Apparent bug in Umbraco Cloud Public Access feature
Issue description
We are using Umbraco Cloud CMS version 13.8.0
We have been working with Nikitha from Umbraco Support for several weeks now on an issue with the Public Access feature of Umbraco Cloud. We are using an application named Zscaler across our company. For Zscaler we put in the domain name that we are using and Zscaler routes all the traffic to that domain name through a set range of IP addresses. At this point we have had two test sessions of the Public Access feature. In both sessions we put the domain name of our development site into Zscaler and then we put the IP address range into the Umbraco Cloud Allowlist. We also set the Umbraco Cloud dev site to "Basic Authentication" in the "On" position. In both of these sessions we were able to navigate without login to the dev site when we were on Zscaler. This is correct, this is what we expect and want. The problem is that when we try to navigate to another page within the dev website from the page that we are on or if we refresh the page that we are on, we are then given the standard Umbraco ID login page. This behavior is only expected when someone is trying to navigate to the dev site from outside of Zscaler or in other words outside of the IP range that Zscaler sends everyone through when navigating to the domain.
The pattern of this problem has been consistent for both test sessions. The second test session was during a call with Nikitha and Davis Hedgepeth from Umbraco and they observed what I am describing. Since then Nikitha has communicated regularly with developers on the Umbraco side and she recently responded that "our developers have noted that this appears to be a bug with the Public Access feature." Nikitha went on to recommend that I open this issue to track and fix the apparent bug.
Please reach out to me for any further details and with any follow-up questions. As I have said, we have been working this issue for several weeks now and it would be good if we could confirm that this is indeed due to a bug and if so if we could find out an approximate timeline in which the problem can be identified and fixed.
Thanks, Greg
Hi @gcotterman
Thanks for reporting the issue. It does sound really weird, and this is something we haven't seen before.
Is there any way that you can confirm that the IP address when routing through Zscaler is the same on every request, and that the domain remains the same as the expected one?
Could the Zscaler application maybe strip some headers away from the requests?
As all traffic is routed via Cloudflare, we start by looking for the whitelisted IP addresses in the header called CF-Connecting-IP - this is what Cloudflare's routing system ends up putting in the original IP. If this header for some reason is removed, we can't check the original IP address that requested the webpages. All traffic would look like it comes from a Cloudflare IP, over your original IP.
Hi @mikkelhm
Thanks for your thoughtful response. We reached out to Zscaler support today and ended up getting on an hour-long Zoom call. We did some testing and found something that could account for some of the inconsistency that we are seeing. We have another Zoom call planned for 3:00 pm ET Wednesday. I don't know your time zone but I am guessing that you are in Europe so it seems unlikely that the time of this meeting will work for you but if it does please let me know. It would be good to have a direct dialog with the Zscaler team if possible. Also, if you get this before this meeting and if you can't attend the meeting could you please respond with any specific questions that you want me to pass on to Zscaler support? I appreciate your attention to this.
Hi @mikkelhm
This is an update on my previous comment. We have decided to hold off on working on solving this issue with Zscaler until after our new website/brand launch which is planned for June 17. Would it be possible to put this issue on hold until approximately the week of June 23? This will allow us to get beyond the launch to a time when we can use the new domain name publicly. Considering the time that has been required to get to this point, I am hoping that waiting another month before continuing won't be a problem. Please let me know your thoughts on this issue and whether you think that this is a reasonable request.
Thanks, Greg
Hi @gcotterman
No problem with waiting, to be honest we haven't done anything to the case for now. I think it sounds reasonable to wait to process any further until you have launched the website.
As for joining support calls with the Zscaler support, I think you need to go to your partner manager at Umbraco, to schedule such - we would normally not do so.
As for the issue in question - It does look like they are doing something when doing the connection, so the questions to them would be:
- Are you altering the headers on requests going through Zscaler, such as adding/removing headers to the requests?
- Are the requests altered between the first request to a website and the following requests?
Kind regards - Mikkel
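
The check on CF-Connecting-IP described in the thread, and the two questions for Zscaler, can be tested against a capture of the requests from one browsing session. The following is an added example, not Umbraco's code and not part of the original thread; the allowlist range, the request records and the function names are constructed assumptions, and it assumes the allowlist decision depends only on the CF-Connecting-IP header.

```python
import ipaddress

# Constructed allowlist range (documentation addresses, not real Zscaler egress IPs).
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed requests from one browsing session: first page load, then navigation/refresh.
SAMPLE_REQUESTS = [
    {"path": "/", "headers": {"CF-Connecting-IP": "203.0.113.5"}},
    {"path": "/about", "headers": {"CF-Connecting-IP": "198.51.100.77"}},
    {"path": "/", "headers": {"cf-connecting-ip": "203.0.113.9"}},
    {"path": "/contact", "headers": {}},
    {"path": "/news", "headers": {"CF-Connecting-IP": "not-an-ip"}},
]

def classify(request, allowlist=ALLOWLIST):
    """Return why a request would or would not match the allowlist."""
    # Header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in request["headers"].items()}
    raw = headers.get("cf-connecting-ip")
    if raw is None:
        return "header-missing"        # stripped somewhere on the path
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "header-invalid"        # present but altered or malformed
    if any(ip in net for net in allowlist):
        return "allowed"
    return "outside-allowlist"         # egress IP changed between requests

def summarize(requests, allowlist=ALLOWLIST):
    """Per-request verdicts plus the distinct client IPs seen in the session."""
    verdicts = [(r["path"], classify(r, allowlist)) for r in requests]
    seen = set()
    for r in requests:
        for name, value in r["headers"].items():
            if name.lower() == "cf-connecting-ip":
                seen.add(value.strip())
    return verdicts, sorted(seen)

if __name__ == "__main__":
    verdicts, ips = summarize(SAMPLE_REQUESTS)
    for path, verdict in verdicts:
        print(f"{path:10} {verdict}")
    print("distinct CF-Connecting-IP values:", ips)
```

More than one distinct value, or any verdict other than `allowed` after the first request, matches the symptom reported above: the first page loads without login and a later navigation or refresh shows the login page.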