I want to make a self-hosted application internally available with Cloudflare Access. Since the application needs to be accessed by browser and by a CLI tool which doesn’t support custom headers, I need a way to bypass the login page when the Warp client is active. Is there a setting to do that?
Everything works fine if I add the application server’s IP as a network (but then I have to use the IP instead of the public hostname). Is there a way to do the same as with private networks but with a public hostname instead?
This can be done with a policy with the Bypass action on your Access application that requires the Gateway device posture.
Thank you, that worked. What’s the difference between the “Gateway” and “Warp” posture?
And I assume that it only allows Warp users who are logged into the same team to access, correct?
‘Warp’ means anyone using Warp (including the usual consumer Warp) whereas ‘Gateway’ means anyone who is enrolled into your Zero Trust organization using Warp for Teams.
Enrolling can be done with these instructions: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/
Note that for websites (aka Cloudflare Access) to be able to recognise you are using Gateway, you will need to enable ‘TLS decryption’ under Settings → Network in the Zero Trust dashboard.
You’ll know it’s working since when you visit /cdn-cgi/trace on a Cloudflare website, such as https://cloudflare.com/cdn-cgi/trace, you’ll see this:
If I understand correctly, a Bypass with a Gateway rule would be enough to access when Warp is activated and logged in to CF.
I have a Policy with Bypass action on an Access application with an Include Gateway rule. But I am getting Forbidden when I try to access the application.
What is missing?
Do you have TLS decryption enabled?
Yes, Proxy and TLS decryption are enabled.
What does https://cloudflare.com/cdn-cgi/trace say for ‘warp’ and ‘gateway’?
Hello @KianNH,
Gateway is working, but is there any way to limit bypass login to specific Users/Groups instead of all users?