diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx index 761449b363c284..b53d48e341a3d7 100644 --- a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx +++ b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx @@ -16,9 +16,9 @@ By default, mTLS uses Client Certificates issued by a Cloudflare Managed CA. Clo ## 1. Enable mTLS 1. Go to your Cloudflare dashboard and select your account and domain. -2. Go to **SSL/TLS** > **[Client Certificates](/ssl/client-certificates/)** tab and select **Edit** to add the Hosts (hostnames) you want to [enable mTLS](/ssl/client-certificates/enable-mtls/) for. +2. Go to **SSL/TLS** > **[Client Certificates](/ssl/client-certificates/)** tab and select **Edit** to add the Hosts (hostnames) you want to [enable mTLS](/ssl/client-certificates/enable-mtls/) for. - Example host: `mtls-test.example.com` + Example host: `mtls-test.example.com` 3. Select **Create Certificate** and fill in the required fields. You can choose one of the following options: @@ -27,7 +27,7 @@ By default, mTLS uses Client Certificates issued by a Cloudflare Managed CA. Clo To generate and use your own CSR, you can run a command like the following: -```txt +```sh openssl req -new -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr -subj '/C=GB/ST=London/L=London/O=Organization/CN=CommonName' ``` 
@@ -41,11 +41,11 @@ In order for a client to utilize the Client Certificate you created, it must be We generally recommended using one Client Certificate per device. Configuring your system to actually use the Public and Private Certificates is especially important. -An example is to [add both certificates to the Keychain](https://support.apple.com/en-gb/guide/keychain-access/kyca2431/mac) on a MacBook laptop. +An example is to [add both certificates to the Keychain](https://support.apple.com/en-gb/guide/keychain-access/kyca2431/mac) on a MacBook laptop. Another example is to generate a [PKCS12 (P12) certificate](https://en.wikipedia.org/wiki/PKCS_12) file and then [add it to your browser](https://www.ibm.com/docs/en/engineering-lifecycle-management-suite/lifecycle-management/7.0.2?topic=dashboards-importing-certificates-configuring-browsers): -```txt +```sh openssl pkcs12 -export -out certificate.p12 -inkey private-cert.pem -in cert.pem ``` @@ -53,7 +53,7 @@ Use the values from the previous step. Example using cURL command: -```cURL +```sh curl -v --cert cert.pem --key private-cert.pem ``` @@ -77,18 +77,22 @@ Ensure you are not using a VPN that could interfere with certificates or TLS dec With the Public and Private Certificates in the same directory, with this cURL command, we will gain access: -```curl +```sh curl -I --cert cert.pem --key private-cert.pem https://mtls-test.example.com/mtls-test +``` -HTTP/2 200 +```txt output +HTTP/2 200 server: cloudflare ``` Without the certificates, the terminal will display the following: -```curl -$ curl -I https://mtls-test.example.com/mtls-test +```sh +curl -I https://mtls-test.example.com/mtls-test +``` +```txt output HTTP/2 403 server: cloudflare -``` \ No newline at end of file +``` diff --git a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx index 0ff4bdecf6b895..d377e73dc295a3 100644 
--- a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx +++ b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx @@ -11,8 +11,8 @@ This requires an active Enterprise [Account](/fundamentals/setup/accounts-and-zo Setting up [mTLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/policies/access/) can help in cases where the customer: -- Already has existing Client Certificates on devices. -- Needs to protect Access applications with Bring Your Own CA (BYOCA). +- Already has existing Client Certificates on devices. +- Needs to protect Access applications with Bring Your Own CA (BYOCA). - Needs to integrate with a Zero Trust solution. ## 1. Create a CA @@ -25,42 +25,42 @@ In case you want to [create your own CA](/cloudflare-one/identity/devices/access ```json { - "CN": "Cloudflare Access Testing CA", - "key": { - "algo": "rsa", - "size": 4096 - }, - "names": [ - { - "C": "US", - "L": "LA", - "O": "Access Testing", - "OU": "CA", - "ST": "California" - } - ] - } + "CN": "Cloudflare Access Testing CA", + "key": { + "algo": "rsa", + "size": 4096 + }, + "names": [ + { + "C": "US", + "L": "LA", + "O": "Access Testing", + "OU": "CA", + "ST": "California" + } + ] +} ``` 2. Create a JSON file called `ca-config.json`: ```json { - "signing": { - "default": { - "expiry": "8760h" - }, - "profiles": { - "server": { - "usages": ["signing", "key encipherment", "server auth"], - "expiry": "8760h" - }, - "client": { - "usages": ["signing","key encipherment","client auth"], - "expiry": "8760h" - } - } - } + "signing": { + "default": { + "expiry": "8760h" + }, + "profiles": { + "server": { + "usages": ["signing", "key encipherment", "server auth"], + "expiry": "8760h" + }, + "client": { + "usages": ["signing", "key encipherment", "client auth"], + "expiry": "8760h" + } + } + } } ``` 
@@ -92,11 +92,11 @@ cfssl gencert -initca ca-csr.json | cfssljson -bare ca } ] } - ``` +``` 2. Now you can run the following command to generate the Client Certificates, which will output the files `client.pem`, `client-key.pem` and `client.csr`: -```txt +```sh cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client ``` 
@@ -114,7 +114,7 @@ Additionally, authenticated requests also send the `Cf-Access-Jwt-Assertion\` JW ## 4. Create the self-hosted applications -Finally, the hostname you want to protect with mTLS needs to be added as a [self-hosted app](/cloudflare-one/applications/configure-apps/self-hosted-apps/) in Cloudflare Access, defining an [Access Policy](/cloudflare-one/policies/access/) which uses the action [Service Auth](/cloudflare-one/policies/access/#service-auth) and the Selector *“Valid Certificate”*, or simply requiring an [IdP](/cloudflare-one/identity/idp-integration/) authentication. You can also take advantage of extra requirements, such as the “Common Name” (CN), which expects the indicated hostname, and more [Selectors](/cloudflare-one/policies/access/#selectors). Alternatively, one can also [extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/). +Finally, the hostname you want to protect with mTLS needs to be added as a [self-hosted app](/cloudflare-one/applications/configure-apps/self-hosted-apps/) in Cloudflare Access, defining an [Access Policy](/cloudflare-one/policies/access/) which uses the action [Service Auth](/cloudflare-one/policies/access/#service-auth) and the Selector _"Valid Certificate"_, or simply requiring an [IdP](/cloudflare-one/identity/idp-integration/) authentication. You can also take advantage of extra requirements, such as the "Common Name" (CN), which expects the indicated hostname, and more [Selectors](/cloudflare-one/policies/access/#selectors). Alternatively, one can also [extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/). ## Demo 
@@ -124,18 +124,22 @@ Make sure that you are not using any VPN that could interfere with the certifica With the Public and Private Client Certificates in the same directory, with this cURL command, we will gain access: -```curl +```sh curl -IXGET --cert client.pem --key client-key.pem https://mtls-access.example.com/ +``` -HTTP/2 200 +```txt output +HTTP/2 200 server: cloudflare ``` -Without the certificates, we'd see the following: +Without the certificates, we would see the following: -```curl +```sh curl -I https://mtls-access.example.com/mtls-test +``` -HTTP/2 401 +```txt output +HTTP/2 401 server: cloudflare -``` \ No newline at end of file +``` diff --git a/src/content/docs/r2/tutorials/summarize-pdf.mdx b/src/content/docs/r2/tutorials/summarize-pdf.mdx index f38c064de1cc28..f8ce61ce6f66bb 100644 --- a/src/content/docs/r2/tutorials/summarize-pdf.mdx +++ b/src/content/docs/r2/tutorials/summarize-pdf.mdx @@ -218,7 +218,7 @@ To view the front-end of your application, run the following command and navigat npm run dev ``` -```output +```txt output ⛅️ wrangler 3.80.2 ------------------- @@ -239,8 +239,6 @@ When you open the URL in your browser, you will see that there is a file upload To handle the file upload, you will first need to add the R2 binding. In the `wrangler.toml` file, add the following code: - - ```toml @@ -309,8 +307,6 @@ npx wrangler queues create pdf-summarizer Add the binding to the `wrangler.toml` file: - - ```toml title="wrangler.toml" @@ -393,8 +389,6 @@ The above code does the following: To use Workers AI, you will need to add the Workers AI binding to the `wrangler.toml` file. The `wrangler.toml` file should contain the following code: - - ```toml title="wrangler.toml" diff --git a/src/content/docs/workers/static-assets/binding.mdx b/src/content/docs/workers/static-assets/binding.mdx index 337af00b4f6ff8..3c6855147c4c7c 100644 --- a/src/content/docs/workers/static-assets/binding.mdx +++ b/src/content/docs/workers/static-assets/binding.mdx 
@@ -52,7 +52,7 @@ You are migrating from a Pages project where the assets directory is `dist`. You do not want to upload the server-side Worker code nor Pages configuration files as public client-side assets. Add the following `.assetsignore` file: -```gitignore +```txt _worker.js _redirects _headers
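Review bot: the `openssl req` command in the mtls-app-security @@ -16 hunk passes `-nodes`, so `client1.key` is written to disk unencrypted; since the fence is being retagged from `txt` to `sh` anyway, one sentence telling readers to protect that key file (file permissions or a passphrase) belongs next to it. The `-subj` string `/C=GB/ST=London/L=London/O=Organization/CN=CommonName` is also pure placeholder; say so, otherwise readers copy it verbatim.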
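Review bot: the unchanged context line "We generally recommended using one Client Certificate per device" in the @@ -41 hunk has a tense error ("recommend"); worth fixing while this hunk touches the surrounding lines. The `openssl pkcs12 -export` command also prompts for an export password, which the text does not mention; since the P12 bundles the private key, note that it should carry a passphrase.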
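Review bot: the command in the @@ -53 hunk, `curl -v --cert cert.pem --key private-cert.pem`, has no URL and fails as written; since the fence is already being corrected from `cURL` to `sh`, either append the hostname used elsewhere on the page (`https://mtls-test.example.com/mtls-test`) or state that the URL is left out.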
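Review bot: splitting command and response into `sh` and `txt output` fences in the @@ -77 hunk is the right fix, but the output blocks keep only `HTTP/2 200` / `HTTP/2 403` plus `server: cloudflare`; a real `-I` response has more headers, so mark them as abbreviated. The 403 here also differs from the `HTTP/2 401` shown for the same "without certificates" case on the Cloudflare Access page in this patch; one sentence on why the status codes differ would spare readers the confusion.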
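Review bot: dedenting the closing fence in the mtls-cloudflare-access @@ -92 hunk (`-     ``` ` to `+``` `) fixes a fence that would otherwise render as a literal; the opening fence for that `client-csr.json` block is not in the hunk, so confirm it sits at the same indentation, or the list item will still break.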
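Review bot: the context line at the top of the @@ -114 hunk reads `` `Cf-Access-Jwt-Assertion\` `` with a stray backslash before the closing backtick; this looks like an escaping artifact and should be `` `Cf-Access-Jwt-Assertion` ``. Since this hunk already normalizes the quotes on the next paragraph, fix it in the same change.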
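Review bot: the two demo commands in the @@ -124 hunk hit different paths, `https://mtls-access.example.com/` with the certificate and `https://mtls-access.example.com/mtls-test` without it, so the 200 and 401 are not a like-for-like comparison; use the same URL in both. The first command also uses `-IXGET` where the second uses plain `-I`; either make them consistent or explain why the method override is needed.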
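Review bot: retagging the fence to `txt output` in the summarize-pdf @@ -218 hunk matches the convention introduced on the mTLS pages, good; the captured output still pins `⛅️ wrangler 3.80.2`, which will drift with every release, so consider trimming the version banner or noting it as illustrative. The three later hunks that drop blank lines before the `toml` fences are fine, provided exactly one blank line remains between the sentence and the fence.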
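Review bot: the fence change from `gitignore` to `txt` in the static-assets @@ -52 hunk is not explained anywhere in the patch; if the site's highlighter does not recognise `gitignore`, say so in the commit message so nobody reverts it as a regression. The surrounding sentence could also say why `_worker.js`, `_redirects` and `_headers` are listed (server code and Pages configuration must not be served as public assets), which is the security point of the `.assetsignore` file.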