Access: Bypass rule by URL

Feedback Feature Request Submitting & Feedback
1

Hi,

Currently, there isn’t an option to Bypass based on URL. This would avoid having to create an ‘application’ for each URL that needs to be bypassed.

Examples:

  1. Static image files that are hot-linked.
  2. /.wellknown urls. E.g.: Let’s Encrypt
  3. Apps/APIs that don’t support this type of external authentication, e.g.: Bitwarden Mobile Apps, which accesses a /api url to authenticate and access the data.

Thanks,

2

Another example is putting WordPress Admin Dashboard behind Cloudflare Access, whereby:
/wp-admin => Needs to be behind Cloudflare Access

However, the following URLs need to be excluded:
/wp-admin/admin-ajax.php => Used in some front-end form submissions
wp-admin/css/ => Used to load/format the login page for all users (including non-admins)

Currently, the only way to achieve the above is by creating 3 different applications!

3

Following. Having the same issue. Firewall rules are easier for now than Access.

1 Like
4

hey :wave:
That unfortunately is not possible, at the moment :slight_smile:
We hope to make this better and easier on Q2!

2 Likes
5

Thank you @stefano1, good to know that it’s finally in the pipeline! Would really help clean up the applications list that we currently have.

Any roadmap that we could refer to for updates?

Thank you

6

Hi @stefano1
Any news about an ability to bypass a URL from Cloudflare Access?

Thanks

7

Hiya,

Kindly update on anything further with regards to this please, as we’re already on Q3 now :blush:

Thank you

8

Not sure this is the same issue, I have Pages preview builds protected by Access, which works great, though I’d like to get a specific path to be excluded/bypassed but I can’t get this working.

I created a 2nd app, same domain just added a path and tried to bypass Everyone or ideally only specific IPs but none of those work as I could never access those without being redirected to Access auth page.

Am I doing something wrong? Or is this the same issue? From some forum posts about how to bypass webhook paths it seemed that others have got it working tho no-one really shared exact steps :confused: Also asked in Discord though never really got an answer.

For now I have a separate Worker for the webhook which is sub-optimal as this complicating DX a lot, especially local dev & having separate environments :grimacing:

UPDATE: got it working, steps in Multiple access policies for a single application - Application Paths · Cloudflare Access docs - #9 by CanRau