AWS Route53 domain with ZeroTrust

Hi, I have a domain ( in route53 with a redirection to cloudflare NS Simple - No
60 - - SOA Simple - No xxxxx… A Simple - Yes

in cloudflare I have just a couple of registers pointing to the IP of my personal server with a website

I’d like to password protect the website under the domain I’ve followed the tutorial:
where it creates a sefl-hosted application in the zerotrust. However, in after doing all the steps the website remains opened to the public.

Anybody know if I’m missing something or if that’s not the correct option to use?

If the application is on your apex domain or www, then it’s because your DNS records are set to “DNS only” and not proxied.

Requests are going direct to your origin and not through Cloudflare so your redirect and zero trust settings will do nothing until the records are proxied.

1 Like

Hi @sjr,
I don’t understand it quite well, in route53 I don’t have now the ip of the server: How can it be then that cloudflare is not being used?
the only thing I did that could be rare was to create first an A register in route53 pointing to the ip address but that was for me a step to then be able to configure the www A alias. After that, I removed the first A register.
How can I specify the proxy? would it be activating the proxy switch in the registers in cloudflare DNS section?

Since my earlier post you have enabled the proxy for the hostnames as in your screenshot and here…

Your domain is now giving a zero-trust login page as you wanted.

1 Like

Hi @sjr ,
indeed it’s working when I have specified the proxied parameter with the switches

but how is it working internally? The IP is always in Cloudflare but depending on the switch it makes the proxy or not. Maybe the first time route53 gets the IP address and after that it preserves that ip in a cache in route53 if the proxied switch is not enabled in cloudflare?

If the site is proxied, clients get a Cloudflare IP address (as in my link) instead of your actual origin IP address. Clients connect to Cloudflare, Cloudflare applies the settings and if necessary connects to the origin itself to get a response to pass back to the client.

If the site is not proxied, clients get your server IP address and connect directly to it. No Cloudflare settings can take effect.

See here…

1 Like

The documentation helps. But it doesn’t answer my question directly. I’d say when not proxied, at first time route53 or any other intermediate DNS would have to load the origin server IP address from Cloudflare. Then that ip is cached to avoid having to ask again for the IP. Or when not cached the route53 or intermediate DNS would just provide the origin server IP to the client but cloudflare would then not act as a reverse proxy.