Cloudflare Access is a new attractive feature from Cloudflare, based more or less on Google's BeyondCorp (a reverse-proxy with login which should replace VPN in accessing internal network applications).
I am concerned about how secure their implementation really is.
The idea behind BeyondCorp is that the server should be on the "edge" of the network, where the protected application server does not have any public IPs and cannot be accessed directly from the internet.
In the case of Cloudflare's implementation, the application server must have a public IP (as with the rest of their CDN services) and it is "hidden" by their own IPs.
The hidden IP can be mistakenly exposed (even by some JavaScript) or detected by some other techniques. And even if your application has a firewall which limits traffic to only Cloudflare IPs, those IPs can be spoofed.
Am I missing something?
Hopefully someone from Cloudflare would address those concerns.
Thanks