Secure a private IP or hostname
You can configure a self-hosted Access application to manage access to specific IPs or hostnames on your private network.
- Private IPs and hostnames are reachable over Cloudflare WARP, Magic WAN or Browser Isolation. For more details, refer to Connect a private network.
- Private hostnames route to your custom DNS resolver through Local Domain Fallback or Gateway resolver policies.
- Gateway TLS decryption must be enabled if you would like to present a login page in the browser and issue an authorization JWT to your origin. Otherwise, users will receive a pop-up notification from the WARP client and all session management will be handled in the WARP client.
-
In Zero Trust ↗, go to Access > Applications.
-
Select Add an application.
-
Select Self-hosted.
-
Enter any name for the application.
-
In Session Duration, choose how often the user's application token should expire.
Cloudflare checks every HTTPS request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to Session management. If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the WARP client per application.
-
Add the private IP and/or private hostname that represents the application. You can use wildcards with private hostnames to protect multiple parts of an application that share a root path.
-
Add Access policies to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
-
Configure how users will authenticate:
-
Select the Identity providers you want to enable for your application.
-
(Recommended) If you plan to only allow access via a single IdP, turn on Instant Auth. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
-
(Recommended) Turn on WARP authentication identity to allow users to authenticate to the application using their WARP session identity. We recommend turning this on if your application is not in the browser and cannot handle a
302
redirect.
-
-
Select Next.
-
(Optional) Configure App Launcher settings for the application.
-
Under Block page, choose what end users will see when they are denied access to the application:
- Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is
That account does not have access
, or you can enter a custom message. - Redirect URL: Redirect to the specified website.
- Custom page template: Display a custom block page hosted in Zero Trust.
- Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is
-
Select Next.
-
(Optional) Configure advanced settings. These settings only apply to private hostnames and require Gateway TLS decryption.
- Cross-Origin Resource Sharing (CORS) settings
- Cookie settings
- Browser rendering settings:
- 401 Response for Service Auth policies: Return a
401
response code when a user (or machine) makes a request to the application without the correct service token.
-
Select Save.
Users can now connect to your private application after authenticating with Cloudflare Access.
By default, Cloudflare will evaluate a private application's Access policies after evaluating all Gateway network policies. To evaluate Access private applications before or after specific Gateway policies, create the following Gateway network policy:
Selector | Operator | Value | Action |
---|---|---|---|
All Access Private Apps | is | Enabled | Allow |
You can now drag and drop this policy in the Gateway policy builder to change its order of precedence.