Zero-trust + tunnel + argo - public hostnames - how to make limited to WARP users only

Hi All,

I have my ideal setup, but I wanted to make it so that if users are not on the staging vnet then they can't access the public hostnames.

What part of the network rules and/or public hostname settings can help limit access by forcing Cloudflare Access or putting it behind the login SSO?

I see there is a Layer 7 security feature, and when I turned it on the sites are protected, but I'm not sure how the config is supposed to be set up according to the developer docs.

Each public hostname has allow rule settings.

Setting #1

Selector (required): User Email
Operator (required): matches regex
Value: *@companyname.com

Are these policies the best to set up so that only users on Zero Trust / logged into WARP get access?

Setting #2

Or maybe this section is better to protect at L7.

Protect with Access

For all L7 requests to these hostnames, Access will send the JWT to cloudflared as a Cf-Access-Jwt-Assertion request header.

Can someone give me insight on the best way to have these resources protected based on whether users are logged into WARP / ZT? Currently an IP blocklist is used to protect them, but it's much better not to manage an IP allowlist.

1 Like

I’ll take a stab at this.

  1. Close all ports.
  2. Install cloudflared, create a tunnel.
  3. Set up an Access Application for your hostnames.
  4. Create an Access policy with the Zero Trust/WARP IP range and the @ email option.

There was also a new method recently announced which may interest you.

  1. Set up an Access Application for your hostnames. - I did this, but only for a private-access server. Once I did this for a public website URL (no public IP on the server, using a tunnel) with Access, it worked by forcing 2FA using Access. The last part I'm on is using vnets to access sites instead of forcing Access on the front page.

Hi @jon64, did you ever get this working? I'm working on something very similar but haven't tried the Layer 7 feature. I have a similar rule for my public hostname, which points to a Cloudflare tunnel, but unauthenticated users are still allowed to access the application behind the tunnel and are not required to verify their email address.

I have WARP on my phone but tried it on other devices without WARP and in an incognito browser and they are still allowed through.

@JohnWick, can you clarify step 4? I'm not sure I understand the Zero Trust/WARP IP range option in the rule…

Thanks

Yes, I got it working and it is restricted to Okta users in the group I specified.

Not specific to whether they have the WARP agent, just whether they are in our Okta.

You need a public hostname for the sites you want to do it with, and set it to require @domainname.com for login and membership in a group that is allowed to see the website.

|Type|Selector|Value|
|---|---|---|
|Include|Emails ending in|domain.com|
|Include|Access Group|your-team|

This is done in Access > Applications > Self-hosted; the app needs to be set up with the above settings even if you network privately.

-Jon

1 Like

Thanks for confirming!

Following your tip to set it up as a Self-Hosted App instead of a Private Network application worked. At least the rules were applied. Unfortunately, the app I am protecting is Nextcloud, and while I can log in to the web interface, the other apps that connect to the resources aren't able to handle the redirect to log in to the IdP (just OTP in my case), so they fail.

I’m giving up on the WARP requirement as well and will just use some WAF rules to reduce my exposure.