I have just now started testing CF Access Restriction on my Origin Server. A few pages
on the Origin are used to administer the site and have one such page has many form
data input elements along with a submit button. When I try to submit this form I am
always presented with a Google Captcha for confirming if I am human.
Now my question, since the zone is already behind CF Access, can we not have an
option to disable WAF only if access authorization is active for the accessing IP address?
I tried all related options like using Bypass to the IP range in CF Access, Adding Firewall
Rules to allow access from predefined range, Adding Allow Rules to the IP Firewall but
still, I get the Captcha.
While I know and understand having a Captcha is good security practice, my client who
wish to administer the site are having their own firewall restricting Google Domain Access
and so the Captcha coming from Goolge is not accessible through to them.
I tried to emulate this at my end using Google oAuth Access Authorization and I am still
getting the Captcha. Is there any way we can disable WAF for the zone if and only if the
IP address accessing the form is authorized by CF Access? There are general page rule
options to disable WAF for any page but no such rule like DISABLE FIREWALL for CF
ACCESS authorized access. I hope my query is clear.
I know, since the zone is behind CF Access anyway, I can simply disable WAF for the
entire zone using Page Rule, but I am not sure if this is the right approach / the only way
we can solve this proble at present. Kindly advice and suggest.