Access Policy Not Applying to Websites with "www"

What is the name of the domain?

example.com

What is the issue you’re encountering

Access policies do not apply to websites with “www.” For example, in W Access > Applications, I added example.com/mypanel/ and it asks for login through Access, but visiting www.example.com/mypanel/ does not prompt for login.

Either add www.example.com as another domain for that application, add it as another access application, or redirect example.com to www.example.com using Cloudflare as here…

www.example.com is already redirected to example.com:

curl -I -L www.example.com

HTTP/1.1 301 Moved Permanently
Date: Fri, 10 Jan 2025 10:45:50 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Location: https://example.com/

On mypanel, hidden via Access:

curl -I -L www.example.com/mypanel/

HTTP/1.1 301 Moved Permanently
Date: Fri, 10 Jan 2025 10:48:09 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Location: https://www.example.com/mypanel/
CF-Cache-Status: DYNAMIC
(...)
Server: cloudflare
CF-RAY: 8ffc17d0fd983631-FRA
alt-svc: h3=":443"; ma=86400
(...)

HTTP/2 302 
date: Fri, 10 Jan 2025 10:48:09 GMT
content-type: text/html; charset=utf-8
location: index.php?controller=AdminLogin&token=xxxxxxx

Yes, I can also add www in one rule in Access, but it’s important to remember that, and today, few people remember that www was ever used.

In my opinion, this is a mistake by design, as this is a security service.

Your redirect from www to the apex domain is not being done on Cloudflare. Better to implement it on Cloudflare so it doesn’t involve your origin at all. If you are redirecting, then there’s no problem as requests for example.com will be redirected to www.example.com which is protected.

If you’re asking that example.com automatically protects www.example.com, not everyone would want that. If you want it protected, then add it as a protected domain.

If you don’t want www at all, remove it from the DNS.

2 Likes
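
Added example, not part of the thread and not Cloudflare's code: a Python check that reads saved `curl -I -L` output for each hostname that resolves to the site and reports whether the redirect chain ever reached an Access login page. The `cloudflareaccess.com` login URL pattern is an assumption about how Access redirects unauthenticated requests, `team-placeholder` and the apex capture are constructed, and the www capture is abridged from the output posted above.

```python
import re
from urllib.parse import urlsplit

# Assumption: Access sends unauthenticated requests to a login URL on the
# team domain, <team>.cloudflareaccess.com/cdn-cgi/access/login/...
ACCESS_SUFFIX = ".cloudflareaccess.com"
ACCESS_LOGIN_PATH = "/cdn-cgi/access/login"

# From the thread (abridged): www reaches the origin's own login page.
WWW_CAPTURE = """\
HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/mypanel/

HTTP/2 302
location: index.php?controller=AdminLogin&token=xxxxxxx
"""

# Constructed: response for the apex hostname covered by the Access application.
APEX_CAPTURE = """\
HTTP/2 302
location: https://team-placeholder.cloudflareaccess.com/cdn-cgi/access/login/example.com?redirect_url=%2Fmypanel%2F
"""

def parse_hops(curl_output):
    """Return one (status, location) tuple per response in `curl -I -L` output."""
    hops = []
    for line in curl_output.splitlines():
        line = line.strip()
        status = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if status:
            hops.append([int(status.group(1)), None])
        elif hops and line.lower().startswith("location:"):
            hops[-1][1] = line.split(":", 1)[1].strip()
    return [tuple(hop) for hop in hops]

def is_access_login(location):
    """True if a Location value points at an Access login page."""
    parts = urlsplit(location or "")
    host = (parts.hostname or "").lower()
    return host.endswith(ACCESS_SUFFIX) and parts.path.startswith(ACCESS_LOGIN_PATH)

def audit(captures):
    """Map each hostname to True if its redirect chain passed through Access."""
    return {host: any(is_access_login(loc) for _, loc in parse_hops(out))
            for host, out in captures.items()}

if __name__ == "__main__":
    for host, gated in audit({"example.com": APEX_CAPTURE, "www.example.com": WWW_CAPTURE}).items():
        print(f"{host}: {'Access login' if gated else 'NOT gated by Access'}")
```

Feeding it one capture per DNS record that points at the origin shows which hostnames still need to be added to the Access application, redirected on Cloudflare, or removed from DNS.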
