Unable to access Zero Trust application — redirects to /cdn-cgi/access/login and ends with 404
I’ve set up a Cloudflare Tunnel and Zero Trust Access application for my internal site ops.hungrytimes.in.
Tunnel configuration:
ops.hungrytimes.in → http://127.0.0.1:80
api-ops.hungrytimes.in → http://127.0.0.1:5000
DNS records:
Both ops and api-ops are CNAMEs pointing to the tunnel UUID, proxied (orange cloud).
Access Application:
Self-hosted app created for ops.hungrytimes.in
Policy: ALLOW for my email with One-time PIN enabled as login method
Session duration: 1 week
Login method: One-time PIN (tested successfully, OTP is delivered and accepted)
Observed behavior:
When I visit https://ops.hungrytimes.in, I am redirected to https://hungrytimes.cloudflareaccess.com/cdn-cgi/access/login?... and can enter the OTP.
After submitting OTP, instead of being redirected back into the app, the page flashes briefly then ends up at:
https://ops.hungrytimes.in/cdn-cgi/access/login?...
which returns HTTP ERROR 404.
curl -I https://ops.hungrytimes.in shows a 302 to Cloudflare Access, so the redirect is happening, but the application itself isn’t being found.
This happens in both normal and private/incognito browsers, after clearing cookies, and across different networks.
Notes:
The backend/API at api-ops.hungrytimes.in works fine (returns 200 with JSON).
Tunnel is healthy (cloudflared is running).
Access application policies and login methods are already in place (ALLOW + OTP).
I am on the Free Zero Trust plan.
Question:
Why does the login flow redirect me back to /cdn-cgi/access/login on my origin instead of completing authentication? Is this a configuration issue, or is it related to plan limitations (e.g. Free vs. Paid)?
Tunnel configuration:
ops.hungrytimes.in → http://127.0.0.1:80
api-ops.hungrytimes.in → http://127.0.0.1:5000
DNS records:
Both ops and api-ops are CNAMEs pointing to the tunnel UUID, proxied (orange cloud).
Access Application:
Self-hosted app created for ops.hungrytimes.in
Policy: ALLOW for my email with One-time PIN enabled as login method
Session duration: 1 week
Login method: One-time PIN (tested successfully, OTP is delivered and accepted)
Observed behavior:
When I visit https://ops.hungrytimes.in, I am redirected to https://hungrytimes.cloudflareaccess.com/cdn-cgi/access/login?... and can enter the OTP.
After submitting OTP, instead of being redirected back into the app, the page flashes briefly then ends up at:
https://ops.hungrytimes.in/cdn-cgi/access/login?...
which returns HTTP ERROR 404.
curl -I https://ops.hungrytimes.in shows a 302 to Cloudflare Access, so the redirect is happening, but the application itself isn’t being found.
This happens in both normal and private/incognito browsers, after clearing cookies, and across different networks.
Notes:
The backend/API at api-ops.hungrytimes.in works fine (returns 200 with JSON).
Tunnel is healthy (cloudflared is running).
Access application policies and login methods are already in place (ALLOW + OTP).
I am on the Free Zero Trust plan.
Question:
Why does the login flow redirect me back to /cdn-cgi/access/login on my origin instead of completing authentication? Is this a configuration issue, or is it related to plan limitations (e.g. Free vs. Paid)?
Welcome to the official Cloudflare Developers server. Here you can ask for help and stay updated with the latest news
85,042Members
Resources
Was this page helpful?
