[Gateway] Proxy Happy Eyeballs algorithm (#19432)

maxvp · ranbel · deadlypants1973 · commit 06b44d94967e · 2025-01-29T15:29:16.000Z
Co-authored-by: ranbel &lt;101146722+ranbel@users.noreply.github.com&gt;
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx
@@ -13,7 +13,7 @@ Only available on Enterprise plans.
 
 You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file.
 
-<GlossaryDefinition term="PAC file" prepend="A PAC file is" />
+<GlossaryDefinition term="PAC file" prepend="A PAC file is " />
 
 When end users visit a website, their browser will send the request to a Cloudflare proxy server associated with your account to be filtered by Gateway. Note that Gateway [cannot filter every type of HTTP traffic](#limitations) proxied using PAC files.
 
@@ -215,19 +215,17 @@ To get the domain of a proxy endpoint:
    --header "Authorization: Bearer <API_TOKEN>"
    ```
 
-   ```json {10} output
+   ```json {8} output
    {
-    "success": true,
-    "result": {
-      "id": "ed35569b41ce4d1facfe683550f54086",
-      "created_at": "2014-01-01T05:20:00.12345Z",
-      "ips": [
-        "192.0.2.1/32"
-      ],
-      "name": "DevOps team",
-      "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
-      "updated_at": "2014-01-01T05:20:00.12345Z"
-    }
+   	"success": true,
+   	"result": {
+   		"id": "ed35569b41ce4d1facfe683550f54086",
+   		"created_at": "2014-01-01T05:20:00.12345Z",
+   		"ips": ["192.0.2.1/32"],
+   		"name": "DevOps team",
+   		"subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
+   		"updated_at": "2014-01-01T05:20:00.12345Z"
+   	}
    }
    ```
 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx b/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx
@@ -11,7 +11,38 @@ You can forward [HTTP](/cloudflare-one/policies/gateway/initial-setup/http/) and
 
 The Gateway proxy is required for filtering HTTP and network traffic via the WARP client in Gateway with WARP mode. To proxy HTTP traffic without deploying the WARP client, you can configure [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/) on your devices.
 
-## Proxy protocols
+## Proxy algorithm
+
+Gateway uses the [Happy Eyeballs algorithm](https://datatracker.ietf.org/doc/html/rfc6555) to proxy traffic in the following order:
+
+1. The user's browser initiates the TCP handshake by sending Gateway a TCP SYN segment.
+2. Gateway sends a SYN segment to the origin server.
+3. If the origin server sends a SYN-ACK segment back, Gateway establishes distinct TCP connections between the user and Gateway and between Gateway and the origin server.
+4. Gateway inspects and filters traffic received from the user.
+5. If the traffic passes inspection, Gateway proxies traffic bidirectionally between the user and the origin server.
+
+```mermaid
+flowchart TD
+    %% Accessibility
+    accTitle: How Gateway proxy works
+    accDescr: Flowchart describing how the Gateway proxy uses the Happy Eyeballs algorithm to establish TCP connections and proxy user traffic.
+
+    %% Flowchart
+    A[User's device sends TCP SYN to Gateway] --> B[Gateway sends TCP SYN to origin server]
+    B --> C{{Origin server responds with TCP SYN-ACK?}}
+    C -->|Yes| E[TCP handshakes completed]
+    C -->|No| D[Connection fails]
+    E --> F{{Connection allowed?}}
+    F -->|Yes| G[Gateway proxies traffic bidirectionally]
+    F -->|No| H[Connection blocked by firewall policies]
+
+    %% Styling
+    style D stroke:#D50000
+    style G stroke:#00C853
+    style H stroke:#D50000
+```
+
+## Supported protocols
 
 Gateway supports proxying TCP, UDP, and ICMP traffic.
 
