Firewall vs Teams/Applications

Cloudflare has a number of products which interact with each other. As a newb (just started getting things set up this week), it can be a bit much to figure out the best way to configure access to a specific application/URI.

Example:
We have web hooks that come in from a few services.
The path to the script that processes these is within a separate application.
One of the services doesn’t provide a list of their IPs, so we had been handling it by only allowing access to the webhook script for their service by User Agent (there is additional auth happening in the script, but I figured - why not also limit it by user agent?).

Let’s say we have:
/funapp
/funapp/webhooks/servicea.php
/funapp/webhooks/serviceb.php

We had an application set up in Cloudflare for Teams with a policy to block access to /funapp unless logged in, but of course this blocks the webhooks.

I went in and created a Firewall rule to allow access (and I could see in the CF firewall log that it was allowing access). But the hook was still failing. I thought it could be a problem with CF messing with the request, so I changed the rule to Bypass instead of Allow, still no luck.
Then I created another “Application” in Teams, specifically targeting /funapp/webhooks/servicea.php and allowing Everyone. Now it works.

So, am I correct in my thinking the order to think about things is:
Level 1: Firewall - Broad level allow/deny policies
Level 2: Teams/Applications - Lower level authentication?

In this specific instance, because I had no other firewall rules set up for /funapp, I believe I only actually need the 2 “Applications” I created in CF Teams - but I could add a rule to the Firewall to block access to /funapp/webhooks/servicea.php if the User Agent didn’t match (if desired).

(I know a user agent block is somewhat meaningless since someone could fake that).

Cloudflare Access triggers after the request passes the Firewall. So if you configure anything in Firewall to block certain traffic, the Firewall will block them first.

What if you just specify /funapp/webhooks? It should allow everything that starts with /funapp/webhooks.


Thanks! Got it, so Firewall → Access (Teams).

Where do Page/Transform rules fall in here?

I was trying to use a Transform rule the other day for a backend app, and it wasn’t working (I found out since that it’s because I was trying to use a regex match and that is only available on Business/Enterprise accounts…).

In the meantime I had set up some Page rules:
Page Rule 1
URI Path Match: /index.php/fooapp
Note: No trailing slash, this is a valid path for the application and doesn’t auto-redirect within the application.
Forwarding URL (Status Code: 301 - Permanent Redirect, Url: https://example.com/index.php/fooapp/)

Page Rule 2
URI Path Match: /fooapp*
Forwarding URL (Status Code: 301 - Permanent Redirect, Url: https://example.com/index.php/fooapp $1)

Page Rule 3
URI Path Match: /index.php/fooapp*
Mirage: Off, Always Online: Off, Security Level: High, Cache Level: Bypass, Disable Performance
Note: this is the one I really wanted from the start, but had no way to specify the path to match all relevant URI patterns without using additional Page/Transform rules (AFAIK)

I believe that instead of this I can set up a Transform rule that captures the first two URIs and Rewrites them to the correct format? Then I’d have 1 Transform rule, 1 Page rule?

Yeah, that is likely what I’ll do - I just wanted to be specific for this example.
Thanks again!
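As an added example (not from the thread and not Cloudflare's own code), here is the rewrite the poster is describing, expressed as a Cloudflare Transform Rule in Terraform for the Cloudflare provider. It replaces Page Rule 2 (the `/fooapp*` → `/index.php/fooapp$1` forward); Page Rule 1 is a 301 redirect rather than a rewrite and is left as is. The zone ID variable, the rule name and `example.com` are assumptions. The point worth noting is that `starts_with()` and `concat()` in Cloudflare's rules language do the job without the regex `matches` operator that the poster found is limited to Business/Enterprise plans.

```hcl
# Added example: a Transform Rule (URL rewrite) standing in for Page Rule 2.
variable "zone_id" {} # assumed: the zone's ID from the Cloudflare dashboard

resource "cloudflare_ruleset" "fooapp_rewrite" {
  zone_id = var.zone_id
  name    = "fooapp path rewrite" # assumed name
  kind    = "zone"
  phase   = "http_request_transform"

  rules {
    # No regex needed. The exact match plus "/fooapp/" prefix avoids catching
    # unrelated paths such as /fooapplication that a bare starts_with("/fooapp")
    # would also match.
    expression  = "(http.request.uri.path eq \"/fooapp\" or starts_with(http.request.uri.path, \"/fooapp/\"))"
    description = "Rewrite /fooapp* to /index.php/fooapp* before the request reaches the origin"
    action      = "rewrite"
    enabled     = true

    action_parameters {
      uri {
        path {
          # Dynamic rewrite: prepend /index.php and keep the rest of the
          # original path, which is what $1 did in the page rule.
          expression = "concat(\"/index.php\", http.request.uri.path)"
        }
      }
    }
  }
}
```

Unlike the 301 page rule, a rewrite is internal: the client keeps `/fooapp/...` in its address bar while the origin receives `/index.php/fooapp/...`. A request for `/fooapp` with no trailing slash is rewritten to `/index.php/fooapp`, which the poster notes is a valid path for the application.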

You’ll probably want to create a bypass rule for the specific path(s), either funapp/webhooks/* or each service individually. See “Bypass policy configurations” in the Cloudflare Access docs for an example.

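An added example of the two layers the thread settles on, firewall first and Access second, written as Terraform for the Cloudflare provider (this is not code from the thread or from Cloudflare's docs): a WAF custom rule that blocks the service A webhook path when the User-Agent does not match, and an Access application covering `/funapp/webhooks` with the Bypass policy the last reply recommends, sitting alongside the existing login-protected `/funapp` application. The zone ID, the `ServiceA-Webhook/1.0` user agent string, the application name and `example.com` are assumptions.

```hcl
variable "zone_id" {} # assumed: the zone's ID from the Cloudflare dashboard

# Layer 1: firewall. Evaluated before Access, so a request blocked here never
# reaches the Access policies at all.
resource "cloudflare_ruleset" "webhook_guard" {
  zone_id = var.zone_id
  name    = "webhook user-agent guard" # assumed name
  kind    = "zone"
  phase   = "http_request_firewall_custom"

  rules {
    # Assumed UA string. As the poster says, a User-Agent can be forged, so this
    # only filters noise; it is not the authentication of the webhook.
    expression  = "(http.request.uri.path eq \"/funapp/webhooks/servicea.php\" and http.user_agent ne \"ServiceA-Webhook/1.0\")"
    description = "Block service A webhook calls that carry an unexpected User-Agent"
    action      = "block"
    enabled     = true
  }
}

# Layer 2: Access. A Bypass policy on the webhook path skips Access
# authentication entirely for that path, so the signature or token check inside
# the webhook script is the control that actually protects it.
resource "cloudflare_access_application" "funapp_webhooks" {
  zone_id          = var.zone_id
  name             = "funapp webhooks" # assumed name
  domain           = "example.com/funapp/webhooks"
  type             = "self_hosted"
  session_duration = "24h"
}

resource "cloudflare_access_policy" "funapp_webhooks_bypass" {
  application_id = cloudflare_access_application.funapp_webhooks.id
  zone_id        = var.zone_id
  name           = "Bypass for webhook callers"
  precedence     = 1
  decision       = "bypass"

  include {
    everyone = true
  }
}
```

A firewall Allow, as the poster found, only means the request survives layer 1; it still has to satisfy whatever Access application matches the path in layer 2, which is why the bypass has to be expressed in Access rather than in the firewall.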