Running Hudu on a self-hosted server offers flexibility and control, but it also introduces potential exposure if your instance is accessible directly over the internet.
By placing Hudu behind Cloudflare Zero Trust, you can restrict access to authorized users and enforce identity-based authentication.
This guide walks through how to secure your Hudu deployment using Cloudflare Access, and how to correctly configure application bypass and policy routes based on Hudu’s internal endpoints.
Prerequisites
Before you begin, ensure you have:
A running Hudu instance (self-hosted);
A domain or subdomain (e.g. docs.yourcompany.com) managed by Cloudflare;
Access to Cloudflare Zero Trust Dashboard (https://one.dash.cloudflare.com);
Admin privileges for Hudu and Cloudflare.
Concept: How Cloudflare Zero Trust Works
Cloudflare Zero Trust (Access) functions as an identity-aware proxy that:
Intercepts all requests to your protected domain.
Authenticates users via identity providers (Google Workspace, Azure AD, Okta, etc.).
Applies allow/bypass rules based on specific URLs or paths.
Forwards allowed traffic securely to your origin server (your Hudu instance).
This means that even though your Hudu instance remains publicly routable, no request can reach it unless it’s authenticated through Cloudflare’s layer.
Setting Up Cloudflare Access for Hudu
Step 1 - Add an Application
In the Cloudflare Zero Trust dashboard:
Navigate to Access → Applications → Add an application;
Choose Self-hosted;
Give it a name, e.g. Hudu Docs;
Set the Application Domain to your Hudu URL, e.g. docs.yourcompany.com.
Step 2 - Define Access Policy
You’ll now define who can access the application.
Example policy:
Include: Emails ending in @yourcompany.com
Require: SSO authentication via your IDP
Exclude: (Optional) Service accounts or testing groups
Configuring Bypass and Allow Routes
Some Hudu paths need to remain unrestricted (bypassed) so the application works correctly — particularly for sharing, manifests, or integrations.
Below are recommended configurations for the main application:
| Application URL | Policy Type |
|---|---|
| / | Allow – assign to your authenticated group |
| /manifest.json | Bypass – required for PWA and browser compatibility |
| /secure_notes, /shared, /otp_shared_access, /shared_article | Bypass – allow access for public sharing; doesn’t take up a license |
| /public_photo | Bypass – allow access to view uploaded photos |
| /app_assets | Bypass – static assets such as JS/CSS |
| /api/v1 | Bypass or Allow – depends on your integration setup |
For external apps and extensions:
| Application URL | Policy Type |
|---|---|
| /jwt/refresh | Bypass – token refresh requests |
| /external_apps/* | Bypass – general endpoints for external apps/extensions |
| /external_apps/companies, /external_apps/passwords, /external_apps/vault_passwords, /external_apps/password_folders, /external_apps/articles, /external_apps/article_folders, /external_apps/pins, /external_apps/styles | Bypass – these will allow access to specific endpoints |
⚠️ If you wish to restrict which external apps/extensions can access your Hudu instance, skip the wildcard /external_apps/* bypass and specify only the paths required by your extensions.
Building the Rules in Cloudflare
In Cloudflare Zero Trust → Access → Applications:
Click Add an Application → Self-hosted;
Set the Application Domain to your Hudu subdomain (e.g. docs.yourcompany.com);
Under Paths, define the specific endpoint — e.g. /manifest.json;
Create a Bypass Policy (→ Add rule → Include → Everyone → Action: Bypass);
Save and repeat for each additional path requiring Bypass.
Tip: Keep your “Bypass” routes narrowly scoped. For example, restrict them to /manifest.json or /shared_article to avoid exposing unnecessary parts of your Hudu instance.
How This Works
Each “application” in Cloudflare Access corresponds to a domain or subdomain pattern (e.g. docs.yourcompany.com/manifest.json) and has its own policy.
When a request matches that path, Cloudflare enforces the rule attached to it, whether it’s Bypass, Allow, or Block.
Because of this design, you’ll create multiple small Access Applications for your Hudu instance:
One for your main application (/)
One for each bypass endpoint (like /manifest.json or /shared_article)
One for any external app integrations
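The route tables above can be checked offline before the rules are built in the dashboard. The following is an added example, not Hudu's or Cloudflare's code: it models the tables from this page and compares the wildcard /external_apps/* bypass with a scoped list. Assumptions: the most specific path wins and rules match on "/" boundaries; the `covers`, `resolve` and `audit` helpers, the choice of scoped endpoints, and the list of paths expected to require login are constructed for illustration.

```python
"""Offline model of the Access route tables on this page (added example)."""

# Path -> decision, copied from the tables above. "/api/v1" is left out
# because the page makes its policy depend on the integration setup.
BASE = {
    "/": "allow", "/manifest.json": "bypass", "/secure_notes": "bypass",
    "/shared": "bypass", "/otp_shared_access": "bypass",
    "/shared_article": "bypass", "/public_photo": "bypass",
    "/app_assets": "bypass", "/jwt/refresh": "bypass",
}
WILDCARD = {**BASE, "/external_apps/*": "bypass"}
# Scoped variant: bypass only the endpoints an extension needs (constructed pick).
SCOPED = {**BASE, "/external_apps/passwords": "bypass",
          "/external_apps/articles": "bypass"}


def covers(rule: str, path: str) -> bool:
    """Assumed semantics: a rule covers its own path and its sub-paths, split
    on '/' boundaries, so '/shared' does not cover '/shared_article'."""
    base = rule[:-2] if rule.endswith("/*") else rule.rstrip("/")
    return path == base or path.startswith(base + "/")


def resolve(routes: dict, path: str) -> str:
    """Return the decision of the most specific (longest) covering rule."""
    path = path.split("?", 1)[0]  # the query string is not part of the path
    hits = [r for r in routes if covers(r, path)]
    # "block" only applies to a table that has no root ("/") application.
    return routes[max(hits, key=len)] if hits else "block"


def audit(routes: dict, must_authenticate: list) -> list:
    """Findings: wildcard bypass rules, and paths reachable without login."""
    findings = [f"wildcard bypass: {r}" for r, d in routes.items()
                if d == "bypass" and r.endswith("*")]
    findings += [f"unauthenticated: {p}" for p in must_authenticate
                 if resolve(routes, p) == "bypass"]
    return findings


if __name__ == "__main__":
    # Constructed list of paths this deployment expects to sit behind SSO.
    protected = ["/", "/external_apps/pins"]
    for name, table in (("wildcard", WILDCARD), ("scoped", SCOPED)):
        print(name, audit(table, protected))
```

An empty findings list for the scoped table means every path on the protected list still resolves to the Allow policy on /.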
Securing your self-hosted Hudu behind Cloudflare Zero Trust strengthens access control while keeping the user experience seamless.
By verifying your domain, creating distinct Access Applications, and applying precise Allow and Bypass rules, you ensure Hudu stays protected without breaking external applications or shared content.
Learn more in Cloudflare’s Access Policy documentation.