What is the name of the domain?
What is the issue you’re encountering?
Cannot block all incoming requests except one subdomain
What steps have you taken to resolve the issue?
To provide context, I have a tunnel with Cloudflare to my local network for the domain example.com. Among other things, I have two public hostnames, alice and bob.
The subdomain alice is accessible with SSO and internally communicates with bob, a subdomain that I want to be accessible only to alice and no one else.
To achieve this, I have tried two things. First, adding the following firewall rule to block (I have replaced all dots with _ due to post limitations):
(http.referer ne "https://alice_example_com" and http.request.full_uri contains "bob_example_com")
I have also tried adding an HTTP Response Header Modification Rule:
Incoming request: (http.request.full_uri contains "bob_example_com")
Then set static: Access-Control-Allow-Origin = https://alice_example_com
If I add the firewall rule, I get a 404 from the subdomain alice. If I add the response header rule, the call from alice works, but bob can also be accessed directly.
Finally, I tried adding bob as an application in Zero Trust and adding a bypass policy "common name = alice_example_com", but it didn’t work either. I assume the certificate works at the domain level, but then accessing bob directly would also work.
Is there a way to do this without using IPs, as I don’t have a static one?
What is the current SSL/TLS setting?
Full
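The following is an added example, not code from the post above or from Cloudflare. It models the semantics of the two rules the post describes (the `http.referer ne ...` block expression and the `Access-Control-Allow-Origin` response header) and runs them over a handful of constructed requests to bob, to show what each mechanism actually stops. It assumes the real hostnames are alice.example.com and bob.example.com (the post writes them with underscores), that `ne` is an exact string comparison on the full Referer header with a missing header treated as the empty string, and that a browser making a cross-origin request under the default referrer policy sends only the origin, serialised with a trailing slash.

```python
"""Added example: a small model of the two Cloudflare rules from the post.

This is not Cloudflare's rule engine and not the poster's code. It reproduces
the semantics of the posted firewall expression and of an
Access-Control-Allow-Origin response header, then applies them to a few
constructed requests to show what each one does and does not prevent.
"""

ALICE_ORIGIN = "https://alice.example.com"   # literal used in the posted rules (assumed hostname)
BOB_HOST = "bob.example.com"                 # assumed hostname

# Constructed sample requests as they would arrive at bob (not captured traffic).
REQUESTS = {
    # Browser on an alice page calling bob. Under the default Referrer-Policy
    # (strict-origin-when-cross-origin) a cross-origin request carries only
    # the origin, which browsers serialise with a trailing slash.
    "browser_from_alice": {
        "full_uri": f"https://{BOB_HOST}/api/data",
        "headers": {"Referer": f"{ALICE_ORIGIN}/", "Origin": ALICE_ORIGIN},
        "client": "browser",
    },
    # Browser on some unrelated site calling bob.
    "browser_from_other_site": {
        "full_uri": f"https://{BOB_HOST}/api/data",
        "headers": {"Referer": "https://other.example/", "Origin": "https://other.example"},
        "client": "browser",
    },
    # alice's backend calling bob server-side: HTTP libraries send no Referer by default.
    "backend_from_alice": {
        "full_uri": f"https://{BOB_HOST}/api/data",
        "headers": {},
        "client": "server",
    },
    # Anyone hitting bob directly with curl.
    "direct_curl": {
        "full_uri": f"https://{BOB_HOST}/api/data",
        "headers": {},
        "client": "curl",
    },
    # Same, but with a Referer chosen to match the rule literal exactly:
    # the header is entirely client-controlled.
    "direct_curl_forged_referer": {
        "full_uri": f"https://{BOB_HOST}/api/data",
        "headers": {"Referer": ALICE_ORIGIN},
        "client": "curl",
    },
}


def firewall_rule_blocks(req: dict) -> bool:
    """Evaluate the posted block rule:
    (http.referer ne "https://alice.example.com" and
     http.request.full_uri contains "bob.example.com")

    `ne` is an exact comparison of the whole Referer value; an absent
    header compares as the empty string, so it is also "not equal".
    """
    referer = req["headers"].get("Referer", "")
    return referer != ALICE_ORIGIN and BOB_HOST in req["full_uri"]


def cors_header_hides_response(req: dict) -> bool:
    """Effect of `Access-Control-Allow-Origin: https://alice.example.com`.

    Only browsers interpret this header, and only to decide whether a
    cross-origin script may read the response. The request reaches bob in
    every case; the header is not an access control.
    """
    if req["client"] != "browser":
        return False
    return req["headers"].get("Origin") != ALICE_ORIGIN


def evaluate_all() -> dict:
    """Return {request name: (blocked_by_firewall_rule, response_hidden_by_cors)}."""
    return {
        name: (firewall_rule_blocks(r), cors_header_hides_response(r))
        for name, r in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (blocked, hidden) in evaluate_all().items():
        print(f"{name:28s} firewall blocks={str(blocked):5}  CORS hides response={hidden}")
```

Two things fall out of running this. The exact-match `ne` blocks every request whose Referer is not byte-for-byte the rule literal, which under this model includes the browser call from alice (trailing slash) and any server-side call from alice (no Referer at all), while a direct curl that sets the matching Referer passes, because the client chooses that header. The CORS header changes nothing on the request path at all: it only stops a browser script on a foreign origin from reading bob's reply, and server-side or curl clients ignore it entirely. Neither mechanism verifies who is calling bob.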