Hi everybody,
I have the following situation.
I have a file in an R2 bucket. This file should be accessible for my colleagues who are using Cloudflare WARP and not be accessible via the open internet.
My initial thought was to:
- create a firewall rule which blocks any access to the file
- create a rule in Cloudflare Zero Trust which allows access to the file if a user with a pre-defined email address tries to access the file
- enable Cloudflare WARP
- access file
However, this doesn’t work and I still see the “sorry, you have been blocked” message when I sign into Cloudflare WARP and try to access the file.
Is it possible to restrict the access to R2 files using Cloudflare Zero Trust / Cloudflare WARP or do I need to use a different approach?
Best regards,
Fabian
My guess is this part isn’t needed. If you have Access in front of it then it will run before the firewall rule but the firewall rule will still take place and block you.
Thank you for your response!
If I don’t create the firewall rule, the file can be opened by anybody via the custom domain I set.
Maybe I need to use the S3 URL?
EDIT:
I did the following but it’s still not working:
- remove firewall rule
- set firewall rule in Cloudflare Zero Trust
- try to open file via S3 URL (…r2.cloudflarestorage.com…) → can’t open
- connect to Cloudflare WARP and try to open file again → can’t open
As long as custom domain is protected by access, it will block all requests.
What do you mean by can’t open? Unless you have it enabled, you will get an error.
Sorry, I am still new to all this.
As long as custom domain is protected by access, it will block all requests.
How do I protect it by access? I only created a custom domain via the R2 settings of the bucket I created. Is there anything else that I need to set?
What do you mean by can’t open? Unless you have it enabled, you will get an error.
When I try to open it, I get the following error page, no matter if I am connected via Cloudflare WARP or not.
With access, all you need is an Access Application that covers your custom domain.
This error is coming from R2 saying you aren’t authorized to view it. Also, I believe, you shouldn’t be able to open files with the S3 API on a browser, it is just for the API.
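Added example (not part of the thread and not Cloudflare tooling): a check that classifies what an unauthenticated request to the bucket's custom domain returns, covering the three states this thread runs into: publicly readable, blocked for everyone by a firewall rule, and gated by an Access Application. It assumes Access answers unauthenticated requests with a redirect to a `/cdn-cgi/access/login` path on a `<team>.cloudflareaccess.com` host; the hostnames and responses below are constructed samples.

```python
from urllib.parse import urlsplit

# Assumption: the Access login redirect targets <team>.cloudflareaccess.com
ACCESS_SUFFIX = ".cloudflareaccess.com"
LOGIN_PREFIX = "/cdn-cgi/access/login"


def classify(status, headers):
    """Classify one unauthenticated response from the custom domain."""
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        loc = urlsplit(headers.get("location", ""))
        host = (loc.hostname or "").lower()
        if (loc.scheme == "https" and host.endswith(ACCESS_SUFFIX)
                and loc.path.startswith(LOGIN_PREFIX)):
            return "access-gated"        # login required before R2 is reached
        return "redirect-elsewhere"      # a redirect, but not to Access
    if 200 <= status < 300:
        return "publicly-readable"       # object served with no login at all
    if status in (401, 403):
        return "blocked-without-login"   # e.g. firewall rule: nobody gets in
    return "unknown"


def audit(samples):
    """Map each (url, status, headers) sample to its classification."""
    return {url: classify(status, hdrs) for url, status, hdrs in samples}


# Constructed responses; files.example.com and example-team are placeholders.
SAMPLES = [
    ("https://files.example.com/no-protection.pdf", 200,
     {"Content-Type": "application/pdf"}),
    ("https://files.example.com/firewall-rule.pdf", 403,
     {"Content-Type": "text/html"}),
    ("https://files.example.com/access-app.pdf", 302,
     {"Location": "https://example-team.cloudflareaccess.com"
                  "/cdn-cgi/access/login/files.example.com?kid=PLACEHOLDER"}),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:22} {url}")
```

To use it against a real domain, feed it the status and headers of a request made without following redirects, from a machine that is not signed in.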
Thank you! I got it to work but there is one last step which I would like to achieve.
With the current setup, when a user opens the URL, he gets redirected to the Google Workspace Sign-in page. Or if the user signed into the Google account in Chrome already, the page can directly be opened.
However, is it possible to allow opening the page automatically if the user is connected to our Cloudflare network via Cloudflare WARP?
The reason is that I want to set a .pac file in the OSX network settings. If I set the URL there, the Google Sign-In flow is not working.