Control Cloudflare Access with Workers


#1

I didn’t see anything mentioned in the “controlling Cloudflare features” documentation. Is it possible to control Cloudflare Access with Workers?


#2

Hi @sreed-dci,

Cloudflare Access actually protects access to your workers – if someone has not successfully authenticated, then they cannot cause your worker to run. Unfortunately, this means that by the time your worker runs, any access checks necessarily already happened, so it’s too late to control them. We would like to find a way to solve this, but it’s tricky.

In the meantime, we’d love to hear what you were hoping to do here! It would help us design the right integration in the future.


#3

Thanks. I want to allow those connecting from the office IP not to have to authenticate through Cloudflare Access, while routing those outside of the office through it.

I’m utilizing Cloudflare Access in order to require two-factor authentication to a web application to users outside of the office. It’s a quick way to integrate GSuite capabilities we already have.


#4

You could use split-brain DNS, I suppose (an internal DNS server that resolves directly to the origin). Access was really intended to be something like the model described in Google’s BeyondCorp. In that model there is no trusted or inside network. Everyone authenticates to access the resources because everyone and everything is suspect.


#5

Yeah, that would work, though it would be pretty cumbersome for the desired solution. Someone from support had told me that IP whitelisting for Access would be possible in the future, I was just hoping to find a Cloudflare Worker solution until then.


#6

We want to only allow a small group of people to access the application from outside of the network, and they have to log in with GSuite with two-factor authentication in order to do so (placed in a specific GSuite group requiring this permission, with this group being the only one allowed through Cloudflare Access). We don’t want other users to be able to access the application from outside of the network.
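The policy described in posts #3 and #6 (office IP range passes straight through, everyone else must have come through Cloudflare Access), written out as a Worker decision function. This is an added illustration, not code from the thread or from Cloudflare; as post #2 explains, Access runs before the Worker, so a Worker like this cannot make Access skip the login for office users. What it shows is the CIDR match on `CF-Connecting-IP` and the gate on the `Cf-Access-Jwt-Assertion` header that Access adds to authenticated requests. The office range `198.51.100.0/24` is a placeholder (RFC 5737 documentation prefix), and `classify`, `ipv4InCidr` and `handleRequest` are names chosen here.

```javascript
// Added example, not from the original thread. Demonstrates the decision
// logic "office IP passes, otherwise require a Cloudflare Access assertion".
// Caveat: Access itself runs before any Worker, so this does not bypass
// Access for office users; it only shows how the policy would be expressed.

// Assumed office range (placeholder from the RFC 5737 documentation block).
const OFFICE_CIDRS = ["198.51.100.0/24"];

// Header Cloudflare Access attaches to requests it has authenticated.
const ACCESS_HEADER = "cf-access-jwt-assertion";

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
// Returns null for anything that is not a well-formed IPv4 address.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if ip lies inside cidr. IPv4 only: an IPv6 client never matches,
// which is the safe direction (it falls through to the Access check).
function ipv4InCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true; // JS shifts are mod 32, so handle /0 explicitly
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Classify one request. Returns:
//   "office" - client IP is inside an office range
//   "access" - outside the office, but carrying an Access assertion
//   "deny"   - neither
function classify(clientIp, hasAccessAssertion) {
  if (clientIp && OFFICE_CIDRS.some((c) => ipv4InCidr(clientIp, c))) return "office";
  if (hasAccessAssertion) return "access";
  return "deny";
}

// Worker entry point. CF-Connecting-IP is set by Cloudflare to the real
// client address, so it is trustworthy only when traffic cannot reach the
// origin except through Cloudflare.
async function handleRequest(request) {
  const ip = request.headers.get("CF-Connecting-IP") || "";
  // Header presence is not verification: a production Worker must validate
  // the JWT signature against the Access team's published certificates.
  const hasJwt = request.headers.has(ACCESS_HEADER);
  const verdict = classify(ip, hasJwt);
  if (verdict === "deny") return new Response("forbidden", { status: 403 });
  return fetch(request);
}

// Register the handler only when running inside a Workers runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

The only trusted input here is `CF-Connecting-IP`, and it is trusted only because Cloudflare sets it; if the origin is reachable directly (which is exactly the hole split-brain DNS opens), a client can forge that header, so the origin should accept connections from Cloudflare's address ranges only.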