Common Bypass Use Cases

Bypass Policies

Bypass policies designate an endpoint that Access will not protect. Common uses of bypass policies include opening up a particular endpoint so a third-party service can reach that destination, while protecting the rest of your site.

We have provided steps for common third-party service configurations that you may want to set up with an Access bypass policy.

Please carefully review all bypass policies that are created on your account to ensure that holes are not accidentally created for sections of your site that should otherwise be protected.

WordPress

WordPress relies on a standard endpoint to confirm a site is functional and provide some additional functionality via AJAX.

Once you have created a policy to lock down your application, follow the steps below to create a second policy so that traffic can reach the specific route required.

  • Create a new Access Policy; enter an Application Name like “WordPress Bypass”.
  • In the path field, input wp-admin/admin-ajax.php or the path specified by WordPress.
  • Under Assigned Policies, give the new policy a name like “Bypass Rule”.
  • Under Decision, select “Bypass”.
  • Create an Include Rule and select “Everyone”.
  • Save the rule.

Let’s Encrypt

Let’s Encrypt uses a remote server to read a file stored in a specific path on the origin to validate certificates. However, Access will block those requests if you have configured a policy that applies to the site at that path or any level higher in the hierarchy.

Once you have created a policy to lock down your application, follow the steps below to create a second policy so that traffic can reach the specific route required.

  • Create a new Access Policy; enter an Application Name like “Let’s Encrypt Bypass”.
  • In the path field, input the route (typically .well-known/acme-challenge/).
  • Under Assigned Policies, give the new policy a name like “Bypass Rule”.
  • Under Decision, select “Bypass”.
  • Create an Include Rule and select “Everyone”.
  • Save the rule.
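
The review of bypass policies recommended above can be partly automated. The following is an added example, not Cloudflare's own code: it audits a constructed export of applications and policies and flags any Bypass decision whose path is wider than the two endpoints documented on this page. The export layout and field names (name, path, policies, decision) are assumptions for illustration, not the Access API schema.

```python
from posixpath import normpath

# Paths this page documents as legitimate bypass targets.
EXPECTED_BYPASS_PATHS = ("wp-admin/admin-ajax.php", ".well-known/acme-challenge")

# Constructed sample export; field names are assumptions, not an API schema.
SAMPLE_APPS = [
    {"name": "Site", "path": "",
     "policies": [{"name": "Staff", "decision": "allow"}]},
    {"name": "WordPress Bypass", "path": "wp-admin/admin-ajax.php",
     "policies": [{"name": "Bypass Rule", "decision": "bypass"}]},
    {"name": "Let's Encrypt Bypass", "path": ".well-known/acme-challenge/",
     "policies": [{"name": "Bypass Rule", "decision": "bypass"}]},
    {"name": "Too Broad", "path": "wp-admin/",
     "policies": [{"name": "Bypass Rule", "decision": "bypass"}]},
    {"name": "Whole Site", "path": "/",
     "policies": [{"name": "Bypass Rule", "decision": "bypass"}]},
]

def clean(path):
    """Normalize a path: drop outer slashes, collapse '.', '..' and '//'."""
    return normpath("/" + path.strip().strip("/")).lstrip("/")

def is_narrow(path):
    """True if path equals an expected bypass path or lies beneath one."""
    p = clean(path)
    return any(p == e or p.startswith(e + "/") for e in EXPECTED_BYPASS_PATHS)

def audit(apps):
    """Return (application, policy, reason) for every risky bypass policy."""
    findings = []
    for app in apps:
        p = clean(app["path"])
        for pol in app["policies"]:
            if pol["decision"].lower() != "bypass":
                continue  # only Bypass decisions remove Access protection
            if p == "":
                findings.append((app["name"], pol["name"], "bypasses the whole site"))
            elif not is_narrow(p):
                findings.append((app["name"], pol["name"], f"unexpected bypass path '{p}'"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_APPS):
        print(" | ".join(finding))
```

Because a policy applies to its path and everything beneath it, the check accepts only paths equal to or narrower than the expected endpoints; a bypass on wp-admin/ is flagged even though it contains admin-ajax.php.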