r/CloudFlare: Cannot get Cloudflare Application security to work

💡
This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/zax6bq/cannot_get_cloudflare_application_security_to_work/

Question

I am playing around with Cloudflare and I am attempting to protect a web application (self hosted) with Cloudflare Zero Trust access functionality. Before I enabled this, the website worked fine publicly.

I have been able to both setup Google and Azure AD as sign-on methods, and the tests there work properly. But I cannot get the website to work at all. It is currently connected to Cloudflare via a tunnel and the tunnel reports that it is working properly.

I tried to setup a very basic rule for access- only allowing my personal email account and my work domain to be able to access. But it will not work. Even when I deleted the rules, it will not work, it just 404s.

It WAS working when I had normal A DNS entries pointing to the site, although I believe the documentation said I needed to create a Cloudflare tunnel to use the Access restrictions.

Since i’ve deleted the tunnel and the respective DNS entries, it again works fine with the normal cloudflare DNS entries.

What am I doing wrong here? I’ve been following all the guides.

Answer

You don't need Cloudflare Tunnel for Cloudflare Access to work, having the DNS zone on Cloudflare is the only requirement since the proxy is what sends the user traffic through the CF One suite.

However, CF Tunnel are heavily recommended since then your server isn't exposed via port forwardings.

Now to your actual problem, 404s have nothing to do with CF Access.
Double check what public hostnames you have configured in your tunnel config. If you are not sure these are working, just get the tunnel to publish your website successfully first, before actually enabling any Access rule on top of it.

Access will only add authentication and other checks on top of the traffic, but if you can't actually reach your app, these Access rules will be useless.

Comment 1 on Answer

I was attempting to use CloudFlare Access without CloudFlare Tunnel to begin with, but I thought I read in one of the documentation points that it was necessary or something. I do have port forwarding setup (this is a dev system) so it was publicly available before the tunnel.

I will see if I can verify this is working without a tunnel and no access policies, then try and add on access policies.

My response to comment 1

The difference between having CF Tunnel set up or not is that if no Tunnel exists to privately forward the traffic to the origin server, you have to configure port forwardings and then limit the incoming traffic to just allow Cloudflare's IPs, or else anyone calling your server directly via its IP would still get to your app without authentication.

What I meant in my first post was to just setup CF Tunnel first and get that working, then go forward with configuring any Access Policies.