diff --git a/public/_redirects b/public/_redirects index 2c505e1c051473b..24cf8de17300c36 100644 --- a/public/_redirects +++ b/public/_redirects @@ -1657,6 +1657,7 @@ /cloudflare-one/identity/service-auth/service-tokens/ /cloudflare-one/identity/service-tokens/ 301 /cloudflare-one/identity/users/short-lived-certificates/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301 /cloudflare-one/identity/users/validating-json/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301 +/cloudflare-one/policies/gateway/configuring-block-page/ /cloudflare-one/policies/gateway/block-page/ 301 /cloudflare-one/policies/lists/ /cloudflare-one/policies/gateway/lists 301 /cloudflare-one/policies/gateway/dns-policies/scheduled-dns-policies/ /cloudflare-one/policies/gateway/timed-policies/#scheduled-policies 301 /cloudflare-one/policies/zero-trust/ /cloudflare-one/policies/access/ 301 diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx index b04daa118eb0ad1..3b1b82d07142ff4 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx @@ -3,10 +3,9 @@ pcx_content_type: how-to title: DNS over HTTPS (DoH) sidebar: order: 3 - --- -import { Details, GlossaryTooltip, Render } from "~/components" +import { Details, GlossaryTooltip, Render } from "~/components"; With Cloudflare Gateway, you can filter DNS over HTTPS (DoH) requests by [DNS location](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) or by user without needing to install the WARP client on your devices. @@ -34,7 +33,6 @@ Your DNS queries will now be sent to Gateway for filtering. To filter these requ ### Configure operating system for DoH -
1. Obtain the `A` and `AAAA` record values associated with your location's DoH endpoint. @@ -71,20 +69,18 @@ Your DNS queries will now be sent to Gateway for filtering. To filter these requ 4. Under **DNS server assignment**, select **Edit**. -5. In the drop-down menu, choose *Manual*. +5. In the drop-down menu, choose _Manual_. 6. Enable **IPv4**. -7. In **Preferred DNS** and **Alternate DNS**, enter the IPv4 addresses from your `A` record command. Set **DNS over HTTPS** to *On (automatic template)*. +7. In **Preferred DNS** and **Alternate DNS**, enter the IPv4 addresses from your `A` record command. Set **DNS over HTTPS** to _On (automatic template)_. 8. Enable **IPv6**. -9. In **Preferred DNS** and **Alternate DNS**, enter the IPv6 addresses from your `AAAA` record command. Set **DNS over HTTPS** to *On (automatic template)*. - +9. In **Preferred DNS** and **Alternate DNS**, enter the IPv6 addresses from your `AAAA` record command. Set **DNS over HTTPS** to _On (automatic template)_.
-
Obtain the `A` and `AAAA` record values associated with your location's DoH endpoint. @@ -107,7 +103,6 @@ nslookup -type=AAAA .cloudflare-gateway.com For more information, refer to [Microsoft's DoH guide](https://learn.microsoft.com/en-us/windows-server/networking/dns/doh-client-support) for Windows Server 2022 and newer. -
## Filter DoH requests by user @@ -128,27 +123,25 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/service_ Save the service token's `client_id`, `client_secret`, and `id`. -
```json null {3,4,7} { - "result": { - "client_id": "88bf3b6d86161464f6509f7219099e57.access", - "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", - "created_at": "2022-06-09T01:59:17Z", - "expires_at": "2023-06-09T01:59:17Z", - "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "name": "ACME Corporation service token", - "updated_at": "2022-06-09T01:59:17Z" - }, - "success": true, - "errors": [], - "messages": [] + "result": { + "client_id": "88bf3b6d86161464f6509f7219099e57.access", + "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", + "created_at": "2022-06-09T01:59:17Z", + "expires_at": "2023-06-09T01:59:17Z", + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "name": "ACME Corporation service token", + "updated_at": "2022-06-09T01:59:17Z" + }, + "success": true, + "errors": [], + "messages": [] } ``` -
### 2. Enable DoH functionality for the service token @@ -162,27 +155,25 @@ curl --request PUT \ If you get an `access.api.error.service_token_not_found` error, check that `{service_token_id}` is the value of `id` and not `client_id`. -
```json { - "result": { - "client_id": "88bf3b6d86161464f6509f7219099e57.access", - "created_at": "2022-06-09T01:59:17Z", - "expires_at": "2023-06-09T01:59:17Z", - "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "name": "ACME Corporation service token", - "updated_at": "2022-06-09T01:59:17Z", - "duration": "8760h" - }, - "success": true, - "errors": [], - "messages": [] + "result": { + "client_id": "88bf3b6d86161464f6509f7219099e57.access", + "created_at": "2022-06-09T01:59:17Z", + "expires_at": "2023-06-09T01:59:17Z", + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "name": "ACME Corporation service token", + "updated_at": "2022-06-09T01:59:17Z", + "duration": "8760h" + }, + "success": true, + "errors": [], + "messages": [] } ``` -
### 3. Create a user @@ -203,43 +194,39 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/users" \ Save the user's `id` returned in the response. -
```json null {3} { - "result": { - "id": "54d425de-7a78-4186-9975-d43c88ee7899", - "created_at": "2022-03-16T21:18:39.93598Z", - "updated_at": "2022-05-17T23:50:39.598345Z", - "uid": "54d425de-7a78-4186-9975-d43c88ee7899", - "name": "John Doe", - "email": "jdoe@acme.com", - "custom": { - "groups": [ - { - "email": "finance@acme.com", - "id": "02fk6b3p3majl10", - "name": "Finance" - } - ] - } - }, - "success": true, - "errors": [], - "messages": [] + "result": { + "id": "54d425de-7a78-4186-9975-d43c88ee7899", + "created_at": "2022-03-16T21:18:39.93598Z", + "updated_at": "2022-05-17T23:50:39.598345Z", + "uid": "54d425de-7a78-4186-9975-d43c88ee7899", + "name": "John Doe", + "email": "jdoe@acme.com", + "custom": { + "groups": [ + { + "email": "finance@acme.com", + "id": "02fk6b3p3majl10", + "name": "Finance" + } + ] + } + }, + "success": true, + "errors": [], + "messages": [] } ``` -
:::note - Steps 1-3 above only need to be completed once, while Steps 4-5 below would occur during normal operation. - ::: ### 4. Generate a DoH token for the user @@ -254,14 +241,14 @@ curl "https://.cloudflareaccess.com/cdn-cgi/access/doh-token?account- The response contains a unique DoH token associated with the user. This token expires in 24 hours. We recommend setting up a refresh flow for the DoH token instead of generating a new one for every DoH query. -
```json -{"token":"y2khbGciOiJSUzI1NiIsImtpZCI6ImJlZjVkYjg4ZTEwMjk3ZDEwNzhkMmEyYjE0MjMxZTljYTQwMjQ2NjAwOTQzNmJhOTQwOGJkODY3ZmI4OWFiOGQifQ.eyJ0eXBlIjoiZG9oIiwiYXVkIjoiY2xvdWRmbGFyZS1nYXRld2F5LmNvbSIsImlhdCI6MTY1NDc1MTg3NSwiZXhwIjoxNjU0ODM4Mjc1LCJhY2NvdW50LWlkIjoiMTA4MDM0OGIyZGYzYmQwN2QxZmI1MjM3Y2Q1ZDU5M2EiLCJ1c2VyLWlkIjoiNTRkNDI1ZGUtN2E3OC00MTg2LTk5NzUtZDQzYzg4ZWU3ODk5In0.I5p4WsH2dPhQ8vwy84zF05PsoBHCsUSXAaMpNhEH36oFZ3tXcs9ksLz7OzpZ_x3HxUfO3n57LlpAF1VehaBt2i94XCkvSgtHpYcwd_qZydLp-BGtcyfU1LbdXQC3m6zxKcIWu5VySi8I-J25UYlpyJhYgZ4DQUZIpqbSSt6WcVRKvA7OBa7xjkTux4OcqWAViO_ZS-GLwl-fqhvolmiwk37seBD3YuV1zG06VeWXfrMkZ5MbhooHD1DZDBHOZpTtmN8MbeKeI4tlY1mb_O3-jE-um6F9Hrl4NQm89MKFzsum-_Rywi5m4PTSlDza7fjdJs7RzFgJd3VWgzG-jgyQKw"} +{ + "token": "y2khbGciOiJSUzI1NiIsImtpZCI6ImJlZjVkYjg4ZTEwMjk3ZDEwNzhkMmEyYjE0MjMxZTljYTQwMjQ2NjAwOTQzNmJhOTQwOGJkODY3ZmI4OWFiOGQifQ.eyJ0eXBlIjoiZG9oIiwiYXVkIjoiY2xvdWRmbGFyZS1nYXRld2F5LmNvbSIsImlhdCI6MTY1NDc1MTg3NSwiZXhwIjoxNjU0ODM4Mjc1LCJhY2NvdW50LWlkIjoiMTA4MDM0OGIyZGYzYmQwN2QxZmI1MjM3Y2Q1ZDU5M2EiLCJ1c2VyLWlkIjoiNTRkNDI1ZGUtN2E3OC00MTg2LTk5NzUtZDQzYzg4ZWU3ODk5In0.I5p4WsH2dPhQ8vwy84zF05PsoBHCsUSXAaMpNhEH36oFZ3tXcs9ksLz7OzpZ_x3HxUfO3n57LlpAF1VehaBt2i94XCkvSgtHpYcwd_qZydLp-BGtcyfU1LbdXQC3m6zxKcIWu5VySi8I-J25UYlpyJhYgZ4DQUZIpqbSSt6WcVRKvA7OBa7xjkTux4OcqWAViO_ZS-GLwl-fqhvolmiwk37seBD3YuV1zG06VeWXfrMkZ5MbhooHD1DZDBHOZpTtmN8MbeKeI4tlY1mb_O3-jE-um6F9Hrl4NQm89MKFzsum-_Rywi5m4PTSlDza7fjdJs7RzFgJd3VWgzG-jgyQKw" +} ``` -
### 5. Send an authenticated DoH query @@ -274,37 +261,35 @@ curl --silent "https://.cloudflare-gateway.com/dns-query?name=exampl --header "CF-Authorization: " | jq ``` -If the site is blocked and you have enabled [**Display block page**](/cloudflare-one/policies/gateway/configuring-block-page/#turn-on-the-block-page) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`. - +If the site is blocked and you have enabled [**Display block page**](/cloudflare-one/policies/gateway/block-page/#turn-on-the-block-page) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
```json { - "Status": 0, - "TC": false, - "RD": true, - "RA": true, - "AD": false, - "CD": false, - "Question": [ - { - "name": "example.com", - "type": 1 - } - ], - "Answer": [ - { - "name": "example.com", - "type": 1, - "TTL": 60, - "data": "162.159.36.12" - } - ] + "Status": 0, + "TC": false, + "RD": true, + "RA": true, + "AD": false, + "CD": false, + "Question": [ + { + "name": "example.com", + "type": 1 + } + ], + "Answer": [ + { + "name": "example.com", + "type": 1, + "TTL": 60, + "data": "162.159.36.12" + } + ] } ``` -
You can verify that the request was associated with the correct user email by checking your [Gateway DNS logs](/cloudflare-one/insights/logs/gateway-logs/). To filter these requests, build a DNS policy using any of the Gateway [identity-based selectors](/cloudflare-one/policies/gateway/identity-selectors/). diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx index 5aeb5ff2374cd9d..c7787e58cc1c8ca 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx 
@@ -8,17 +8,15 @@ description: Configure WARP to use a custom root certificate instead of the Cloudflare certificate. --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; :::note - Only available on Enterprise plans. ::: -Enterprise customers who do not wish to install the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required the Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/configuring-block-page/). +Enterprise customers who do not wish to install the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required the Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/block-page/). :::caution - Custom certificates are limited to use between your users and the Gateway proxy. 
Connections between Gateway and the origin server will use the Cloudflare certificate. ::: 
@@ -61,65 +59,106 @@ openssl x509 -in .pem -text ## Deploy a custom root certificate -1. Verify that the certificate is installed on your devices. - -2. - -3. Enable the certificate in Gateway with its UUID. - - ```bash null {10} - curl --request PATCH \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration" \ - --header "X-Auth-Email: " \ - --header "X-Auth-Key: " \ - --header "Content-Type: application/json" \ - --data '{ - "settings": { - "custom_certificate": { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" - } - } - }' - ``` - - The response will show the current status of the certificate: - - ```json null {13} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "settings": { - "antivirus": {...}, - "block_page": {...}, - "custom_certificate": - { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", - "binding_status": "pending_deployment", - "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" - }, - "tls_decrypt": {...}, - "activity_log": {...}, - "browser_isolation": {...}, - "fips": {...}, - }, - }, - "created_at": "2014-01-01T05:20:00.12345Z", - "updated_at": "2014-01-01T05:20:00.12345Z" - } - ``` - -Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate. + + + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. + 2. In **Certificates**, select **Manage**. + 3. Select **Upload certificate**. + 4. Enter the private key and SSL certificate you generated or select **Paste certificate from file** to upload them from a file. + 5. Select **Generate certificate**. + + You can now [use the generated custom root certificate](#use-a-custom-root-certificate) for inspection. + + + + + 1. Verify that the certificate is installed on your devices. + 2. + 3. 
Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/operations/zero-trust-accounts-patch-zero-trust-account-configuration). + ```bash {10} + curl --request PATCH \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration" \ + --header "X-Auth-Email: " \ + --header "X-Auth-Key: " \ + --header "Content-Type: application/json" \ + --data '{ + "settings": { + "custom_certificate": { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" + } + } + }' + ``` + The response will return the pending status of the certificate. For example: + ```json {13} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "settings": { + "antivirus": {}, + "block_page": {}, + "custom_certificate": + { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", + "binding_status": "pending_deployment", + "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" + }, + "tls_decrypt": {}, + "activity_log": {}, + "browser_isolation": {}, + "fips": {}, + }, + }, + "created_at": "2014-01-01T05:20:00.12345Z", + "updated_at": "2014-01-01T05:20:00.12345Z" + } + ``` + 4. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/operations/zero-trust-certificates-activate-zero-trust-certificate). + ```bash + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate" \ + --header "X-Auth-Email: " \ + --header "X-Auth-Key: " + ``` + The response will return the certificate and its current deployment status. 
For example: + ```json {6,12} + { + "errors": [], + "messages": [], + "success": true, + "result": { + "binding_status": "active", + "certificate": "-----BEGIN CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n", + "created_at": "2014-01-01T05:20:00.12345Z", + "expires_on": "2014-01-01T05:20:00.12345Z", + "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "in_use": true, + "issuer_org": "Example Inc.", + "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", + "type": "gateway_managed", + "updated_at": "2014-01-01T05:20:00.12345Z", + "uploaded_on": "2014-01-01T05:20:00.12345Z" + } + } + ``` + Once `binding_status` changes to `active`, 
Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. + + :::caution[Private key visibility] - When you upload a private key to Zero Trust, Cloudflare encrypts the key and stores it at rest. Only your delegated apps have the necessary decryption keys to decrypt the private key. You will not be able to retrieve the private key after upload. - ::: +## Use a custom root certificate + +To use a custom root certificate you generated and uploaded to Cloudflare, refer to [Activate a root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#activate-a-root-certificate). + ## Troubleshoot HTTP errors If Gateway returns an **HTTP Response Code: 526** after deploying a custom certificate, you can [troubleshoot errors with our FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website). diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index cdae4700c0316c7..1aa4c50546a1efc 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -3,11 +3,57 @@ pcx_content_type: navigation title: User-side certificates sidebar: order: 4 - --- -import { DirectoryListing } from "~/components" - Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. - +Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). + +Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/). + +| Deployment status | Description | +| ----------------- | ---------------------------------------------------------------------------------------------- | +| Inactive | The certificate has been uploaded to Cloudflare but is not deployed across the global network. | +| Pending | The certificate is being activated or deactivated for use. | +| Active | The certificate is deployed across the Cloudflare global network and ready to be turned on. 
| +| Active and In-Use | The certificate is turned on. Gateway will use the certificate for inspection. | + +## Generate a Cloudflare root certificate + +:::note[Certificate generation limitation] +Each Zero Trust account can generate a new root certificate a maximum of three times per day. +::: + +To generate a new Cloudflare root certificate for your Zero Trust organization: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. +3. Select **Generate certificate**. +4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days. +5. Select **Generate certificate**. + +The certificate will appear in your list of certificates as **Inactive**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate). + +## Activate a root certificate + +:::note +Zero Trust accounts using the Cloudflare certificate prior to September 2024 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after September 2024 will use an active certificate by default. +::: + +Once a certificate is generated in or uploaded to Zero Trust, you need to activate it. Activating a certificate deploys it across the Cloudflare network. + +To activate your root certificate: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. +3. Select the certificate you want to activate. +4. Select **Activate**. + +The status of the certificate will change to **Pending** while it deploys. Once the status of your certificate is **Active**, you can turn the certificate on for use in inspection: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. 
+3. Select the certificate you want to turn on. +4. In **Basic information**, select **Confirm and turn on certificate**. + +Only one certificate can be turned on for inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx index 4daa89b6127a5bf..18821d93c096327 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx 
@@ -22,36 +22,48 @@ If your device does not support [certificate installation via WARP](/cloudflare- First, download the Cloudflare certificate. The certificate is available both as a `.pem` and as a `.crt` file. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case. -- [Download certificate (.crt)](/cloudflare-one/static/Cloudflare_CA.crt) -- [Download certificate (.pem)](/cloudflare-one/static/Cloudflare_CA.pem) +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. +3. Select the certificate you want to download. +4. Select either **Download .pem** or **Download .crt**. -### Verify the certificate fingerprint +### Verify the downloaded certificate -To verify your download, check that the certificate's thumbprint matches: +To verify your download, use a terminal to check that the downloaded certificate's hash matches the thumbprint listed under **Certificate thumbprint**. 
For example: #### SHA1 -```txt -BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C +```sh title="SHA1 .crt example" +openssl x509 -noout -fingerprint -sha1 -inform der -in ``` -``` -➜ ~ openssl x509 -noout -fingerprint -sha1 -inform der -in +```sh output SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C -➜ ~ openssl x509 -noout -fingerprint -sha1 -inform pem -in +``` + +```sh title="SHA1 .pem example" +openssl x509 -noout -fingerprint -sha1 -inform pem -in +``` + +```sh output SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C ``` #### SHA256 -```txt -F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF +```sh title="SHA256 .crt example" +openssl x509 -noout -fingerprint -sha256 -inform der -in ``` -``` -➜ ~ openssl x509 -noout -fingerprint -sha256 -inform der -in +```sh output sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF -➜ ~ openssl x509 -noout -fingerprint -sha256 -inform pem -in +``` + +```sh title="SHA256 .pem example" +openssl x509 -noout -fingerprint -sha256 -inform pem -in +``` + +```sh output sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF ``` diff --git a/src/content/docs/cloudflare-one/policies/gateway/configuring-block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx similarity index 95% rename from src/content/docs/cloudflare-one/policies/gateway/configuring-block-page.mdx rename to src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 66b41e0fc952012..c437fdaa93c1d9e 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/configuring-block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx 
@@ -3,10 +3,9 @@ pcx_content_type: how-to title: Block page sidebar: order: 11 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Gateway responds to any domain blocked at the DNS level with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, and does not return that blocked domain's IP address. As a result, the browser will show a browser default error page, and users will not be able to reach that website. This may cause confusion and lead some users to think that their Internet connection is not working. @@ -24,7 +23,12 @@ For all HTTP Block policies, Gateway automatically displays a generic Cloudflare To turn on the block page and specify a custom block message: - Firewall Policies > DNS or Gateway > Firewall Policies > HTTP" }} /> + Firewall Policies > DNS or Gateway > Firewall Policies > HTTP", + }} +/> ## Troubleshoot the block page diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index fab0ceae606fda6..154070686953d49 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx 
@@ -3,24 +3,26 @@ pcx_content_type: configuration title: DNS policies sidebar: order: 2 - --- -import { Details, InlineBadge, Render } from "~/components" +import { Details, InlineBadge, Render } from "~/components"; When a user makes a DNS request to Gateway, Gateway matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Override policy, the user's client receives the DNS resolution and initiates an HTTP connection. A DNS policy consists of an **Action** as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a **Selector** and an **Operator**, and enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. -* [Actions](#actions) -* [Selectors](#selectors) -* [Comparison operators](#comparison-operators) -* [Value](#value) -* [Logical operators](#logical-operators) +- [Actions](#actions) +- [Selectors](#selectors) +- [Comparison operators](#comparison-operators) +- [Value](#value) +- [Logical operators](#logical-operators) -When creating a DNS policy, you can select as many security risk categories and content categories as needed to fully secure your network. Unless a more specific selector is configured in a policy (for example, *User Email* or *Source IP*), then the policy will be evaluated against all DNS queries that reach Gateway from your organization. +When creating a DNS policy, you can select as many security risk categories and content categories as needed to fully secure your network. Unless a more specific selector is configured in a policy (for example, _User Email_ or _Source IP_), then the policy will be evaluated against all DNS queries that reach Gateway from your organization. - + ## Actions 
@@ -28,52 +30,50 @@ Just like actions in HTTP policies, actions in DNS policies allow you to choose These are the action types you can choose from: -* [Allow](#allow) -* [Block](#block) -* [Override](#override) -* [Safe Search](#safe-search) -* [YouTube Restricted Mode](#youtube-restricted-mode) +- [Allow](#allow) +- [Block](#block) +- [Override](#override) +- [Safe Search](#safe-search) +- [YouTube Restricted Mode](#youtube-restricted-mode) ### Allow API value: `allow` -
**Traffic** -* [Application](#application) -* [Authoritative Nameserver IP](#authoritative-nameserver-ip) -* [Content Categories](#content-categories) -* [DNS CNAME Response Value](#dns-cname-record) -* [DNS MX Response Value](#dns-mx-record) -* [DNS PTR Response Value](#dns-ptr-record) -* [DNS Resolver IP](#dns-resolver-ip) -* [DNS TXT Response Value](#dns-txt-record) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Indicator Feeds](#indicator-feeds) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Resolved IP](#resolved-ip) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Authoritative Nameserver IP](#authoritative-nameserver-ip) +- [Content Categories](#content-categories) +- [DNS CNAME Response Value](#dns-cname-record) +- [DNS MX Response Value](#dns-mx-record) +- [DNS PTR Response Value](#dns-ptr-record) +- [DNS Resolver IP](#dns-resolver-ip) +- [DNS TXT Response Value](#dns-txt-record) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Indicator Feeds](#indicator-feeds) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Resolved IP](#resolved-ip) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group 
Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
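Review bot: this hunk is bullet-marker noise only (`*` to `-`, plus the surrounding `-`/`+` wrapper lines), and the identical cosmetic rewrite is repeated for the Block, Override, Safe Search and YouTube Restricted Mode selector lists further down; that is fine to land, but it buries the single functional change in this file (the block page link in the `#### Custom block page` hunk). Consider committing the formatter pass separately from the URL rename so the link change can be reviewed on its own, and double-check that no selector was dropped or reordered while the lists were reflowed.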
@@ -91,42 +91,40 @@ When you select **Disable DNSSEC validation**, Gateway will resolve DNS queries API value: `block` -
**Traffic** -* [Application](#application) -* [Authoritative Nameserver IP](#authoritative-nameserver-ip) -* [Content Categories](#content-categories) -* [DNS CNAME Response Value](#dns-cname-record) -* [DNS MX Response Value](#dns-mx-record) -* [DNS PTR Response Value](#dns-ptr-record) -* [DNS Resolver IP](#dns-resolver-ip) -* [DNS TXT Response Value](#dns-txt-record) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Indicator Feeds](#indicator-feeds) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Resolved IP](#resolved-ip) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Authoritative Nameserver IP](#authoritative-nameserver-ip) +- [Content Categories](#content-categories) +- [DNS CNAME Response Value](#dns-cname-record) +- [DNS MX Response Value](#dns-mx-record) +- [DNS PTR Response Value](#dns-ptr-record) +- [DNS Resolver IP](#dns-resolver-ip) +- [DNS TXT Response Value](#dns-txt-record) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Indicator Feeds](#indicator-feeds) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Resolved IP](#resolved-ip) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group 
Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
@@ -138,7 +136,7 @@ Policies with Block actions block DNS queries to reach destinations you specify #### Custom block page -When choosing the Block action, turn on **Display custom block page** to respond to queries with a block page and to specify the message you want to display to users who go to blocked websites. If the block page is disabled, Gateway will respond to blocked queries with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. For more information, refer to the dedicated documentation on [customizing the block page](/cloudflare-one/policies/gateway/configuring-block-page/). +When choosing the Block action, turn on **Display custom block page** to respond to queries with a block page and to specify the message you want to display to users who go to blocked websites. If the block page is disabled, Gateway will respond to blocked queries with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. For more information, refer to the dedicated documentation on [customizing the block page](/cloudflare-one/policies/gateway/block-page/). #### WARP client block notifications @@ -148,37 +146,35 @@ When choosing the Block action, turn on **Display custom block page** to respond API value: `override` -
The Override action cannot be used with selectors evaluated during or after DNS resolution. **Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [DNS Resolver IP](#dns-resolver-ip) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Content Categories](#content-categories) +- [DNS Resolver IP](#dns-resolver-ip) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
@@ -192,35 +188,33 @@ Policies with Override actions allow you to respond to all DNS queries for a giv API value: `safesearch` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [DNS Resolver IP](#dns-resolver-ip) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Content Categories](#content-categories) +- [DNS Resolver IP](#dns-resolver-ip) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
@@ -236,39 +230,37 @@ You can use Cloudflare Gateway to enable SafeSearch on search engines like Googl API value: `ytrestricted` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [DNS Resolver IP](#dns-resolver-ip) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Content Categories](#content-categories) +- [DNS Resolver IP](#dns-resolver-ip) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
-Similarly, you can enforce YouTube Restricted mode by choosing the *YouTube Restricted* action. YouTube Restricted Mode is an automated filter for adult and offensive content built into YouTube. To enable YouTube Restricted Mode, you could set up a policy like the following: +Similarly, you can enforce YouTube Restricted mode by choosing the _YouTube Restricted_ action. YouTube Restricted Mode is an automated filter for adult and offensive content built into YouTube. To enable YouTube Restricted Mode, you could set up a policy like the following: | Selector | Operator | Value | Action | | ---------- | -------- | ------------- | ------------------ | @@ -308,7 +300,7 @@ Use this selector to filter DNS responses by their `CNAME` records. :::note -If one CNAME record points to another CNAME record, each record in the chain will be evaluated. For example, if `abc.example.com` points to `xyz.example.com`, then your DNS policy will evaluate both `abc.example.com` and `xyz.example.com`. +If one CNAME record points to another CNAME record, each record in the chain will be evaluated. For example, if `abc.example.com` points to `xyz.example.com`, then your DNS policy will evaluate both `abc.example.com` and `xyz.example.com`. ::: ### DNS MX Record @@ -367,14 +359,14 @@ Use this selector to filter DNS responses by their `TXT` records. Use this selector to filter based on the continent that the query resolves to. Geolocation is determined from the IP address in the response. To specify a continent, enter its two-letter code into the **Value** field: -* AF – Africa -* AN – Antarctica -* AS – Asia -* EU – Europe -* NA – North America -* OC – Oceania -* SA – South America -* T1 – Tor network +- AF – Africa +- AN – Antarctica +- AS – Asia +- EU – Europe +- NA – North America +- OC – Oceania +- SA – South America +- T1 – Tor network | UI name | API example | Evaluation phase | | --------------------------------- | ------------------------------- | -------------------- | 
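Review bot: in the `#### Custom block page` hunk the context sentence says that with the block page disabled Gateway answers blocked queries with an `A` record of `0.0.0.0` (or `AAAA` `::`), whereas the `test-dns-filtering.mdx` change in this same PR tells the reader to expect `REFUSED` in exactly that case. One of the two is stale; since both sentences are being touched here, align them with the resolver's actual behaviour (verify with `dig` against a block policy that has the block page turned off) rather than only swapping the link target.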
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx index e81936c45b87084..4bcad30dbe5a2d3 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx @@ -23,7 +23,7 @@ For example, if you created a policy to block `example.com`, you can do the foll 2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**. -3. If the [block page](/cloudflare-one/policies/gateway/configuring-block-page/) is disabled for the policy, you should see `REFUSED` in the answer section: +3. If the [block page](/cloudflare-one/policies/gateway/block-page/) is disabled for the policy, you should see `REFUSED` in the answer section: ```sh dig example.com @@ -46,7 +46,7 @@ For example, if you created a policy to block `example.com`, you can do the foll ;; MSG SIZE rcvd: 29 ``` - If the [block page](/cloudflare-one/policies/gateway/configuring-block-page/) is enabled for the policy, you should see `NOERROR` in the answer section and `162.159.36.12` and `162.159.46.12` as the answers: + If the [block page](/cloudflare-one/policies/gateway/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers: ```sh null dig example.com diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index cd6bc2ac89f394c..89fcf78292e8358 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx 
@@ -96,7 +96,7 @@ The **Untrusted certificate action** determines how to handle insecure requests. | Option | Action | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | Display Gateway error page. Matches the default behavior when no action is configured. | -| Block | Display [block page](/cloudflare-one/policies/gateway/configuring-block-page/) as set in Zero Trust. | +| Block | Display [block page](/cloudflare-one/policies/gateway/block-page/) as set in Zero Trust. | | Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. To use this feature, deploy a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). For more information on what statuses are bypassed, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website). | ### Block diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx index 6deaa38dd79d356..87485468a178232 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx 
@@ -25,7 +25,7 @@ To filter DNS requests from an individual device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your device. 2. In the WARP client Settings, log in to your organization's Zero Trust instance. -3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/configuring-block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device. +3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device. ### Connect DNS locations diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx index 22cbf7d684d72e0..191be9903336aaa 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx 
@@ -25,7 +25,7 @@ To filter network traffic from a device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your device. 2. In the WARP client Settings, log in to your organization's Zero Trust instance. -3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/configuring-block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device . +3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device . 4. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic. ### Connect private networks diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx index 05bdf06bdc14e9d..ae125b90869fae6 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx 
@@ -16,12 +16,12 @@ It is common for a misconfigured Gateway policy to accidentally block traffic to 3. Turn on any existing security policies or create a policy to block all security categories: 4. Ensure that your browser is not configured to use an alternate DNS resolver. For example, Chrome has a **Use secure DNS** setting that will cause the browser to send requests to 1.1.1.1 and bypass your DNS policies. 5. In the browser, go to `malware.testcategory.com`. Your browser will display: - - The Gateway block page, if your device is connected via the WARP client in Gateway with WARP mode. - - A generic error page, if your device is connected via another method, such as Gateway with DoH mode. + - The Gateway block page, if your device is connected through the WARP client in Gateway with WARP mode. + - A generic error page, if your device is connected through another method, such as Gateway with DoH mode. :::note -[Custom block pages](/cloudflare-one/policies/gateway/configuring-block-page/) require you to install a root certificate on the device. +[Custom block pages](/cloudflare-one/policies/gateway/block-page/) require you to install a root certificate on the device. ::: diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index 1bc39e748bea2a3..83b0160f94deb39 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx @@ -4,6 +4,9 @@ pcx_content_type: reference-architecture-diagram sidebar: order: 1 label: Securing data in transit +head: + - tag: title + content: "Reference Architecture Diagram: Securing data in transit" updated: 2024-05-01 --- 
@@ -13,7 +16,7 @@ Data in transit typically means when it's traveling over the network. Because th - Browsing online and uploading/download data to/from cloud applications - Sending texts, pictures and emails -- Applications exposing and consuming data via APIs +- Applications exposing and consuming data through APIs Data in transit is often considered vulnerable to interception or tampering during transmission, so it is important to secure it through encryption techniques such as [QUIC](https://cloudflare-quic.com/), Transport Layer Security (TLS) or Secure Sockets Layer (SSL). This helps to ensure that the data remains confidential and protected from unauthorized access during its journey. There are other methods of inspecting data as it passes network boundaries to make decisions on if that data should continue to travel or not, Data Loss Prevention (DLP) technologies can be used to inspect the contents of network traffic and block sensitive data from going to a risky destination. This document outlines the methods Cloudflare has available to protect data in transit. 
@@ -54,9 +57,9 @@ The following diagram shows a common flow for how Cloudflare inspects a request ![Figure 4: Upload of file containing sensitive data blocked by Cloudflare DLP](~/assets/images/reference-architecture/securing-data-in-transit/securing-data-in-transit-fig4.svg "Figure 4: Upload of file containing sensitive data blocked by Cloudflare DLP") 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/connections/connect-devices/warp/download-warp/)). [Clientless](/cloudflare-one/connections/connect-devices/agentless/) options are supported as well. -2. Cloudflare’s [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file’s payload for [malicious code](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/policies/data-loss-prevention/). +2. Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/policies/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The SWG policy is configured with a [‘block’ action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/) and a [block page](/cloudflare-one/policies/gateway/configuring-block-page/) returned to the end user’s web browser. +4. 
The SWG policy is configured with a ['block' action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user's web browser. ## Related resources diff --git a/src/content/partials/cloudflare-one/access/block-page.mdx b/src/content/partials/cloudflare-one/access/block-page.mdx index bb0b00d4e83eac0..3b54fb16a0df6d5 100644 --- a/src/content/partials/cloudflare-one/access/block-page.mdx +++ b/src/content/partials/cloudflare-one/access/block-page.mdx @@ -1,18 +1,17 @@ --- {} - --- :::note -Only available on Pay-as-you-go and Enterprise plans. +Only available on Pay-as-you-go and Enterprise plans. ::: You can display a custom block page when users fail to authenticate to an Access application. Each application can have a different block page. :::note -To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/policies/gateway/configuring-block-page/). +To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/policies/gateway/block-page/). ::: ## Create a custom block page @@ -34,15 +33,13 @@ To create a custom block page for Access: 7. In **Custom HTML**, enter the HTML code for your custom page. For example, ```html - + - - -

Access denied.

- -

To obtain access, contact your IT administrator.

+ +

Access denied.

- +

To obtain access, contact your IT administrator.

+ ``` diff --git a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx index c0de73c31de4401..a9e74eec96a0bb4 100644 --- a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx @@ -1,6 +1,5 @@ --- {} - --- You can customize the block page by making global changes that will show up every time a user visits a block page, independently of the type of rule (DNS or HTTP) that is blocking the website. @@ -13,12 +12,12 @@ To apply customizations to your block page: 3. Select **Customize**. Available global customizations include: - * Adding your organization's name - * Adding a [logo](/cloudflare-one/policies/gateway/configuring-block-page/#add-a-logo-image) - * Adding a header text - * Adding a global block message, which will be displayed above the policy-specific block message - * Adding a [Mailto link](/cloudflare-one/policies/gateway/configuring-block-page/#allow-users-to-email-an-administrator) - * Choosing a background color + - Adding your organization's name + - Adding a [logo](/cloudflare-one/policies/gateway/block-page/#add-a-logo-image) + - Adding a header text + - Adding a global block message, which will be displayed above the policy-specific block message + - Adding a [Mailto link](/cloudflare-one/policies/gateway/block-page/#allow-users-to-email-an-administrator) + - Choosing a background color 4. Select **Save**. diff --git a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx index 28edd4f475bad16..0517c47bbda6d82 100644 --- a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx +++ b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx 
@@ -20,7 +20,7 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/mtls_certificat }' ``` -The response will return a UUID for the certificate: +The response will return a UUID for the certificate. For example: ```json null {6} { diff --git a/src/content/partials/fundamentals/account-permissions-table.mdx b/src/content/partials/fundamentals/account-permissions-table.mdx index 55a9c37f71df417..ca5ca5450f76adf 100644 --- a/src/content/partials/fundamentals/account-permissions-table.mdx +++ b/src/content/partials/fundamentals/account-permissions-table.mdx 
@@ -10,8 +10,8 @@ import { Markdown } from "~/components"; | Access: Apps and Policies Revoke | Grants ability to revoke all tokens to [Cloudflare Access](/cloudflare-one/policies/access/) account resources. | | Access: Apps and Policies {props.one} | Grants write access to [Cloudflare Access](/cloudflare-one/policies/access/) account resources. | | Access: Audit Logs Read | Grants read access to [Cloudflare Access audit logs](/cloudflare-one/insights/logs/audit-logs/). | -| Access: Custom Pages Read | Grants read access to [Cloudflare Access Custom Pages](/cloudflare-one/policies/gateway/configuring-block-page/). | -| Access: Custom Pages {props.one} | Grants write access to [Cloudflare Access Custom Pages](/cloudflare-one/policies/gateway/configuring-block-page/). | +| Access: Custom Pages Read | Grants read access to [Cloudflare Access Custom Pages](/cloudflare-one/policies/gateway/block-page/). | +| Access: Custom Pages {props.one} | Grants write access to [Cloudflare Access Custom Pages](/cloudflare-one/policies/gateway/block-page/). | | Access: Device Posture Read | Grants read access to [Cloudflare Access Device Posture](/cloudflare-one/identity/devices/). | | Access: Device Posture {props.one} | Grants write access to [Cloudflare Access Device Posture](/cloudflare-one/identity/devices/). | | Access: Mutual TLS Certificates Read | Grants read access to [Cloudflare Access mTLS certificates](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/). | diff --git a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx index 2aed4fe21334a30..411b106ccc846e2 100644 --- a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx +++ b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx 
@@ -38,7 +38,7 @@ To customize the default settings: 5. Under **Global settings**, 1. (Recommended) Enable **Admin override code** if you turned on **Lock WARP switch**. - 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/policies/gateway/configuring-block-page/). + 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/policies/gateway/block-page/).
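Review bot: in `test-dns-filtering.mdx` step 3, `REFUSED` and `NOERROR` are response codes that appear in the `;; ->>HEADER<<-` status line of `dig` output, not in the answer section; a `REFUSED` reply carries no answer section at all, which is consistent with the `;; MSG SIZE rcvd: 29` shown in the expected output. Suggest "you should see `status: REFUSED` in the header" for the disabled case and "`status: NOERROR` in the header with `162.159.36.12` and `162.159.46.12` in the answer section" for the enabled case. The Windows hint in step 2 is also imprecise: `nslookup` prints a refused query as `Query refused` rather than `REFUSED`, so readers following the Windows path will not find the string the text tells them to look for.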
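Review bot: `initial-setup/network.mdx` step 3 still ends with "on your device ." (stray space before the period) even though the whole line is rewritten in this hunk; fix the typo while the line is being touched, so it matches the otherwise identical step 3 in `initial-setup/dns.mdx`.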
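Review bot: in `build-dns-policies/test-policy.mdx`, step 3 ("Turn on any existing security policies or create a policy to block all security categories:") ends with a colon and nothing follows before step 4; either a table or screenshot is missing or the colon should be a period. Worth fixing since the hunk already edits the neighbouring steps.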
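Review bot: in `securing-data-in-transit.mdx` the first hunk replaces "via" with "through" ("consuming data through APIs"), but step 1 of the list in the second hunk keeps "(via a secure tunnel to Cloudflare ...)" while step 4 right below it is rewritten. Apply the same substitution in step 1, or leave "via" everywhere; half-applied style rules are harder to maintain than either choice.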
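Review bot: `partials/cloudflare-one/gateway/customize-block-page.mdx` re-points two fragment links (`#add-a-logo-image` and `#allow-users-to-email-an-administrator`) at the new page; a path redirect does not carry fragments, and a wrong fragment fails silently, so confirm both headings exist verbatim on the renamed page. Also, the patch as shown contains no rename of `configuring-block-page.mdx` to `block-page.mdx`; make sure the file move is part of this change set, otherwise every link updated in this PR resolves to a missing page.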
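Review bot: in `partials/fundamentals/account-permissions-table.mdx`, the "Access: Custom Pages Read" and "Access: Custom Pages {props.one}" rows describe permissions on Cloudflare Access custom pages but are re-pointed at the Gateway block page. The Access block-page partial touched in this same PR states that Access custom block pages are a separate feature and cross-links to the Gateway block page as the other thing. Rather than carrying the wrong target over to the new URL, link these rows to the Access custom pages documentation.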