ZeroTrust Application domain matching rule inconsistent/not working as expected

I have 2 applications that match the domain, one with no Path specified, and one matching a sub-path.

One URL matches the sub-path one, while another very similar one which should too does not.
For security reasons I cannot share the specific URLs, but they look similar to:

domain.example/a/b/1/2
and
domain.example/a/b/3/4

The path expression is set to “a/b”.

Am I using this not as intended or am I missing something?

Thanks!

Reference:

While Cloudflare Zero Trust allows you to create unique rules for parts of an application that share a root path, when multiple rules are set for a common root path, the more specific rule takes precedence.

Imagine an example application is deployed at dashboard.com/eng that anyone on the engineering team should be able to access. However, a tool deployed at dashboard.com/eng/exec should only be accessed by the executive team.

For example, when setting rules for dashboard.com/eng and dashboard.com/eng/exec separately, the more specific rule for dashboard.com/eng/exec takes precedence, and no rule is inherited from dashboard.com/eng. If no separate, specific rule is set for dashboard.com/eng/exec, it will inherit any rules set for dashboard.com/eng.

If a URL already matches the more specific rule, the less specific rule will not get triggered for the same URL.

Also, you might need to use a wildcard like a/b* or a/b/*. Read more about how to use wildcards in your Cloudflare Zero Trust Access Policies here: Application paths · Cloudflare Zero Trust docs
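An added example, not part of the reply above and not Cloudflare's code: a simplified local model of the "most specific path wins" rule, useful for writing down which application each URL is expected to hit before comparing against what Access actually does. The application names, the segment-boundary matching and the `*` handling are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Constructed application list mirroring the thread: one app for the whole
# domain and one scoped to the sub-path "a/b". Names are hypothetical.
APPS = [
    {"name": "generic", "domain": "domain.example", "path": ""},
    {"name": "sub-path", "domain": "domain.example", "path": "a/b"},
]

def _segments(path):
    """Split a path into non-empty segments, ignoring leading/trailing slashes."""
    return [s for s in path.split("/") if s]

def _specificity(app_path, url_path):
    """Return how many leading URL segments the app path matches, or None.

    Assumption: matching is per path segment, and '*' inside a segment
    matches any run of characters within that segment.
    """
    pattern, target = _segments(app_path), _segments(url_path)
    if len(pattern) > len(target):
        return None
    for pat, seg in zip(pattern, target):
        regex = re.escape(pat).replace(r"\*", ".*")
        if not re.fullmatch(regex, seg):
            return None
    return len(pattern)

def expected_app(url, apps=APPS):
    """Name of the app whose path is the most specific match for url, or None."""
    parts = urlsplit(url)
    best_name, best_score = None, -1
    for app in apps:
        if parts.hostname != app["domain"]:
            continue
        score = _specificity(app["path"], parts.path)
        if score is not None and score > best_score:
            best_name, best_score = app["name"], score
    return best_name

if __name__ == "__main__":
    for u in ("https://domain.example/a/b/1/2",
              "https://domain.example/a/b/3/4",
              "https://domain.example/other"):
        print(u, "->", expected_app(u))
```

Under this model both example URLs from the question resolve to the sub-path application, so a URL that lands on the generic one is a discrepancy worth including in a bug report.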

Thank you for this, @andronicus_cf. My case is about the more specific rule not being applied first in one of the 2 circumstances. I am out of options in debugging this further. This seems like a bug to me: the application being routed is clearly the generic URL one. Is there something else you would suggest I try, or a way to attempt fixing it? Happy to share private URLs with you privately. Thanks.

Hi @accounts97,

Thank you for elaborating on the issue further. It does sound like unexpected behavior if the more specific rule is not being applied and the application is routed to the more generic rule instead.

Do you happen to have a support case opened? If you haven’t done so, you could follow the steps in Contacting Cloudflare Support · Cloudflare Support docs to submit a support ticket. You can then mention the ticket ID here (or DM me the ticket ID) and I will ask the support team to follow up.

Hi @andronicus_cf, unfortunately I am on the free tier and I only have the option to create a thread in this forum. Anything else I can do? Thanks.

Sorry for the late reply. I raised ticket #3173167 for you; let’s follow up on the ticket. Thanks.