Depends on whether the application is configured to use the App Launcher or not. When the App Launcher is NOT configured, the error message says the user does not have permission to access the resource. When the App Launcher is configured, accessing the application boots the user back to the App Launcher screen with no error message.
What is the issue you’re encountering?
Unable to access applications.
What steps have you taken to resolve the issue?
Cloudflare docs
Cloudflare AI troubleshooting
Cloudflare forums
Endless ChatGPT & other forum searching
Raising a support ticket (paid account, more than 2 weeks, NO response from Cloudflare)
I’ve followed and tested every element of my configuration to the best of my ability - tunnels, applications, policies, etc. Based on all available documentation, the setup should work. Overall it has the appearance of an authentication bug.
I’ve been pretty patient with CF’s response times - but this has dragged on for far too long. I’m interested in any ideas to help me resolve this - or alternatively - using this to get some value out of CF support and have them work my support ticket (Case: 01400526)
What are the steps to reproduce the issue?
Tunnel:
cloudflared docker tunnel on a VM with a pathway to the WAN. Tunnel connects to Cloudflare - healthy status and long-running uptime.
Tunnel has 1 public hostname: app.company.au; this routes to an internal IP address for a service that is only accessible over HTTPS → https://10.1.0.1:443 (for illustrative purposes).
The service and the cloudflared docker tunnel service run on the same VM
Application:
Identical public hostname as is called out in the tunnel config (app.company.au)
Application has policy_1
Login methods - all
App launcher - show in app launcher (disabling this causes the auth error message to show)
Policies:
Action - allow
Include - [email protected]
Require - Country=Australia
Policy tests fine to allow user
Problem presentation:
I can log into the application fine, and even the App Launcher, but the application itself won’t load.
User logs show the user has logged in and ‘access granted’ under decisioning.
Browser dev tools show a 301 error against the original app URL, which is then redirected to company.cloudflareaccess.com.
With the app launcher configured, there isn’t any error to upload.
Thank you for taking the time to reply; I appreciate the inputs.
After deleting the application, the error message is: “You do not have permission to connect to any applications in your account. If you feel this is a mistake, please contact your administrator.”
I’ve checked the logs, they show access granted to app launcher for this attempt.
I’m not clear on how to test the second point for a self-hosted application (directing it away from the existing tunnel), pointing it somewhere else… So I created a new application called google.company.au. Authentication works, and Firefox throws an error (“Hmm. We’re having trouble finding that site” - I suppose this is expected behaviour as the subdomain doesn’t point anywhere).
The trace showed something interesting - there was a global redirect to company (dot) cloudflareaccess (dot) com; throwing a 301 error. Curious as I’ve never had a redirect on this domain before.
I’ve disabled this rule, and reattempted application access. The re-direct to the app launcher still appears to be in effect.
I’ve run the trace again, and this time it’s shown that there is a WAF rule in place, blocking non-AU (Australia) access attempts.
I did in fact put this rule in place, but this behaviour seems a touch unusual. I’m AU based, and do not have any VPNs active (so Cloudflare should recognise me as being in AU). Yet the trace still shows the WAF custom rule interdicting in the trace and blocking access due to me being “non-AU”. This seems like abnormal behaviour…
I’ve disabled that rule as well, and run the trace again. This time there are no matches on any configuration, and the trace result returns 403 access denied - which I assume is the correct response for a trace that isn’t able to authenticate.
Now, when I access app (dot) company (dot) au I get a 502 Bad Gateway error. I can still access & authenticate with the App Launcher via company (dot) cloudflareaccess (dot) com, and following the app icon also hits the 502 error screen (Bad Gateway). The screen shows green ticks for browser and Cloudflare, but a red X for the host.
I’ve checked the zero trust access logs, and they’re showing authentication.
I appreciate that it may be easier for me to share the app and domain, but apologies, for the moment I’d rather not.
I’ve checked my cloudflared docker logs; there was a TLS verification error. I’ve adjusted the config to accommodate, and now everything’s working as expected.
Thank you for the steering, in particular, pointing me towards the Trace functionality.
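For readers who hit the same 502 Bad Gateway after Access authentication succeeds: the symptom described above (green ticks for browser and Cloudflare, red X for the host, TLS verification error in the cloudflared logs) is what you see when cloudflared reaches an HTTPS origin but cannot validate its certificate, typically because the origin presents a self-signed certificate or one issued for a name other than the one cloudflared connects to (here the raw IP 10.1.0.1). The following is an added example of a locally managed cloudflared config.yml for the setup described in the thread; it is not the poster’s actual configuration. The tunnel UUID, the credentials-file and caPool paths, and the assumption that the origin certificate carries the name app.company.au are all placeholders.

```yaml
# Added example, not the original poster's config. Locally managed cloudflared
# tunnel (config.yml) for the scenario in the thread: one public hostname
# routed to an HTTPS-only origin on the same VM. UUID and paths are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  - hostname: app.company.au
    service: https://10.1.0.1:443
    originRequest:
      # Preferred fix: keep certificate verification ON. Tell cloudflared which
      # name to expect in the origin certificate (SNI + hostname check), and
      # which CA signed it, so a private/self-signed CA can still be verified.
      # Assumption: the origin cert is issued for app.company.au and the CA
      # bundle has been copied into the container at the path below.
      originServerName: app.company.au
      caPool: /etc/cloudflared/origin-ca.pem
      # Weaker alternative: skip verification entirely. This silences the same
      # TLS error but removes authentication of the origin, so anything that can
      # answer on 10.1.0.1:443 is trusted. Only reasonable when the origin and
      # cloudflared share a host or an isolated network segment, as in this thread.
      # noTLSVerify: true

  # cloudflared requires a catch-all rule as the final ingress entry.
  - service: http_status:404
```

The same three settings exist for dashboard-managed tunnels under the public hostname’s additional application settings (TLS section: Origin Server Name, Origin Certificate Authority (CA) pool, No TLS Verify). A useful check before changing anything is to compare the error in `cloudflared` logs with the certificate the origin actually serves; if the certificate is valid for a hostname but cloudflared is connecting by IP, `originServerName` alone is usually enough and `noTLSVerify` is not needed.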