I have an existing site exposed through a Cloudflare Tunnel with an Access policy that restricts access to specific users and countries for site.example.com.
This works fine.
I want to create another Access Policy for site.example.com/status/* and make it accessible to the world with no auth.
I tried setting up an Application that targets that URL with an Access Policy of Bypass, but I then get an error in cloudflared: "request filtered by middleware handler (AccessJWTValidator) due to: no access token in request"
Is there any way to have Access allow all sources for a specific subdomain, but still pass valid credentials to cloudflared?
I have this exact issue! I am getting that error and when attempting to load on a device with the working bypass I have nothing but a blank white screen. I am also searching for a resolution, interacting to bump this and we both can get some help!
Also, you are the only search result if I enter error=“request filtered by middleware handler (AccessJWTValidator) due to: no access token in request” - congrats on being the first
I got the very same issue. Did you configure the bypass-url as a separate “public hostname” in the tunnel-settings and did you move it above the main url? That did the trick for me.
1. Configure Public Hostnames in Tunnel Settings:
   a. Navigate to Access > Tunnels.
   b. Add the Public Hostname for the protected URL and the to-be-bypassed URL, both pointing to the Service URL.
   c. Move the bypass-URL above the protected URL.
2. Set up Access Applications:
   a. Navigate to Access > Applications.
   b. Create an Application for the protected URL and define an “allow” policy for your users.
   c. Create an Application for the to-be-bypassed URL and define a “bypass” policy with the selector “Everyone” and the value “Everyone.”
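Why the ordering step above matters, as an added example that is not part of the thread and not Cloudflare's code: it models public hostname entries as a list evaluated top to bottom with the first match handling the request, and flags path-specific entries that an earlier catch-all entry makes unreachable. Assumptions: paths are treated as regular expressions as in cloudflared ingress rules, and the hostnames, path and service URL in the sample are constructed.

```python
import re
from fnmatch import fnmatch

# Constructed sample: entries in the order they appear on the tunnel.
# "path" is a regex; None means "any path".
BROKEN = [
    {"hostname": "site.example.com", "path": None,
     "service": "http://localhost:8080"},
    {"hostname": "site.example.com", "path": r"^/status/.*",
     "service": "http://localhost:8080"},
]
# Same entries with the bypass path moved above the protected hostname.
FIXED = [BROKEN[1], BROKEN[0]]


def first_match(rules, hostname, path):
    """Index of the first entry (top to bottom) that matches, or None."""
    for i, rule in enumerate(rules):
        host_ok = rule["hostname"] is None or fnmatch(hostname, rule["hostname"])
        path_ok = rule["path"] is None or re.search(rule["path"], path)
        if host_ok and path_ok:
            return i
    return None


def shadowed_rules(rules):
    """Indexes of path-specific entries that can never be selected because
    an earlier entry covers the same hostname and accepts every path."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule["path"] is None:
            continue
        for earlier in rules[:i]:
            covers_host = (earlier["hostname"] is None
                           or fnmatch(rule["hostname"], earlier["hostname"]))
            if earlier["path"] is None and covers_host:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        hit = first_match(rules, "site.example.com", "/status/health")
        print(name, "-> /status/health handled by entry", hit,
              "| shadowed entries:", shadowed_rules(rules))
```

On a locally managed tunnel, `cloudflared tunnel ingress rule <URL>` reports which rule a given URL matches.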
This worked…
In my case I was trying to set up a push notification receiver from GCP… Your approach allowed the unauthenticated hooks through! Thank you!
I have ~20 services running as dockers, and assign each public hostname under the tunnel.
Is it possible to have *.domain.com as the subdomain for the lockdown application, and then xxx.domain.com and yyy.domain.com for the few that are bypassed? Or does each public hostname listed on the tunnel specifically need to be added to one of the application policies? It doesn’t look like there is a way to order the “Applications” that contain the policies.
Ideally I’d like all required to be blocked unless they are specifically added to the bypass, that way I don’t need to enter the locked ones in both the tunnel public name AND the application.