You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server.

Prerequisites

1. Add your application to Access

2. Connect your origin to Cloudflare

Set up a Cloudflare Tunnel to publish your internal application. Only users who match your Access policies will be granted access.

Note: We recommend creating an Access application before setting up the tunnel route. If you do not have an Access application in place, public hostname routes in Tunnel are available to anyone on the Internet.

If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using other methods.

To secure your origin, you must validate the application token issued by Cloudflare Access. Token validation ensures that any requests which bypass Cloudflare Access (for example, due to a network misconfiguration) are rejected.

One option is to configure the Cloudflare Tunnel daemon, cloudflared, to validate the token on your behalf. This is done by enabling Protect with Access in your Cloudflare Tunnel settings. Alternatively, if you do not wish to perform automatic validation with Cloudflare Tunnel, you can instead manually configure your origin to check all requests for a valid token.
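The manual option, as an added example that is not Cloudflare's own code: the checks an origin applies to the token Access sends in the `Cf-Access-Jwt-Assertion` request header, namely a pinned RS256 algorithm, a known signing key ID, the signature, and then the issuer, expiry and audience (AUD tag) claims. The names `verify`, `mint` and `demoKey`, and the issuer, AUD and timestamp values, are constructed for the demo; a real origin loads the public keys from its team domain's `/cdn-cgi/access/certs` endpoint and passes the current Unix time as `now`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// verify checks, in order: pinned alg, known key ID, signature, then issuer, expiry, audience.
func verify(tok string, keys map[string]*rsa.PublicKey, iss, aud string, now int64) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	var h struct{ Alg, Kid string }
	hb, _ := b64.DecodeString(p[0])
	if json.Unmarshal(hb, &h) != nil || h.Alg != "RS256" || keys[h.Kid] == nil {
		return fmt.Errorf("unexpected alg or unknown key ID") // alg is pinned, never chosen by the token
	}
	sig, _ := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(keys[h.Kid], crypto.SHA256, sum[:], sig) != nil {
		return fmt.Errorf("bad signature")
	}
	var c struct{ Iss string; Aud []string; Exp int64 }
	cb, _ := b64.DecodeString(p[1])
	if json.Unmarshal(cb, &c) != nil || c.Iss != iss || now >= c.Exp || !slices.Contains(c.Aud, aud) {
		return fmt.Errorf("issuer, audience or expiry rejected")
	}
	return nil
}

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key standing in for an Access signing key
func mint(hdr, claims string) string { // signs a constructed demo token; real tokens are signed by Cloudflare
	in := b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString([]byte(claims))
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, demoKey, crypto.SHA256, sum[:])
	return in + "." + b64.EncodeToString(sig)
}
func main() { // constructed issuer, AUD tag and timestamps
	tok := mint(`{"alg":"RS256","kid":"k1"}`, `{"iss":"https://example.cloudflareaccess.com","aud":["demo-aud"],"exp":2000}`)
	fmt.Println("verify error:", verify(tok, map[string]*rsa.PublicKey{"k1": &demoKey.PublicKey}, "https://example.cloudflareaccess.com", "demo-aud", 1000))
}
```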

Users can now connect to your self-hosted application after authenticating with Cloudflare Access.

Product compatibility

When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.

However, the following products are not supported:

You can disable Automatic Signed Exchanges and Zaraz for a specific application - instead of across your entire zone - using a Configuration Rule scoped to the application domain.