[Gateway] Per-account certs (#16467)

Co-authored-by: Pedro Sousa <[email protected]>
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>

Author: 3 people

public/_redirects

@@ -1657,6 +1657,7 @@
 /cloudflare-one/identity/service-auth/service-tokens/ /cloudflare-one/identity/service-tokens/ 301
 /cloudflare-one/identity/users/short-lived-certificates/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301
 /cloudflare-one/identity/users/validating-json/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301
+/cloudflare-one/policies/gateway/configuring-block-page/ /cloudflare-one/policies/gateway/block-page/ 301
 /cloudflare-one/policies/lists/ /cloudflare-one/policies/gateway/lists 301
 /cloudflare-one/policies/gateway/dns-policies/scheduled-dns-policies/ /cloudflare-one/policies/gateway/timed-policies/#scheduled-policies 301
 /cloudflare-one/policies/zero-trust/ /cloudflare-one/policies/access/ 301

src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx

@@ -3,10 +3,9 @@ pcx_content_type: how-to
 title: DNS over HTTPS (DoH)
 sidebar:
   order: 3
-
 ---
 
-import { Details, GlossaryTooltip, Render } from "~/components"
+import { Details, GlossaryTooltip, Render } from "~/components";
 
 With Cloudflare Gateway, you can filter DNS over HTTPS (DoH) requests by [DNS location](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) or by user without needing to install the WARP client on your devices.
 
@@ -34,7 +33,6 @@ Your DNS queries will now be sent to Gateway for filtering. To filter these requ
 
 ### Configure operating system for DoH
 
-
 <Details header="Windows 11">
 
 1. Obtain the `A` and `AAAA` record values associated with your location's DoH endpoint.
@@ -71,20 +69,18 @@ Your DNS queries will now be sent to Gateway for filtering. To filter these requ
 
 4. Under **DNS server assignment**, select **Edit**.
 
-5. In the drop-down menu, choose *Manual*.
+5. In the drop-down menu, choose _Manual_.
 
 6. Enable **IPv4**.
 
-7. In **Preferred DNS** and **Alternate DNS**, enter the IPv4 addresses from your `A` record command. Set **DNS over HTTPS** to *On (automatic template)*.
+7. In **Preferred DNS** and **Alternate DNS**, enter the IPv4 addresses from your `A` record command. Set **DNS over HTTPS** to _On (automatic template)_.
 
 8. Enable **IPv6**.
 
-9. In **Preferred DNS** and **Alternate DNS**, enter the IPv6 addresses from your `AAAA` record command. Set **DNS over HTTPS** to *On (automatic template)*.
-
+9. In **Preferred DNS** and **Alternate DNS**, enter the IPv6 addresses from your `AAAA` record command. Set **DNS over HTTPS** to _On (automatic template)_.
 
 </Details>
 
-
 <Details header="Windows Server 2022">
 
 Obtain the `A` and `AAAA` record values associated with your location's DoH endpoint.
@@ -107,7 +103,6 @@ nslookup -type=AAAA <your-subdomain>.cloudflare-gateway.com
 
 For more information, refer to [Microsoft's DoH guide](https://learn.microsoft.com/en-us/windows-server/networking/dns/doh-client-support) for Windows Server 2022 and newer.
 
-
 </Details>
 
 ## Filter DoH requests by user
@@ -128,27 +123,25 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/service_
 
 Save the service token's `client_id`, `client_secret`, and `id`.
 
-
 <Details header="Example response">
 
 ```json null {3,4,7}
 {
-  "result": {
-    "client_id": "88bf3b6d86161464f6509f7219099e57.access",
-    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
-    "created_at": "2022-06-09T01:59:17Z",
-    "expires_at": "2023-06-09T01:59:17Z",
-    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
-    "name": "ACME Corporation service token",
-    "updated_at": "2022-06-09T01:59:17Z"
-  },
-  "success": true,
-  "errors": [],
-  "messages": []
+	"result": {
+		"client_id": "88bf3b6d86161464f6509f7219099e57.access",
+		"client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
+		"created_at": "2022-06-09T01:59:17Z",
+		"expires_at": "2023-06-09T01:59:17Z",
+		"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
+		"name": "ACME Corporation service token",
+		"updated_at": "2022-06-09T01:59:17Z"
+	},
+	"success": true,
+	"errors": [],
+	"messages": []
 }
 ```
 
-
 </Details>
 
 ### 2. Enable DoH functionality for the service token
@@ -162,27 +155,25 @@ curl --request PUT \
 
 If you get an `access.api.error.service_token_not_found` error, check that `{service_token_id}` is the value of `id` and not `client_id`.
 
