CloudFlare Access without Argo tunnel?

Something that isn’t clear from the Access dashboard under Access Policies:

To secure your origin, you must also enable Argo Tunnel or limit connections to your origin to allow only Cloudflare and verify the JWT.

It makes it sounds like it’s possible to use CloudFlare Access without the additional Argo tunnel feature (which is billed separately). However going through the docs, it seems like this only possible with Argo Tunnel enabled?

Can someone please clarify if Argo Tunnel is a must? If not, are there any guides to setup without it?


1 Like

It certainly isn’t required. Anybody can add Access to their plan.

The warning is that attackers can bypass Cloudflare unless you’ve taken steps to stop this. Either Argo Tunnel for a forced connection to Cloudflare, or limit connections by server firewall (this is what I do).


Thanks @sdayman.
Any chance you can clarify how to set this up?

Say I have under Access Policies configured. What’s next? Do I need to configure DNS A record to point to the origin?

This is what I’m trying to do but getting endless redirect loop and see no traffic on the origin itself (tcpdump).

This “Access” feature is a layer on top of an already-working URL. So if I created a site and don’t want random people visiting it, I’d already have it in DNS, and it would be publicly available, but then I’d create an Access Policy to password protect it.

So, yes, “test” needs a DNS record.

Another option for verification is checking the JWT token in the cookies. I got a small example application at that does exactly that


I run just a plain vanilla nginx process that servers the generic welcome page on an ec2 instance with a public IP attached. I can access that page with my browser via DNS records. When adding the Access Policy, I will get the login page and get through the login page with my GitHub OAUTH. However after that, my chrome will display ERR_TOO_MANY_REDIRECTS.
I will not see any traffic on my origin.

Managed to figure out the issue.
Looks like with SSL/TLS encryption mode set to Off, the browser will go into http -> https -> http redirect loop when combined with Access. SSL/TLS must be set to at least Flexible to fix that.

Thank you for your help

1 Like

The docs are extremely confusing. I only discovered Access yesterday and was totally puzzled by this exact statement. In my head, if I have firewall rules to only allow Cloudflare IP addresses CIDRs, it’s safe enough but this paragraph makes me doubt the whole setup.

I’m probably going to pass on Access as it’s all too confusing. I’ve not even started with things like ssh and my head is spinning

Hi @sdayman,

Thanks for the insight. I don’t want to use Argo tunnel and even after setting up CF access can access the app directly with its domain name. I have already restricted my server access to cloudflare IP ranges and use both CF DNS and proxy options.

Is there a setting that I in CF Access that I am missing (I am on CF free plan)?

Thanks in advance.

UPDATE: There was some issue with the way I created rules. I followed this article and managed to resolve the issue: