Block all non-specified applications by default

Hi there.

I’m just setting up Cloudflare Access to some self-hosted applications connected via Cloudflare Tunnel. Applications shall be reachable via a custom subdomain (e.g. app1 . mycompany . com).

  1. In Zero Trust Center → Access → Tunnels I’ve added public hostnames for the required applications (app1 . mycompany . com, app2 . mycompany . com, …)
  2. In Zero Trust Center → Access → Applications I’ve created applications for those subdomains restricting who can access those applications (identity, context, …)

All is working fine, however there is one thing that bothers me: If I would create an additional public hostname in the Tunnel config (step 1) and “forget” about creating a corresponding application policy (step 2), the application is publicly available to everyone without any restrictions.

I’ve currently set up an additional fictional application for *.mycompany.com with a “Block everyone” policy to make sure that can’t happen, but I’m somehow not satisfied with that solution. Is there a more elegant way to handle that?

In my understanding, a Zero Trust Policy should block access to all applications that have no matching application policy by default.
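An added example (not from this thread or from Cloudflare) of the kind of check the post above is asking for: it reads the public hostnames out of a constructed cloudflared config.yml, compares them against a constructed list of Access application domains, and reports which tunnel hostnames have their own Access application, which are only caught by the wildcard “Block everyone” app (probably forgotten), and which have no Access application at all and are therefore public. The wildcard matching rule (`*` matches one or more DNS labels) is an assumption.

```python
import re

# Constructed sample cloudflared config (not from the thread): nas.mycompany.com
# was added to the tunnel, but no Access application was created for it.
TUNNEL_CONFIG = """
tunnel: 00000000-0000-0000-0000-000000000000
ingress:
  - hostname: app1.mycompany.com
    service: http://localhost:8001
  - hostname: app2.mycompany.com
    service: http://localhost:8002
  - hostname: nas.mycompany.com
    service: http://localhost:5000
  - service: http_status:404
"""

# Constructed list of Access application domains: two specific apps plus the
# catch-all "Block everyone" app described in the post.
ACCESS_APPS = {
    "app1.mycompany.com": "allow-staff",
    "app2.mycompany.com": "allow-staff",
    "*.mycompany.com": "block-everyone",
}


def ingress_hostnames(config_text: str) -> list:
    """Pull every public hostname out of a cloudflared ingress block."""
    return re.findall(r"^\s*-\s*hostname:\s*(\S+)", config_text, re.M)


def domain_matches(pattern: str, hostname: str) -> bool:
    """Assumption: '*' in an Access application domain matches one or more labels."""
    regex = "^" + re.escape(pattern).replace(r"\*", r"[^.]+(?:\.[^.]+)*") + "$"
    return re.match(regex, hostname, re.I) is not None


def coverage_report(config_text: str, apps: dict) -> dict:
    """Classify each tunnel hostname as 'specific' (has its own Access app),
    'catchall_only' (only a wildcard app applies, so it was probably forgotten)
    or 'unprotected' (no Access app at all: reachable by anyone)."""
    report = {"specific": [], "catchall_only": [], "unprotected": []}
    for host in ingress_hostnames(config_text):
        matches = [d for d in apps if domain_matches(d, host)]
        if any("*" not in d for d in matches):
            report["specific"].append(host)
        elif matches:
            report["catchall_only"].append(host)
        else:
            report["unprotected"].append(host)
    return report
```

Run `coverage_report(TUNNEL_CONFIG, ACCESS_APPS)` with the catch-all app removed from `ACCESS_APPS` to see the forgotten hostname move from `catchall_only` to `unprotected`, which is exactly the exposure the post describes.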

That’s one approach. That isn’t the one Cloudflare has taken… probably because for a domain with a variety of use cases that wouldn’t follow the principle of least surprise.


Makes sense. Still, I think it would be great to have an option “Block access to applications without matching policy” - even if this option is disabled by default.

This was also a big WTF moment for me when I was using ZeroTrust for the first time. It’s very surprising when a private application behind the firewall is suddenly publicly accessible, especially when using a product that is called ZeroTrust.

Can you please describe how to create such a policy? It doesn’t seem to be accepting the wildcard in the subdomain for me.

Sure, just have a look at the documentation: Application paths · Cloudflare Zero Trust docs

Almost a year but I still couldn’t see this option. IMO they should make this enabled by default!

This was a huge surprise to me. I was in the middle of setting my NAS up, then I forgot about my tunnel for a week… then just realized it had been open to the public by default, OMG!