Pages+custom domain+access: public on main, private on preview
It's a basic use case that I am surprised Cloudflare hasn't thought about.
* I use Cloudflare Pages.
* The pages system builds a production build (available at example.pages.dev), and a preview build (available at two urls: git-branch-name.example.pages.dev and git-commit-hash.example.pages.dev)
* I add a custom domain, example.com.
* I follow the thirteen step process in https://developers.cloudflare.com/cloudflare-one/policies/access/ to modify access
* The website remains unaccessible
I want:
* example.com to be accessible and public
* any subdomain to be private, i.e. git-branch-name.example.com and git-commit-hash.example.com
I've set, the root domain (example.com) and pages root (example.pages.dev, note no asterisk); with a single policy of 'Allow Everyone'.
Access policies · Cloudflare Zero Trust docs
Cloudflare Access determines who can reach your application by applying the Access policies you configure.
11 Replies
The issue is that when access is applied to the
pages.dev domain, it also blocks your custom domain, even if said custom domain has an allow all rule. If you are just trying to prevent access to your pages.dev domain, you can use this guide.Thanks for the input. I created an account level redirect, but still, requesting the custom domain, or the pages.dev url just redirects to Cloudflare Access login page. It seems to want to do this before doing any redirect work.
Try disabling the Access Apps
I don't see an optition to disable them, only delete the entire thing. I've now set rules for custom domain, the pages.dev etc so EVERYONE BYPASS and now the redirect to the custom domain works, but the custom domain itself still shows the cloudflare access login page. At this point I've spent 4 hours on this so will reach out to Cloudflare support. Their product doesn't appear to be functioning correctly.
Custom Domains and Access don’t work together, so just delete the apps entirely
Should still work fine
Yeh if I remove the rules/apps it does work and become accessible, but then the preview domains are also publicly accessible which isn't acceptable for us. Pages publishes every git commit and branch as a subdomain so it's trivial to guess them. I also can't setup the same repo with two different pages projects.
Anyway @HardAtWork I appreciate your input this sunday!
You can apply the redirect rules to the branches/previews so they all redirect to your custom domain
Or enable access on only the previews(as long as they don’t also have a custom domain).
the previews get the custom domain, there's no way to change this. the custom domain basically replaces pages.dev with your domain, so the preview subdomains are still there. Yeh I can redirect them but we still want the preview domains. It's surprising it's this hard, as I thought preview domains being private, and the production domain being public is a really basic use case. Nobody wants their preview domains to be public.
Ok, so that's a bit more complex. Here's the Gist, assuming all of the rules(Access and Redirect) are removed first:
1. Add Redirects for every branch domain that you want covered, like so:
qa.project.pages.dev to qa.custom.domain.
2. Add a Redirect Rule from project.pages.dev to custom.domain, following the tutorial. Toggle subdomain matching.
3. Apply Access Rules as you like on the custom branch domains you want protected, not the pages.dev domains: qa.custom.domain ALLOW Okta authed(or however you want to verify auth).
They were out of order, sorry.
And then see if everything works as it should.
Oh wait, I misunderstood.
Do you care if the Preview URLs are visible via the custom domain?
Or just that they are behind Access?yeh we want the preview urls to be privately accessible, but wait @HardAtWork I managed to solve it.
example.com > changed from EVERYONE ALLOW to EVERYONE BYPASS
example.pages.dev > also changed from EVERYONE ALLOW to EVERYONE BYPASS
*.example.pages.dev > added private access rules (i.e. Allowed IP only)
Then, critically, I left it half an hour, then it all started working.
The combination of 'allow' to 'bypass' and then giving it time to actually apply made the difference. I noted the lag when I deleted the application but the domain kept trying to redirect to the access login page for like 20 minutes then suddenly started working as expected.
Still think cloudflare just needs to add a 'make preview urls private' button to avoid having to setup this casserole of nonsense.
Thanks again for all your input.
Note that EVERYONE BYPASS is the same as the app just not being there, so if it doesn’t matter, you can just delete both of those apps entirely