I’m completely confused here. I have a frontend and backend infrastructure running on AWS. I’ve created firewall groups (AWS security groups) that only allow the Cloudflare reverse proxy IPs to connect to my AWS EC2 instances. As soon as I disable 80/443 access for 0.0.0.0/0, I get a 500 error in the Chrome console when the frontend tries to connect to the backend API. If I leave it in place long enough, I end up with a CORS error.
All domains and subdomains are proxied through Cloudflare, so at no point am I directly connecting to either the frontend or backend. Why is blocking 0.0.0.0/0 causing an issue? What could I be missing here?
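As an added illustration (not part of the original thread, and not AWS or Cloudflare code), the following Python models the allow-list described in the question. An AWS security group contains only allow rules; any connection that matches no rule is dropped, so the two things worth checking are which source ranges and which ports are listed, and whether a world-open rule was left behind. The CIDR list below is a constructed subset of Cloudflare's published IPv4 ranges (the authoritative list is at https://www.cloudflare.com/ips-v4 and changes over time), the rule dictionaries follow the `IpPermissions` shape used by the EC2 API, and the helper names are my own.

```python
import ipaddress

# Constructed sample: a subset of Cloudflare's published IPv4 edge ranges.
# Fetch the live list in production rather than hardcoding it.
SAMPLE_CLOUDFLARE_CIDRS = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
    "172.64.0.0/13",
]

# The "before" configuration from the question: HTTPS open to the world.
WORLD_OPEN_RULE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def build_cloudflare_ingress(cidrs, ports=(80, 443)):
    """Build EC2-style IpPermissions allowing only the given CIDRs on the given ports.

    One entry per port; all CIDRs share that entry's IpRanges list.
    """
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [
                {"CidrIp": cidr, "Description": "Cloudflare edge"} for cidr in cidrs
            ],
        }
        for port in ports
    ]


def ingress_allowed(permissions, src_ip, port, protocol="tcp"):
    """Evaluate a security group the way EC2 does: first matching allow wins,
    and a connection that matches no rule is denied (there are no deny rules)."""
    ip = ipaddress.ip_address(src_ip)
    range_key, cidr_key = (
        ("IpRanges", "CidrIp") if ip.version == 4 else ("Ipv6Ranges", "CidrIpv6")
    )
    for perm in permissions:
        proto = perm["IpProtocol"]
        if proto not in ("-1", protocol):
            continue
        # "-1" means all protocols and all ports; otherwise check the port window.
        if proto != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        for entry in perm.get(range_key, []):
            if ip in ipaddress.ip_network(entry[cidr_key], strict=False):
                return True
    return False  # implicit deny


def find_world_open(permissions):
    """Return (protocol, from_port, to_port, cidr) for every rule open to all sources."""
    hits = []
    for perm in permissions:
        for entry in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = entry.get("CidrIp") or entry.get("CidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0"):
                hits.append((perm["IpProtocol"], perm.get("FromPort"),
                             perm.get("ToPort"), cidr))
    return hits


def missing_cidrs(published, permissions):
    """Return published ranges that no rule lists; a stale allow-list blocks
    connections from edges in those ranges."""
    listed = {
        ipaddress.ip_network(e.get("CidrIp") or e.get("CidrIpv6"), strict=False)
        for perm in permissions
        for e in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
    }
    return sorted(
        c for c in published if ipaddress.ip_network(c, strict=False) not in listed
    )


if __name__ == "__main__":
    perms = build_cloudflare_ingress(SAMPLE_CLOUDFLARE_CIDRS)
    print("edge 104.16.1.1 -> 443:", ingress_allowed(perms, "104.16.1.1", 443))
    print("direct 8.8.8.8 -> 443:", ingress_allowed(perms, "8.8.8.8", 443))
    print("world-open rules:", find_world_open(WORLD_OPEN_RULE))
    print("unlisted ranges:", missing_cidrs(["131.0.72.0/22"], perms))
```

The permissions list produced by `build_cloudflare_ingress` has the same shape as the `IpPermissions` argument of boto3's `authorize_security_group_ingress`, so the same structure can be applied to a real group once the CIDRs come from Cloudflare's published list; `missing_cidrs` run against that list is the check to repeat whenever the ranges change.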
In short: Deny rules take precedence over allow rules.
I’m not aware of AWS security groups, but usually, deny rules have priority over allow rules. Without further details and configuration, I would assume that even though you’re allowing the Cloudflare IP range, the fact that you’re blocking 0.0.0.0/0 will override the first and block access to everything.
I’m not blocking it. The only allow rules are from the CF reverse IPs (and the local infrastructure). And I can still connect to both the frontend and backend using DNS.
These sites are currently protected by Cloudflare Access, and I did find an article about Access and CORS errors, so I may have a lead.