Cloudflare Access: Internal CMS API Security¶
Cloudflare Access is used to block all public inbound traffic to the internal CMS API endpoints (/api/internal/*). These endpoints are intended for server-to-server communication only and should never be reachable directly from the public internet.
Problem¶
The internal API endpoints of Brekz CMS were publicly accessible. Endpoints under /api/internal/* are intended for server-to-server communication (e.g. brekz-website to brekz-cms) and should never be reachable directly from the public internet.
Solution¶
Cloudflare Access blocks all public inbound traffic to /api/internal/*. Only traffic arriving via Cloudflare WARP (from the Flooris datacenter servers FL09/FL10) and internal service-to-service calls are allowed through. Access evaluates requests at the Cloudflare edge, so the block only covers requests that are proxied through Cloudflare for the brekz-cms hostname; the application-side IsInternalServiceApiCallMiddleware stays in place on these routes.
Technical Details¶
Routes¶
The internal routes are grouped under the IsInternalServiceApiCallMiddleware middleware with the internal prefix. Refer to routes/api.php in the brekz-cms repository for the current list of routes.
Cloudflare Access Application¶
| Field | Value |
|---|---|
| Name | Brekz CMS - Internal API blocking |
| Subdomain | brekz-cms |
| Domain | ftest.nl / brekz.nl |
| Path | api/internal/* |
| Session duration | No duration (expires immediately); every request is re-evaluated against the policy |
| Login methods | Accept all available identity providers |
| AUD Tag | cf93fd2908492f7547413b9fe623c72371eff528e429453952163d8eb1df4165 |
Local Development¶
Cloudflare Access does not apply to local environments. To force requests to go directly to the local CMS instead of over the internet, point CMS_BASE_URL in your .env to the local service URL (e.g. the internal Docker network hostname). This bypasses Cloudflare entirely and ensures requests stay within your local stack.
Rollout Status¶
| Environment | Status |
|---|---|
| Test (ftest.nl) | Active and verified |
| Accept | Pending |
| Production | Pending |
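"Active and verified" should mean an unauthenticated request from the public internet to a route under /api/internal/* never reaches the origin. The following is an added check script for that, not code from the brekz-cms project or from Cloudflare: it sends one request without following redirects and classifies the answer. It assumes Access answers an unauthenticated request either with a redirect to the team's *.cloudflareaccess.com login page or with HTTP 401/403; the hostname, the team name in the sample and the `/api/internal/health` path are placeholders (take a real path from routes/api.php).

```python
"""Rollout check for the Cloudflare Access block on /api/internal/*.

Added example, not part of brekz-cms. Assumptions:
- an unauthenticated request is answered by Access with a redirect to
  <team>.cloudflareaccess.com or with HTTP 401/403,
- the hostname and route path passed in are placeholders.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

CLOUDFLARE_ACCESS_SUFFIX = ".cloudflareaccess.com"


@dataclass
class Verdict:
    blocked: bool
    reason: str


def classify(status: int, headers: dict[str, str]) -> Verdict:
    """Decide from status and response headers whether Access enforced the block.

    Header names are matched case-insensitively. Any status other than a
    redirect to the Access login page or a 401/403 means the request was
    answered by the origin (200, 404, 500, ...) and the route is reachable.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    location = lower.get("location", "")
    if status in (301, 302, 303, 307, 308):
        host = urllib.parse.urlsplit(location).hostname or ""
        if host.endswith(CLOUDFLARE_ACCESS_SUFFIX):
            return Verdict(True, f"redirected to Access login at {host}")
        return Verdict(False, f"redirected elsewhere: {location or '<no Location header>'}")
    if status in (401, 403):
        return Verdict(True, f"denied with HTTP {status}")
    return Verdict(False, f"answered by the origin with HTTP {status}: route is publicly reachable")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them (we need the Location)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> tuple[int, dict[str, str]]:
    """Send one unauthenticated GET and return (status, headers) without redirecting."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "access-rollout-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, dict(err.headers.items())


def check_block(url: str) -> Verdict:
    status, headers = probe(url)
    return classify(status, headers)


if __name__ == "__main__":
    # Placeholder URL: substitute the environment's hostname and a real internal route.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://brekz-cms.ftest.nl/api/internal/health"
    verdict = check_block(target)
    print(("BLOCKED" if verdict.blocked else "OPEN") + ": " + verdict.reason)
    sys.exit(0 if verdict.blocked else 1)
```

Run it from a machine that is not enrolled in WARP; a 404 or 500 counts as OPEN because the request still reached the origin. Run it once more from FL09/FL10 after the WARP policy is in place and expect the opposite result there, which confirms the allow path as well as the block.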
WARP Policy (FL09 / FL10)¶
Flooris datacenter servers FL09 and FL10 need to be allowed through the Access block via a Cloudflare WARP device policy, so that internal server-to-server traffic is not blocked.
To configure: Cloudflare Zero Trust > Settings > WARP Client > Device enrollment rules.
Related ClickUp Task¶
Cloudflare Access: Internal CMS API security - deploy to accept + prod + configure Warp policy