Block all non-specified applications by default

arenk · August 2, 2022, 6:55am

Hi there.

I’m just setting up Cloudflare Access to some self-hosted applications connected via Cloudflare Tunnel. Applications shall be reachable via a custom subdomain (e.g. app1 . mycompany . com)

In Zero Trust Center → Access → Tunnels I’ve added public hostnames for the required applications (app1 . mycompony . com, app2 . mycompany . com,…)
In Zero Trust Center → Access → Applications I’ve created applications for those subdomains restricting who can access those applications (identity, context, …)

All is working fine, however there is one thing that bothers me: If I would create an additional public hostname in the Tunnel config (step 1) and “forget” about creating a corresponding application policy (step 2), the application is publicly available to everyone without any restrictions.

I’ve currently set up an additional fictional application for *.mycompany.com with a “Block everyone” policy to make sure that can’t happen, but I’m somehow not satisfied with that solution. Is there a more elegant way to handle that?

In my understanding, a Zero Trust Policy should block access to all applications that have no matching application policy by default.

cscharff · August 2, 2022, 3:39pm

That’s one approach. That isn’t the one Cloudflare has taken… probably because for a domain with a variety of use cases that wouldn’t follow the principle of least surprise

arenk · August 11, 2022, 7:14am

Makes sense. Still, I think it would be great to have an option “Block access to applications without matching policy” - even if this option is disabled by default.

nm1 · November 10, 2022, 6:28pm

This was also a big WTF moment for me when I was using ZeroTrust for the first time. It’s very surprising when a private application behind the firewall is suddenly publicly accessible, especially when using a product that is called ZeroTrust.

sshaikh · May 19, 2023, 5:16pm

Can you please describe how to create such a policy? It doesn’t seem to be accepting the wildcard in the subdomain for me.

arenk · May 19, 2023, 6:09pm

Sure, just have a look at the documentation Application paths · Cloudflare Zero Trust docs

user6054 · July 15, 2023, 6:39pm

Almost a year but I still couldn’t see this option. IMO they should make this enabled by default!

This was a huge surprise to me. I was in the middle of setting my NAS up then I forget about my tunnel for a week… then just realized it was opened to the public by default OMG!