From c93406d0c9e824ac369f2e4a62ce2a73eeef4c4f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 26 Aug 2024 16:30:20 -0500 Subject: [PATCH 01/15] Add new cert procedure --- .../warp/user-side-certificates/index.mdx | 44 +++++++++++++++++-- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index e489307bba33f05..608e7f7697cde5a 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -3,11 +3,47 @@ pcx_content_type: navigation title: User-side certificates sidebar: order: 4 - --- -import { DirectoryListing } from "~/components" +Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. + +Cloudflare assigns a unique root CA for each Zero Trust account. By default, you can [generate a certificate](#generate-a-cloudflare-root-certificate) and deploy it in Zero Trust. Alternatively, Enterprise users can upload their own [custom certificate](custom-certificate/). Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [via WARP](install-cert-with-warp/) or [manually](install-cloudflare-cert/). + +| Deployment status | Description | +| ----------------- | ---------------------------------------------------------------------------------------------- | +| Inactive | The certificate has been uploaded to Cloudflare but is not deployed across the global network. | +| Pending | The certificate is being activated or deactivated for use. | +| Active | The certificate is deployed across the Cloudflare global network and ready to be turned on. | +| In-Use | The certificate is turned on. Gateway will use the certificate for inspection. | + +## Generate a Cloudflare root certificate + +To generate a Cloudflare root certificate: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. +3. Select **Generate certificate**. +4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. 
Alternatively, choose _Custom_ and enter a custom amount in days. +5. Select **Generate certificate**. + +The certificate will appear in your list of certificates as **Inactive**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate). + +## Activate a root certificate + +Once a certificate is generated in or uploaded to Zero Trust, you need to activate it. Activating a certificate deploys it across the Cloudflare network. + +To manage the status of your root certificates: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. +3. Select the certificate you want to activate. +4. Select **Activate**. + +The status of the certificate will change to **Pending** while it deploys. Once your certificate is **Active**, you can turn it on for use in inspection: -Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. +3. Select the certificate you want to turn on. +4. In **Basic information**, select **Confirm and turn on certificate**. - +Only one certificate can be turned on for inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. 
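Review bot: the new intro paragraph orders the steps as "Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices", which has the certificate turned on for inspection before devices trust it; the custom-certificate procedure later in this series starts with "Verify that the certificate is installed on your devices", and since the listed features require the device to trust that root, clients inspected with a not-yet-installed certificate will fail certificate validation until it is installed. Suggest reordering so installation (via WARP or manually) precedes "Confirm and turn on certificate", and repeating that ordering in the closing paragraph of "Activate a root certificate". Two smaller points in the same hunk: the table's Pending row covers deactivation ("being activated or deactivated") but no deactivation procedure is given, and "your user's devices" should read "your users' devices".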
From 0b3ad9cda26df8f46a96ed1e97db5e21403ece03 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 26 Aug 2024 17:16:18 -0500 Subject: [PATCH 02/15] Add procedure to custom cert --- .../custom-certificate.mdx | 124 ++++++++++-------- .../warp/user-side-certificates/index.mdx | 2 +- 2 files changed, 72 insertions(+), 54 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx index ca46fb5695feed3..feb34e59bbbe693 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx @@ -8,7 +8,7 @@ description: Configure WARP to use a custom root certificate instead of the Cloudflare certificate. --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; :::note 
@@ -61,58 +61,72 @@ openssl x509 -in .pem -text ## Deploy a custom root certificate -1. Verify that the certificate is installed on your devices. - -2. - -3. Enable the certificate in Gateway with its UUID. - - ```bash null {10} - curl --request PATCH \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration" \ - --header "X-Auth-Email: " \ - --header "X-Auth-Key: " \ - --header "Content-Type: application/json" \ - --data '{ - "settings": { - "custom_certificate": { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" - } - } - }' - ``` - - The response will show the current status of the certificate: - - ```json null {13} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "settings": { - "antivirus": {...}, - "block_page": {...}, - "custom_certificate": - { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", - "binding_status": "pending_deployment", - "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" - }, - "tls_decrypt": {...}, - "activity_log": {...}, - "browser_isolation": {...}, - "fips": {...}, - }, - }, - "created_at": "2014-01-01T05:20:00.12345Z", - "updated_at": "2014-01-01T05:20:00.12345Z" - } - ``` - -Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate. + + + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. + 2. In **Certificates**, select **Manage**. + 3. Select **Upload certificate**. + 4. Enter the private key and SSL certificate you generated or select **Paste certificate from file** to upload them from a file. + 5. Select **Generate certificate**. + + + + 1. Verify that the certificate is installed on your devices. + + 2. + + 3. Enable the certificate in Gateway with its UUID. 
+ + ```bash null {10} + curl --request PATCH \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration" \ + --header "X-Auth-Email: " \ + --header "X-Auth-Key: " \ + --header "Content-Type: application/json" \ + --data '{ + "settings": { + "custom_certificate": { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" + } + } + }' + ``` + + The response will show the current status of the certificate: + + ```json null {13} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "settings": { + "antivirus": {...}, + "block_page": {...}, + "custom_certificate": + { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", + "binding_status": "pending_deployment", + "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" + }, + "tls_decrypt": {...}, + "activity_log": {...}, + "browser_isolation": {...}, + "fips": {...}, + }, + }, + "created_at": "2014-01-01T05:20:00.12345Z", + "updated_at": "2014-01-01T05:20:00.12345Z" + } + ``` + + Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. + + + :::caution[Private key visibility] @@ -120,6 +134,10 @@ When you upload a private key to Zero Trust, Cloudflare encrypts the key and sto ::: +## Use a custom root certificate + +To use a custom root certificate you generated and uploaded to Cloudflare, refer to [Activate a root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#activate-a-root-certificate). + ## Troubleshoot HTTP errors If Gateway returns an **HTTP Response Code: 526** after deploying a custom certificate, you can [troubleshoot errors with our FAQ](/cloudflare-one/faq/teams-troubleshooting/#i-see-error-526-when-browsing-to-a-website). 
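Review bot: in the `@@ -61,58 +61,72 @@` hunk, step 5 of the new Dashboard tab reads "Select **Generate certificate**" although the flow uploads an existing certificate and key (step 3 is "Upload certificate", step 4 pastes the key and certificate); confirm the real button label and correct it if it is not "Generate certificate". In the API tab the curl example authenticates with `X-Auth-Email`/`X-Auth-Key`, the account-wide Global API key; since this snippet will be copied into automation, suggest showing an `Authorization: Bearer <api_token>` header with a token scoped to the Gateway configuration instead. Also, the JSON response sample carries trailing commas after `"fips": {...},` and the closing `},` of `settings`, which would not parse; either drop them or note that the sample is abbreviated.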
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 608e7f7697cde5a..a15acbc0316a038 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -7,7 +7,7 @@ sidebar: Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. -Cloudflare assigns a unique root CA for each Zero Trust account. By default, you can [generate a certificate](#generate-a-cloudflare-root-certificate) and deploy it in Zero Trust. Alternatively, Enterprise users can upload their own [custom certificate](custom-certificate/). Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [via WARP](install-cert-with-warp/) or [manually](install-cloudflare-cert/). +Cloudflare assigns a unique root CA for each Zero Trust account. By default, you can [generate a certificate](#generate-a-cloudflare-root-certificate) and deploy it in Zero Trust. Alternatively, Enterprise users can upload their own [custom certificate](custom-certificate/). Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](install-cert-with-warp/) or [manually](install-cloudflare-cert/). | Deployment status | Description | | ----------------- | ---------------------------------------------------------------------------------------------- | From f15528573bfe28bbfdba26f8d6263782ea53fc78 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 27 Aug 2024 13:25:54 -0500 Subject: [PATCH 03/15] Add block page to security features --- public/_redirects | 1 + .../agentless/dns/dns-over-https.mdx | 159 ++++---- .../custom-certificate.mdx | 2 +- .../warp/user-side-certificates/index.mdx | 2 +- ...figuring-block-page.mdx => block-page.mdx} | 10 +- .../policies/gateway/dns-policies/index.mdx | 290 +++++++------ .../dns-policies/test-dns-filtering.mdx | 4 +- .../policies/gateway/http-policies/index.mdx | 380 +++++++++--------- .../policies/gateway/initial-setup/dns.mdx | 16 +- .../gateway/initial-setup/network.mdx | 7 +- .../build-dns-policies/test-policy.mdx | 11 +- .../security/securing-data-in-transit.mdx | 19 +- 12 files changed, 437 insertions(+), 464 deletions(-) rename src/content/docs/cloudflare-one/policies/gateway/{configuring-block-page.mdx => block-page.mdx} (95%) diff --git a/public/_redirects b/public/_redirects index 769768c39b0b167..7c3f163f4eb0f79 100644 --- a/public/_redirects +++ b/public/_redirects @@ -1597,6 +1597,7 @@ /cloudflare-one/applications/custom-pages/ /cloudflare-one/applications/ 301 /cloudflare-one/identity/service-auth/service-tokens/ /cloudflare-one/identity/service-tokens/ 301 /cloudflare-one/identity/users/validating-json/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301 +/cloudflare-one/policies/gateway/configuring-block-page/ /cloudflare-one/policies/gateway/block-page/ 301 /cloudflare-one/policies/lists/ /cloudflare-one/policies/gateway/lists 301 /cloudflare-one/policies/zero-trust/ /cloudflare-one/policies/access/ 301 /cloudflare-one/policies/zero-trust/app-paths/ /cloudflare-one/policies/access/app-paths/ 301 diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx index b04daa118eb0ad1..3b1b82d07142ff4 100644 
--- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx @@ -3,10 +3,9 @@ pcx_content_type: how-to title: DNS over HTTPS (DoH) sidebar: order: 3 - --- -import { Details, GlossaryTooltip, Render } from "~/components" +import { Details, GlossaryTooltip, Render } from "~/components"; With Cloudflare Gateway, you can filter DNS over HTTPS (DoH) requests by [DNS location](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) or by user without needing to install the WARP client on your devices. @@ -34,7 +33,6 @@ Your DNS queries will now be sent to Gateway for filtering. To filter these requ ### Configure operating system for DoH -
1. Obtain the `A` and `AAAA` record values associated with your location's DoH endpoint. @@ -71,20 +69,18 @@ Your DNS queries will now be sent to Gateway for filtering. To filter these requ 4. Under **DNS server assignment**, select **Edit**. -5. In the drop-down menu, choose *Manual*. +5. In the drop-down menu, choose _Manual_. 6. Enable **IPv4**. -7. In **Preferred DNS** and **Alternate DNS**, enter the IPv4 addresses from your `A` record command. Set **DNS over HTTPS** to *On (automatic template)*. +7. In **Preferred DNS** and **Alternate DNS**, enter the IPv4 addresses from your `A` record command. Set **DNS over HTTPS** to _On (automatic template)_. 8. Enable **IPv6**. -9. In **Preferred DNS** and **Alternate DNS**, enter the IPv6 addresses from your `AAAA` record command. Set **DNS over HTTPS** to *On (automatic template)*. - +9. In **Preferred DNS** and **Alternate DNS**, enter the IPv6 addresses from your `AAAA` record command. Set **DNS over HTTPS** to _On (automatic template)_.
-
Obtain the `A` and `AAAA` record values associated with your location's DoH endpoint. @@ -107,7 +103,6 @@ nslookup -type=AAAA .cloudflare-gateway.com For more information, refer to [Microsoft's DoH guide](https://learn.microsoft.com/en-us/windows-server/networking/dns/doh-client-support) for Windows Server 2022 and newer. -
## Filter DoH requests by user @@ -128,27 +123,25 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/service_ Save the service token's `client_id`, `client_secret`, and `id`. -
```json null {3,4,7} { - "result": { - "client_id": "88bf3b6d86161464f6509f7219099e57.access", - "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", - "created_at": "2022-06-09T01:59:17Z", - "expires_at": "2023-06-09T01:59:17Z", - "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "name": "ACME Corporation service token", - "updated_at": "2022-06-09T01:59:17Z" - }, - "success": true, - "errors": [], - "messages": [] + "result": { + "client_id": "88bf3b6d86161464f6509f7219099e57.access", + "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5", + "created_at": "2022-06-09T01:59:17Z", + "expires_at": "2023-06-09T01:59:17Z", + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "name": "ACME Corporation service token", + "updated_at": "2022-06-09T01:59:17Z" + }, + "success": true, + "errors": [], + "messages": [] } ``` -
### 2. Enable DoH functionality for the service token @@ -162,27 +155,25 @@ curl --request PUT \ If you get an `access.api.error.service_token_not_found` error, check that `{service_token_id}` is the value of `id` and not `client_id`. -
```json { - "result": { - "client_id": "88bf3b6d86161464f6509f7219099e57.access", - "created_at": "2022-06-09T01:59:17Z", - "expires_at": "2023-06-09T01:59:17Z", - "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "name": "ACME Corporation service token", - "updated_at": "2022-06-09T01:59:17Z", - "duration": "8760h" - }, - "success": true, - "errors": [], - "messages": [] + "result": { + "client_id": "88bf3b6d86161464f6509f7219099e57.access", + "created_at": "2022-06-09T01:59:17Z", + "expires_at": "2023-06-09T01:59:17Z", + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "name": "ACME Corporation service token", + "updated_at": "2022-06-09T01:59:17Z", + "duration": "8760h" + }, + "success": true, + "errors": [], + "messages": [] } ``` -
### 3. Create a user @@ -203,43 +194,39 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/users" \ Save the user's `id` returned in the response. -
```json null {3} { - "result": { - "id": "54d425de-7a78-4186-9975-d43c88ee7899", - "created_at": "2022-03-16T21:18:39.93598Z", - "updated_at": "2022-05-17T23:50:39.598345Z", - "uid": "54d425de-7a78-4186-9975-d43c88ee7899", - "name": "John Doe", - "email": "jdoe@acme.com", - "custom": { - "groups": [ - { - "email": "finance@acme.com", - "id": "02fk6b3p3majl10", - "name": "Finance" - } - ] - } - }, - "success": true, - "errors": [], - "messages": [] + "result": { + "id": "54d425de-7a78-4186-9975-d43c88ee7899", + "created_at": "2022-03-16T21:18:39.93598Z", + "updated_at": "2022-05-17T23:50:39.598345Z", + "uid": "54d425de-7a78-4186-9975-d43c88ee7899", + "name": "John Doe", + "email": "jdoe@acme.com", + "custom": { + "groups": [ + { + "email": "finance@acme.com", + "id": "02fk6b3p3majl10", + "name": "Finance" + } + ] + } + }, + "success": true, + "errors": [], + "messages": [] } ``` -
:::note - Steps 1-3 above only need to be completed once, while Steps 4-5 below would occur during normal operation. - ::: ### 4. Generate a DoH token for the user @@ -254,14 +241,14 @@ curl "https://.cloudflareaccess.com/cdn-cgi/access/doh-token?account- The response contains a unique DoH token associated with the user. This token expires in 24 hours. We recommend setting up a refresh flow for the DoH token instead of generating a new one for every DoH query. -
```json -{"token":"y2khbGciOiJSUzI1NiIsImtpZCI6ImJlZjVkYjg4ZTEwMjk3ZDEwNzhkMmEyYjE0MjMxZTljYTQwMjQ2NjAwOTQzNmJhOTQwOGJkODY3ZmI4OWFiOGQifQ.eyJ0eXBlIjoiZG9oIiwiYXVkIjoiY2xvdWRmbGFyZS1nYXRld2F5LmNvbSIsImlhdCI6MTY1NDc1MTg3NSwiZXhwIjoxNjU0ODM4Mjc1LCJhY2NvdW50LWlkIjoiMTA4MDM0OGIyZGYzYmQwN2QxZmI1MjM3Y2Q1ZDU5M2EiLCJ1c2VyLWlkIjoiNTRkNDI1ZGUtN2E3OC00MTg2LTk5NzUtZDQzYzg4ZWU3ODk5In0.I5p4WsH2dPhQ8vwy84zF05PsoBHCsUSXAaMpNhEH36oFZ3tXcs9ksLz7OzpZ_x3HxUfO3n57LlpAF1VehaBt2i94XCkvSgtHpYcwd_qZydLp-BGtcyfU1LbdXQC3m6zxKcIWu5VySi8I-J25UYlpyJhYgZ4DQUZIpqbSSt6WcVRKvA7OBa7xjkTux4OcqWAViO_ZS-GLwl-fqhvolmiwk37seBD3YuV1zG06VeWXfrMkZ5MbhooHD1DZDBHOZpTtmN8MbeKeI4tlY1mb_O3-jE-um6F9Hrl4NQm89MKFzsum-_Rywi5m4PTSlDza7fjdJs7RzFgJd3VWgzG-jgyQKw"} +{ + "token": "y2khbGciOiJSUzI1NiIsImtpZCI6ImJlZjVkYjg4ZTEwMjk3ZDEwNzhkMmEyYjE0MjMxZTljYTQwMjQ2NjAwOTQzNmJhOTQwOGJkODY3ZmI4OWFiOGQifQ.eyJ0eXBlIjoiZG9oIiwiYXVkIjoiY2xvdWRmbGFyZS1nYXRld2F5LmNvbSIsImlhdCI6MTY1NDc1MTg3NSwiZXhwIjoxNjU0ODM4Mjc1LCJhY2NvdW50LWlkIjoiMTA4MDM0OGIyZGYzYmQwN2QxZmI1MjM3Y2Q1ZDU5M2EiLCJ1c2VyLWlkIjoiNTRkNDI1ZGUtN2E3OC00MTg2LTk5NzUtZDQzYzg4ZWU3ODk5In0.I5p4WsH2dPhQ8vwy84zF05PsoBHCsUSXAaMpNhEH36oFZ3tXcs9ksLz7OzpZ_x3HxUfO3n57LlpAF1VehaBt2i94XCkvSgtHpYcwd_qZydLp-BGtcyfU1LbdXQC3m6zxKcIWu5VySi8I-J25UYlpyJhYgZ4DQUZIpqbSSt6WcVRKvA7OBa7xjkTux4OcqWAViO_ZS-GLwl-fqhvolmiwk37seBD3YuV1zG06VeWXfrMkZ5MbhooHD1DZDBHOZpTtmN8MbeKeI4tlY1mb_O3-jE-um6F9Hrl4NQm89MKFzsum-_Rywi5m4PTSlDza7fjdJs7RzFgJd3VWgzG-jgyQKw" +} ``` -
### 5. Send an authenticated DoH query @@ -274,37 +261,35 @@ curl --silent "https://.cloudflare-gateway.com/dns-query?name=exampl --header "CF-Authorization: " | jq ``` -If the site is blocked and you have enabled [**Display block page**](/cloudflare-one/policies/gateway/configuring-block-page/#turn-on-the-block-page) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`. - +If the site is blocked and you have enabled [**Display block page**](/cloudflare-one/policies/gateway/block-page/#turn-on-the-block-page) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
```json { - "Status": 0, - "TC": false, - "RD": true, - "RA": true, - "AD": false, - "CD": false, - "Question": [ - { - "name": "example.com", - "type": 1 - } - ], - "Answer": [ - { - "name": "example.com", - "type": 1, - "TTL": 60, - "data": "162.159.36.12" - } - ] + "Status": 0, + "TC": false, + "RD": true, + "RA": true, + "AD": false, + "CD": false, + "Question": [ + { + "name": "example.com", + "type": 1 + } + ], + "Answer": [ + { + "name": "example.com", + "type": 1, + "TTL": 60, + "data": "162.159.36.12" + } + ] } ``` -
You can verify that the request was associated with the correct user email by checking your [Gateway DNS logs](/cloudflare-one/insights/logs/gateway-logs/). To filter these requests, build a DNS policy using any of the Gateway [identity-based selectors](/cloudflare-one/policies/gateway/identity-selectors/). diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx index feb34e59bbbe693..b1b5ce9c0007680 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx 
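Review bot: in the dns-over-https.mdx hunk at `@@ -274,37 +261,35 @@`, the sentence "If the block page is disabled, the response will be `0.0.0.0`" and the sample answer cover only an `A` query, while the block-page.mdx text in this same patch says Gateway answers blocked IPv6 queries with `::`; suggest "the response will be `0.0.0.0` for `A` queries and `::` for `AAAA` queries" here so the two pages agree, and state whether `162.159.36.12` is also what an `AAAA` query receives when the block page is on. The link change to `/cloudflare-one/policies/gateway/block-page/#turn-on-the-block-page` matches the rename and the `_redirects` entry added in this patch.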
@@ -15,7 +15,7 @@ import { Render, Tabs, TabItem } from "~/components"; Only available on Enterprise plans. ::: -Enterprise customers who do not wish to install the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required the Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/configuring-block-page/). +Enterprise customers who do not wish to install the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required the Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/block-page/). :::caution diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index a15acbc0316a038..2ce1e33bb9fc8b3 100644 
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx @@ -5,7 +5,7 @@ sidebar: order: 4 --- -Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. +Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [block pages](/cloudflare-one/policies/gateway/block-page/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. Cloudflare assigns a unique root CA for each Zero Trust account. By default, you can [generate a certificate](#generate-a-cloudflare-root-certificate) and deploy it in Zero Trust. Alternatively, Enterprise users can upload their own [custom certificate](custom-certificate/). Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](install-cert-with-warp/) or [manually](install-cloudflare-cert/). 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/configuring-block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx similarity index 95% rename from src/content/docs/cloudflare-one/policies/gateway/configuring-block-page.mdx rename to src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 66b41e0fc952012..c437fdaa93c1d9e 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/configuring-block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx @@ -3,10 +3,9 @@ pcx_content_type: how-to title: Block page sidebar: order: 11 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Gateway responds to any domain blocked at the DNS level with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, and does not return that blocked domain's IP address. As a result, the browser will show a browser default error page, and users will not be able to reach that website. This may cause confusion and lead some users to think that their Internet connection is not working. @@ -24,7 +23,12 @@ For all HTTP Block policies, Gateway automatically displays a generic Cloudflare To turn on the block page and specify a custom block message: - Firewall Policies > DNS or Gateway > Firewall Policies > HTTP" }} /> + Firewall Policies > DNS or Gateway > Firewall Policies > HTTP", + }} +/> ## Troubleshoot the block page diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index fab0ceae606fda6..154070686953d49 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx 
@@ -3,24 +3,26 @@ pcx_content_type: configuration title: DNS policies sidebar: order: 2 - --- -import { Details, InlineBadge, Render } from "~/components" +import { Details, InlineBadge, Render } from "~/components"; When a user makes a DNS request to Gateway, Gateway matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Override policy, the user's client receives the DNS resolution and initiates an HTTP connection. A DNS policy consists of an **Action** as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a **Selector** and an **Operator**, and enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. -* [Actions](#actions) -* [Selectors](#selectors) -* [Comparison operators](#comparison-operators) -* [Value](#value) -* [Logical operators](#logical-operators) +- [Actions](#actions) +- [Selectors](#selectors) +- [Comparison operators](#comparison-operators) +- [Value](#value) +- [Logical operators](#logical-operators) -When creating a DNS policy, you can select as many security risk categories and content categories as needed to fully secure your network. Unless a more specific selector is configured in a policy (for example, *User Email* or *Source IP*), then the policy will be evaluated against all DNS queries that reach Gateway from your organization. +When creating a DNS policy, you can select as many security risk categories and content categories as needed to fully secure your network. Unless a more specific selector is configured in a policy (for example, _User Email_ or _Source IP_), then the policy will be evaluated against all DNS queries that reach Gateway from your organization. - + ## Actions 
@@ -28,52 +30,50 @@ Just like actions in HTTP policies, actions in DNS policies allow you to choose These are the action types you can choose from: -* [Allow](#allow) -* [Block](#block) -* [Override](#override) -* [Safe Search](#safe-search) -* [YouTube Restricted Mode](#youtube-restricted-mode) +- [Allow](#allow) +- [Block](#block) +- [Override](#override) +- [Safe Search](#safe-search) +- [YouTube Restricted Mode](#youtube-restricted-mode) ### Allow API value: `allow` -
**Traffic** -* [Application](#application) -* [Authoritative Nameserver IP](#authoritative-nameserver-ip) -* [Content Categories](#content-categories) -* [DNS CNAME Response Value](#dns-cname-record) -* [DNS MX Response Value](#dns-mx-record) -* [DNS PTR Response Value](#dns-ptr-record) -* [DNS Resolver IP](#dns-resolver-ip) -* [DNS TXT Response Value](#dns-txt-record) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Indicator Feeds](#indicator-feeds) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Resolved IP](#resolved-ip) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Authoritative Nameserver IP](#authoritative-nameserver-ip) +- [Content Categories](#content-categories) +- [DNS CNAME Response Value](#dns-cname-record) +- [DNS MX Response Value](#dns-mx-record) +- [DNS PTR Response Value](#dns-ptr-record) +- [DNS Resolver IP](#dns-resolver-ip) +- [DNS TXT Response Value](#dns-txt-record) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Indicator Feeds](#indicator-feeds) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Resolved IP](#resolved-ip) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group 
Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
@@ -91,42 +91,40 @@ When you select **Disable DNSSEC validation**, Gateway will resolve DNS queries API value: `block` -
**Traffic** -* [Application](#application) -* [Authoritative Nameserver IP](#authoritative-nameserver-ip) -* [Content Categories](#content-categories) -* [DNS CNAME Response Value](#dns-cname-record) -* [DNS MX Response Value](#dns-mx-record) -* [DNS PTR Response Value](#dns-ptr-record) -* [DNS Resolver IP](#dns-resolver-ip) -* [DNS TXT Response Value](#dns-txt-record) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Indicator Feeds](#indicator-feeds) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Resolved IP](#resolved-ip) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Authoritative Nameserver IP](#authoritative-nameserver-ip) +- [Content Categories](#content-categories) +- [DNS CNAME Response Value](#dns-cname-record) +- [DNS MX Response Value](#dns-mx-record) +- [DNS PTR Response Value](#dns-ptr-record) +- [DNS Resolver IP](#dns-resolver-ip) +- [DNS TXT Response Value](#dns-txt-record) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Indicator Feeds](#indicator-feeds) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Resolved IP](#resolved-ip) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group 
Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
@@ -138,7 +136,7 @@ Policies with Block actions block DNS queries to reach destinations you specify #### Custom block page -When choosing the Block action, turn on **Display custom block page** to respond to queries with a block page and to specify the message you want to display to users who go to blocked websites. If the block page is disabled, Gateway will respond to blocked queries with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. For more information, refer to the dedicated documentation on [customizing the block page](/cloudflare-one/policies/gateway/configuring-block-page/). +When choosing the Block action, turn on **Display custom block page** to respond to queries with a block page and to specify the message you want to display to users who go to blocked websites. If the block page is disabled, Gateway will respond to blocked queries with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. For more information, refer to the dedicated documentation on [customizing the block page](/cloudflare-one/policies/gateway/block-page/). #### WARP client block notifications @@ -148,37 +146,35 @@ When choosing the Block action, turn on **Display custom block page** to respond API value: `override` -
The Override action cannot be used with selectors evaluated during or after DNS resolution. **Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [DNS Resolver IP](#dns-resolver-ip) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Content Categories](#content-categories) +- [DNS Resolver IP](#dns-resolver-ip) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
@@ -192,35 +188,33 @@ Policies with Override actions allow you to respond to all DNS queries for a giv API value: `safesearch` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [DNS Resolver IP](#dns-resolver-ip) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Content Categories](#content-categories) +- [DNS Resolver IP](#dns-resolver-ip) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
@@ -236,39 +230,37 @@ You can use Cloudflare Gateway to enable SafeSearch on search engines like Googl API value: `ytrestricted` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [DNS Resolver IP](#dns-resolver-ip) -* [DOH Subdomain](#doh-subdomain) -* [Domain](#domain) -* [Host](#host) -* [Location](#location) -* [Query Record Type](#query-record-type) -* [Resolved Continent IP Geolocation](#resolved-continent) -* [Resolved Country IP Geolocation](#resolved-country) -* [Security Categories](#security-categories) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source IP](#source-ip) +- [Application](#application) +- [Content Categories](#content-categories) +- [DNS Resolver IP](#dns-resolver-ip) +- [DOH Subdomain](#doh-subdomain) +- [Domain](#domain) +- [Host](#host) +- [Location](#location) +- [Query Record Type](#query-record-type) +- [Resolved Continent IP Geolocation](#resolved-continent) +- [Resolved Country IP Geolocation](#resolved-country) +- [Security Categories](#security-categories) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source IP](#source-ip) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) - +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users)
-Similarly, you can enforce YouTube Restricted mode by choosing the *YouTube Restricted* action. YouTube Restricted Mode is an automated filter for adult and offensive content built into YouTube. To enable YouTube Restricted Mode, you could set up a policy like the following: +Similarly, you can enforce YouTube Restricted mode by choosing the _YouTube Restricted_ action. YouTube Restricted Mode is an automated filter for adult and offensive content built into YouTube. To enable YouTube Restricted Mode, you could set up a policy like the following: | Selector | Operator | Value | Action | | ---------- | -------- | ------------- | ------------------ | @@ -308,7 +300,7 @@ Use this selector to filter DNS responses by their `CNAME` records. :::note -If one CNAME record points to another CNAME record, each record in the chain will be evaluated. For example, if `abc.example.com` points to `xyz.example.com`, then your DNS policy will evaluate both `abc.example.com` and `xyz.example.com`. +If one CNAME record points to another CNAME record, each record in the chain will be evaluated. For example, if `abc.example.com` points to `xyz.example.com`, then your DNS policy will evaluate both `abc.example.com` and `xyz.example.com`. ::: ### DNS MX Record @@ -367,14 +359,14 @@ Use this selector to filter DNS responses by their `TXT` records. Use this selector to filter based on the continent that the query resolves to. Geolocation is determined from the IP address in the response. To specify a continent, enter its two-letter code into the **Value** field: -* AF – Africa -* AN – Antarctica -* AS – Asia -* EU – Europe -* NA – North America -* OC – Oceania -* SA – South America -* T1 – Tor network +- AF – Africa +- AN – Antarctica +- AS – Asia +- EU – Europe +- NA – North America +- OC – Oceania +- SA – South America +- T1 – Tor network | UI name | API example | Evaluation phase | | --------------------------------- | ------------------------------- | -------------------- | 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx index cc978eb25daaa9c..eb02a5c3278457a 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx @@ -23,7 +23,7 @@ For example, if you created a policy to block `example.com`, you can do the foll 2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**. -3. If the [block page](/cloudflare-one/policies/gateway/configuring-block-page/) is disabled for the policy, you should see `REFUSED` in the answer section: +3. If the [block page](/cloudflare-one/policies/gateway/block-page/) is disabled for the policy, you should see `REFUSED` in the answer section: ```sh dig example.com @@ -46,7 +46,7 @@ For example, if you created a policy to block `example.com`, you can do the foll ;; MSG SIZE rcvd: 29 ``` - If the [block page](/cloudflare-one/policies/gateway/configuring-block-page/) is enabled for the policy, you should see `NOERROR` in the answer section and `162.159.36.12` and `162.159.46.12` as the answers: + If the [block page](/cloudflare-one/policies/gateway/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section and `162.159.36.12` and `162.159.46.12` as the answers: ```sh null dig example.com diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index 219691f9ca5067d..6a62d04475826c4 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx 
@@ -3,30 +3,30 @@ pcx_content_type: configuration title: HTTP policies sidebar: order: 4 - --- -import { Details, InlineBadge, Render } from "~/components" +import { Details, InlineBadge, Render } from "~/components"; :::note - Install the Cloudflare Root Certificate before creating HTTP policies. - ::: HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and [optionally UDP](/cloudflare-one/policies/gateway/initial-setup/http/#1-connect-to-gateway)) traffic sent over ports 80 and 443. An HTTP policy consists of an **Action** as well as a logical expression that determines the scope of the policy. To build an expression, you need to choose a **Selector** and an **Operator**, and enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. -* [Actions](#actions) -* [Selectors](#selectors) -* [Comparison operators](#comparison-operators) -* [Value](#value) -* [Logical operators](#logical-operators) +- [Actions](#actions) +- [Selectors](#selectors) +- [Comparison operators](#comparison-operators) +- [Value](#value) +- [Logical operators](#logical-operators) - + ## Actions @@ -36,50 +36,48 @@ Actions in HTTP policies allow you to choose what to do with a given set of elem API value: `allow` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [Destination Continent IP Geolocation](#destination-continent) -* [Destination Country IP Geolocation](#destination-country) -* [Destination IP](#destination-ip) -* [DLP Profile](#dlp-profile) -* [Domain](#domain) -* [Download File Types](#download-and-upload-file-types) -* [Download Mime Type](#download-and-upload-mime-type) -* [Host](#host) -* [HTTP Method](#http-method) -* [HTTP Response](#http-response) -* [Proxy Endpoint](#proxy-endpoint) -* [Security Risks](#security-risks) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source Internal IP](#source-internal-ip) -* [Source IP](#source-ip) -* [Upload File Types](#download-and-upload-file-types) -* [Upload Mime Type](#download-and-upload-mime-type) -* [URL](#url) -* [URL Path](#url-path) -* [URL Path & Query](#url-path-and-query) -* [URL Query](#url-query) -* [Virtual Network](#virtual-network) +- [Application](#application) +- [Content Categories](#content-categories) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [DLP Profile](#dlp-profile) +- [Domain](#domain) +- [Download File Types](#download-and-upload-file-types) +- [Download Mime Type](#download-and-upload-mime-type) +- [Host](#host) +- [HTTP Method](#http-method) +- [HTTP Response](#http-response) +- [Proxy Endpoint](#proxy-endpoint) +- [Security Risks](#security-risks) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Upload File Types](#download-and-upload-file-types) +- [Upload Mime Type](#download-and-upload-mime-type) +- [URL](#url) +- [URL Path](#url-path) +- [URL Path & Query](#url-path-and-query) +- [URL Query](#url-query) +- [Virtual 
Network](#virtual-network) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
@@ -93,10 +91,8 @@ The Allow action allows outbound traffic to reach destinations you specify withi :::note - To use this feature, deploy a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). - ::: The **Untrusted certificate action** determines how to handle insecure requests. @@ -104,57 +100,55 @@ The **Untrusted certificate action** determines how to handle insecure requests. | Option | Action | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | Display Gateway error page. Matches the default behavior when no action is configured. | -| Block | Display [block page](/cloudflare-one/policies/gateway/configuring-block-page/) as set in Zero Trust. | +| Block | Display [block page](/cloudflare-one/policies/gateway/block-page/) as set in Zero Trust. | | Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. To use this feature, deploy a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). For more information on what statuses are bypassed, refer to the [troubleshooting FAQ](/cloudflare-one/faq/teams-troubleshooting/#i-see-error-526-when-browsing-to-a-website). | ### Block API value: `block` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [Destination Continent IP Geolocation](#destination-continent) -* [Destination Country IP Geolocation](#destination-country) -* [Destination IP](#destination-ip) -* [DLP Profile](#dlp-profile) -* [Domain](#domain) -* [Download File Types](#download-and-upload-file-types) -* [Download Mime Type](#download-and-upload-mime-type) -* [Host](#host) -* [HTTP Method](#http-method) -* [HTTP Response](#http-response) -* [Proxy Endpoint](#proxy-endpoint) -* [Security Risks](#security-risks) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source Internal IP](#source-internal-ip) -* [Source IP](#source-ip) -* [Upload File Types](#download-and-upload-file-types) -* [Upload Mime Type](#download-and-upload-mime-type) -* [URL](#url) -* [URL Path](#url-path) -* [URL Path & Query](#url-path-and-query) -* [URL Query](#url-query) -* [Virtual Network](#virtual-network) +- [Application](#application) +- [Content Categories](#content-categories) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [DLP Profile](#dlp-profile) +- [Domain](#domain) +- [Download File Types](#download-and-upload-file-types) +- [Download Mime Type](#download-and-upload-mime-type) +- [Host](#host) +- [HTTP Method](#http-method) +- [HTTP Response](#http-response) +- [Proxy Endpoint](#proxy-endpoint) +- [Security Risks](#security-risks) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Upload File Types](#download-and-upload-file-types) +- [Upload Mime Type](#download-and-upload-mime-type) +- [URL](#url) +- [URL Path](#url-path) +- [URL Path & Query](#url-path-and-query) +- [URL Query](#url-query) +- [Virtual 
Network](#virtual-network) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
@@ -173,37 +167,35 @@ The Block action blocks outbound traffic from reaching destinations you specify API value: `isolate` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [Domain](#domain) -* [Host](#host) -* [HTTP Method](#http-method) -* [Security Risks](#security-risks) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [URL](#url) -* [URL Path](#url-path) -* [URL Path & Query](#url-path-and-query) -* [URL Query](#url-query) +- [Application](#application) +- [Content Categories](#content-categories) +- [Domain](#domain) +- [Host](#host) +- [HTTP Method](#http-method) +- [Security Risks](#security-risks) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [URL](#url) +- [URL Path](#url-path) +- [URL Path & Query](#url-path-and-query) +- [URL Query](#url-query) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
@@ -213,37 +205,35 @@ The Isolate action serves matched traffic to users via [Cloudflare Browser Isola API value: `noisolate` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [Domain](#domain) -* [Host](#host) -* [HTTP Method](#http-method) -* [Security Risks](#security-risks) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [URL](#url) -* [URL Path](#url-path) -* [URL Path & Query](#url-path-and-query) -* [URL Query](#url-query) +- [Application](#application) +- [Content Categories](#content-categories) +- [Domain](#domain) +- [Host](#host) +- [HTTP Method](#http-method) +- [Security Risks](#security-risks) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [URL](#url) +- [URL Path](#url-path) +- [URL Path & Query](#url-path-and-query) +- [URL Query](#url-query) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
@@ -253,50 +243,46 @@ The Do Not Isolate action turns off browser isolation for matched traffic. For m API value: `off` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [Destination Continent IP Geolocation](#destination-continent) -* [Destination Country IP Geolocation](#destination-country) -* [Destination IP](#destination-ip) -* [Domain](#domain) -* [Host](#host) -* [Proxy Endpoint](#proxy-endpoint) -* [Security Risks](#security-risks) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source Internal IP](#source-internal-ip) -* [Source IP](#source-ip) -* [Virtual Network](#virtual-network) +- [Application](#application) +- [Content Categories](#content-categories) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [Domain](#domain) +- [Host](#host) +- [Proxy Endpoint](#proxy-endpoint) +- [Security Risks](#security-risks) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Virtual Network](#virtual-network) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
:::caution[Visibility limitation] - When you create a Do Not Inspect policy for a given hostname, application, or app type, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/policies/gateway/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). - ::: Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indicator (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). @@ -307,44 +293,42 @@ All Do Not Inspect rules are evaluated first, before any Allow or Block rules, t API value: `noscan` -
**Traffic** -* [Application](#application) -* [Content Categories](#content-categories) -* [Destination Continent IP Geolocation](#destination-continent) -* [Destination Country IP Geolocation](#destination-country) -* [Destination IP](#destination-ip) -* [Domain](#domain) -* [Host](#host) -* [HTTP Method](#http-method) -* [Proxy Endpoint](#proxy-endpoint) -* [Security Risks](#security-risks) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source Internal IP](#source-internal-ip) -* [Source IP](#source-ip) -* [URL](#url) -* [URL Path](#url-path) -* [URL Path & Query](#url-path-and-query) -* [URL Query](#url-query) -* [Virtual Network](#virtual-network) +- [Application](#application) +- [Content Categories](#content-categories) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [Domain](#domain) +- [Host](#host) +- [HTTP Method](#http-method) +- [Proxy Endpoint](#proxy-endpoint) +- [Security Risks](#security-risks) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [URL](#url) +- [URL Path](#url-path) +- [URL Path & Query](#url-path-and-query) +- [URL Query](#url-query) +- [Virtual Network](#virtual-network) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
@@ -360,10 +344,8 @@ When a Do Not Scan rule matches, nothing is scanned, regardless of file size or :::note - Policies created using the URL selector are case-sensitive. - ::: Gateway matches HTTP traffic against the following selectors, or criteria: @@ -374,10 +356,8 @@ Gateway matches HTTP traffic against the following selectors, or criteria: :::caution[Multiple API selectors required for Terraform] - When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`. - ::: ### Content Categories @@ -392,25 +372,31 @@ For more information, refer to our list of [content categories](/cloudflare-one/ :::note -Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default). +Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default). ::: - + ### Destination Country :::note -Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default). +Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default). ::: - + ### Destination IP :::note -Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default). +Only applies to traffic sent through the [WARP client](/cloudflare-one/connections/connect-devices/warp/set-up-warp/#gateway-with-warp-default). ::: | UI name | API example | 
@@ -433,10 +419,8 @@ Use this selector to match against a domain and all subdomains — for example, :::caution[Deprecated selectors] - The **Download File Types** and **Upload File Types** selectors supersede the **Download File Type** and **Upload File Type** selectors. Gateway will still evaluate policies with the previous selectors. However, Cloudflare recommends migrating any policies with deprecated selectors to the new corresponding selectors. - ::: These selectors will scan file signatures in the HTTP body. You can select from file categories or specific file types, including executables, archives and compressed files, Microsoft 365/Office documents, and Adobe files. @@ -475,10 +459,8 @@ Use this selector to match only the hostname specified — for example, if you :::note - Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. - ::: ### HTTP Method @@ -515,7 +497,10 @@ The country of the user making the request. + ### Source IP @@ -555,7 +540,10 @@ The country of the user making the request. + ## Comparison operators @@ -567,6 +555,12 @@ The country of the user making the request. + - + diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx index be57bc3610e3dea..e5c67855f6f78de 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx 
@@ -6,16 +6,15 @@ sidebar: head: - tag: title content: Set up DNS filtering - --- -import { GlossaryTooltip, Render } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit. :::note -For a more detailed guide to filtering DNS queries and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. +For a more detailed guide to filtering DNS queries and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. ::: ## 1. Connect to Gateway @@ -26,7 +25,7 @@ To filter DNS requests from an individual device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your device. 2. In the WARP client Settings, log in to your organization’s Zero Trust instance. -3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/configuring-block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device. +3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device. ### Connect DNS locations 
@@ -39,13 +38,16 @@ To filter DNS requests from a location such as an office or data center: Gateway identifies locations differently depending on the DNS query protocol: -* **IPv4 queries** match to the source IP address. Under **Gateway** > **DNS Locations**, ensure that the **Source IPv4 Address** parameter is correct for the location you want to apply policies to. -* **IPv6, DOT, or DOH queries** match to the unique DNS forwarding address assigned to the DNS location. Ensure that your DNS resolver is configured for the location you want to apply policies to. +- **IPv4 queries** match to the source IP address. Under **Gateway** > **DNS Locations**, ensure that the **Source IPv4 Address** parameter is correct for the location you want to apply policies to. +- **IPv6, DOT, or DOH queries** match to the unique DNS forwarding address assigned to the DNS location. Ensure that your DNS resolver is configured for the location you want to apply policies to. ::: ## 2. Verify device connectivity - + ## 3. Add recommended policies diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx index 3b0633eacfa4bcd..8490870f93e9764 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx 
@@ -3,16 +3,15 @@ title: Network filtering pcx_content_type: how-to sidebar: order: 2 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access. :::note -For a more detailed guide to filtering network traffic and more for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. +For a more detailed guide to filtering network traffic and more for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. ::: ## 1. Connect to Gateway @@ -23,7 +22,7 @@ To filter network traffic from a device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your device. 2. In the WARP client Settings, log in to your organization’s Zero Trust instance. -3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/configuring-block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device . +3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device . 4. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic. ### Connect private networks 
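Review bot: In the dns.mdx locations hunk above, the rewritten bullet still spells the protocols `IPv6, DOT, or DOH queries` while test-policy.mdx in this same series writes `Gateway with DoH mode`; since the line is being touched, use the standard `DoT`/`DoH` capitalization so the two pages agree. The companion bullet `IPv4 queries match to the source IP address` is also the place to say explicitly that location policies therefore apply to every host sharing that egress address (for example everything behind one NAT gateway), which is the detail most often misunderstood when a location's policies appear to hit unexpected devices.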
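Review bot: The rewritten step 3 in network.mdx keeps the stray space before the full stop in `on your device .`; remove it while the line is being changed (the equivalent step 3 in dns.mdx has it right). Otherwise the hunk is the same link rename as dns.mdx and is fine.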
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx index f752c11f4e18a60..b6fabce1eb35034 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx @@ -3,10 +3,9 @@ title: Test a policy pcx_content_type: learning-unit sidebar: order: 5 - --- -import { Render } from "~/components" +import { Render } from "~/components"; It is common for a misconfigured Gateway policy to accidentally block traffic to benign sites. To ensure a smooth deployment, we recommend testing a simple policy before deploying DNS filtering to your organization. 
@@ -17,14 +16,12 @@ It is common for a misconfigured Gateway policy to accidentally block traffic to 3. Turn on any existing security policies or create a policy to block all security categories: 4. Ensure that your browser is not configured to use an alternate DNS resolver. For example, Chrome has a **Use secure DNS** setting that will cause the browser to send requests to 1.1.1.1 and bypass your DNS policies. 5. In the browser, go to `malware.testcategory.com`. Your browser will display: - * The Gateway block page, if your device is connected via the WARP client in Gateway with WARP mode. - * A generic error page, if your device is connected via another method, such as Gateway with DoH mode. + - The Gateway block page, if your device is connected via the WARP client in Gateway with WARP mode. + - A generic error page, if your device is connected via another method, such as Gateway with DoH mode. :::note - -[Custom block pages](/cloudflare-one/policies/gateway/configuring-block-page/) require you to install a root certificate on the device. - +[Custom block pages](/cloudflare-one/policies/gateway/block-page/) require you to install a root certificate on the device. ::: diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index d2f8a1e3150dc6e..b9305508cd3ec3a 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
@@ -6,16 +6,15 @@ sidebar: head: - tag: title content: "Reference Architecture Diagram: Securing data in transit" - --- ## Introduction -Data in transit typically means when it's traveling over the network. Because the Internet is made up of many thousands of networks, it is important to ensure your data is secure as it moves from device to server and back. These days, most common activities that generate data in transit are related to: +Data in transit typically means when it's traveling over the network. Because the Internet is made up of many thousands of networks, it is important to ensure your data is secure as it moves from device to server and back. These days, most common activities that generate data in transit are related to: -* Browsing online and uploading/download data to/from cloud applications -* Sending texts, pictures and emails -* Applications exposing and consuming data via APIs +- Browsing online and uploading/download data to/from cloud applications +- Sending texts, pictures and emails +- Applications exposing and consuming data via APIs Data in transit is often considered vulnerable to interception or tampering during transmission, so it is important to secure it through encryption techniques such as [QUIC](https://cloudflare-quic.com/), Transport Layer Security (TLS) or Secure Sockets Layer (SSL). This helps to ensure that the data remains confidential and protected from unauthorized access during its journey. There are other methods of inspecting data as it passes network boundaries to make decisions on if that data should continue to travel or not, Data Loss Prevention (DLP) technologies can be used to inspect the contents of network traffic and block sensitive data from going to a risky destination. This document outlines the methods Cloudflare has available to protect data in transit. 
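Review bot: In the test-policy.mdx hunk above, the reflowed note `[Custom block pages](/cloudflare-one/policies/gateway/block-page/) require you to install a root certificate on the device.` names the requirement but gives no link, while the equivalent step 3 in dns.mdx and network.mdx links `install the Cloudflare root certificate` to `/cloudflare-one/connections/connect-devices/warp/user-side-certificates/`; link it here too, since this is the page a learner is on when the block page fails to render. Step 4's warning that Chrome's `Use secure DNS` setting sends queries to 1.1.1.1 and bypasses your DNS policies also deserves one more sentence: a browser-level DoH resolver bypasses Gateway DNS filtering in general for that browser, not only during this test.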
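Review bot: The rewritten bullet `Browsing online and uploading/download data to/from cloud applications` should read `uploading/downloading`; fix it since the list is being rewritten anyway. In the unchanged sentence that follows, `Transport Layer Security (TLS) or Secure Sockets Layer (SSL)` presents SSL as a current encryption option; every SSL version is deprecated, so recommend TLS here and keep `SSL/TLS` only where it is used as a product name, as in the `SSL services` link further down. The same sentence also runs two statements together (`...should continue to travel or not, Data Loss Prevention (DLP) technologies can be used...`) and needs a full stop or semicolon.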
@@ -23,8 +22,8 @@ Data in transit is often considered vulnerable to interception or tampering duri Cloudflare is one of the leading providers of cloud network security services. There are two main use cases Cloudflare is used to secure network traffic. -* Providing secure connectivity to public websites and APIs using SSL/TLS -* Creating secure tunnels to private networks and applications which are hosted either in the cloud or on-premises +- Providing secure connectivity to public websites and APIs using SSL/TLS +- Creating secure tunnels to private networks and applications which are hosted either in the cloud or on-premises Cloudflare's [SSL services](/ssl/) are used by millions of websites and are easily implemented by making changes to DNS entries, so that all connections to public websites and APIs are terminated on Cloudflare's edge network. Connectivity from Cloudflare to the destination website or API can also be secured using the same SSL technologies. To ensure the strongest security, Cloudflare uses [post quantum cryptography](https://blog.cloudflare.com/post-quantum-to-origins). 
@@ -58,9 +57,9 @@ The following diagram shows a common flow for how Cloudflare inspects a request 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/connections/connect-devices/warp/download-warp/)). [Clientless](/cloudflare-one/connections/connect-devices/agentless/) options are supported as well. 2. Cloudflare’s [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file’s payload for [malicious code](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/policies/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The SWG policy is configured with a [‘block’ action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/) and a [block page](/cloudflare-one/policies/gateway/configuring-block-page/) returned to the end user’s web browser. +4. The SWG policy is configured with a [‘block’ action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user’s web browser. ## Related resources -* [Securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/) -* [Securing data at rest](/reference-architecture/diagrams/security/securing-data-at-rest/) +- [Securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/) +- [Securing data at rest](/reference-architecture/diagrams/security/securing-data-at-rest/) From c5ed42967a6b7c740249ce3c4487c4baf1c0838e Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 3 Sep 2024 11:57:25 -0500 Subject: [PATCH 04/15] Apply suggestions --- .../connect-devices/warp/user-side-certificates/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 2ce1e33bb9fc8b3..c052e74a04b6eaf 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx @@ -14,7 +14,7 @@ Cloudflare assigns a unique root CA for each Zero Trust account. By default, you | Inactive | The certificate has been uploaded to Cloudflare but is not deployed across the global network. | | Pending | The certificate is being activated or deactivated for use. | | Active | The certificate is deployed across the Cloudflare global network and ready to be turned on. | -| In-Use | The certificate is turned on. Gateway will use the certificate for inspection. | +| Active and In-Use | The certificate is turned on. Gateway will use the certificate for inspection. | ## Generate a Cloudflare root certificate From cc9660074c3cba275383d5a57bb8fa819e101f55 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 3 Sep 2024 16:27:37 -0500 Subject: [PATCH 05/15] Add suggestions --- .../diagrams/security/securing-data-in-transit.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index b9305508cd3ec3a..505c89f8d30ba6b 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
+++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
@@ -55,9 +55,9 @@ The following diagram shows a common flow for how Cloudflare inspects a request ![Figure 4: Upload of file containing sensitive data blocked by Cloudflare DLP](~/assets/images/reference-architecture/securing-data-in-transit/securing-data-in-transit-fig4.svg "Figure 4: Upload of file containing sensitive data blocked by Cloudflare DLP") 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/connections/connect-devices/warp/download-warp/)). [Clientless](/cloudflare-one/connections/connect-devices/agentless/) options are supported as well. -2. Cloudflare’s [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file’s payload for [malicious code](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/policies/data-loss-prevention/). +2. Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/policies/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The SWG policy is configured with a [‘block’ action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user’s web browser. +4. 
The SWG policy is configured with a ['block' action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/payload-logging/) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user's web browser. ## Related resources From ce3fb30a34802a7c3af742c133bf434f7f340277 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 3 Sep 2024 16:27:37 -0500 Subject: [PATCH 06/15] Change In-Use deployment status name --- .../warp/user-side-certificates/index.mdx | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index c052e74a04b6eaf..0165e47cc447849 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -7,7 +7,9 @@ sidebar: Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [block pages](/cloudflare-one/policies/gateway/block-page/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. -Cloudflare assigns a unique root CA for each Zero Trust account. By default, you can [generate a certificate](#generate-a-cloudflare-root-certificate) and deploy it in Zero Trust. Alternatively, Enterprise users can upload their own [custom certificate](custom-certificate/). Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](install-cert-with-warp/) or [manually](install-cloudflare-cert/). +Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](custom-certificate/). + +Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](install-cert-with-warp/) or [manually](install-cloudflare-cert/). | Deployment status | Description | | ----------------- | ---------------------------------------------------------------------------------------------- | 
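Review bot: The new opening sentence `Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network` states that the generated CA is deployed automatically, but the status table directly below defines a fresh certificate as `Inactive ... not deployed across the global network`, and the Generate section in the next hunk says `The certificate will appear in your list of certificates as **Inactive**` until you activate it. Pick one: if generation leaves the certificate Inactive, rephrase to something like `generates a unique root CA for each Zero Trust account; once activated, it is deployed across the Cloudflare global network`. Also `deploys its` should be `deploys it`.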
@@ -18,7 +20,11 @@ Cloudflare assigns a unique root CA for each Zero Trust account. By default, you ## Generate a Cloudflare root certificate -To generate a Cloudflare root certificate: +:::note[Certificate generation limitation] +Each Zero Trust account can generate a new root certificate a maximum of three times. +::: + +To generate a new Cloudflare root certificate for your Zero Trust organization: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 2. In **Certificates**, select **Manage**. @@ -32,14 +38,14 @@ The certificate will appear in your list of certificates as **Inactive**. To dep Once a certificate is generated in or uploaded to Zero Trust, you need to activate it. Activating a certificate deploys it across the Cloudflare network. -To manage the status of your root certificates: +To activate your root certificate: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 2. In **Certificates**, select **Manage**. 3. Select the certificate you want to activate. 4. Select **Activate**. -The status of the certificate will change to **Pending** while it deploys. Once your certificate is **Active**, you can turn it on for use in inspection: +The status of the certificate will change to **Pending** while it deploys. Once the status of your certificate is **Active**, you can turn the certificate on for use in inspection: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 2. In **Certificates**, select **Manage**. From f98f609cfbfbe08c84a7b148dec0cc74fb3fbe9c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 4 Sep 2024 13:06:58 -0500 Subject: [PATCH 07/15] Add suggestions --- .../connect-devices/warp/user-side-certificates/index.mdx | 4 ++++ 1 file changed, 4 insertions(+) 
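Review bot: In the PATCH 06 Generate hunk above, the new callout `Each Zero Trust account can generate a new root certificate a maximum of three times` needs two more facts before an admin can act on it: whether the cap is for the life of the account (three generations, ever) or counts only certificates that currently exist, and what happens when it is reached (is Generate certificate disabled, and what should an admin who has exhausted it do?). As written, a reader cannot tell whether regenerating to fix a mistake is safe, which is exactly the situation in which they will read this note.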
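Review bot: The tip this patch adds to the Activate section (`Zero Trust accounts using the Cloudflare certificate prior to September 2024 will need to redeploy and activate the newly generated certificate`) reads as a migration requirement but gives no ordering, deadline or consequence. State what happens to the pre-September certificate (does it keep signing inspected traffic, and until when?), and document the safe sequence for existing deployments, in particular whether the new root can be downloaded and trusted on devices (with WARP or manually, as the page's install links describe) before it is activated and turned on. Turning on a root that devices do not yet trust makes every inspected TLS connection fail certificate validation on those devices, so the order matters and should be spelled out rather than left to `redeploy`.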
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 0165e47cc447849..2fd4cfc47c35f22 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx @@ -36,6 +36,10 @@ The certificate will appear in your list of certificates as **Inactive**. To dep ## Activate a root certificate +:::tip +Zero Trust accounts using the Cloudflare certificate prior to September 2024 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after September 2024 will use an active certificate by default. +::: + Once a certificate is generated in or uploaded to Zero Trust, you need to activate it. Activating a certificate deploys it across the Cloudflare network. To activate your root certificate: From e52395781c5b8b33c8cc9e86a30f7568776c37c9 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 4 Sep 2024 13:30:39 -0500 Subject: [PATCH 08/15] Revamp download procedure --- .../install-cloudflare-cert.mdx | 40 ++++++++++++------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx index 8ffb064c2dc0b2d..b6d28b578b6f3f9 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx 
@@ -22,36 +22,48 @@ If your device does not support [certificate installation via WARP](/cloudflare- First, download the Cloudflare certificate. The certificate is available both as a `.pem` and as a `.crt` file. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case. -- [Download certificate (.crt)](/cloudflare-one/static/Cloudflare_CA.crt) -- [Download certificate (.pem)](/cloudflare-one/static/Cloudflare_CA.pem) +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. +3. Select the certificate you want to download. +4. Select either **Download .pem** or **Download .crt**. -### Verify the certificate fingerprint +### Verify the downloaded certificate -To verify your download, check that the certificate's thumbprint matches: +To verify your download, use a terminal to check that the downloaded certificate's hash matches the thumbprint listed under **Certificate thumbprint**. 
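Review bot: The verification text now tells readers to compare against `the thumbprint listed under **Certificate thumbprint**` for their account's own certificate, but the example outputs that follow keep the fixed fingerprints of the old shared download (`BB:2D:B6:3D:...` and `F5:E1:56:C4:...`). With per-account CAs no reader's certificate will produce these values, so label the outputs as illustrative or replace them with a placeholder; otherwise a non-matching result will be read as a tampered download, or a value copied from the page will be trusted instead of the dashboard's. Two smaller points: the sentence mixes `hash`, `thumbprint` and `fingerprint` for the same value, so use the dashboard's term and note that OpenSSL labels it `Fingerprint`; and the SHA1 section should be dropped or at least placed after SHA256, since SHA-1 is deprecated for this purpose and adds nothing a SHA-256 match does not. Finally, `-inform der` assumes the `.crt` download is DER-encoded; if it is PEM, OpenSSL fails with `unable to load certificate`, so state which encoding each download uses.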
For example: #### SHA1 -```txt -BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C +```sh title="SHA1 .crt example" +openssl x509 -noout -fingerprint -sha1 -inform der -in ``` -``` -➜ ~ openssl x509 -noout -fingerprint -sha1 -inform der -in +```sh output SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C -➜ ~ openssl x509 -noout -fingerprint -sha1 -inform pem -in +``` + +```sh title="SHA1 .pem example" +openssl x509 -noout -fingerprint -sha1 -inform pem -in +``` + +```sh output SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C ``` #### SHA256 -```txt -F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF +```sh title="SHA256 .crt example" +openssl x509 -noout -fingerprint -sha256 -inform der -in ``` -``` -➜ ~ openssl x509 -noout -fingerprint -sha256 -inform der -in +```sh output sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF -➜ ~ openssl x509 -noout -fingerprint -sha256 -inform pem -in +``` + +```sh title="SHA256 .pem example" +openssl x509 -noout -fingerprint -sha256 -inform pem -in +``` + +```sh output sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF ``` From 71a2031e9fe5966d1187d80caeeef1ff9fef758a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 4 Sep 2024 17:22:05 -0500 Subject: [PATCH 09/15] Add activate cert API endpoint guidance --- .../custom-certificate.mdx | 79 +++++++++++++------ .../cloudflare-one/upload-mtls-cert.mdx | 2 +- 2 files changed, 58 insertions(+), 23 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx index b1b5ce9c0007680..402d7ba111bb491 100644 
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx @@ -69,6 +69,8 @@ openssl x509 -in .pem -text 3. Select **Upload certificate**. 4. Enter the private key and SSL certificate you generated or select **Paste certificate from file** to upload them from a file. 5. Select **Generate certificate**. + + You can now [use the generated custom root certificate](#use-a-custom-root-certificate) for inspection. @@ -76,7 +78,7 @@ openssl x509 -in .pem -text 2. - 3. Enable the certificate in Gateway with its UUID. + 3. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/operations/zero-trust-accounts-patch-zero-trust-account-configuration). ```bash null {10} curl --request PATCH \ 
@@ -94,35 +96,68 @@ openssl x509 -in .pem -text }' ``` - The response will show the current status of the certificate: + The response will return the pending status of the certificate. For example: ```json null {13} { - "success": true, - "errors": [], - "messages": [], - "result": { - "settings": { - "antivirus": {...}, - "block_page": {...}, - "custom_certificate": - { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", - "binding_status": "pending_deployment", - "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" + "success": true, + "errors": [], + "messages": [], + "result": { + "settings": { + "antivirus": {...}, + "block_page": {...}, + "custom_certificate": + { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", + "binding_status": "pending_deployment", + "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" + }, + "tls_decrypt": {...}, + "activity_log": {...}, + "browser_isolation": {...}, + "fips": {...}, }, - "tls_decrypt": {...}, - "activity_log": {...}, - "browser_isolation": {...}, - "fips": {...}, }, - }, - "created_at": "2014-01-01T05:20:00.12345Z", - "updated_at": "2014-01-01T05:20:00.12345Z" + "created_at": "2014-01-01T05:20:00.12345Z", + "updated_at": "2014-01-01T05:20:00.12345Z" } ``` + 4. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/operations/zero-trust-certificates-activate-zero-trust-certificate). + + ```bash + curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate" \ + --header "X-Auth-Email: " \ + --header "X-Auth-Key: " \ + --header "Content-Type: application/json" + ``` + + The response will return the certificate and its current deployment status. 
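Review bot: The API flow runs in the opposite order to the dashboard procedure in index.mdx: here step 3 (`Deploy the certificate in Gateway using the certificate's UUID with the Patch Zero Trust account configuration endpoint`) sets `custom_certificate.enabled: true` and step 4 activates, whereas index.mdx activates (which it defines as deploying) first and only then turns the certificate on. Either confirm that enabling before activation is valid and say so, or reorder the API steps to activate then enable; and settle on one verb per state (`activate` for deployment, `turn on`/`enable` for use) across both pages so `Deploy` in step 3 does not collide with `Activating a certificate deploys it` in index.mdx. Separately, the sample `qs_pack_id` `50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05` is not a valid UUID (non-hex `g` and `k`, five-character third group); use a well-formed placeholder so readers do not infer a different field format. Note also that the activate `curl` in this patch has no `--request POST` and so sends a GET; PATCH 10 below corrects it.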
For example: + + ```json null {6,12} + { + "errors": [], + "messages": [], + "success": true, + "result": { + "binding_status": "active", + "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", + "created_at": "2014-01-01T05:20:00.12345Z", + "expires_on": "2014-01-01T05:20:00.12345Z", + "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "in_use": true, + "issuer_org": "Example Inc.", + "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", + "type": "gateway_managed", + "updated_at": "2014-01-01T05:20:00.12345Z", + "uploaded_on": "2014-01-01T05:20:00.12345Z" + } + } + ``` + Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. diff --git a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx index 28edd4f475bad16..0517c47bbda6d82 100644 --- a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx +++ b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx @@ -20,7 +20,7 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/mtls_certificat }' ``` -The response will return a UUID for the certificate: +The response will return a UUID for the certificate. For example: ```json null {6} { From 8e02a9487b5f991229475fe6cc3a972d65c35329 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Mon, 9 Sep 2024 16:31:00 -0400 Subject: [PATCH 10/15] Apply suggestions from code review Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- .../warp/user-side-certificates/custom-certificate.mdx | 8 ++++---- .../connect-devices/warp/user-side-certificates/index.mdx | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx index 402d7ba111bb491..3f2c2686b7fbd6b 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx @@ -61,7 +61,7 @@ openssl x509 -in .pem -text ## Deploy a custom root certificate - + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. @@ -128,10 +128,10 @@ openssl x509 -in .pem -text 4. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/operations/zero-trust-certificates-activate-zero-trust-certificate). ```bash - curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate" \ + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate" \ --header "X-Auth-Email: " \ - --header "X-Auth-Key: " \ - --header "Content-Type: application/json" + --header "X-Auth-Key: " ``` The response will return the certificate and its current deployment status. For example: 
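Review bot: The corrected activate call (`curl --request POST ... --header "X-Auth-Email: " --header "X-Auth-Key: "`) still authenticates with the global API key, which carries every permission on the account; the example should use an API token scoped to the Zero Trust permissions this call needs (`--header "Authorization: Bearer <API_TOKEN>"`) and mention the global key, if at all, as the less preferred option. In the example response that `For example:` introduces, three details will trip careful readers: the `fingerprint` contains a one-digit octet (`...69:AB:0:31:91...`), which no real SHA-256 fingerprint has; `"type": "gateway_managed"` with `"issuer_org": "Example Inc."` appears on what is meant to be a customer-uploaded certificate, so check whether the type should be the custom-certificate value; and `"in_use": true` immediately after activation contradicts the two-step model (active, then turned on) the surrounding text describes.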
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 2fd4cfc47c35f22..1e4f814ca61fbfa 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -7,9 +7,9 @@ sidebar: Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [block pages](/cloudflare-one/policies/gateway/block-page/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. -Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](custom-certificate/). +Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). -Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](install-cert-with-warp/) or [manually](install-cloudflare-cert/). +Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/). | Deployment status | Description | | ----------------- | ---------------------------------------------------------------------------------------------- | 
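Review bot: This hunk converts the relative links to absolute paths but carries two wording slips across unchanged in the rewritten `+` lines: `deploys its across the Cloudflare global network` should be `deploys it`, and `install it on your user's devices` should be `users' devices` (plural possessive). Both lines are already being replaced, so fix them here rather than in a follow-up.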
@@ -36,7 +36,7 @@ The certificate will appear in your list of certificates as **Inactive**. To dep ## Activate a root certificate -:::tip +:::note Zero Trust accounts using the Cloudflare certificate prior to September 2024 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after September 2024 will use an active certificate by default. ::: From 4fe38d8790de2f431d77e6bcc60b57e96172f6d0 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 9 Sep 2024 16:32:22 -0400 Subject: [PATCH 11/15] Apply suggestions from code review Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- .../policies/gateway/dns-policies/test-dns-filtering.mdx | 2 +- .../build-dns-policies/test-policy.mdx | 4 ++-- .../diagrams/security/securing-data-in-transit.mdx | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx index eb02a5c3278457a..2ab3a281a00fbc4 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx @@ -46,7 +46,7 @@ For example, if you created a policy to block `example.com`, you can do the foll ;; MSG SIZE rcvd: 29 ``` - If the [block page](/cloudflare-one/policies/gateway/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section and `162.159.36.12` and `162.159.46.12` as the answers: + If the [block page](/cloudflare-one/policies/gateway/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers: ```sh null dig example.com 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx index b6fabce1eb35034..4c931eff24cba37 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx @@ -16,8 +16,8 @@ It is common for a misconfigured Gateway policy to accidentally block traffic to 3. Turn on any existing security policies or create a policy to block all security categories: 4. Ensure that your browser is not configured to use an alternate DNS resolver. For example, Chrome has a **Use secure DNS** setting that will cause the browser to send requests to 1.1.1.1 and bypass your DNS policies. 5. In the browser, go to `malware.testcategory.com`. Your browser will display: - - The Gateway block page, if your device is connected via the WARP client in Gateway with WARP mode. - - A generic error page, if your device is connected via another method, such as Gateway with DoH mode. + - The Gateway block page, if your device is connected through the WARP client in Gateway with WARP mode. + - A generic error page, if your device is connected through another method, such as Gateway with DoH mode. :::note diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index 505c89f8d30ba6b..93fef55f314f169 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
@@ -14,7 +14,7 @@ Data in transit typically means when it's traveling over the network. Because th - Browsing online and uploading/download data to/from cloud applications - Sending texts, pictures and emails -- Applications exposing and consuming data via APIs +- Applications exposing and consuming data through APIs Data in transit is often considered vulnerable to interception or tampering during transmission, so it is important to secure it through encryption techniques such as [QUIC](https://cloudflare-quic.com/), Transport Layer Security (TLS) or Secure Sockets Layer (SSL). This helps to ensure that the data remains confidential and protected from unauthorized access during its journey. There are other methods of inspecting data as it passes network boundaries to make decisions on if that data should continue to travel or not, Data Loss Prevention (DLP) technologies can be used to inspect the contents of network traffic and block sensitive data from going to a risky destination. This document outlines the methods Cloudflare has available to protect data in transit. From 9e300bcb04cb26f401362b2ba5664c518323e3ef Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 9 Sep 2024 15:50:25 -0500 Subject: [PATCH 12/15] Fix indentation --- .../custom-certificate.mdx | 184 ++++++++---------- 1 file changed, 85 insertions(+), 99 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx index 3f2c2686b7fbd6b..aa94ba01074fcbb 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx 
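Review bot: the unchanged paragraph under the edited bullet in the securing-data-in-transit.mdx hunk `@@ -14,7 +14,7 @@` recommends `Transport Layer Security (TLS) or Secure Sockets Layer (SSL)` as current encryption techniques for data in transit; every SSL version is deprecated (SSLv3 by RFC 7568), so listing it next to TLS and QUIC as an option to secure traffic is misleading. Since this hunk is a one-word wording change, the fix fits the same pass: drop `or Secure Sockets Layer (SSL)` or qualify it as legacy. The same paragraph also runs two sentences together with a comma (`...should continue to travel or not, Data Loss Prevention (DLP) technologies can be used...`), which should be a full stop.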
@@ -11,14 +11,12 @@ description: Configure WARP to use a custom root certificate instead of the import { Render, Tabs, TabItem } from "~/components"; :::note - Only available on Enterprise plans. ::: Enterprise customers who do not wish to install the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required the Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/block-page/). :::caution - Custom certificates are limited to use between your users and the Gateway proxy. Connections between Gateway and the origin server will use the Cloudflare certificate. ::: 
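Review bot: the context paragraph in the custom-certificate.mdx hunk `@@ -11,14 +11,12 @@` states `Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway`, which misdescribes the role of a root CA; later text in the same file says the private key is needed `to intercept domains with JIT certificates` and that Gateway will `sign your traffic using the custom root certificate and private key`. Suggest rewording to something like `Gateway will use your uploaded root certificate and private key to issue the certificates it presents to users for inspected sessions`, so the root is described as signing the per-site certificates rather than encrypting traffic. The whitespace removal inside the `:::note` and `:::caution` blocks is fine as is.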
@@ -63,110 +61,98 @@ openssl x509 -in .pem -text - - 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. - 2. In **Certificates**, select **Manage**. - 3. Select **Upload certificate**. - 4. Enter the private key and SSL certificate you generated or select **Paste certificate from file** to upload them from a file. - 5. Select **Generate certificate**. - - You can now [use the generated custom root certificate](#use-a-custom-root-certificate) for inspection. - - - - 1. Verify that the certificate is installed on your devices. - - 2. - - 3. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/operations/zero-trust-accounts-patch-zero-trust-account-configuration). - - ```bash null {10} - curl --request PATCH \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration" \ - --header "X-Auth-Email: " \ - --header "X-Auth-Key: " \ - --header "Content-Type: application/json" \ - --data '{ - "settings": { - "custom_certificate": { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" - } + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. + 2. In **Certificates**, select **Manage**. + 3. Select **Upload certificate**. + 4. Enter the private key and SSL certificate you generated or select **Paste certificate from file** to upload them from a file. + 5. Select **Generate certificate**. + + You can now [use the generated custom root certificate](#use-a-custom-root-certificate) for inspection. + + + + + 1. Verify that the certificate is installed on your devices. + 2. + 3. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/operations/zero-trust-accounts-patch-zero-trust-account-configuration). 
+ ```bash {10} + curl --request PATCH \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration" \ + --header "X-Auth-Email: " \ + --header "X-Auth-Key: " \ + --header "Content-Type: application/json" \ + --data '{ + "settings": { + "custom_certificate": { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" } - }' - ``` - - The response will return the pending status of the certificate. For example: - - ```json null {13} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "settings": { - "antivirus": {...}, - "block_page": {...}, - "custom_certificate": - { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", - "binding_status": "pending_deployment", - "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" - }, - "tls_decrypt": {...}, - "activity_log": {...}, - "browser_isolation": {...}, - "fips": {...}, - }, - }, - "created_at": "2014-01-01T05:20:00.12345Z", - "updated_at": "2014-01-01T05:20:00.12345Z" } - ``` - - 4. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/operations/zero-trust-certificates-activate-zero-trust-certificate). - - ```bash - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate" \ - --header "X-Auth-Email: " \ - --header "X-Auth-Key: " - ``` - - The response will return the certificate and its current deployment status. 
For example: - - ```json null {6,12} - { - "errors": [], - "messages": [], - "success": true, - "result": { - "binding_status": "active", - "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", - "created_at": "2014-01-01T05:20:00.12345Z", - "expires_on": "2014-01-01T05:20:00.12345Z", - "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", - "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "in_use": true, - "issuer_org": "Example Inc.", - "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", - "type": "gateway_managed", - "updated_at": "2014-01-01T05:20:00.12345Z", - "uploaded_on": "2014-01-01T05:20:00.12345Z" - } + }' + ``` + The response will return the pending status of the certificate. For example: + ```json {13} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "settings": { + "antivirus": {}, + "block_page": {}, + "custom_certificate": + { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", + "binding_status": "pending_deployment", + "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" + }, + "tls_decrypt": {}, + "activity_log": {}, + "browser_isolation": {}, + "fips": {}, + }, + }, + "created_at": "2014-01-01T05:20:00.12345Z", + "updated_at": "2014-01-01T05:20:00.12345Z" + } + ``` + 4. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/operations/zero-trust-certificates-activate-zero-trust-certificate). + ```bash + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate" \ + --header "X-Auth-Email: " \ + --header "X-Auth-Key: " + ``` + The response will return the certificate and its current deployment status. 
For example: + ```json {6,12} + { + "errors": [], + "messages": [], + "success": true, + "result": { + "binding_status": "active", + "certificate": "-----BEGIN CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n", + "created_at": "2014-01-01T05:20:00.12345Z", + "expires_on": "2014-01-01T05:20:00.12345Z", + "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "in_use": true, + "issuer_org": "Example Inc.", + "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", + "type": "gateway_managed", + "updated_at": "2014-01-01T05:20:00.12345Z", + "uploaded_on": "2014-01-01T05:20:00.12345Z" } - ``` - - Once `binding_status` changes to `active`, 
Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. - - + } + ``` + Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. + :::caution[Private key visibility] - When you upload a private key to Zero Trust, Cloudflare encrypts the key and stores it at rest. Only your delegated apps have the necessary decryption keys to decrypt the private key. You will not be able to retrieve the private key after upload. - ::: ## Use a custom root certificate From 6673b97ee24b84d9bcce4584e2266c59b788c7ef Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 11 Sep 2024 13:27:48 -0500 Subject: [PATCH 13/15] Adjust cert roll limit --- .../connect-devices/warp/user-side-certificates/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 1e4f814ca61fbfa..a131e4f7c521a37 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
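Review bot: the custom-certificate.mdx hunk `@@ -63,110 +61,98 @@` changes more than indentation, which the commit message "Fix indentation" does not say: the JSON response example turns `"antivirus": {...}`, `"block_page": {...}`, `"tls_decrypt": {...}` and the other elided objects into `{}`, so the example now reads as if those settings are empty rather than omitted, and the fence info strings lose their `null` token (`bash null {10}` becomes `bash {10}`). Either keep the `{...}` placeholders (or add a comment that the objects are truncated) or call the content changes out in the commit message. Two further points on the same hunk: the API tab's step `2.` is empty as shown here, so confirm the reindent did not drop its content; and both `curl` examples authenticate with `--header "X-Auth-Email: "` and `--header "X-Auth-Key: "`, which is the Global API key with full account access. Since these examples exist to be copied, prefer a scoped API token sent as `--header "Authorization: Bearer <api-token>"`, with only the Gateway configuration permissions this operation needs.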
@@ -21,7 +21,7 @@ Once you deploy your certificate across Cloudflare and turn it on, you can insta ## Generate a Cloudflare root certificate :::note[Certificate generation limitation] -Each Zero Trust account can generate a new root certificate a maximum of three times. +Each Zero Trust account can generate a new root certificate a maximum of three times per day. ::: To generate a new Cloudflare root certificate for your Zero Trust organization: From c74e118cbf71baa765811c7551d604fbea7a15d3 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 19 Sep 2024 12:28:32 -0500 Subject: [PATCH 14/15] Add advanced feature callout --- .../connect-devices/warp/user-side-certificates/index.mdx | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 4ab0a548cbf674b..1aa4c50546a1efc 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -5,7 +5,7 @@ sidebar: order: 4 --- -Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [block pages](/cloudflare-one/policies/gateway/block-page/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. +Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). 
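Review bot: the new feature list in the index.mdx hunk `@@ -5,7 +5,7 @@` drops `[block pages](/cloudflare-one/policies/gateway/block-page/)` from the set of features that require the root certificate, while custom-certificate.mdx in this same series still says `You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page]`. If the block page still depends on the trusted certificate for HTTPS blocks, keep it in the list; if not, the custom-certificate.mdx sentence needs updating too. Also, the added sentence `You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.` omits the plan restriction that the very next context line states (`Enterprise users can upload and deploy their own [custom certificate]`); suggest `or, on Enterprise plans, upload your own custom certificate`.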
@@ -56,6 +56,4 @@ The status of the certificate will change to **Pending** while it deploys. Once 3. Select the certificate you want to turn on. 4. In **Basic information**, select **Confirm and turn on certificate**. -Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. - Only one certificate can be turned on for inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. From 8bf24997ddc5cf84aa9c4ad30bc40f395316a100 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 17 Oct 2024 16:03:48 -0500 Subject: [PATCH 15/15] Fix broken block page links --- .../policies/gateway/http-policies/index.mdx | 2 +- .../cloudflare-one/access/block-page.mdx | 17 +++++++---------- .../gateway/customize-block-page.mdx | 13 ++++++------- .../fundamentals/account-permissions-table.mdx | 4 ++-- .../zero-trust/device-profiles.mdx | 2 +- 5 files changed, 17 insertions(+), 21 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index cd6bc2ac89f394c..89fcf78292e8358 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx 
@@ -96,7 +96,7 @@ The **Untrusted certificate action** determines how to handle insecure requests. | Option | Action | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | Display Gateway error page. Matches the default behavior when no action is configured. | -| Block | Display [block page](/cloudflare-one/policies/gateway/configuring-block-page/) as set in Zero Trust. | +| Block | Display [block page](/cloudflare-one/policies/gateway/block-page/) as set in Zero Trust. | | Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. To use this feature, deploy a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). For more information on what statuses are bypassed, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website). | ### Block diff --git a/src/content/partials/cloudflare-one/access/block-page.mdx b/src/content/partials/cloudflare-one/access/block-page.mdx index bb0b00d4e83eac0..3b54fb16a0df6d5 100644 --- a/src/content/partials/cloudflare-one/access/block-page.mdx +++ b/src/content/partials/cloudflare-one/access/block-page.mdx 
@@ -1,18 +1,17 @@ --- {} - --- :::note -Only available on Pay-as-you-go and Enterprise plans. +Only available on Pay-as-you-go and Enterprise plans. ::: You can display a custom block page when users fail to authenticate to an Access application. Each application can have a different block page. :::note -To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/policies/gateway/configuring-block-page/). +To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/policies/gateway/block-page/). ::: ## Create a custom block page @@ -34,15 +33,13 @@ To create a custom block page for Access: 7. In **Custom HTML**, enter the HTML code for your custom page. For example, ```html - + - - -

Access denied.

- -

To obtain access, contact your IT administrator.

+ +

Access denied.

- +

To obtain access, contact your IT administrator.

+ ``` diff --git a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx index c0de73c31de4401..a9e74eec96a0bb4 100644 --- a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx @@ -1,6 +1,5 @@ --- {} - --- You can customize the block page by making global changes that will show up every time a user visits a block page, independently of the type of rule (DNS or HTTP) that is blocking the website. @@ -13,12 +12,12 @@ To apply customizations to your block page: 3. Select **Customize**. Available global customizations include: - * Adding your organization's name - * Adding a [logo](/cloudflare-one/policies/gateway/configuring-block-page/#add-a-logo-image) - * Adding a header text - * Adding a global block message, which will be displayed above the policy-specific block message - * Adding a [Mailto link](/cloudflare-one/policies/gateway/configuring-block-page/#allow-users-to-email-an-administrator) - * Choosing a background color + - Adding your organization's name + - Adding a [logo](/cloudflare-one/policies/gateway/block-page/#add-a-logo-image) + - Adding a header text + - Adding a global block message, which will be displayed above the policy-specific block message + - Adding a [Mailto link](/cloudflare-one/policies/gateway/block-page/#allow-users-to-email-an-administrator) + - Choosing a background color 4. Select **Save**. diff --git a/src/content/partials/fundamentals/account-permissions-table.mdx b/src/content/partials/fundamentals/account-permissions-table.mdx index 55a9c37f71df417..ca5ca5450f76adf 100644 --- a/src/content/partials/fundamentals/account-permissions-table.mdx +++ b/src/content/partials/fundamentals/account-permissions-table.mdx 
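Review bot: the pair `-Only available on Pay-as-you-go and Enterprise plans.` / `+Only available on Pay-as-you-go and Enterprise plans.` in the access/block-page.mdx hunk `@@ -1,18 +1,17 @@` shows no visible change, so it is a trailing-whitespace edit; in a commit titled "Fix broken block page links" either drop it or mention the whitespace cleanup in the commit message so reviewers do not hunt for a wording difference. The bullet-marker change from `*` to `-` in the customize-block-page.mdx hunk `@@ -13,12 +12,12 @@` is the same kind of unannounced style change and could be noted alongside it.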
@@ -10,8 +10,8 @@ import { Markdown } from "~/components"; | Access: Apps and Policies Revoke | Grants ability to revoke all tokens to [Cloudflare Access](/cloudflare-one/policies/access/) account resources. | | Access: Apps and Policies {props.one} | Grants write access to [Cloudflare Access](/cloudflare-one/policies/access/) account resources. | | Access: Audit Logs Read | Grants read access to [Cloudflare Access audit logs](/cloudflare-one/insights/logs/audit-logs/). | -| Access: Custom Pages Read | Grants read access to [Cloudflare Access Custom Pages](/cloudflare-one/policies/gateway/configuring-block-page/). | -| Access: Custom Pages {props.one} | Grants write access to [Cloudflare Access Custom Pages](/cloudflare-one/policies/gateway/configuring-block-page/). | +| Access: Custom Pages Read | Grants read access to [Cloudflare Access Custom Pages](/cloudflare-one/policies/gateway/block-page/). | +| Access: Custom Pages {props.one} | Grants write access to [Cloudflare Access Custom Pages](/cloudflare-one/policies/gateway/block-page/). | | Access: Device Posture Read | Grants read access to [Cloudflare Access Device Posture](/cloudflare-one/identity/devices/). | | Access: Device Posture {props.one} | Grants write access to [Cloudflare Access Device Posture](/cloudflare-one/identity/devices/). | | Access: Mutual TLS Certificates Read | Grants read access to [Cloudflare Access mTLS certificates](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/). | diff --git a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx index 2aed4fe21334a30..411b106ccc846e2 100644 --- a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx +++ b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx 
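Review bot: the two rewritten rows in the account-permissions-table.mdx hunk `@@ -10,8 +10,8 @@` point `Access: Custom Pages Read` and `Access: Custom Pages {props.one}` at `/cloudflare-one/policies/gateway/block-page/`, which is the Gateway block page. The Access block page partial touched earlier in this same patch describes a different feature (`You can display a custom block page when users fail to authenticate to an Access application`) and explicitly sends readers to the Gateway page only for pages shown when `blocked by a Gateway firewall policy`. Since these permissions govern Access custom pages, they should link to the Access custom page documentation (path not present in this patch) rather than the Gateway one; swapping `configuring-block-page` for `block-page` fixes the dead link but keeps the wrong target.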
@@ -38,7 +38,7 @@ To customize the default settings: 5. Under **Global settings**, 1. (Recommended) Enable **Admin override code** if you turned on **Lock WARP switch**. - 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/policies/gateway/configuring-block-page/). + 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/policies/gateway/block-page/).