Skip to content

[Privacy Gateway] onboarding guide #18646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 6 commits into from
Closed

[Privacy Gateway] onboarding guide #18646

wants to merge 6 commits into from

Conversation

@deadlypants1973
Copy link
Contributor

@deadlypants1973 deadlypants1973 commented Dec 10, 2024
edited
Loading

14563

Summary

adding privacy proxy onboarding guide

Documentation checklist

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Dec 10, 2024
edited
Loading

Deploying cloudflare-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: a376513
Status: ✅  Deploy successful!
Preview URL: https://37d058d7.cloudflare-docs-7ou.pages.dev
Branch Preview URL: https://kate-fixes-pgg.cloudflare-docs-7ou.pages.dev

View logs

@github-actions
Copy link
Contributor

github-actions bot commented Dec 10, 2024

Files with changes (up to 15)

Original Link Updated Link
https://developers.cloudflare.com/privacy-gateway/privacy-proxy-onboarding/ https://kate-fixes-pgg.cloudflare-docs-7ou.pages.dev/privacy-gateway/privacy-proxy-onboarding/
https://developers.cloudflare.com/privacy-gateway/get-started/ https://kate-fixes-pgg.cloudflare-docs-7ou.pages.dev/privacy-gateway/get-started/

hyperlint-ai[bot]
hyperlint-ai bot reviewed Dec 11, 2024
View reviewed changes
Copy link
Contributor

@hyperlint-ai hyperlint-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 files reviewed, 2 total issue(s) found.

@github-actions github-actions bot added size/m and removed size/s labels Dec 11, 2024
hyperlint-ai[bot]
hyperlint-ai bot reviewed Dec 11, 2024
View reviewed changes
Copy link
Contributor

@hyperlint-ai hyperlint-ai bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 files reviewed, 9 total issue(s) found.

Note: We resolved prior Hyperlint review comments because:

We updated our inline suggestion AI.

We do this to avoid keeping outdated or irrelevant comments around. We'll leave a new review with current comments below.

deadlypants1973
deadlypants1973 commented Dec 12, 2024
View reviewed changes
Copy link
Contributor Author

@deadlypants1973 deadlypants1973 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Questions for Mari

@deadlypants1973 deadlypants1973 marked this pull request as ready for review December 12, 2024 00:21
@deadlypants1973 deadlypants1973 requested a review from a team as a code owner December 12, 2024 00:21
mgalicer
mgalicer reviewed Dec 27, 2024
View reviewed changes
Copy link
Contributor

@mgalicer mgalicer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@deadlypants1973 thanks for the comments!

src/content/docs/privacy-gateway/privacy-proxy-onboarding.mdx Outdated

DNS resolution uses [Cloudflare’s public resolver (1.1.1.1)](/1.1.1.1/) infrastructure for name resolution.

### System architecture
Copy link
Contributor

@mgalicer mgalicer Dec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep!

src/content/docs/privacy-gateway/privacy-proxy-onboarding.mdx Outdated

A client requires configuration data (the region public key) to request tokens. The key is used to initialize the request for blinded tokens from the Privacy API.

The client should periodically refresh this public key, especially after IP address changes, since Cloudflare will use the IP address to map to the region.
Copy link
Contributor

@mgalicer mgalicer Dec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should all be "region-based public key"

src/content/docs/privacy-gateway/privacy-proxy-onboarding.mdx Outdated

## Egress IP management

The Egress Selection service uses the client IP address to select an egress IP address that roughly approximates that of the client. Clients do not have control over which egress IP address is used, up to manually changing their IP address or location.
Copy link
Contributor

@mgalicer mgalicer Dec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can cut the second part of the sentence.

i.e. "Clients do not have control over which egress IP address is used."

src/content/docs/privacy-gateway/privacy-proxy-onboarding.mdx
1. Allocating a PresharedToken PAT for test devices that is known only to the client provider and Cloudflare. This PAT is not associated with any production egress IP address. This PAT is allocated and distributed out-of-band between Cloudflare and the client provider.
2. Configuring control plane mutual TLS authentication for PrivacyToken issuance. Refer to [Appendix A. Control API](#appendix-a-control-api) for more details about this API.