-
 <Details header="Example response">
 
 ```json
 {
-  "result": {
-    "client_id": "88bf3b6d86161464f6509f7219099e57.access",
-    "created_at": "2022-06-09T01:59:17Z",
-    "expires_at": "2023-06-09T01:59:17Z",
-    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
-    "name": "ACME Corporation service token",
-    "updated_at": "2022-06-09T01:59:17Z",
-    "duration": "8760h"
-  },
-  "success": true,
-  "errors": [],
-  "messages": []
+	"result": {
+		"client_id": "88bf3b6d86161464f6509f7219099e57.access",
+		"created_at": "2022-06-09T01:59:17Z",
+		"expires_at": "2023-06-09T01:59:17Z",
+		"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
+		"name": "ACME Corporation service token",
+		"updated_at": "2022-06-09T01:59:17Z",
+		"duration": "8760h"
+	},
+	"success": true,
+	"errors": [],
+	"messages": []
 }
 ```
 
-
 </Details>
 
 ### 3. Create a user
@@ -203,43 +194,39 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/users" \
 
 Save the user's `id` returned in the response.
 
-
 <Details header="Example response">
 
 ```json null {3}
 {
-  "result": {
-    "id": "54d425de-7a78-4186-9975-d43c88ee7899",
-    "created_at": "2022-03-16T21:18:39.93598Z",
-    "updated_at": "2022-05-17T23:50:39.598345Z",
-    "uid": "54d425de-7a78-4186-9975-d43c88ee7899",
-    "name": "John Doe",
-    "email": "[email protected]",
-    "custom": {
-      "groups": [
-        {
-          "email": "[email protected]",
-          "id": "02fk6b3p3majl10",
-          "name": "Finance"
-        }
-      ]
-    }
-  },
-  "success": true,
-  "errors": [],
-  "messages": []
+	"result": {
+		"id": "54d425de-7a78-4186-9975-d43c88ee7899",
+		"created_at": "2022-03-16T21:18:39.93598Z",
+		"updated_at": "2022-05-17T23:50:39.598345Z",
+		"uid": "54d425de-7a78-4186-9975-d43c88ee7899",
+		"name": "John Doe",
+		"email": "[email protected]",
+		"custom": {
+			"groups": [
+				{
+					"email": "[email protected]",
+					"id": "02fk6b3p3majl10",
+					"name": "Finance"
+				}
+			]
+		}
+	},
+	"success": true,
+	"errors": [],
+	"messages": []
 }
 ```
 
-
 </Details>
 
 :::note
 
-
 Steps 1-3 above only need to be completed once, while Steps 4-5 below would occur during normal operation.
 
-
 :::
 
 ### 4. Generate a DoH token for the user
@@ -254,14 +241,14 @@ curl "https://<TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/doh-token?account-
 
 The response contains a unique DoH token associated with the user. This token expires in 24 hours. We recommend setting up a refresh flow for the DoH token instead of generating a new one for every DoH query.
 
