Chaika
Cloudflare Developers
•Created by gristleking on 1/18/2025 in #general-help
Restricting routes to local Grafana public dashboard
I more meant no identity provider login, but you can have Service Auth rule including Everyone
56 replies
Sure
The action types are the most confusing aspect to people I think
Allow = Always go through Identity Provider. Even if you set it to include: Everyone, they still need to go through something providing them an identity to proceed
Bypass = Bypass all Zero Trust stuff, go back to zone/website level security (waf, etc)
Service Auth = Go through Zero Trust w/ no identity
If you enable "Protect with Access" on the tunnel, only Allow and Service Auth provide the JWT/magic stuff for it to work. If you enable "Protect with Access" and have a bypass rule, they'll just be blocked by the tunnel
Access is powered by Workers KV, so some understandable propagation/cache delay
yea it can take a bit, maybe ~60s or so? Plus I believe there's some browser caching on the access redirects
and so if you took the current one, and modified it to be * for path, and then made another self hosted app w/ https://discord.com/channels/595317990191398933/1330066393764331580/1330291419751125063 and a single Bypass Everyone policy, and give it a second to propagate
what are the access apps you have currently? just one for /login?
Remove the path on that public hostname (route), it's not doing anything other than making some things fail, should just show as (optional) path once you remove it fully
that's different subdomain though, right?
hmm, you have another public hostname (what you call Routes) on that tunnel for this subdomain?
hmm, the way you word that is interesting, what do you mean "Route"? None of the access app's terminology is route
hmmm, I'd make sure you're testing that from incognito mode/another browser too, you might be already logged in
hmm, what do you mean by setting the route to that?
Essentially what you're doing is:
Bypass: /public*, /public-dashboards*, /api/public*
Redirect to auth, Allow: grafana.domain.com/*
/d*, wouldn't match any of the bypass ones, so it'd match the less specific general wildcard which requires auth
The action on the second one should be Bypass, shouldn't get any login at all if it's set up right.
Just protecting /login should prevent any login attempts since they just POST to /login but wouldn't protect Grafana's full api and such, eh, still exposing it to a degree anyway with public dashboards, just means you're trusting exposing their non-public api a bit more