Can't get validate email page working on a Tunnel

What is the name of the domain?

applications are live, don’t want to post publicly

What is the error number?

No number shown.

What is the error message?

Error testing your policy: access.api.error.invalid_user_id

What is the issue you’re encountering

Can’t get Cloudflare’s validate email page working on a Tunnel

What steps have you taken to resolve the issue?

To secure a self-hosted application I have created a Tunnel.

In Zero-Trust I have added an Application.

In the Application I created a Policy of “Must have authorized email”, and added 4 user emails via “Include > emails > one@email, two@email, etc.”

Problems:
When viewing the self-hosted app via the Tunnel URL, I never get the Cloudflare authentication page; all requests go straight to the self-hosted app.

When I go to Zero-Trust > Access > Applications > Edit an App > Policies > “Test Policies” and enter any of the 4 emails such as “one@email” I get the error “Error testing your policy: access.api.error.invalid_user_id”.

I have the full DNS with Cloudflare. I’ve checked everything I can think of.

Any suggestions please, things I should double-check?

What are the steps to reproduce the issue?

Whenever I visit a tunnel domain the Cloudflare validate email page does not appear; I go straight to the web app.

Not really much that can be done without any specific information like the domain or screenshots of your settings.

That one is expected, though not very helpful:

First, let me thank you for responding. Your time and responses are VERY appreciated. Thank you, thank you.

The domain is donutpro.xyz

My main problem is the tunnel email authorization screen is never presented. It feels like the Access Application is not ‘turned on’.

So I have never had the opportunity to authorize any of my 4 email addresses. Which explains the “Error testing your policy: access.api.error.invalid_user_id”.

Here are some screenshots of the application and policy. I will have to upload them in separate posts as I am new on the Community Board and limited to one image upload per post.


Right now, you don’t have any DNS records for the domain.

Can you create a proxied DNS record? Doesn’t have to be to your actual app, just some random record.

I just added a proxied A record pointing to 192.0.0.1.

I don’t have any MX, A records on this domain as I don’t use email or any type of website.

You seem to have some WAF rule that’s blocking me.

Yes, I have WAF rule ‘block all traffic not from my country’.

I have disabled it.

Now I see the access page. Do you not see it?

Yeah! I get an Access page when I visit donutpro.xyz

Do you think that’s because of the dns A record I added?

When I enter a valid email I get a “connection timed out” error. Screenshot attached.

I can still go directly to a self-hosted app like this LED light bulb: gui020268.donutpro.xyz WITHOUT an Access page.

I have no need to have donutpro.xyz resolve as I don’t want any web sites or web apps on the top level domain.

I do want individual self-hosted apps such as hostedapp.donutpro.xyz secured with Access. Do you know how I can get this done?

I am happy you are supporting me.

I mean, you added an A record that leads to nowhere, so a timeout should be the expected result?

Your Access Application is for donutpro.xyz, not for a subdomain. Enter the subdomain if you want to use Access for the subdomain.
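The thread turns on three prerequisites that have to hold before the Access login page can appear in front of a tunneled hostname: a proxied DNS record must exist for that hostname, nothing earlier in the edge pipeline (here a country-block WAF rule) may drop the request, and an Access application's domain must actually match the hostname. The script below is an added example, not Cloudflare's code or the poster's configuration. It models that checklist and the domain-matching rule: an exact application domain covers only itself, and a `*` label stands for exactly one DNS label (so `*.donutpro.xyz` covers `gui020268.donutpro.xyz` but, under this model, not the apex `donutpro.xyz` or a two-level subdomain). That wildcard semantics, the field names of the DNS records, and the tunnel UUID are assumptions constructed for the example.

```python
"""Model of the Access-in-front-of-a-Tunnel checklist from the thread.
Added example: the matching rules and data shapes are assumptions, not
Cloudflare's implementation."""

from typing import Dict, List


def access_covers(app_domain: str, hostname: str) -> bool:
    """True if an Access application domain pattern matches the hostname.

    Assumed rule: labels compare case-insensitively, and a '*' label matches
    exactly one DNS label. Label counts must be equal, so a wildcard does
    not cover the apex or deeper subdomains.
    """
    app = app_domain.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(app) != len(host):
        return False
    return all(a == "*" or a == h for a, h in zip(app, host))


def covering_apps(app_domains: List[str], hostname: str) -> List[str]:
    """All configured application domains that would apply to hostname."""
    return [a for a in app_domains if access_covers(a, hostname)]


def preflight(hostname: str,
              app_domains: List[str],
              dns_records: Dict[str, dict],
              waf_blocks_visitor: bool) -> List[str]:
    """Return the reasons (in pipeline order) why a visitor to hostname
    would NOT be shown the Access login page. Empty list means Access
    should intercept the request."""
    findings: List[str] = []
    rec = dns_records.get(hostname.lower())
    if rec is None:
        findings.append("no DNS record: the hostname never reaches the edge")
    elif not rec.get("proxied", False):
        findings.append("record is DNS-only: traffic bypasses the edge, "
                        "so Access cannot intercept it")
    if waf_blocks_visitor:
        # In the thread the country-block rule stopped the helper before
        # the Access page was ever rendered.
        findings.append("a WAF rule blocks this visitor before Access runs")
    if not covering_apps(app_domains, hostname):
        findings.append("no Access application matches the hostname: "
                        "requests go straight to the origin")
    return findings


# Constructed sample data modelled on the thread. The tunnel UUID is a
# placeholder, not a real tunnel.
TUNNEL_TARGET = "00000000-0000-0000-0000-000000000000.cfargotunnel.com"
DNS = {
    "donutpro.xyz": {"type": "A", "content": "192.0.0.1", "proxied": True},
    "gui020268.donutpro.xyz": {"type": "CNAME", "content": TUNNEL_TARGET,
                               "proxied": True},
}


def before_fix() -> List[str]:
    """Application domain set to the apex only, as the poster first had it."""
    return preflight("gui020268.donutpro.xyz", ["donutpro.xyz"], DNS, False)


def after_fix() -> List[str]:
    """Application domain changed to the wildcard, as in the final post."""
    return preflight("gui020268.donutpro.xyz", ["*.donutpro.xyz"], DNS, False)


if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
```

Run as-is, the "before" call reports that no application matches the subdomain, which is exactly the symptom in the thread (the origin is served with no login page), and the "after" call reports nothing outstanding. Because the checks are ordered the way the edge processes a request, the first finding is the one to fix first; a DNS-only record or a blocking WAF rule will hide the Access page even when the application domain is right.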

I changed Access Application to *.donutpro.xyz and it appears all is working!!

Laudian, you’re the best. Thank you.
