#Issue with cloudflare access allowing my tcp service to other machines.

Hello!
I successfully set up a cloudflare tunnel that goes from my m2 machine to m3 and m4. However i was told to use cloudflare access tokens in order to make everything more secure. The tunnels have been provided the user and key required however as soon as i deploy the application i seem to be getting issues.

Jul 23 16:39:58 ZeanoxM4 cloudflared[822]: 2024-07-23T15:39:58Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://example.mydomain.dev/

Is there anything i am missing from the application i need to select or change? As well as that when the connection is active it completely bricks every single machine and makes them unusable.

Any help would be greatly appriciated!

e cloudflare access tokens
You mean service tokens? I'm not sure how they would work with that, they require headers on the request to bypass access

failed to connect to origin error="websocket: bad handshake" originURL=https://example.mydomain.dev/
something's blocking the websocket entirely. Either a misconfigured policy to try to enforce tokens or something else on your website (like the waf, etc). Does it work without the policy?
As well as that when the connection is active it completely bricks every single machine and makes them unusable.
What command are you using?

Thats the command that it runs i just restart the service
And yeah sorry i do mean the service tokens.
And it works completely fine without the policy 🙂

show me the policy? Is it service auth?

So in app launcher is disabled warp authentication and identity providers are disabled.

needs to be action: "Service Auth"

Okay no worries and for the 401 responce just leave that off?

you could turn it on, doesn't matter too much, might make errors from cloudflared better. It's just a way if they don't meet the policy to 401 instead of giving it a login screen

Amazing that has fixed it thank you so much for your help!!

"Allow" always forces identity / through an identity provider, even if the service auth policy let them through because they had the right headers, still needed to login to google/etc to get an identity. Service Auth lets you skip the identity part

Ahh i understand, im assuming this wont be the case for ssh access?

As id like to confirm both

it's just how policy actions work in general. What do you mean for ssh access?

So next thing id be setting up is allowing certain users ssh access with the use of there warp device and a login

However not too sure how it would work using an external terminal such as mobaxterm