Cloudflare Access Question - Allow Access on premise

Is it possible to allow access to an application without having to authenticate to Cloudflare Access or the idP associated when accessing the site from a specified IP range? Trying to figure this one out. I’d like to require authentication if accessing off-prem only. Thank you :slight_smile:

That would be a Bypass for those IP addresses.

So I put a Bypass rule in an app, that has a group which sets who can access. I put my gateway IP in the Bypass rule, but get the following when attempting to save:

Error configuring your Access Application: access.api.error.invalid_policy

What am I missing? Thanks :slight_smile:

I don’t know what part that’s stuck in, but this is what mine looks like:

Thanks! So my Group name and Bypass Rule were the same name, it didn’t like it and wouldn’t let me add it as a result. :slight_smile:

As @sdayman and @erictung have demonstrated it can be done. I’d argue a better question is should it be done. My short answer: No.

I mean I get that people will do it and not everyone takes the same approach I do but… I think of Access policies as a way to enforce zero trust and I trust internal users even less than I trust campaign promises.

YMMV of course and sometimes ya gotta do what the CEO says, even when they’re wrong. But in general I try to avoid whitelisting on premises users as a matter of policy and reserve it for use cases where there really may not be another good option.

My opinion and $4.95 will get you a coffee at Starbucks so feel free to take what you can use and leave the rest. :smiley:


This is a temporary solution, as I’m not ready to roll this out to all my users yet without training.

Basically I’ve put these self hosted sites behind Access and have it tied into my idP, Azure AD. The users don’t know that they have accounts in Azure yet and haven’t set passwords, etc.

So this is a way for me to set everything up, get it configured and have it lying in wait for when I’m ready to flip the switch.

There are nice intended consequences with this as well, like being able to install Cloudflare’s origin cert on the web servers so I don’t have to worry about certs for a really long time, if ever on those servers.

Anyway, I agree, but this is a nice way to get a lot of CF’s benefits, while keeping workflow the same until I’m ready to flip the switch internally as well. :slight_smile:
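The Bypass-plus-group setup discussed in this thread, as an added example (not code from any poster or from Cloudflare): it builds the two policy bodies in the JSON shape the Cloudflare Access policy API uses and refuses a bypass range that is private or too wide. The CIDR, group id, policy names and the `MIN_PREFIX` limit are assumptions.

```python
import ipaddress
import json

# RFC 1918 space: Cloudflare's edge sees the site's public egress address,
# so a Bypass rule on these ranges would not match on-prem users.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = {4: 24, 6: 48}  # assumed local limit on how wide a bypass may be


def check_bypass_cidr(cidr):
    """Return the problems found with a range intended for a Bypass rule."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        problems.append("private range, not the public egress address")
    if net.prefixlen < MIN_PREFIX[net.version]:
        problems.append(f"/{net.prefixlen} is wider than /{MIN_PREFIX[net.version]}")
    return problems


def build_policies(cidr, group_id, group_name, bypass_name, allow_name):
    """Build the Bypass and Allow policy bodies for one Access application."""
    problems = check_bypass_cidr(cidr)
    # The thread reports the save failing when the Bypass rule and the
    # group shared a name, so keep them distinct.
    if bypass_name == group_name:
        problems.append("bypass policy name matches the group name")
    if problems:
        raise ValueError("; ".join(problems))
    return [
        # Requests from this range skip Access authentication entirely.
        {"name": bypass_name, "decision": "bypass", "precedence": 1,
         "include": [{"ip": {"ip": cidr}}]},
        # Everyone else must sign in and belong to the group.
        {"name": allow_name, "decision": "allow", "precedence": 2,
         "include": [{"group": {"id": group_id}}]},
    ]


if __name__ == "__main__":
    # Constructed sample values: documentation CIDR and a placeholder group id.
    for body in build_policies("203.0.113.0/24", "<GROUP_UUID>", "Staff",
                               "On-prem bypass", "Staff via Azure AD"):
        print(json.dumps(body, indent=2))
```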


