You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx
+29-3Lines changed: 29 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,7 +17,7 @@ Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/l
17
17
18
18
When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/).
19
19
20
-
Cloudflare prevents interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/).
20
+
Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. Traffic on-ramped to Gateway with the WARP client will egress from [FedRAMP compliant data centers](#fedramp-compliance). You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/).
21
21
22
22
Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3.
23
23
@@ -115,9 +115,35 @@ When FIPS compliance is enabled, Gateway will only choose [FIPS-compliant cipher
115
115
116
116
FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/policies/gateway/http-policies/http3/). To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/policies/gateway/http-policies/http3/#enable-http3-inspection).
117
117
118
-
### Cipher suites
118
+
##FedRAMP compliance
119
119
120
-
<GlossaryDefinitionterm="cipher suite" />
120
+
When you use the WARP client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic.
121
+
122
+
```mermaid
123
+
flowchart LR
124
+
subgraph s1["Non-FedRAMP data center"]
125
+
n2["WARP TLS encryption terminated"]
126
+
end
127
+
subgraph s2["FedRAMP data center"]
128
+
n3["Gateway TLS encryption (FIPS) terminated"]
129
+
end
130
+
subgraph s3["Private internal network"]
131
+
n5["FedRAMP-compliant cloudflared"]
132
+
n6(["Private server"])
133
+
end
134
+
n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS --> n2
135
+
n2 --> n3
136
+
n3 --> n4(["HTTPS server"])
137
+
n5 --> n3 & n6
138
+
139
+
n5@{ shape: rect}
140
+
```
141
+
142
+
To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/).
143
+
144
+
## Cipher suites
145
+
146
+
<GlossaryDefinitionterm="cipher suite"prepend="A cipher suite is " />
121
147
122
148
The following table lists the default cipher suites Gateway uses for TLS decryption.
0 commit comments