | Cloudflare Zero Trust docs
Application paths define the URLs protected by an Access policy. When adding a self-hosted web application to Access, you can choose to protect the entire website by entering its apex domain, or alternatively, protect specific subdomains and paths.
Thank you very much. The wildcards setting in subdomain worked perfectly for me.
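Added example, not part of the thread or of Cloudflare's tooling: a small offline check that lists tunnel public hostnames not matched by any Access application domain, since an unmatched hostname is reachable without a policy. The hostnames and patterns are constructed sample data, and the wildcard rule used here (`*` stands for one or more characters, dots included, hostname only, no paths) is an assumption; the docs page linked above has the exact matching rules.

```python
import re

# Constructed sample data: public hostnames configured on the tunnel and
# the domain patterns of the existing self-hosted Access applications.
SAMPLE_HOSTNAMES = [
    "www-secure.example.com",
    "phpmyadmin-secure.example.com",
    "grafana.secure.example.com",
    "secure.example.com",
    "staging.example.com",
]
SAMPLE_APPS = ["*.secure.example.com", "*-secure.example.com"]


def pattern_to_regex(pattern):
    """Turn an application domain pattern into an anchored regex.

    Assumption: '*' matches one or more characters, including dots.
    """
    literal_parts = [re.escape(part) for part in pattern.lower().split("*")]
    return re.compile(".+".join(literal_parts))


def coverage_report(hostnames, app_patterns):
    """Map each hostname to the list of application patterns that match it."""
    compiled = [(p, pattern_to_regex(p)) for p in app_patterns]
    return {
        host: [p for p, rx in compiled if rx.fullmatch(host.lower())]
        for host in hostnames
    }


def uncovered_hostnames(hostnames, app_patterns):
    """Return, sorted, the hostnames no application pattern matches."""
    report = coverage_report(hostnames, app_patterns)
    return sorted(host for host, matches in report.items() if not matches)


if __name__ == "__main__":
    for host, matches in coverage_report(SAMPLE_HOSTNAMES, SAMPLE_APPS).items():
        status = ", ".join(matches) if matches else "NO ACCESS APPLICATION"
        print(f"{host:35} {status}")
```

With the sample data, secure.example.com and staging.example.com are reported as uncovered: neither wildcard pattern matches the bare parent hostname or a hostname outside the naming scheme.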