Block all non-specified applications by default

arenk · August 2, 2022, 6:55am

Hi there.

I’m just setting up Cloudflare Access to some self-hosted applications connected via Cloudflare Tunnel. Applications shall be reachable via a custom subdomain (e.g. app1 . mycompany . com)

In Zero Trust Center → Access → Tunnels I’ve added public hostnames for the required applications (app1 . mycompony . com, app2 . mycompany . com,…)
In Zero Trust Center → Access → Applications I’ve created applications for those subdomains restricting who can access those applications (identity, context, …)

All is working fine, however there is one thing that bothers me: If I would create an additional public hostname in the Tunnel config (step 1) and “forget” about creating a corresponding application policy (step 2), the application is publicly available to everyone without any restrictions.

I’ve currently set up an additional fictional application for *.mycompany.com with a “Block everyone” policy to make sure that can’t happen, but I’m somehow not satisfied with that solution. Is there a more elegant way to handle that?

In my understanding, a Zero Trust Policy should block access to all applications that have no matching application policy by default.

cscharff · August 2, 2022, 3:39pm

That’s one approach. That isn’t the one Cloudflare has taken… probably because for a domain with a variety of use cases that wouldn’t follow the principle of least surprise

arenk · August 11, 2022, 7:14am

Makes sense. Still, I think it would be great to have an option “Block access to applications without matching policy” - even if this option is disabled by default.

nm1 · November 10, 2022, 6:28pm

This was also a big WTF moment for me when I was using ZeroTrust for the first time. It’s very surprising when a private application behind the firewall is suddenly publicly accessible, especially when using a product that is called ZeroTrust.