Help Needed with Cloudflare Zero Trust, Pages, and Workers for ReactFlux + MiniFlux Setup

Hi everyone,

I'm new to Cloudflare and have been trying to set up a self-hosted project on my Raspberry Pi 500. I'm mostly self-taught, so I apologize if I misunderstand anything or miss important details. Here's my situation:

**Current Setup**:
- I'm running the self-hosted RSS feed reader MiniFlux on my Raspberry Pi 500 (Arch Linux ARM, installed via Pacman).
- The setup uses Caddy as a reverse proxy, a Cloudflare Zero Trust tunnel, and Cloudflare Access for SSO.
- My Cloudflare Access application is configured to allow all origins, methods, and headers. It has a policy that allows specific emails or login methods (e.g., GitHub).
**What I'm Trying to Do**:
- I want to deploy ReactFlux, an alternative frontend for MiniFlux, on Cloudflare Pages.
- Before setting it up fully, I tested the ReactFlux demo with my MiniFlux instance at
```
https://rss.laniecarmelo.tech
```
```
https://rss.laniecarmelo.tech
```
  . However, ReactFlux couldn't log in.
**Suspected Issue**:
- I believe the issue is caused by Cloudflare Access protection blocking ReactFlux from accessing the MiniFlux API (
```
https://rss.laniecarmelo.tech/v1/*
```
```
https://rss.laniecarmelo.tech/v1/*
```
  ).
**What I've Tried So Far**:
- I added another hostname (
```
rss.laniecarmelo.tech/v1/*
```
```
rss.laniecarmelo.tech/v1/*
```
  ) to my tunnel configuration and created a new Cloudflare Access application with a policy set to "Bypass" for everyone. However, this didn't work—when testing the API endpoint in a private browser window, I'm still asked to sign into Cloudflare.
- I also tried setting up the hostname with "Protect with Access" turned off but got the same results.
- Next, I attempted to use a Cloudflare Worker written in JavaScript to bypass authentication for
```
/v1/*
```
```
/v1/*
```
  , but it doesn't seem to be doing anything (or isn't being triggered).
**What I Need Help With**:
- How can I properly configure Cloudflare so ReactFlux can access the MiniFlux API (
```
/v1/*
```
```
/v1/*
```
  ) while keeping the rest of my MiniFlux instance protected by Cloudflare Access?
- I've been stuck on this for a couple of days and would really appreciate any guidance or suggestions!

Thanks in advance for your help!

ReactFlux

A Simple but Powerful RSS Reader for Miniflux

Laudian•2/14/25, 7:18 AM

Have you actually confirmed that the problem is due to Access and not something else? Is your Access configuration as described still active?

LLanie Hi everyone, I'm new to Cloudflare and have been trying to set up a self-host...

Laudian•2/14/25, 7:35 AM

Also, is your 2nd Application for the v1 path still active?

LLaudian Also, is your 2nd Application for the v1 path still active?

LanieOP•2/15/25, 3:45 AM

I've confirmed it's due to access. My Caddy configuration and MiniFlux setup seem to be set up correctly, and MiniFlux is accessible both locally and at rss.laniecarmelo.tech, but no matter what I do, I either still get asked to sign into Cloudflare Access when visiting the API endpoint, or the whole MiniFlux subdomain gets where I get a 403 error when I try to visit it. Right now, I have one MiniFlux application with both rss.laniecarmelo.tech/v1/* and rss.laniecarmelo.tech/* added as paths, and two policies, one for API access set to allow everyone and one for personal access set to allow only certain emails or login methods. I tried bypass for the API policy but that locked the whole site behind a 403 error.

LLanie I've confirmed it's due to access. My Caddy configuration and MiniFlux setup see...

Laudian•2/15/25, 4:48 AM

What you want are 2 Access Applications. One for with your normal policy.

Then a 2nd application for with path and a Bypass everyone policy.

See here:
test.laudian.de/blockedbyaccess
test.laudian.de/blockedbyaccess/butnotthis

Laudian•2/15/25, 4:49 AM

Laudian•2/15/25, 4:50 AM

LLaudian What you want are 2 Access Applications. One for `rss.example.com` with your nor...

LanieOP•2/15/25, 9:13 AM

I'm blind, so I can't see the pictures you posted, but I changed it so there are two access applications. The main one seems to be working correctly, but the one for the API with bypass and include everyone doesn't. I get a 403 error saying I don't have the rights to visit the page when I go there.

LLanie I'm blind, so I can't see the pictures you posted, but I changed it so there are...

Laudian•2/15/25, 9:22 AM

The 403 is coming from your backend, not from Cloudflare.

LLaudian The 403 is coming from your backend, not from Cloudflare.

LanieOP•2/15/25, 2:32 PM

I've done some more testing, and I'm seeing this in my logs:
Feb 15 07:13:08 stormux cloudflared[82971]: 2025-02-15T13:13:08Z DBG GET https://rss.laniecarmelo.tech/v1/me HTTP/1.1 connIndex=0 content-length=0 event=1 headers={"Accept":["/"],"Accept-Encoding":["gzip, br"],"Cdn-Loop":["cloudflare; loops=1; subreqs=1"],"Cf-Connecting-Ip":["69.58.156.77"],"Cf-Ew-Via":["15"],"Cf-Ipcountry":["US"],"Cf-Ray":["91258db235f1e91a-DFW"],"Cf-Visitor":["{"scheme":"https"}"],"Cf-Warp-Tag-Id":["a5f2c6fb-dd1f-48f1-9f88-103234cf5e1b"],"Cf-Worker":["laniecarmelo.tech"],"User-Agent":["curl/8.11.1"],"X-Auth-Token":["8FpW9eQWJv75j5ZM6lzBPZjqQFI_G_O6WgqZ1gy9JxI="],"X-Forwarded-For":["69.58.156.77"],"X-Forwarded-Proto":["https"]} host=rss.laniecarmelo.tech ingressRule=7 originService=http://192.168.1.137:80 path=/v1/me
Feb 15 07:13:08 stormux cloudflared[82971]: 2025-02-15T13:13:08Z ERR error="request filtered by middleware handler (AccessJWTValidator) due to: no access token in request" connIndex=0 event=1 ingressRule=7 originService=http://192.168.1.137:80
I'm not sure how to fix this. I already configured Caddy to forward headers.

LLanie I've done some more testing, and I'm seeing this in my logs: Feb 15 07:13:08 sto...

LanieOP•2/15/25, 4:30 PM

I followed the directions here but still no luck: https://community.cloudflare.com/t/access-policy-to-bypass-auth-requirements-for-specific-subpath/455603

LLanie I followed the directions here but still no luck: https://community.cloudflare.c...

LanieOP•2/17/25, 7:45 AM

Wound up switching back to having Caddy get certificates and using Authelia for SSO because Cloudflare was too hard to get working.