Bypass also generates JWTs, just without auth info

HHello, I’m Allie!Bypass also generates JWTs, just without auth info

dave•9/7/23, 8:12 PM

you sure? If you run:

curl -v "https://cache-test-behind-access-worker.ai.moda/get-cache"

curl -v "https://cache-test-behind-access-worker.ai.moda/get-cache"

You won't see any CF Access headers.

Ddave you sure? If you run: ``` curl -v "https://cache-test-behind-access-worker.ai.m...

Hello, I’m Allie!OP•9/7/23, 8:13 PM

I mean to your origin

dave•9/7/23, 8:13 PM

Hello, I’m Allie!OP•9/7/23, 8:13 PM

Jinx

Hello, I’m Allie!OP•9/7/23, 8:13 PM

You owe me a soda

HHello, I’m Allie!You owe me a soda

dave•9/7/23, 8:19 PM

if you come visit Cayman I'll buy ya one

dave•9/7/23, 8:20 PM

is there a general idea on how frequent I should be hitting the cache to prevent an object from being evicted?

HHello, I’m Allie!Bypass also generates JWTs, just without auth info

Chaika•9/7/23, 8:26 PM

bypass completely exits the normal access flow, no jwts or anything, even to origin, hence why if you use CF Tunnels with Access enabled, using Bypass gets blocked, only service auth works

Ddave is there a general idea on how frequent I should be hitting the cache to prevent...

Chaika•9/7/23, 8:28 PM

don't know exact answer but it's worth keeping in mind some CF Pops are multi-colo, each with their own cache, so you could be hitting the same colo name (like ORD), but a different colo cache

Chaika•9/7/23, 8:28 PM

if you wanted to keep yourself in cache globally you'd have to hit some 500+ colos with enough frequency lol

Chaika•9/7/23, 8:28 PM

might be worth using DOs storage depending on your use case

CChaika don't know exact answer but it's worth keeping in mind some CF Pops are multi-co...

dave•9/7/23, 8:29 PM

iirc there's a way to check which server your Worker is running in a colo, right?

Chaika•9/7/23, 8:30 PM

either fl from cdn-cgi/trace or transform rule response header for cf.metal.id

CChaika bypass completely exits the normal access flow, no jwts or anything, even to ori...

Hello, I’m Allie!OP•9/7/23, 8:42 PM

Must have changed that, because I used bypass to validate JWTs in Tunnels without having to log in

Hello, I’m Allie!OP•9/7/23, 8:42 PM

Isn’t that the whole point?

Hello, I’m Allie!OP•9/7/23, 8:42 PM

If you don’t want JWTs at all, you delete the app

Chaika•9/7/23, 8:42 PM

That's the point of Service Auth, logging in without an identity

Hello, I’m Allie!OP•9/7/23, 8:43 PM

Wait…

Hello, I’m Allie!OP•9/7/23, 8:43 PM

Wut

Chaika•9/7/23, 8:43 PM

now you're making me question if I'm crazy lol

Hello, I’m Allie!OP•9/7/23, 8:43 PM

What was I doing…

Chaika•9/7/23, 8:44 PM

afaik it's always been that way, if under tunnel additional settings you enabled Access, you have to use Service Auth over Bypass because otherwise no jwt/tunnel block

CChaika now you're making me question if I'm crazy lol

Hello, I’m Allie!OP•9/7/23, 8:44 PM

Isn’t service auth for if you do want to enforce Service Tokens or mTLS?

Hello, I’m Allie!OP•9/7/23, 8:45 PM

So if you don’t want that, you use Bypass?

Chaika•9/7/23, 8:46 PM

Service Auth is if you meet these conditions, log in without identity flow

Service Auth rules enforce authentication flows that do not require an identity provider IdP login, such as service tokens and mutual TLS.

Bypass is if you meet these conditions, skip flow and go back to normal zone security settings

Warning
Bypass does not enforce any Access security controls and requests are not logged. This should be tested before deploying to production. Consider using Service Auth if you would like to enforce policies and maintain logging without requiring user authentication.
The Bypass action disables any Access enforcement for traffic that meets the defined rule criteria. This may be useful if you want to ensure your employees have direct permanent access to your internal applications, while still ensuring that any external resource is always asked to authenticate.

Like if you do bypass on a certain set of IPs

When applying a Bypass action, security settings revert to the defaults configured for the zone and any configured page rules. If Always use HTTPS is enabled for the site, then traffic to the bypassed destination continues in HTTPS. If Always use HTTPS is disabled, traffic is HTTP.

https://developers.cloudflare.com/cloudflare-one/policies/access/#bypass

Hello, I’m Allie!OP•9/7/23, 8:47 PM

I stand corrected:

CChaika Service Auth is if you meet these conditions, log in without identity flow > Ser...

Hello, I’m Allie!OP•9/7/23, 8:48 PM

The confuzzling thing here is that while the rule does say that Bypass disable all Access Enforcement, I’m not 100% sure the JWT would apply. Since the presence of a signed JWT without any actual Access related data shouldn’t have anything to do with Enforcement, at least on the part of Access

Hello, I’m Allie!OP•9/7/23, 8:48 PM

Maybe it needs a Docs PR

Chaika•9/7/23, 8:50 PM

I mean Access Enforcement and the JWT being generated go hand in hand

Chaika•9/7/23, 8:51 PM

Access issues the jwt on successful flow, the jwt contains information about your user (email, audience tag, access app/url, id of user, etc)

Chaika•9/7/23, 8:52 PM

it is a bit confusing in general to people because you can set up the tunnel integration, create the access policy bypass, and then it just doesn't work, makes sense if you understand more why but i think from a user point of view, the idea that they can go through your access app/policy but not be counted as going through your access/app policy does confuse people

probably doesn't help that the tunnel failed jwt page is just a blank 403 page lol, if it said something more helpful of the error people might be able to better self help

CChaika either fl from cdn-cgi/trace or transform rule response header for cf.metal.id

dave•9/7/23, 8:53 PM

thanks, cf.metal.id is what I was thinking bout!

CChaika Service Auth is if you meet these conditions, log in without identity flow > Ser...

dave•9/7/23, 8:54 PM

yea, I'm basically using Access kinda like a WAF rule

CChaika don't know exact answer but it's worth keeping in mind some CF Pops are multi-co...

dave•9/7/23, 9:01 PM

is the cache unique per-metal ID?

Chaika•9/7/23, 9:04 PM

it's unique per colo

dave•9/7/23, 9:05 PM