-
 <Details header="Example response">
 
 ```json
-{"token":"y2khbGciOiJSUzI1NiIsImtpZCI6ImJlZjVkYjg4ZTEwMjk3ZDEwNzhkMmEyYjE0MjMxZTljYTQwMjQ2NjAwOTQzNmJhOTQwOGJkODY3ZmI4OWFiOGQifQ.eyJ0eXBlIjoiZG9oIiwiYXVkIjoiY2xvdWRmbGFyZS1nYXRld2F5LmNvbSIsImlhdCI6MTY1NDc1MTg3NSwiZXhwIjoxNjU0ODM4Mjc1LCJhY2NvdW50LWlkIjoiMTA4MDM0OGIyZGYzYmQwN2QxZmI1MjM3Y2Q1ZDU5M2EiLCJ1c2VyLWlkIjoiNTRkNDI1ZGUtN2E3OC00MTg2LTk5NzUtZDQzYzg4ZWU3ODk5In0.I5p4WsH2dPhQ8vwy84zF05PsoBHCsUSXAaMpNhEH36oFZ3tXcs9ksLz7OzpZ_x3HxUfO3n57LlpAF1VehaBt2i94XCkvSgtHpYcwd_qZydLp-BGtcyfU1LbdXQC3m6zxKcIWu5VySi8I-J25UYlpyJhYgZ4DQUZIpqbSSt6WcVRKvA7OBa7xjkTux4OcqWAViO_ZS-GLwl-fqhvolmiwk37seBD3YuV1zG06VeWXfrMkZ5MbhooHD1DZDBHOZpTtmN8MbeKeI4tlY1mb_O3-jE-um6F9Hrl4NQm89MKFzsum-_Rywi5m4PTSlDza7fjdJs7RzFgJd3VWgzG-jgyQKw"}
+{
+	"token": "y2khbGciOiJSUzI1NiIsImtpZCI6ImJlZjVkYjg4ZTEwMjk3ZDEwNzhkMmEyYjE0MjMxZTljYTQwMjQ2NjAwOTQzNmJhOTQwOGJkODY3ZmI4OWFiOGQifQ.eyJ0eXBlIjoiZG9oIiwiYXVkIjoiY2xvdWRmbGFyZS1nYXRld2F5LmNvbSIsImlhdCI6MTY1NDc1MTg3NSwiZXhwIjoxNjU0ODM4Mjc1LCJhY2NvdW50LWlkIjoiMTA4MDM0OGIyZGYzYmQwN2QxZmI1MjM3Y2Q1ZDU5M2EiLCJ1c2VyLWlkIjoiNTRkNDI1ZGUtN2E3OC00MTg2LTk5NzUtZDQzYzg4ZWU3ODk5In0.I5p4WsH2dPhQ8vwy84zF05PsoBHCsUSXAaMpNhEH36oFZ3tXcs9ksLz7OzpZ_x3HxUfO3n57LlpAF1VehaBt2i94XCkvSgtHpYcwd_qZydLp-BGtcyfU1LbdXQC3m6zxKcIWu5VySi8I-J25UYlpyJhYgZ4DQUZIpqbSSt6WcVRKvA7OBa7xjkTux4OcqWAViO_ZS-GLwl-fqhvolmiwk37seBD3YuV1zG06VeWXfrMkZ5MbhooHD1DZDBHOZpTtmN8MbeKeI4tlY1mb_O3-jE-um6F9Hrl4NQm89MKFzsum-_Rywi5m4PTSlDza7fjdJs7RzFgJd3VWgzG-jgyQKw"
+}
 ```
 
-
 </Details>
 
 ### 5. Send an authenticated DoH query
@@ -274,37 +261,35 @@ curl --silent "https://<ACCOUNT_ID>.cloudflare-gateway.com/dns-query?name=exampl
 --header "CF-Authorization: <USER_DOH_TOKEN>" | jq
 ```
 
-If the site is blocked and you have enabled [**Display block page**](/cloudflare-one/policies/gateway/configuring-block-page/#turn-on-the-block-page) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
-
+If the site is blocked and you have enabled [**Display block page**](/cloudflare-one/policies/gateway/block-page/#turn-on-the-block-page) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
 
 <Details header="Example response">
 
 ```json
 {
-  "Status": 0,
-  "TC": false,
-  "RD": true,
-  "RA": true,
-  "AD": false,
-  "CD": false,
-  "Question": [
-    {
-      "name": "example.com",
-      "type": 1
-    }
-  ],
-  "Answer": [
-    {
-      "name": "example.com",
-      "type": 1,
-      "TTL": 60,
-      "data": "162.159.36.12"
-    }
-  ]
+	"Status": 0,
+	"TC": false,
+	"RD": true,
+	"RA": true,
+	"AD": false,
+	"CD": false,
+	"Question": [
+		{
+			"name": "example.com",
+			"type": 1
+		}
+	],
+	"Answer": [
+		{
+			"name": "example.com",
+			"type": 1,
+			"TTL": 60,
+			"data": "162.159.36.12"
+		}
+	]
 }
 ```
 
-
 </Details>
 
 You can verify that the request was associated with the correct user email by checking your [Gateway DNS logs](/cloudflare-one/insights/logs/gateway-logs/). To filter these requests, build a DNS policy using any of the Gateway [identity-based selectors](/cloudflare-one/policies/gateway/identity-selectors/).