Access: Bypass for single IP not working

I am quite lost right now with setting up Cloudflare Access policies for letting a single IP bypass the login screen.

A short overview of what I’ve done:

  • I set up Access for my home network, Tunnel is set up and working correctly.
  • Added multiple hostnames to the Tunnel and added applications for the corresponding subdomains.
  • Accessing the applications works flawlessly, login is bypassed when using WARP, otherwise
  • Even Service Token authorization is working. When adding the credentials to a request, login is bypassed as expected.

Now comes the part that is not working:

I added a policy for two applications which should allow a single IP (that of my web server) to bypass authorization.
The policy is set up using the official Policies guide, which actually uses unblocking an IP as the primary example. That IP is also added to the global allowed IPs in the WAF.

  • When accessing the app with a Service Token, I can bypass the login, but that’s not an option.
  • When accessing the application without anything, I get the login page, which is not what I expect.

Here’s a screenshot of one of the applications:

I have no idea what I’m doing wrong. It’s not that complicated and according to the documentation, it should work. I just tested this with the office IP at work, and it leads to the same results, so I guess it’s not an issue with my server. :confused:

For all others with the same problem: double, triple check if you are really using the correct IP address. In my case the server communicated via its IPv6 IP address, instead of the v4 one as I thought initially. As soon as I added the v6 IP it worked.

I have my BYPASS policy at the top. Though if your Service Auth is working, then maybe order doesn’t matter.

My home also runs IPv6, so I’ve had to add IPv6 ranges as well.
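
An added example, not part of the thread or of Cloudflare's documentation: an offline check of whether an observed source address falls inside the IP ranges entered in a Bypass policy, which reports the IPv4/IPv6 mismatch described above. The function name, the policy list and every address (documentation ranges) are constructed for illustration.

```python
import ipaddress


def explain_bypass(source_ip, policy_ranges):
    """Return (matched, reason) for one observed source address.

    policy_ranges is the list of IPs/CIDRs typed into the Bypass policy.
    """
    addr = ipaddress.ip_address(source_ip)
    # Dual-stack listeners can log IPv4 clients as ::ffff:a.b.c.d;
    # compare those as the IPv4 address they carry.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # strict=False accepts entries with host bits set; a bare IP becomes /32 or /128.
    nets = [ipaddress.ip_network(r, strict=False) for r in policy_ranges]
    for net in nets:
        if net.version == addr.version and addr in net:
            return True, f"{addr} is inside {net}"

    families = sorted({n.version for n in nets})
    if addr.version not in families:
        listed = "/".join(f"IPv{v}" for v in families)
        return False, (f"{addr} is IPv{addr.version}, "
                       f"but the policy lists only {listed} ranges")
    return False, f"{addr} matches no listed range"


if __name__ == "__main__":
    # Constructed sample: a policy holding only the server's IPv4 address.
    policy = ["203.0.113.10"]
    # Constructed sample: addresses the same server might actually egress from.
    observed = [
        "203.0.113.10",         # IPv4 egress
        "2001:db8:10::5",       # IPv6 egress (the case from the thread)
        "::ffff:203.0.113.10",  # IPv4-mapped form seen in some logs
        "198.51.100.7",         # unrelated IPv4 address
    ]
    for ip in observed:
        matched, reason = explain_bypass(ip, policy)
        print(f"{'BYPASS' if matched else 'LOGIN '}  {ip:22} {reason}")
```

Feed it the address the request really arrives from (as seen by the remote side), not the one you assume the server uses.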