I find the Zero-Trust management UI convenient for managing all aspects of the Cloudflare Tunnels. However, I am struggling to get the Access Policies to work. Unless I am doing something wrong, there seem to be a lot of inconsistencies/discrepancies in the documentation regarding this specific topic. For instance:
1. Block policy with “Exclude” entry not working
According to this section of the documentation, I can create a “Block” policy set to include “everyone” and exclude a specific email address in order to block everyone trying to access the endpoint except for the owner of that email address. Trying to do so on my end does not work. While testing the policy both with the policy tester and in an actual production environment, I get denied access.
Here is a screen capture of the result in the Policy Tester:
2. “Block” policy alongside “Allow” policy (in the correct order) not working
Looking at the order of execution of the policies in the documentation, the “Allow” and “Block” policies are executed after the “Bypass” and “Service Auth” policies and are executed in order of their position in the UI (top to bottom). There is also a specific note below that same section of the documentation, in the light orange square, that states the following:
“Block policies will not terminate policy evaluation. If a user matches a block policy but passes a subsequent Allow policy, they will be allowed into the application.”
So theoretically, if I create a “Block” policy set to include “everyone” and then create a separate “Allow” policy set to include a specific “email”, and set them in order in the UI (the “Block” policy first and then the “Allow”), the result should be the same as the example above with a single “Block” policy set with both “include” and “exclude” statements. However, I am still getting denied access:
Here is a screen capture of the result in the Policy Tester:
3. Impossible to create “Require-only” rule-type policies
According to this section of the documentation, it is possible to create policies requiring multiple conditions to be met (using only the “Require” tag) in order to grant access to a specific endpoint. The example described in the documentation shows two “Require” rule-types within an “Allow” policy. However, there seems to be no way of creating “Require-only” rules. There must absolutely be at least one “Include” statement in every policy in order to be able to add a “Require” rule.
I believe the Cloudflare team is doing a good job at providing such tools to customers, but all of these things combined make it hard to deploy anything in production with confidence. Am I doing something wrong on my end? Is my interpretation of the documentation wrong? How can we achieve the desired results, since the ways mentioned in the documentation are not deployable in the production environment?
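To make the three scenarios in the post concrete, here is a small added evaluator (my own illustration, not Cloudflare's code and not a statement of how Access actually behaves) that applies the rules the post quotes: Bypass and Service Auth first, then Allow/Block in list order, with a matching Block not terminating evaluation. It also bakes in three assumptions of mine that the post does not state: a policy matches only when at least one Include rule matches, no Exclude rule matches and every Require rule matches (so a policy with no Include matches nobody, which would explain why the UI insists on one); a matching Allow ends evaluation; and the final result is default deny when nothing allowed the identity. The identities and policy names are constructed for the example.

```python
"""Toy model of Cloudflare Access policy evaluation as described in the post.

Added example, not Cloudflare's implementation. Assumptions (mine):
- "everyone" matches any identity; other selectors compare one attribute.
- A policy matches when >=1 Include matches, no Exclude matches,
  and all Require rules match. No Include => matches nobody.
- Order: Bypass, Service Auth, then Allow/Block in list (UI) order.
  A matching Allow/Bypass/Service Auth ends evaluation; a matching
  Block is recorded but evaluation continues (the quoted note).
- Default deny when no policy allowed the identity.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    selector: str            # "everyone", "email", "email_domain", "country"
    value: Optional[str] = None

    def matches(self, identity: dict) -> bool:
        if self.selector == "everyone":
            return True
        return identity.get(self.selector) == self.value


@dataclass
class Policy:
    name: str
    action: str              # "bypass", "service_auth", "allow", "block"
    include: List[Rule] = field(default_factory=list)
    exclude: List[Rule] = field(default_factory=list)
    require: List[Rule] = field(default_factory=list)

    def matches(self, identity: dict) -> bool:
        # Assumption: an empty Include list can never match.
        if not any(r.matches(identity) for r in self.include):
            return False
        if any(r.matches(identity) for r in self.exclude):
            return False
        return all(r.matches(identity) for r in self.require)


# Lower tier runs first; Allow and Block share a tier and keep list order
# (sorted() is stable), mirroring "top to bottom in the UI".
TIER = {"bypass": 0, "service_auth": 1, "allow": 2, "block": 2}


def evaluate(policies: List[Policy], identity: dict) -> Tuple[str, Optional[str]]:
    """Return (decision, name of the policy that produced it)."""
    decision: Tuple[str, Optional[str]] = ("deny", None)   # default deny
    for p in sorted(policies, key=lambda p: TIER[p.action]):
        if not p.matches(identity):
            continue
        if p.action in ("bypass", "service_auth", "allow"):
            return ("allow", p.name)            # terminating
        decision = ("block", p.name)            # Block does not terminate
    return decision


# Constructed identities for the walkthrough.
OWNER = {"email": "owner@example.com", "email_domain": "example.com", "country": "CA"}
OTHER = {"email": "someone@example.net", "email_domain": "example.net", "country": "US"}


def scenario_block_with_exclude():
    """Post's case 1: a lone Block policy, Include everyone, Exclude owner."""
    policies = [Policy("block all but owner", "block",
                       include=[Rule("everyone")],
                       exclude=[Rule("email", "owner@example.com")])]
    return evaluate(policies, OWNER), evaluate(policies, OTHER)


def scenario_block_then_allow():
    """Post's case 2: Block everyone, then Allow owner, in that order."""
    policies = [Policy("block everyone", "block", include=[Rule("everyone")]),
                Policy("allow owner", "allow", include=[Rule("email", "owner@example.com")])]
    return evaluate(policies, OWNER), evaluate(policies, OTHER)


def scenario_require_only():
    """Post's case 3: Require-only policy vs. the same Requires plus Include everyone."""
    requires = [Rule("email_domain", "example.com"), Rule("country", "CA")]
    no_include = [Policy("require-only", "allow", require=requires)]
    with_include = [Policy("require+include", "allow",
                           include=[Rule("everyone")], require=requires)]
    return (evaluate(no_include, OWNER),      # nothing to Include: nobody matches
            evaluate(with_include, OWNER),    # both Requires satisfied
            evaluate(with_include, OTHER))    # Requires not satisfied


if __name__ == "__main__":
    print("case 1:", scenario_block_with_exclude())
    print("case 2:", scenario_block_then_allow())
    print("case 3:", scenario_require_only())
```

Under these assumptions, case 1 denies the owner too: the Block policy does not match them, but nothing allows them either, so default deny applies. Case 2 allows the owner because the later Allow overrides the earlier Block exactly as the quoted note says, while everyone else stays blocked; if the real service denies here, its evaluation order differs from the quoted note. Case 3 shows why a Require-only policy can never admit anyone in this model and why adding Include everyone turns the Requires into the effective conditions.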