[Gateway] Auth proxy followup (#27101)

Author: maxvp

src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx

@@ -17,7 +17,7 @@ import {
 :::note
 PAC files are only available on Enterprise plans.
 
-Authorization endpoints and PAC file hosting are available to all Enterprise plans during the closed beta period. For access, contact your account team.
+[Authorization endpoints](#authorization-endpoint) and [PAC file hosting](#create-a-hosted-pac-file) are in beta for Enterprise plans. To opt in, contact your account team.
 :::
 
 Proxy endpoints allow you to apply Gateway policies without installing a client on your devices. By configuring a Proxy Auto-Configuration (PAC) file at the browser level, you can route traffic through Gateway for filtering and policy enforcement. Cloudflare supports configuring two types of proxy endpoints: identity-based [authorization endpoints](#authorization-endpoint) and [source IP proxy endpoints](#source-ip-endpoint).
@@ -228,7 +228,7 @@ A PAC file is a text file written in JavaScript that specifies which traffic sho
 For detailed instructions and examples for creating a PAC file, refer to [PAC file best practices](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/best-practices/).
 :::
 
-### Create a hosted PAC file
+### Create a hosted PAC file <Badge text="Beta" variant="caution" />
 
 When you create a PAC file in Cloudflare One, Cloudflare will host it in a publicly accessible Worker. Hosted PAC files are automatically distributed through Cloudflare's global network.
 
@@ -460,19 +460,22 @@ You can modify proxy endpoint settings after creation.
 
 ### Traffic limitations
 
-Source IP proxy endpoints do not support [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) or mTLS authentication.
+Each type of proxy endpoint supports the following features:
 
-Source IP proxy endpoints support TCP traffic, but authorization proxy endpoints only support HTTP/HTTPS. Source IP endpoints support non-HTTP TCP traffic.
+| Feature                                                                             | Source IP endpoint | Authorization endpoint |
+| ----------------------------------------------------------------------------------- | ------------------ | ---------------------- |
+| **HTTP/HTTPS traffic**                                                              | ✅[^1]             | ✅[^1]                 |
+| **Non-HTTP TCP traffic**                                                            | ✅                 | —                      |
+| **UDP traffic**                                                                     | —                  | —                      |
+| **[HTTP3](/cloudflare-one/traffic-policies/http-policies/http3/)**                  | —                  | —                      |
+| **[Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/)** | —                  | ✅                     |
+| **mTLS authentication**                                                             | —                  | —                      |
+| **[Happy Eyeballs](https://datatracker.ietf.org/doc/html/rfc6555)**                 | —                  | —                      |
+| **Browser HTTPS auto-upgrade**                                                      | —[^2]              | —[^2]                  |
 
-Authorization endpoints do not support anything that is not HTTP/HTTPS. That means no other TCP or UDP protocol is supported, including [HTTP3](/cloudflare-one/traffic-policies/http-policies/http3/).
+[^1]: To access plaintext HTTP (non-HTTPS) origins through proxy endpoints, configure them as [self-hosted Access applications](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). This allows users to access HTTP resources while maintaining security through Access policies.
 
-[Happy Eyeballs](https://datatracker.ietf.org/doc/html/rfc6555) is not supported with proxy endpoints.
-
-Proxy endpoints do not support HTTPS when browsers automatically upgrade HTTP requests to HTTPS (such as Chrome's automatic HTTPS upgrades). If you encounter connection issues with sites that are being auto-upgraded, you may need to disable automatic HTTPS upgrades in your browser settings or configure the site as an exception.
-
-:::note
-To access plaintext HTTP (non-HTTPS) origins through proxy endpoints, configure them as [self-hosted Access applications](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). This allows users to access HTTP resources while maintaining security through Access policies.
-:::
+[^2]: Proxy endpoints do not support HTTPS when browsers automatically upgrade HTTP requests to HTTPS (such as Chrome's automatic HTTPS upgrades). If you encounter connection issues with sites that are being auto-upgraded, you may need to disable automatic HTTPS upgrades in your browser settings or configure the site as an exception.
 
