Access (Setup & Usage)

access

#1

Hello all,

In case you haven’t heard, we have launched Access, and it is ready to run with. As of today (1/18/18) it is completely available to all ENT customers (contact sales for bulk pricing questions), and other customers can turn it on from the Access tab on your Cloudflare dashboard. Please note that the “beta” label is still showing until we iron out some billing-related stuff for non-Enterprise customers.

We received amazing feedback on the beta thread, but we are going to close that for now so this can focus more on feedback since launch. You can still review the beta thread if you are interested in how the feature evolved, but please leave your feedback here.

Let us know what you think - both good and bad, and how you end up using the product. Looking forward to hearing from you.

-Ryan


Cloudflare Access Beta Feedback
#3

I just saw today’s blog entry and signed up. Fun tool!

But, the pricing. It says one user is free, then $3/seat/mo after that. I’m a bit hazy on this.

I’m just one guy with a bunch of sites here, and I want to protect some URLs, say WordPress Admin and Login. I set the login to be anybody at @example.com. So each of my domains has two Access Policies (wp-admin and wp-login) for anybody @example.com (yes, I know I could set it to [email protected], but I was lazy).

What would this cost?


#4

Hi @sdayman, glad you’re enjoying Access! If it’s just you logging in using Access to your wp-admin and wp-login - that’s free - if more people log in to them, it will be $3 for each additional person logging in via Access.


#5

Tried it and works very well.

However, pricing seems odd unless I’m mistaken. It’s one unique user across all domains managed by an account that’s free, followed by paid access?

Because it would make much more sense to be one unique user per domain that’s free. Folk could just create a new free tier account for each domain and split them to get that level of access for free so I don’t see why that kind of pricing isn’t implemented off the bat?


#6

That’s great feedback, thanks @saul! The idea is not to double charge you for a user. They can log in to any domain across your account and you only need to pay once.


#7

The thing is that [email protected] != [email protected] so the latter would be billable if domainA and domainB were under one Cloudflare account, but not if they were under separate Cloudflare accounts.

Seeing as you can open as many Cloudflare accounts as you like, eg one per domain, this makes your pricing structure odd. One free unique account per month per domain name makes more sense and aligns with the cost if you had one Cloudflare account per domain.


#8

Thanks for your feedback @saul.


#9

The company where I work has numerous domains hosted with Cloudflare. Some of these domains are used for test environments that are constantly created and destroyed.

It would be greatly beneficial for us if we could enable external access to these test environments without the need of a VPN, and Cloudflare Access could be a potential solution. However, we cannot specify wildcards in the subdomains of an access policy.

Why is this? All our test sites use sub-domains that are constantly changing.


#10

My Access is configured for a specific email address.

For kicks, I entered a different email address. It says it emailed a code to me, but it really didn’t.

Is this intentional? Naturally, it’d be nice if it let someone know they did something wrong. On the other hand, maybe you don’t want people to stumble upon a valid email address.


#11

I’m trying to figure a way to work this, but come up empty:

My box runs a password-protected admin web interface on port 8443. Unfortunately, it will respond to any domain:8443 hosted on the box. So I have it firewalled off, except to my home IP address and I access it directly via IP address. Ports 80 and 443 are firewalled off, except to Cloudflare.

Would it be possible to add a wildcard Access configuration for any of my domains at Port 8443? That way, I could open up 8443 to Cloudflare’s IP addresses and have it fully protected.

EDIT: After I posted this, I realized Access doesn’t allow for access control by Port. It would be nice if it could. I’m still trying to think of a way to make this work; maybe in conjunction with Proxy Anything.


#12

Yeah this is intentional. In general it is a best practice to treat valid and invalid users exactly the same way from a security perspective, otherwise you can theoretically dictionary (or more intelligently) try a list of addresses to determine if they are valid or not.

Same as a Windows login “bad username or password”. It doesn’t tell you which and the login behavior doesn’t change once the account has been locked out if it was valid either (so you can’t easily determine account lockout policy thresholds).
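
The behaviour described in this reply, as an added example that is not part of the original thread and is not Cloudflare's code: a one-time-code login that answers identically for permitted and unknown addresses. The policy set, the reply text, `request_code` and `verify_code` are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed policy and mail outbox for this example (assumptions, not product data).
ALLOWED_EMAILS = {"admin@example.com"}
PENDING = {}   # email -> HMAC of the code that was issued
OUTBOX = []    # stands in for a queued mail sender
SERVER_KEY = secrets.token_bytes(32)
GENERIC_REPLY = {"status": 200,
                 "body": "If that address is permitted, a code has been emailed to it."}


def _normalize(email: str) -> str:
    return email.strip().lower()


def request_code(email: str) -> dict:
    """Return the same reply whether or not the address is in the policy."""
    email = _normalize(email)
    # The code and digest are computed on every request so both paths do similar work.
    code = f"{secrets.randbelow(10**6):06d}"
    digest = hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()
    if email in ALLOWED_EMAILS:
        PENDING[email] = digest
        # Queue the mail rather than sending inline, so delivery time does not
        # show up as a response-time difference between the two paths.
        OUTBOX.append((email, code))
    return dict(GENERIC_REPLY)


def verify_code(email: str, code: str) -> bool:
    """Fail the same way for an unknown address, no pending code, or a wrong code."""
    email = _normalize(email)
    expected = PENDING.get(email, b"\x00" * 32)  # dummy digest keeps the compare on every path
    supplied = hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, supplied) and email in PENDING
    if ok:
        del PENDING[email]  # codes are single use
    return ok
```
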


#13

I think you could do this with Access + Warp.


#14

Thanks for your feedback. Currently wildcards in subdomains are not supported. We will review this request in our future releases.


#15

From what I know about Warp, it’s something I run locally on my computer. My desire is to be able to Access a protected Port 8443 from a standard work computer (or Chromebook).


#16

Doesn’t seem to work with Angular 5 Service Workers. When loading the manifest file, the request is always redirected to the Cloudflare access login page, even if I am already authenticated.


#17

Warp can be run on any server (your computer could be acting as a server) but it allows you to publish an application to the internet. It takes a specific single port and publishes that as a host name. So for example I have 3 docker instances running on my DO box, 2 of them are published normally (behind an nginx instance) and the 3rd runs under WARP. The warp docker instance can only be accessed via the DNS hostname associated with it. So depending on what’s running on 8443 you might be able to publish it directly using warp or perhaps point it to a dedicated nginx instance which would then be published through warp.


#18

Is there an API endpoint yet for Access, so at least we can automate the process of setting new access policies for the new test environments? I can’t see it within the API documentation…


#19

Currently we don’t have an API endpoint for Access yet.


#20

Adding a clear, concurrent licencing selection to Access Policy would be a nice touch to groups. Much easier than manually entering each user or creating additional groups.
Also, would love to see options for idle timeout/lock, show/hide the number of users and possibly an option like the logout bar to show other users.
This is by far the easiest solution for locking down the backend of a site and opens a lot of doors for small business. Keep up the good work!


#21

Any possibility of getting nested Google Groups support added?