I am trying to secure multiple subdomains through Cloudflare access. The problem I am facing is if one person authenticates on one subdomain he is allowed access on the other through the cookie being set as samesite=none. If I am trying to change this setting I am seeing a “ERR_TOO_MANY_REDIRECTS” error on successful authentication.

Need some support on this. BTW the SSL is set to full strict and everything works normally on my website.

The website in question is and the other a subdomain called

Are you saying a user who isn’t authorized to log into content tries to log into it, that fails. But if they log into www they can then access content?

In your audit log you’ll see the user logged into both however

JSON web tokens · Cloudflare for Teams documentation

Two tokens are generated:

  • Team Domain Token : a token stored at the team domain that prevents a user from needing to login to each application. The token is stored as a cookie at your account’s team domain, for example, .
  • App Token : a token generated for each application that a user reaches. The token is stored as a cookie on the application, for example, .

You can use the JWT created by Cloudflare Access to validate requests on your origin.

This makes me wonder what the Access policy looks like. Did OP use a wildcard for the subdomain?

What I mean is, if I have two subdomains behind Cloudflare Access and a user "john" authenticates on one, he also has access to the other subdomain.

But an Access Policy/Application is associated with a hostname.

  • If you use two Access Policies, and John is allowed on both subdomains’ policies, then logs in on one, he’s now authenticated for the other.
  • If you use one Access Policy, but with a wildcard subdomain and John logs into one, then it’s just like before where he’s authenticated for both.

At least that’s how I believe it works.

If he has access to both, he’s authenticated against both polices, John just doesn’t have to log in twice.

You will see authentication for both applications in the Access log.

So for example I open the rule list to users in India only and any Indian user who authenticates on one subdomain will be allowed in the other too?

Even if these are separate domains?

Are users in India allowed to access the other? Then yes. If users in India aren’t allowed by policy, then no.

If they are part of the same authentication realm / team domain then yes. Again, the same link I’ve posted explains how and why. If the Access policy allows them and they have already successfully authenticated, they aren’t forced to manually log in repeatedly, but their authentication is checked and logged for the new application and every subsequent request is checked for authorization.

