Bypass login page when warp client active

joshua4 · April 12, 2022, 2:49pm

Hello,

I want to make a self hosted application internally available with Cloudflare access. Since the application needs to be accessed by browser and by a cli tool which doesn’t support custom headers I need a way to bypass the login page when the warp client is active. Is there a setting to do that?
Everything works fine if I add the application server’s ip as a network (but then I have to use the ip instead of the public hostname). Is there a way to do the same as with private networks but with a public hostname instead?

Kind regards
Joshua

KianNH · April 12, 2022, 9:45pm

This can be done with a policy with the Bypass action on your Access application that requires the Gateway device posture.

https://developers.cloudflare.com/cloudflare-one/identity/devices/require-gateway/

joshua4 · April 12, 2022, 10:36pm

Thank you, that worked. What’s the difference between the “Gateway” and “Warp” posture?
And I assume that it only allows Warp users who are logged into the same team to access, correct?

KianNH · April 12, 2022, 10:50pm

‘Warp’ means anyone using Warp (including the usual consumer Warp) whereas ‘Gateway’ means anyone who is enrolled into your Zero Trust organization using Warp for Teams.

Enrolling can be done with these instructions: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/

Note that for websites (aka Cloudflare Access) to be able to recognise you are using Gateway, you will need to enable ‘TLS decryption’ under Settings → Network in the Zero Trust dashboard.

You’ll know it’s working since when you visit /cdn-cgi/trace on a Cloudflare website, such as https://cloudflare.com/cdn-cgi/trace, you’ll see this:

warp=on
gateway=on

marivaldojr · April 29, 2022, 10:18am

Hi,

If I understand correctly, a Bypass with a Gateway rule would be enough to access when Warp was activated and logged in CF.

I have a Policy with Bypass action on an Access application with a Include Gateway rule. But I getting Forbidden when I try to access the application.

Policy

What is missing?

Regards,
Marivaldo

KianNH · April 29, 2022, 10:28am

Do you have TLS decryption enabled?

marivaldojr · April 29, 2022, 11:04am

Yes, Proxy and TLS decryption are enabled.

KianNH · April 29, 2022, 11:17am

What does https://cloudflare.com/cdn-cgi/trace say for ‘warp’ and ‘gateway’?

marivaldojr · April 29, 2022, 12:45pm

warp=on
gateway=on

congnv1 · May 23, 2022, 3:08am

Hello @KianNH ,

So option Gateway is worked, but is there anyway to limit bypass login to specifics Users/Groups instead of all users?