Block all incoming requests except one subdomain

What is the name of the domain?

example.com

What is the issue you’re encountering

Cannot block all incoming requests except one subdomain

What steps have you taken to resolve the issue?

To provide context, I have a tunnel with Cloudflare to my local network for the domain example.com. Among other things, I have public hostnames, alice and bob.
The subdomain alice is accessible with an SSO and internally communicates with bob, a subdomain that I want to be accessible only to alice and no one else.
To achieve this, I have tried two things. First, adding the following firewall rule to block (I have replaced all dots with _ due to post limitations):
(http.referer ne "https://alice_example_com" and http.request.full_uri contains "bob_example_com")

I have also tried adding an HTTP Response Header Modification Rule:
Incoming request: (http.request.full_uri contains "bob_example_com")
Then set static: Access-Control-Allow-Origin = https://alice_example_com

If I add the firewall rule, I get a 404 from the subdomain alice. If I add the rule to the response header, the call from alice works, but it can also be accessed directly.

Finally, I tried adding bob as an application in Zero Trust and adding a bypass policy "common name = alice_example_com", but it didn't work either. I assume the certificate works at domain level, but then accessing bob directly would also work.

Is there a way to do this without using IPs, as I don’t have a static one?

What is the current SSL/TLS setting?

Full

Hi, I have found a workaround using Workers. alice is communicating with bob using WebSockets, so I am using Origin instead of Referer and it works.
But I would like something that doesn't involve Workers.

export default {
	async fetch(request, env, ctx) {
		const url = new URL(request.url);

		if (url.hostname === 'bob.example.com') {
			// Read the Origin header (browsers send it on WebSocket upgrades and cross-origin requests)
			const origin = request.headers.get('Origin');

			// Compare exactly: a prefix check such as startsWith() would also accept
			// origins like https://alice.example.com.evil.tld
			if (origin !== 'https://alice.example.com') {
				return new Response('Unauthorized', { status: 403 });
			}
		}

		// Valid request, or not for bob.example.com: forward it to the tunnel origin
		return fetch(request);
	},
};
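The Origin check from the Worker above, as a standalone function run against a few constructed sample requests. This is an added example, not code from the original post: the hostnames alice.example.com and bob.example.com are taken from the post, while the gate() helper, the sample requests and the curl comparison are illustrative assumptions. It shows two things the post does not spell out: a prefix comparison such as startsWith() also accepts https://alice.example.com.attacker.example, so the allowed origin should be compared exactly; and because Origin is set by the client, any scripted client can send the expected value, so the gate stops cross-site use from a browser but does not prove that a request really came from alice.

```javascript
// Added example (not from the original post): the Worker's Origin gate as a
// standalone function, exercised against constructed sample requests.
// Only the two hostnames come from the post; everything else is illustrative.

const PROTECTED_HOST = 'bob.example.com';
const ALLOWED_ORIGIN = 'https://alice.example.com';

// Case-insensitive header lookup over a plain object; stands in for
// request.headers.get() so the example runs outside a Worker.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : headers[key];
}

// Returns 403 when a request for bob carries a missing or wrong Origin,
// otherwise null, meaning "forward to the tunnel".
// Exact comparison: startsWith(ALLOWED_ORIGIN) would also accept
// https://alice.example.com.attacker.example.
function gate(requestUrl, headers) {
  const url = new URL(requestUrl);
  if (url.hostname !== PROTECTED_HOST) return null;
  const origin = getHeader(headers, 'Origin');
  if (origin !== ALLOWED_ORIGIN) return 403;
  return null;
}

// Constructed sample requests, in the order a practitioner would test them.
const SAMPLES = {
  // 1. WebSocket upgrade made by the page served from alice: allowed.
  websocketFromAlice: {
    url: 'wss://bob.example.com/ws',
    headers: { Upgrade: 'websocket', origin: 'https://alice.example.com' },
  },
  // 2. Typing bob's URL into a browser tab: browsers send no Origin on a
  //    top-level navigation, so it is blocked.
  directNavigation: {
    url: 'https://bob.example.com/',
    headers: { Accept: 'text/html' },
  },
  // 3. An origin that merely starts with the allowed value: blocked by the
  //    exact match, but it would pass the original startsWith() check.
  prefixConfusion: {
    url: 'wss://bob.example.com/ws',
    headers: { Origin: 'https://alice.example.com.attacker.example' },
  },
  // 4. A scripted client forging the header, e.g.
  //    curl -H 'Origin: https://alice.example.com' https://bob.example.com/api
  //    This passes: Origin is chosen by the client, so the gate only keeps
  //    other sites' browser code away from bob; it does not authenticate alice.
  forgedOrigin: {
    url: 'https://bob.example.com/api',
    headers: { Origin: 'https://alice.example.com' },
  },
  // 5. Requests for alice itself are never gated.
  aliceItself: { url: 'https://alice.example.com/', headers: {} },
};

// Runs every sample through the gate and returns { name: 403 | null }.
function runSamples() {
  const results = {};
  for (const [name, sample] of Object.entries(SAMPLES)) {
    results[name] = gate(sample.url, sample.headers);
  }
  return results;
}

console.log(runSamples());
```

Case 4 is the one to keep in mind before relying on this: the Worker narrows who can reach bob from inside a browser, but anything that can open a TCP connection to bob.example.com can still send the matching Origin header.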