To test that the PAT is configured correctly, clients can run the following test cURL command:
Copy link
Contributor

@mgalicer mgalicer Dec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PAT

deadlypants1973
deadlypants1973 commented Jan 24, 2025
View reviewed changes
deadlypants1973
deadlypants1973 commented Jan 24, 2025
View reviewed changes
deadlypants1973
deadlypants1973 commented Jan 24, 2025
View reviewed changes
deadlypants1973
deadlypants1973 commented Jan 24, 2025
View reviewed changes
deadlypants1973
deadlypants1973 commented Jan 24, 2025
View reviewed changes
@deadlypants1973 @hyperlint-ai
Apply suggestions from code review
6bcd48b 
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
hyperlint-ai[bot]
hyperlint-ai bot reviewed Jan 24, 2025
View reviewed changes
Copy link
Contributor

@hyperlint-ai hyperlint-ai bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 files reviewed, 2 total issue(s) found.

Note: We resolved prior Hyperlint review comments because:

We updated our inline suggestion AI.

We do this to avoid keeping outdated or irrelevant comments around. We'll leave a new review with current comments below.

ToriLindsay and others added 2 commits February 6, 2025 12:24
@ToriLindsay @hyperlint-ai
Update src/content/docs/privacy-gateway/privacy-proxy-onboarding.mdx
66a2b81 
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
@ToriLindsay @hyperlint-ai
Update src/content/docs/privacy-gateway/privacy-proxy-onboarding.mdx
a376513 
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
hyperlint-ai[bot]
hyperlint-ai bot reviewed Feb 6, 2025
View reviewed changes
src/content/docs/privacy-gateway/privacy-proxy-onboarding.mdx Outdated
The first CONNECT request in a newly established tunnel must provide a PAT. Until a PAT has been presented, each CONNECT request fails with a HTTP `401` error. Details about authenticating with a PAT are in [client authentication](#client-authentication).

- Each CONNECT request can identify a target either by name or IP address.
- In the case of a name, Cloudflare’s DNS Resolver service will be queried to map the name to an IP address.
Copy link
Contributor

@hyperlint-ai hyperlint-ai bot Feb 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- In the case of a name, Cloudflares DNS Resolver service will be queried to map the name to an IP address.
- In the case of a name, Cloudflare's DNS Resolver service will be queried to map the name to an IP address.

Issues:

  • Style Guide - (cloudflare.NonStandardQuotes-warning) Use standard single quotes or double quotes only. Do not use any of the following quote mark types: ‘ ’ “ ”. In the text, we found this character: ’

Fix Explanation:

The non-standard single quote (‘) in 'Cloudflare’s' should be replaced with a standard single quote (') to adhere to the style guide.

@ToriLindsay ToriLindsay mentioned this pull request Mar 10, 2025
Closed
@ToriLindsay
Copy link
Contributor

ToriLindsay commented Mar 10, 2025

Per conversation with @mgalicer , moving this content over to a new folder/tile instead of adding it here. That work is happening at #20681

@deadlypants1973 deadlypants1973 deleted the kate/fixes-pgg branch May 15, 2025 11:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crwaters16 crwaters16 Awaiting requested review from crwaters16

2 more reviewers

@mgalicer mgalicer mgalicer left review comments

@hyperlint-ai hyperlint-ai[bot] hyperlint-ai[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@pedrosousa pedrosousa

@dcpena dcpena

@haleycode haleycode

@patriciasantaana patriciasantaana

Labels

product:privacy-gateway size/m

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@deadlypants1973 @ToriLindsay @mgalicer @pedrosousa @dcpena @haleycode @patriciasantaana