Inconsistencies in Cloudflare Zero-Trust documentation

I find the Zero-Trust management UI convenient for managing all aspects of the Cloudflare Tunnels. However, I am struggling to get the Access Policies to work. Unless I am doing something wrong, there seem to be a lot of inconsistencies/discrepancies in the documentation regarding this specific topic. For instance:

1. Block policy with “Exclude” entry not working

According to this section of the documentation, I can create a “Block” policy set to include “everyone” and exclude a specific email address in order to block everyone trying to access the endpoint except for the owner of that email address. Trying to do so on my end does not work. While testing the policy both with the policy tester and in an actual production environment, I am denied access.

Here is a screen capture of the result in the Policy Tester:

2. “Block” policy alongside “Allow” policy (in the correct order) not working

Looking at the order of execution of the policies in the documentation, the “Allow” and “Block” policies are executed after the “Bypass” and “Service Auth” policies and are executed in order of their position in the UI (top to bottom). There is also a specific note below that same section in the documentation, in the light orange square, that states the following:

“Block policies will not terminate policy evaluation. If a user matches a block policy but passes a subsequent Allow policy, they will be allowed into the application.”

So theoretically, if I create a “Block” policy set to include “everyone” and then create a separate “Allow” policy set to include a specific “email” and set them in order in the UI (the “Block” policy first and then the “Allow”), the result should be the same as the example above with a single “Block” policy set with both “include” and “exclude” statements. However, I am still being denied access:

Here is a screen capture of the result in the Policy Tester:

3. Impossible to create “Require-only” rule-type policies

According to this section of the documentation, it is possible to create policies requiring multiple conditions to be met (using only the “Require” tag) in order to grant access to a specific endpoint. The example described in the documentation shows two “Require” rule-types within an “Allow” policy. However, there seems to be no way of creating “Require-only” rules. There must absolutely be at least one “Include” statement in every policy in order to be able to add a “Require” rule.

I believe the Cloudflare team is doing a good job at providing such tools to customers but all of these things combined make it hard to deploy anything in production with confidence. Am I doing something wrong on my end? Is my interpretation of the documentation wrong? How can we achieve the desired results since the ways mentioned in the documentation are not deployable in the production environment?


Hi Remy, this is great feedback. I will open a pull request against the docs with some updates and post it here.

Hi Kenny, thank you very much for your input - I appreciate that.

In the meantime, in order to continue designing the security structure of our Access Policies, should I assume that the current behaviour of the policies is the one desired and will remain the same (apart from having the docs revised to reflect the current behaviour)?

Yep! No underlying functionality will change, just the docs to match up. Here is my PR for the documentation change if you would like to see before they get shipped out: Updating Access policy overview to be more clear by kennyj42 · Pull Request #7195 · cloudflare/cloudflare-docs (github.com)

Thank you for the follow-up. However, I am still confused. Let’s take this section of the docs as a reference:

Is the following statement still accurate?

[…] this configuration blocks every request to the application, except for requests from [email protected]

As stated in the first item of my initial post, this doesn’t work in production.

According to this section of the documentation, I can create a “Block” policy set to include “everyone” and exclude a specific email address in order to block everyone trying to access the endpoint except for the owner of that email address. Trying to do so on my end does not work. While testing the policy both with the policy tester and in an actual production environment, I am denied access.

Here is a screen capture of the result in the Policy Tester:

Ah, so Access is deny by default unless a user passes an Allow or Service Auth policy. Along with the Block policy, you will need to create a policy explicitly granting that user access.

For what it’s worth, a “block Everyone” rule is redundant because Access is set to Deny by default. For example, if you delete all policies then no users will be able to access the application.
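To make the behaviour described in this thread concrete, here is a small policy-evaluation model written for this page; it is an added illustration, not Cloudflare's code, and it only encodes the rules quoted above: Bypass and Service Auth run first, Allow and Block run in their listed order, a matching Block does not terminate evaluation, the final answer is deny unless some Allow (or Bypass / Service Auth) policy matched, and a policy matches when any Include rule matches, no Exclude rule matches and all Require rules match. The `Policy` class, the rule helpers and the assumption that a matched grant stops evaluation are all constructed for this example; the email addresses are placeholders.

```python
"""Toy model of Access policy evaluation, reconstructed from the rules quoted
in this thread (added example, not Cloudflare's implementation)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Identity = Dict[str, str]               # e.g. {"email": "alice@example.com"}
Rule = Callable[[Identity], bool]       # one selector such as "Everyone" or "Emails"


def everyone() -> Rule:
    return lambda identity: True


def email(addr: str) -> Rule:
    return lambda identity: identity.get("email", "").lower() == addr.lower()


def email_domain(domain: str) -> Rule:
    return lambda identity: identity.get("email", "").lower().endswith("@" + domain.lower())


@dataclass
class Policy:
    name: str
    action: str                                   # "bypass", "service_auth", "allow", "block"
    include: List[Rule] = field(default_factory=list)
    exclude: List[Rule] = field(default_factory=list)
    require: List[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Item 3 of the thread: the UI refuses a policy with no Include rule,
        # so a "Require-only" policy cannot exist. Modelled here as an error.
        if not self.include:
            raise ValueError(f"policy {self.name!r} needs at least one Include rule")

    def matches(self, identity: Identity) -> bool:
        return (any(r(identity) for r in self.include)
                and not any(r(identity) for r in self.exclude)
                and all(r(identity) for r in self.require))


# Evaluation order from the docs: Bypass, then Service Auth, then Allow/Block.
# Allow and Block share a rank so a stable sort keeps their UI (top-to-bottom) order.
_RANK = {"bypass": 0, "service_auth": 1, "allow": 2, "block": 2}


def evaluate(policies: List[Policy], identity: Identity) -> Tuple[str, List[Tuple[str, str, bool]]]:
    """Return ("allow" | "deny", trace). Deny is the default outcome."""
    trace = []
    for policy in sorted(policies, key=lambda p: _RANK[p.action]):
        hit = policy.matches(identity)
        trace.append((policy.name, policy.action, hit))
        if hit and policy.action in ("bypass", "service_auth", "allow"):
            # Assumption for this model: a matching grant ends evaluation.
            return "allow", trace
        # A matching Block is recorded but does not stop evaluation (docs note).
    return "deny", trace


# --- the three configurations discussed in the thread (constructed sample data) ---
OWNER = {"email": "owner@example.com"}
OTHER = {"email": "visitor@example.net"}

# Item 1: a single Block policy, include Everyone, exclude the owner.
BLOCK_WITH_EXCLUDE = [Policy("block all but owner", "block",
                             include=[everyone()], exclude=[email("owner@example.com")])]

# Item 2: Block Everyone, followed by Allow <owner email>.
BLOCK_THEN_ALLOW = [Policy("block everyone", "block", include=[everyone()]),
                    Policy("allow owner", "allow", include=[email("owner@example.com")])]

# The simplification from the last reply: default deny makes "block Everyone" redundant.
ALLOW_ONLY = [Policy("allow owner", "allow", include=[email("owner@example.com")])]

# A Require rule still needs an Include rule to live in (item 3).
REQUIRE_DOMAIN = [Policy("corp users only", "allow",
                         include=[everyone()], require=[email_domain("example.com")])]

if __name__ == "__main__":
    for label, policies in [("item 1", BLOCK_WITH_EXCLUDE), ("item 2", BLOCK_THEN_ALLOW),
                            ("allow only", ALLOW_ONLY), ("require", REQUIRE_DOMAIN)]:
        for who in (OWNER, OTHER):
            decision, trace = evaluate(policies, who)
            print(f"{label:10} {who['email']:22} -> {decision:5} {trace}")
```

Under this model the owner is denied by the exclude-only Block configuration of item 1 (no policy ever grants access), allowed by the Block-then-Allow ordering of item 2, and allowed just the same by a lone Allow policy, which is the redundancy pointed out in the last reply. The trace is worth printing in practice: a `(name, action, matched)` list makes it obvious whether a denial came from an explicit Block or simply from nothing granting access.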