Different policy for root and wildcard

I currently have something like:

  • example.com/app1/* - A more open application
  • example.com/app2/* - A private application
  • example.com/app3/* - A private application

/app1/ has a different policy to every other app. I’ve managed to set this up using path precedence, where example.com/ has one policy and example.com/app1 has another. app1 is available to more users than the others.

example.com/ redirects to example.com/app1/ (from the origin). This redirect is actually quite helpful and in this case I would prefer to not rely on the Access App Launcher (although having example.com/ redirect to the App Launcher would be fine).

Is there a way to have example.com/ use the same policy as example.com/app1/ in this example (or just another way to have this redirect without having the more restrictive rules used for all other applications)? Currently, if you have access to app1 but not the others, you cannot go to example.com/, hence you cannot get the convenient redirect, even though you do have access to app1, the target of the redirect.

The list of apps can change easily and would not be connected to another system, so calling the Cloudflare API to add a rule for every app individually isn’t viable (while the “more open” applications is much more static).

The docs suggested that /and /* were different, with /* not including the root path, but after trying this I found this wasn’t the case (and it has been removed).