I have a Cloudflare Tunnel with two subdomains. I need one of them to be public and the other one to be blocked if the source isn't my IP. I created a network policy that says `if SNI Domain is admin.example.com` (that is the subdomain that I need to be blocked for other IPs) `and Source IP is not <my ip> then Block`. This works for the Source IP part, but it also is blocking my other subdomain from any other IP, so the `SNI Domain is admin.example.com` is not doing what I need. What needs to be changed for this to work?

2 Answers
Based on the information provided, it looks like the issue is with the network policy you have created in Cloudflare Tunnel. The policy you have described is blocking traffic to the admin.example.com subdomain if the source IP is not your IP, but it is also blocking traffic to the other subdomain if the source IP is not your IP. This is likely because the policy is applying to all traffic, regardless of the subdomain it is going to.
To fix this issue, you will need to update your network policy to only apply to traffic going to the admin.example.com subdomain. This can be done by adding a condition to the policy that matches the subdomain of the incoming traffic. For example, you can use the SNI Domain condition to match traffic going to the admin.example.com subdomain.
Here is an example of how the updated network policy might look:
`if SNI Domain is admin.example.com and Source IP is not <my ip> then Block`
This updated policy will only apply to traffic going to the admin.example.com subdomain, and will block traffic from any source IP that is not your IP. This should allow the other subdomain to be accessed from any source IP, while still blocking access to the admin.example.com subdomain from other IPs.
It's also worth noting that you can use the SNI Domain condition to match multiple subdomains at once, if you have more than one subdomain that you want to block access to. For example, you could use a condition like this to block access to both the admin.example.com and secure.example.com subdomains:
`if SNI Domain is admin.example.com or SNI Domain is secure.example.com and Source IP is not <my ip> then Block`
This will block access to both subdomains if the source IP is not your IP, while allowing access to other subdomains. You can adjust the conditions in the network policy as needed to match your specific requirements.

`if SNI Domain is admin.example.com and Source IP is not <my ip> then Block` is what I already have. That's why I'm confused, it should only be blocking the `admin` subdomain, but it's blocking everything. – Globe Dec 11 '22 at 17:01

Where does the SNI Domain come from? My SSL certificate covers all of the subdomains and main domain so that may be the issue. What other variable can I use to check? – Globe Dec 11 '22 at 17:07
It turns out I was using the wrong area for policies. Instead of Gateway -> Policies -> Network Policy, I needed to create an application (Access -> Applications -> Add an Application) for the admin subdomain. Then that application allows me to limit the IP ranges.
