Using Clouflare Access rules for application on wildcard domain relying on REST API
We are using Cloudflare Access to control who has access to our staging environment. We use a simple Google Auth to identify users on our team.
The policy defined is like this for URL *.mydomain.com:
- include email ending
@myteam.com
The issue is that on the URL in question we're using a wildcard because we have various apps running like:
dashboard.mydomain.comclient.mydomain.com
And that causes a problem when say one app is communicating with the other via a REST API. The requests made from client.mydomain.com to dashboard.mydomain.com/api are being held up by Cloudflare, ie. redirecting to the auth page.
I've tried add another policy for dashboard.mydomain.com/api and allow EVERYONE (just to try out) and it didn't work:
Is my idea of how to set this up correct?
Your configuration looks alright, I believe what is probably happening is the authentication (cookie) isn't being passed to your second subdomain during the API request. This can usually be traced back to a CORS issue.
https://developers.cloudflare.com/cloudflare-one/policies/zero-trust/cors/
Specifically, your API subdomain may not have the Access-Control-Allow-Credentials properly set to allow sending cookies. Before enabling, you'll want to ensure you'll also want to ensure the other CORS headers are properly setup to restrict which sites can allow requests (reduce risk of XSS attack now that you are allowing authenticated requests).
- Extract ip and uag from Cloudflare cdn-cgi/trace text result using regex in JS
- Why my amp site with amp-facebook-comments not show?
- R2: Setting CORS policy with different methods per allowed-origins
- Should I share my website's SSL private key with CloudFlare to use its CDN service?
- Install Cloudflare warp cli in ubuntu 23.04 or any non LTS versions have issues
- How to click on "Verify you are human" checkbox challenge by cloudflare using Selenium
- Coolify with CloudFlared & SSL/TLS HTTPS
- How to exclude a folder in Cloudflare deployment
- Cloudflare R2 to move data across AWS regions
- Why doesn't CopyObject for CloudFlare R2 not work with the AWS SDK for .NET?
- Website always returning a <Response 403>
- Terraform Module for multiple rules in Cloudflare ruleset
- How to clone an existing Cloudflare Worker
- PDF from website looks garbled on browser, but opens after downloading
- Detecting if we are running in dev mode or in production mode in CloudFlare Worker
- Why can't I go to sign in page to Gitlab.com from Browser?
- How to use google cloud load balance with cloudflare DNS proxy
- Cloudflare API defaults the proxied parameter to false
- Equivalent alternative to Whitelisting Twilio requests in CloudFlare
- Astro site on Cloudflare Pages intermittent ReferenceError
- You are not authorized to view this object, Django + Cloudflare R2
- How can I get the age of the cache using the API?
- Type name 'serializeObject' does not exist in the type 'JsonConvert'
- 307 Temporary Redirect not work nginx 1.18
- Blazor server app not working when deployed, works fine in Visual Studio
- Why doesn't certbot-dns-cloudflare plugin install under aws linux
- Why do I get a malformed JSON in request body in this cURL call?
- How to user KV in cloudflare workers?
- Why does having a www CNAME in Cloudflare does not work and return Error 523
- How to bypass Cloudflare bot protection in selenium