From 1634e69f1d300f36d2ca497cf755caced2b4ca53 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 11 Oct 2024 15:22:24 -0500 Subject: [PATCH 1/5] Add Host selector --- .../gateway/http-policies/common-policies.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 520848fa0ddabd..c833d902fb6f57 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -6,10 +6,9 @@ sidebar: head: - tag: title content: Common HTTP policies - --- -import { Render } from "~/components" +import { Render } from "~/components"; The following policies are commonly used to secure HTTP traffic. @@ -53,7 +52,7 @@ Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/policies/gatew :::note -You can select either individual applications or the entire Do Not Inspect set, which will update as new applications are added. +You can select either individual applications or the entire Do Not Inspect set, which will update as new applications are added. ::: ## Check device posture 
@@ -105,10 +104,11 @@ To enable Gateway inspection for Google Drive traffic, you must [add the Cloudfl Block file uploads to Google Drive. -| Selector | Operator | Value | Logic | Action | -| ---------------- | ------------- | ------------ | ----- | ------ | -| Application | in | Google Drive | And | Block | -| Upload Mime Type | matches regex | `.*` | | | +| Selector | Operator | Value | Logic | Action | +| ---------------- | ------------- | -------------------------------------- | ----- | ------ | +| Application | in | Google Drive | And | Block | +| Upload Mime Type | matches regex | `.*` | And | | +| Host | is not | `drivefrontend-pa.clients6.google.com` | | | ### Block Google Drive downloads From ca234c891128ea925ba375eadb989a37b1ac5d86 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 4 Feb 2025 14:59:53 -0600 Subject: [PATCH 2/5] Fix styling --- .../policies/gateway/http-policies/common-policies.mdx | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 9670d721b78f3e..18f7d842dd8ce8 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -352,7 +352,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ - ## Block file types @@ -397,11 +396,11 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ``` - + ### Block Google Drive uploads - + Block file uploads from Google Drive. - + | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | -------------------------------------- | ----- | ------ | | Application | in | Google Drive | And | Block | From de048823ba4b87394aec8bf1b4f4e3ffd70ea294 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 4 Feb 2025 15:05:31 -0600 Subject: [PATCH 3/5] Add API call --- .../gateway/http-policies/common-policies.mdx | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 18f7d842dd8ce8..fd012f4aa2ab13 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -401,12 +401,38 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ Block file uploads from Google Drive. + + | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | -------------------------------------- | ----- | ------ | -| Application | in | Google Drive | And | Block | +| Application | in | _Google Drive_ | And | Block | | Upload Mime Type | matches regex | `.*` | And | | | Host | is not | `drivefrontend-pa.clients6.google.com` | | | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block Google Drive uploads", + "description": "Block file uploads to Google Drive", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(app.ids[*] in {554}) and http.upload.mime matches \".*\" and not(http.request.host == \"drivefrontend-pa.clients6.google.com\")", + "identity": "", + "device_posture": "" +}' +``` + + + ### Block Gmail downloads Block file downloads from Gmail. From 40c77c0fd4df71ef16d6e4602e5ecf12015ab3cc Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 4 Feb 2025 17:05:34 -0500 Subject: [PATCH 4/5] Update variables --- .../policies/gateway/http-policies/common-policies.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index fd012f4aa2ab13..c848d4501e959d 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -69,9 +69,9 @@ Block a section of a site without blocking the entire site. For example, you can ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block sites by URL", "description": "Block specific parts of a site without blocking the hostname", From 7a6a518b6e05127c37456d47a72157c77ccf0c92 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 4 Feb 2025 17:07:33 -0500 Subject: [PATCH 5/5] Update variables again --- .../policies/gateway/http-policies/common-policies.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index c848d4501e959d..14ee2c097db031 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -69,9 +69,9 @@ Block a section of a site without blocking the entire site. For example, you can ```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--header "Authorization: Bearer " \ --data '{ "name": "Block sites by URL", "description": "Block specific parts of a site without blocking the hostname", @@ -414,9 +414,9 @@ Block file uploads from Google Drive. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block Google Drive uploads", "description": "Block file uploads to Google Drive",
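Review bot: In PATCH 1/5, the hunk at `@@ -105,10 +104,11 @@` adds the row `Host | is not | drivefrontend-pa.clients6.google.com` with no text saying why that one host is exempt from the block. An unexplained exception in a block policy gets copied verbatim and is hard to audit later. Add a sentence under "Block file uploads to Google Drive." saying what traffic that host carries and what breaks if it is not excluded, and state that the match is meant to be an exact hostname rather than a pattern.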
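Review bot: In PATCH 3/5, the hunk at `@@ -401,12 +401,38 @@` keeps the section text "Block file uploads from Google Drive." while the new API body sets `"description": "Block file uploads to Google Drive"`. Uploads go to Drive, so change the prose line to "to" so both variants describe the same policy. The expression also uses `any(app.ids[*] in {554})` where the table says _Google Drive_. A short note tying 554 to that application would let a reader confirm the table and the API call are equivalent before deploying either.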
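Review bot: PATCH 4/5 edits the curl example at `@@ -69,9 +69,9 @@` ("Block sites by URL"), not the Google Drive uploads example that 3/5 added, and the first hunk of 5/5 reverts it line for line. Squash 4/5 into 5/5 so the series does not carry a change and its own revert. As it stands, anyone who cherry-picks 4/5 alone gets the variable change on the wrong example.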
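Review bot: In PATCH 5/5, the hunk at `@@ -414,9 +414,9 @@` switches the Google Drive example to `$ACCOUNT_ID` and `$CLOUDFLARE_API_TOKEN`, while the first hunk of the same patch puts the "Block sites by URL" example back to `{account_id}` and `Bearer `, so the page ends up with two placeholder conventions. Pick one for the whole file. The environment-variable form is the better default because the token is read from the environment instead of being typed into the command, and the page should then say once, near the first example, that both variables must be set before running the calls.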