I’m just setting up Cloudflare Access for some self-hosted applications connected via Cloudflare Tunnel. Applications shall be reachable via a custom subdomain (e.g. app1 . mycompany . com).
- In Zero Trust Center → Access → Tunnels I’ve added public hostnames for the required applications (app1 . mycompany . com, app2 . mycompany . com, …)
- In Zero Trust Center → Access → Applications I’ve created applications for those subdomains restricting who can access those applications (identity, context, …)
All is working fine, however there is one thing that bothers me: if I created an additional public hostname in the Tunnel config (step 1) and “forgot” to create a corresponding application policy (step 2), the application would be publicly available to everyone without any restrictions.
I’ve currently set up an additional fictional application for *.mycompany.com with a “Block everyone” policy to make sure that can’t happen, but I’m somehow not satisfied with that solution. Is there a more elegant way to handle that?
In my understanding, a Zero Trust Policy should block access to all applications that have no matching application policy by default.
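One way to catch the gap described above mechanically, as an added example that is not part of the original post: compare the public hostnames from the tunnel’s ingress rules against the domains of the Access applications and flag every hostname that has no exact-domain application (i.e. is either fully exposed or covered only by the wildcard “Block everyone” app). The ingress and application lists below are constructed samples, and the wildcard matching (a leading `*` matches any number of labels) is this example’s assumption, not a statement of Cloudflare’s exact semantics.

```python
import fnmatch

# Constructed sample: public hostnames as they would appear under `ingress:`
# in a cloudflared config.yml (the final http_status:404 rule has no hostname).
TUNNEL_INGRESS = [
    {"hostname": "app1.mycompany.com", "service": "http://localhost:8001"},
    {"hostname": "app2.mycompany.com", "service": "http://localhost:8002"},
    {"hostname": "app3.mycompany.com", "service": "http://localhost:8003"},  # no Access app
    {"service": "http_status:404"},
]

# Constructed sample: domains of the Access applications, including the
# wildcard "Block everyone" catch-all from the post.
ACCESS_APP_DOMAINS = ["app1.mycompany.com", "app2.mycompany.com", "*.mycompany.com"]


def covering_apps(hostname, app_domains):
    """Return the Access application domains that match hostname.
    Assumption: fnmatch-style wildcards, so '*.mycompany.com' matches
    'app1.mycompany.com' but not the apex 'mycompany.com' itself."""
    return [d for d in app_domains if fnmatch.fnmatchcase(hostname.lower(), d.lower())]


def audit(ingress, app_domains):
    """Classify each ingress hostname as 'exposed' (no Access app at all),
    'catch_all_only' (only a wildcard app matches) or 'ok' (exact-domain app)."""
    result = {"exposed": [], "catch_all_only": [], "ok": []}
    for rule in ingress:
        host = rule.get("hostname")
        if not host:  # catch-all service rule, nothing to check
            continue
        matches = covering_apps(host, app_domains)
        if not matches:
            result["exposed"].append(host)
        elif all(d.startswith("*") for d in matches):
            result["catch_all_only"].append(host)
        else:
            result["ok"].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in audit(TUNNEL_INGRESS, ACCESS_APP_DOMAINS).items():
        print(f"{status}: {hosts}")
```

Run this after every tunnel change (or from CI against the exported config) and treat a non-empty `exposed` or `catch_all_only` list as a failed check.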