 ### Session duration
 

src/content/docs/cloudflare-one/traffic-policies/network-policies/common-policies.mdx

@@ -191,9 +191,13 @@ If your organization blocks traffic by default with a Network policy and you wan
 
 ## Restrict private network access to proxy endpoint users
 
-When using [source IP proxy endpoints](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint), by default all devices added to the proxy endpoint can access your internal applications and services connected through [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). To restrict access to only users connecting through the proxy endpoint from specific source IPs, create the following policies.
+When using proxy endpoints, by default all devices added to the proxy endpoint can access your internal applications and services connected through [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). To restrict access and add an additional layer of security, create the following policies.
 
-### 1. Allow proxy endpoint traffic from specific source IPs
+### Source IP proxy endpoints
+
+When using [source IP proxy endpoints](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint), restrict access to only users connecting through the proxy endpoint from specific source IPs.
+
+#### 1. Allow proxy endpoint traffic from specific source IPs
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
@@ -228,7 +232,7 @@ Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.
 
 </TabItem> </Tabs>
 
-### 2. Block all other proxy endpoint traffic to private network
+#### 2. Block all other proxy endpoint traffic to private network
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
@@ -262,6 +266,79 @@ Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.
 
 </TabItem> </Tabs>
 
+### Authorization proxy endpoints
+
+When using [authorization proxy endpoints](/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint), add an additional layer of security by restricting access to only users connecting from specific source IPs. This prevents unauthorized access even if user credentials are compromised.
+
+#### 1. Allow proxy endpoint traffic from specific source IPs
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+| Selector       | Operator | Value            | Logic | Action |
+| -------------- | -------- | ---------------- | ----- | ------ |
+| Proxy Endpoint | in       | _Proxy Endpoint_ | And   | Allow  |
+| Source IP      | in       | `203.0.113.0/24` | And   |        |
+| Destination IP | in       | `10.0.0.0/8`     |       |        |
+
+</TabItem>
+
+<TabItem label="API">
+
+<APIRequest
+	path="/accounts/{account_id}/gateway/rules"
+	method="POST"
+	json={{
+		name: "Allow authorized proxy endpoint traffic from specific source IPs",
+		description:
+			"Allow traffic from authorization proxy endpoint users with specific source IPs to reach private network",
+		enabled: true,
+		action: "allow",
+		filters: ["l4"],
+		traffic:
+			'net.proxy_endpoint.ids[*] in {"<PROXY_ENDPOINT_ID>"} and net.src.ip in {203.0.113.0/24} and net.dst.ip in {10.0.0.0/8}',
+		identity: "",
+		device_posture: "",
+	}}
+/>
+
+Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.
+
+</TabItem> </Tabs>
+
+#### 2. Block all other proxy endpoint traffic to private network
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+| Selector       | Operator | Value            | Logic | Action |
+| -------------- | -------- | ---------------- | ----- | ------ |
+| Proxy Endpoint | in       | _Proxy Endpoint_ | And   | Block  |
+| Destination IP | in       | `10.0.0.0/8`     |       |        |
+
+</TabItem>
+
+<TabItem label="API">
+
+<APIRequest
+	path="/accounts/{account_id}/gateway/rules"
+	method="POST"
+	json={{
+		name: "Block all other authorized proxy endpoint traffic",
+		description:
+			"Block any other authorization proxy endpoint traffic from accessing the private network",
+		enabled: true,
+		action: "block",
+		filters: ["l4"],
+		traffic:
+			'net.proxy_endpoint.ids[*] in {"<PROXY_ENDPOINT_ID>"} and net.dst.ip in {10.0.0.0/8}',
+		identity: "",
+		device_posture: "",
+	}}
+/>
+
+Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.
+
+</TabItem> </Tabs>
+
 ## Restrict access to private networks
 
 Restrict access to resources which you have connected through [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/).