Argo Tunnels is a great feature that allows an entire server farm to allow remote and secure access via Cloudflare Access.
However, as a powerful tool it has the potential to create security holes, as once a tunnel daemon is authorized it is then has the ability to create multiple tunnels on its own. This means that any admin on a server can by a simple command write DNS rules that will bypass Access policies and open internal servers to the world.
For now we’re not using Tunnels due to this security concern and would love to here if there’s some intention to improve on the security constraints imposed on a Daemon.
There are multiple options here, with the best being requiring an authorization on Cloudflare side for each tunnel and not for each daemon.
Another good thing would be to have a functionality that allows to impose Access on Argo Tunnels ins such a way that no tunnel is accessible if it does not have an Access policy leading to it.