Cloudflare Access issue with 'Require Gateway'

I’m currently using Cloudflare Teams + WARP + Gateway + Access.

On one of my apps, I’ve made ‘Require Gateway’ a requirement (along with emails ending with a certain domain).

When I visit https://cloudflare.com/cdn-cgi/trace it shows that “warp=on,gateway=on”

Yet when I visit my app, I get the Cloudflare Access “Forbidden” page

When I remove the “Require Gateway” requirement, it starts working again.

Anyone know what would/could cause this?

Have you contacted Cloudflare Support? If yes, you can post the ticket number here.

Yes, ticket #2242553

I had this exact error occur to us. I have those permissions set and it works fine for us now; however, 2-3 weeks ago we had the exact error.
It kind of fixed itself eventually, which is something that unfortunately I have faced with Teams and Access a bunch of times now.

That’s very odd. Not very reassuring. Could someone from Cloudflare see why this happens?

Where did you add the require rules, on the application or the group itself?

On the application itself.

Hey y’all. I’m investigating this a bit further. Thank you for including a ticket ID.

-Kenny J
Access PM

Did you add the rule as a service auth rule?

See the below topic

Cadish, not trying to “bypass”, but want it added as an additional requirement.

I’m still waiting to hear back from support about this. I’ve attached a HAR file showing the request on the ticket. This seems to be a bug/issue with Cloudflare Access’s “Require Gateway” setting.

I’d advise trying to set it on the group; that fixed it for me. I know it’s far from being optimal but that’s all I can suggest from my side.

jnperamo, I tried that too and that didn’t work.

Thank you for sharing the HAR file. We are going to have the engineering team review this issue tomorrow.

Are you by chance using Spectrum, gRPC or HTTP3 when attempting to use Require Gateway?

We’re continuing to investigate based on the HAR information. We’ve been unable to reproduce this, but are continuing to investigate. I wanted to grab any additional information we can. Thank you for bearing with us here.

No Spectrum. No gRPC. But “HTTP/3 (with QUIC)” is enabled.

Should I disable HTTP/3?

We also had some Cloudflare Workers protecting the endpoint, but we’ve removed those and it is still the same issue when we enable “Require Gateway”.

Similarly, when I enable “Require Warp” only, it has the same issue.
If I’m connected via Warp, it will still show: “Cloudflare Access, Forbidden You do not have permission to view this page Ray ID: 694056dd56bd54c1”

So both “Require Gateway” and “Require Warp” don’t work properly, even if you’re connected to Gateway/Warp respectively.
So for some reason, Cloudflare Access seems to have an issue detecting the warp/warp+gateway connection.

QUIC-HTTP/3 would likely cause issues because we don’t yet proxy Gateway traffic for HTTP/3. Could you try disabling that for your Zone and Browser to see if that makes a difference? I observed issues when testing this myself on QUIC-HTTP/3.

With QUIC-HTTP3 deactivated, it still does the same thing (blocks access when Require Gateway is enabled).
Do the Gateway Access logs provide a reason why a request was blocked?

Ok, thank you for giving that a try. We’re going to continue to inspect the logs from our end.

Are you using Automatic Platform Optimization (APO) for your WordPress site? https://support.cloudflare.com/hc/en-us/articles/360049822312-Understanding-Automatic-Platform-Optimization-APO-with-WordPress

I’ve gone back and uncovered a known issue with Access and APO that could be causing this. Could you try with a non-WordPress resource or switch off APO and give it a try?