Hi,
Issue: While trying to authenticate using the Access feature that is a part of Cloudflare Zero Trust, a redirect loop occurs, resulting in ERR_TOO_MANY_REDIRECTS.
Setup:
Traefik and cloudflared are installed as part of a Kubernetes cluster within TrueNAS Scale. Traefik basically acts as a broker for cloudflared. That is, all of my hostname entries point to the same origin service URL, just with different sub-domains:
Internet → Cloudflare → cloudflared client → Traefik → Services
Details:
The problem seems very similar to this post.
Connecting to all of my services externally works fine, the issue only lies with the Access feature. When connecting to a sub-domain that is protected by Access, after logging in at the Cloudflare prompt an infinite redirect loop occurs. I have both the standard OTP option and Google Account OAuth enabled, and the issue occurs when using either.
The following requests can be observed within the Network logging on Chrome after clicking “Sign In”:
- https://TEAM_NAME.cloudflareaccess.com/cdn-cgi/access/callback
- https://TEAM_NAME.com/cdn-cgi/access/authorized?nonce=…
- https://TEAM_NAME.com/index.html?t=1674885157863
- https://TEAM_NAME.cloudflareaccess.com/cdn-cgi/access/login/DOMAIN_NAME.com?kid=…
which then loops between 2-4 before eventually failing at an attempt of 2 with HTTP 404.
I tested this feature out after initially setting up my domain with just the OTP option and it worked fine. While I can’t be sure, uncannily enough I think it might be after I added Google Account OAuth like in the linked post (but to be clear it happens when attempting to use either auth method).
Configuration:
- Traefik set to forward ‘web’ to ‘websecure’ (so I believe http to https)
- Hostname settings for tunnel are only exposed via HTTPS (443), so the above shouldn’t matter
- SSL/TLS setting for my domain is set to ‘Full (Strict)’
- Traefik serves a valid SSL certificate for my domain and its wildcards with Cloudflare as the CA
- No TLS Verify is enabled for each tunnel hostname as I don’t care about the encryption between cloudflared and Traefik and want to use my own cert so that it’s valid locally
- The Cookie Settings for each application that matches each hostname are set as: ‘Strict’, ‘HTTP Only’, and ‘Enable Binding’ cookie
After authenticating, if I manually get out of the loop by just re-entering the original domain into the URL bar and hitting go, I am able to successfully get to the page while authenticated. So the authentication works, it’s just the redirect back that fails.
Unlike in the other post, changing my team name did not help anything, and clearing ALL cookies on a given client did not either. Though, I didn’t try removing the Google Account OAuth provider before changing my team name like the other poster implied because in the end that’s the main provider I need to use.
Happy to provide more details, but I basically just learned how to set up everything within the past 2-3 weeks so I’m not sure what else is relevant and am pretty stuck.
Have no idea what to make of this.
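As an added example (not from the original post, Cloudflare or Traefik), a small Python chain walker that follows the hops listed above one at a time with its own cookie jar, so the point where a session cookie is set but not presented on the next hop becomes visible instead of being hidden behind ERR_TOO_MANY_REDIRECTS. The fake fetch and placeholder hosts are constructed; the scenario it models (a host-only cookie set on one host while the page is then served from another) is one generic cause of such loops, not a diagnosis of this setup.

```python
from urllib.parse import urlsplit, urljoin

def cookie_applies(domain: str, host_only: bool, host: str) -> bool:
    """RFC 6265 scope: a host-only cookie returns to its setting host alone;
    a Domain= cookie also covers that domain's subdomains."""
    d, h = domain.lower().lstrip("."), host.lower()
    return h == d if host_only else (h == d or h.endswith("." + d))

def parse_set_cookie(header: str, host: str) -> tuple:
    """(name, value, domain, host_only) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, value = parts[0].split("=", 1)
    dom = next((a.split("=", 1)[1] for a in parts[1:] if a.lower().startswith("domain=")), None)
    return name, value, (dom or host), dom is None   # host-only when no Domain attribute

def walk(start: str, fetch, max_hops: int = 10) -> dict:
    """Follow a redirect chain one hop at a time. fetch(url, cookie_header) -> (status,
    headers) must not follow redirects; headers maps lowercase names to lists. Stops at
    the first non-3xx reply, the first repeated host+path (loop evidence) or max_hops."""
    jar = {}                                   # cookie name -> (value, domain, host_only)
    hops, seen, url = [], set(), start
    while url and len(hops) < max_hops:
        host = urlsplit(url).hostname or ""
        sent = [f"{n}={v}" for n, (v, d, ho) in jar.items() if cookie_applies(d, ho, host)]
        status, headers = fetch(url, "; ".join(sent))
        new = [parse_set_cookie(h, host) for h in headers.get("set-cookie", [])]
        jar.update({n: (v, d, ho) for n, v, d, ho in new})
        hops.append({"url": url, "status": status, "sent": sent, "set": [n for n, *_ in new]})
        key = (host, urlsplit(url).path)
        if key in seen:
            return {"hops": hops, "loop_at": url}  # same endpoint reached a second time
        seen.add(key)
        location = headers.get("location", [None])[0]
        url = urljoin(url, location) if 300 <= status < 400 and location else None
    return {"hops": hops, "loop_at": None}

def make_fake_fetch(app_host: str):
    """Constructed offline stand-in for the chain in the post (placeholder hosts).
    /authorized on DOMAIN_NAME.com sets a host-only session cookie and redirects to
    app_host/index.html, which answers 200 only if that cookie arrives."""
    team = "https://TEAM_NAME.cloudflareaccess.com"
    def fetch(url: str, cookie_header: str):
        path = urlsplit(url).path
        if path == "/cdn-cgi/access/callback":
            return 302, {"location": ["https://DOMAIN_NAME.com/cdn-cgi/access/authorized?nonce=N"]}
        if path == "/cdn-cgi/access/authorized":
            return 302, {"location": [f"https://{app_host}/index.html?t=1"],
                         "set-cookie": ["CF_Authorization=TOKEN; Secure; HttpOnly; SameSite=Strict"]}
        if path == "/index.html":
            if "CF_Authorization=" in cookie_header:
                return 200, {}
            return 302, {"location": [f"{team}/cdn-cgi/access/login/DOMAIN_NAME.com?kid=K"]}
        return 302, {"location": [f"{team}/cdn-cgi/access/callback"]}   # login page -> callback
    return fetch
```

To run it against live hostnames, supply a fetch that disables automatic redirects (with urllib, an HTTPRedirectHandler subclass whose redirect_request returns None) and returns the status plus lowercased headers; `walk(CALLBACK_URL, make_fake_fetch("www.DOMAIN_NAME.com"))` reproduces the constructed loop, while `make_fake_fetch("DOMAIN_NAME.com")` ends at a 200.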