Cloudflare Access? Exclude Path from authentication?

Hello, I have a staging deployment of my application that I just secured with “Cloudflare Access”. It is working well, great product.

I would like to exclude a single path from authentication: /hooks

I need incoming webhooks from 3rd party service to be able to reach my service.

Any ideas?

You can certainly try and let us know. Access does seem to allow overlapping policies, but I don’t know which takes precedence. There is an “Everyone” group and you can set it to Bypass the Access screen.

Thanks. What did the trick was setting the policy decision to “Bypass”. The order does not seem to matter.

And the main policy still limits access everywhere else?

It appears so. It’s pretty cool.

Now if only Traefik (the reverse proxy of my choice) would support authentication Cloudflare requests OOTB. :wink:

Can you please share the setup? I cannot replicate it

I figured it out. You have to create two applications, a normal one with the bare domain/sub-domain without a path, which will have the policy to grant access. Then, you create a second application which specifies a path, shown in the screenshot. This application should have one bypass policy, also in the screenshot.

It’s a bit clunky, but works great.

Oh. I tried to do it. And this worked for about a month. However, the URL with the Bypass policy is now under authorization again. Seems CF Zero Trust does not guarantee the order of checks.