Allow (with auth) for a domain, but bypass auth for a path that should be available for public access?

Hi folks,

I just used a Cloudflare tunnel for a service, which is published with a domain name (service.example.com). The backend is backend.internal.example.org.

The Access policy for that is to force users to authenticate via my authentication service (Okta), and it also does MFA. That works wonders whenever someone accesses service.example.com or any path beyond it.

However, there is now a need for a public page (which is expected to be reachable via service.example.com/public) that I am supposed to allow. I feel there are two ways I can do it, but want to consult you guys for experience:

  1. Using the existing tunnel and service, but create another Application which points to the path service.example.com/public. Then the policy is set to Bypass.
  2. Using a new tunnel, with a new domain name (public.example.com), with its service pointing to the path backend.internal.example.org/public. The new Application for public.example.com has its policy set to Bypass.

I’ve tried the first one, but it seems CORS blocked the cross-origin requests (the requests for the resources were still made to myorg.cloudflareaccess.com, and my public page failed to display due to that). If I log in first instead and then refresh the public page, it loads properly.

If using the second method, I would have to ask the guys controlling our public DNS system to add another domain name, which is a hassle (business-side, not technical-side).

Sincerely appreciate any inputs
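An added example, not from the post above and not Cloudflare's own tooling: an offline check that classifies the responses a browser would get for the public page and each sub-resource it loads, so you can see which URLs still end up at the Access login instead of the Bypass application. A path-scoped Access application covers only that path and its subpaths, so a page under /public whose scripts or API calls live under /static or /api still gets the 302 to `<team>.cloudflareaccess.com` for those, and the browser then fails the cross-origin check on the login page. The team domain is taken from the post; every hostname, path and response below is a constructed sample.

```python
# Added example (not from the original post): classify the responses a browser
# receives for a "public" page and its sub-resources, and list the URLs that
# still hit the Cloudflare Access login. All URLs/responses are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlparse

REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (status code + headers)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def classify(resp: Response, team_domain: str) -> str:
    """Label one response.

    'access-login'   : redirect to the Access login on the team domain, i.e. the
                       URL is still governed by the Allow (authenticate) policy
    'public'         : 2xx with an Access-Control-Allow-Origin header
    'public-no-cors' : 2xx without a CORS header (fine for same-origin loads only)
    'other'          : anything else (4xx/5xx, redirects elsewhere)
    """
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in REDIRECTS:
        target = urlparse(hdrs.get("location", "")).hostname or ""
        if target == team_domain or target.endswith("." + team_domain):
            return "access-login"
        return "other"
    if 200 <= resp.status < 300:
        return "public" if "access-control-allow-origin" in hdrs else "public-no-cors"
    return "other"


def audit(urls: List[str], fetch: Callable[[str], Response], team_domain: str) -> Dict[str, str]:
    """Classify every URL. `fetch` must NOT follow redirects, otherwise the
    302 to the login page is hidden behind the login page's own 200."""
    return {u: classify(fetch(u), team_domain) for u in urls}


def needs_bypass(report: Dict[str, str]) -> List[str]:
    """URLs the public page depends on that are still behind the Allow policy."""
    return [u for u, label in report.items() if label == "access-login"]


# --- constructed sample: a Bypass application on service.example.com/public,
# with the page's assets and API living outside that path ---------------------
TEAM = "myorg.cloudflareaccess.com"  # team domain mentioned in the post
# Assumed shape of the Access login redirect target (constructed, not captured).
LOGIN = "https://myorg.cloudflareaccess.com/cdn-cgi/access/login/service.example.com"

SAMPLE = {
    "https://service.example.com/public":
        Response(200, {"Content-Type": "text/html",
                       "Access-Control-Allow-Origin": "https://service.example.com"}),
    "https://service.example.com/public/style.css":
        Response(200, {"Content-Type": "text/css"}),
    "https://service.example.com/static/app.js":  # not under /public
        Response(302, {"Location": LOGIN}),
    "https://service.example.com/api/items":      # not under /public
        Response(302, {"Location": LOGIN}),
}


def fake_fetch(url: str) -> Response:
    """Offline fetch: serve the constructed responses; unknown URLs look protected."""
    return SAMPLE.get(url, Response(302, {"Location": LOGIN}))


def audit_example() -> Dict[str, str]:
    """Run the audit over the constructed sample."""
    return audit(list(SAMPLE), fake_fetch, TEAM)


if __name__ == "__main__":
    report = audit_example()
    for url, label in report.items():
        print(f"{label:15} {url}")
    print("\nstill behind Access (move under /public or give them their own Bypass application):")
    for url in needs_bypass(report):
        print("  ", url)
```

To run it against a live deployment, replace `fake_fetch` with a function that calls `requests.get(url, allow_redirects=False)` and wraps the result in `Response(r.status_code, dict(r.headers))`; following redirects would make every protected asset look like a successful 200 from the login page. Anything reported as `access-login` is what the browser was blocked on in the first approach from the post.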