I’m using Cloudflare’s Access feature since a couple of days ago, and I noticed that redirects from the naked domain to the www version are not being enforced before Access. This forces me to create an Access Policy for both the www and non-www domains for each URL I want Access to protect. So a regular WordPress site would need one policy for each of:
Not to mention other resources or subdomains a site may need authentication for.
It’s kind of cumbersome to have to maintain different Access Policies for the same purpose. Especially since I do have a redirect forcing non-www visits to go to the www version.
I suggest you guys work on an alternative that would let website owners to opt in to have a policy apply to both naked domain and its www version.
My site also has redirects, @sayman, but the other way around, from naked domain to www. This redirect is at htaccess level, while at Cloudflare it has Always Use Https on.
So, after I installed Access Policy to the www version of wp-admin and login URLs, I expected my website server to first redirect any request from the naked domain to the www version, at which point Access would then be triggered and show its authentication page.
Instead, I can access the resource at the naked domain! As can be seen in the screenshots, after I open Dev Tools to prevent the use of cache, the CSS file and the WP logo are not being loaded, as they’re being requested from the www domain and Access is not letting it, but the HTML is open. Access is working on the www.domain level, but not on the naked domain.
Yet I can only test this behavior on login and wp-admin pages. I just created a regular post as a test, and set an Access Policy to it, and when I try to load the post on naked domain, it is redirected and Access triggers in, as expected!
So I don’t know if this is a WordPress issue, a plugin issue, a Cloudflare Access issue, or a mix of any of those.
Thanks for the suggestion. Not sure if you speak for Cloudflare, but the idea of this post is to suggest to Cloudflare that it implements an easier way to solve this issue.
Sure, I can change wp-config.php. But as a matter of product management, I consider it a good idea to offer the users of WordPress (there are quite a few around) an easy way on Cloudflare’s interface to make it redirect any request with a naked domain to the www.domain for Access-protected URLs if the site owner so wishes.
Messing with config files comes with a cost. At the very least, I (and millions of other WP users) would need to research all the pros and cons of doing so. Are there inadvertent consequences that may arise from this single change? Would it change in any way my theme’s behavior? etc. I don’t know, and it would take time to figure this out before I implement it.
So, for the time being, my suggestion stands. Ordinarily, such a redirect can be done via Cloudflare by using a Page Rule. But for URLs where Access has been enabled, I just think it would be easier if we had an option while creating the Access Policy to make it apply to the naked domain as well.
I agree that it would be nice if there were some sort of wildcard feature for Access, but I suspect this limitation is deliberate.
This wp-config change cements the URL for your site, which I think is good. A site should stick with one canonical URL: www or naked domain; http or https. Without this setting, users maintain the flexibility for their site to respond as all of the above. It’s convenient, but not proper.
I think there should be an option to apply an Access Policy to both naked and www domains, as this is a decision almost every website owner makes, one way or another. A wild card would be a step further, as it would include other subdomains besides www, which may or may not be desirable, since one may want to have different Access Policies for say, blog.example.com and www.example.com, for any given relative URL.
So my suggestion is that when a site owner sets an Access Policy to a URL that is relative to either a naked domain or to the www subdomain, an option should be available for them to make the Access protection available to both. This would avoid having to create (and later maintain) two identical policies for what’s basically the same resource.
If you are redirecting everything from your root to www, is there really a root? And what would the security policy do besides require you to log in twice (once for the root and a second time for the www)? On Cloudflare you can create a page rule to redirect root.example to www.root.example for all requests so that the redirection happens at the edge before ever communicating with the origin server. You can do that for the entire site or just for the admin portions. Then you only need one policy.
I recognize that it has become a fashion to think of www and the root domain as the same thing for kids like @matteo these days, but back in my day the internet wasn’t just www and when you wanted a webpage www represented where that lived.
I think the ability to clone or copy an Access Policy to protect a different resource could make sense as a feature. The Access team recently created reusable policy objects (users/groups and IP addresses) to try and simplify overall management. BTW you also need another policy to allow access to admin-ajax.php depending on your config.
Multiple domains in a single policy is a little harder… and something we are looking at. My (personal) experience with security though is if it’s too easy you are probably doing something wrong. May not be true with a single user, single website/use case, but at scale it’s likely not nearly as secure as one would want.
@sdayman guessed correctly that there was a conscious decision not to allow a wildcard for the root domain.
I already have a Bypass policy for admin-ajax, thanks to the Dev docs.
I also use Access Groups, which saves me a lot of time. It would be nice if there could be Policy Groups, like Access Groups, so I can apply the same policy to different domains/paths…unless Cloudflare lets us list multiple Application Domains.
Rereading my response I sound a little shorter than usual… I don’t think it is a bad idea to be able to apply routes to multiple host names. And suggestions are good, we like feedback. I think in my mind I would gate that new feature on being able to share the authentication across them all as well. I don’t work on the Access team (I just annoy them daily) but I believe some/most of that may already be planned.
Yes, @cs-cf, I am redirecting everything from root to www, as most people do, including Cloudflare. Some will do the other way around, like @sdayman, but I’ve never found a website that has naked and www domains offering different content on each.
For that reason, I use the redirects, normally on htaccess. But somehow on my website I just noticed that redirects are not working on the very assets I need to protect, my login page and my wp-admin section. As I said in a previous post, I don’t know whether this is a WP/plugin issue or a Cloudflare issue, but I need to create two policies for each relative URL. Otherwise I’ll have the login protected on www, but not on the naked domain. And no, Cloudflare will not make me login twice. I can login to naked domain, and I will subsequently move on to the wp-admin area (on the www domain), no second authentication needed.
What I suggested is that Cloudflare allow the user to opt to apply a given Access Policy to both the naked and www domains, since these are almost universally used in tandem, with the same content being provided by the server for either one (I know this can be programmed to be different, but reality is, most hosting companies have this setting as default).
So why bother creating (and having to later maintain) two different Access Policies for the same content? Now, your suggestion that a Page Rule may be set to redirect everything from naked to www makes sense, if in fact Cloudflare processes its Access Policies after PRs. But hey, since I have run out of page rules, I can’t test this on my end.
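A small audit helper, added here as an example and not code from the thread or from Cloudflare, for checking what the thread is arguing about: whether the same path on the naked host and on the www host is actually gated by Access, redirected to the canonical host first, or served openly. It assumes the Access login redirect points at a `*.cloudflareaccess.com` team domain and that the hostnames and paths passed in are your own; the sample values in the comments are constructed.

```python
"""Classify how a URL answers an unauthenticated, cache-bypassing request.

Outcomes: 'access-gated' (302 to the Cloudflare Access login page),
'canonical-redirect' (3xx to a different hostname, e.g. naked -> www),
'denied' (401/403), 'unprotected' (200 with content), or 'other'.
"""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit
import urllib.error
import urllib.request

ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"  # Access team domain (assumption)
REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify(status: int, location: Optional[str], requested_host: str) -> str:
    """Map one HTTP response (status + Location header) to an audit outcome."""
    if status in REDIRECT_CODES and location:
        target = urlsplit(location).hostname or ""
        if target.endswith(ACCESS_LOGIN_SUFFIX):
            return "access-gated"
        if target and target != requested_host:  # e.g. example.com -> www.example.com
            return "canonical-redirect"
        return "other"  # same-host redirect (e.g. http -> https or a WP redirect)
    if status == 200:
        return "unprotected"  # the symptom described in the thread for /wp-login.php
    if status in (401, 403):
        return "denied"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first hop is what we inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> str:
    """Fetch one URL without following redirects and classify the first answer."""
    host = urlsplit(url).hostname or ""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"), host)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here with redirects off
        return classify(err.code, err.headers.get("Location"), host)


def audit(hostnames: Iterable[str], paths: Iterable[str]) -> Dict[str, str]:
    """Probe every hostname/path pair, e.g. ('example.com', 'www.example.com') x ('/wp-login.php', '/wp-admin/')."""
    return {f"https://{h}{p}": probe(f"https://{h}{p}") for h in hostnames for p in paths}
```

Any entry reported as `unprotected` on the naked host is a path that reaches the origin before either the edge redirect or Access runs, which is exactly the case where a second policy (or an edge-level redirect) is needed.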