I’ve set up access control for a subdomain of the form sub.mysite.com using one time pin sent to my email.
This seems to work correctly. When I go to sub.mysite.com I’m presented with the cloudflare access control page which asks for me email, and then sends the pin to my email. When I enter the pin I am granted access.
However, at this point I get an error:
400 Bad Request Request Header Or Cookie Too Large nginx/1.14.0 (Ubuntu)
I can see there is now one cookie for the site which looks like this:
If I delete the cookie and refresh the page it gets recreated and I still get the 400 error.
If I go into Cloudflare for Teams dashboard → My Team → User → revoke access (and also make sure the cookie is deleted), then reload sub.mysite.com I see the login screen again, get sent a new pin, enter it, then I’m back to the 400 error and the process starts again.