From 61fb5e0649825cd144fa5bfa26bc36ebed9d6768 Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Thu, 23 Jan 2025 16:58:04 +0000
Subject: [PATCH 001/129] [DEX] device monitoring
---
 .../insights/dex/device-monitoring.mdx | 39 +++++++++++++++++++
 .../insights/dex/fleet-status.mdx | 32 +++++++--------
 2 files changed, 54 insertions(+), 17 deletions(-)
 create mode 100644 src/content/docs/cloudflare-one/insights/dex/device-monitoring.mdx
diff --git a/src/content/docs/cloudflare-one/insights/dex/device-monitoring.mdx b/src/content/docs/cloudflare-one/insights/dex/device-monitoring.mdx
new file mode 100644
index 00000000000000..98459ed386a0c0
--- /dev/null
+++ b/src/content/docs/cloudflare-one/insights/dex/device-monitoring.mdx
@@ -0,0 +1,39 @@
+---
+pcx_content_type: reference
+title: Device monitoring
+sidebar:
+ order: 8
+---
+
+In device monitoring, you will be able to review network and device performance data side by side with the information found
+in [Fleet status](/cloudflare-one/insights/dex/fleet-status/).
+
+Network and device performance data helps IT administrators to troubleshoot performance issues,
+investigate network connectivity problems, and monitor device health.
+
+## View a device's network performance
+
+To view a device's network performance metrics:
+
+1. Log in the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Select **Zero Trust** to go to the Zero Trust dashboard.
+3. Select **My team** > **Devices**.
+4. Select a device > **View details** > select the **DEX** tab > scroll down to **Network performance**.
+
+## Network and device performance metrics
+
+network perf
+
+- **Unique networks over time**: How many unique SSIDs was the device connected to.
+
+- **Network I/O**: How much data has been transferred (uploads and downloads) between the device and the network.
+
+device perf
+
+- **battery percentage and cycles**:
+
+cpu usage:
+
+memory util:
+
+Disk I/O:
diff --git a/src/content/docs/cloudflare-one/insights/dex/fleet-status.mdx b/src/content/docs/cloudflare-one/insights/dex/fleet-status.mdx index 6b77dba0497935..b8e10f061d4af6 100644 --- a/src/content/docs/cloudflare-one/insights/dex/fleet-status.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/fleet-status.mdx @@ -3,10 +3,9 @@ pcx_content_type: reference title: Fleet status sidebar: order: 1 - --- -With DEX, you can monitor your users' devices and connection status. +With DEX, you can monitor your users' devices and connection status. A fleet is a collection of user devices. All devices in a fleet have WARP installed and are connected to a [Cloudflare Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization). ## View metrics 
@@ -16,26 +15,25 @@ To view analytics on a per-device level, go to **My Team** > **Devices**. The ** ## Available metrics -* **Devices connected by colo**: Number of devices that are connected to a given [Cloudflare data center](https://www.cloudflarestatus.com/). - -* **Connectivity status**: Percentage of devices in a given WARP client state. +- **Devices connected by colo**: Number of devices that are connected to a given [Cloudflare data center](https://www.cloudflarestatus.com/). - | Status | Description | - |-------------------|-------------| - | Connected | WARP has successfully established a connection to the Cloudflare global network. | - | Disconnected | WARP has been intentionally or unintentionally disconnected from the Cloudflare global network. | - | Paused | A user or administrator has taken an explicit action to temporarily turn off WARP, for example by entering an [Admin Override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) code. Paused clients will [auto-connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) after a timeout period. | - | Connecting | WARP is pending connection, but is actively trying to establish a connection to the Cloudflare global network. | +- **Connectivity status**: Percentage of devices in a given WARP client state. + | Status | Description | + | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | Connected | WARP has successfully established a connection to the Cloudflare global network. 
| + | Disconnected | WARP has been intentionally or unintentionally disconnected from the Cloudflare global network. | + | Paused | A user or administrator has taken an explicit action to temporarily turn off WARP, for example by entering an [Admin Override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) code. Paused clients will [auto-connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) after a timeout period. | + | Connecting | WARP is pending connection, but is actively trying to establish a connection to the Cloudflare global network. | -* **Mode**: [WARP mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) deployed on the device. +- **Mode**: [WARP mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) deployed on the device. -* **Colo**: Percentage of devices connected to a given Cloudflare data center. +- **Colo**: Percentage of devices connected to a given Cloudflare data center. -* **Platform**: Operating system of the device. +- **Platform**: Operating system of the device. -* **Major Version**: WARP client version installed on the device. +- **Major Version**: WARP client version installed on the device. -* **Device Status Over Time**: WARP client connection status over the selected time period. +- **Device Status Over Time**: WARP client connection status over the selected time period. -* **Connection Methods Over Time**: WARP mode used by the device over the selected time period. +- **Connection Methods Over Time**: WARP mode used by the device over the selected time period. From d49418e4e491318244959810323223e26314cd65 Mon Sep 17 00:00:00 2001 
From: Kate Tungusova
Date: Tue, 28 Jan 2025 18:28:25 +0000
Subject: [PATCH 002/129] monitoring page update
---
 .../dex/{fleet-status.mdx => monitoring.mdx} | 54 ++++++++++++++++---
 1 file changed, 48 insertions(+), 6 deletions(-)
 rename src/content/docs/cloudflare-one/insights/dex/{fleet-status.mdx => monitoring.mdx} (55%)
diff --git a/src/content/docs/cloudflare-one/insights/dex/fleet-status.mdx b/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx
similarity index 55%
rename from src/content/docs/cloudflare-one/insights/dex/fleet-status.mdx
rename to src/content/docs/cloudflare-one/insights/dex/monitoring.mdx
index b8e10f061d4af6..31a3ebd7b2d806 100644
--- a/src/content/docs/cloudflare-one/insights/dex/fleet-status.mdx
+++ b/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx
@@ -1,19 +1,28 @@ --- pcx_content_type: reference -title: Fleet status +title: Monitoring sidebar: order: 1 --- -With DEX, you can monitor your users' devices and connection status. A fleet is a collection of user devices. All devices in a fleet have WARP installed and are connected to a [Cloudflare Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization). +Monitor your organization's [fleet status](/cloudflare-one/insights/dex/monitoring/#fleet-status) as well as performance and network status for individual [user devices](/cloudflare-one/insights/dex/monitoring/#device-monitoring). -## View metrics +## Fleet status -To view an overview of all enrolled devices, go to **DEX** > **Monitoring**. The **Fleet Status** tab will show real-time and historical connectivity metrics for all devices in your organization. +A fleet is a collection of user devices. All devices in a fleet have WARP installed and are connected to a [Cloudflare Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization). -To view analytics on a per-device level, go to **My Team** > **Devices**. The **Fleet Status** tab will show real-time and historical connectivity metrics for the selected device. +To view fleet status and an overview of all enrolled devices: -## Available metrics +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Monitoring**. +2. In **DEX Monitoring**, review the information under the **Fleet Status** tab. + +### View fleet metrics + +The **Fleet Status** tab will show real-time and historical connectivity metrics for all devices in your organization. + +To view analytics on a per-device level, go to [Device monitoring](/cloudflare-one/insights/dex/monitoring/#device-monitoring). + +### Available fleet metrics - **Devices connected by colo**: Number of devices that are connected to a given [Cloudflare data center](https://www.cloudflarestatus.com/). 
@@ -37,3 +46,36 @@ To view analytics on a per-device level, go to **My Team** > **Devices**. The ** - **Device Status Over Time**: WARP client connection status over the selected time period. - **Connection Methods Over Time**: WARP mode used by the device over the selected time period. + +## Device monitoring + +Review network and device performance for a device enrolled in your fleet. + +Network and device performance data helps IT administrators to troubleshoot performance issues, investigate network connectivity problems, and monitor device health. + +### View a device's performance + +To view a device's network and device performance metrics: + +1. Log in the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. +2. Select **Zero Trust** to go to the Zero Trust dashboard. +3. Select **My team** > **Devices**. +4. Select a device > **View details** > select the **DEX** tab > scroll down to **Network performance**. + +### Network and device performance metrics + +Review the metrics for network performance. + +- **Unique networks over time**: How many unique SSIDs the device was connected to. + +- **Network I/O**: How much data has been transferred (uploads and downloads) between the device and the network. + +Review the metrics for device performance. + +- **Battery percentage and cycles**: Compares battery percentage to battery health over time. Used to debug potential performance issues possibly related to power-saving measures that are triggered at low-battery levels. + +- **CPU usage**: CPU utilization over time. Used to debug slow system performance due to high CPU usage. + +- **Memory utilization**: Memory utilization over time. Used to debug performance issues related to an overtaxed memory. + +- **Disk I/O**: Displays number of disk bytes read/write operations over time. Used to debug performance errors due to heavy disk operations. From ede25ccd52c2fc2b8cb6fea1d885a22f35bc8018 Mon Sep 17 00:00:00 2001 
From: Kate Tungusova Date: Tue, 28 Jan 2025 18:35:03 +0000 Subject: [PATCH 003/129] final touches --- .../docs/cloudflare-one/insights/dex/monitoring.mdx | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx b/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx index 31a3ebd7b2d806..93698ccabb6ec0 100644 --- a/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx @@ -57,20 +57,19 @@ Network and device performance data helps IT administrators to troubleshoot perf To view a device's network and device performance metrics: -1. Log in the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Select **Zero Trust** to go to the Zero Trust dashboard. -3. Select **My team** > **Devices**. -4. Select a device > **View details** > select the **DEX** tab > scroll down to **Network performance**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **Devices**. +2. Select a device > **View details**. +3. Select the **DEX** tab > in **Device Monitoring**, scroll down to **Network performance** and **Device Performance**. ### Network and device performance metrics -Review the metrics for network performance. +#### Network performance metrics - **Unique networks over time**: How many unique SSIDs the device was connected to. - **Network I/O**: How much data has been transferred (uploads and downloads) between the device and the network. -Review the metrics for device performance. +#### Device performance metrics - **Battery percentage and cycles**: Compares battery percentage to battery health over time. Used to debug potential performance issues possibly related to power-saving measures that are triggered at low-battery levels. From a8d3fb9b64480479b93213c6ec135061b55fd4e5 Mon Sep 17 00:00:00 2001 
From: Kate Tungusova Date: Tue, 28 Jan 2025 18:43:12 +0000 Subject: [PATCH 004/129] redirects and stuff --- public/_redirects | 1 + .../insights/dex/device-monitoring.mdx | 39 ------------------- .../insights/dex/remote-captures.mdx | 37 ++++++++---------- .../insights/dex/tests/index.mdx | 5 +-- 4 files changed, 20 insertions(+), 62 deletions(-) delete mode 100644 src/content/docs/cloudflare-one/insights/dex/device-monitoring.mdx diff --git a/public/_redirects b/public/_redirects index 302b51524fb1e9..b336625ab74a1e 100644 --- a/public/_redirects +++ b/public/_redirects @@ -1843,6 +1843,7 @@ /cloudflare-one/policies/browser-isolation/agentless/* /cloudflare-one/policies/browser-isolation/setup/:splat 301 /cloudflare-one/policies/filtering/http-policies/data-loss-prevention/* /cloudflare-one/policies/data-loss-prevention/ 301 /cloudflare-one/policies/data-loss-prevention/configuration-guides/* /cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies/ 301 +/cloudflare-one/insights/dex/fleet-status/ /cloudflare-one/insights/dex/monitoring/ 301 # Learning paths /learning-paths/modules/cybersafe/cybersafe-account-creation/* /learning-paths/cybersafe/account-creation/:splat 301 diff --git a/src/content/docs/cloudflare-one/insights/dex/device-monitoring.mdx b/src/content/docs/cloudflare-one/insights/dex/device-monitoring.mdx deleted file mode 100644 index 98459ed386a0c0..00000000000000 --- a/src/content/docs/cloudflare-one/insights/dex/device-monitoring.mdx +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -pcx_content_type: reference -title: Device monitoring -sidebar: - order: 8 ---- - -In device monitoring, you will be able to review network and device performance data side by side with the information found -in [Fleet status](/cloudflare-one/insights/dex/fleet-status/). - -Network and device performance data helps IT administrators to troubleshoot performance issues, -investigate network connectivity problems, and monitor device health. - -## View a device's network performance - -To view a device's network performance metrics: - -1. Log in the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Select **Zero Trust** to go to the Zero Trust dashboard. -3. Select **My team** > **Devices**. -4. Select a device > **View details** > select the **DEX** tab > scroll down to **Network performance**. - -## Network and device performance metrics - -network perf - -- **Unique networks over time**: How many unique SSIDs was the device connected to. - -- **Network I/O**: How much data has been transferred (uploads and downloads) between the device and the network. - -device perf - -- **battery percentage and cycles**: - -cpu usage: - -memory util: - -Disk I/O: diff --git a/src/content/docs/cloudflare-one/insights/dex/remote-captures.mdx b/src/content/docs/cloudflare-one/insights/dex/remote-captures.mdx index 040942d663be95..76195391cb8ad5 100644 --- a/src/content/docs/cloudflare-one/insights/dex/remote-captures.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/remote-captures.mdx @@ -5,7 +5,7 @@ sidebar: order: 4 --- -import { Details } from "~/components" +import { Details } from "~/components";
@@ -15,12 +15,12 @@ import { Details } from "~/components" | System | Availability | Minimum WARP version | | -------- | ------------ | -------------------- | -| Windows | ✅ | 2024.12.492.0 | -| macOS | ✅ | 2024.12.492.0 | -| Linux | ✅ | 2024.12.492.0 | -| iOS | ❌ | | -| Android | ❌ | | -| ChromeOS | ❌ | | +| Windows | ✅ | 2024.12.492.0 | +| macOS | ✅ | 2024.12.492.0 | +| Linux | ✅ | 2024.12.492.0 | +| iOS | ❌ | | +| Android | ❌ | | +| ChromeOS | ❌ | |
@@ -33,22 +33,18 @@ To capture data from a remote device: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Remote captures**. 2. Select up to 10 devices that you want to run a capture on. Devices must be [registered](/cloudflare-one/connections/connect-devices/warp/deployment/) in your Zero Trust organization. 3. Configure the types of captures to run. - - **PCAP**: Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel ([WARP virtual interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic)). - - **WARP Diagnostics Logs**: Generates a [WARP diagnostic log](/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs/#warp-diag-logs) of the past 96 hours. To include a routing test for all IPs and domains in your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/), select **Test all routes**. - :::note - **Test all routes** will extend the time for diagnostics to run and may temporarily impact device performance during the test. - ::: + - **PCAP**: Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel ([WARP virtual interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic)). + - **WARP Diagnostics Logs**: Generates a [WARP diagnostic log](/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs/#warp-diag-logs) of the past 96 hours. To include a routing test for all IPs and domains in your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/), select **Test all routes**. 
+ :::note + **Test all routes** will extend the time for diagnostics to run and may temporarily impact device performance during the test. + ::: 4. Select **Start a capture**. DEX will now send capture requests to the configured devices. If the WARP client is disconnected, the capture will time out after 10 minutes. ## Check remote capture status -To view a list of captures, go to **DEX** > **Remote captures**. The **Status** column displays one of the following options: - - **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](/cloudflare-one/insights/dex/remote-captures/#download-remote-captures) to determine which PCAPs succeeded or failed. - - **Running**: The capture is in progress on the device. - - **Pending Upload**: The capture is complete but not yet ready for download. - - **Failed**: The capture has either timed out or encountered an error. To retry the capture, check the WARP client version and [connectivity status](/cloudflare-one/insights/dex/fleet-status/), then start a [new capture](/cloudflare-one/insights/dex/remote-captures/#start-a-remote-capture). +To view a list of captures, go to **DEX** > **Remote captures**. The **Status** column displays one of the following options: - **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](/cloudflare-one/insights/dex/remote-captures/#download-remote-captures) to determine which PCAPs succeeded or failed. - **Running**: The capture is in progress on the device. 
- **Pending Upload**: The capture is complete but not yet ready for download. - **Failed**: The capture has either timed out or encountered an error. To retry the capture, check the WARP client version and [connectivity status](/cloudflare-one/insights/dex/monitoring/#fleet-status), then start a [new capture](/cloudflare-one/insights/dex/remote-captures/#start-a-remote-capture). ## Download remote captures @@ -61,6 +57,7 @@ This will download a ZIP file to your local machine called `.zip`. D ### Device PCAP contents The downloaded PCAP folder contains three files: + - `capture-default.pcap`: Packet captures for the primary network interface. - `capture-tunnel.pcap`: Packet captures for traffic inside of the WARP tunnel. - `results.json`: Reports successful and failed packet captures. @@ -74,8 +71,8 @@ Refer to [WARP diagnostic logs](/cloudflare-one/connections/connect-devices/warp ## Limitations - Packet captures are subject to the following limits: - - **Maximum time limit**: 600 seconds - - **Maximum file size**: 50 MB - - **Maximum packet size**: 1500 bytes + - **Maximum time limit**: 600 seconds + - **Maximum file size**: 50 MB + - **Maximum packet size**: 1500 bytes - WARP diagnostic logs have no file size limit, but files larger than 100 MB cannot be uploaded to Cloudflare and must be shared directly with the admin. - Windows devices do not support concurrent remote captures. If you start a remote capture while another is in progress, the second capture will fail immediately. diff --git a/src/content/docs/cloudflare-one/insights/dex/tests/index.mdx b/src/content/docs/cloudflare-one/insights/dex/tests/index.mdx index 49df86137f2e05..704c964e5e1653 100644 --- a/src/content/docs/cloudflare-one/insights/dex/tests/index.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/tests/index.mdx 
@@ -3,11 +3,10 @@ pcx_content_type: navigation title: Tests sidebar: order: 2 - --- -import { DirectoryListing } from "~/components" +import { DirectoryListing } from "~/components"; -With Digital Experience Monitoring (DEX), you can test if your devices can connect to a private or public endpoint through the WARP client. This tool allows you to monitor availability for a given application and investigate performance issues reported by your end users. DEX tests will only run when the WARP client is turned on, whereas [fleet status](/cloudflare-one/insights/dex/fleet-status/) metrics are always available. +With Digital Experience Monitoring (DEX), you can test if your devices can connect to a private or public endpoint through the WARP client. This tool allows you to monitor availability for a given application and investigate performance issues reported by your end users. DEX tests will only run when the WARP client is turned on, whereas [fleet status](/cloudflare-one/insights/dex/monitoring/#fleet-status) metrics are always available. From 26c5b59174777adca21145cb4b268b6299b2504b Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Wed, 29 Jan 2025 13:32:03 +0000 Subject: [PATCH 005/129] final edits from Josh comments --- .../cloudflare-one/insights/dex/monitoring.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx b/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx index 93698ccabb6ec0..1fae7ce70ad852 100644 --- a/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx 
@@ -5,13 +5,15 @@ sidebar: order: 1 --- -Monitor your organization's [fleet status](/cloudflare-one/insights/dex/monitoring/#fleet-status) as well as performance and network status for individual [user devices](/cloudflare-one/insights/dex/monitoring/#device-monitoring). +Monitor performance and network status for your organization's [fleet](/cloudflare-one/insights/dex/monitoring/#fleet-status) or individual [user devices](/cloudflare-one/insights/dex/monitoring/#device-monitoring). + +Network and device performance data helps IT administrators troubleshoot performance issues, investigate network connectivity problems, and monitor device health. ## Fleet status A fleet is a collection of user devices. All devices in a fleet have WARP installed and are connected to a [Cloudflare Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization). -To view fleet status and an overview of all enrolled devices: +To view fleet status: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Monitoring**. 2. In **DEX Monitoring**, review the information under the **Fleet Status** tab. @@ -51,8 +53,6 @@ To view analytics on a per-device level, go to [Device monitoring](/cloudflare-o Review network and device performance for a device enrolled in your fleet. -Network and device performance data helps IT administrators to troubleshoot performance issues, investigate network connectivity problems, and monitor device health. - ### View a device's performance To view a device's network and device performance metrics: 
@@ -67,14 +67,14 @@ To view a device's network and device performance metrics: - **Unique networks over time**: How many unique SSIDs the device was connected to. -- **Network I/O**: How much data has been transferred (uploads and downloads) between the device and the network. +- **Network I/O**: How much data has been transferred (uploads and downloads) over the primary network interface. #### Device performance metrics -- **Battery percentage and cycles**: Compares battery percentage to battery health over time. Used to debug potential performance issues possibly related to power-saving measures that are triggered at low-battery levels. +- **Battery percentage and cycles**: Displays battery percentage and [battery cycles](https://support.apple.com/en-us/102888) over time. Used to debug potential performance issues possibly related to battery health or power-saving measures that are triggered at low-battery levels. - **CPU usage**: CPU utilization over time. Used to debug slow system performance due to high CPU usage. - **Memory utilization**: Memory utilization over time. Used to debug performance issues related to an overtaxed memory. -- **Disk I/O**: Displays number of disk bytes read/write operations over time. Used to debug performance errors due to heavy disk operations. +- **Disk I/O**: Displays number of disk read/write operations over time. Used to debug performance errors due to heavy disk operations. From c62293e68a77148d82fcdeb5be84fa474368542a Mon Sep 17 00:00:00 2001 From: "hyperlint-ai[bot]" <154288675+hyperlint-ai[bot]@users.noreply.github.com> Date: Wed, 22 Jan 2025 16:10:13 +0000 Subject: [PATCH 006/129] [LP] Workers: Fix broken anchor (#19352) Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- .../docs/learning-paths/workers/get-started/first-worker.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/learning-paths/workers/get-started/first-worker.mdx b/src/content/docs/learning-paths/workers/get-started/first-worker.mdx index 28b69e3c3c103a..b179eb3177fcbc 100644 --- a/src/content/docs/learning-paths/workers/get-started/first-worker.mdx +++ b/src/content/docs/learning-paths/workers/get-started/first-worker.mdx @@ -53,7 +53,7 @@ Refer to [How to run Wrangler commands](/workers/wrangler/commands/#how-to-run-w In your Worker project directory, C3 has generated the following: -1. `wrangler.toml`: Your [Wrangler](/workers/wrangler/configuration/#sample-wranglertoml-configuration) configuration file. +1. `wrangler.toml`: Your [Wrangler](/workers/wrangler/configuration/#sample-wrangler-configuration) configuration file. 2. `index.js` (in `/src`): A minimal `'Hello World!'` Worker written in [ES module](/workers/reference/migrate-to-module-workers/) syntax. 3. `package.json`: A minimal Node dependencies configuration file. 4. `package-lock.json`: Refer to [`npm` documentation on `package-lock.json`](https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json). From 2ab85084de90960237d2a8b769d2afe25c841497 Mon Sep 17 00:00:00 2001 From: Greg Brimble Date: Wed, 22 Jan 2025 11:56:42 -0500 Subject: [PATCH 007/129] Add WfP <> Assets docs (#19336) --- patches/@astrojs+starlight+0.29.3.patch | 26 ++++++ .../configuration/static-assets.mdx | 5 ++ .../workers/static-assets/direct-upload.mdx | 87 ++++++++++++++----- 3 files changed, 97 insertions(+), 21 deletions(-) create mode 100644 patches/@astrojs+starlight+0.29.3.patch create mode 100644 src/content/docs/cloudflare-for-platforms/workers-for-platforms/configuration/static-assets.mdx diff --git a/patches/@astrojs+starlight+0.29.3.patch b/patches/@astrojs+starlight+0.29.3.patch new file mode 100644 index 00000000000000..50cfcfdd1c967e --- /dev/null +++ b/patches/@astrojs+starlight+0.29.3.patch 
@@ -0,0 +1,26 @@ +diff --git a/node_modules/@astrojs/starlight/user-components/Tabs.astro b/node_modules/@astrojs/starlight/user-components/Tabs.astro +index 4234eb0..276d211 100644 +--- a/node_modules/@astrojs/starlight/user-components/Tabs.astro ++++ b/node_modules/@astrojs/starlight/user-components/Tabs.astro +@@ -3,10 +3,11 @@ import Icon from './Icon.astro'; + import { processPanels } from './rehype-tabs'; + + interface Props { ++ IconComponent?: typeof Icon; + syncKey?: string; + } + +-const { syncKey } = Astro.props; ++const { syncKey, IconComponent = Icon } = Astro.props; + const panelHtml = await Astro.slots.render('default'); + const { html, panels } = processPanels(panelHtml); + +@@ -84,7 +85,7 @@ if (isSynced) { + aria-selected={idx === 0 ? 'true' : 'false'} + tabindex={idx !== 0 ? -1 : 0} + > +- {icon && } ++ {icon && } + {label} + + diff --git a/src/content/docs/cloudflare-for-platforms/workers-for-platforms/configuration/static-assets.mdx b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/configuration/static-assets.mdx new file mode 100644 index 00000000000000..360660fabd6183 --- /dev/null +++ b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/configuration/static-assets.mdx @@ -0,0 +1,5 @@ +--- +pcx_content_type: navigation +title: Static Assets +external_link: /workers/static-assets/direct-upload/ +--- diff --git a/src/content/docs/workers/static-assets/direct-upload.mdx b/src/content/docs/workers/static-assets/direct-upload.mdx index be37acf487b6f6..478ae530bf44f4 100644 --- a/src/content/docs/workers/static-assets/direct-upload.mdx +++ b/src/content/docs/workers/static-assets/direct-upload.mdx 
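Review bot: The `IconComponent` prop added to `Props` in the patched `Tabs.astro` has no comment, and nothing in the patch says that it is a local extension rather than Starlight's own API. I would add a doc comment above it, `/** Local patch: overrides the icon renderer for tab labels; defaults to Starlight's Icon. */`. The patch file name ties it to `@astrojs/starlight` 0.29.3, so it presumably needs the dependency pinned to exactly that version (package.json is not part of this hunk); otherwise an upgrade can leave the installed component different from both upstream and this patch. The line that renders the icon is garbled on this page, so I cannot check that `IconComponent` is what is actually used there.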
@@ -16,15 +16,18 @@ import { TabItem, Tabs, } from "~/components"; +import { Icon } from "astro-icon/components"; :::note -Directly uploading assets via APIs is an advanced approach that most users will not need. Instead, we encourage users to deploy your Worker with [Wrangler](/workers/static-assets/get-started/#1-create-a-new-worker-project-using-the-cli). +Directly uploading assets via APIs is an advanced approach which, unless you are building a programatic integration, most users will not need. Instead, we encourage users to deploy your Worker with [Wrangler](/workers/static-assets/get-started/#1-create-a-new-worker-project-using-the-cli). ::: Our API empowers users to upload and include static assets as part of a Worker. These static assets can be served for free, and additionally, users can also fetch assets through an optional [assets binding](/workers/static-assets/binding/) to power more advanced applications. This guide will describe the process for attaching assets to your Worker directly with the API. + + ```mermaid sequenceDiagram participant User @@ -33,6 +36,18 @@ sequenceDiagram User<<->>Workers API: Upload files
POST /client/v4/accounts/:accountId/workers/assets/upload?base64=true User<<->>Workers API: Upload script version
PUT /client/v4/accounts/:accountId/workers/scripts/:scriptName ``` +
+ +```mermaid +sequenceDiagram + participant User + participant Workers API + User<<->>Workers API: Submit manifest
POST /client/v4/accounts/:accountId/workers/dispatch/namespaces/:dispatchNamespace/scripts/:scriptName/assets-upload-session + User<<->>Workers API: Upload files
POST /client/v4/accounts/:accountId/workers/assets/upload?base64=true + User<<->>Workers API: Upload script version
PUT /client/v4/accounts/:accountId/workers/dispatch/namespaces/:dispatchNamespace/scripts/:scriptName +``` +
+
The asset upload flow can be distilled into three distinct phases: @@ -48,6 +63,8 @@ The [manifest upload request](/api/resources/workers/subresources/scripts/subres `hash` represents a 32 hexadecimal character hash of the file, while `size` is the size (in bytes) of the file. + + ```bash curl -X POST https://api.cloudflare.com/client/v4/accounts/{account_id}/workers/scripts/{script_name}/assets-upload-session \ --header 'content-type: application/json' \ @@ -69,6 +86,31 @@ curl -X POST https://api.cloudflare.com/client/v4/accounts/{account_id}/workers/ } }' ``` + + +```bash +curl -X POST https://api.cloudflare.com/client/v4/accounts/{account_id}/workers/dispatch/namespaces/{dispatch_namespace}/scripts/{script_name}/assets-upload-session \ +--header 'content-type: application/json' \ +--header 'Authorization: Bearer ' \ +--data '{ + "manifest": { + "/filea.html": { + "hash": "08f1dfda4574284ab3c21666d1", + "size": 12 + }, + "/fileb.html": { + "hash": "4f1c1af44620d531446ceef93f", + "size": 23 + }, + "/filec.html": { + "hash": "54995e302614e0523757a04ec1", + "size": 23 + } + } +}' +``` + + The resulting response will contain a JWT, which provides authentication during file upload. The JWT is valid for one hour. 
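Review bot: The three `hash` values in the added Workers for Platforms manifest example are 26 hexadecimal characters long, while the context sentence directly above the example says `hash` is a 32 hexadecimal character hash of the file. A reader building an integration from this example cannot tell which length the API expects. Either pad the sample values to 32 characters or add a line such as `<!-- sample hashes shortened for display -->` next to the example. The values are presumably copied from the existing Workers example, most of which lies outside the hunk, so the same correction probably applies there.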
@@ -110,7 +152,7 @@ Once every file in the manifest has been uploaded, a status code of 201 will be ## Create/Deploy New Version -[Script](/api/resources/workers/subresources/scripts/methods/update/) and [version](/api/resources/workers/subresources/scripts/subresources/versions/methods/create/) upload endpoints require specifying a metadata part in the form data. Here, we can provide the completion token from the previous (upload assets) step. +[Script](/api/resources/workers/subresources/scripts/methods/update/), [Version](/api/resources/workers/subresources/scripts/subresources/versions/methods/create/), and [Workers for Platform script](/api/resources/workers_for_platforms/subresources/dispatch/subresources/namespaces/subresources/scripts/methods/update/) upload endpoints require specifying a metadata part in the form data. Here, we can provide the completion token from the previous (upload assets) step. ```bash title="Example Worker Metadata Specifying Completion Token" { @@ -181,6 +223,7 @@ import "node:process"; const accountId: string = ""; // Replace with your actual account ID const filesDirectory: string = "assets"; // Adjust to your assets directory const scriptName: string = "my-new-script"; // Replace with desired script name +const dispatchNamespace: string = ""; // Replace with a dispatch namespace if using Workers for Platforms interface FileMetadata { hash: string; 
@@ -320,16 +363,17 @@ async function scriptUpload(completionToken: string): Promise { ), ); - const response = await fetch( - `https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/scripts/${scriptName}`, - { - method: "PUT", - headers: { - Authorization: `Bearer ${process.env.CLOUDFLARE_API_TOKEN}`, - }, - body: form, + const url = dispatchNamespace + ? `https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/dispatch/namespaces/${dispatchNamespace}/scripts/${scriptName}` + : `https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/scripts/${scriptName}`; + + const response = await fetch(url, { + method: "PUT", + headers: { + Authorization: `Bearer ${process.env.CLOUDFLARE_API_TOKEN}`, }, - ); + body: form, + }); if (response.status != 200) { throw new Error("unexpected status code"); @@ -344,17 +388,18 @@ async function startUploadSession(): Promise { manifest: fileMetadata, }); - const response = await fetch( - `https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/scripts/${scriptName}/assets-upload-session`, - { - method: "POST", - headers: { - Authorization: `Bearer ${process.env.CLOUDFLARE_API_TOKEN}`, - "Content-Type": "application/json", - }, - body: requestBody, + const url = dispatchNamespace + ? `https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/dispatch/namespaces/${dispatchNamespace}/scripts/${scriptName}/assets-upload-session` + : `https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/scripts/${scriptName}/assets-upload-session`; + + const response = await fetch(url, { + method: "POST", + headers: { + Authorization: `Bearer ${process.env.CLOUDFLARE_API_TOKEN}`, + "Content-Type": "application/json", }, - ); + body: requestBody, + }); const data = (await response.json()) as UploadResponse; const jwt = data.result.jwt; From 1e3b1d1143914313facdeea61676b9ab868c75ba Mon Sep 17 00:00:00 2001 
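Review bot: The choice between the plain and the dispatch-namespace endpoint is written out twice, once in `scriptUpload` and once in `startUploadSession`, and both interpolate `dispatchNamespace` and `scriptName` into the URL path unencoded. A single helper keeps the two endpoints from drifting apart and passes each segment through `encodeURIComponent`, so a name with a slash or other reserved character cannot change which resource the API token is used against. Separately, `startUploadSession` reads `data.result.jwt` with no status check visible in the hunk, so a mistyped namespace would surface as a TypeError rather than as the API's error; both function bodies begin and end outside the hunks.

```typescript
// One place that decides between the plain and the dispatch-namespace script path.
function scriptUrl(suffix = ""): string {
  const base = `https://api.cloudflare.com/client/v4/accounts/${accountId}/workers`;
  const script = encodeURIComponent(scriptName);
  const path = dispatchNamespace
    ? `dispatch/namespaces/${encodeURIComponent(dispatchNamespace)}/scripts/${script}`
    : `scripts/${script}`;
  return `${base}/${path}${suffix}`;
}

// … unchanged: form construction in scriptUpload …
const response = await fetch(scriptUrl(), {
// … unchanged: PUT options and status check …

// … unchanged: manifest serialisation in startUploadSession …
const response = await fetch(scriptUrl("/assets-upload-session"), {
// … unchanged: POST options and JWT handling …
```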
From: Chris Martinelli <56095825+chris-martinelli@users.noreply.github.com> Date: Wed, 22 Jan 2025 11:04:39 -0600 Subject: [PATCH 008/129] Update settings.mdx (#19355) * Update settings.mdx elaboration on resolved host cache key setting * Update src/content/docs/cache/how-to/cache-rules/settings.mdx --------- Co-authored-by: angelampcosta <92738954+angelampcosta@users.noreply.github.com> --- src/content/docs/cache/how-to/cache-rules/settings.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cache/how-to/cache-rules/settings.mdx b/src/content/docs/cache/how-to/cache-rules/settings.mdx index 8a4ea68918902b..3f1e532d4e040b 100644 --- a/src/content/docs/cache/how-to/cache-rules/settings.mdx +++ b/src/content/docs/cache/how-to/cache-rules/settings.mdx @@ -186,7 +186,7 @@ Enterprise customers have these additional options for custom cache keys: To check for a header's presence without including its value, use the **Check presence of** option. You can also choose whether to **Include origin header**. - In the **Cookie** section, you can include cookie names and their values, and check for the presence of another cookie. -- In the **Host** section, you can select **Use original host** and **Resolved host**. In the **User** section, you can select **Device type**, **Country**, and **Language**. +- In the **Host** section, you can select **Use original host** and **Resolved host**. In the **User** section, you can select **Device type**, **Country**, and **Language**. Using **Resolved host** means the cache key will contain whatever hostname was used to resolve the origin IP which can be different depending on whether the [resolve override](/rules/origin-rules/features/#dns-record) feature is on or not.
From 9743397dd47f1806818eeb6447b0ec8515e18e6a Mon Sep 17 00:00:00 2001 From: Jun Lee Date: Wed, 22 Jan 2025 17:06:34 +0000 Subject: [PATCH 009/129] Adding serialized RPC limit. (#19356) --- src/content/docs/workers/runtime-apis/rpc/index.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/src/content/docs/workers/runtime-apis/rpc/index.mdx b/src/content/docs/workers/runtime-apis/rpc/index.mdx index 31210ba17e45e7..3d7f1a6be71f29 100644 --- a/src/content/docs/workers/runtime-apis/rpc/index.mdx +++ b/src/content/docs/workers/runtime-apis/rpc/index.mdx @@ -255,3 +255,4 @@ In this video, we explore how Cloudflare Workers support Remote Procedure Calls ## Limitations * [Smart Placement](/workers/configuration/smart-placement/) is currently ignored when making RPC calls. If Smart Placement is enabled for Worker A, and Worker B declares a [Service Binding](/workers/runtime-apis/bindings) to it, when Worker B calls Worker A via RPC, Worker A will run locally, on the same machine. +* The maximum serialized RPC limit is 1 MB. Consider using [`ReadableStream`](/workers/runtime-apis/streams/readablestream/) when returning more data. \ No newline at end of file From c4d74fb276bdcb2f80319d3d53e21fb23f9ef246 Mon Sep 17 00:00:00 2001 From: Diretnan Domnan Date: Wed, 22 Jan 2025 19:51:58 +0100 Subject: [PATCH 010/129] Free transformation as 9422 (#19076) --- src/content/docs/images/reference/troubleshooting.mdx | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/content/docs/images/reference/troubleshooting.mdx b/src/content/docs/images/reference/troubleshooting.mdx index f6521925b36cea..e9e8bda31cdbe3 100644 --- a/src/content/docs/images/reference/troubleshooting.mdx +++ b/src/content/docs/images/reference/troubleshooting.mdx 
@@ -36,14 +36,13 @@ When resizing fails, the response body contains an error message explaining the * 9413 — The image exceeds the maximum image area of 100 megapixels. Use a smaller image and try again. * 9420 — The origin server redirected to an invalid URL. Confirm settings at your origin and try again. * 9421 — The origin server redirected too many times. Confirm settings at your origin and try again. -* 9422 - The request is taking too long to process. -* 9423 - The transformation request is rejected because the usage limit was reached. If you need to request more than 5,000 unique transformations, upgrade to an Images Paid plan. +* 9422 - The transformation request is rejected because the usage limit was reached. If you need to request more than 5,000 unique transformations, upgrade to an Images Paid plan. * 9504, 9505, & 9510 — The origin server could not be contacted because the origin server may be down or overloaded. Try again later. * 9523 — The `/cdn-cgi/image/` resizing service could not perform resizing. This may happen when an image has invalid format. Use correctly formatted image and try again. * 9524 — The `/cdn-cgi/image/` resizing service could not perform resizing. This may happen when an image URL is intercepted by a Worker. As an alternative you can [resize within the Worker](/images/transform-images/transform-via-workers/). This can also happen when using a `pages.dev` URL of a [Cloudflare Pages](/pages/) project. In that case, you can use a [Custom Domain](/pages/configuration/custom-domains/) instead. * 9511 — The image format is not supported. Refer to [Supported formats and limitations](/images/transform-images/) to learn about supported input and output formats. * 9522 — The image exceeded the processing limit. This may happen briefly after purging an entire zone or when files with very large dimensions are requested. If the problem persists, contact support. -* 9424, 9516, 9517, 9518, 9522 & 9523 — Internal errors. 
Please contact support if you encounter these errors. +* 9422, 9424, 9516, 9517, 9518, 9522 & 9523 — Internal errors. Please contact support if you encounter these errors. *** From bd606641150eb5e38687a234b490adedf84c1ffe Mon Sep 17 00:00:00 2001 From: Matt Silverlock Date: Wed, 22 Jan 2025 15:02:24 -0500 Subject: [PATCH 011/129] workflows: fix event.payload references (#19191) --- .../workflows/build/events-and-parameters.mdx | 2 +- .../docs/workflows/build/rules-of-workflows.mdx | 15 ++++++++------- .../workflows/build/sleeping-and-retrying.mdx | 4 ++-- .../workflows/get-started/cli-quick-start.mdx | 3 +-- src/content/docs/workflows/get-started/guide.mdx | 4 +--- 5 files changed, 13 insertions(+), 15 deletions(-) diff --git a/src/content/docs/workflows/build/events-and-parameters.mdx b/src/content/docs/workflows/build/events-and-parameters.mdx index 57b5fe0fbe5aa8..143632df05b212 100644 --- a/src/content/docs/workflows/build/events-and-parameters.mdx +++ b/src/content/docs/workflows/build/events-and-parameters.mdx @@ -70,7 +70,7 @@ export type WorkflowEvent = { payload: T; // The timestamp that the Workflow was triggered timestamp: Date; - // ID of the associated instance + // ID of the current Workflow instance instanceId: string; }; ``` diff --git a/src/content/docs/workflows/build/rules-of-workflows.mdx b/src/content/docs/workflows/build/rules-of-workflows.mdx index ec2e50c4995788..7ce9e43bd8f9e1 100644 --- a/src/content/docs/workflows/build/rules-of-workflows.mdx +++ b/src/content/docs/workflows/build/rules-of-workflows.mdx 
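Review bot: Code 9422 now has two meanings in this list: the rewritten bullet says the transformation was rejected because the usage limit was reached, and the last bullet adds 9422 to the internal errors that should be reported to support. A reader who hits 9422 cannot tell whether to upgrade the plan or open a ticket, so I would keep the last bullet as `* 9424, 9516, 9517, 9518, 9522 & 9523 — Internal errors.` and leave 9422 only in the usage-limit entry. The hunk also removes the only entry for 9423 and the old "taking too long to process" meaning of 9422; if either can still be returned, it needs its own line.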
@@ -219,17 +219,17 @@ interface MyEvent { export class MyWorkflow extends WorkflowEntrypoint { async run(event: WorkflowEvent, step: WorkflowStep) { // 🔴 Bad: Mutating the event - // This will not be persisted across steps and `event.data` will + // This will not be persisted across steps and `event.payload` will // take on its original value. await step.do("bad step that mutates the incoming event", async () => { - let userData = await env.KV.get(event.user) - event.data = userData + let userData = await env.KV.get(event.payload.user) + event.payload = userData }) // ✅ Good: persist data by returning it as state from your step // Use that state in subsequent steps let userData = await step.do("good step that returns state", async () => { - return await env.KV.get(event.user) + return await env.KV.get(event.payload.user) }) let someOtherData = await step.do("following step that uses that state", async () => { @@ -252,14 +252,15 @@ export class MyWorkflow extends WorkflowEntrypoint { // 🔴 Bad: Naming the step non-deterministically prevents it from being cached // This will cause the step to be re-run if subsequent steps fail. await step.do(`step #1 running at: ${Date.now()}`, async () => { - let userData = await env.KV.get(event.user) - event.data = userData + let userData = await env.KV.get(event.payload.user) + // Do not mutate event.payload + event.payload = userData }) // ✅ Good: give steps a deterministic name. // Return dynamic values in your state, or log them instead. let state = await step.do("fetch user data from KV", async () => { - let userData = await env.KV.get(event.user) + let userData = await env.KV.get(event.payload.user) console.log(`fetched at ${Date.now}`) return userData }) diff --git a/src/content/docs/workflows/build/sleeping-and-retrying.mdx b/src/content/docs/workflows/build/sleeping-and-retrying.mdx index a8a0f5c351318c..13f9a90f29ae7b 100644 --- a/src/content/docs/workflows/build/sleeping-and-retrying.mdx 
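Review bot: The corrected lines still call `env.KV.get(event.payload.user)`, but nothing named `env` is in scope inside `run`; the quick-start snippet touched by this same commit states that bindings are reached on `this.env`. I would write `this.env.KV.get(event.payload.user)` in all four places across the two hunks of this file, so the "good" examples run as pasted. In the second hunk the unchanged log line interpolates `Date.now` without calling it, which prints the function rather than a timestamp; `Date.now()` is meant. Both class bodies begin and end outside the hunks.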
+++ b/src/content/docs/workflows/build/sleeping-and-retrying.mdx @@ -102,8 +102,8 @@ import { NonRetryableError } from 'cloudflare:workflows'; export class MyWorkflow extends WorkflowEntrypoint { async run(event: WorkflowEvent, step: WorkflowStep) { await step.do("some step", async () => { - if !(event.data) { - throw new NonRetryableError("event.data did not contain the expected payload") + if !(event.payload.data) { + throw new NonRetryableError("event.payload.data did not contain the expected payload") } }) } diff --git a/src/content/docs/workflows/get-started/cli-quick-start.mdx b/src/content/docs/workflows/get-started/cli-quick-start.mdx index 1b85f9a464261e..162a76f3feccce 100644 --- a/src/content/docs/workflows/get-started/cli-quick-start.mdx +++ b/src/content/docs/workflows/get-started/cli-quick-start.mdx @@ -66,12 +66,11 @@ type Params = { export class MyWorkflow extends WorkflowEntrypoint { async run(event: WorkflowEvent, step: WorkflowStep) { // Can access bindings on `this.env` - // Can access params on `event.params` + // Can access params on `event.payload` const files = await step.do('my first step', async () => { // Fetch a list of files from $SOME_SERVICE return { - inputParams: event, files: [ 'doc_7392_rev3.pdf', 'report_x29_final.pdf', diff --git a/src/content/docs/workflows/get-started/guide.mdx b/src/content/docs/workflows/get-started/guide.mdx index 081e8c660fd959..d4add4740f0ff4 100644 --- a/src/content/docs/workflows/get-started/guide.mdx +++ b/src/content/docs/workflows/get-started/guide.mdx @@ -67,7 +67,6 @@ export class MyWorkflow extends WorkflowEntrypoint { const files = await step.do('my first step', async () => { // Fetch a list of files from $SOME_SERVICE return { - inputParams: event, files: [ 'doc_7392_rev3.pdf', 'report_x29_final.pdf', 
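Review bot: The changed condition `if !(event.payload.data) {` in the sleeping-and-retrying hunk is not valid JavaScript or TypeScript, because the parentheses have to enclose the whole condition. The commit updates the property path but carries the syntax error over, so the `NonRetryableError` example still does not compile. Suggested line: `if (!event.payload.data) {`. The end of the class is outside the hunk.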
@@ -290,12 +289,11 @@ type Params = { export class MyWorkflow extends WorkflowEntrypoint { async run(event: WorkflowEvent, step: WorkflowStep) { // Can access bindings on `this.env` - // Can access params on `event.params` + // Can access params on `event.payload` const files = await step.do('my first step', async () => { // Fetch a list of files from $SOME_SERVICE return { - inputParams: event, files: [ 'doc_7392_rev3.pdf', 'report_x29_final.pdf', From f101a02e5f080d182d33bbc24bdadcddebe6e897 Mon Sep 17 00:00:00 2001 From: Matt Silverlock Date: Wed, 22 Jan 2025 15:02:49 -0500 Subject: [PATCH 012/129] workflows: run return signature (#19329) --- src/content/docs/workflows/build/workers-api.mdx | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/content/docs/workflows/build/workers-api.mdx b/src/content/docs/workflows/build/workers-api.mdx index 109979330b9ace..61f2a2a15e2405 100644 --- a/src/content/docs/workflows/build/workers-api.mdx +++ b/src/content/docs/workflows/build/workers-api.mdx 
@@ -22,11 +22,27 @@ export class MyWorkflow extends WorkflowEntrypoint { }; ``` +### run + * run(event: WorkflowEvent<T>, step: WorkflowStep): Promise<T> * `event` - the event passed to the Workflow, including an optional `payload` containing data (parameters) * `step` - the `WorkflowStep` type that provides the step methods for your Workflow +The `run` method can optionally return data, which is available when querying the instance status via the [Workers API](/workflows/build/workers-api/#instancestatus), [REST API](/api/resources/workflows/subresources/instances/subresources/status/) and the Workflows dashboard. This can be useful if your Workflow is computing a result, returning the key to data stored in object storage, or generating some kind of identifier you need to act on. + +```ts +export class MyWorkflow extends WorkflowEntrypoint { + async run(event: WorkflowEvent, step: WorkflowStep) { + // Steps here + let someComputedState = step.do("my step", async () => { }) + + // Optional: return state from our run() method + return someComputedState + } +}; +``` + The `WorkflowEvent` type accepts an optional [type parameter](https://www.typescriptlang.org/docs/handbook/2/generics.html#working-with-generic-type-variables) that allows you to provide a type for the `payload` property within the `WorkflowEvent`. Refer to the [events and parameters](/workflows/build/events-and-parameters/) documentation for how to handle events within yur Workflow code. From d56fae36eec8e52af6d4c2a37a9334ea7f9d1631 Mon Sep 17 00:00:00 2001 From: Dario Piotrowicz Date: Wed, 22 Jan 2025 20:57:06 +0000 Subject: [PATCH 013/129] Fix typo in Next.js workers guide (#19361) --- src/content/docs/workers/frameworks/framework-guides/nextjs.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/workers/frameworks/framework-guides/nextjs.mdx b/src/content/docs/workers/frameworks/framework-guides/nextjs.mdx index aea9bd55fe9eb5..f01e1b0a5051b7 100644 
--- a/src/content/docs/workers/frameworks/framework-guides/nextjs.mdx +++ b/src/content/docs/workers/frameworks/framework-guides/nextjs.mdx @@ -133,7 +133,7 @@ npm run preview:worker ``` This command will build your OpenNext application, also creating, if not already present, an `open-next.configs.ts` file for you. -This if necessary if you want to deploy your application with a GibHub/GitLab integration as presented in the next step. +This is necessary if you want to deploy your application with a GibHub/GitLab integration as presented in the next step. ### 7. Deploy to Cloudflare Workers From 0d78296e635f529d5db979f16daded19ab457947 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 22 Jan 2025 15:18:28 -0600 Subject: [PATCH 014/129] [Gateway] Proxy endpoint firewall config (#19265) Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- .../connect-devices/agentless/pac-files.mdx | 119 ++++++++++++++++-- 1 file changed, 112 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index dba1aafe312a45..d294ca9815035a 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx @@ -8,9 +8,7 @@ sidebar: import { Details, GlossaryDefinition, TabItem, Tabs } from "~/components"; :::note - Only available on Enterprise plans. - ::: You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file. 
@@ -28,7 +26,6 @@ Install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/u You can generate a proxy endpoint on the Zero Trust dashboard or through the Cloudflare API. :::caution - All devices you add to the proxy endpoint will be able to access your Cloudflare Tunnel applications and services. If you only want to proxy web traffic, you can build a network policy that blocks those source IPs from connecting to your internal resources. ::: @@ -48,9 +45,7 @@ All devices you add to the proxy endpoint will be able to access your Cloudflare - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/109` :::note - Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/32` for IPv6 networks. - ::: 5. Select **Save endpoint** and confirm the endpoint creation. @@ -80,9 +75,7 @@ https://.proxy.cloudflare-gateway.com - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/32` :::note - Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/32` for IPv6 networks. - ::: 2. After running the call, you should see an output similar to 
@@ -197,6 +190,118 @@ To test your configuration, you can test any [supported HTTP policy](#limitation You can now use the Proxy Endpoint selector in [network](/cloudflare-one/policies/gateway/network-policies/#proxy-endpoint) and [HTTP](/cloudflare-one/policies/gateway/http-policies/#proxy-endpoint) policies to filter traffic proxied via PAC files. +## Configure firewall + +You may need to configure your organization's firewall to allow your users to connect to a proxy endpoint. Depending on your firewall, you will need to create a rule using either your proxy endpoint's domain or IP addresses. + +To get the domain of a proxy endpoint: + + + + + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Proxy endpoints**. +2. Choose the proxy endpoint. Select **Edit**. +3. In **Proxy Endpoint**, copy the domain. + + + + + +1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) operation to get a list of your proxy endpoints and their details. For example: + + ```bash + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \ + --header "Authorization: Bearer " + ``` + + ```json {10} output + { + "success": true, + "result": { + "id": "ed35569b41ce4d1facfe683550f54086", + "created_at": "2014-01-01T05:20:00.12345Z", + "ips": [ + "192.0.2.1/32" + ], + "name": "DevOps team", + "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", + "updated_at": "2014-01-01T05:20:00.12345Z" + } + } + ``` + +2. Find the proxy endpoint you want to use. +3. Copy the value of the `subdomain` key. + + + + + +Using your proxy endpoint's domain, you can get the IP addresses assigned to the proxy endpoint: + + + + + +1. Open a terminal. +2. Run `dig` on your proxy endpoint's A records to get its IPv4 addresses. For example: + + ```bash + dig A example.cloudflare-gateway.com +short + ``` + + ```txt output + 162.159.36.5 + 162.159.36.20 + ``` + +3. 
Run `dig` on your proxy endpoint's AAAA records to get its IPv6 addresses. For example: + + ```bash + dig AAAA example.cloudflare-gateway.com +short + ``` + + ```txt output + 2606:4700:54::a29f:2407 + 2606:4700:5c::a29f:2e07 + ``` + + + + + +1. Open a PowerShell terminal. +2. Run `Resolve-DnsName` on your proxy endpoint's A records. Your proxy endpoint's IPv4 addresses will appear under `IPAddress`. For example: + + ```powershell + Resolve-DnsName -Name example.cloudflare-gateway.com -Type A + ``` + + ```txt output + Name Type TTL Section IPAddress + ---- ---- --- ------- --------- + example.cloudflare-gateway.com A 300 Answer 162.159.36.5 + example.cloudflare-gateway.com A 300 Answer 162.159.36.20 + ``` + +3. Run `Resolve-DnsName` on your proxy endpoint's AAAA records. Your proxy endpoint's IPv6 addresses will appear under `IPAddress`. For example: + + ```powershell + Resolve-DnsName -Name example.cloudflare-gateway.com -Type AAAA + ``` + + ```txt output + Name Type TTL Section IPAddress + ---- ---- --- ------- --------- + example.cloudflare-gateway.com AAAA 300 Answer 2606:4700:5c::a29f:2e07 + example.cloudflare-gateway.com AAAA 300 Answer 2606:4700:54::a29f:2407 + ``` + + + + + ## Limitations ### Traffic limitations From d546e7779c59089767c7147c807d75a6067a336c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 22 Jan 2025 16:31:46 -0600 Subject: [PATCH 015/129] [ZT] Java cert procedure (#19370) --- .../manual-deployment.mdx | 52 ++++++++++++++++++- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx index 6da5a2e1d8959e..3d87f75d714dcb 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx 
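Review bot: The `dig` and `Resolve-DnsName` examples query `example.cloudflare-gateway.com`, but the domain the reader has just been told to copy has a `.proxy.` label, as in the `subdomain` value `oli3n9zkz5.proxy.cloudflare-gateway.com` in the API output of this same hunk. Using a placeholder of the same shape avoids a lookup against the wrong name, for example `dig A <SUBDOMAIN>.proxy.cloudflare-gateway.com +short`. The section also does not say whether the returned addresses are stable: a firewall rule built from a one-off lookup keeps allowing those addresses after they stop belonging to the endpoint and blocks users if new ones are assigned. A sentence stating how often to re-resolve, or recommending the domain-based rule where the firewall supports it, would close that gap.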
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx @@ -626,6 +626,54 @@ To install a certificate for use in a Docker container: +### Java + +Java may have multiple certificate keystore locations depending on different installations or applications that include Java. Depending on your Java Virtual Machine (JVM) installation, you may need to install the certificate for each instance. You may also need to manually configure each Java application to use and trust the certificate. + +To install a Cloudflare root certificate in the system JVM, follow the procedure for your operating system. These steps require you to [download a `.pem` certificate](#download-the-cloudflare-root-certificate). + + + + +1. Install [OpenSSL](https://www.openssl.org/). + +2. In a terminal, format the Cloudflare certificate for Java. + + ```sh + openssl x509 -in Cloudflare_CA.pem -inform pem -out Cloudflare_CA.der -outform der + ``` + +3. Import the converted certificate into the Java keystore. + + ```sh + sudo $JAVA_HOME/bin/keytool -import -trustcacerts -alias 'Cloudflare Root CA' -file Cloudflare_CA.der -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt 2>&1 + ``` + +4. Restart any instances of Java. + + + + + +1. Install [OpenSSL for Windows](https://slproweb.com/products/Win32OpenSSL.html). + +2. In an administrator PowerShell terminal, format the Cloudflare certificate for Java. + + ```powershell + openssl x509 -in Cloudflare_CA.pem -inform pem -out Cloudflare_CA.der -outform der + ``` + +3. Import the converted certificate into the Java keystore. + + ```powershell + "%JAVA_HOME%\bin\keytool" -import -trustcacerts -alias "Cloudflare Root CA" -file Cloudflare_CA.der -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -noprompt + ``` + +4. Restart any instances of Java. + + + + ### Google Cloud #### Google Cloud SDK 
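Review bot: The Windows step 3 is labelled as a PowerShell command but uses cmd.exe syntax: PowerShell does not expand `%JAVA_HOME%`, and a quoted path is not executed without the call operator. Suggested line: `& "$env:JAVA_HOME\bin\keytool" -import -trustcacerts -alias "Cloudflare Root CA" -file Cloudflare_CA.der -keystore "$env:JAVA_HOME\jre\lib\security\cacerts" -storepass changeit -noprompt`. Both tabs hard-code `jre/lib/security/cacerts`, which is the Java 8 layout; on JDK 9 and later the store is at `lib/security/cacerts` and `keytool -cacerts` selects it without a path. Because `-noprompt` skips keytool's confirmation of the certificate being added as a trust anchor for every TLS connection the JVM makes, I would add a preceding step that checks the file, such as `openssl x509 -in Cloudflare_CA.pem -noout -fingerprint -sha256`, against a trusted reference for the downloaded certificate.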
@@ -662,7 +710,7 @@ If you use Kaniko with Google Cloud SDK, you must install a Cloudflare certifica #### Google Drive for desktop -To trust a Cloudflare root certificate in the Google Drive desktop application, follow the procedure for your operating system. These steps require you to [download the .pem certificate](#download-the-cloudflare-root-certificate). +To trust a Cloudflare root certificate in the Google Drive desktop application, follow the procedure for your operating system. These steps require you to [download a `.pem` certificate](#download-the-cloudflare-root-certificate). @@ -760,7 +808,7 @@ To set the location of the certificate for use as an environment variable: ### PHP Composer -The command below will set the [`cafile`](https://getcomposer.org/doc/06-config.md#cafile) configuration inside of `composer.json` to use the Cloudflare root certificate. Make sure to [download the certificate](#download-the-cloudflare-root-certificate) in the `.pem` file type. +The command below will set the [`cafile`](https://getcomposer.org/doc/06-config.md#cafile) configuration inside of `composer.json` to use the Cloudflare root certificate. Make sure to [download a certificate](#download-the-cloudflare-root-certificate) in the `.pem` file type. ```sh composer config cafile [PATH_TO_CLOUDFLARE_CERT.pem] From e84040bdffc9d78729dd7d3e8763999cb8ea478d Mon Sep 17 00:00:00 2001 
From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Wed, 22 Jan 2025 17:47:09 -0500 Subject: [PATCH 016/129] [ZT] New Access app settings UI (#19371) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * new Access app settings UI * Update src/content/docs/cloudflare-one/identity/users/session-management.mdx Co-authored-by: Denise Peña <75506267+dcpena@users.noreply.github.com> --------- Co-authored-by: Denise Peña <75506267+dcpena@users.noreply.github.com> --- .../non-http/browser-rendering.mdx | 4 ++-- .../automatic-cloudflared-authentication.mdx | 2 +- .../identity/authorization-cookie/cors.mdx | 10 ++++----- .../authorization-cookie/validating-json.mdx | 4 ++-- .../mutual-tls-authentication.mdx | 2 +- .../warp-client-checks/require-gateway.mdx | 16 ++++++++------ .../warp-client-checks/require-warp.mdx | 18 +++++++-------- .../identity/users/session-management.mdx | 11 ++++++---- .../policies/access/mfa-requirements.mdx | 20 ++++++++++------- .../access/require-purpose-justification.mdx | 22 ++++++++++--------- .../policies/access/temporary-auth.mdx | 9 +++++--- .../cloudflare-one/access/app-launcher.mdx | 20 ++++++++--------- .../access/enable-isolation.mdx | 9 ++++---- .../partials/cloudflare-one/access/tags.mdx | 2 +- 14 files changed, 81 insertions(+), 68 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx b/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx index 1179e407043f3f..711c500ad2de66 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx 
@@ -19,8 +19,8 @@ To enable browser rendering: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. 2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. 3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. -4. In the **Settings** tab, scroll down to **Additional settings**. -5. For **Browser rendering**, choose *SSH* or *VNC*. +4. Go to **Advanced settings** > **Browser rendering settings**. +5. For **Browser rendering**, choose _SSH_ or _VNC_. 6. Select **Save application**. When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser. diff --git a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx index bd7941f02be4b8..219b288bb671db 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx @@ -16,7 +16,7 @@ To enable automatic `cloudflared` authentication: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. 2. Locate your application and select **Configure**. -3. In the **Settings** tab, scroll down to **Additional settings**. +3. Go to **Advanced settings** > **Browser rendering settings**. 4. Turn on **Enable automatic cloudflared authentication**. 5. Select **Save application**. 
diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx index ef3da21b79b745..73012724cd54e6 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx @@ -51,8 +51,8 @@ There are three ways you can resolve this error: You can configure Cloudflare to send OPTIONS requests directly to your origin server. To bypass Access for OPTIONS requests: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate the origin that will be receiving OPTIONS requests and select **Edit**. -3. In the **Settings** tab, scroll down to **CORS settings**. +2. Locate the origin that will be receiving OPTIONS requests and select **Configure**. +3. Go to **Advanced settings** > **Cross-Origin Resource Sharing (CORS) settings**. 4. Turn on **Bypass options requests to origin**. This will remove all existing CORS settings for this application. It is still important to enforce CORS for the Access JWT -- this option should only be used if you have CORS enforcement established in your origin server. 
@@ -65,11 +65,11 @@ To configure how Cloudflare responds to preflight requests: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate the origin that will be receiving OPTIONS requests and select **Edit**. +2. Locate the origin that will be receiving OPTIONS requests and select **Configure**. -3. In the **Settings** tab, scroll down to **CORS settings**. +3. Go to **Advanced settings** > **Cross-Origin Resource Sharing (CORS) settings**. -4. Configure the dashboard [CORS settings](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers) to match the response headers sent by your origin. +4. Configure these [CORS settings](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers) to match the response headers sent by your origin. For example, if you have configured `api.mysite.com`to return the following headers: diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx index 250346f1b032fd..d3a995afc72141 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx @@ -67,7 +67,7 @@ As shown in the example below, `https://.cloudflareaccess.com/cd * Validate tokens using the external endpoint rather than saving the public key as a hard-coded value. -* Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`. +* Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`. ::: ## Verify the JWT manually 
@@ -100,7 +100,7 @@ To get the AUD tag: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. 2. Select **Configure** for your application. -3. On the **Overview** tab, copy the **Application Audience (AUD) Tag**. +3. From the **Basic information** tab, copy the **Application Audience (AUD) Tag**. You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application. diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx index f43cdf87ffdb1f..e2a8df40633e8f 100644 --- a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx @@ -50,7 +50,7 @@ To enforce mTLS authentication from [Zero Trust](https://one.dash.cloudflare.com 7. Next, go to **Access** > **Applications**. -8. Find the application you would like to enforce mTLS on and select **Edit**. The application must be included in the **Associated hostnames** list from Step 5. +8. Find the application you would like to enforce mTLS on and select **Configure**. The application must be included in the **Associated hostnames** list from Step 5. 9. Create a new (or amend an existing) [Access policy](/cloudflare-one/policies/access/). diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-gateway.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-gateway.mdx index 2446897fc46104..1e2948fffe4390 100644 --- a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-gateway.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-gateway.mdx 
@@ -11,13 +11,13 @@ head: import { Render } from "~/components" -With Require Gateway, you can allow access to your applications only to devices enrolled in your organization's instance of Gateway. Unlike [Require WARP](/cloudflare-one/identity/devices/warp-client-checks/require-warp/), which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization's Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees. +With Require Gateway, you can allow access to your applications only to devices enrolled in your Zero Trust organization. Unlike [Require WARP](/cloudflare-one/identity/devices/warp-client-checks/require-warp/), which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization's Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees. ## Prerequisites * -## Enable the Gateway check +## 1. Enable the Gateway check 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. 
@@ -25,14 +25,16 @@ With Require Gateway, you can allow access to your applications only to devices 3. Select **Gateway**, then select **Save**. -## Add the check to an Access policy +## 2. Add the check to an Access application 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Select the application for which you want to require Gateway, then select **Configure**. +2. Locate the application for which you want to require Gateway. Select **Configure**. -3. To create a new Access policy, select **Add a policy**. To require Gateway for an existing policy, select a policy, then select **Configure**. +3. In the **Policies** tab, create a new Access policy or edit an existing policy. -4. Add an Include or Require rule which uses the Gateway selector. Select **Save policy**. +4. In the policy builder, add an Include or Require rule which uses the _Gateway_ selector. Save the policy. -Before granting access to the application, your policy will now check that the device is running the WARP client and enrolled in your Zero Trust organization. +5. Save the Access application. + +Before granting access to the application, the policy will check that the device is running the WARP client and enrolled in your Zero Trust organization. diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-warp.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-warp.mdx index a18892af75cbff..ce575c1a16d2c4 100644 --- a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-warp.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-warp.mdx 
@@ -29,22 +29,20 @@ Cloudflare Zero Trust enables you to restrict access to your applications to dev 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. 2. Ensure that **Proxy** is enabled. -3. Next, go to **Settings** > **WARP Client**. -4. Scroll down to **WARP client checks** and select **Add new**. -5. Select **WARP**. - -You are now ready to start requiring WARP for your Access applications. +3. Go to **Settings** > **WARP Client**. +4. In **WARP client checks**, select **Add new**. +5. Select **WARP**, then select **Save**. ## 2. Add the check to an Access policy 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate the application for which you want to require WARP. +2. Locate the application for which you want to require WARP. Select **Configure**. -3. Select **Edit**. +3. In the **Policies** tab, create a new Access policy or edit an existing policy. -4. To have an existing policy require WARP, select **Edit** for that specific policy. Then, add an **Include** or **Require** rule which uses the *WARP* selector. +4. In the policy builder, add an Include or Require rule which uses the _WARP_ selector. Save the policy. -5. Select **Save rule**. +5. Save the Access application. -Before granting access to the application, your policy will now check that the device is running the WARP client. +Before granting access to the application, the policy will check that the device is running the WARP client. diff --git a/src/content/docs/cloudflare-one/identity/users/session-management.mdx b/src/content/docs/cloudflare-one/identity/users/session-management.mdx index e97796abc04bdf..2d9ad22312f474 100644 --- a/src/content/docs/cloudflare-one/identity/users/session-management.mdx +++ b/src/content/docs/cloudflare-one/identity/users/session-management.mdx 
@@ -32,6 +32,7 @@ You can set a global session duration between 15 minutes and 1 month. 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. 2. Under **Global session timeout**, select **Edit**, 3. Select the desired timeout duration from the dropdown menu. +4. Select **Save**. The user will be required to re-authenticate with the IdP after this period of time. @@ -40,8 +41,9 @@ The user will be required to re-authenticate with the IdP after this period of t You can set an application session duration for self-hosted and private Access applications. Available session durations range from immediate timeout to 1 month. The default is 24 hours. 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate the application you want to configure and select **Edit**. -3. In the **Overview** tab, select a **Session Duration** from the dropdown menu. +2. Choose an application and select **Configure**. +3. Select a **Session Duration** from the dropdown menu. +4. Save the application. The application token will expire after this period of time (unless you have set a [policy session duration](#set-policy-session-duration)). @@ -56,6 +58,7 @@ You can set a policy session duration ranging from immediate timeout to one mont 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Policies**. 2. Choose a policy and select **Configure**. 3. Select a **Session Duration** from the dropdown menu. +4. Save the policy. Users who match this policy will be issued an application token with this expiration time. 
@@ -69,9 +72,9 @@ To immediately terminate all active sessions for a specific application: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate the application for which you would like to revoke active sessions and select **Edit**. +2. Locate the application for which you would like to revoke active sessions and select **Configure**. -3. In the **Overview** tab, select **Revoke existing tokens**. +3. Select **Revoke existing tokens**. Unless there are changes to rules in the policy, users can start a new session if their profile in your identity provider is still active. diff --git a/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx b/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx index 5ab03830f9e99e..b37e4d0ce38531 100644 --- a/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx 
@@ -18,21 +18,25 @@ This feature is only available if you are using the following identity providers To enforce an MFA requirement to an application: -1. In Zero Trust, go to **Access** > **Applications**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. -2. Find the application for which you want to enforce MFA and select **Edit**. Alternatively, [create a new application](/cloudflare-one/applications/configure-apps/). +2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/applications/configure-apps/). -3. Go to the **Rules** section of the application. +3. Go to **Policies**. -4. If your application already has a rule containing an identity requirement, find it and select **Edit**. +4. If your application already has a policy containing an identity requirement, find it and select **Configure**. - The rule must contain an Include rule which defines an identity. For example, the Include rule should allow for users who are part of a [rule group](/cloudflare-one/policies/access/groups/), email domain, or identity provider group. + :::note + The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/policies/access/groups/), email domain, or identity provider group. + ::: -5. Add a _Require_ action to the rule. +5. Add the following rule to the policy: -6. Select _Authentication Method_ and choose `mfa - multiple-factor authentication`. + | Rule type | Selector | Value | + | ---------- | -------- | ------ | + | Require | Authentication method | `mfa - multiple-factor authentication` | -7. Save the rule. +6. Save the policy. :::caution[Important] 
diff --git a/src/content/docs/cloudflare-one/policies/access/require-purpose-justification.mdx b/src/content/docs/cloudflare-one/policies/access/require-purpose-justification.mdx index 6da5c3eab79857..793f7c9475f7f1 100644 --- a/src/content/docs/cloudflare-one/policies/access/require-purpose-justification.mdx +++ b/src/content/docs/cloudflare-one/policies/access/require-purpose-justification.mdx 
@@ -1,26 +1,28 @@ --- pcx_content_type: how-to -title: Require Purpose Justification +title: Require purpose justification sidebar: order: 3 head: - tag: title - content: Require Purpose Justification after login + content: Require purpose justification after login --- -Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for *who* is accessing their resources, but also for *why* they are requesting access. +Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for who is accessing their resources, but also for why they are requesting access. The purpose justification screen will show for any new sessions of an application. For example, if an Access application has a session time of eight hours, a user will see the purpose justification screen once every eight hours. Configuring a purpose justification screen is done as part of configuring an Access policy. -1. In Zero Trust, go to **Access** > **Applications**. -2. Select an application and select **Edit**. -3. Select the policy you want to configure with purpose justification. -4. Open **Optional Configurations**. -5. Enable purpose justification. -6. (Optional) set a custom purpose justification message. This will appear on the purpose justification screen and will be visible to the user. -7. Once configured, a user will see the following screen: +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +2. Choose an application and select **Configure**. +3. Go to **Policies**. +4. Choose an **Allow** policy and select **Configure**. +5. Under **Additional settings**, turn on **Purpose justification**. +6. (Optional) Set a custom purpose justification message. 
This will appear on the purpose justification screen and will be visible to the user. +7. Save the policy. + +Users who match this policy will see the following screen: ![Finalized purpose justification screen displaying custom message.](~/assets/images/cloudflare-one/policies/purpose-justification.png) diff --git a/src/content/docs/cloudflare-one/policies/access/temporary-auth.mdx b/src/content/docs/cloudflare-one/policies/access/temporary-auth.mdx index 242c27cec5baf2..5b24cd305f50bd 100644 --- a/src/content/docs/cloudflare-one/policies/access/temporary-auth.mdx +++ b/src/content/docs/cloudflare-one/policies/access/temporary-auth.mdx 
@@ -11,11 +11,14 @@ With Cloudflare Access, you can require that users obtain approval before they c ## Set up temporary authentication 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Choose a **Self-hosted** or **SaaS** application and select **Edit**. -3. Choose the **Allow** policy you want to configure and select **Edit**. +2. Choose a **Self-hosted** or **SaaS** application and select **Configure**. +3. Choose an **Allow** policy and select **Configure**. 4. Under **Additional settings**, turn on [**Purpose justification**](/cloudflare-one/policies/access/require-purpose-justification/). 5. Turn on **Temporary authentication**. -6. Enter the **Email addresses of the approvers**. (Note: your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](/cloudflare-one/applications/app-launcher/).) +6. Enter the **Email addresses of the approvers**. + :::note + Your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](/cloudflare-one/applications/app-launcher/). + ::: 7. Save the policy. Temporary authentication is now enabled for users who match this policy. You can optionally add a second **Allow** policy for users who should have persistent access. Be sure the policy order is set to allow persistent users through. diff --git a/src/content/partials/cloudflare-one/access/app-launcher.mdx b/src/content/partials/cloudflare-one/access/app-launcher.mdx index 21dab17962a696..214fe491c5f7ba 100644 --- a/src/content/partials/cloudflare-one/access/app-launcher.mdx +++ b/src/content/partials/cloudflare-one/access/app-launcher.mdx 
@@ -38,21 +38,21 @@ To show an Access application in the App Launcher: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. 2. Select an application and select **Configure**. -3. In the **Overview** tab, select **Enable App in App Launcher**. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher. +3. Go to **Experience settings**. +4. Select **Show application in App Launcher**. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher. -:::note + :::note -This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application. -::: + This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application. + ::: -4. Choose a domain to use for the App Launcher link. +5. (Optional) To use a custom logo for the application tile, select **Use custom logo** and enter a link to your desired image. -5. To use a custom logo for the application tile, select **Custom** and enter a link to your desired image. + :::note + If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will. + ::: -:::note - -If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will. -::: +6. 
In **Application domains**, choose a domain to use for the App Launcher link. ## Customize App Launcher appearance diff --git a/src/content/partials/cloudflare-one/access/enable-isolation.mdx b/src/content/partials/cloudflare-one/access/enable-isolation.mdx index cc58c670e38631..9717d8b73b5a79 100644 --- a/src/content/partials/cloudflare-one/access/enable-isolation.mdx +++ b/src/content/partials/cloudflare-one/access/enable-isolation.mdx @@ -7,11 +7,12 @@ import { Render } from "~/components" -3. Next, go to **Access** > **Applications**. +3. Go to **Access** > **Applications**. 4. Choose a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) and select **Configure**. -5. Choose an [Allow policy](/cloudflare-one/policies/access/) and select **Configure**. -6. Under **Additional settings**, turn on **Isolate application**. -7. Save the policy. +5. Go to **Policies**. +6. Choose an [Allow policy](/cloudflare-one/policies/access/) and select **Configure**. +7. Under **Additional settings**, turn on **Isolate application**. +8. Save the policy. Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to [Check if a web page is isolated](/cloudflare-one/policies/browser-isolation/setup/#3-check-if-a-web-page-is-isolated). diff --git a/src/content/partials/cloudflare-one/access/tags.mdx b/src/content/partials/cloudflare-one/access/tags.mdx index 19681a56d28fae..f64172dc69b6ef 100644 --- a/src/content/partials/cloudflare-one/access/tags.mdx +++ b/src/content/partials/cloudflare-one/access/tags.mdx 
@@ -22,7 +22,7 @@ To add a tag to an existing Access application: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. 2. Select an application and select **Configure**. -3. Select the **Overview** tab. +3. Go to **Experience settings**. 4. In the **Tags** dropdown, select the tags that you would like to assign to this application. The tag must be [created](#create-a-tag) before you can select it in the dropdown. 5. Select **Save application**. From d64ccb402fe128b6abfedc7e742896397c67e6e8 Mon Sep 17 00:00:00 2001 From: Matt Silverlock Date: Thu, 23 Jan 2025 04:03:46 -0500 Subject: [PATCH 017/129] durable objects: examples for using type args with SQL API (#18516) * durable objects: examples for using type args with SQL API cc @geelen to keep me honest * Update src/content/docs/durable-objects/api/sql-storage.mdx * Update src/content/docs/durable-objects/api/sql-storage.mdx --------- Co-authored-by: Jun Lee --- .../docs/durable-objects/api/sql-storage.mdx | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/src/content/docs/durable-objects/api/sql-storage.mdx b/src/content/docs/durable-objects/api/sql-storage.mdx index da9c45957ed26f..c6f8b558b9194f 100644 --- a/src/content/docs/durable-objects/api/sql-storage.mdx +++ b/src/content/docs/durable-objects/api/sql-storage.mdx 
@@ -148,3 +148,57 @@ let now = new Date(); let bookmark = ctx.storage.getBookmarkForTime(now - 2); ctx.storage.onNextSessionRestoreBookmark(bookmark); ``` + +## TypeScript and query results + +You can use TypeScript [type parameters](https://www.typescriptlang.org/docs/handbook/2/generics.html#working-with-generic-type-variables) to provide a type for your results, allowing you to benefit from type hints and checks when iterating over the results of a query. + +:::caution + +Providing a type parameter does _not_ validate that the query result matches your type definition. In TypeScript, properties (fields) that do not exist in your result type will be silently dropped. + +::: + +Your type must conform to the shape of a TypeScript [Record](https://www.typescriptlang.org/docs/handbook/utility-types.html#recordkeys-type) type representing the name (`string`) of the column and the type of the column. The column type must be a valid `SqlStorageValue`: one of `ArrayBuffer | string | number | null`. + +For example, + +```ts +type User = { + id: string; + name: string; + email_address: string; + version: number; +} +``` + +This type can then be passed as the type parameter to a `sql.exec` call: + +```ts +// The type parameter is passed between the "pointy brackets" before the function argument: +const result = this.ctx.storage.sql.exec("SELECT id, name, email_address, version FROM users WHERE id = ?", [user_id]).one() +// result will now have a type of "User" + +// Alternatively, if you are iterating over results using a cursor +let cursor = this.sql.exec("SELECT id, name, email_address, version FROM users WHERE id = ?", [user_id]) +for (let row of cursor) { + // Each row object will be of type User +} + +// Or, if you are using raw() to convert results into an array, define an array type: +type UserRow = [ + id: string, + name: string, + email_address: string, + version: number, +]; + +// ... 
and then pass it as the type argument to the raw() method: +let cursor = sql.exec("SELECT id, name, email_address, version FROM users WHERE id = ?", [user_id]).raw(); + +for (let row of cursor) { + // row is of type User +} +``` + +You can represent the shape of any result type you wish, including more complex types. If you are performing a JOIN across multiple tables, you can compose a type that reflects the results of your queries. From a2ff46749d1024aca7158a3325e847a3f0b7a19a Mon Sep 17 00:00:00 2001 From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Thu, 23 Jan 2025 09:50:51 +0000 Subject: [PATCH 018/129] Updates to connection multiplexing ent (#19379) --- .../docs/speed/optimization/protocol/http2-to-origin.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/speed/optimization/protocol/http2-to-origin.mdx b/src/content/docs/speed/optimization/protocol/http2-to-origin.mdx index db39698c9c9752..4fd5167fd0bf99 100644 --- a/src/content/docs/speed/optimization/protocol/http2-to-origin.mdx +++ b/src/content/docs/speed/optimization/protocol/http2-to-origin.mdx @@ -27,7 +27,7 @@ If you wish to disable HTTP/2 to Origin, you can follow these steps: ## Connection multiplexing -Connection multiplexing is enabled by default on Free, Pro and Business zones. Enterprise zones will be enabled at a later date. +Connection multiplexing is enabled by default on Free, Pro and Business zones. Enterprise zones can enable multiplexing manually and configure concurrent requests per connection. HTTP/2 uses multiplexing to allow multiple concurrent requests and responses over a single TCP connection. If your origin does not support multiplexing, enabling HTTP/2 to origin may result in 5xx errors, particularly 520s. From 22a7e2ae56ec7552c80e0f2070c420dbdcc9eff2 Mon Sep 17 00:00:00 2001 
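Review bot: The caution in the new "TypeScript and query results" section says fields missing from the result type are "silently dropped", but a type parameter is erased at compile time, so undeclared columns stay on the row object at runtime and travel with it when the row is logged or returned. I would reword it along the lines of `Columns that are not declared in your type are still present on the returned object at runtime; select only the columns you need and validate rows before they cross a trust boundary.` The `ts` fence also declares `let cursor` twice in one scope, and the comment in the last loop says `row is of type User` where the `raw()` rows are described by `UserRow`. The `exec` and `raw()` calls as shown carry no type argument even though the comments say one is passed; this may be an artefact of how the page was rendered, so check it against the source file.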
From: Ahmed Ashour Date: Thu, 23 Jan 2025 11:08:19 +0100 Subject: [PATCH 019/129] Fix typo in parameter (#19377) --- src/content/docs/r2/examples/aws/aws-sdk-java.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/r2/examples/aws/aws-sdk-java.mdx b/src/content/docs/r2/examples/aws/aws-sdk-java.mdx index 7f6a4dedbce4d0..1fd21e6027ab74 100644 --- a/src/content/docs/r2/examples/aws/aws-sdk-java.mdx +++ b/src/content/docs/r2/examples/aws/aws-sdk-java.mdx @@ -17,7 +17,7 @@ To mitigate, users can use `2.29.52` or add the following to their S3Config: ```java this.requestChecksumCalculation = "when_required", -this.esponseChecksumValidation = "when_required" +this.responseChecksumValidation = "when_required" ``` ::: From 447b6192675003248434e7974221b9ee2052b4f0 Mon Sep 17 00:00:00 2001 From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Thu, 23 Jan 2025 10:13:01 +0000 Subject: [PATCH 020/129] Updates Regional Services limitations (#19380) --- src/content/docs/data-localization/limitations.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/data-localization/limitations.mdx b/src/content/docs/data-localization/limitations.mdx index 2e508cea295b42..efa28cf81adad5 100644 --- a/src/content/docs/data-localization/limitations.mdx +++ b/src/content/docs/data-localization/limitations.mdx 
@@ -38,7 +38,7 @@ The following features and protocols are not supported by Regional Services and Since Regional Services leverages Spectrum in the background, [Spectrum limitations](/spectrum/reference/limitations/) apply. -Regional Services does not apply to [Subrequests](/workers/platform/limits/#subrequests). +Regional Services does not apply to [Subrequests](/workers/platform/limits/#subrequests). Regional Services operates on your hostname's IPs. We recommend using [DNSSEC](/learning-paths/application-security/default-traffic-security/dnssec/) and/or [DNS over HTTPS](/1.1.1.1/encryption/dns-over-https/) to ensure that DNS responses are secure and correct. ## Customer Metadata Boundary From dd3ecc4e78329f6889189df99b0906adb2d231db Mon Sep 17 00:00:00 2001 From: Krzysztof Szarlej <16528258+kszarlej@users.noreply.github.com> Date: Thu, 23 Jan 2025 14:10:00 +0100 Subject: [PATCH 021/129] [Rules] Fix API permission name for Origin Rules (#19381) --- src/content/docs/rules/origin-rules/create-api.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/rules/origin-rules/create-api.mdx b/src/content/docs/rules/origin-rules/create-api.mdx index ac344025ca5cbb..8ce0cca8ccc8d6 100644 --- a/src/content/docs/rules/origin-rules/create-api.mdx +++ b/src/content/docs/rules/origin-rules/create-api.mdx @@ -242,4 +242,4 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \ The API token used in API requests to manage origin rules must have at least the following permission: -- _Origin_ > _Edit_ +- _Zone_ > _Origin Rules_ > _Edit_ From 0318e392ec384a88ac9523d42e28aea799f8ffd8 Mon Sep 17 00:00:00 2001 From: Jun Lee Date: Thu, 23 Jan 2025 13:55:19 +0000 Subject: [PATCH 022/129] Adding the limit increase footnote to the 50k limit. (#19384) --- src/content/docs/d1/platform/limits.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/d1/platform/limits.mdx b/src/content/docs/d1/platform/limits.mdx index 8de517c65a7023..2074b06ee94828 100644 --- a/src/content/docs/d1/platform/limits.mdx +++ b/src/content/docs/d1/platform/limits.mdx @@ -10,7 +10,7 @@ import { Render } from "~/components"; | Feature | Limit | | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- | -| Databases | 50,000 (Workers Paid) / 10 (Free) | +| Databases | 50,000 (Workers Paid)[^1] / 10 (Free) | | Maximum database size | 10 GB (Workers Paid) / 500 MB (Free) | | Maximum storage per account | 250 GB (Workers Paid)[^1] / 5 GB (Free) | | [Time Travel](/d1/reference/time-travel/) duration (point-in-time recovery) | 30 days (Workers Paid) / 7 days (Free) | From 933d3fa85c7d531f762ee06131cf8a13b295e832 Mon Sep 17 00:00:00 2001 From: "hyperlint-ai[bot]" <154288675+hyperlint-ai[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 08:03:11 -0600 Subject: [PATCH 023/129] Fix issue: WorkspaceTaskSubType.META_DESCRIPTION (#19357) Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- src/content/docs/support/contacting-cloudflare-support.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/support/contacting-cloudflare-support.mdx b/src/content/docs/support/contacting-cloudflare-support.mdx index 958bb3c7375c7b..81024b79164a51 100644 --- a/src/content/docs/support/contacting-cloudflare-support.mdx +++ b/src/content/docs/support/contacting-cloudflare-support.mdx 
@@ -2,10 +2,10 @@ pcx_content_type: troubleshooting source: https://support.cloudflare.com/hc/en-us/articles/200172476-Contacting-Cloudflare-Support title: Contacting Cloudflare Support +description: Learn how to contact Cloudflare Support through various methods, including live chat and phone, with guidelines for identity verification and case submission. sidebar: order: 1 --- - ## Guidelines for contacting Cloudflare support Cloudflare Support _cannot_ perform the following actions: From 3e6421e170ced649da11a149c5144f6cdfde2436 Mon Sep 17 00:00:00 2001 From: Craig Dennis Date: Thu, 23 Jan 2025 06:03:58 -0800 Subject: [PATCH 024/129] Removes beta (#19368) --- src/content/workers-ai-models/llama-3.1-70b-instruct.json | 1 - src/content/workers-ai-models/llama-3.1-8b-instruct-fast.json | 1 - 2 files changed, 2 deletions(-) diff --git a/src/content/workers-ai-models/llama-3.1-70b-instruct.json b/src/content/workers-ai-models/llama-3.1-70b-instruct.json index 477593df273881..2b77283503f7f0 100644 --- a/src/content/workers-ai-models/llama-3.1-70b-instruct.json +++ b/src/content/workers-ai-models/llama-3.1-70b-instruct.json @@ -10,7 +10,6 @@ }, "tags": [], "properties": [ - { "property_id": "beta", "value": "true" }, { "property_id": "terms", "value": "https://github.com/meta-llama/llama-models/blob/main/models/llama3_1/LICENSE" diff --git a/src/content/workers-ai-models/llama-3.1-8b-instruct-fast.json b/src/content/workers-ai-models/llama-3.1-8b-instruct-fast.json index 19bb8d167044df..faed7b7e05148d 100644 --- a/src/content/workers-ai-models/llama-3.1-8b-instruct-fast.json +++ b/src/content/workers-ai-models/llama-3.1-8b-instruct-fast.json @@ -22,7 +22,6 @@ "properties": [ - { "property_id": "beta", "value": "true" }, { From f72511acb4d6beb7f68aac5442145e5eedb3d655 Mon Sep 17 00:00:00 2001 
From: Harshil Agrawal <18901032+harshil1712@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:31:47 +0100 Subject: [PATCH 025/129] Clarify overlapping event rules (#19130) * add note for overlapping event rules * clarify confliciting rules --- src/content/docs/r2/buckets/event-notifications.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/r2/buckets/event-notifications.mdx b/src/content/docs/r2/buckets/event-notifications.mdx index 8243543adafad9..12405763766669 100644 --- a/src/content/docs/r2/buckets/event-notifications.mdx +++ b/src/content/docs/r2/buckets/event-notifications.mdx @@ -232,3 +232,5 @@ Queue consumers receive notifications as [Messages](/queues/configuration/javasc ## Notes - Queues [per-queue message throughput](/queues/platform/limits/) is currently 5,000 messages per second. If your workload produces more than 5,000 notifications per second, we recommend splitting notification rules across multiple queues. +- Rules without prefix/suffix apply to all objects in the bucket. +- Overlapping or conflicting rules that could trigger multiple notifications for the same event are not allowed. For example, if you have an `object-create` (or `PutObject` action) rule without a prefix and suffix, then adding another `object-create` (or `PutObject` action) rule with a prefix like `images/` could trigger more than one notification for a single upload, which is invalid. From 9a6236669a1ecf2495dacb9098e9e691496973b0 Mon Sep 17 00:00:00 2001 From: Kian Date: Thu, 23 Jan 2025 16:25:44 +0000 Subject: [PATCH 026/129] [Docs Site] Add CompatibilityFlag component (#19376) --- src/components/CompatibilityFlag.astro | 32 +++++++++++++++++++ src/components/index.ts | 1 + .../components/compatibility-flag.mdx | 17 ++++++++++ 3 files changed, 50 insertions(+) create mode 100644 src/components/CompatibilityFlag.astro create mode 100644 src/content/docs/style-guide/components/compatibility-flag.mdx 
diff --git a/src/components/CompatibilityFlag.astro b/src/components/CompatibilityFlag.astro new file mode 100644 index 00000000000000..dc80b2878c5230 --- /dev/null +++ b/src/components/CompatibilityFlag.astro @@ -0,0 +1,32 @@ +--- +import { Aside } from "@astrojs/starlight/components"; +import { reference, getEntry } from "astro:content"; +import { z } from "astro:schema"; + +const props = z.object({ + flag: reference("compatibility-flags"), +}); + +const { flag } = await props.parseAsync(Astro.props); + +const { data } = await getEntry("compatibility-flags", flag.slug); + +const { enable_flag, enable_date } = data; +--- + + diff --git a/src/components/index.ts b/src/components/index.ts index a52dbcbc622eac..2e85b1a6cba551 100644 --- a/src/components/index.ts +++ b/src/components/index.ts @@ -7,6 +7,7 @@ export { Icon as AstroIcon } from "astro-icon/components"; // Custom components export { default as AnchorHeading } from "./AnchorHeading.astro"; export { default as AvailableNotifications } from "./AvailableNotifications.astro"; +export { default as CompatibilityFlag } from "./CompatibilityFlag.astro"; export { default as CompatibilityFlags } from "./CompatibilityFlags.astro"; export { default as Description } from "./Description.astro"; export { default as Details } from "./Details.astro"; diff --git a/src/content/docs/style-guide/components/compatibility-flag.mdx b/src/content/docs/style-guide/components/compatibility-flag.mdx new file mode 100644 index 00000000000000..ae0716693dd3f9 --- /dev/null +++ b/src/content/docs/style-guide/components/compatibility-flag.mdx 
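Review bot: In `src/components/CompatibilityFlag.astro`, the result of `getEntry("compatibility-flags", flag.slug)` is destructured straight away, so a flag name with no matching entry would surface as a destructuring TypeError instead of an error that names the flag. This holds unless `reference()` already rejects unknown names when `props.parseAsync` runs, which the hunk does not show. A guard keeps the build failure readable: `const entry = await getEntry("compatibility-flags", flag.slug);` followed by `if (!entry) throw new Error(`Unknown compatibility flag: ${flag.slug}`);`. The component's markup is not visible in this view, so how `enable_flag` and `enable_date` are rendered cannot be checked here.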
@@ -0,0 +1,17 @@ +--- +title: Compatibility flag +--- + +This component will create an aside with the `enable_date` (if present) and the `enable_flag` of a given flag. + +The flag must match the name of a file in the [`compatibility-flags` collection](https://github.com/cloudflare/cloudflare-docs/tree/production/src/content/compatibility-flags), without the file extension. + +## Component + +```mdx live +import { CompatibilityFlag } from "~/components"; + + + + +``` From 393fc3b76dfdd5e790315fe959e30c4c0a2334ab Mon Sep 17 00:00:00 2001 From: Kody Jackson Date: Thu, 23 Jan 2025 10:31:14 -0600 Subject: [PATCH 027/129] Add "AI" metadata to Browser Rendering (#19386) Update browser-rending.yaml to add grouping for AI products --- src/content/products/browser-rendering.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/content/products/browser-rendering.yaml b/src/content/products/browser-rendering.yaml index a82a262f484ae5..54fb4bc73e42ca 100644 --- a/src/content/products/browser-rendering.yaml +++ b/src/content/products/browser-rendering.yaml @@ -4,6 +4,7 @@ product: title: Browser Rendering url: /browser-rendering/ group: Developer platform + additional_groups: [AI] meta: title: Browser Rendering docs From e64b85be6eea94042e4d78e0d30bd1dd91a2101b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 23 Jan 2025 11:17:17 -0600 Subject: [PATCH 028/129] [DLP] Confidence levels for source code changelog entry (#19206) --- src/content/changelogs/dlp.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/content/changelogs/dlp.yaml b/src/content/changelogs/dlp.yaml index 3646f21e002c80..bfb3dea1ccbba7 100644 --- a/src/content/changelogs/dlp.yaml +++ b/src/content/changelogs/dlp.yaml 
@@ -5,6 +5,10 @@ productLink: "/cloudflare-one/policies/data-loss-prevention/" productArea: Cloudflare One productAreaLink: /cloudflare-one/changelog/ entries: + - publish_date: "2025-01-23" + title: Source code confidence levels + description: |- + DLP now supports setting a confidence level for [source code profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code). - publish_date: "2024-11-25" title: Profile confidence levels description: |- From 945ca5a4736b9589ee4f175ec1649774bd70a02d Mon Sep 17 00:00:00 2001 
From: Kian Date: Thu, 23 Jan 2025 17:42:52 +0000 Subject: [PATCH 029/129] [Docs Site] Refactor rehype plugins (#19360) * [Docs Site] Refactor rehype plugins * fix closing tag in anchorheading --- astro.config.ts | 119 +++------------ ec.config.mjs | 6 +- package-lock.json | 139 +----------------- package.json | 3 +- src/components/AnchorHeading.astro | 25 ++-- src/components/overrides/Sidebar.astro | 4 +- .../style-guide/components/anchor-heading.mdx | 11 +- .../docs/style-guide/formatting/footnotes.mdx | 2 - src/footnotes.css | 19 +++ src/kbd.css | 6 - src/littlefoot.css | 13 -- .../expressive-code/default-titles.js | 0 .../plugins}/expressive-code/output-frame.js | 0 .../expressive-code/workers-playground.js | 0 src/plugins/rehype/autolink-headings.ts | 39 +++++ src/plugins/rehype/external-links.ts | 19 +++ .../plugins}/rehype/heading-slugs.ts | 5 +- src/plugins/rehype/mermaid.ts | 89 +++++++++++ src/tooltips.css | 12 -- src/util/description.ts | 5 +- src/util/sidebar.ts | 23 +++ 21 files changed, 237 insertions(+), 302 deletions(-) create mode 100644 src/footnotes.css delete mode 100644 src/kbd.css delete mode 100644 src/littlefoot.css rename {plugins => src/plugins}/expressive-code/default-titles.js (100%) rename {plugins => src/plugins}/expressive-code/output-frame.js (100%) rename {plugins => src/plugins}/expressive-code/workers-playground.js (100%) create mode 100644 src/plugins/rehype/autolink-headings.ts create mode 100644 src/plugins/rehype/external-links.ts rename {plugins => src/plugins}/rehype/heading-slugs.ts (86%) create mode 100644 src/plugins/rehype/mermaid.ts delete mode 100644 src/tooltips.css diff --git a/astro.config.ts b/astro.config.ts index 1be914ecb79707..f0d9bf393ee5e1 100644 --- a/astro.config.ts +++ b/astro.config.ts 
@@ -4,71 +4,20 @@ import tailwind from "@astrojs/tailwind"; import starlightDocSearch from "@astrojs/starlight-docsearch"; import starlightImageZoom from "starlight-image-zoom"; import liveCode from "astro-live-code"; -import rehypeMermaid from "rehype-mermaid"; -import rehypeAutolinkHeadings, { - type Options as rehypeAutolinkHeadingsOptions, -} from "rehype-autolink-headings"; -import rehypeExternalLinks from "rehype-external-links"; import starlightLinksValidator from "starlight-links-validator"; -import { h } from "hastscript"; -import { readdir } from "fs/promises"; import icon from "astro-icon"; import sitemap from "@astrojs/sitemap"; import react from "@astrojs/react"; + import rehypeTitleFigure from "rehype-title-figure"; -import rehypeHeadingSlugs from "./plugins/rehype/heading-slugs"; +import rehypeMermaid from "./src/plugins/rehype/mermaid.ts"; +import rehypeAutolinkHeadings from "./src/plugins/rehype/autolink-headings.ts"; +import rehypeExternalLinks from "./src/plugins/rehype/external-links.ts"; +import rehypeHeadingSlugs from "./src/plugins/rehype/heading-slugs.ts"; -const runLinkCheck = process.env.RUN_LINK_CHECK || false; +import { sidebar } from "./src/util/sidebar.ts"; -async function autogenSections() { - const sections = ( - await readdir("./src/content/docs/", { - withFileTypes: true, - }) - ) - .filter((x) => x.isDirectory()) - .map((x) => x.name); - return sections.map((x) => { - return { - label: x, - autogenerate: { - directory: x, - collapsed: true, - }, - }; - }); -} -const AnchorLinkIcon = h( - "span", - { - ariaHidden: "true", - class: "anchor-icon", - }, - h( - "svg", - { - width: 16, - height: 16, - viewBox: "0 0 24 24", - }, - h("path", { - fill: "currentcolor", - d: "m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 
2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z", - }), - ), -); -const autolinkConfig: rehypeAutolinkHeadingsOptions = { - properties: { - class: "anchor-link", - }, - behavior: "after", - group: ({ tagName }) => - h("div", { - tabIndex: -1, - class: `heading-wrapper level-${tagName}`, - }), - content: () => [AnchorLinkIcon], -}; +const runLinkCheck = process.env.RUN_LINK_CHECK || false; // https://astro.build/config export default defineConfig({ @@ -76,28 +25,11 @@ export default defineConfig({ markdown: { smartypants: false, rehypePlugins: [ - [ - rehypeMermaid, - { - strategy: "pre-mermaid", - }, - ], - [ - rehypeExternalLinks, - { - content: { - type: "text", - value: " ↗", - }, - properties: { - target: "_blank", - }, - rel: ["noopener"], - }, - ], + rehypeMermaid, + rehypeExternalLinks, rehypeHeadingSlugs, - [rehypeAutolinkHeadings, autolinkConfig], - // @ts-expect-error TODO: fix types + rehypeAutolinkHeadings, + // @ts-expect-error plugins types are outdated but functional rehypeTitleFigure, ], }, @@ -116,29 +48,15 @@ export default defineConfig({ src: "./src/assets/logo.svg", }, favicon: "/favicon.png", - head: [ - { - tag: "meta", - attrs: { - name: "image", - content: "https://developers.cloudflare.com/cf-twitter-card.png", - }, - }, - { + head: ["image", "og:image", "twitter:image"].map((name) => { + return { tag: "meta", attrs: { - name: "og:image", + name, content: "https://developers.cloudflare.com/cf-twitter-card.png", }, - }, - { - tag: "meta", - attrs: { - name: "twitter:image", - content: "https://developers.cloudflare.com/cf-twitter-card.png", - }, - }, - ], + }; + }), social: { github: "https://github.com/cloudflare/cloudflare-docs", "x.com": "https://x.com/cloudflare", 
@@ -161,18 +79,17 @@ export default defineConfig({ SkipLink: "./src/components/overrides/SkipLink.astro", TableOfContents: "./src/components/overrides/TableOfContents.astro", }, - sidebar: await autogenSections(), + sidebar, customCss: [ "./src/asides.css", "./src/code.css", + "./src/footnotes.css", "./src/headings.css", "./src/input.css", - "./src/littlefoot.css", "./src/mermaid.css", "./src/table.css", "./src/tailwind.css", "./src/title.css", - "./src/tooltips.css", ], pagination: false, plugins: [ diff --git a/ec.config.mjs b/ec.config.mjs index 2d24023b4f653a..e68681f1ac852b 100644 --- a/ec.config.mjs +++ b/ec.config.mjs @@ -2,9 +2,9 @@ import darkTheme from "solarflare-theme/themes/cloudflare-dark-color-theme.json" with { type: "json" }; import lightTheme from "solarflare-theme/themes/cloudflare-light-color-theme.json" with { type: "json" }; -import pluginWorkersPlayground from "./plugins/expressive-code/workers-playground.js"; -import pluginOutputFrame from "./plugins/expressive-code/output-frame.js"; -import pluginDefaultTitles from "./plugins/expressive-code/default-titles.js"; +import pluginWorkersPlayground from "./src/plugins/expressive-code/workers-playground.js"; +import pluginOutputFrame from "./src/plugins/expressive-code/output-frame.js"; +import pluginDefaultTitles from "./src/plugins/expressive-code/default-titles.js"; import { pluginCollapsibleSections } from "@expressive-code/plugin-collapsible-sections"; diff --git a/package-lock.json b/package-lock.json index dce2df925b16a8..3e95cc2df14de4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -55,7 +55,6 @@ "mdast-util-mdx-expression": "2.0.1", "mermaid": "11.4.1", "node-html-parser": "7.0.1", - "playwright": "1.49.1", "prettier": "3.4.2", "prettier-plugin-astro": "0.14.1", "prettier-plugin-tailwindcss": "0.6.9", 
@@ -65,9 +64,9 @@ "react-dom": "19.0.0", "react-markdown": "9.0.3", "redirects-in-workers": "0.0.5", + "rehype": "13.0.2", "rehype-autolink-headings": "7.1.0", "rehype-external-links": "3.0.0", - "rehype-mermaid": "3.0.0", "rehype-title-figure": "0.1.2", "remark": "15.0.1", "sharp": "0.33.5", @@ -3186,16 +3185,6 @@ "node": ">=14" } }, - "node_modules/@fortawesome/fontawesome-free": { - "version": "6.7.2", - "resolved": "https://registry.npmjs.org/@fortawesome/fontawesome-free/-/fontawesome-free-6.7.2.tgz", - "integrity": "sha512-JUOtgFW6k9u4Y+xeIaEiLr3+cjoUPiAuLXoyKOJSia6Duzb7pq+A76P9ZdPDoAoxHdHzq6gE9/jKBGXlZT8FbA==", - "dev": true, - "license": "(CC-BY-4.0 AND OFL-1.1 AND MIT)", - "engines": { - "node": ">=6" - } - }, "node_modules/@humanfs/core": { "version": "0.19.1", "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz", @@ -11617,22 +11606,6 @@ "url": "https://opencollective.com/unified" } }, - "node_modules/hast-util-from-dom": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/hast-util-from-dom/-/hast-util-from-dom-5.0.1.tgz", - "integrity": "sha512-N+LqofjR2zuzTjCPzyDUdSshy4Ma6li7p/c3pA78uTwzFgENbgbUrm2ugwsOdcjI1muO+o6Dgzp9p8WHtn/39Q==", - "dev": true, - "license": "ISC", - "dependencies": { - "@types/hast": "^3.0.0", - "hastscript": "^9.0.0", - "web-namespaces": "^2.0.0" - }, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/unified" - } - }, "node_modules/hast-util-from-html": { "version": "2.0.3", "resolved": "https://registry.npmjs.org/hast-util-from-html/-/hast-util-from-html-2.0.3.tgz", 
@@ -11652,23 +11625,6 @@ "url": "https://opencollective.com/unified" } }, - "node_modules/hast-util-from-html-isomorphic": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/hast-util-from-html-isomorphic/-/hast-util-from-html-isomorphic-2.0.0.tgz", - "integrity": "sha512-zJfpXq44yff2hmE0XmwEOzdWin5xwH+QIhMLOScpX91e/NSGPsAzNCvLQDIEPyO2TXi+lBmU6hjLIhV8MwP2kw==", - "dev": true, - "license": "MIT", - "dependencies": { - "@types/hast": "^3.0.0", - "hast-util-from-dom": "^5.0.0", - "hast-util-from-html": "^2.0.0", - "unist-util-remove-position": "^5.0.0" - }, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/unified" - } - }, "node_modules/hast-util-from-parse5": { "version": "8.0.2", "resolved": "https://registry.npmjs.org/hast-util-from-parse5/-/hast-util-from-parse5-8.0.2.tgz", @@ -13897,28 +13853,6 @@ "uuid": "^9.0.1" } }, - "node_modules/mermaid-isomorphic": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/mermaid-isomorphic/-/mermaid-isomorphic-3.0.0.tgz", - "integrity": "sha512-6RBUQD0ZWzBHO4KZ8JMK3a/lNL7383N6K4nXzOdA2Ylnhz34qC8Nls2ZgOJVjGuB9Iq1bP61XKE0K/fNOD2n6g==", - "dev": true, - "license": "MIT", - "dependencies": { - "@fortawesome/fontawesome-free": "^6.0.0", - "mermaid": "^11.0.0" - }, - "funding": { - "url": "https://github.com/sponsors/remcohaszing" - }, - "peerDependencies": { - "playwright": "1" - }, - "peerDependenciesMeta": { - "playwright": { - "optional": true - } - } - }, "node_modules/mermaid/node_modules/marked": { "version": "13.0.3", "resolved": "https://registry.npmjs.org/marked/-/marked-13.0.3.tgz", 
@@ -14782,16 +14716,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/mini-svg-data-uri": { - "version": "1.4.4", - "resolved": "https://registry.npmjs.org/mini-svg-data-uri/-/mini-svg-data-uri-1.4.4.tgz", - "integrity": "sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg==", - "dev": true, - "license": "MIT", - "bin": { - "mini-svg-data-uri": "cli.js" - } - }, "node_modules/miniflare": { "version": "3.20241230.1", "resolved": "https://registry.npmjs.org/miniflare/-/miniflare-3.20241230.1.tgz", @@ -15913,38 +15837,6 @@ "dev": true, "license": "MIT" }, - "node_modules/playwright": { - "version": "1.49.1", - "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.49.1.tgz", - "integrity": "sha512-VYL8zLoNTBxVOrJBbDuRgDWa3i+mfQgDTrL8Ah9QXZ7ax4Dsj0MSq5bYgytRnDVVe+njoKnfsYkH3HzqVj5UZA==", - "dev": true, - "license": "Apache-2.0", - "dependencies": { - "playwright-core": "1.49.1" - }, - "bin": { - "playwright": "cli.js" - }, - "engines": { - "node": ">=18" - }, - "optionalDependencies": { - "fsevents": "2.3.2" - } - }, - "node_modules/playwright-core": { - "version": "1.49.1", - "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.49.1.tgz", - "integrity": "sha512-BzmpVcs4kE2CH15rWfzpjzVGhWERJfmnXmniSyKeRZUs9Ws65m+RGIi7mjJK/euCegfn3i7jvqWeWyHe9y3Vgg==", - "dev": true, - "license": "Apache-2.0", - "bin": { - "playwright-core": "cli.js" - }, - "engines": { - "node": ">=18" - } - }, "node_modules/points-on-curve": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/points-on-curve/-/points-on-curve-0.2.0.tgz", 
@@ -17046,35 +16938,6 @@ "url": "https://opencollective.com/unified" } }, - "node_modules/rehype-mermaid": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/rehype-mermaid/-/rehype-mermaid-3.0.0.tgz", - "integrity": "sha512-fxrD5E4Fa1WXUjmjNDvLOMT4XB1WaxcfycFIWiYU0yEMQhcTDElc9aDFnbDFRLxG1Cfo1I3mfD5kg4sjlWaB+Q==", - "dev": true, - "license": "MIT", - "dependencies": { - "@types/hast": "^3.0.0", - "hast-util-from-html-isomorphic": "^2.0.0", - "hast-util-to-text": "^4.0.0", - "mermaid-isomorphic": "^3.0.0", - "mini-svg-data-uri": "^1.0.0", - "space-separated-tokens": "^2.0.0", - "unified": "^11.0.0", - "unist-util-visit-parents": "^6.0.0", - "vfile": "^6.0.0" - }, - "funding": { - "url": "https://github.com/sponsors/remcohaszing" - }, - "peerDependencies": { - "playwright": "1" - }, - "peerDependenciesMeta": { - "playwright": { - "optional": true - } - } - }, "node_modules/rehype-parse": { "version": "9.0.1", "resolved": "https://registry.npmjs.org/rehype-parse/-/rehype-parse-9.0.1.tgz", diff --git a/package.json b/package.json index 4a58ac67daceaf..a5d6d5a58b0c34 100644 --- a/package.json +++ b/package.json @@ -74,7 +74,6 @@ "mdast-util-mdx-expression": "2.0.1", "mermaid": "11.4.1", "node-html-parser": "7.0.1", - "playwright": "1.49.1", "prettier": "3.4.2", "prettier-plugin-astro": "0.14.1", "prettier-plugin-tailwindcss": "0.6.9", @@ -84,9 +83,9 @@ "react-dom": "19.0.0", "react-markdown": "9.0.3", "redirects-in-workers": "0.0.5", + "rehype": "13.0.2", "rehype-autolink-headings": "7.1.0", "rehype-external-links": "3.0.0", - "rehype-mermaid": "3.0.0", "rehype-title-figure": "0.1.2", "remark": "15.0.1", "sharp": "0.33.5", diff --git a/src/components/AnchorHeading.astro b/src/components/AnchorHeading.astro index e33fb6e58e58a7..8d9b9849cb0af7 100644 --- a/src/components/AnchorHeading.astro +++ b/src/components/AnchorHeading.astro 
@@ -3,6 +3,9 @@ import { z } from "astro:schema"; import { marked } from "marked"; import { slug as GithubSlug } from "github-slugger"; +import { rehype } from "rehype"; +import rehypeAutoLinkHeadings from "~/plugins/rehype/autolink-headings"; + type Props = z.infer; const props = z.object({ @@ -15,19 +18,13 @@ const { title, slug, depth } = props.parse(Astro.props); const slugified = GithubSlug(slug ?? title); -const Heading = `h${depth}` as "h1" | "h2" | "h3" | "h4" | "h5" | "h6"; +const tag = `h${depth}` as "h1" | "h2" | "h3" | "h4" | "h5" | "h6"; + +const file = await rehype() + .use(rehypeAutoLinkHeadings) + .process(`<${tag} id=${slugified}>${marked.parseInline(title)}`); + +const html = file.toString(); --- - + diff --git a/src/components/overrides/Sidebar.astro b/src/components/overrides/Sidebar.astro index e470eccd9403c8..c94f3bfae50d31 100644 --- a/src/components/overrides/Sidebar.astro +++ b/src/components/overrides/Sidebar.astro @@ -7,6 +7,8 @@ import { getEntry } from "astro:content"; import { Badge } from "@astrojs/starlight/components"; import type { ComponentProps, HTMLAttributes } from "astro/types"; +import { rehypeExternalLinksOptions } from "~/plugins/rehype/external-links"; + const { sidebar, slug } = Astro.props; interface Link { @@ -134,7 +136,7 @@ async function handleLink(link: Link): Promise { if (frontmatter.external_link) { return { ...link, - label: link.label.concat(" ↗"), + label: link.label.concat(rehypeExternalLinksOptions.content.value), href: frontmatter.external_link, badge: frontmatter.external_link.startsWith("/api") ? { diff --git a/src/content/docs/style-guide/components/anchor-heading.mdx b/src/content/docs/style-guide/components/anchor-heading.mdx index 64b7a3d2110246..90b2ff1ab0c817 100644 --- a/src/content/docs/style-guide/components/anchor-heading.mdx +++ b/src/content/docs/style-guide/components/anchor-heading.mdx 
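Review bot: In `src/components/AnchorHeading.astro`, the heading is now built by interpolating `tag`, `slugified` and the output of `marked.parseInline(title)` into an HTML string, and the `id` attribute is written unquoted (`id=${slugified}`). github-slugger output is normally attribute-safe, but quoting it as `<${tag} id="${slugified}">` removes the dependency on that. `marked` passes inline HTML in `title` through unchanged, so a comment stating that `title` must come only from trusted page source would record the assumption; the line that renders `html` is not visible in this view. Separately, `rehype()` parses its input as a full document unless told otherwise, so `rehype().data("settings", { fragment: true })` would keep the output to the heading fragment.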
@@ -19,14 +19,9 @@ Markdown files (including partials) have this behavior by default, applied via r To override the ID given to a heading within Markdown, add an MDX comment at the end of the line: -```mdx -# foo {/*bar*/} -``` - -It will result in the following HTML: - -```html -foo +```mdx live +## foo {/*bar*/} +{/* HTML:

foo

*/} ``` :::note diff --git a/src/content/docs/style-guide/formatting/footnotes.mdx b/src/content/docs/style-guide/formatting/footnotes.mdx index 72117516a4565f..8a3b560070b227 100644 --- a/src/content/docs/style-guide/formatting/footnotes.mdx +++ b/src/content/docs/style-guide/formatting/footnotes.mdx @@ -5,6 +5,4 @@ title: Footnotes Footnotes are useful when you want to provide additional context about an item but that context would greatly distract from the flow of reading through the document (legal disclaimers, pricing, etc.). -We use [https://littlefoot.js.org/](https://littlefoot.js.org/), which helps us render fancy footnotes in context of what you are talking about (and also are much better for mobile). - To implement footnotes, use standard [markdown footnote formatting](https://github.blog/changelog/2021-09-30-footnotes-now-supported-in-markdown-fields/). You can also see an example in the [Load Balancing documentation](https://github.com/cloudflare/cloudflare-docs/blob/production/src/content/docs/load-balancing/additional-options/spectrum.mdx?plain=1#L42). diff --git a/src/footnotes.css b/src/footnotes.css new file mode 100644 index 00000000000000..c53ff3d6aafa13 --- /dev/null +++ b/src/footnotes.css @@ -0,0 +1,19 @@ +.footnote { + font-size: 0.75rem; + line-height: 1rem; + color: var(--sl-color-accent); + font-weight: 600; + padding: 0.25rem; + margin: -0.25rem; +} + +.data-footnote-backref { + display: none; +} + +.tippy-box { + background-color: var(--sl-color-bg-nav); + border-color: var(--sl-color-text); + border: 0.1em solid; + color: var(--sl-color-white); +} diff --git a/src/kbd.css b/src/kbd.css deleted file mode 100644 index 6dc8fc7ba9f973..00000000000000 --- a/src/kbd.css +++ /dev/null @@ -1,6 +0,0 @@ -kbd { - border: 1px solid rgb(251 146 60); - border-radius: 0.25rem; - background-color: rgb(251 146 60 / 0.1); - padding: 0.1rem; -} 
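Review bot: In `src/footnotes.css`, the `.tippy-box` rule declares `border-color: var(--sl-color-text)` and then `border: 0.1em solid`; the `border` shorthand resets the colour, so the earlier declaration has no effect and the border falls back to the element's `color`. Either move `border-color` after the shorthand or fold it in: `border: 0.1em solid var(--sl-color-text);`.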
diff --git a/src/littlefoot.css b/src/littlefoot.css deleted file mode 100644 index c03bac3fd397da..00000000000000 --- a/src/littlefoot.css +++ /dev/null @@ -1,13 +0,0 @@ -.littlefoot { - --popover-font-family: var(--sl-font-system); - --popover-background-color: var(--sl-color-bg); - --popover-text-color: var(--sl-color-white); -} - -.littlefoot__content > p > a { - color: var(--sl-color-text-accent); -} - -.data-footnote-backref { - display: none; -} diff --git a/plugins/expressive-code/default-titles.js b/src/plugins/expressive-code/default-titles.js similarity index 100% rename from plugins/expressive-code/default-titles.js rename to src/plugins/expressive-code/default-titles.js diff --git a/plugins/expressive-code/output-frame.js b/src/plugins/expressive-code/output-frame.js similarity index 100% rename from plugins/expressive-code/output-frame.js rename to src/plugins/expressive-code/output-frame.js diff --git a/plugins/expressive-code/workers-playground.js b/src/plugins/expressive-code/workers-playground.js similarity index 100% rename from plugins/expressive-code/workers-playground.js rename to src/plugins/expressive-code/workers-playground.js diff --git a/src/plugins/rehype/autolink-headings.ts b/src/plugins/rehype/autolink-headings.ts new file mode 100644 index 00000000000000..4fd5baa6e047cf --- /dev/null +++ b/src/plugins/rehype/autolink-headings.ts 
@@ -0,0 +1,39 @@
+import rehypeAutolinkHeadings, { type Options } from "rehype-autolink-headings";
+import { h } from "hastscript";
+
+export const rehypeAutolinkHeadingsOptions = {
+ properties: {
+ class: "anchor-link",
+ },
+ behavior: "after",
+ group: ({ tagName }: { tagName: string }) =>
+ h("div", {
+ tabIndex: -1,
+ class: `heading-wrapper level-${tagName}`,
+ }),
+ content: () => [AnchorLinkIcon],
+} as const satisfies Options;
+
+const AnchorLinkIcon = h(
+ "span",
+ {
+ ariaHidden: "true",
+ class: "anchor-icon",
+ },
+ h(
+ "svg",
+ {
+ width: 16,
+ height: 16,
+ viewBox: "0 0 24 24",
+ },
+ h("path", {
+ fill: "currentcolor",
+ d: "m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z",
+ }),
+ ),
+);
+
+export default function () {
+ return rehypeAutolinkHeadings(rehypeAutolinkHeadingsOptions);
+}
diff --git a/src/plugins/rehype/external-links.ts b/src/plugins/rehype/external-links.ts
new file mode 100644
index 00000000000000..68039f18f0fc91
--- /dev/null
+++ b/src/plugins/rehype/external-links.ts
@@ -0,0 +1,19 @@
+import rehypeExternalLinks, { type Options } from "rehype-external-links";
+
+export const rehypeExternalLinksOptions = {
+ content: {
+ type: "text",
+ value: " ↗",
+ },
+ contentProperties: {
+ class: "external-link",
+ },
+ properties: {
+ target: "_blank",
+ },
+ rel: ["noopener"],
+} as const satisfies Options;
+
+export default function () {
+ return rehypeExternalLinks(rehypeExternalLinksOptions);
+}
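Review bot: In `src/plugins/rehype/external-links.ts`, `rel: ["noopener"]` is the explicit guard that stops pages opened through `target: "_blank"` from reaching back through `window.opener`, yet nothing in the options object says the two settings belong together. I would add a comment above `rel`, `// keep "noopener" while target is "_blank": it blocks reverse tabnabbing`, so a later edit does not drop one without the other. Setting `rel` explicitly also replaces whatever default the plugin would otherwise apply (I believe `nofollow`), which is worth confirming as intended. `noreferrer` is left out, so the destination still receives a referrer, subject to the site's referrer policy.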
diff --git a/plugins/rehype/heading-slugs.ts b/src/plugins/rehype/heading-slugs.ts similarity index 86% rename from plugins/rehype/heading-slugs.ts rename to src/plugins/rehype/heading-slugs.ts index 232afaea962201..f20e250d175c42 100644 --- a/plugins/rehype/heading-slugs.ts +++ b/src/plugins/rehype/heading-slugs.ts @@ -1,6 +1,7 @@ import { toString } from "hast-util-to-string"; import { visit } from "unist-util-visit"; import GithubSlugger from "github-slugger"; +import { rehypeExternalLinksOptions } from "./external-links"; import type { Root } from "hast"; import type { MdxTextExpression } from "mdast-util-mdx-expression"; @@ -31,7 +32,9 @@ export default function () { } } else { if (!element.properties.id) { - const string = toString(element).replaceAll(" ↗", "").trimEnd(); + const string = toString(element) + .replaceAll(rehypeExternalLinksOptions.content.value, "") + .trimEnd(); element.properties.id = slugs.slug(string); } diff --git a/src/plugins/rehype/mermaid.ts b/src/plugins/rehype/mermaid.ts new file mode 100644 index 00000000000000..fd1d17d50c8711 --- /dev/null +++ b/src/plugins/rehype/mermaid.ts 
@@ -0,0 +1,89 @@
+/**
+ * Taken from https://github.com/remcohaszing/rehype-mermaid
+ * to only support the "pre-mermaid" strategy.
+ */
+
+import { visitParents } from "unist-util-visit-parents";
+import type { Root, Element } from "hast";
+import { parse } from "space-separated-tokens";
+import { toText } from "hast-util-to-text";
+
+interface CodeInstance {
+ diagram: string;
+ ancestors: Element[];
+}
+
+const nonWhitespacePattern = /\w/;
+
+function isMermaidElement(element: Element): boolean {
+ let mermaidClassName: string;
+
+ if (element.tagName === "code") {
+ mermaidClassName = "language-mermaid";
+ } else {
+ return false;
+ }
+
+ let className = element.properties?.className;
+ if (typeof className === "string") {
+ className = parse(className);
+ }
+
+ if (!Array.isArray(className)) {
+ return false;
+ }
+
+ return className.includes(mermaidClassName);
+}
+
+export default function () {
+ return function (tree: Root) {
+ const instances: CodeInstance[] = [];
+
+ visitParents(tree, "element", (node, ancestors) => {
+ if (!isMermaidElement(node)) {
+ return;
+ }
+
+ const parent = ancestors.at(-1)!;
+ let inclusiveAncestors = ancestors as Element[];
+
+ if (parent.type === "element" && parent.tagName === "pre") {
+ for (const child of parent.children) {
+ if (child.type === "text") {
+ if (nonWhitespacePattern.test(child.value)) {
+ return;
+ }
+ } else if (child !== node) {
+ return;
+ }
+ }
+ } else {
+ inclusiveAncestors = [...inclusiveAncestors, node];
+ }
+
+ instances.push({
+ diagram: toText(node, { whitespace: "pre" }),
+ ancestors: inclusiveAncestors,
+ });
+ });
+
+ if (!instances.length) {
+ return;
+ }
+
+ for (const { ancestors, diagram } of instances) {
+ const parent = ancestors.at(-2)!;
+ const node = ancestors.at(-1)!;
+
+ parent.children[parent.children.indexOf(node)] = {
+ type: "element",
+ tagName: "pre",
+ properties: {
+ className: ["mermaid"],
+ },
+ children: [{ type: "text", value: diagram }],
+ };
+ }
+ };
+}
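Review bot: `nonWhitespacePattern` is declared as `/\w/`, which matches word characters rather than non-whitespace, so a text sibling inside the `<pre>` that holds only punctuation passes the sibling check and is discarded when the whole `<pre>` is replaced. If the intent is "only whitespace may sit beside the `<code>`", `const nonWhitespacePattern = /\S/;` matches the name; if the upstream behaviour is kept on purpose, a comment saying so would help. The replacement index comes from `parent.children.indexOf(node)` with no check for `-1`, so a short comment noting why the node is always found would make the non-null assertions easier to trust. The diagram source is re-inserted as a `text` node, so it is escaped on serialisation; how strictly the client-side Mermaid renderer treats that text (its `securityLevel` setting) is configured outside this hunk and is worth confirming.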
diff --git a/src/tooltips.css b/src/tooltips.css deleted file mode 100644 index fb22d581fcfec4..00000000000000 --- a/src/tooltips.css +++ /dev/null @@ -1,12 +0,0 @@ -@tailwind utilities; - -.footnote { - @apply text-xs !text-[--sl-color-accent] font-semibold p-1 -m-1; -} - -.tippy-box { - background-color: var(--sl-color-bg-nav); - border-color: var(--sl-color-text); - border: 0.1em solid; - color: var(--sl-color-white); -} diff --git a/src/util/description.ts b/src/util/description.ts index c694583bbb3aad..625fcca4661774 100644 --- a/src/util/description.ts +++ b/src/util/description.ts @@ -4,6 +4,7 @@ import { entryToString } from "./container"; import { remark } from "remark"; import strip from "strip-markdown"; import he from "he"; +import { rehypeExternalLinksOptions } from "~/plugins/rehype/external-links"; /** * Generates a plain-text description for use in the `description` and `og:description` meta tags. @@ -33,5 +34,7 @@ export async function getPageDescription( if (paragraph) description = he.decode(paragraph.innerText); } - return description?.replaceAll(" ↗", "").trim(); + return description + ?.replaceAll(rehypeExternalLinksOptions.content.value, "") + .trim(); } diff --git a/src/util/sidebar.ts b/src/util/sidebar.ts index ab2cb411c0610c..5b0a295538af8d 100644 --- a/src/util/sidebar.ts +++ b/src/util/sidebar.ts @@ -1,3 +1,5 @@ +import { readdir } from "fs/promises"; + export function sortBySidebarOrder(a: any, b: any): number { const collator = new Intl.Collator("en"); 
@@ -6,3 +8,24 @@ export function sortBySidebarOrder(a: any, b: any): number { return collator.compare(a.data.title, b.data.title); } + +async function autogenSections() { + const sections = ( + await readdir("./src/content/docs/", { + withFileTypes: true, + }) + ) + .filter((x) => x.isDirectory()) + .map((x) => x.name); + return sections.map((x) => { + return { + label: x, + autogenerate: { + directory: x, + collapsed: true, + }, + }; + }); +} + +export const sidebar = await autogenSections(); From 3050f5149c974e8db2786929bc2df3b9f372502d Mon Sep 17 00:00:00 2001 From: Kian Date: Thu, 23 Jan 2025 17:43:14 +0000 Subject: [PATCH 030/129] [Docs Site] Override ws in @cloudflare/puppeteer to fix vulnerability (#19349) --- package-lock.json | 72 ++--------------------------------------------- package.json | 5 ++++ 2 files changed, 8 insertions(+), 69 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3e95cc2df14de4..68a1c9c02feb74 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14756,28 +14756,6 @@ "node": ">=14.0" } }, - "node_modules/miniflare/node_modules/ws": { - "version": "8.18.0", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz", - "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=10.0.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": ">=5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/minimatch": { "version": "9.0.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", 
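Review bot: `autogenSections` in `src/util/sidebar.ts` maps the directory names in whatever order `readdir` returns them, and that order is not documented as sorted, so the generated sidebar can differ between a developer machine and the CI runner. Sorting before mapping, `.map((x) => x.name).sort()`, makes the output deterministic. The path `"./src/content/docs/"` is resolved against the process working directory rather than this file, and because `export const sidebar = await autogenSections();` runs at module load, a build started from another directory fails on import with a filesystem error and no context. A doc comment on the function stating both assumptions would be enough if the behaviour is intended.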
@@ -16426,28 +16404,6 @@ "bare-path": "^3.0.0" } }, - "node_modules/puppeteer-core/node_modules/ws": { - "version": "8.18.0", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz", - "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=10.0.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": ">=5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/puppeteer-core/node_modules/zod": { "version": "3.23.8", "resolved": "https://registry.npmjs.org/zod/-/zod-3.23.8.tgz", @@ -22367,28 +22323,6 @@ "node": ">=14.0" } }, - "node_modules/wrangler/node_modules/ws": { - "version": "8.18.0", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz", - "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=10.0.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": ">=5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/wrap-ansi": { "version": "9.0.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-9.0.0.tgz", @@ -22495,9 +22429,9 @@ "license": "ISC" }, "node_modules/ws": { - "version": "8.13.0", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.13.0.tgz", - "integrity": "sha512-x9vcZYTrFPC7aSIbj7sRCYo7L/Xb8Iy+pW0ng0wt2vCJv7M9HOMy0UoN3rr+IFC7hb7vXoqS+P9ktyLLLhO+LA==", + "version": "8.18.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz", + "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==", "dev": true, "license": "MIT", "engines": { 
diff --git a/package.json b/package.json index a5d6d5a58b0c34..f736454641c78a 100644 --- a/package.json +++ b/package.json @@ -105,6 +105,11 @@ "vitest": "2.1.8", "wrangler": "3.103.2" }, + "overrides": { + "@cloudflare/puppeteer": { + "ws": "8.18.0" + } + }, "engines": { "node": ">=22" }, From a5461ffead9f273d504b51806fe8c2a96865c8a3 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:52:00 -0500 Subject: [PATCH 031/129] API placeholder guidelines (#19387) --- .../guidelines-for-curl-commands.mdx | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/src/content/docs/style-guide/api-content-strategy/guidelines-for-curl-commands.mdx b/src/content/docs/style-guide/api-content-strategy/guidelines-for-curl-commands.mdx index 288358e9f74188..1f6cb2b69f8cee 100644 --- a/src/content/docs/style-guide/api-content-strategy/guidelines-for-curl-commands.mdx +++ b/src/content/docs/style-guide/api-content-strategy/guidelines-for-curl-commands.mdx @@ -6,7 +6,7 @@ sidebar: --- -Use long parameter names, like in the [API reference documentation](/api/), for clarity: +Use long parameter names for clarity: * `--header` (instead of `-H`) * `--request` (when needed, instead of `-X`) 
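Review bot: The new `overrides` entry in `package.json` pins `ws` to the exact version `8.18.0` for `@cloudflare/puppeteer`, but neither the hunk nor the commit message records which advisory it addresses or when the override can be removed. An exact pin keeps this dependency at 8.18.0 even after `@cloudflare/puppeteer` ships its own fix or `ws` publishes a later patch release. Since JSON cannot carry a comment, I would name the advisory in the commit description and open a tracking item to drop the override. Running `npm ls ws` after install confirms that no older copy remains in the tree; the lockfile hunks in this commit suggest the copy previously resolved to 8.13.0 now resolves to 8.18.0.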
@@ -33,7 +33,7 @@ If you must suggest the use of this tool, you can add a link to the [Make API ca ### Preliminary notes * Make sure not to use typographical or smart quotes in a cURL command, or the command will fail. -* Placeholders in the URL should follow the same format as in the API documentation: `{zone_id}` +* Placeholders in the URL should follow the same format as in the API documentation: `$ZONE_ID` * Placeholders in the request body (that is, the data included in a `POST`/`PUT`/`PATCH` request) should use this format: `` The same placeholder name should correspond to the same value – use different placeholder names for different ID values. You can use the same request placeholders in the response, if they should match the values in the request. @@ -43,19 +43,19 @@ The same placeholder name should correspond to the same value – use different If using Email + API Key authentication, include the following arguments in the cURL command to add the two required HTTP headers to the request: ```txt ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ +--header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ ``` :::note -Ending slashes included to facilitate copy and paste. Do not include the last slash if this is the last line of the cURL command. +Ending slashes included to facilitate copy and paste. Do not include the last slash if this is the last line of the cURL command. ::: If using API Token (the preferred authentication method), include the following arguments in the cURL command to add the required HTTP header to the request: ```txt ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ``` ### Request without body content (`GET`, `DELETE`) 
@@ -66,12 +66,12 @@ For `GET` requests, do not include the `--request GET` command-line argument, si ```txt curl {full_url_with_placeholders} \ ---header "Authorization: Bearer " +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` ```bash title="Example" -curl https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/rules \ ---header "Authorization: Bearer " +curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/firewall/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### `DELETE` request template @@ -79,7 +79,7 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/rules \ ```txt curl --request DELETE \ {full_url_with_placeholders} \ ---header "Authorization: Bearer " +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` Requests without a body do not need syntax highlight, but we use `bash` syntax highlighting to highlight the several delimited strings. @@ -96,7 +96,7 @@ For `POST` requests with a body, do not include the `--request POST` command-lin ```txt curl {full_url_with_placeholders} \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '({|[) (...JSON content, pretty printed, using 2-space indents...) @@ -104,8 +104,8 @@ curl {full_url_with_placeholders} \ ``` ```bash title="Example" -curl https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/rules \ ---header "Authorization: Bearer " \ +curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/firewall/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '[ { 
@@ -123,7 +123,7 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/rules \ ```txt curl --request (PUT/PATCH) \ {full_url_with_placeholders} \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '({|[) (...JSON content, pretty printed, using 2-space indents...) @@ -141,8 +141,8 @@ The recommended way of escaping a single quote inside the body is the following Which means "close string, add escaped single quote, begin string again". ```bash title="Example" -curl https://api.cloudflare.com/api/v4/zones/{zone_id}/page_shield/policies \ ---header "Authorization: Bearer " \ +curl https://api.cloudflare.com/api/v4/zones/$ZONE_ID/page_shield/policies \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "value": "script-src myapp.example.com cdnjs.cloudflare.com https://www.google-analytics.com/analytics.js '\''self'\''" @@ -156,7 +156,7 @@ If you have a `POST` request without a body, you must add the `--request POST` a ```txt curl --request POST \ {full_url_with_placeholders} \ ---header "Authorization: Bearer " +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` ### Additional information @@ -166,8 +166,8 @@ Code blocks with example requests that include a JSON body should use `bash` syn ### Full request example ```bash -curl https://api.cloudflare.com/api/v4/zones/{zone_id}/page_shield/policies \ ---header "Authorization: Bearer " \ +curl https://api.cloudflare.com/api/v4/zones/$ZONE_ID/page_shield/policies \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "description": "My first policy in log mode", From 040e3c50fbfa40a780e7867dbd6f0bc00bfcde9e Mon Sep 17 00:00:00 2001 
From: Kian Date: Thu, 23 Jan 2025 17:58:56 +0000 Subject: [PATCH 032/129] [Docs Site] Various changelog improvements (#19362) * [Docs Site] Various changelog improvements * open rss feed link in new tab --- src/components/ProductChangelog.astro | 31 +++++++---- src/pages/changelog/index.astro | 74 ++++++++++++++------------- src/util/changelogs.ts | 2 +- 3 files changed, 60 insertions(+), 47 deletions(-) diff --git a/src/components/ProductChangelog.astro b/src/components/ProductChangelog.astro index 715709ccdd42ff..72aed0cca49416 100644 --- a/src/components/ProductChangelog.astro +++ b/src/components/ProductChangelog.astro @@ -65,6 +65,15 @@ if (!changelogs) { } --- +{ + page.data.pcx_content_type === "changelog" && ( +

+ + Subscribe to RSS + +

+ ) +} { changelogs.map(([date, entries]) => (
@@ -104,16 +113,18 @@ if (!changelogs) { } else { description = marked.parse(entry.description as string); return ( - -
- {page.data.changelog_product_area_name && ( -

- {entry.product} -

- )} - {entry.title && {entry.title}} - {} -
+ <> + +
+ {page.data.changelog_product_area_name && ( +

+ {entry.product} +

+ )} + {entry.title && {entry.title}} + {} +
+ ); } })} diff --git a/src/pages/changelog/index.astro b/src/pages/changelog/index.astro index 39a2d3926549fe..d9a83a25ef0d8b 100644 --- a/src/pages/changelog/index.astro +++ b/src/pages/changelog/index.astro @@ -4,6 +4,7 @@ import { Aside } from "~/components"; import { marked } from "marked"; import { format } from "date-fns"; import { getChangelogs } from "~/util/changelogs"; +import { getEntry } from "astro:content"; const { products, productAreas, changelogs } = await getChangelogs(); --- @@ -52,42 +53,43 @@ const { products, productAreas, changelogs } = await getChangelogs();

{format(date, "do MMMM yyyy")}

- {entries?.map((entry) => ( -
-

- {entry.product} -

- {["WAF", "DDoS protection"].includes(entry.product) && ( -

- )} - {entry.title && ( -

- )} - {["WAF", "DDoS protection"].includes(entry.product) ? ( -

- ) : ( -

- )} -

- ))} + {entries?.map(async (entry) => { + let title = entry.title; + let description = entry.description || ""; + + if (entry.individual_page) { + const page = await getEntry( + "docs", + entry.individual_page.slice(1, -1), + ); + + if (!page) { + throw new Error( + `[Changelog] Unable to load page ${entry.individual_page}.`, + ); + } + + title = `${entry.product} - ${page.data.title}`; + description = `For more details, refer to the dedicated page for [${title}](${entry.individual_page}).`; + } + + return ( +
+

+ {entry.product} +

+ {title && ( +

+ {title} +

+ )} + +
+ ); + })}
)) diff --git a/src/util/changelogs.ts b/src/util/changelogs.ts index dbab19dc9965b1..4725a3bc3b27b9 100644 --- a/src/util/changelogs.ts +++ b/src/util/changelogs.ts @@ -61,7 +61,7 @@ export async function getWranglerChangelog(): Promise< CollectionEntry<"changelogs"> > { const response = await fetch( - "https://api.github.com/repos/cloudflare/workers-sdk/releases", + "https://api.github.com/repos/cloudflare/workers-sdk/releases?per_page=100", ); if (!response.ok) { From 877bc1a6b765bf39e762d02523e688dac0207366 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Thu, 23 Jan 2025 18:07:43 +0000 Subject: [PATCH 033/129] [Docs] Exclude false positives from unused images audit (#19383) * Exclude Workers AI logos * Exclude AI Assistant images * Exclude Changelog Next images --- .github/workflows/image-audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-audit.yml b/.github/workflows/image-audit.yml index 3e21e7393d5b02..ee368a67069d33 100644 --- a/.github/workflows/image-audit.yml +++ b/.github/workflows/image-audit.yml @@ -21,7 +21,7 @@ jobs: id: find-files run: | # Find all .png and .svg files, but only look in the ./src/assets/images directory - FILES=$(find . -type f \( -name "*.png" -o -name "*.svg" \) -path "./src/assets/images/*") + FILES=$(find . -type f \( -name "*.png" -o -name "*.svg" \) -path "./src/assets/images/*" -not -path "./src/assets/images/workers-ai/*.svg" -not -path "./src/assets/images/workers/ai/*.png" -not -path "./src/assets/images/changelog-next/*") # Check if files are referenced in any markdown file UNUSED_FILES="" From ccdcfe77bf34b51e1ca219182eeb84892bdccd97 Mon Sep 17 00:00:00 2001 
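Review bot: In `src/pages/changelog/index.astro`, `entry.individual_page.slice(1, -1)` assumes the value always has both a leading and a trailing slash. A value written without one of them loses a real character, and the lookup then fails with the generic "Unable to load page" error, which does not point at the cause. Stripping only slashes, for example `entry.individual_page.replace(/^\/|\/$/g, "")`, or validating the field where the changelog entries are parsed would make the failure mode explicit. The markdown link in `description` is built from `page.data.title` without escaping, so a title containing `]` would break the link; that is presumably rare but worth a comment.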
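Review bot: In `getWranglerChangelog` in `src/util/changelogs.ts`, `?per_page=100` raises the page size to the API maximum but the request still reads a single page, so releases older than the newest 100 are silently missing from the generated changelog. If the full history is wanted, the `Link` response header has to be followed; if 100 is a deliberate cap, a comment such as `// newest 100 releases only; pagination intentionally not followed` would record that. As far as the hunk shows, the request is sent without credentials, so it draws on the build runner's unauthenticated rate limit, and the `!response.ok` branch, whose body lies outside the hunk, is the only guard against a throttled build.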
From: Matt Silverlock Date: Thu, 23 Jan 2025 14:00:47 -0500 Subject: [PATCH 034/129] r2: terraform - make the required options even clearer (#19389) Makes the `skip_region_validation = true` and related options clearer. --- src/content/docs/r2/examples/terraform-aws.mdx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/content/docs/r2/examples/terraform-aws.mdx b/src/content/docs/r2/examples/terraform-aws.mdx index 30a53f1a9c262d..1d6be7b07b313d 100644 --- a/src/content/docs/r2/examples/terraform-aws.mdx +++ b/src/content/docs/r2/examples/terraform-aws.mdx @@ -18,7 +18,12 @@ For using only the Cloudflare provider, see [Terraform](/r2/examples/terraform/) ::: -With [`terraform`](https://developer.hashicorp.com/terraform/downloads) installed, create `main.tf` and copy the content below replacing with your Account ID and R2 credentials. +With [`terraform`](https://developer.hashicorp.com/terraform/downloads) installed: + +1. Create `main.tf` file, or edit your existing Terraform configuration +2. Populate the endpoint URL at `endpoints.s3` with your [Cloudflare account ID](/fundamentals/setup/find-account-and-zone-ids/) +3. Populate `access_key` and `secret_key` with the corresponding [R2 API credentials](/r2/api/s3/tokens/). +4. Ensure that `skip_region_validation = true`, `skip_requesting_account_id = true`, and `skip_credentials_validation = true` are set in the provider configuration. ```hcl terraform { @@ -36,6 +41,8 @@ provider "aws" { access_key = secret_key = + # Required for R2. + # These options disable S3-specific validation on the client (Terraform) side. skip_credentials_validation = true skip_region_validation = true skip_requesting_account_id = true From f0d1a30bc4ce7558f4b4245c01b3abceb42d3324 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:21:02 +0000 Subject: [PATCH 035/129] [SSL] Update origin-ca and adjust content for SEO (#19315) * Use 'Cloudflare origin CA' more consistently and callout proxied traffic * Create origin-ca folder and add placeholder page for ts * Create partial for pause CF error * Add NET::ERR_CERT_AUTHORITY_INVALID and solutions * Add origin server errors and list necessary root CA files * Fix missing period Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> * Reword troubleshooting steps for proxying on and off --------- Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- .../methods/delegated-dcv.mdx | 2 +- .../set-up/zone-level.mdx | 2 +- .../{origin-ca.mdx => origin-ca/index.mdx} | 23 +++++----- .../origin-ca/troubleshooting.mdx | 45 +++++++++++++++++++ .../partials/ssl/origin-ca-pause-error.mdx | 8 ++++ 5 files changed, 68 insertions(+), 12 deletions(-) rename src/content/docs/ssl/origin-configuration/{origin-ca.mdx => origin-ca/index.mdx} (85%) create mode 100644 src/content/docs/ssl/origin-configuration/origin-ca/troubleshooting.mdx create mode 100644 src/content/partials/ssl/origin-ca-pause-error.mdx diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx index 742626e2f4474d..0128edc487b72d 100644 --- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx 
@@ -35,7 +35,7 @@ You should use Delegated DCV when all of the following conditions are true: :::note[Delegated DCV and origin certificates] -As explained in the [announcement blog post](https://blog.cloudflare.com/introducing-dcv-delegation/), currently, you can only delegate DCV to one provider at a time. If you also issue publicly trusted certificates for the same hostname for your [origin server](/ssl/concepts/#origin-certificate), this will no longer be possible. You can use [Cloudflare Origin CA certificates](/ssl/origin-configuration/origin-ca/) instead. +As explained in the [announcement blog post](https://blog.cloudflare.com/introducing-dcv-delegation/), currently, you can only delegate DCV to one provider at a time. If you also issue publicly trusted certificates for the same hostname for your [origin server](/ssl/concepts/#origin-certificate), this will no longer be possible. You can use [Cloudflare origin CA certificates](/ssl/origin-configuration/origin-ca/) instead. ::: ## Setup diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx index e5ca768855d785..966af24685ffb2 100644 --- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx 
@@ -28,7 +28,7 @@ If you need a different AOP certificate to apply to different custom hostnames, First, upload a certificate to your origin. -To use a Cloudflare certificate (which uses a specific CA), [download the .PEM file](/ssl/static/authenticated_origin_pull_ca.pem) and upload it to your origin. This certificate is **not** the same as the Cloudflare Origin CA certificate and will not appear on your Dashboard. +To use a Cloudflare certificate (which uses a specific CA), [download the .PEM file](/ssl/static/authenticated_origin_pull_ca.pem) and upload it to your origin. This certificate is **not** the same as the [Cloudflare origin CA certificate](/ssl/origin-configuration/origin-ca/) and will not appear on your Dashboard. To use a custom certificate, follow the API instructions to [upload a custom certificate to Cloudflare](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate), but use the [`origin_tls_client_auth` endpoint](/api/resources/origin_tls_client_auth/methods/create/). Then, upload the certificate to your origin. diff --git a/src/content/docs/ssl/origin-configuration/origin-ca.mdx b/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx similarity index 85% rename from src/content/docs/ssl/origin-configuration/origin-ca.mdx rename to src/content/docs/ssl/origin-configuration/origin-ca/index.mdx index d64ce987c620d2..f0f6f9171b172f 100644 --- a/src/content/docs/ssl/origin-configuration/origin-ca.mdx +++ b/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx 
@@ -1,24 +1,23 @@ --- -title: Origin CA certificates +title: Cloudflare origin CA pcx_content_type: how-to sidebar: order: 3 + label: Setup head: [] -description: Origin Certificate Authority (CA) certificates allow you to encrypt - traffic between Cloudflare and your origin web server, and reduce origin - bandwidth consumption. +description: Encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption. --- -import { FeatureTable } from "~/components" +import { FeatureTable, GlossaryTooltip, Render } from "~/components" -Use Origin Certificate Authority (CA) certificates to encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption. Once deployed, these certificates are compatible with [Strict SSL mode](/ssl/origin-configuration/ssl-modes/full-strict/). +If your origin only receives traffic from proxied records, use Cloudflare origin CA certificates to encrypt traffic between Cloudflare and your origin web server and reduce bandwidth consumption. Once deployed, these certificates are compatible with [Strict SSL mode](/ssl/origin-configuration/ssl-modes/full-strict/). -For more background information on Origin CA certificates, refer to the [introductory blog post](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/). +For more background information on origin CA certificates, refer to the [introductory blog post](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/). :::note -Using Cloudflare Origin CA certificates do not prevent you from using [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). +Using Cloudflare origin CA certificates does not prevent you from using [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). ::: ## Availability 
@@ -89,6 +88,10 @@ If all your origin hosts are protected by Origin CA certificates or publicly tru If you have origin hosts that are not protected by certificates, set the **SSL/TLS encryption** mode for a specific application to **Full (strict)** by using a [Page Rule](/rules/page-rules/). +:::caution + +::: + ## Revoke an Origin CA certificate If you misplace your key material or do not want a certificate to be trusted, you may want to revoke your certificate. You cannot undo this process. @@ -114,7 +117,7 @@ Some origin web servers require upload of the Cloudflare Origin CA root certific ### Hostname and wildcard coverage -Certificates may be generated with up to 200 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (`www.example.com`) or a wildcard (`*.example.com`). You cannot use IP addresses as SANs on Cloudflare Origin CA certificates. +Certificates may be generated with up to 200 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (`www.example.com`) or a wildcard (`*.example.com`). You cannot use IP addresses as SANs on Cloudflare origin CA certificates. Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (for example, `*.example.com` and `*.secure.example.com` may co-exist). @@ -131,4 +134,4 @@ To automate processes involving Origin CA certificates, use the following API ca ## Troubleshooting -Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin. +If you find `NET::ERR_CERT_AUTHORITY_INVALID` or other issues after setting up Cloudflare origin CA, refer to [troubleshooting](/ssl/origin-configuration/origin-ca/troubleshooting/). 
diff --git a/src/content/docs/ssl/origin-configuration/origin-ca/troubleshooting.mdx b/src/content/docs/ssl/origin-configuration/origin-ca/troubleshooting.mdx new file mode 100644 index 00000000000000..c0aa6232c89f68 --- /dev/null +++ b/src/content/docs/ssl/origin-configuration/origin-ca/troubleshooting.mdx 
@@ -0,0 +1,45 @@ +--- +title: Troubleshooting Cloudflare origin CA +pcx_content_type: troubleshooting +description: Troubleshoot issues like NET::ERR_CERT_AUTHORITY_INVALID when using Cloudflare origin CA. +sidebar: + order: 2 + label: Troubleshooting +--- + +import { GlossaryTooltip, Render } from "~/components"; + +Consider the following common issues and troubleshooting steps when using [Cloudflare origin CA](/ssl/origin-configuration/origin-ca/). + +## NET::ERR_CERT_AUTHORITY_INVALID + +### Cause + + +This also means that SSL Labs or similar SSL validators are expected to flag the certificate as invalid. + +### Solutions + +- Make sure the [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/) of your DNS records and any [page rules](/rules/page-rules/) (if existing) are set up correctly. If so, you can try to turn proxying off and then on again and wait a few minutes. +- If you must have direct connections between clients and your origin server, consider installing a publicly trusted certificate at your origin instead. This process is done outside of Cloudflare, where you should issue the certificate directly from a certificate authority (CA) of your choice. You can still use Full (strict) [encryption mode](/ssl/origin-configuration/ssl-modes/), as long as the CA is listed on the [Cloudflare trust store](https://github.com/cloudflare/cfssl_trust). + +## The issuer of this certificate could not be found + +### Cause +Some origin web servers require that you upload the Cloudflare origin CA root certificate or certificate chain. 
+ +### Solution +Use the following links to download either an ECC or an RSA version and upload to your origin web server: + +* [Cloudflare Origin ECC PEM](/ssl/static/origin_ca_ecc_root.pem) (do not use with Apache cPanel) +* [Cloudflare Origin RSA PEM](/ssl/static/origin_ca_rsa_root.pem) + +## The certificate is not trusted in all web browsers + +### Cause +Apache cPanel requires that you upload the Cloudflare origin CA root certificate or certificate chain. + +### Solution +Use the following link to download an RSA version of the root certificate and upload it to your origin web server: + +* [Cloudflare Origin RSA PEM](/ssl/static/origin_ca_rsa_root.pem) \ No newline at end of file diff --git a/src/content/partials/ssl/origin-ca-pause-error.mdx b/src/content/partials/ssl/origin-ca-pause-error.mdx new file mode 100644 index 00000000000000..7023dad71af4ff --- /dev/null +++ b/src/content/partials/ssl/origin-ca-pause-error.mdx @@ -0,0 +1,8 @@ +--- +{} + +--- + +import { GlossaryTooltip } from "~/components"; + +Site visitors may see untrusted certificate errors if you [pause Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/) or disable proxying on subdomains that use Cloudflare origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin. \ No newline at end of file From adff48f997dfdc99ca0fc0f874d89b540cc6c51d Mon Sep 17 00:00:00 2001 From: Garvit Gupta Date: Thu, 23 Jan 2025 14:54:49 -0600 Subject: [PATCH 036/129] [Vectorize] Mark AOT Support (#19351) --- src/content/partials/fundamentals/account-owned-tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index d0d40ecd816d7f..c35eee4aa19115 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx 
+++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -72,7 +72,7 @@ Account owned tokens are generally available for all accounts. Some services may | Trace | ✅ | | Tunnels | ✅ | | Turnstile | ❌ | -| Vectorize | ❌ | +| Vectorize | ✅ | | Waiting Room | ✅ | | Workers | ✅ | | Workers AI | ❌ | From d577839c1629bde638762b12fd9c195238ee3184 Mon Sep 17 00:00:00 2001 From: Thomas Gauvin <35609369+thomasgauvin@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:53:22 -0500 Subject: [PATCH 037/129] Feature nodejs compat issues in troubleshooting (#19288) * Feature nodejs compat issues in troubleshooting * thomasgauvin: fix formatting on hyperdrive nodejs errors troubleshooting page * thomasgauvin: nit --- .../docs/hyperdrive/observability/troubleshooting.mdx | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/content/docs/hyperdrive/observability/troubleshooting.mdx b/src/content/docs/hyperdrive/observability/troubleshooting.mdx index 8254816b8ce6d8..fb12ad92baa7aa 100644 --- a/src/content/docs/hyperdrive/observability/troubleshooting.mdx +++ b/src/content/docs/hyperdrive/observability/troubleshooting.mdx @@ -3,7 +3,6 @@ pcx_content_type: concept title: Troubleshoot and debug sidebar: order: 10 - --- Troubleshoot and debug errors commonly associated with connecting to a database with Hyperdrive. 
@@ -43,6 +42,12 @@ Hyperdrive may also encounter `ErrorResponse` wire protocol messages sent by you | `Failed to acquire a connection from the pool.` | Hyperdrive timed out while waiting for a connection to your database, or cannot connect at all. | If you are seeing this error intermittently, your Hyperdrive pool is being exhausted because too many connections are being held open for too long by your worker. This can be caused by a myriad of different issues, but long-running queries/transactions are a common offender. | | `Server connection attempt failed: connection_refused` | Hyperdrive is unable to create new connections to your origin database. | A network firewall or access control list (ACL) is likely rejecting requests from Hyperdrive. Ensure you have allowed connections from the public Internet. Sometimes, this can be caused by your database host provider refusing incoming connections when you go over your connection limit. | +### Node errors + +| Error Message | Details | Recommended fixes | +| ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | +| `Uncaught Error: No such module "node:"` | Your Cloudflare Workers project or a library that it imports is trying to access a Node module that is not available. | Enable [Node.js compatibility](/workers/runtime-apis/nodejs/) for your Cloudflare Workers project to maximize compatibility. | + ### Improve performance Having query traffic written as transactions can limit performance. This is because in the case of a transaction, the connection must be held for the duration of the transaction, which limits connection multiplexing. If there are multiple queries per transaction, this can be particularly impactful on connection multiplexing. 
Where possible, we recommend not wrapping queries in transactions to allow the connections to be shared more aggressively. From e5130504277e5b69e584078b45a0e11efba7d53b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 23 Jan 2025 15:57:38 -0600 Subject: [PATCH 038/129] [ZT] Update GDrive cert procedure (#19374) --- .../manual-deployment.mdx | 30 +++++++++++-------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx index 3d87f75d714dcb..2352abb521bbc0 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx 
@@ -715,20 +715,22 @@ To trust a Cloudflare root certificate in the Google Drive desktop application, -1. In the Finder menu bar, go to **Go** > **Go to Folder**. Enter `/Applications/Google Drive.app/Contents/Resources`. +1. In a terminal, copy the contents of the Google Drive certificate file to a new certificate file in a permanent location, such as your Documents folder. For example: -2. Find `roots.pem` and copy it to a permanent location, such as your Documents folder. + ```sh + cat /Applications/"Google Drive.app"/Contents/Resources/roots.pem > ~/Documents/gdrivecerts.pem + ``` -3. Append the contents of `cloudflare.pem` to the end of `roots.pem`. +2. Append the contents of the downloaded certificate to the end of the new file. For example: ```sh - cat ~/Downloads/certificate.pem >> path/to/roots.pem + cat ~/Downloads/certificate.pem >> ~/Documents/gdrivecerts.pem ``` -4. Apply the newly created root certificate to your Google Drive application. +3. Apply the newly created root certificate to your Google Drive application. For example: ```sh - sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootCertsFile -string "path/to/roots.pem" + sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootCertsFile "/Users/$(whoami)/Documents/gdrivecerts.pem" ``` You can verify the update with the following command. 
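Review bot: The rewritten macOS steps 1–3 build the combined trust bundle at `~/Documents/gdrivecerts.pem`, which the logged-in user can rewrite, and then point the machine-wide `TrustedRootCertsFile` preference at it with `sudo`. Every certificate in that file is treated as a root by Google Drive, so any process running as the user could presumably add roots later without elevation. The steps should tell the reader to keep the bundle where only administrators can write, for example `sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootCertsFile "<ADMIN_OWNED_DIR>/gdrivecerts.pem"` (placeholder path). The hard-coded `/Users/$(whoami)/Documents/...` also assumes the command runs from the account that created the file and that its home is under `/Users`. The surrounding procedure starts and ends outside this hunk.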
@@ -741,26 +743,28 @@ defaults read /Library/Preferences/com.google.drivefs.settings -1. In File Explorer, go to `\Program Files\Google\Drive File Stream\\config\`. +1. In an administrator PowerShell terminal, copy the contents of the Google Drive certificate file to a new certificate file in a permanent location, such as your Documents folder. For example: -2. Find `roots.pem` and copy it to a permanent location, such as your Documents folder. + ```powershell + Get-Content "C:\Program Files\Google\Drive File Stream\roots.pem" | Set-Content "$HOME\Documents\gdrivecerts.pem" + ``` -3. Append the contents of `cloudflare.pem` to the end of `roots.pem`. +2. Append the contents of the downloaded certificate to the end of the new file. For example: ```powershell - cat ~\Downloads\certificate.pem >> path\to\roots.pem + Get-Content "$HOME\Downloads\certificate.pem" | Add-Content "$HOME\Documents\gdrivecerts.pem" ``` -4. Update the Google Drive registry key. +3. Apply the newly created root certificate to your Google Drive application. For example: ```powershell - reg ADD "HKEY_LOCAL_MACHINE\Software\Google\DriveFS" /v TrustedRootCertsFile /t REG_SZ /d "path\to\roots.pem" + Set-ItemProperty -Path "HKLM:\SOFTWARE\Google\DriveFS" -Name "TrustedRootCertsFile" -Value "$HOME\Documents\gdrivecerts.pem" ``` You can verify the update with the following command. ```powershell -reg QUERY "HKEY_LOCAL_MACHINE\Software\Google\DriveFS" /v TrustedRootCertsFile" +Get-ItemProperty -Path "HKLM:\SOFTWARE\Google\DriveFS" | Select-Object TrustedRootCertsFile ``` From efb3c65ff29563624f45bdb317a5377a68ffcbb1 Mon Sep 17 00:00:00 2001 From: Thomas Gauvin <35609369+thomasgauvin@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:42:22 -0500 Subject: [PATCH 039/129] Update routing.mdx (#19393) --- src/content/docs/workers/static-assets/routing.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
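Review bot: The new Windows step 1 reads `C:\Program Files\Google\Drive File Stream\roots.pem`, but the removed step located `roots.pem` in a `config` subfolder (shown as `...\Drive File Stream\\config\`, apparently with a version segment lost in rendering), so the copy looks likely to fail on a real install. Confirm the path and keep those segments, e.g. `Get-Content "C:\Program Files\Google\Drive File Stream\<VERSION>\config\roots.pem"` (placeholder). The bundle is also written to `$HOME\Documents`, which the user can modify, while the `TrustedRootCertsFile` value under `HKLM:` is machine-wide; a folder writable only by administrators would be the safer location to document. In an elevated PowerShell session `$HOME` resolves to the account that elevated, which may not be the user who runs Google Drive.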
diff --git a/src/content/docs/workers/static-assets/routing.mdx b/src/content/docs/workers/static-assets/routing.mdx index e9318c11cc81a5..75944034736f8f 100644 --- a/src/content/docs/workers/static-assets/routing.mdx +++ b/src/content/docs/workers/static-assets/routing.mdx @@ -33,7 +33,7 @@ In this example, request to `example.com/blog` serves the `blog.html` file. If a Worker is configured, and there are no assets that match the current route requested, the Worker will be invoked. The Worker can then "fall back" to `not_found_handling` asset behavior, by passing the incoming request through to the [asset binding](/workers/static-assets/binding/#runtime-api-reference). -In this example, request to `example.com/api` doesn't match a static asset so the Worker is invoked. +In this example, a request to `example.com/api` doesn't match a static asset so the Worker is invoked. ![A request to `example.com/blog` runs the Worker.](~/assets/images/workers/platform/assets/workers-assets-invoke-worker.png) From 7d6843f33335811c78de308887bf4031de2bcddd Mon Sep 17 00:00:00 2001 
From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:50:31 -0500 Subject: [PATCH 040/129] update SaaS apps (#19397) --- .../saas-apps/adobe-sign-saas.mdx | 5 ++-- .../configure-apps/saas-apps/area-1.mdx | 20 +++----------- .../configure-apps/saas-apps/asana-saas.mdx | 5 ++-- .../saas-apps/atlassian-saas.mdx | 17 +++++------- .../configure-apps/saas-apps/aws-sso-saas.mdx | 7 +++-- .../saas-apps/braintree-saas.mdx | 5 ++-- .../configure-apps/saas-apps/coupa-saas.mdx | 5 ++-- .../saas-apps/digicert-saas.mdx | 5 ++-- .../saas-apps/docusign-access.mdx | 15 +++++------ .../configure-apps/saas-apps/dropbox-saas.mdx | 5 ++-- .../saas-apps/generic-oidc-saas.mdx | 18 ++++++------- .../saas-apps/generic-saml-saas.mdx | 14 +++++----- .../configure-apps/saas-apps/github-saas.mdx | 5 ++-- .../saas-apps/google-cloud-saas.mdx | 5 ++-- .../saas-apps/google-workspace-saas.mdx | 6 +++-- .../saas-apps/grafana-cloud-saas-oidc.mdx | 7 +++-- .../saas-apps/grafana-saas-oidc.mdx | 11 +++----- .../saas-apps/greenhouse-saas.mdx | 7 +++-- .../configure-apps/saas-apps/hubspot-saas.mdx | 12 +++++---- .../saas-apps/ironclad-saas.mdx | 7 +++-- .../saas-apps/jamf-pro-saas.mdx | 9 ++----- .../configure-apps/saas-apps/miro-saas.mdx | 9 ++----- .../saas-apps/pagerduty-saml-saas.mdx | 5 ++-- .../saas-apps/pingboard-saas.mdx | 5 ++-- .../saas-apps/salesforce-saas-oidc.mdx | 7 +++-- .../saas-apps/salesforce-saas-saml.mdx | 13 +++------- .../saas-apps/servicenow-saas-oidc.mdx | 8 +++--- .../saas-apps/servicenow-saas-saml.mdx | 5 ++-- .../configure-apps/saas-apps/slack-saas.mdx | 5 ++-- .../saas-apps/smartsheet-saas.mdx | 9 ++----- .../saas-apps/sparkpost-saas.mdx | 7 +++-- .../saas-apps/tableau-saml-saas.mdx | 7 +++-- .../configure-apps/saas-apps/workday-saas.mdx | 9 ++----- .../saas-apps/zendesk-sso-saas.mdx | 26 +++++++++++-------- .../configure-apps/saas-apps/zoom-saas.mdx | 5 ++-- 35 files changed, 121 insertions(+), 189 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx index a9bc1d27d64562..069e4a022cd5e6 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx @@ -44,9 +44,8 @@ This guide covers how to configure [Adobe Acrobat Sign](https://helpx.adobe.com/ * **Entity ID**: Entity ID/SAML Audience from Adobe Acrobat Sign SAML SSO configuration. * **Assertion Consumer Service URL**: Assertion Consumer URL from Adobe Acrobat Sign SAML SSO configuration. * **Name ID format**: *Email* -2. Select **Save configuration**. -3. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -4. Select **Done**. +2. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +3. Save the application. ## 4. Test the integration and finalize configuration diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx index 9eaf8545005737..c1bc57ec8483f3 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx 
@@ -32,21 +32,11 @@ sidebar: | **Assertion Consumer Service URL** | `https://horizon.area1security.com/api/users/saml` | | **Name ID Format** | *Email* | -6. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. +6. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -7. Choose the **Identity providers** you want to enable for your application. +7. Save the application. -8. Turn on **Instant Auth** if you are selecting only one login method for your application, and would like your end users to skip the identity provider selection step. - -9. Select **Next**. - -## 2. Add an Access policy - -1. To control who can access your application, [create an Access policy](/cloudflare-one/policies/access/). - -2. Select **Next**. - -## 3. Configure SSO for Area 1 +## 2. Configure SSO for Area 1 Finally, you will need to configure Area 1 to allow users to log in through Cloudflare Access. @@ -74,6 +64,4 @@ Finally, you will need to configure Area 1 to allow users to log in through Clou 7. Select **Update Settings**. -8. In Zero Trust, select **Done**. - -Your application will appear on the **Applications** page. If you added the application to your App Launcher, you can test the integration by going to `.cloudflareaccess.com`. +If you added the application to your App Launcher, you can test the integration by going to `.cloudflareaccess.com`. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx index aeebf64cf0a0e9..9a57671a43568c 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx 
@@ -26,9 +26,8 @@ This guide covers how to configure [Asana](https://help.asana.com/hc/en-us/artic * **Assertion Consumer Service URL**: `https://app.asana.com/-/saml/consume` * **Name ID format**: *Email* 7. Copy the **SSO endpoint** and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Add a SAML SSO provider to Asana diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx index 9d148d90c5e0c4..7f6ea7e1324362 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx @@ -24,7 +24,7 @@ This guide covers how to configure [Atlassian Cloud](https://support.atlassian.c 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**. -7. Keep this window open without selecting **Select configuration**. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust). +7. Keep this window open. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust). ## 2. Create a x.509 certificate 
@@ -38,13 +38,9 @@ This guide covers how to configure [Atlassian Cloud](https://support.atlassian.c 3. For **Directory name**, enter your desired name. For example, you could enter `Cloudflare Access`. 4. Select **Add** > **Set up SAML single sign-on** > **Next**. -:::note - - -This screen will advise you to create an authentication policy before proceeding. You will do this in step [5. Create an application policy to test integration](#5-create-an-authentication-policy-to-test-integration). - - -::: + :::note + This screen will advise you to create an authentication policy before proceeding. You will do this in step [5. Create an application policy to test integration](#5-create-an-authentication-policy-to-test-integration). + ::: 5. Fill in the following fields: * **Identity provider Entity ID**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust. @@ -62,9 +58,8 @@ This screen will advise you to create an authentication policy before proceeding * **Entity ID**: Service provider entity URL from Atlassian Cloud SAML SSO set-up. * **Assertion Consumer Service URL**: Service provider assertion comsumer service URL from Atlassian Cloud SAML SSO set-up. * **Name ID format**: *Email* -2. Select **Save configuration**. -3. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -4. Select **Done**. +2. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +3. Save the application. ## 5. Create an authentication policy to test integration diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx index f988b586729eb1..7fcc3506ce72ad 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx 
@@ -40,9 +40,8 @@ Next, we will obtain **Identity provider metadata** from Zero Trust. 1. Copy the **SAML Metadata endpoint**. 2. In a separate browser window, go to the SAML Metadata endpoint (`https://.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx/saml-metadata`). 3. Save the page as `access_saml_metadata.xml`. -9. Save your SaaS application configuration. -10. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -11. Select **Done**. +9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +10. Save the application. ## 3. Complete AWS configuration @@ -60,7 +59,7 @@ Access for SaaS does not currently support [SCIM provisioning](/cloudflare-one/i 1. Users are created in both your identity provider and AWS. 2. Users have matching usernames in your identity provider and AWS. -3. Usernames are email addresses. This is the only format AWS supports with third-party SSO providers. +3. Usernames are email addresses. This is the only format AWS supports with third-party SSO providers. ::: ## 4. Test the integration diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx index 865b76f7000c5c..7e7c6f78c3f590 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx 
@@ -26,9 +26,8 @@ This guide covers how to configure [Braintree](https://developer.paypal.com/brai * **Assertion Consumer Service URL**: `https://www.placeholder.com` * **Name ID format**: *Email* 7. Copy the **SSO endpoint** and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Enable SSO Configuration in Braintree diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx index 371a1c310c04c2..9f8386faf11b65 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx @@ -28,9 +28,8 @@ This guide covers how to configure [Coupa](https://compass.coupa.com/en-us/produ * **Name ID format**: *Email* 7. Copy the **Access Entity ID or Issuer** and **SAML Metadata Endpoint**. 8. In **Default relay state**, enter `https://.coupahost.com/sessions/saml_post`. -9. Select **Save configuration**. -10. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -11. Select **Done**. +9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +10. Save the application. ## 2. Download the metadata file diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx index d5986d5bef4214..92ccbb9c8d2567 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx 
@@ -27,9 +27,8 @@ This guide covers how to configure [Digicert](https://docs.digicert.com/en/certc * **Assertion Consumer Service URL**: `https://www.digicert.com/account/sso/` * **Name ID format**: *Email* 7. Copy the **SAML Metadata endpoint**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Add a SAML SSO provider in Digicert diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx index ec871675a13d0d..0bab2519bf5390 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx @@ -45,20 +45,17 @@ This guide covers how to configure [Docusign](https://support.docusign.com/s/doc 7. Set an Access policy (for example, create a policy based on _Emails ending in @example.com_). -8. Copy and save SSO Endpoint, Entity ID and Public Key. +8. Copy and save the **SSO Endpoint**, **Entity ID** and **Public Key**. - :::note +9. Transform the **Public Key** into a fingerprint: - The Public key must be transformed into a fingerprint. To do that: + 1. Copy the **Public Key** Value. -9. Copy the Public Key Value. + 2. Paste the **Public Key** into VIM or another code editor. -10. Paste the Public Key into VIM or another code editor. + 3. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. -11. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. - -12. Set the file extension to `.crt` and save. - ::: + 4. Set the file extension to `.crt` and save. ## 2. Configure your DocuSign SSO instance 
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx index 0e86f0db764ff2..209fbcc30cf62b 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx @@ -26,9 +26,8 @@ This guide covers how to configure [Dropbox](https://help.dropbox.com/security/s * **Assertion Consumer Service URL**: `https://www.dropbox.com/saml_login` * **Name ID format**: *Email* 7. Copy the **SSO endpoint** and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Create a certificate file diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx index 26ab8a83e176ca..947d924f17f740 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx @@ -62,24 +62,22 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro | Key endpoint | Returns the current public keys used to [verify the Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/)
`https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//jwks` | | User info endpoint | Returns all user claims in JSON format
`https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//userinfo` | -11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering the URL that users should be sent to when they select the tile. +11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. -12. +12. -13. +13. Select **Next**. -14. Select **Save configuration**. +14. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. -## 3. Add an Access policy +15. -1. To control who can access the SaaS application, [create an Access policy](/cloudflare-one/policies/access/). +16. Select **Save application**. -2. Select **Done**. - -## 4. Configure SSO in your SaaS application +## 3. Configure SSO in your SaaS application Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party OIDC SSO provider. -## 5. Test the integration +## 4. Test the integration Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 446dfec843ade6..5a207f5178194f 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx 
@@ -48,19 +48,17 @@ Obtain the following URLs from your SaaS application account: If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. ::: -11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. +11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. -12. +12. -13. +13. Select **Next**. -14. Select **Save configuration**. +14. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. -## 2. Add an Access policy +15. -1. To control who can access the SaaS application, [create an Access policy](/cloudflare-one/policies/access/). - -2. Select **Done**. +16. Select **Save application**. ## 3. Configure SSO in your SaaS application diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx index dd8ca0ea731c72..18a5682af1ae73 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx 
@@ -27,9 +27,8 @@ This guide covers how to configure [GitHub Enterprise Cloud](https://docs.github * **Assertion Consumer Service URL**: `https://github.com/orgs//saml/consume` * **Name ID format**: *Email* 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Create a x.509 certificate diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx index f3d0505feb2c46..2032996bce8299 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx @@ -37,9 +37,8 @@ When configuring Google Cloud with Access, the following limitations apply: - **Assertion Consumer Service URL**: `https://www.google.com/a//acs` - **Name ID format**: _Email_ 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Create a x.509 certificate diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx index b25f2a480d568e..59867b67e3a7bc 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx 
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx @@ -38,9 +38,11 @@ The integration of Access as a single sign-on provider for your Google Workspace When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/identity/idp-integration/google/) or [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/) as an identity provider. ::: -4. On the next page, [create an Access policy](/cloudflare-one/policies/access/) for your application. For example, you could allow users with an `@your_domain.com` email address. +4. [Create an Access policy](/cloudflare-one/policies/access/) for your application. For example, you could allow users with an `@your_domain.com` email address. -5. On the next page, you will see your **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. These values will be used to configure Google Workspace. +5. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. These values will be used to configure Google Workspace. + +6. Save the application. ## 2. Create a certificate from your public key diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx index 11ef1b207a94e4..2fc1b65b3e195e 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx 
@@ -25,10 +25,9 @@ This guide covers how to configure [Grafana Cloud](https://grafana.com/docs/graf 7. In **Redirect URLs**, enter `https:///login/generic_oauth`. 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**. -10. Select **Save configuration**. -11. (Optional) configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. -12. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -13. Select **Done**. +10. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. +12. Save the application. ## 2. Add a SSO provider to Grafana Cloud diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx index 89cf2235b94f7a..48b3e8ba1e387e 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx 
@@ -15,11 +15,7 @@ This guide covers how to configure [Grafana](https://grafana.com/docs/grafana/la * Admin access to a Grafana account :::note - - You can also configure OIDC SSO for Grafana using a [configuration file](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-generic-oauth-authentication-client-using-the-grafana-configuration-file) instead of using Grafana's user interface (UI), as documented in this guide. - - ::: ## 1. Add a SaaS application to Cloudflare Zero Trust @@ -33,10 +29,9 @@ You can also configure OIDC SSO for Grafana using a [configuration file](https:/ 7. In **Redirect URLs**, enter `https:///login/generic_oauth`. 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**. -10. Select **Save configuration**. -11. (Optional) configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. -12. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -13. Select **Done**. +10. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`. +12. Save the application. ## 2. Add a SSO provider to Grafana diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx index d3ea8b77af42be..fb43009202bd5a 100644 
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx @@ -22,7 +22,7 @@ This guide covers how to configure [Greenhouse Recruiting](https://support.green 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **SAML Metadata endpoint**. -7. Keep this window open without selecting **Select configuration**. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust). +7. Keep this window open. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust). ## 2. Download the metadata file @@ -43,9 +43,8 @@ This guide covers how to configure [Greenhouse Recruiting](https://support.green * **Entity ID**: `greenhouse.io` * **Assertion Consumer Service URL**: SSO Assertion Consumer URL from SSO configuration in Greenhouse Recruiting. * **Name ID format**: *Email* -2. Select **Save configuration**. -3. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -4. Select **Done**. +2. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +3. Save the application. ## 5. Test the integration and finalize configuration diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx index 7057d4c0496c5d..7128843f1b69c9 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx 
@@ -30,19 +30,21 @@ This guide covers how to configure [Hubspot](https://knowledge.hubspot.com/accou | Hubspot values | Cloudflare values | | -------------- | ------------------------------ | - | Audience URI | EntityID | + | Audience URI | Entity ID | | Sign On URL | Assertion Consumer Service URL | 4. Set **NameID** to *Email*. 5. Add any desired [Access policies](/cloudflare-one/policies/access/) to your application. -6. Copy SSO endpoint and Access Entity ID. +6. Copy the **SSO endpoint** and **Access Entity ID**. -## 3. Create the certificate +7. Save the application. -1. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. -2. Paste the certificate contents into the Certificate field. +## 3. Create a x.509 certificate + +1. Paste the **Public key** in a text editor. +2. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. ## 4. Finalize Hubspot configuration diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx index ba4a825556d518..a0319e2ffffdf5 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx 
@@ -22,7 +22,7 @@ This guide covers how to configure [Ironclad](https://support.ironcladapp.com/hc 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **SSO Endpoint** and **Public key**. -7. Keep this window open without selecting **Select configuration**. You will finish this configuration in step [3. Finish adding a SaaS application to Cloudflare Zero Trust](#3-finish-adding-a-saas-application-to-cloudflare-zero-trust). +7. Keep this window open. You will finish this configuration in step [3. Finish adding a SaaS application to Cloudflare Zero Trust](#3-finish-adding-a-saas-application-to-cloudflare-zero-trust). ## 2. Add a SAML SSO provider to Ironclad @@ -40,9 +40,8 @@ This guide covers how to configure [Ironclad](https://support.ironcladapp.com/hc * **Entity ID**: `ironcladapp.com` * **Assertion Consumer Service URL**: Callback from Ironclad SAML SSO set-up. * **Name ID format**: *Email* -2. Select **Save configuration**. -3. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -4. Select **Done**. +2. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +3. Save the application. ## 4. Add a test user to Ironclad and test the integration diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx index 61d857fa2ccef3..55ef40c805ac63 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx 
@@ -33,9 +33,8 @@ This guide covers how to configure [Jamf Pro](https://learn.jamf.com/en-US/bundl * **Assertion Consumer Service URL**: Assertion Consumer Service value from Jamf Pro metadata file. * **Name ID format**: *Email* 7. Copy the **SAML Metadata endpoint**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 3. Edit Access SAML Metadata @@ -57,11 +56,7 @@ This guide covers how to configure [Jamf Pro](https://learn.jamf.com/en-US/bundl 5. Turn on **Single Sign On**. :::note - - The Failover Login URL located on this page can be used to log in if your SSO does not work. - - ::: ## 5. Test the Integration diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx index 32dd9de72fd8b9..88d9f890fad49a 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx @@ -29,9 +29,8 @@ This guide covers how to configure [Miro](https://help.miro.com/hc/articles/3600 * **Assertion Consumer Service URL**: `https://miro.com/sso/saml` * **Name ID format**: *Email* 7. Copy the **SSO endpoint** and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Add a SAML SSO provider to Miro 
@@ -52,9 +51,5 @@ This guide covers how to configure [Miro](https://help.miro.com/hc/articles/3600 In the Miro SAML/SSO configuration page, select **Test SSO Configuration**. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. If the login is successful, you will receive a **SSO configuration test was successful** message. :::note - - When testing the integration, you do not have to use an email from a domain you have configured for SSO or a user configured in Miro. The only requirement is that the user is already configured in your identity provider. - - ::: diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx index 5149743a46b4ab..abfa66b10f6760 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx @@ -26,9 +26,8 @@ This guide covers how to configure [PagerDuty](https://support.pagerduty.com/doc * **Assertion Consumer Service URL**: ` https://.pagerduty.com/sso/saml/consume` * **Name ID format**: *Email* 7. Copy the **SSO endpoint** and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Create a x.509 certificate diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx index b55b2ae5cd90b2..fc202fc9863e9b 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx 
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx @@ -26,9 +26,8 @@ This guide covers how to configure [Pingboard](https://support.pingboard.com/hc/ * **Assertion Consumer Service URL**: `https://sso-demo.pingboard.com/auth/saml/consume` * **Name ID format**: *Email* 7. Copy the **SAML Metadata endpoint**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Add a SAML SSO provider to Pingboard diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx index a6c13e2e5bb2dd..4514b2af287171 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx 
@@ -32,10 +32,9 @@ This guide covers how to configure [Salesforce](https://help.salesforce.com/s/ar * **Authorization endpoint** * **Token endpoint** * **User info endpoint** -10. (Optional) configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.my.salesforce.com`. -11. Select **Save configuration**. -12. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -13. Select **Done**. +10. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.my.salesforce.com`. +12. Save the application. ## 2. Add a SSO provider to Salesforce diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx index cf23bc7d0dde6a..4811a20700c52e 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx 
@@ -29,17 +29,12 @@ This guide covers how to configure [Salesforce](https://help.salesforce.com/s/ar * **Name ID format**: *Email* :::note - - If you are unsure of which URL to use in the **Entity ID** and **Assertion Consumer Service URL** fields, you can check your Salesforce account's metadata. In Salesforce, go to the **Single Sign-On Settings** page and select **Download Metadata**. In this file, you will find the correct URLs to use. - - ::: 7. Copy the **SSO endpoint**, **Public key**, and **Access Entity ID or Issuer**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Create a certificate file @@ -58,11 +53,11 @@ If you are unsure of which URL to use in the **Entity ID** and **Assertion Consu * **Issuer:** Paste the Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust. * **Identity Provider Certificate**: Upload the `.crt` certificate file from [2. Create a certificate file](#2-create-a-certificate-file). * **Entity ID**: `https://.my.salesforce.com` - * **SAML Identity type:** If the user's Salesforce username is their email address, select *Assertion contains the User's Salesforce username*. Otherwise, select *Assertion contains the Federation ID from the User object* and make sure the user's Federation ID matches their email address. + * **SAML Identity type:** If the user's Salesforce username is their email address, select *Assertion contains the User's Salesforce username*. Otherwise, select *Assertion contains the Federation ID from the User object* and make sure the user's Federation ID matches their email address.
1. In the **Quick Find** box, enter `users` and select **Users**. 2. Select the user. - 3. Verify that the user's **Federation ID** matches the email address used to authenticate to Cloudflare Access. + 3. Verify that the user's **Federation ID** matches the email address used to authenticate to Cloudflare Access.
* **Identity Provider Login URL**: SSO endpoint provided in Cloudflare Zero Trust for this application. 5. Select **Save**. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx index b309ff64f2a757..be4aafe79e4a5c 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx @@ -25,11 +25,9 @@ This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bund 7. In **Redirect URLs**, enter `https://.service-now.com/navpage.do`. 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. 9. Copy the **Client secret** and **Client ID**. -10. Select **Save configuration**. -11. (Optional) configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.service-now.com`. -12. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -13. Select **Done**. - +10. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.service-now.com`. +12. Save the application. ## 2. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow 1. In ServiceNow, select **All**. 
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx index bd42669af865b3..aa3f6132d9e871 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx @@ -26,9 +26,8 @@ This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bund * **Assertion Consumer Service URL**: `https://.service-now.com/navpage.do` * **Name ID format**: *Email* 7. Copy the **SAML Metadata endpoint**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx index 32ec7f8b6a4e82..1953a1ad2ff80b 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx 
@@ -28,9 +28,8 @@ This guide covers how to configure [Slack](https://slack.com/help/articles/20377 * **Assertion Consumer Service URL**: `https://.slack.com/sso/saml` * **Name ID format**: The format expected by Slack, usually *Email* 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Create a x.509 certificate diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx index 30dd398d30c41d..d984dba2d6ddeb 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx @@ -16,11 +16,7 @@ This guide covers how to configure [Smartsheet](https://help.smartsheet.com/arti * A [domain](https://help.smartsheet.com/articles/2483051-domain-management) verified in Smartsheet :::note - - In Smartsheet, SSO is configured for a domain. If you have multiple plans using the same domain, the SSO configuration will apply to all Smartsheet users in that domain, regardless of their plan type. - - ::: ## 1. Add a SaaS application to Cloudflare Zero Trust 
@@ -35,9 +31,8 @@ In Smartsheet, SSO is configured for a domain. If you have multiple plans using * **Assertion Consumer Service URL**: `https://saml.authn.smartsheet.com/saml2/idpresponse` * **Name ID format**: *Unique ID* 7. Copy the **SAML Metadata endpoint**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Create and test a SAML SSO provider in Smartsheet diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx index b23d116cbc35aa..ddb29f7fa09262 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx @@ -32,9 +32,8 @@ This guide covers how to configure [SparkPost or SparkPost EU](https://support.s * `https:///api/v1/users/saml/consume` for SparkPost accounts with dedicated tenants * **Name ID format**: *Email* 7. Copy the **SAML Metadata endpoint**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Download the metadata file @@ -57,5 +56,5 @@ This guide covers how to configure [SparkPost or SparkPost EU](https://support.s :::note -The SparkPost SSO login link is `https://app.sparkpost.com/auth/sso`. Alternatively, you can go to the usual sign in page and select **Log in with Single Sign-On**. +The SparkPost SSO login link is `https://app.sparkpost.com/auth/sso`. Alternatively, you can go to the usual sign in page and select **Log in with Single Sign-On**. ::: 
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx index a6a062a938cfab..475989d2f9af12 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx @@ -22,7 +22,7 @@ This guide covers how to configure [Tableau Cloud](https://help.tableau.com/curr 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Copy the **SAML Metadata endpoint**. -7. Keep this window open without selecting **Select configuration**. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust). +7. Keep this window open. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust). ## 2. Download the metadata file @@ -45,9 +45,8 @@ This guide covers how to configure [Tableau Cloud](https://help.tableau.com/curr * **Entity ID**: Tableau Cloud entity ID from Tableau Cloud SAML SSO set-up. * **Assertion Consumer Service URL**: Tableau Cloud ACS URL from Tableau Cloud SAML SSO set-up. * **Name ID format**: *Email* -2. Select **Save configuration**. -3. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -4. Select **Done**. +2. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +3. Save the application. ## 5. Test the integration and set default authentication type diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx index f4ca54c9e05c94..90cf78c84f459f 100644 
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx @@ -26,9 +26,8 @@ This guide covers how to configure [Workday](https://doc.workday.com/admin-guide * **Assertion Consumer Service URL**: `https://.myworkday.com//login-saml.flex` for a production account or `https://-impl.myworkday.com//login-saml.flex` for a preview sandbox account * **Name ID format**: *Email* 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Download the metadata file @@ -59,11 +58,7 @@ This guide covers how to configure [Workday](https://doc.workday.com/admin-guide ## 4. Test the integration :::note - - If you encounter a situation where one or more users get locked out of Workday, the user can use this backup URL provided by Workday to sign in with their username and password: `https:///login.flex?redirect=n`. - - ::: 1. In Workday, create an [authentication rule](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/authentication-policies/dan1370796466772.html). diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx index 24b4a5d019b150..2173b827f5c507 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx 
@@ -40,23 +40,27 @@ This guide covers how to configure [Zendesk](https://support.zendesk.com/hc/en-u 6. To determine who can access Zendesk, [create an Access policy](/cloudflare-one/policies/access/). -7. Copy the values from the Cloudflare IdP fields and add them to the following Zendesk fields: +7. Copy the **SSO Endpoint** and **Public Key**. - | Cloudflare IdP field | Zendesk field | - | ------------------------------------------- | --------------------------- | - | **SSO Endpoint** | **SAML SSO URL** | - | **Public Key** (transformed to fingerprint) | **Certificate Fingerprint** | +8. Transform the public key into a fingerprint: + + 1. Open a [fingerprint calculator](https://www.samltool.com/fingerprint.php). - To transform the public key into a fingerprint, use a [fingerprint calculator](https://www.samltool.com/fingerprint.php): + 2. Paste the **Public Key** into **X.509 cert**. - 1. Copy the public key value and paste it into **X.509 cert**. + 3. Wrap the value with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. - 2. Wrap the value with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. + 4. Set **Algorithm** to _SHA256_ and select **Calculate Fingerprint**. - 3. Set **Algorithm** to _SHA256_ and select **Calculate Fingerprint**. + 5. Copy the **Formatted FingerPrint** value. - 4. Copy the **Formatted FingerPrint** value. +9. Add the Cloudflare values to the following Zendesk fields: + + | Cloudflare IdP field | Zendesk field | + | ------------------------------------------- | --------------------------- | + | **SSO Endpoint** | **SAML SSO URL** | + | **Public Key** (transformed to fingerprint) | **Certificate Fingerprint** | -8. Go to `https://.zendesk.com/admin/security/staff_members` and enable **External Authentication** > **Single Sign On**. +10. Go to `https://.zendesk.com/admin/security/staff_members` and enable **External Authentication** > **Single Sign On**. 
Users should now be able to log in to Zendesk if their Email address exists in the Zendesk user list. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx index cbbc5749464a1f..41f72e814d5dc0 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx @@ -28,9 +28,8 @@ This guide covers how to configure [Zoom](https://support.zoom.com/hc/en/article * **Assertion Consumer Service URL**: `https://.zoom.us/saml/SSO` * **Name ID format**: *Email* 7. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**. -8. Select **Save configuration**. -9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. -10. Select **Done**. +8. Configure [Access policies](/cloudflare-one/policies/access/) for the application. +9. Save the application. ## 2. Add a SAML SSO provider in Zoom From 1f04cd4845980c340778f398bd8f8d9fd51052ee Mon Sep 17 00:00:00 2001 From: Thomas Gauvin <35609369+thomasgauvin@users.noreply.github.com> Date: Fri, 24 Jan 2025 04:09:37 -0500 Subject: [PATCH 041/129] thomasgauvin: fix db docs to adjust for no default nodejs_compat in c3 (#19395) --- .../configuration/connect-to-postgres.mdx | 20 ++++++++++++------- src/content/docs/hyperdrive/get-started.mdx | 18 +++-------------- .../docs/workers/tutorials/postgres/index.mdx | 20 +++---------------- 3 files changed, 19 insertions(+), 39 deletions(-) diff --git a/src/content/docs/hyperdrive/configuration/connect-to-postgres.mdx b/src/content/docs/hyperdrive/configuration/connect-to-postgres.mdx index ec3c878aac486f..24baf469101b75 100644 --- a/src/content/docs/hyperdrive/configuration/connect-to-postgres.mdx +++ b/src/content/docs/hyperdrive/configuration/connect-to-postgres.mdx 
@@ -52,18 +52,24 @@ Refer to the [Examples documentation](/hyperdrive/examples/) for step-by-step gu Hyperdrive uses Workers [TCP socket support](/workers/runtime-apis/tcp-sockets/#connect) to support TCP connections to databases. The following table lists the supported database drivers and the minimum version that works with Hyperdrive: -| Driver | Documentation | Minimum Version Required | Notes | -| ----------------------------- | ---------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Postgres.js (**recommended**) | [Postgres.js documentation](https://github.com/porsager/postgres) | `postgres@3.4.4` | Supported in both Workers & Pages. | -| node-postgres - `pg` | [node-postgres - `pg` documentation](https://node-postgres.com/) | `pg@8.13.0` | `8.11.4` introduced a bug with URL parsing and will not work. `8.11.5` fixes this. Requires `compatibility_flags = ["nodejs_compat"]` and `compatibility_date = "2024-09-23"` - refer to [Node.js compatibility](/workers/runtime-apis/nodejs). Requires wrangler `3.78.7` or later. | -| Drizzle | [Drizzle documentation](https://orm.drizzle.team/) | `0.26.2`^ | | -| Kysely | [Kysely documentation](https://kysely.dev/) | `0.26.3`^ | | -| [rust-postgres](https://github.com/sfackler/rust-postgres) | [rust-postgres documentation](https://docs.rs/postgres/latest/postgres/) | `v0.19.8` | Use the [`query_typed`](https://docs.rs/postgres/latest/postgres/struct.Client.html#method.query_typed) method for best performance. 
| +| Driver | Documentation | Minimum Version Required | Notes | +| ---------------------------------------------------------- | ------------------------------------------------------------------------ | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Postgres.js (**recommended**) | [Postgres.js documentation](https://github.com/porsager/postgres) | `postgres@3.4.4` | Supported in both Workers & Pages. | +| node-postgres - `pg` | [node-postgres - `pg` documentation](https://node-postgres.com/) | `pg@8.13.0` | `8.11.4` introduced a bug with URL parsing and will not work. `8.11.5` fixes this. Requires `compatibility_flags = ["nodejs_compat"]` and `compatibility_date = "2024-09-23"` - refer to [Node.js compatibility](/workers/runtime-apis/nodejs). Requires wrangler `3.78.7` or later. | +| Drizzle | [Drizzle documentation](https://orm.drizzle.team/) | `0.26.2`^ | | +| Kysely | [Kysely documentation](https://kysely.dev/) | `0.26.3`^ | | +| [rust-postgres](https://github.com/sfackler/rust-postgres) | [rust-postgres documentation](https://docs.rs/postgres/latest/postgres/) | `v0.19.8` | Use the [`query_typed`](https://docs.rs/postgres/latest/postgres/struct.Client.html#method.query_typed) method for best performance. | ^ _The marked libraries use `node-postgres` as a dependency._ Other drivers and ORMs not listed may also be supported: this list is not exhaustive. +### Database drivers and Node.js compatibility + +[Node.js compatibility](/workers/runtime-apis/nodejs/) is required for database drivers, including Postgres.js, and needs to be configured for your Workers project. 
+ + + ## Supported TLS (SSL) modes Hyperdrive supports the following [PostgreSQL TLS (SSL)](https://www.postgresql.org/docs/current/libpq-ssl.html) connection modes when connecting to your origin database: diff --git a/src/content/docs/hyperdrive/get-started.mdx b/src/content/docs/hyperdrive/get-started.mdx index c172656857ce97..720ab34eac42a0 100644 --- a/src/content/docs/hyperdrive/get-started.mdx +++ b/src/content/docs/hyperdrive/get-started.mdx @@ -74,23 +74,11 @@ This will create a new `hyperdrive-tutorial` directory. Your new `hyperdrive-tut - A `"Hello World"` [Worker](/workers/get-started/guide/#3-write-code) at `src/index.ts`. - A [`wrangler.toml`](/workers/wrangler/configuration/) configuration file. `wrangler.toml` is how your `hyperdrive-tutorial` Worker will connect to Hyperdrive. -:::note - -Note that the `wrangler.toml` file contains the following option: - -import { WranglerConfig } from "~/components"; - - +### Enable Node.js compatibility -```toml title="wrangler.toml" -compatibility_flags = [ "nodejs_compat" ] -``` - - +[Node.js compatibility](/workers/runtime-apis/nodejs/) is required for database drivers, including Postgres.js, and needs to be configured for your Workers project. -This enables the Node.js compatibility mode which is required for database drivers, including Postgres.js. - -::: + ## 3. Connect Hyperdrive to a database diff --git a/src/content/docs/workers/tutorials/postgres/index.mdx b/src/content/docs/workers/tutorials/postgres/index.mdx index caac9a4cd70f90..84053c1c725cfb 100644 --- a/src/content/docs/workers/tutorials/postgres/index.mdx +++ b/src/content/docs/workers/tutorials/postgres/index.mdx 
@@ -13,7 +13,7 @@ languages: - SQL --- -import { Render, PackageManagers } from "~/components"; +import { Render, PackageManagers, WranglerConfig } from "~/components"; In this tutorial, you will learn how to create a Cloudflare Workers application and connect it to a PostgreSQL database using [TCP Sockets](/workers/runtime-apis/tcp-sockets/) and [Hyperdrive](/hyperdrive/). The Workers application you create in this tutorial will interact with a product database inside of PostgreSQL. @@ -58,17 +58,9 @@ cd postgres-tutorial ### Enable Node.js compatibility - +[Node.js compatibility](/workers/runtime-apis/nodejs/) is required for database drivers, including Postgres.js, and needs to be configured for your Workers project. -import { WranglerConfig } from "~/components"; - - - -```toml title="wrangler.toml" -compatibility_flags = ["nodejs_compat_v2"] -``` - - + ## 2. Add the PostgreSQL connection library @@ -112,8 +104,6 @@ npx wrangler secret put DB_URL Set your `DB_URL` secret locally in a `.dev.vars` file as documented in [Local Development with Secrets](/workers/configuration/secrets/). - - ```toml @@ -126,8 +116,6 @@ DB_URL="" Configure each database parameter as an [environment variable](/workers/configuration/environment-variables/) via the [Cloudflare dashboard](/workers/configuration/environment-variables/#add-environment-variables-via-the-dashboard) or in your `wrangler.toml` file. Refer to an example of a`wrangler.toml` file configuration: - - ```toml @@ -329,8 +317,6 @@ You can also use explicit parameters by following the [wrangler documentation fo This command outputs the Hyperdrive configuration `id` that will be used for your Hyperdrive [binding](/workers/runtime-apis/bindings/). Set up your binding by specifying the `id` in the `wrangler.toml` file. - - ```toml {7-9} From 16e1eb01a56f8b5b4363566b451cb7f51e74acdf Mon Sep 17 00:00:00 2001 
From: Thomas Gauvin <35609369+thomasgauvin@users.noreply.github.com> Date: Fri, 24 Jan 2025 04:42:28 -0500 Subject: [PATCH 042/129] [Rules] Update capitalization in page-rules-migration.mdx (#19399) --- .../rules/reference/page-rules-migration.mdx | 64 +++++++++---------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/src/content/docs/rules/reference/page-rules-migration.mdx b/src/content/docs/rules/reference/page-rules-migration.mdx index f67d13639cef85..2c4254dde1b964 100644 --- a/src/content/docs/rules/reference/page-rules-migration.mdx +++ b/src/content/docs/rules/reference/page-rules-migration.mdx @@ -145,7 +145,7 @@ You configured a Page Rule to perform an automatic redirect from HTTP to HTTPS f 3. If your tests succeed, delete the existing Page Rule. -
+ | Page Rules configuration | Migrate to a single redirect | | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -188,7 +188,7 @@ You configured a Page Rule turning on Automatic HTTPS Rewrites for all subdomain 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | -------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -234,7 +234,7 @@ You configured a Page Rule adjusting browser cache TTL to one day for all subdom 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
@@ -277,7 +277,7 @@ You configured a Page Rule turning on Browser Integrity Check for all subdomains 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -321,7 +321,7 @@ You configured a Page Rule turning on Bypass Cache on Cookie for all subdomains 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -367,7 +367,7 @@ You configured a Page Rule turning on Cache By Device Type for all subdomains of 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
@@ -412,7 +412,7 @@ You configured a Page Rule turning on Cache Deception Armor for all subdomains o 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -456,7 +456,7 @@ You configured a Page Rule turning on caching of all assets for all subdomains o 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -500,7 +500,7 @@ You configured a Page Rule turning on caching for responses that contained cooki 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -552,7 +552,7 @@ You configured a Page Rule turning on caching of every response with status code 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -598,7 +598,7 @@ You configured a Page Rule setting a custom cache key for all query string param 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | -------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -639,7 +639,7 @@ You configured a Page Rule turning off Cloudflare Apps (deprecated) for all subd 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | -------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -688,7 +688,7 @@ You configured a Page Rule with **Disable Performance** (deprecated) for all sub 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -767,7 +767,7 @@ You configured a Page Rule turning off [Zaraz](/zaraz/) for all subdomains of `e 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | @@ -814,7 +814,7 @@ You configured a Page Rule adjusting Edge Cache TTL for all subdomains of `examp 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
@@ -857,7 +857,7 @@ You configured a Page Rule turning off [Email Obfuscation](/waf/tools/scrape-shi 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | ------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -910,7 +910,7 @@ You configured a Page Rule permanently redirecting `www.example.com` to `example }} /> - + | Page Rules configuration | Migrate to a single redirect | | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -961,7 +961,7 @@ You configured a Page Rule permanently redirecting `example.com/old-path` to `ex }} /> - + | Page Rules configuration | Migrate to a single redirect | | ----------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -1004,7 +1004,7 @@ You configured a Page Rule changing the `Host` HTTP header to `example.saas-prov 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to an origin rule | | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -1030,7 +1030,7 @@ You configured a Page Rule adding a `CF-IPCountry` HTTP header, for all requests 2. Turn off your existing Page Rule and validate the behavior of the Managed Transform. 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a Managed Transform | | -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -1073,7 +1073,7 @@ You configured a Page Rule turning off Mirage for all subdomains of `example.com 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | -------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -1116,7 +1116,7 @@ You configured a Page Rule turning off Opportunistic Encryption for all subdomai 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | -------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -1162,7 +1162,7 @@ You configured a Page Rule turning off Origin Cache Control for all subdomains o 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | @@ -1208,7 +1208,7 @@ You configured a Page Rule turning on Origin Error Page Pass-thru for all subdom 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -1251,7 +1251,7 @@ You configured a Page Rule turning off [Polish](/images/polish/) for all subdoma 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | -------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -1297,7 +1297,7 @@ You configured a Page Rule turning on Query String Sort for all subdomains of `e 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -1339,7 +1339,7 @@ You configured a Page Rule changing the origin to `example.saas-provider.com`, f 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to an origin rule | | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -1385,7 +1385,7 @@ You configured a Page Rule turning on byte-for-byte equivalency checks for all s 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a cache rule | | ------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -1428,7 +1428,7 @@ You configured a Page Rule turning off Rocket Loader for all subdomains of `exam 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | @@ -1471,7 +1471,7 @@ You configured a Page Rule setting Security Level to _I'm Under Attack_ for all 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -1497,7 +1497,7 @@ You configured a Page Rule adding a `True-Client-IP` HTTP header for all request 2. Turn off your existing Page Rule and validate the behavior of the Managed Transform. 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a Managed Transform | | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -1540,7 +1540,7 @@ You configured a Page Rule setting SSL to _Strict_ for all subdomains of `exampl 3. If your tests succeed, delete the existing Page Rule. - + | Page Rules configuration | Migrate to a configuration rule | | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | From 1431c71f33c3dc6c767c5d0eef094771bb916330 Mon Sep 17 00:00:00 2001 
From: Thomas Gauvin <35609369+thomasgauvin@users.noreply.github.com> Date: Fri, 24 Jan 2025 06:25:29 -0500 Subject: [PATCH 043/129] =?UTF-8?q?thomasgauvin:=20add=20explanations=20to?= =?UTF-8?q?=20connect=20to=20private=20network=20db=20from=20=E2=80=A6=20(?= =?UTF-8?q?#19394)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * thomasgauvin: add explanations to connect to private network db from hyperdrive with tunnels * Update src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx --------- Co-authored-by: Jun Lee --- ...hyperdrive-private-database-architecture.png | Bin 0 -> 22402 bytes .../connect-to-private-database.mdx | 9 ++++++++- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 src/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png 
diff --git a/src/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png b/src/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png new file mode 100644 index 0000000000000000000000000000000000000000..db4f833a25dcc838eac6a792b0d4c9c758c62c06 GIT binary patch literal 22402 zcmdSA^;=Zm7e6XFgmg)_fTV;p2+}E_f;1xC-3%!uT}mqhh_rOKNT+lTF$@g@48y>1 z$M@%Z?|q*8AKV}2%sKm7V1S|@u@XI{C@Ft5heY| zFN~x%1R|YA!6h`kXcsx$i_40Q%aNu;jERpyfR{m$X502~RZ*~DFe@!0T|X-#-Ht?F zIF!Ef@kuOgY74zG@4Uc_Bvr&?jrw;1X{zJ@?+*Rg#z5fx|GdB{ddcbls1XBk5H^Tww@vBWj{;(%!fWG~2O6p&F+nL$W<$(es=7Db_SV$*f9P0aEoqt40 zd$j+!gAEUlVxcfd4To zC8`Jq-Ibc`>;H}6-{A6J0&LSSioXB9td+v}H!}1P8@Tf#(XD})xc@f*bWsX53z`uB zUS7WWRTx+Kg}wJ;$u^hwS8$SKvwp-|LL3p*zmQ&&itazlwxgB&>utFS&0C~ousCZ) zJO^sZeRO4V_M1zaSwucP(q@Qw9X#PgV9@ldYoHKxo=xqCw<@YCTF52QTca{;mw2zA^|k)`3<7m!BhkpyazSHOcph2n$K!+DXFK#j9$gWn%e@1deM>O##O8%^M< z>_U@*_o{cp-R^Y!sdMY{b&AYhe{GhW@u_L+x*e@N^@xv4C$nYFIbU zjelIWl}jg61+1^{Y99lVMHNFpDFl~}H1N&z^0c4>Btma|iVA<8wne{fr{G>3-}b>^ zbzZ#lbaH^+KMc+4@^rCL4)}pKSQlC0AKvtPi`(;uo>2R2J>)LCT7+?3GL7zOs}_Xs*SZm1^F z%=p=@t1aDHm+j?6>lt=n1n=ImPGR%;gkIa6ZBT+d%wsk#N?uK32oDZwx{FX_p65fa zE56Mjp9>`jS(SB*wB_s&tpC#j$&$p$mJ z)r9M3jf3Ie9$839ePZi()%H!?ieQi za&6x#0e0r+B0nEG^?#EK+QJ|*ZX=cjZk304Y+T{Pc2@-F8?A;NV!Rw;H?LViB0a{$ zR^}rmA+-T!1@4w!(a%T1FIwIOA0-EU5jaf*1-+kI_(GR@LctiAOGh|<8RMLxvm!6b z*kd{2)wEp(?PwJLr6~JFMDmE`1Nno-Y*DrOv-Q2=sFZh@v*LF&K!>J>hFOu0t7ZaO z6+GyNh-8bj&A;@V$gy2=zC7F8;&2~x62Y8tqd^gCl&U@!Jnlq+i&i1yj^t@huO8$$ zsVT5m^nBx1{_y(b>iy&dAt$Ka8p&!~jMM3HGy7o0xABmoczIRJc+n*DTE9Jyqx=f@ zZN8z<_Gz@t*l8Bsh2YyYNR_-=hqiAji_=(~rd@PE0OEy*-V@No;p9f)+$X9olDM(= zQ>bN>bV9JtXWB?(%^U(;EZ_BK-pv+GziyT<@8W;H3OqkF;opaPOHG%|wM*Ulg`i;eAe-&MslhV;t!KXV{R#{qvFPTRUz+@x5KApzITS|%s2IE zZ1l(8jwZ9Nx#4r0=?jDbhj~7DSMafyhe0IKh>`_zxBSHDloLFhKo^0z&W>7q)`P8+uA8h`Qi;%^z_&Zn>D&b*^M8+QxKm+9#Ax8jBa(WUXD# z8(RtcoW3?(YP>0`2$D8kOD_s)Y01_3a6Rp%W#>`7^LdcdMJiImu}2Lbtu61GAIS4z z8$msy@heLRRSnz1gpcEqWy{26JE|`%@g0%i@%f8aYS|HOvIqzm5vs@Ge1tTpZiEFu 
z3AE_qX;-64q>WxIIM;LDY^vkGi#cpvq)9G~d{hT0Z~+>yPo&M+wi}MovB`EW;G``> zm4@XmT+)GEj1z#g`uwAkdQNz-+!PmX$&2M)=asK6LF!+%?X9@@KhwA7>#fp9x-D}6 zZ`l!8Jl9&2m1Zav>)qd-_OrDltC`cqx+}!vhK_$G)${1{`lIys@hj=d8Q%KDA$@Joe&2-l)h>(z_&rhZ^yteQoG zed_(uLQNrQ8s*jq4&@#ZmI1|v2zWI)D}g&F@TB{it38*l#czuV4+clM0+__KK2?lh z!3{nvh#gYFj`x6~@AV_EiOn_{E84~%I#mh8_wNxho^Bibv_{jsMqvE%sJ6~RAEgBq z9aTwJpq3hKnmIt0Ryr6fTmruJDT;cIqlZaEblh%r;6ai}l11thKg;!0K6hTw~MYo-iUB%oD3H( zO}2ay4E}xLUNe+sQE#WU-U6brFRiQJ|g-_!1zv{*|b+s-$IP+bwb2k39X9X=;y1KEZIa>nKgk$cEe?8nJ zv5&|);i!>VwrHjCk#@h!TfvHxI~Is&cIk)&H8Jt?u>b6AOuMSrbm@v&dyNa6NN6&< zhICN=Cg*tuLQuRH)||l;T`2RidF>(R6iPPs) zR^lq<)jqBze&<|t?rEkX)Cv;i{hVlZaqd~DTtM%b5l%S#bjN`9u&145QGvULgr3$GEvd7qXqWlfT59sDYpW)y1$8mqK;b$4^*l1+KsM??3HEoT|W=tYcxF-FByq@P2+dw@v^GscS?N(AJi2{PObB zf2!r&yVO}d&D^}+#%#5oLa_cFV+(v)Wg)m!)yz`LGZV+#5$+a`HuinBHAF}Dx{fHa zsVA$H0NzJ6iWMctUvehjCL|7C0DRhClj{?9)jh#2Y4IA!jg)lfg~`p9MC z>U!j4))$>#X+<^gV$&1}+9{?9^a6Gn;FU%Fr9J4*pJtFs&FD%Q%r+*i3iM;=2p1mt~82{Ru5)M zNzQdt--ePbU$*GCxG0i0fN*4yeOKVgz%KW`;H5F9jkE>_Q)x_a`*F%cmY842TT!Xn zX2-alf*ZeK2FdD_32!-r;!qY8$byOqHf#d!_U{D2@4u1GJl zqMj%eE(MdYa;P8W?8VL{C4maZMmh11f+k3$2M{9qgqZ`a-`VaLt&=lV9vuejHcr9X zsa~^YjqZ;5XA8pi#?!lCd+NM1&2AR$ViBHT)AHdo*UI@;5-#PK`TjAyjT_<5m$)%dZ*@2z{x4;l5M0A{Kew;v(LRM zt0YgJE~zgpdzKHb%T4C_4Yrny8_oIMrtO$B&}0rjc;|r5#u8%)SpQg)S#j%#8^I{oqi>@%2)9k9v=^A2#+6q#%9qoRkK`>)-;rv^u_g zC5l7ibuC^=#5~!)?|~}gZtG?Q;j?%z9EYFks%rd?*Y8PLkIUbIAnO4?{&+nN%e|#O z9*@IVoq}|jGOUI4EBvm7jk9?WTb<;}u#T~>2E7x^-kkMQ8r#z?w2bx+M6$CfBzCae zcnN+^w;Wd0qwb{`FzN4V?nMNl6ckPF=^n1Di; z7z>+%5EY3BhAa?Og3Wj&M192rSVYPuR=0P3uVis~BQlMRZ14jZB3^%}s2Y6R6f5#aNi76>F!DP-?Uc*Mo41++$kn772O;+`8(bV9 zQzOk|fe}1R!{Kp8a9%iAjr>P~bdxG`NQ0sAl(eS@08$7HjhXji&N{lY{C1DDSTLGQ ze3X^2i|`xIuZ`LOmTslhoJ{gB;Q+Tk zH0YC&&8=zuI6gl-SESl1drDXV{3{*E+Y3(qUgZ9T@aq!H`TWI_f)wF^_TJ`0EGEkm zi`pLT5@3>Fr+GLjZTZmI?$|8-Bwd_S93if##(x7F`|;4Bd@UmGrZC;O%C&dLMR=Um zU#6X4?S-0E-s)QV<#yk>FGn)^8i8o-y)l*2#8apAJBDHJ6%~tg>`lymyfQ0WT4c(f zT(leS#*0vXR+}*+3C~MaHF>3uV8SyltMbZ5o3B9VY{@eADeiyaymXRZo*E 
zhc%;L6r?Vr&VsuTpi^0MQZVtC?rMjW^+H%Y>CDd#34T);!!)?2lMC&jK{Q0Yob2>S z-g$ce8ybrMAG>FOR6|q`IK}J*)sKDkxt%?&wvT`}c{`=6#u)XN`nsa3$e0 z(>b`jg)q{>lKrEfc988uCXKqaOWrq0Dhr4P_&|EQ*PSa&ROn@aVQ$@5h1X)pLa;*s0dMOejyr$+mA6WyFAlhR>> zACn=-ATM1d{VJ6r@;Ro7|z3}h!L53x_L zwxYKXZDX8iK@zh2;eAN5I=rUYCs0mGYH~Sl-8L7ktIoC*+ma%QrT(CZZ`+HCleRh3 z%#faC)oZQ%ymZXe3gx>+FbWti{f zgAVb^w01>ddQ$I9ARolz4d_sgRsBQuvoSZ2gho&!m?5gqwQ?S_@@x-_xk`eQ|q{KEN51%_BJs&Fja$0@9@KH)(FKM~Q}Mk*ehdhKQ! zKBeZk81z%#dtwzl(`&_XrBa-_Y{fYg2>B92Of5iYwxRAIs%EO+3vQc>C=g+6vD{Kk zJrt0Nb14Sqv`7G$vQ{OIAQLjM9yw|0t$46^?gHSvSn8GO90w1s zI%Gq#S0U}!KPjV)zPb)ze!c%%P5KMga> zDb_l6$M#WbXdi^|gV|t!VNL&f?!It%LC}`%upH1JbtNDWZlLwb|EFmDr7s}YE{_2> zobUn`V1dZx8Rb`o3J2vqg_YVVj zVv4*`T!hY~Z5&pzu4cxqOm^1~1ys-iiiLjTnTI!#Y9tZg75*wwO0g0}ogCwbA(j+a zTLf{*wxhg8@6{yQshxm(BFZ77b9?=oZGQ|k54@yfn}?^q_bNW5N8|=+)a+uBBVp^V z*)jZuS@>)r(=lS1;oy!d4`8-RtT)y0i@rb#@v%s^z0H??WhOO|Nr*TnruL5gyheBC zGg$}GulH!z=-4pW0YK&zj|xZxePS}bB>xk<#df|?$bm|GAJD9udUP|2KI{HS6HJgm z&oCJ!a4XGud{RK!)KyMJej-Ac0I7aYi0rHMC)%g^#ndcUWtuDkh~l;V_z>XI5S&T{ z^$Rw;4L(kuw=QR+DRN}}NNO`|CC$B_lvAwNkJ}$vF%YpSvD2a@vxIfl-x~cn!BGxyKddz9M`?h zm{LM-dZGR68Wk8p)s2}`WNp2z9DQQ*HSVwZY#>*KtAxH1q_{?i@waq0XNXQ4`!lSW ztLM;n8>q&+;7j+A%ePP0jCI=dU(b0n|0EM%T7mN#*RM`IuR~5htSZ0Z%%R{KJl#$U zkZ>vmOmvo8*{KEI(CX11%?Q0HzLVK{;*zkye_nKJDSIL}$2LuO%WQ+0rP+ zQ3a3ndo_Jfq0GEdtzEp#{ilY<$Xvtgyy(w6=1HKvBJqs~SL`-7I^7JjmC2?^!KP6Y zQ9>EQto$SE2eN9nxQFoovtPRA{4OzfL9F>uiBj!0v1F7gO6v=;CO{o0{G{zG*z0Vw zSFsK7%++@63t9f?xIy+gxIn=&(lH>(J?@GjexhB!!@7g2kgCvqby-vWass!g0{hSd zUh+ov-Mjl+*p_7qZnctV^YVQtW#A~8)RFf@;s)8_0tXM#0)ET#aeQh*t}PGBnx-EnHB`6aY+5`EzFv0T7o zEukn^U$#CD`4p)ejy-Wz^y5TXQPzEyO5Z-8iif?@ zgE8yUr2AQj4iEoK6(?U{7LQ){9?=f@%=>+?IoA~m=Fk!kl6F@3daplp65z|Ap3l$` zbVF;A-tpBkWitvZI)jyGv~?yp+!fo+F_Qn4_-Js9`#8mdnq$nX+-1awPKQcF=9a$W zElG~#Gg-N9dMz8Ry5M_j!K`^%Yo)+KB8@-} zE2)h6pw(>S_H%u;?!pofH*9x*HRFrLd9+t zqfWNx2>}c~nWYIq@b7bTQGsZugmJFxA=nk-TX@U${vOHBY1D|#Ynqd^sQ*3$wg8%3 zBFQ<-H*xBq_B1$6TdfzTLSblce`UHNQcsrX;$|G7tYh+Hc8sGTwfOa8#tG#Ah$mJl1Q`@x;#V%Cm%Ng{;r@ED 
zH0#G~@2Yqul{pNKd&Gv0-I1&g7mH13&(8Rc39jHDiNWtBD7Of%k-N%X8>`><;X=0+w9w8$ECF68?1 zwA7@%rC20OZeM0tj$FmFIln8qp2M#4@7I2TEEUY&{E(ZA+U>HCk_I;qdjSjTziu-$-E}1-U(G=H$7*ud z&vT$?<3!W%$Iwzc(0My(QQ@f;kVJ<5ZEKnYpjDiCoCNgA#4$GneQJz>O&$&%G7FgO z?LtOgIyY<9Ly7es9_O}S`#bg!TLl%vCqv3UGX2FoY<}393oaBAJpsiWS+pc|6gxf9 z;v>tLP{|T(u$!4Tbo@5$6CSB z&?-ARKU8eKz)cCcGj9LX04cjj=a6-(^OKIN&4DnrbqK}Hd?X&lgM2 zZHobsb+l(4ypC>qK!Z|Q7wO|@BEq-qzzFNC>lyv!*$#k!e)DTKmC9E#Q1M(;2o-|Cq=>}+(i^xczK2*i^` zLWZWpvW?d#`0n3nfCMef?*k7&9-j7ly26?+1H7a9UFV?-ss$0dKr&<7@pbbg^pYg^p0Jwr&y^cckck~UVkX>y3Af zF)QlQj>Nh6O?EA)> zQVaMy!^*~+sQSj7C!9DtXn`oS=X!<~d~#CLb^G(Eo}@FOjgHS@8E+JEgu}MYL@s%V z2eYdy5XGtVN@`qqE)-^WQfIbBH-NA9~V2V}At z7nEHvgQND{`OxRh^L$`SXylkzw_(NvGcaHKP@ptR5)4*~@O0p!%Xf^=sowqPGi^WZ zGEqrp;=jMWN}m8vCbY-UjBc?QBTW099B@b`X-XytZ9!UYdZrr@OKw!FR~^?1;ErjF zW|KzHAzt86;HnhI+hi*LC%uvQMud}_dTGxi)AL6Ts|#c0cir?UMJF1rTsB&&eqPTN zdiqg1^{TjUoWDjV(-2!Kz_&16v44e}(uRMQTwMywc1vv$8-9{v9S-?EinQtR~y_UDp=`HLi5%FlRp?u#l5kx!Ys+_!h^Q!qqL#Kr5 zqjpPZguPCO_F6a0slEa)iW?;1Msy}^>OHM2?7S!hU1@HD5;9_ZTh&Tk-&j-uUQ)qU zOSZZ$W<=v*8XU5K&QTnxFe>RUS6OwQ8;tL-JasqN)_d|f8j&9Qf=esi^fT+lEMR%p%&L9h)sbhG|&Q#BJ;>G5+@oX_we}Wo4Y5uNI$en0C=zBWq zEL$oui>NtcdY?h(<>I4mwGDIQ8-T)8{nfKVQRj{Q2Tc z4y$%Mq&$+E=qBH$Xa;s0M5UZyVh#R{t8*`|3R6qUiVQxbJ^#e~HskU9#p)ZpOQFo} zOM~6ki39=)lI$I;HU2XmmjfxUS*_us`yIKdc&gTsP&nPoxDMiLJ+=y9L2+Uw0qWJkLc$0X~E&3`=^wZ_ysk-Ye&$M^KR6HuL?)#~k z4-?b!g@{}FQH#M50rn#NC*#LKZxGGt1WDE>n=|sW?`%=tg8C~b?5H_Fp5z{{i>R+# zJ-Bs+^cdBio-nhELdmD0vQJG?iF-eX?BJwYXqlU?e6@=fa;w&Ao)n6Fv>wZzFd$h# zR%xuKw&F)&kj1_dlDxTQr+tf)y4u|8I^T+bfZ%nocWiFKuY+A>*2YY7Kr%ntMB{@P z4rg2kyc*u%m`2!kbE4!!*~KE0)*sBC;6&9UtnROhLya@Wx=(4?2yJ(>FaHP@dYnoA z_2b5OVCjXyTK!rXPORg2={Nw9^I@1?wzBq}p zT^#D3qx{W_i76@yG;qxSV$tJ0<7-BJop+v2i`_r5r-G38lTiJoAK>VCLe)8iJrlMm_PNs~%}F{&pB9S5`zJ?4 z1?)?3oy4R_cmd5rVY9|T*z&S+thc|)Tf%~HBaR=3&)kG95Um{eQ3!{!d}_wRKu6E# zDtLPPU?xnf(5t_OszcU8NmWqPoG+5@@CMWu*E-8_vuT6Y5axNVkUHN2alRwg0apG7@B0emYYJ^0PWj&%Wq=r_2!++gc#~l6M;wh6n2GA(qb~1*oyk 
z<~kDj>v#B-j8W4|0*Vbx-W~k%=tw^jvt{Nlt5>djq!4Zr(_?jqKrKqRJ}4Pc4rP&Z z!)YR*cqp*Ya5NcHWnSF6N6Ui~-ERm?b<6bk9P7q&_UxqGy}qRvW^)7J5XXU_gD-`6 ztlHMQ`os4}Lg#WOIet(vpQ}9i*ygnY@{ZdUsM^?bE`zOTpLrTLBNs*nMMs=tjtH+? z!F7s!81sFij~5*G1@}u@2C}7E&6@YXwgsLv1<^$3u{4L{DR`yrvPT% zfY%?#N4Oo^C*G6Tb~z8WK;pf}^i%`=92$?Wi?8y$<7KrnH-gzy%Pg`5u*h~;C(!gb zVeqD5SDGoa;6l0SHe>#7gI60pLorXJ&-tNV2M`N<@0Gt;0q^oPt!e5%T&yY5vEO+; zbtCBmB=Sl{J)N9ub|Y8JAvjnwABvSfzrH(MpIeCm3a-OlNqfukfdvn*%C7Q6<1VM= zQ#Y@M`dOka2Zhhw+BFz@(W4tCK-D@vXPBrw=Bv4G%NyBBVUq1me z(LglHlx{J~)Z8aCw~V*#nX<-cfFrNc=zKalnY03Wm>>o;u5ZZhmo(0~X!Ra$vCmoN zV&+L5g02YgOSPL^tZFO$`7iraC4TJ72jqgLvKi>&y*FaL_^S4@hUpQ?tf2bGqSn$} z!RBg$-%9q1+I#f3X)F9h;nXm4d4fT|_beR`?xCUgtL`WcHb9w9M+f)U@qPg_POAn> zJ~JCWNHtO#EfI?}eZ6e$UvF6zEx5F$fup0wy^Y3upnmYtvG7x8 z`U?z$D$C!cVAF@z^QESwx;Li=5)*Fk7UcsfZkivaLUCuGstY|7E4oWQQb_XJ%h5(= z1I59pnr{+*g{7&Zsvl>L-JUSU{eObRf71$EX2Twexc18NkByldDZQd z9iuv<)n`$9H&&GGtHdxMHvuJ0rwLiWn$h6BL;45ZxS9atKhkt=y~Ggt_;K$z*%wYYwtpYmqc%ajS?oEy=Oxc8n86?q&+3##5Pd9`a3kVPbt!d~v<1 zZq1qij}zT4@pu_$`Z*vX$-keW*)sM%rbaNHJh{W+D~DO4-^}EZ)SRR8=L2pPNS)jj z*#>$&Xdf&xn|veYP0g;!HhRx;gFFS92giD)Cudu%|7jY^J^fhtmGbetvKmPbo}1f| zIQr0`r{padsJm?7a;O4k05xrh%QV6I`sJ*OPT!p~oU+tRbvJX zLgilLtqIpig2PT76YAZ+^9xy#Xfv%6l9{CLW$!@Ph7(>l(PDgO5z6UJ-?KU(c>hCU zJYtDl#=F!1#FQEDw0}}SN8}{J{_<^PUjSs4CCXd!x70}pB8Gg`*J1ylx}rAF_5n0% zFUw`7a!bFUanhaC94QsX?cm%{xBvUTGZrd1$c1 zY?*F0D%Xv-GZ7u5`4fhL^>GHI&ROH9lE+KB`A+_oef!QY@D)AFdTFHQhFw%+^SC>2 zgH8RnEmL>v%xtY(huJJju1{aqS3ygNM`#26Svi&tCCQMQ32_FbUwn=06LSy)D^EIr z^>2jah6qE#6@y4Y!=FF7`OR6Sb$?60aSv@Q@2~aYT@VZ)EDFho_Xr@OZ9z}@JJXcC zN>_XZGd12@B~5bJhY$ubxs5GwF81Ml`NH|U1!l-rIKg8ysaH(=;Oo%_sG<2P)e9xf znNAceaG~3HuBfJ2chAH|vw?;@kiUBggsb3JOV1k5xbPAHr~T0OM4Jf5RVV#;k3GPg ziO_bX;pQ@LcP;{jHCPYs@GxiF<%3c}KxCKK+$Ya^wzDn+2U^pFzc0|0TLk{N>8tls z7XoJa?@7%I3&w~~{UEA`3hpFJmszT-qPWbTzO8pG(c>do>eZZtMl72d5KkISqK$)l zKYZm{`n=;ozkZ*op`?sb480QquQ0?u9s`XX{8(xJgq_36IFz_8fv9x%;)W3{8wAt? 
z`O)6{oL@`+OtD=~Ab(lZJ{=37`vx3X`j;Lq)sYB@1F*Vc`%rRW)TAK11|D|1HO>Z@ zN7oaa)FK=7OcJXeSkwzwj6AAe#=c77rG!L@661N`d2-^TOQP6c=h_)c4i7P2Xs2Jy zf5boOez$Wx{1>tdfy5)DC3oIF-=@Mpxh=u2ks%|N*fYfbRoIRW#ZJ`e6bf;htX47f z`QK4Og-7CG?C`zi{lxDpMpG-{_QxcsnmVw*BSkYc!)X*Vby@3fTJ8C~hqm>5-TaWu ze*gp`|EB@+s08fh`=I@c>Ixgn_-V85w9R6_zOYZvTF8*wO`05Eu7kf!j5hzZY?tNq z$#O_o(DpaGB4~-o1Luhn;Br0ozzINSg`HoEW_c^U0Ya^;ht0zWY5NH^_i{0MR}z=b zt=M-GXO^tq41I;>K>yx3*KcHQ4#phWb#X)^Nyl6_wg*5@t6LXkGiu-=&F?F2@zV!W~c%Rhu z(EW}6IT}Z!Lm_h+lp0e_0xwSghG$4pV%f*sf4v-H*qh)mw!qBuA3$imb8Ve}ze<9$h}OsZ>*~|qD~MDm^!FyL%1J{G>m6dV zF^;XUDkY8gS8xA*tw_J*Q4~jyBJ7~!+T39Gou(#+-!%oX^GV0eJKNuy$s?>W3~W&E z(U(gult|V(3jO-=mV-V8=7FxiJ@t_W9pvnT7jN4eE zpp5>L$B!?HqXkI!v6=~sJKco;Faeq^j58*Xx14MhhVf&<)E5Y5^)Ow$OKuA;`8*RR z##AdnbmXH&E)E4!esr+l9U0UKVs-}bWO&9VFl8ls+DZKncUBdi@9N!&oqjS2xAM_Q z-AV44+SN4VTx=P3`b|2+AsT_q5p%LvI3=*uj(H6{Z2eHfSfrh1xMgY@tO*Esc?8@# zQVs?%Q0;%!dP)va$Gbd{2IQkbQ45h&BA?GxNGCVL z4+l+zxIQDd)O#I6`$&|oWi`;i91gLE6mLxSj4I1@*xBnJ-S>I7CzRU#7zH9JMzIEz z=5?vU7m$v{u;Ruv5~io?#6by<>7GT2(&2&Kg!e2*i(P>F$MXMRS}C{BF;^q;hDPWn zWOZ^kXG=GFoA+WAXAlIA!asW2O8$Ual@F zFidjq)u*_ZUuHA&N%cR0a2@_bo^b$_q^fqKQmTLB`7Bwwo%^mzo7UgWzJK>4sBrAp z(0UpU+bA`4dsEHEhKhCeB&|YHzyV^sn42r=4F>-|R2Cj9f5fLtEBiufY|Nl3-z^n% zfsSz9=6|TRz~^~E|8QlwAYA+Z8|W6Hh^AT~mwMyFfAWHcgrSK@`11e8uKfoc>rCLt zHo}Sn#F_k`ByhBa5OmV2Y95NPY28WF1d*BgF4_DVf3fnXysUsOzkM&q>Epp%xi9mA z%I7DnLkwPM*q)kO*zxmnz&tY=K_u%QmZ6|!4H`_e0T$ErZ1U4?NIz(gY9-aq8 zA+DoQDCFtrUqcI*WHg?xtpEDU9M&NTdN*JK-p&^83{dE1h)hVlN|HL@UZGYDHbf_U zRM$eKH2~%zS8pXxJ76DITRarovXro;%)b}J^G2n|1kQkvZ9Zq zjcm93#mQOc+e0Q8=J=rgFk5thUpg3<4`OkDV0bK|wvZN^fP|J6y2_uk#T?T1j8d|n zx@-1_@(5|v2nM(Of_Cn+Y%VJR7%B7nV`X1wzwl-f`kt)2Ktw#GR#6?GW-vmeGrRSE zKbS@P?!AdyXXDz!FV?EP#M7vY)DsdZ;E(Hy*FM|8-i3^{o`zj~#&(tq!>gkHG~)2kjS%?zI-)mP+jK9eHfsl79aa2M35v#e zWEzt)^pdY~zqZsVloYXujucx>uK8~#zJ0$FM6rC*JjdYOakQGxL6Sluu+1|j{8?WUXiUGAX@0jP*oh4!>p3$|mv`fxx$y8Uo9U7-EY^ioV za=rC8|Ir_qY_1wOr`Ieapmy5!qwnY2>Pir@?>`CGy%&m?MrRUxqx?-N`!P?<7w!`T 
z+SE?EA5gwou13p$$w^WZtJs|+E|7>xpumE8P*q;Q-q&j*z+*KG7kIkkL;J_CVpPP{ zy!6-So>BJucz91bOs`P-`EeSXIEmR;;K78dmmU^71Q%}%<%qN*rvoy~lxcsIc7TwP zx1V$vR{u~P6&ny(mh{S13jZinO9-jrs&1E&%Gh`QeuBZUZEh6q&U`>Qv;72`%6x71 z8gLb$R?Nl>d0nGtcmCL@=24OdQEE0uLE>#2t!0J6AHMZ1IVdFaD&0sy4^Ym)fTs zYj+Qpg}E`!Xf;F#L@!9n8IiEpKJ0+@Zm|P;DQ{QC*H*{#%03kXVsp=p%C=sVQ`4Ic zaSg~uiJ88nYH|JkxFso|=tr4a&17PNcNo$qrRVqyn;;cjt(Z|aZ>X!y>*rrQAdoxV zxIzsc{hxv>y#1E&j~{cM#No#TjxD8;j?wkT%YQF)jI))n+jvbcl`Gii{Go%=_fo3V z@D}7rqsEU%Kd*P0Rm~#b-tGV5&ny6(U34G(toRPg50P`w_I5GD>8@GPi!M@DC4EP8 zzqUrqI?<|-*-%`8*vvD|y$oF-TBAb#NOuhwQRWwDo=ZU;m%kh;o8W!RnydplIo!a2 zqW-rkUKwMwfIrN#7^+9IyeH*#)xydPI&NGzl2alrFnPA8z|Q@aNs*Fj)180At}x^~ zES*bNplzM(*~zwIA&06aPMpD31d*Uh$NnWw`MfMm#}gkjgAi7>&bDvmucy5H0}f?G z9vMm)N&OvcnVB&taUV=oDaF~{D`b@&+07!G9C+ub!vHNPGXGuN(#|OBjXEozip z7E-i8G9VdY!Rr2&9s71WS>ClO`IdO7zBY=gL;g%ghFPyVm-EZ^F6#h}z@fXQYOQ!n zYcieK2=UWzYms6d%Qn;3Ykn5=9K`eolDN^Y7t}o)-lRz6W0j6(ZblR7g-tsco^ktQ z9B|9bRM_ZFS~2HiH%hflTU;@jE;Q<;R#SU~3xE4e=i|H87j3h4OBpQh%`}A{{fu(SKJ>`nIFv{Xc3q|}M)ZWf>7av&CUIkICS*KpxYTid&#W0}Ue#HNW6)V4=EkvhlpaLhEi1 z)uKd1{8`=8JAkKc!*c?7-IN5nx8CkvS zX=dOvA$ibg{P#RA>8CVTfj4lGDLv5gzMQCGsMS>G*HWd=d$jwMRq+|tA>*ox)o>*D zJFCa%7!^(QHf^TH4D!gM`uTA~vyjwx*-0~^2P(ugRz{>AjEHTSB&)A7=K~Zr&1=5( zlQE6tskLjrel|{<5gHdpUu-h%Bzv|@4%8jyFm!(^sc4Xi^2Y9v_J-CQE9Ccw{K4{h zqR0p|1fpPt(Q^}@vzanq5lbq~KpQ~%JWdL3v^0L%#unb0Gwt(36Q-xJ6RRetBI9E5+HjwI$^e-L0`7AiFwGBkJ;G?}cUFQ>5fs@5aWDCin_`n#6d&_vH z?y(ND{2zv$`dU?4Sx|3+f#($y^*uv_>T%;d>2aTQh zzp6RUwfPSN5K3cJN&^*npkmg7@V%=X1WXnwz(Ri6(5dN!DJ@h}4c=_NAtStK~*gsmh#|OOm&dA17+BqgMoSB3cP;xUaH~9Am<~;!W6K5rQdT$Qy|?+yyBt7F19;DZr^tFn;^VMbxgAg<9q*9qxQSUMghK>}~d z3jAz!N~{U=8@Og_EIBFR_Pr6_LlY=w=e$z*L}LjnXJt`_MG8pRb}Vr%>;kTOod0K3G0*0Vk$McVUx1=|wN&ExPjBYtx9V0Bv8~p|S&&hj`_l!Yw+ZHgu zFPbM>D(j$hnLx&D!l4(~?-<2J$O;p~e{kTocFRu9?)mm#W1-8&Lc<-=ct;Yi{~$`R zoy(%$B!@Z@swl`KO=5;Db8m29xG=Vy;x#tMG&nG34ji)D@hx=ya-+T7owDzP8&6S5 zAR1Gm^HTgB%*nP5M{ja##3YhMc+}jP0x%-xw!|7@}X79Z3tUWvP7y0+Bqz07D1d$gsI)|th_S~9{9a79p 
zw%ZcSMYHlrXx?VcUxyM*2jdc<%-)SxDFM?TQjE9e6LgWgLk>cZ!T~~wnH7(h+!x1+ z6gSV_!?hM5gE~WW4#lW8;etpEFLmw^Uci1O$M33#>}JK*y+^e&aNP<^{l7e+?}O`HSBfmGCRuUf)aB%wgr5atXm1&I z4FAhQ(?UlxtktxdOM6-zG3?p_5V}jZJj;5rQq^6vy&z*&4il-(I8G59;01XFIq5kY zO5Kt1I>`ftg-zt*szj+C?xyg+mZEyvFhSmhR36+!FFPM4#vjgl9XWWz_4BO3`l2m= zr%aqx-LjezV(e;%^#U>>fYjUk_EBgkrv^o#=oIscKZ-Z#@)Y5qN-6PM&Drxf%-GiV ziRPtQ6cs8~rkE_I(KpEuC`rmaHocOWtI)M_;QL$Ch@j{x>8x^QSD@*UTgJD0l=hns zn-9@~Ty|siT&P)#>xJoUCj>YQ|Akj_OmG7otLPqj9A8!Wfj4+chawikCz+ji!68{XPD*4{VcUZ}x zE~rKj*g7<26HQURdTtR_0}6mm8jXoLU_!h7tfYXO3#b(dlZ{KfvZ-Q(W;=^uOp5|Qs`N! z`Q1(LXf@-1iMjNJjRdJO^{)KVSV#&Xv5QV7iYc8HW=MSkR%}p2 z9?ssXR|nFBPAHo_ydauwtT$|y0L8#~o*I@GUhiYKtPVHPEaA*rfQkBe+Wp-$d4L@k z7*(TRGOVhD5@0m5DRecNw>Rdr7%#dOX$;bOIy)nqBZ=|WlC)ap3DxTelEcq22ydEdcNAwJ}wqJjB z5S`qG6O%_0J;+TbHSSz0$WtM-keGo3*ZRTGnSz|PBB*Y7#OcH&&ub@vJkzAACL$H` z#jK)v=zGjyz~RH@SMn@8-G`T|x)~Ct9-eAf#hqqTl(Kmhw4G*AN~?_na?tC> zBak4=-c(DciiocWt8(C|niU&|*jkm^rRO|THgQ6PlY@vsb}z1aEm%K_!Z)ci z63n_1p403lEVnJSeoYr1>n@UJ>r9Je0p7G7G;Y&xLIf zGAQQGa7#|bktaYzo<;R2J4yCQ*+N**#5tTl$uwFy?r|Kxes6cX3?rH0i?K6BlIU4h zxLIdqHd%q}qF|U}>7-uf!GZepvmuB<8#JeD{V;ksHZ`Sh~aEPnE zsZ|;C@=U=R3~)8lOz8?rG-SYljzdlLJGvPwx3|HiWIz;M;75M(_q!WJfPHnDUtrzd zTc?`mZ~wBd5L)_7q(i$6cQ9FfS$?yFG2XkQ{lKIQJEq9>FMUhFa9{nT@cq`7;e3?g zvVDHmZ*leh`uQ5K$Cm(^_4jT5$;TCj8vjANl+C1o$!(b`3}hMqevHY5s>W>sQt?pdlx))-)z!wm>W=ghK>N+s&3fy%H=|1Fhwoh)7>ojYspG6i}Q_~}`xZNuw z=V@B1+4Un0uD`Z1>!s$b)3gXWZsDfsR$BWzry6T2lrUe|MPIG9>GZK#9KUwDopy0| zhn3V2sclKHPW|}zw+zdIC6%t)J#bd+zbLhQOIv*HQRu8}j|D;Tq_D?)S}nZ;V=}eP zXqS$(CseGw&8R_Mk*3Wch+%|2%z9SGfwz7Jd3|g0>1BDLB|8-P@B;JP`T??eZe3qP zxFWT3S29f!(&O*Fg>G=lCNRs^eQbzM&~%FRjS<&?G_k$il8#!@yq`X8@Z%sr}l@jCKsj9#jf+@ZQg5Kv1nlSvA2KGSZDxpZ#|2ljUZnyrf+OcK|R@Qf?}4p<^BW%DPL_>Qxy&1A*R~4afI(CH*7GTBAEA z*L#l0;r7RZ9IPEv($1~Jksfn}Y%4O|5pEAj6V$Og-R-x%^49*RC7~TS1n%_nhySFz zMR>RQ-eCqaarPQf^(J%t6tc==S5cmEMCneEU)oR0^mgP!_@YVClzG!fjgVKb*4nvt zir2SopI7y$1@^_AwRzxhVMd9Zj>N}YQWZI8CI7Hse^ld*K~2?WZ)| z$v=60k#1$Fy)gh@E?-ZA_pL4Ks>A1(8&Z`0eg`bfID0IePkUN~C5}(MQV4u;zH%CI 
z+DjqrO<#kTHKT<7FaXE{5KDg-xwm`n?k8~|KHw-n7JnX)iodP_Og|d0tY}VEyd>`;z|{ zdws@w=f}|fSN!G)ned6wFYW~&wOJ!J7j}+kI^A9_665DelGcVFRzjZ1;$~2Qjbi@0 zuc5j8HU*ZV24H(vdtVQZaD zNk>%gX*ii`yr8P|Nhs8fQq{FOu76+JX?rM>)gM~$*FSy4ZyzM*Kgk-THNOs#e6 zHXyP|GA@nkl)LvM*28vmKIlf2jzfcGl~~&_nJbP9<6Vl+b@&*v`RRB-I{m$NA-G0b zZXIt6XyO*To=EgeZd(DuE%$sCDk~Ix1F0Cg1W~`oSuM`)Gw5EZ?#SHAnd`|DmVyo; z6y9x8+?vVN;n3IYX+=^&hgVzQL827FXQp4j&U*m|cZzgdmu%WOAY53tKGL_N;H$Lv zxa9-gY*FgJg6d}y1?Z!GY1`FU8nm0*Afj`?{rDezq=A`OPE5acoU@(m+bQ=$px^{s z(DnRie5|Kd)SUgrV30NFySbaM#&p52hfD0W=Dpp16|HbQrYxDZp$stL~gS#2o&L4lwevk% zQ&SVfNlJEjD_$}byHRi7`w$>+Eu1A{`Q=+CCXrs*kV%PN>6g#qnVw^(d`1-5s8E4Z zUn71!|2hu!UiD3Jjk?rl?hF2HPeHKJL-fjF(I$Bfm6MW_QXF55%bRZ#GXh^=-Hbzw zEaHvp21Zt`_3l$!-a6m$*p2w^!^YLIxL~%79^|g8}*Rr{dTK8@*^> zyRvxY@2goMeqNa^UX=0+Vk>lWU|-6(VO*_Ag^mllP~+ad*JSGs+!K(G{)JM?M!1g# z8$3&nzsmeQPXH5(YBc9xL3Ab84qy`85RO_O{i3Xc18m#O&*zrjM<4&MMFG>yrzZw% tU;Z7;|IdW)-~L}?uKq6~Vx#s1AAN(Fqu7rL1IS#q%f^;QL<8rT{{bx+91;Kk literal 0 HcmV?d00001 diff --git a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx index fc34cd4eec2e6a..94946892870a71 100644 --- a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx +++ b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx 
@@ -18,6 +18,12 @@ When your database is isolated within a private network (such as a [virtual priv
 - [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) is used to establish the secure tunnel connection.
 - [Cloudflare Access](/cloudflare-one/policies/access/) is used to restrict access to your tunnel such that only specific Hyperdrive configurations can access it.
+A request from the Cloudflare Worker to the origin database goes through Hyperdrive, Cloudflare Access, and the Cloudflare Tunnel established by `cloudflared`. `cloudflared` must be running in the private network in which your database is accessible.
+
+The Cloudflare Tunnel will establish an outbound bidirectional connection from your private network to Cloudflare. Cloudflare Access will secure your Cloudflare Tunnel to be only accessible by your Hyperdrive configuration.
+
+![A request from the Cloudflare Worker to the origin database goes through Hyperdrive, Cloudflare Access and the Cloudflare Tunnel established by `cloudflared`.](~/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png)
+
 :::caution[Warning]
@@ -177,4 +183,5 @@ If you successfully receive the list of `pg_tables` from your database when you
 ## Troubleshooting
 If you encounter issues when setting up your Hyperdrive configuration with tunnels to a private database, consider these common solutions, in addition to [general troubleshooting steps](/hyperdrive/observability/troubleshooting/) for Hyperdrive:
-* Ensure your database is configured to use TLS (SSL). Hyperdrive requires TLS (SSL) to connect.
+
+- Ensure your database is configured to use TLS (SSL). Hyperdrive requires TLS (SSL) to connect.
From 0de7277fc6027a806735994b02045bd5a8462d9f Mon Sep 17 00:00:00 2001
From: Ketan Gupta
Date: Fri, 24 Jan 2025 13:58:37 +0000
Subject: [PATCH 044/129] [Workers] Fix broken link in dev-tools/index.mdx (#19406)
---
 src/content/docs/workers/observability/dev-tools/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/workers/observability/dev-tools/index.mdx b/src/content/docs/workers/observability/dev-tools/index.mdx
index 6fd5d91b5d2e61..5db135d0af7d23 100644
--- a/src/content/docs/workers/observability/dev-tools/index.mdx
+++ b/src/content/docs/workers/observability/dev-tools/index.mdx
@@ -8,7 +8,7 @@ meta:
 ## Using DevTools
-When running your Worker locally using `wrangler dev`, you automatically have access to [Cloudflare's implementation](https://github.com/cloudflare/workers-sdk/tree/main/packages/wrangler-devtools?cf_target_id=115890352C73E75FD7D837D0B8720E96) of [Chrome's DevTools](https://developer.chrome.com/docs/devtools/overview).
+When running your Worker locally using `wrangler dev`, you automatically have access to [Cloudflare's implementation](https://github.com/cloudflare/workers-sdk/tree/main/packages/chrome-devtools-patches) of [Chrome's DevTools](https://developer.chrome.com/docs/devtools/overview).
 DevTools help you debug and optimize your Workers.
 :::note
From 8a4641d26d4373d71de8c5f3964e889077722349 Mon Sep 17 00:00:00 2001
From: "hyperlint-ai[bot]" <154288675+hyperlint-ai[bot]@users.noreply.github.com>
Date: Fri, 24 Jan 2025 08:01:58 -0600
Subject: [PATCH 045/129] Hyperlint Automation: Broken Link Fixes (#19353)
* Fix issue: WorkspaceTaskSubType.BROKEN_LINK
* Fix issue: WorkspaceTaskSubType.BROKEN_LINK
* Fix issue: WorkspaceTaskSubType.BROKEN_LINK
* Fix issue: WorkspaceTaskSubType.BROKEN_LINK
* Fix issue: WorkspaceTaskSubType.BROKEN_LINK
* PCX review
---------
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
---
 src/content/docs/ai-gateway/providers/workersai.mdx | 4 ++--
 .../tutorials/creating-a-recommendation-api.mdx | 2 +-
 .../reference-architecture/diagrams/ai/ai-asset-creation.mdx | 4 ++--
 .../how-to-choose-the-right-text-generation-model.mdx | 4 ++--
 src/content/partials/workers-ai/openai-compatibility.mdx | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/content/docs/ai-gateway/providers/workersai.mdx b/src/content/docs/ai-gateway/providers/workersai.mdx
index 79422005b577ac..5d8cc4334f4097 100644
--- a/src/content/docs/ai-gateway/providers/workersai.mdx
+++ b/src/content/docs/ai-gateway/providers/workersai.mdx
@@ -114,6 +114,6 @@ Workers AI supports the following parameters for AI gateways:
 - `id` string
 - Name of your existing [AI Gateway](/ai-gateway/get-started/#create-gateway). Must be in the same account as your Worker.
 - `skipCache` boolean(default: false)
- - Controls whether the request should [skip the cache](/ai-gateway/configuration/caching/#skip-cache-cf-skip-cache).
+ - Controls whether the request should [skip the cache](/ai-gateway/configuration/caching/#skip-cache-cf-aig-skip-cache).
 - `cacheTtl` number
- - Controls the [Cache TTL](/ai-gateway/configuration/caching/#cache-ttl-cf-cache-ttl).
+ - Controls the [Cache TTL](/ai-gateway/configuration/caching/#cache-ttl-cf-aig-cache-ttl).
diff --git a/src/content/docs/developer-spotlight/tutorials/creating-a-recommendation-api.mdx b/src/content/docs/developer-spotlight/tutorials/creating-a-recommendation-api.mdx
index 4de7150c02e40b..43287c5a2e1ddb 100644
--- a/src/content/docs/developer-spotlight/tutorials/creating-a-recommendation-api.mdx
+++ b/src/content/docs/developer-spotlight/tutorials/creating-a-recommendation-api.mdx
@@ -173,7 +173,7 @@ Let's start implementing step-by-step.
 ### Bind Workers AI and Vectorize to your Worker
-This API requires the use of Workers AI and Vectorize. To use these resources from a Worker, you will need to first create the resources then [bind](/workers/runtime-apis/bindings/#what-is-a-binding) them to a Worker. First, let's create a Vectorize index with Wrangler using the command `wrangler vectorize create {index_name} --dimensions={number_of_dimensions} --metric={similarity_metric}`. The values for `dimensions` and `metric` depend on the type of [Text Embedding Model](/workers-ai/models/#text-embeddings) you are using for data vectorization (Embedding). For example, if you are using the `bge-large-en-v1.5` model, the command is:
+This API requires the use of Workers AI and Vectorize. To use these resources from a Worker, you will need to first create the resources then [bind](/workers/runtime-apis/bindings/#what-is-a-binding) them to a Worker. First, let's create a Vectorize index with Wrangler using the command `wrangler vectorize create {index_name} --dimensions={number_of_dimensions} --metric={similarity_metric}`. The values for `dimensions` and `metric` depend on the type of [Text Embedding Model](/workers-ai/models/) you are using for data vectorization (Embedding). For example, if you are using the `bge-large-en-v1.5` model, the command is:
 ```sh
 npx wrangler vectorize create stripe-products --dimensions=1024 --metric=cosine
diff --git a/src/content/docs/reference-architecture/diagrams/ai/ai-asset-creation.mdx b/src/content/docs/reference-architecture/diagrams/ai/ai-asset-creation.mdx
index 1223203503a6fc..198999947776b9 100644
--- a/src/content/docs/reference-architecture/diagrams/ai/ai-asset-creation.mdx
+++ b/src/content/docs/reference-architecture/diagrams/ai/ai-asset-creation.mdx
@@ -34,13 +34,13 @@ Example uses of such compositions of AI models can be employed to generation vis
 ![Figure 1:Content-based asset generation](~/assets/images/reference-architecture/ai-asset-generation-diagrams/ai-asset-generation.svg "Figure 1: Content-based asset generation")
 1. **Client upload**: Send POST request with content to API endpoint.
-2. **Prompt generation**: Generate prompt for later-stage text-to-image model by calling [Workers AI](/workers-ai/) [text generation models](/workers-ai/models/#text-generation) with content as input.
+2. **Prompt generation**: Generate prompt for later-stage text-to-image model by calling [Workers AI](/workers-ai/) [text generation models](/workers-ai/models/) with content as input.
 3. **Safety check**: Check for compliance with safety guidelines by calling [Workers AI](/workers-ai/) [text classification models](/workers-ai/models/#text-classification) with the previously generated prompt as input.
 4. **Image generation**: Generate image by calling [Workers AI](/workers-ai/) [text-to-image models](/workers-ai/models/#text-to-image) previously generated prompt.
 ## Related resources
 - [Community project: content-based asset creation demo](https://auto-asset.pages.dev/)
-- [Workers AI: Text generation models](/workers-ai/models/#text-generation)
+- [Workers AI: Text generation models](/workers-ai/models/)
 - [Workers AI: Text-to-image models](/workers-ai/models/#text-to-image)
 - [Workers AI: llamaguard-7b-awq](/workers-ai/models/llamaguard-7b-awq/)
diff --git a/src/content/docs/workers-ai/tutorials/how-to-choose-the-right-text-generation-model.mdx b/src/content/docs/workers-ai/tutorials/how-to-choose-the-right-text-generation-model.mdx
index 7754b72e65121d..f7f9b825b1faa6 100644
--- a/src/content/docs/workers-ai/tutorials/how-to-choose-the-right-text-generation-model.mdx
+++ b/src/content/docs/workers-ai/tutorials/how-to-choose-the-right-text-generation-model.mdx
@@ -36,7 +36,7 @@ You can [download the Workers AI Text Generation Exploration notebook](/workers-
 Models come in different shapes and sizes, and choosing the right one for the task, can cause analysis paralysis.
-The good news is that on the [Workers AI Text Generation](/workers-ai/models/#text-generation) interface is always the same, no matter which model you choose.
+The good news is that on the [Workers AI Text Generation](/workers-ai/models/) interface is always the same, no matter which model you choose.
 In an effort to aid you in your journey of finding the right model, this notebook will help you get to know your options in a speed dating type of scenario.
@@ -130,7 +130,7 @@ def speed_date(models, questions):
 Who better to tell you about the specific models than themselves?!
-The timing here is specific to the entire completion, but remember all Text Generation models on [Workers AI support streaming](/workers-ai/models/#text-generation).
+The timing here is specific to the entire completion, but remember all Text Generation models on [Workers AI support streaming](/workers-ai/models/).
 ```python
 models = [
diff --git a/src/content/partials/workers-ai/openai-compatibility.mdx b/src/content/partials/workers-ai/openai-compatibility.mdx
index 94cc34e116a0f5..64bc69da90146c 100644
--- a/src/content/partials/workers-ai/openai-compatibility.mdx
+++ b/src/content/partials/workers-ai/openai-compatibility.mdx
@@ -3,4 +3,4 @@ --- -Workers AI supports OpenAI compatible endpoints for [text generation](/workers-ai/models/#text-generation) (`/v1/chat/completions`) and [text embedding models](/workers-ai/models/#text-embeddings) (`/v1/embeddings`). This allows you to use the same code as you would for your OpenAI commands, but swap in Workers AI easily. +Workers AI supports OpenAI compatible endpoints for [text generation](/workers-ai/models/) (`/v1/chat/completions`) and [text embedding models](/workers-ai/models/) (`/v1/embeddings`). This allows you to use the same code as you would for your OpenAI commands, but swap in Workers AI easily. From 978b721b3bb8ff5b9875c60ad102e78e80d30c2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Fri, 24 Jan 2025 08:57:18 -0600 Subject: [PATCH 046/129] [Fundamentals] Added info for account and user tokens (#19372) * Added info for account and user tokens * Edited example URL to be consistent with style guide --- .../api/how-to/create-via-api.mdx | 91 ++++++++++++++++++- 1 file changed, 89 insertions(+), 2 deletions(-) diff --git a/src/content/docs/fundamentals/api/how-to/create-via-api.mdx b/src/content/docs/fundamentals/api/how-to/create-via-api.mdx index 06c1fda17b2428..b3ea27fb775a72 100644 --- a/src/content/docs/fundamentals/api/how-to/create-via-api.mdx +++ b/src/content/docs/fundamentals/api/how-to/create-via-api.mdx @@ -6,7 +6,7 @@ sidebar: --- -import { Render } from "~/components" +import { Render, Tabs, TabItem } from "~/components" Generate new API tokens on the fly via the API. Before you can do this, you must create an API token in the Cloudflare dashboard that can create subsequent tokens. 
@@ -24,7 +24,7 @@ Cloudflare also recommends limiting the use of the token via client IP address f
 ## Creating API tokens with the API
-Once you create an API token that can create other tokens, you can now use it in the API. Refer to the [API schema docs](/api/resources/user/subresources/tokens/methods/create/) for more information.
+You can create a user owned token or account owned token to use with the API. Refer to the [user owned token](/api/resources/user/subresources/tokens/methods/create/) or the [account owned token](/api/resources/accounts/subresources/tokens/methods/create/) API schema docs for more information.
 To create a token:
@@ -130,6 +130,93 @@ Each parameter in the `in` and `not_in` objects must be in CIDR notation. For ex Combine the previous information to create a token as in the following example: + + +```bash +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/tokens" \ +--header "Authorization: Bearer " \ +--header "Content-Type: application/json" \ +--data '{ + "name": "readonly token", + "policies": [ + { + "effect": "allow", + "resources": { + "com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*", + "com.cloudflare.api.account.zone.22b1de5f1c0e4b3ea97bb1e963b06a43": "*" + }, + "permission_groups": [ + { + "id": "c8fed203ed3043cba015a93ad1616f1f", + "name": "Zone Read" + }, + { + "id": "82e64a83756745bbbb1c9c2701bf816b", + "name": "DNS Read" + } + ] + } + ], + "not_before": "2020-04-01T05:20:00Z", + "expires_on": "2020-04-10T00:00:00Z", + "condition": { + "request.ip": { + "in": [ + "199.27.128.0/21", + "2400:cb00::/32" + ], + "not_in": [ + "199.27.128.1/32" + ] + } + } +}' +``` + + +```bash +curl "https://api.cloudflare.com/client/v4/user/tokens" \ +--header "Authorization: Bearer " \ +--header "Content-Type: application/json" \ +--data '{ + "name": "readonly token", + "policies": [ + { + "effect": "allow", + "resources": { + "com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*", + "com.cloudflare.api.account.zone.22b1de5f1c0e4b3ea97bb1e963b06a43": "*" + }, + "permission_groups": [ + { + "id": "c8fed203ed3043cba015a93ad1616f1f", + "name": "Zone Read" + }, + { + "id": "82e64a83756745bbbb1c9c2701bf816b", + "name": "DNS Read" + } + ] + } + ], + "not_before": "2020-04-01T05:20:00Z", + "expires_on": "2020-04-10T00:00:00Z", + "condition": { + "request.ip": { + "in": [ + "199.27.128.0/21", + "2400:cb00::/32" + ], + "not_in": [ + "199.27.128.1/32" + ] + } + } +}' +``` + + + ```bash curl "https://api.cloudflare.com/client/v4/user/tokens" \ --header "Authorization: Bearer " \ 
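Review bot: Both requests added in this hunk (the `/accounts/{account_id}/tokens` and `/user/tokens` examples) hard-code `"not_before": "2020-04-01T05:20:00Z"` and `"expires_on": "2020-04-10T00:00:00Z"`, a validity window that closed years before this commit, so a reader who pastes either request unchanged asks for a token that is presumably expired on arrival or refused. I would swap the two values for labelled placeholders, for example `"expires_on": "<EXPIRY_RFC3339_TIMESTAMP>"`, and say in the sentence above the tabs that a short, future window is intended. Separately, the trailing context still opens the pre-existing `curl "https://api.cloudflare.com/client/v4/user/tokens"` block and the diffstat for this file lists only two deletions, so the user-owned request appears to end up on the page twice, once inside the new tab and once below it; the rest of that block lies outside the hunk, so confirm before dropping it. The `Authorization: Bearer ` header also shows no placeholder in this view, which may be an extraction artifact, but a named placeholder there would make it clear that the token with permission to create tokens goes in that slot.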
From 121ac231963296239f762b00a632e4922cb75f92 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Fri, 24 Jan 2025 15:49:26 +0000 Subject: [PATCH 047/129] [1.1.1.1] Make troubleshooting prominent on the sidenav (#19407) * Adjust page name, improve links, and make it top-level on the sidenav * Adjust meta title * Rename file for consistency --- src/content/docs/1.1.1.1/faq.mdx | 2 +- src/content/docs/1.1.1.1/terms-of-use.mdx | 2 +- .../reporting-issues.mdx => troubleshooting.mdx} | 12 +++++++----- 3 files changed, 9 insertions(+), 7 deletions(-) rename src/content/docs/1.1.1.1/{setup/reporting-issues.mdx => troubleshooting.mdx} (89%) diff --git a/src/content/docs/1.1.1.1/faq.mdx b/src/content/docs/1.1.1.1/faq.mdx index 34310c8cf34370..57569899c5f734 100644 --- a/src/content/docs/1.1.1.1/faq.mdx +++ b/src/content/docs/1.1.1.1/faq.mdx @@ -3,7 +3,7 @@ pcx_content_type: faq title: FAQ structured_data: true sidebar: - order: 8 + order: 12 slug: 1.1.1.1/faq --- diff --git a/src/content/docs/1.1.1.1/terms-of-use.mdx b/src/content/docs/1.1.1.1/terms-of-use.mdx index 070c4e9c2a07d4..2a9687a7bff29f 100644 --- a/src/content/docs/1.1.1.1/terms-of-use.mdx +++ b/src/content/docs/1.1.1.1/terms-of-use.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Terms of use sidebar: - order: 7 + order: 10 slug: 1.1.1.1/terms-of-use --- diff --git a/src/content/docs/1.1.1.1/setup/reporting-issues.mdx b/src/content/docs/1.1.1.1/troubleshooting.mdx similarity index 89% rename from src/content/docs/1.1.1.1/setup/reporting-issues.mdx rename to src/content/docs/1.1.1.1/troubleshooting.mdx index 2499955ad0b1bf..34405246ec0db1 100644 --- a/src/content/docs/1.1.1.1/setup/reporting-issues.mdx +++ b/src/content/docs/1.1.1.1/troubleshooting.mdx 
@@ -1,18 +1,19 @@ --- pcx_content_type: troubleshooting -title: Reporting Issues with Cloudflare's DNS Resolver +title: Troubleshooting +description: Learn how to diagnose and report issues with Cloudflare's DNS Resolver sidebar: - order: 3 + order: 8 head: - tag: title - content: Reporting Issues with Cloudflare's DNS Resolver + content: Troubleshooting DNS Resolver slug: 1.1.1.1/troubleshooting --- import { Render } from "~/components" -This guide will help you diagnose and resolve common issues with Cloudflare's DNS Resolver. Before proceeding with manual troubleshooting steps, you can use our [diagnostic tool](https://one.one.one.one/help/) to automatically gather relevant information. +This guide will help you diagnose and resolve common issues with Cloudflare's DNS Resolver. Before proceeding with manual troubleshooting steps, you can [verify your connection](/1.1.1.1/check/) to automatically gather relevant information. ## Name resolution issues @@ -136,4 +137,5 @@ If your traceroute fails at the first hop, the issue is likely hardware-related. ## Additional resources - [1.1.1.1 DNS Resolver homepage](https://1.1.1.1) -- [DNS-over-TLS documentation](/1.1.1.1/encryption/dns-over-tls/) +- [DNS over TLS documentation](/1.1.1.1/encryption/dns-over-tls/) +- [Diagnostic tool](https://one.one.one.one/help/) From 8d6f73b57f15cff8d7b7fa8c88a87ba67aafe7ad Mon Sep 17 00:00:00 2001 From: Paolo Tagliaferri Date: Fri, 24 Jan 2025 16:20:36 +0000 Subject: [PATCH 048/129] ZT User Certificates - banner link not working across all required pages (#19405) * Update automated-deployment.mdx * Update manual-deployment.mdx * Update custom-certificate.mdx --- .../user-side-certificates/automated-deployment.mdx | 2 +- .../user-side-certificates/custom-certificate.mdx | 2 +- .../user-side-certificates/manual-deployment.mdx | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx index 47e4aa6b23a896..bd22817eee97ae 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx @@ -6,7 +6,7 @@ sidebar: head: [] description: Automatically deploy a root certificate on desktop devices. banner: - content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Details } from "~/components"; diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index 3fdfecc1201967..9cdc0840bac358 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx 
@@ -7,7 +7,7 @@ head: [] description: Configure WARP to use a custom root certificate instead of the Cloudflare certificate. banner: - content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Render, Tabs, TabItem } from "~/components"; diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx index 2352abb521bbc0..14e7ca8dc4c527 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment.mdx @@ -7,7 +7,7 @@ head: [] description: Manually add a Cloudflare certificate to mobile devices and individual applications. banner: - content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Details, Render, TabItem, Tabs } from "~/components"; 
From 5efb3f7c57306bc6d23e14ef023c2539adf93c1b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 24 Jan 2025 16:41:00 +0000 Subject: [PATCH 049/129] [Docs Site] Bump @cloudflare/workers-types (#19365) Bumps [@cloudflare/workers-types](https://github.com/cloudflare/workerd) from 4.20250109.0 to 4.20250121.0. - [Release notes](https://github.com/cloudflare/workerd/releases) - [Changelog](https://github.com/cloudflare/workerd/blob/main/RELEASE.md) - [Commits](https://github.com/cloudflare/workerd/commits) --- updated-dependencies: - dependency-name: "@cloudflare/workers-types" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 68a1c9c02feb74..c5f80a8025c378 100644 --- a/package-lock.json +++ b/package-lock.json @@ -17,7 +17,7 @@ "@astrojs/tailwind": "5.1.4", "@cloudflare/puppeteer": "0.0.14", "@cloudflare/vitest-pool-workers": "0.6.0", - "@cloudflare/workers-types": "4.20250109.0", + "@cloudflare/workers-types": "4.20250121.0", "@codingheads/sticky-header": "1.0.2", "@expressive-code/plugin-collapsible-sections": "0.38.3", "@iarna/toml": "2.2.5", 
@@ -2251,9 +2251,9 @@ } }, "node_modules/@cloudflare/workers-types": { - "version": "4.20250109.0", - "resolved": "https://registry.npmjs.org/@cloudflare/workers-types/-/workers-types-4.20250109.0.tgz", - "integrity": "sha512-Y1zgSaEOOevl9ORpzgMcm4j535p3nK2lrblHHvYM2yxR50SBKGh+wvkRFAIxWRfjUGZEU+Fp6923EGioDBbobA==", + "version": "4.20250121.0", + "resolved": "https://registry.npmjs.org/@cloudflare/workers-types/-/workers-types-4.20250121.0.tgz", + "integrity": "sha512-2bBosmudcwvUOKzuCL/Jum18LDh3QoU0QnTNMXIgcVwuq3LaNzyZnOW14bFXPhLU/84ZjNO3zO5R/U11Zgag2Q==", "dev": true, "license": "MIT OR Apache-2.0" }, diff --git a/package.json b/package.json index f736454641c78a..2ddfed2e2a1396 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ "@astrojs/tailwind": "5.1.4", "@cloudflare/puppeteer": "0.0.14", "@cloudflare/vitest-pool-workers": "0.6.0", - "@cloudflare/workers-types": "4.20250109.0", + "@cloudflare/workers-types": "4.20250121.0", "@codingheads/sticky-header": "1.0.2", "@expressive-code/plugin-collapsible-sections": "0.38.3", "@iarna/toml": "2.2.5", From e8fc5ae5f00390030efa513f6f5f29c7cc49a853 Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Fri, 24 Jan 2025 17:16:20 +0000 Subject: [PATCH 050/129] [CF1] ip visibility update (#19354) * [CF1] ip visibility update * edits about device event log * final edits * final edits * Apply suggestions from code review Max edits Co-authored-by: Max Phillips --------- Co-authored-by: Max Phillips --- .../insights/dex/ip-visibility.mdx | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx diff --git a/src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx b/src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx new file mode 100644 index 00000000000000..7c2511c7ba6bb8 --- /dev/null +++ b/src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx 
@@ -0,0 +1,61 @@ +--- +pcx_content_type: reference +title: IP visibility +sidebar: + order: 7 +--- + +import { Render } from "~/components"; + +DEX's IP visibility gives administrators insight into three different IP types per device: + +1. **Device**: The private IP address of an end-user device. +2. **ISP**: The public IP assigned by the ISP that the end-user device is being routed though. +3. **Gateway**: The router's private IP (the router the end device is connected to.) + +:::note + +The ISP IP is only visible to users with the [Zero Trust PII role](/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii). + +::: + +DEX's IP visibility supports both IPv6 and IPv4 addresses. + +IP information is crucial for IT administrators to accurately troubleshoot network issues and identify user locations. IT administrators face challenges like: + +- Pinpointing the exact location of a user experiencing issues ("AP 87 is bad.") +- Identifying network access control policy violations ("NAC Policies is not applied properly.") +- Troubleshooting firewall restrictions ("Firewall on VLAN 93 is blocking.") +- Resolving Layer 2 and DHCP related problems. +- Indirectly determining user identity and device location. + +## View a device's IP information + +To view IP information for a user device: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **Devices**. +2. Select a device, then select **View details**. +3. Under **Details**, scroll down to **IP details**. +4. Review the IP details for your selected device's most recent session. + +## View a device's IP history + +DEX's IP visibility allows you to review an event log of a device's IP history for the last seven days. To view a device's IP history: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **Devices**. +2. Select a device > **View details** > under **Details**, scroll down to **IP details**. +3. Select **View device history**. +4. 
View the device's IP history and status from the last seven days. +5. Select a time to view more information about the device at that time. + +Refer to [Available metrics](/cloudflare-one/insights/dex/fleet-status/#available-metrics) to review **Status** and **Mode** descriptions. + +## Troubleshoot with IP visbility + +While IP visibility allows you to inspect a device's IP information, use [DEX's live analytics](/cloudflare-one/insights/dex/fleet-status/#available-metrics) to review which Cloudflare data center the device is connected to. When traffic leaves a WARP-connected end-user device, it will hit a [Cloudflare data center](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#identify-the-cloudflare-data-center-serving-your-request). + +To find which Cloudflare data center a device is connected to: + +1. Follow the steps listed in [View IP information](#view-a-devices-ip-history) to find a device's IP information. +2. Select **Device Monitoring** above **Device event log**. +3. Find **Colo** in the **Device details** table to review which Cloudflare data center your selected device's egress traffic is connected to. From 9924ce3ac3bb29aa9bdbc553d08bd677af400ef3 Mon Sep 17 00:00:00 2001 
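Review bot: The new heading `## Troubleshoot with IP visbility` misspells "visibility", and since the heading text presumably becomes the section anchor, the typo would carry into any link to it; it should read `## Troubleshoot with IP visibility`. In step 1 of that section the link text says `View IP information` but targets `#view-a-devices-ip-history`, while the page's first procedure is titled "View a device's IP information"; step 2 refers to **Device event log**, so the history anchor may be the intended one and the link text the part to change, for example `[View a device's IP history](#view-a-devices-ip-history)`. The note that limits the ISP IP to the Zero Trust PII role does not say whether the seven-day IP history follows the same restriction, which an administrator scoping roles would want stated.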
From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Fri, 24 Jan 2025 09:23:37 -0800 Subject: [PATCH 051/129] [Turnstile] Pre-clearance + Hostname Mgmt overhaul (#19373) * preclearance cookies * hostname mgmt * fix * get started hostnames * add link * spacing * sme feedback * revert * Update src/content/docs/turnstile/concepts/pre-clearance-support.mdx * remove space --- .../concepts/hostname-management.mdx | 48 +++++++++++++++---- .../concepts/pre-clearance-support.mdx | 46 +++++++----------- .../docs/turnstile/get-started/index.mdx | 7 +-- .../get-started/mobile-implementation.mdx | 2 +- .../turnstile/get-started/pre-clearance.mdx | 33 +++++++++++++ .../get-started/supported-browsers.mdx | 2 +- .../docs/turnstile/get-started/terraform.mdx | 2 +- 7 files changed, 97 insertions(+), 43 deletions(-) create mode 100644 src/content/docs/turnstile/get-started/pre-clearance.mdx diff --git a/src/content/docs/turnstile/concepts/hostname-management.mdx b/src/content/docs/turnstile/concepts/hostname-management.mdx index afa6ac418dab30..c7318589998bb3 100644 --- a/src/content/docs/turnstile/concepts/hostname-management.mdx +++ b/src/content/docs/turnstile/concepts/hostname-management.mdx 
@@ -6,31 +6,61 @@ sidebar: --- +You can associate hostnames with your widget to control where it can be used using Hostname Management. Managing your hostnames ensures that Turnstile works seamlessly with your setup, whether you add standalone hostnames or leverage zones registered to your Cloudflare account. + +## Hostname limits + By default, all widgets can have up to 10 hostnames associated with a widget. A widget requires at least one hostname to be entered. Only Enterprise Bot Management and Enterprise Turnstile customers can have this limit increased. Contact your account team to increase your hostname limit. -You must specify a list of hostnames when creating a widget. The widget can only be used on these hostnames and will not work on any other hostnames. You can use subdomains to restrict the widgets further. +## Add a custom hostname + +You can add a hostname to your Turnstile widget even if it is not on the Cloudflare network or registered as a zone. There are no prerequisites for using Turnstile. + +To add a custom hostname: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. +2. Go to **Turnstile**. +3. On an existing widget, select **Settings**. +4. Select **Add Hostnames** under Hostname Management. +5. Add a custom hostname or choose from an existing hostname. +6. Select **Add**. + +## Add hostnames with a registered zone + +If you already have a zone registered with Cloudflare, you can add hostnames during the Turnstile widget setup. You will see all zones registered to your account, where you can select the relevant hostname from the list, and it will be added to your Turnstile widget seamlessly. + +## Hostname requirements + +When associating hostnames with a widget, follow these requirements: -The hostname should not contain a scheme `http://` or `https://`, a port `443`, or a path `/`. +- Hostnames must be fully qualified domain names (FQDNs), such as `example.com` or `subdomain.example.com`. 
+- Wildcards are not supported. Specify each hostname you want Turnstile to work on. +- The hostname should not include: + - A scheme (for example, `http://` or `https://`) + - A port (for example, `443`) + - A path (for example, `/path`) -Specifying a subdomain is optional. +### Subdomain specification -For example, using the `www.example.com` value will allow widgets on the following hostnames: +Specifying a subdomain is optional, but it can be used to further restrict the widget. For example, adding `www.example.com` as a hostname will allow widgets to work on: - `www.example.com` - `abc.www.example.com:8080` -but not on the following hostnames: +However, it will not work on the following hostnames: - `example.com` - `dash.example.com` - `cloudflare.com` -When the widget is embedded on a hostname not listed, it will show an error message. +:::note +If the widget is embedded on a hostname not listed, it will display an error message. +::: -## Optional hostname validation +## Optional hostname validation (Enterprise only) -Customers with Enterprise Bot Management or Enterprise Turnstile can have the optional `any hostname` validation entitlement. +Customers with Enterprise Bot Management or Enterprise Turnstile can have the optional any hostname validation entitlement. -By default, a widget requires at least one hostname to be entered. With this entitlement, you can create and use a widget without entering any hostnames for the widget. Contact your account team to enable this entitlement. +By default, a widget requires at least one hostname to be entered. With this entitlement, you can create and use a widget without entering any hostnames for the widget. Contact your account team to enable this entitlement. \ No newline at end of file diff --git a/src/content/docs/turnstile/concepts/pre-clearance-support.mdx b/src/content/docs/turnstile/concepts/pre-clearance-support.mdx index 69508684661b80..a6844003101f2a 100644 
--- a/src/content/docs/turnstile/concepts/pre-clearance-support.mdx +++ b/src/content/docs/turnstile/concepts/pre-clearance-support.mdx 
@@ -6,46 +6,36 @@ sidebar: --- -You can integrate Cloudflare challenges on single-page applications (SPAs) by allowing Turnstile to issue a clearance cookie. The clearance level is set upon widget creation or widget modification using the Turnstile API's `clearance_level`. Possible values for the configuration are `no_clearance`, `jschallenge`, `managed`, or `interactive`. All widgets are set to `no_clearance` by default. +Pre-clearance in Turnstile allows websites to streamline user experiences by using clearance cookies. These cookies enable visitors to bypass WAF challenges downstream, based on the security clearance level set by the customer. This can be particularly useful for trusted visitors, enhancing usability while maintaining security. -For Enterprise customers eligible to toggle off domain checks, Cloudflare recommends issuing clearance cookies on widgets where at least one domain is specified. +You can integrate Cloudflare challenges by allowing Turnstile to issue a pre-clearance cookie. The pre-clearance level is set upon widget creation or widget modification using the Turnstile API's `clearance_level`. Possible values for the configuration are: + +- `no_clearance` +- `jschallenge` +- `managed` +- `interactive` + +All widgets are set to `no_clearance` by default. + +For Enterprise customers eligible to toggle off domain checks, Cloudflare recommends issuing pre-clearance cookies on widgets where at least one domain is specified. :::note Clearance cookies only support zones that are orange-clouded. ::: -Refer to the [blog post](https://blog.cloudflare.com/integrating-turnstile-with-the-cloudflare-waf-to-challenge-fetch-requests) for an example of pre-clearance implementation. +Refer to the [blog post](https://blog.cloudflare.com/integrating-turnstile-with-the-cloudflare-waf-to-challenge-fetch-requests) for more details on how pre-clearance works with WAF. 
## Pre-clearance level options -- **Interactive**: Interactive Pre-clearance allows a user with a clearance cookie to not be challenged by Interactive, Managed Challenge, or JavaScript Challenge Firewall Rules -- **Managed**: Managed allows a user with a clearance cookie to not be challenged by Managed Challenge or JavaScript Challenge Firewall Rules -- **Non-interactive**: Non-interactive allows a user with a clearance cookie to not be challenged by JavaScript Challenge Firewall Rules +- **Interactive (High)**: Allows a user with a clearance cookie to not be challenged by Interactive, Managed Challenge, or JavaScript Challenge Firewall Rules +- **Managed (Medium)**: Allows a user with a clearance cookie to not be challenged by Managed Challenge or JavaScript Challenge Firewall Rules +- **Non-interactive (Low)**: Allows a user with a clearance cookie to not be challenged by JavaScript Challenge Firewall Rules -### Duration +## Clearance cookie duration Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the [WAF documentation](/waf/tools/challenge-passage/). -## Enable pre-clearance on a new site - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. -2. Go to **Turnstile** > **Add widget**. -3. Under **Would you like to opt for pre-clearance for this site?** select **Yes**. -4. Choose the pre-clearance level from the select box. -5. Select **Create**. - -## Enable pre-clearance on an existing site - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. -2. Go to **Turnstile**. -3. Go to the existing widget or site and select **Settings**. -4. Under **Would you like to opt for pre-clearance for this site?** select **Yes**. -5. Choose the pre-clearance level from the select box. -6. Select **Update**. 
- -## Verified bots - -If a [verified bot](/bots/concepts/bot/#verified-bots) encounters a page where a Turnstile widget is implemented, the challenge will fail and the verified bot will see a `403` error from the Turnstile endpoint. +## Setup -However, if a verified bot is excluded from the rule which pre-clearance will grant clearance for, it will pass. Users can create a [WAF custom rule](/waf/custom-rules/) to exclude verified bots. +To set up pre-clearance cookies, refer to [Enable pre-clearance cookies](/turnstile/get-started/pre-clearance/). \ No newline at end of file diff --git a/src/content/docs/turnstile/get-started/index.mdx b/src/content/docs/turnstile/get-started/index.mdx index ca1c99c1c83e3a..5f8aecec8e8f37 100644 --- a/src/content/docs/turnstile/get-started/index.mdx +++ b/src/content/docs/turnstile/get-started/index.mdx @@ -31,7 +31,7 @@ You can find special sitekeys to be used for testing in the [testing](/turnstile 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/?to=/:account/turnstile) and select your account. 2. Go to **Turnstile**. -3. Select **Add widget** and fill out the site name and your website's hostname or select from your existing websites on Cloudflare. +3. Select **Add widget** and fill out the site name and [your website's hostname or select from your existing websites](/turnstile/concepts/hostname-management/) on Cloudflare. 4. Select the widget mode. 5. (Optional) Opt in for [pre-clearance support](/turnstile/concepts/pre-clearance-support/). 6. Copy your sitekey and secret key. 
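Review bot: The rewrite of `pre-clearance-support.mdx` deletes the `## Verified bots` section, and none of the text this commit adds (the new `get-started/pre-clearance.mdx` or the hostname management page) carries it over, so the statement that a verified bot fails the Turnstile challenge with a `403` unless it is excluded from the rule is no longer documented in these files. Operators choosing a clearance level would want that caveat next to the level descriptions; I would keep the two removed paragraphs, or add a line to the new setup page such as `Verified bots fail the Turnstile challenge; create a [WAF custom rule](/waf/custom-rules/) to exclude them.` The same hunk relabels the levels as High, Medium and Low without saying which `clearance_level` value each one corresponds to; "Non-interactive (Low)" presumably means `jschallenge`, but a reader setting the value through the API has to infer that.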
@@ -41,8 +41,9 @@ You can find special sitekeys to be used for testing in the [testing](/turnstile 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/?to=/:account/turnstile) and select your account. 2. Go to **Turnstile**. 3. In the widget overview, select **Settings**. -4. (Optional) Opt in for [pre-clearance support](/turnstile/concepts/pre-clearance-support/). -5. Copy your sitekey and secret key. +4. Confirm the [hostnames](/turnstile/concepts/hostname-management/) configured. +5. (Optional) Opt in for [pre-clearance support](/turnstile/concepts/pre-clearance-support/). +6. Copy your sitekey and secret key. ## Add the Turnstile widget to your site diff --git a/src/content/docs/turnstile/get-started/mobile-implementation.mdx b/src/content/docs/turnstile/get-started/mobile-implementation.mdx index 490754c87e9b70..99196efb9d7478 100644 --- a/src/content/docs/turnstile/get-started/mobile-implementation.mdx +++ b/src/content/docs/turnstile/get-started/mobile-implementation.mdx @@ -2,7 +2,7 @@ title: Mobile implementation pcx_content_type: concept sidebar: - order: 5 + order: 6 --- diff --git a/src/content/docs/turnstile/get-started/pre-clearance.mdx b/src/content/docs/turnstile/get-started/pre-clearance.mdx new file mode 100644 index 00000000000000..da8960ed7ad2a7 --- /dev/null +++ b/src/content/docs/turnstile/get-started/pre-clearance.mdx 
@@ -0,0 +1,33 @@ +--- +title: Enable pre-clearance cookies +pcx_content_type: get-started +sidebar: + order: 3 + label: Pre-clearance cookies + +--- + +## Prerequisites + +To enable pre-clearance, you must ensure that the hostname of the Turnstile widget matches the zone with the WAF rules. During the Turnstile configuration setup in the Cloudflare dashboard, you can see the registered zones. Select the appropriate hostname from this list. + +The prerequisite is crucial for pre-clearance to function properly. If set up correctly, visitors who successfully solve Turnstile will receive a cookie with the security clearance level set by the customer. When encountering a WAF challenge on the same zone, they will bypass additional challenges for the configured clearance level and below. + +For more details on managing hostnames, refer to the [Hostname Management documentation](/turnstile/concepts/hostname-management/). + +## Enable pre-clearance on a new site + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. +2. Go to **Turnstile** > **Add widget**. +3. Under **Would you like to opt for pre-clearance for this site?** select **Yes**. +4. Choose the pre-clearance level from the select box. +5. Select **Create**. + +## Enable pre-clearance on an existing site + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. +2. Go to **Turnstile**. +3. Go to the existing widget or site and select **Settings**. +4. Under **Would you like to opt for pre-clearance for this site?** select **Yes**. +5. Choose the pre-clearance level from the select box. +6. Select **Update**. \ No newline at end of file diff --git a/src/content/docs/turnstile/get-started/supported-browsers.mdx b/src/content/docs/turnstile/get-started/supported-browsers.mdx index 9c76e244028f7b..ab5003e17935d1 100644 --- a/src/content/docs/turnstile/get-started/supported-browsers.mdx 
+++ b/src/content/docs/turnstile/get-started/supported-browsers.mdx @@ -3,6 +3,6 @@ pcx_content_type: concept title: Supported browsers external_link: /waf/reference/cloudflare-challenges/#browser-support sidebar: - order: 4 + order: 5 --- diff --git a/src/content/docs/turnstile/get-started/terraform.mdx b/src/content/docs/turnstile/get-started/terraform.mdx index 8562bdf165ee0e..a0077458d31a99 100644 --- a/src/content/docs/turnstile/get-started/terraform.mdx +++ b/src/content/docs/turnstile/get-started/terraform.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Terraform sidebar: - order: 3 + order: 4 --- :::note[Requirements] From aa85897c1a6a554bae8fcc8ce71e87e3d0b66a8a Mon Sep 17 00:00:00 2001 From: Chris Martinelli <56095825+chris-martinelli@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:28:39 -0600 Subject: [PATCH 052/129] Update custom-cache-key.mdx (#19410) * Update custom-cache-key.mdx add link to full documentation on cache keys * Update src/content/docs/cache/how-to/cache-rules/examples/custom-cache-key.mdx --------- Co-authored-by: angelampcosta <92738954+angelampcosta@users.noreply.github.com> --- .../docs/cache/how-to/cache-rules/examples/custom-cache-key.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/cache/how-to/cache-rules/examples/custom-cache-key.mdx b/src/content/docs/cache/how-to/cache-rules/examples/custom-cache-key.mdx index 748e3d400b267b..103f8469d5ae39 100644 --- a/src/content/docs/cache/how-to/cache-rules/examples/custom-cache-key.mdx +++ b/src/content/docs/cache/how-to/cache-rules/examples/custom-cache-key.mdx @@ -27,3 +27,5 @@ import { Example, Render } from "~/components" * **Query string**: All query string parameters + +Refer to [cache keys](/cache/how-to/cache-keys/) for more information on possible settings when configuring a custom cache key. From ce942b588a166ff2578497ce682062bf69fbdc2f Mon Sep 17 00:00:00 2001 
From: Chris Martinelli <56095825+chris-martinelli@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:31:18 -0600 Subject: [PATCH 053/129] Update cache-keys.mdx (#19408) added more description to host settings specific to UI vs API --- src/content/docs/cache/how-to/cache-keys.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cache/how-to/cache-keys.mdx b/src/content/docs/cache/how-to/cache-keys.mdx index d8c13121cbceb6..2552b4433ee294 100644 --- a/src/content/docs/cache/how-to/cache-keys.mdx +++ b/src/content/docs/cache/how-to/cache-keys.mdx @@ -119,8 +119,8 @@ Additionally, you cannot include the following headers: Host determines which host header to include in the Cache Key. -* If `resolved: false`, Cloudflare includes the `Host` header in the HTTP request sent to the origin. -* If `resolved: true`, Cloudflare includes the `Host` header that was resolved to get the `origin IP` for the request. In this scenario, the `Host` header may be different from the header actually sent if the [Cloudflare Resolve Override](/rules/page-rules/how-to/override-url-or-ip-address/) feature is used. +* If `Use original host` (`resolved: false` in the API), Cloudflare includes the `Host` header in the HTTP request sent to the origin. +* If `Resolved host` (`resolved: true` in the API), Cloudflare includes the `Host` header that was resolved to get the `origin IP` for the request. In this scenario, the `Host` header may be different from the header actually sent if the [Cloudflare Resolve Override](/rules/page-rules/how-to/override-url-or-ip-address/) feature is used. ### Cookie From ebfa7fb7ee139aec3a67b82948adc1dfa1ce1a7e Mon Sep 17 00:00:00 2001 From: Diretnan Domnan Date: Fri, 24 Jan 2025 18:43:42 +0100 Subject: [PATCH 054/129] Free transformation as 9422 (#19075) --- src/content/docs/images/pricing.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/images/pricing.mdx b/src/content/docs/images/pricing.mdx index 997e060f1470ae..a1323da7e132c1 100644 --- a/src/content/docs/images/pricing.mdx +++ b/src/content/docs/images/pricing.mdx @@ -24,7 +24,7 @@ On the Free plan, you can request up to 5,000 unique transformations each month Once you exceed 5,000 unique transformations: - Existing transformations in cache will continue to be served as expected. -- New transformations will return a `9423` error. If your source image is from the same domain where the transformation is served, then you can use the [`onerror` parameter](/images/transform-images/transform-via-url/#onerror) to redirect to the original image. +- New transformations will return a `9422` error. If your source image is from the same domain where the transformation is served, then you can use the [`onerror` parameter](/images/transform-images/transform-via-url/#onerror) to redirect to the original image. - You will not be charged for exceeding the limits in the Free plan. To request more than 5,000 unique transformations each month, you can purchase an Images Paid plan. From 23f5fe6d4d6d4d614edeba19257e809aecdfc9d5 Mon Sep 17 00:00:00 2001 
From: Kian Date: Fri, 24 Jan 2025 18:12:47 +0000 Subject: [PATCH 055/129] [Docs Site] Adopt Cloudflare styling for badge component (#19390) * [Docs Site] Adopt Cloudflare styling for badge component * add variant styling * remove variant note * remove gray class in inline badge docs * add caution variant to workers ai beta badge --- astro.config.ts | 1 + src/badges.css | 85 ++++++++++++ src/components/InlineBadge.astro | 2 +- src/components/ModelCatalog.tsx | 6 +- src/components/Type.astro | 1 - .../changelog-next/ProductPills.astro | 6 +- src/components/fields/FieldBadges.tsx | 9 +- src/components/models/ModelBadges.tsx | 9 +- src/components/overrides/PageTitle.astro | 3 - src/components/overrides/Sidebar.astro | 32 ++++- .../docs/style-guide/components/badges.mdx | 18 ++- .../style-guide/components/inline-badge.mdx | 6 +- src/pages/workers-ai/models/[name].astro | 24 ++-- src/pages/workers/ai.astro | 8 +- tailwind.config.mjs | 129 ++++++++++++++++++ 15 files changed, 281 insertions(+), 58 deletions(-) create mode 100644 src/badges.css diff --git a/astro.config.ts b/astro.config.ts index f0d9bf393ee5e1..fcf13e786ff74b 100644 --- a/astro.config.ts +++ b/astro.config.ts @@ -82,6 +82,7 @@ export default defineConfig({ sidebar, customCss: [ "./src/asides.css", + "./src/badges.css", "./src/code.css", "./src/footnotes.css", "./src/headings.css", diff --git a/src/badges.css b/src/badges.css new file mode 100644 index 00000000000000..001beab380fc96 --- /dev/null +++ b/src/badges.css 
@@ -0,0 +1,85 @@
+.sl-badge {
+ /* Unset Starlight styling */
+ border: none;
+ font-family: var(--__sl-font);
+ overflow-wrap: unset;
+
+ /* Apply styling from https://www.npmjs.com/package/@cloudflare/component-label */
+ align-items: center;
+ border-radius: 50px;
+ display: inline-flex;
+ font-size: 12px;
+ font-weight: 400;
+ line-height: 1;
+ user-select: none;
+ white-space: nowrap;
+ padding: 4px 8px;
+}
+
+:root {
+ .sl-badge {
+ &.note {
+ background-color: theme("colors.cl1.blue.8") !important;
+ color: theme("colors.cl1.blue.2") !important;
+ }
+
+ &.danger {
+ background-color: theme("colors.cl1.red.8") !important;
+ color: theme("colors.cl1.red.2") !important;
+ }
+
+ &.success {
+ background-color: theme("colors.cl1.green.8") !important;
+ color: theme("colors.cl1.green.2") !important;
+ }
+
+ &.caution {
+ background-color: theme("colors.cl1.orange.8") !important;
+ color: theme("colors.cl1.orange.2") !important;
+ }
+
+ &.tip {
+ background-color: theme("colors.cl1.violet.8") !important;
+ color: theme("colors.cl1.violet.1") !important;
+ }
+
+ &.default {
+ background-color: theme("colors.cl1.gray.9") !important;
+ color: theme("colors.cl1.gray.2") !important;
+ }
+ }
+}
+
+:root[data-theme="dark"] {
+ .sl-badge {
+ &.note {
+ background-color: theme("colors.cl1.blue.7") !important;
+ color: theme("colors.cl1.blue.0") !important;
+ }
+
+ &.danger {
+ background-color: theme("colors.cl1.red.8") !important;
+ color: theme("colors.cl1.red.0") !important;
+ }
+
+ &.success {
+ background-color: theme("colors.cl1.green.7") !important;
+ color: theme("colors.cl1.green.0") !important;
+ }
+
+ &.caution {
+ background-color: theme("colors.cl1.orange.8") !important;
+ color: theme("colors.cl1.orange.0") !important;
+ }
+
+ &.tip {
+ background-color: theme("colors.cl1.violet.8") !important;
+ color: theme("colors.cl1.violet.0") !important;
+ }
+
+ &.default {
+ background-color: theme("colors.cl1.gray.8") !important;
+ color: theme("colors.cl1.gray.3") 
!important; + } + } +} diff --git a/src/components/InlineBadge.astro b/src/components/InlineBadge.astro index 430296e96f013c..67705395d6e4f2 100644 --- a/src/components/InlineBadge.astro +++ b/src/components/InlineBadge.astro @@ -23,7 +23,7 @@ if (preset) { } case "beta": { text = "Beta"; - variant = "default"; + variant = "caution"; break; } case "deprecated": { diff --git a/src/components/ModelCatalog.tsx b/src/components/ModelCatalog.tsx index 6d5ed3ba90a7b9..e65eb0f4144643 100644 --- a/src/components/ModelCatalog.tsx +++ b/src/components/ModelCatalog.tsx @@ -240,11 +240,7 @@ const ModelCatalog = ({ models }: { models: WorkersAIModelsSchema[] }) => { {model.model_display_name} - {isBeta && ( - - Beta - - )} + {isBeta && Beta}
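Review bot: Every `background-color` and `color` declaration in the `:root` and `:root[data-theme="dark"]` variant blocks of the new `src/badges.css` carries `!important`, and no comment on those blocks says which rule the flag is meant to beat. If the intent is to out-rank Starlight's own badge variant colors, a comment above the first variant block such as `/* !important: needed to override Starlight's built-in badge variant colors */` would stop a later cleanup from dropping the flags or adding more. The `theme("colors.cl1.…")` lookups presumably resolve against the palette added to `tailwind.config.mjs` (listed in the diffstat with 129 additions, outside this hunk), so each key used here should be checked against that file. Separately, `user-select: none` on `.sl-badge` makes badge text such as "Beta" unselectable, which is worth confirming as intended rather than inherited from the copied component styling.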
diff --git a/src/components/Type.astro b/src/components/Type.astro index 1f18743c5f0b0a..9f36a01f8c6650 100644 --- a/src/components/Type.astro +++ b/src/components/Type.astro @@ -15,7 +15,6 @@ const { text } = props.parse(Astro.props); ; const props = z.object({ @@ -18,9 +20,7 @@ const data = await getEntries(products); { data.map((product) => ( - - {product.data.product.title} - + )) } diff --git a/src/components/fields/FieldBadges.tsx b/src/components/fields/FieldBadges.tsx index 4739f088cde421..16cc2c0c5036fb 100644 --- a/src/components/fields/FieldBadges.tsx +++ b/src/components/fields/FieldBadges.tsx @@ -1,12 +1,9 @@ const FieldBadges = ({ badges }: { badges: string[] }) => { return ( -