Argo without authentication

Is it possible to allow anonymous (no auth) users access to https based web apps behind argo/ztna? I can publish internal resources, no problem - but they all require some kind of authentication.
I would like to simply allow everyone (without prompting for anything) access since some of the are API’s with non-interactive access.

If not, what CF product am I looking for to avoid exposing these endpoints directly to Internet in my firewall.

Thx.
/Rune

Cloudflare Tunnel and Cloudflare Access are separate configurations. You can use the first, without configuring a policy for the second.

Brilliant, so basically just cloudflared+cname and ignore any config in the zero trust interface?

Exactly.

There is a way to bypass via Access, if you want to be more specific in who you allow, but for those I’d suggest reading the docs, it’s way better than what I could do here in a post.

I read a lot but it’s very hard to find any info since there are so many names for argo, teams, zero trust, cloudflared etc. and I simply wasn’t able to figure out anonymous access. Can you share a like?
Also, I don’t presume I can simply use my existing (and same) tunnel for warp-routing, access AND simply cloudflared+cname as I suggested above. I’ll need one additional tunnel?

1 Like

No, the one works. The Access rules are per hostname, so those are totally separate from how you actually connect to the server. :slight_smile: You can even use Access policies (Zero Trust I think it’s now called) for standard proxied hostnames or Workers-only ones.

Read these, https://developers.cloudflare.com/cloudflare-one/policies/zero-trust.

Yeah just got back to it now, just adding another hostname to same tunnel and skip the access config bit works - I just use some obfuscated URL and I presume since it hits Cloudflare’s edge first, some basic checks are still in place.

Security through obscurity is never a great idea… they are visible still by a lot of parties when you navigate normally.

What are you expecting to be checked?

Sure, agreed - but since this particular url needs anonymous access (no auth before landing site) and user/pwd for interactive login or cert for service login I’m ok with just hiding it behind a random cname + Cloudflare Tunnel . The data downloaded automatically is signed and validated with a simple hash match before being deployed by those machines contacting it.

basic checks, don’t know what CF calls protection from “bad actors” and their edge policies. I’m guessing some basic proxy stuff, block malicious code, making it harder to compromise etc. I’ve not done a scan internal/external yet to see the difference.

Also turns out I can just use regular firewall rules on the dashboard for those tunnels/apps not covered under “access”, further securing it. Fairly simple.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.