Cloudflare has a number of products which interact with each other. As a newb (I just started getting things set up this week), I find it can be a bit much to figure out the best way to configure access to a specific application/URI.
We have web hooks that come in from a few services.
The path to the script that processes these is within a separate application.
One of the services doesn’t provide a list of their IPs, so we had been handling it by only allowing access to the web hook script for their service by User Agent (there is additional auth happening in the script, but I figured, why not also limit it by user agent?).
Let’s say we have:
We had an application set up in Cloudflare for Teams with a policy to block access to /funapp unless logged in, but of course this blocks the webhooks.
I went in and created a Firewall rule to allow access (and I could see in the CF firewall log that it was allowing access). But the hook was still failing. I thought it could be a problem with CF messing with the request, so I changed the rule to Bypass instead of Allow, still no luck.
Then I created another “Application” in Teams, specifically targeting /funapp/webhooks/servicea.php and allowing Everyone. Now it works.
So, am I correct in thinking the order to think about things is:
Level 1: Firewall - Broad level allow/deny policies
Level 2: Teams/Applications - Lower level authentication?
In this specific instance, because I had no other firewall rules set up for /funapp, I believe I only actually need the 2 “Applications” I created in CF Teams - but I could add a rule to the Firewall to block access to /funapp/webhooks/servicea.php if the User Agent didn’t match (if desired).
(I know a user agent block is somewhat meaningless since someone could fake that).
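The two layers described above, written out as Terraform for the Cloudflare provider (an added example, not from the original post or from Cloudflare): a narrow Access application that exempts only the webhook path from the login prompt via a `bypass` decision, and a firewall rule that blocks that path when the User-Agent does not match. The path is the one from the post; the zone id, hostname and user-agent string are placeholders.

```terraform
# Added example (not from the original post). Placeholders: zone id, hostname,
# and the "ServiceA-Hookbot" user-agent string; the path comes from the post.

variable "zone_id" {}   # your zone ID (placeholder)

# Layer 2 (Teams/Access): the broad /funapp application stays behind login;
# this narrower application covers only the webhook endpoint.
resource "cloudflare_access_application" "webhook" {
  zone_id = var.zone_id
  name    = "servicea webhook"
  domain  = "www.example.com/funapp/webhooks/servicea.php"  # placeholder host
  type    = "self_hosted"
}

# "bypass" exempts matching requests from the Access identity check, so the
# webhook is never redirected to a login page.
resource "cloudflare_access_policy" "webhook_bypass" {
  application_id = cloudflare_access_application.webhook.id
  zone_id        = var.zone_id
  name           = "no login for the servicea webhook"
  precedence     = 1
  decision       = "bypass"
  include {
    everyone = true
  }
}

# Layer 1 (Firewall): block requests to the webhook path whose User-Agent does
# not match the sending service. The UA is spoofable, so this only trims noise;
# the auth inside the script stays the real control.
resource "cloudflare_filter" "webhook_ua" {
  zone_id     = var.zone_id
  description = "servicea webhook path with unexpected User-Agent"
  expression  = "(http.request.uri.path eq \"/funapp/webhooks/servicea.php\" and not http.user_agent contains \"ServiceA-Hookbot\")"
}

resource "cloudflare_firewall_rule" "webhook_ua_block" {
  zone_id     = var.zone_id
  description = "Block servicea webhook path unless the UA matches"
  filter_id   = cloudflare_filter.webhook_ua.id
  action      = "block"
}
```

Firewall rules are evaluated before Access, so a block here is logged in the firewall events and the request never reaches the Access policy; an allowed request then still has to satisfy (or be bypassed by) the Access application covering its path.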