Which pages are affected?
What is wrong?
The "Origin configuration" section teaches that a top-level originRequest block sets defaults for all ingress rules, and the access parameter page says to "add the following rule to originRequest" without qualifying where. Following the two pages together, a reasonable reading is that this protects every service behind the tunnel:
originRequest:
access:
required: true
teamName: <team>
audTag:
- <aud>
ingress:
- hostname: app.example.com
service: http://localhost:8000
- service: http_status:404
In reality cloudflared silently ignores a top-level access block. The config validates, no warning is logged, and unauthenticated traffic is forwarded to the origin. The JWT validation middleware is only attached when the access block sits under an individual ingress rule: validateIngress in ingress/ingress.go reads the raw per-rule r.OriginRequest.Access, not the merged defaults (the merge in ingress/config.go copies the top-level block, but its result is never consulted for middleware attachment).
Verified on cloudflared 2026.7.1 with an A/B test against the same hostname (no Access app on the hostname, so no JWT on any request): top-level block returned 200 from the origin; the identical block moved under the ingress rule returned 403 from cloudflared.
This is a known cloudflared behaviour: cloudflare/cloudflared#784 (open since 2022) reports it, and a maintainer described it as "largely intended" because Access rules are tied to hostnames. The docs have not been updated to match, which matters because the failure mode is a security control that users believe is active but is not (see also the last comment on that issue).
Suggested fix
- In the configuration-file partial's "Origin configuration" section, note that
access is an exception to top-level inheritance and must be set on each ingress rule.
- In the origin-parameters partial's
access section, state explicitly that the block must be placed under originRequest of each individual ingress rule, and that a top-level block is not enforced.
Which pages are affected?
(source:
src/content/partials/cloudflare-one/tunnel/locally-managed/configuration-file.mdx)(source:
src/content/partials/cloudflare-one/tunnel/origin-parameters.mdx)What is wrong?
The "Origin configuration" section teaches that a top-level
originRequestblock sets defaults for all ingress rules, and theaccessparameter page says to "add the following rule tooriginRequest" without qualifying where. Following the two pages together, a reasonable reading is that this protects every service behind the tunnel:In reality
cloudflaredsilently ignores a top-levelaccessblock. The config validates, no warning is logged, and unauthenticated traffic is forwarded to the origin. The JWT validation middleware is only attached when theaccessblock sits under an individual ingress rule:validateIngressiningress/ingress.goreads the raw per-ruler.OriginRequest.Access, not the merged defaults (the merge iningress/config.gocopies the top-level block, but its result is never consulted for middleware attachment).Verified on
cloudflared2026.7.1 with an A/B test against the same hostname (no Access app on the hostname, so no JWT on any request): top-level block returned200from the origin; the identical block moved under the ingress rule returned403fromcloudflared.This is a known cloudflared behaviour: cloudflare/cloudflared#784 (open since 2022) reports it, and a maintainer described it as "largely intended" because Access rules are tied to hostnames. The docs have not been updated to match, which matters because the failure mode is a security control that users believe is active but is not (see also the last comment on that issue).
Suggested fix
accessis an exception to top-level inheritance and must be set on each ingress rule.accesssection, state explicitly that the block must be placed underoriginRequestof each individual ingress rule, and that a top-level block is not enforced.