
Commit 221b5f3

[CF1] bypass clarity (#20316)
1 parent d426b7c commit 221b5f3

File tree

1 file changed

+36
-32
lines changed
  • src/content/docs/cloudflare-one/policies/access


src/content/docs/cloudflare-one/policies/access/index.mdx

@@ -55,17 +55,21 @@ For example, this configuration blocks every request to the application, except
5555

5656
:::caution[Warning]
5757

58-
Bypass does not enforce any Access security controls and requests are not logged. This should be tested before deploying to production. Consider using Service Auth if you would like to enforce policies and maintain logging without requiring user authentication.
58+
Bypass does not enforce any Access security controls and requests are not logged. Bypass policies should be tested before deploying to production. Consider using [Service Auth](/cloudflare-one/policies/access/#service-auth) if you would like to enforce policies and maintain logging without requiring user authentication.
59+
60+
As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/policies/access/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/policies/access/#selectors) (such as email, or IP).
5961

6062
:::
6163

62-
The Bypass action disables any Access enforcement for traffic that meets the defined rule criteria. Bypass is typically used to enable applications that require specific endpoints to be public. For example, some applications have an endpoint under the `/admin` route that must be publicly routable. In this situation, you could create an Access application for the domain `test.example.com/admin/<your-url>` and add the following Bypass policy:
64+
The Bypass action disables any Access enforcement for traffic that meets the defined rule criteria. Bypass is typically used to enable applications that require specific endpoints to be public.
65+
66+
For example, some applications have an endpoint under the `/admin` route that must be publicly routable. In this situation, you could create an Access application for the domain `test.example.com/admin/<your-url>` and add the following Bypass policy:
6367

6468
| Action | Rule type | Selector | Value |
6569
| ------ | --------- | -------- | ---------- |
6670
| Bypass | Include | Everyone | `Everyone` |
6771

68-
As part of implementing a Zero Trust security model, we do not recommend using Bypass to grant direct permanent access to your internal applications. To enable seamless and secure access for on-network employees, use Cloudflare Tunnel to [connect your private network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) and have users connect through WARP.
72+
As part of implementing a Zero Trust security model, Cloudflare does not recommend using Bypass to grant direct permanent access to your internal applications. To enable seamless and secure access for on-network employees, use Cloudflare Tunnel to [connect your private network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) and have users connect through WARP.
6973

7074
:::note
7175

@@ -110,45 +114,45 @@ the policy will only grant access to people reaching the application from both t
110114

111115
To require only one country and one email ending:
112116

113-
1. [Create a rule group](/cloudflare-one/policies/access/groups/) that includes users in Portugal OR in the United States:
117+
1. [Create a rule group](/cloudflare-one/policies/access/groups/) that includes users in Portugal OR in the United States:
114118

115-
| Rule type | Selector | Value |
116-
| --------- | -------- | --------------------------- |
117-
| Include | Country | `United States`, `Portugal` |
119+
| Rule type | Selector | Value |
120+
| --------- | -------- | --------------------------- |
121+
| Include | Country | `United States`, `Portugal` |
118122

119-
2. Create a policy that requires the rule group, and that also includes users with emails ending in either `@cloudflare.com` OR `@contractors.com`:
123+
2. Create a policy that requires the rule group, and that also includes users with emails ending in either `@cloudflare.com` OR `@contractors.com`:
120124

121-
| Action | Rule type | Selector | Value |
122-
| ------ | --------- | ----------------- | ------------------------------------- |
123-
| Allow | Require | Rule group | `Country requirements` |
124-
| | Include | Emails ending in | `@cloudflare.com`, `@contractors.com` |
125+
| Action | Rule type | Selector | Value |
126+
| ------ | --------- | ----------------- | ------------------------------------- |
127+
| Allow | Require | Rule group | `Country requirements` |
128+
| | Include | Emails ending in | `@cloudflare.com`, `@contractors.com` |
125129

126130
## Selectors
127131

128132
When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/applications/non-http/) applications.
129133

130134
Identity-based attributes are only checked when a user authenticates to Access, whereas non-identity attributes are polled continuously for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
131135

132-
| Selector | Description | Checked at login | Checked continuously<sup>1</sup> |
133-
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- |
134-
| Emails | `[email protected]` |||
135-
| Emails ending in | `@company.com` |||
136-
| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. |||
137-
| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) |||
138-
| Country | Uses the IP address to determine country. |||
139-
| Everyone | Allows, denies, or bypasses access to everyone. |||
140-
| Common Name | The request will need to present a valid certificate with an expected common name. |||
141-
| Valid Certificate | The request will need to present any valid client certificate. |||
142-
| Service Token | The request will need to present the correct service token headers configured for the specific application. |||
143-
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. |||
144-
| Login Methods | Checks the identity provider used at the time of login. |||
145-
| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. |||
146-
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). |||
147-
| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. |||
148-
| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. |||
149-
| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. |||
150-
| Warp | Checks that the device is connected to WARP, including the consumer version. |||
151-
| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). |||
136+
| Selector | Description | Checked at login | Checked continuously<sup>1</sup> |
137+
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- |
138+
| Emails | `[email protected]` |||
139+
| Emails ending in | `@company.com` |||
140+
| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. |||
141+
| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) |||
142+
| Country | Uses the IP address to determine country. |||
143+
| Everyone | Allows, denies, or bypasses access to everyone. |||
144+
| Common Name | The request will need to present a valid certificate with an expected common name. |||
145+
| Valid Certificate | The request will need to present any valid client certificate. |||
146+
| Service Token | The request will need to present the correct service token headers configured for the specific application. |||
147+
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. |||
148+
| Login Methods | Checks the identity provider used at the time of login. |||
149+
| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. |||
150+
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). |||
151+
| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. |||
152+
| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. |||
153+
| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. |||
154+
| Warp | Checks that the device is connected to WARP, including the consumer version. |||
155+
| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). |||
152156

153157
<sup>1</sup> For SaaS applications, Access can only enforce policies at the time
154158
of initial sign on and when reissuing the SaaS session. Once the user has
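Review bot: every removed line in this hunk is textually identical to the line added in its place (the two numbered steps, the two nested tables, and the Selectors table), so the change is whitespace only: indentation of the tables under list items 1 and 2, and a wider Description column to fit the Identity provider group row. That is fine, but it has nothing to do with the commit title "[CF1] bypass clarity"; mention the reformatting in the commit message so reviewers do not have to compare the lines by eye, and confirm the nested tables are indented to the list-item level so MDX keeps them inside the numbered steps rather than ending the list.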
