I have multiple apps running in AWS using API Gateway, load balancers etc.
I want to enable Cloudflare Zero Trust on those domains.
For each domain:
- I have set the CNAME to point to the publicly available API Gateway / LB domain.
- I have set the subdomain to be proxied via Cloudflare using Cloudflare DNS (orange cloud).
- I have set up CF Access on that domain from the Zero Trust section.
Now when I hit each domain, CF Access is set up correctly.
However, the issue I have is that if I curl the publicly available API Gateway / LB domain passing in the application header I can bypass CF access and still see my private content.
Example
Domain needing to be locked down: test.example.com
API Gateway domain: d-xxxxxxxx.execute-api.eu-west-1.amazonaws.com
example.com DNS:
- Type: CNAME
- Name: test
- Content: d-xxxxxxxx.execute-api.eu-west-1.amazonaws.com
- Proxy Status: Proxied
Zero Trust application:
- Set to proxy test.example.com (all traffic).
Hitting https://test.example.com via browser → CF Access page (expected result).
Bypassing Cloudflare returns the page content:
curl -H "Host: test.example.com" https://d-xxxxxxxx.execute-api.eu-west-1.amazonaws.com
How can I make it impossible to bypass Cloudflare in this case?
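One origin-side mitigation, shown here as an added example that is not part of the original post: the origin (for instance a Lambda authorizer in front of the API Gateway) refuses any request that did not arrive from a Cloudflare edge or that does not carry a Cloudflare Access token for this application, so a direct hit on the execute-api hostname with a spoofed Host header is rejected. It assumes the `Cf-Access-Jwt-Assertion` token's RS256 signature has already been verified with a JWT library against the team's `/cdn-cgi/access/certs` keys, that the team domain and application AUD tag are placeholders, and that the IP ranges are a snapshot of https://www.cloudflare.com/ips/ that production code refreshes rather than hard-codes.

```python
"""Origin-side gate for an API behind Cloudflare Access (added example).
Assumptions: team domain and AUD tag are placeholders; the IP list is a
snapshot of https://www.cloudflare.com/ips/ (IPv4 only) to be refreshed."""
import ipaddress
import time

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh in prod).
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_IPV4]


def from_cloudflare(source_ip: str) -> bool:
    """True if the TCP peer is a Cloudflare edge, i.e. the request was proxied."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in CF_NETS)


def check_access_claims(claims, expected_aud, team_domain, now=None):
    """Return reasons to reject; an empty list means the Access token is good.
    `claims` is the Cf-Access-Jwt-Assertion payload AFTER its RS256 signature was
    verified by a JWT library against the team's /cdn-cgi/access/certs keys."""
    now = time.time() if now is None else now
    if not claims:
        return ["no Cf-Access-Jwt-Assertion: request did not pass through Access"]
    reasons = []
    # Access sets iss to the team domain and aud to a list of application AUD tags.
    if claims.get("iss") != f"https://{team_domain}":
        reasons.append("issuer is not our Access team domain")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_aud not in aud:
        reasons.append("token was issued for a different Access application")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        reasons.append("token expired")
    return reasons


def authorize(source_ip, claims, expected_aud, team_domain, now=None):
    """Allow only if the peer is a Cloudflare edge AND the Access token is valid."""
    reasons = []
    if not from_cloudflare(source_ip):
        reasons.append("direct origin hit: source is not a Cloudflare edge")
    reasons += check_access_claims(claims, expected_aud, team_domain, now)
    return reasons  # empty list => serve the request
```

The IP check on its own is not enough, because any Cloudflare customer can proxy traffic to a public origin; the token check (or Authenticated Origin Pulls, or a Cloudflare Tunnel so the origin is not public at all) is what actually closes the bypass.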