What they mean is that you need to block everything except Cloudflare on your origin or a firewall in front of it to prevent Cloudflare Access being bypassed by connecting to the origin IP directly or any other DNS name. Many hosting providers use their own names for their servers, like vps12345.hosting-company.com, to make it easier for customers to connect to their server. Those DNS names are not protected by Cloudflare.
So if you have access to the server firewall, iptables for example, you should block them there. Many hosts provide a UI like Plesk or cPanel where you can set those rules. Basically Cloudflare Access is like a VPN. Everything is denied by default.
Bypass IPs, allowed emails and so on.
To make things a bit more clear:
Test 1 allows direct access to the page if I connect from the 195.x.x.x IP without an email code, or use the given email address @gmail.com from everywhere.
Test 2 requires that I log in with the given email address only from 195.x.x.x. When I try to log in from anywhere else I don’t get a code emailed.
Since this is just a playground, I don’t have any firewall rules on this server. But I think it’s a good example:
With CF Access. (Notice the logout bar on top!?)
And the same server, CF Access bypassed with direct IP access:
So that’s why you should use iptables or whatever you want to allow Cloudflare only.
For sure you could allow everyone to access the pages and deny single IPs or net ranges, for example. Let’s say you know your boss is stalking you while he’s at work. Block the office IPs…
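
One way to express the "allow Cloudflare only" origin firewall described above, as an added example that is not part of the original post. It only prints iptables commands for review; the chain name `CF-ORIGIN` and the two-entry sample range list are assumptions, and the current ranges should be taken from https://www.cloudflare.com/ips-v4.

```shell
#!/bin/sh
# Added example: prints iptables commands, does not apply them.
# Sample subset of Cloudflare's published IPv4 ranges; may be out of date.
# Fetch the current list from https://www.cloudflare.com/ips-v4 before use.
CF_SAMPLE_RANGES="173.245.48.0/20
103.21.244.0/22"

# Return 0 only for a.b.c.d/n with octets 0-255 and prefix length 0-32.
is_ipv4_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF == 5 {
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
      exit 0
    }
    { exit 1 }'
}

# $1 = newline-separated CIDR list. Web ports are sent to a dedicated chain
# (CF-ORIGIN, a name chosen for this example) that accepts the listed ranges
# and drops everything else; other ports such as SSH are left untouched.
gen_origin_rules() {
  chain="CF-ORIGIN"
  echo "iptables -N $chain"
  printf '%s\n' "$1" | while IFS= read -r cidr; do
    if [ -z "$cidr" ]; then
      continue
    elif is_ipv4_cidr "$cidr"; then
      echo "iptables -A $chain -s $cidr -j ACCEPT"
    else
      echo "skipping invalid entry: $cidr" >&2
    fi
  done
  echo "iptables -A $chain -j DROP"
  echo "iptables -I INPUT -p tcp -m multiport --dports 80,443 -j $chain"
}

gen_origin_rules "$CF_SAMPLE_RANGES"
```

If the origin also listens on IPv6, the same rules are needed in ip6tables with Cloudflare's IPv6 ranges, otherwise the direct-IP bypass remains open over IPv6.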