I’ve got a test site that I want to control access to. I’m using firewall rules blocking based on source IP not being in a list for now, but this isn’t a viable solution for us long term. Too many dynamic IPs out there on people’s home Internet.
I was hoping to use Zero Trust as a VPN style solution for our users but Cloudflare seems to see the traffic as originating from their Internet IP rather than the Cloudflare tunnel IP.
Also, that won’t work for external users who we want to give access to.
Does anyone have a clever solution to this challenge?
Thanks for any thoughts.
Why won’t it work? Create a Zero Trust policy based on something other than IP address (which is what you indicated you want to move away from). Zero Trust is evaluated before traffic is allowed to route to a tunnel.
Not all of the users that access the site are behind Cloudflare Zero Trust so I don’t think that will work for me?
Sorry, I think I missed a vital piece of information, the site is behind Cloudflare WAF (which is where the firewall rules are implemented).
Sorry I guess I am confused. It sounds like you have IP address allow rules on the WAF which doesn’t scale and want to move to Cloudflare’s Zero Trust rules instead.
So create one or more Access Policies in the Zero Trust dashboard which allow the users you want to have access and then delete the WAF rule.
They are with the appropriate policy. Visit httpbin.demo.dog … you aren’t a user in my identity provider but you can still log in and access the resource because I have a different policy which allows you to use the OTP policy to get an email sent to let you log in.
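The setup the replies describe (an Access application in front of the site, one policy for users in your identity provider and a second one that lets named external users log in with an e-mailed one-time PIN), as an added example that is not code from the thread. It is written for the Cloudflare Terraform provider v4; the zone/account IDs, hostname, e-mail domain and partner address are placeholders.

```hcl
# Assumes the Cloudflare Terraform provider v4 schema (cloudflare_access_*).
variable "zone_id"    { type = string }   # placeholder: zone of the test site
variable "account_id" { type = string }   # placeholder: Zero Trust account

# One-time PIN login method for people who are not in your IdP.
resource "cloudflare_access_identity_provider" "otp" {
  account_id = var.account_id
  name       = "One-time PIN"
  type       = "onetimepin"
}

# The self-hosted application. Access is evaluated before the request is
# routed to the origin/tunnel, so this replaces the WAF IP allowlist.
resource "cloudflare_access_application" "test_site" {
  zone_id          = var.zone_id
  name             = "Test site"
  domain           = "test.example.com"      # placeholder hostname
  type             = "self_hosted"
  session_duration = "24h"
}

# Policy 1: anyone authenticating through the IdP with a company e-mail.
resource "cloudflare_access_policy" "staff" {
  application_id = cloudflare_access_application.test_site.id
  zone_id        = var.zone_id
  name           = "Staff via identity provider"
  precedence     = 1
  decision       = "allow"
  include {
    email_domain = ["example.com"]           # placeholder company domain
  }
}

# Policy 2: a named external user, required to log in with the OTP method.
# Only the listed address can request a PIN; everyone else is denied.
resource "cloudflare_access_policy" "external_otp" {
  application_id = cloudflare_access_application.test_site.id
  zone_id        = var.zone_id
  name           = "External users via one-time PIN"
  precedence     = 2
  decision       = "allow"
  include {
    email = ["partner@example.org"]          # placeholder external user
  }
  require {
    login_method = [cloudflare_access_identity_provider.otp.id]
  }
}
```

Once both policies are in place and verified, the WAF custom rule that matches on source IP can be deleted, as the reply above suggests.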