From bb67d0b5a588567d73b8ecf3e2566440972eeac2 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 31 Jan 2025 14:16:01 -0600 Subject: [PATCH 1/4] Move third-party filtering warning --- .../policies/gateway/block-page.mdx | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index d807c1c686b6ae7..124630252c43bdd 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx @@ -15,12 +15,6 @@ Configuring a custom block page in Zero Trust helps avoid this confusion. Your b Gateway supports custom block pages for DNS and HTTP policies. -:::caution[Third-party filtering conflict] - - - -::: - ## Prerequisites In order to display the block page as the URL of the blocked domain, your devices must have a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). 
@@ -63,7 +57,15 @@ You can add a Mailto link to your custom block page, which allows users to direc ## Limitations -If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices. +### Third-party filtering conflict + + + +### Certificate warning + +If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices. + +### Data center and IP address matching If an HTTP request that matches a block policy does not arrive at the same Cloudflare data center as its DNS query, Gateway will display the default block page instead of your custom block page. From ec4b39c6344f1614cc051318b281c4f91ed12b42 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 31 Jan 2025 14:23:56 -0600 Subject: [PATCH 2/4] Add certificate error section --- .../policies/gateway/block-page.mdx | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 124630252c43bdd..2590606d6645449 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx 
@@ -17,7 +17,7 @@ Gateway supports custom block pages for DNS and HTTP policies. ## Prerequisites -In order to display the block page as the URL of the blocked domain, your devices must have a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). +In order to display the block page as the URL of the blocked domain, your devices must have a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). If you do not install a certificate, the block page [will not display correctly](#certificate-warning). ## Turn on the block page 
@@ -57,13 +57,18 @@ You can add a Mailto link to your custom block page, which allows users to direc ## Limitations -### Third-party filtering conflict +### Certificate warning - +If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices. If a certificate is not installed or the installed certificate is invalid or expired, your user's browser may: -### Certificate warning +- Display an **HTTP Response Code: 526** error page, indicating an insecure upstream. +- Close the connection and fail to display any pages. -If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices. +For more information on fixing certificate issues, refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning). + +### Third-party filtering conflict + + ### Data center and IP address matching From f7ea318b23b04069e2a974d67a3251f2665d171e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 31 Jan 2025 14:35:00 -0600 Subject: [PATCH 3/4] Add caution --- .../docs/cloudflare-one/policies/gateway/block-page.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 2590606d6645449..b8c2de545997ead 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx 
@@ -15,6 +15,12 @@ Configuring a custom block page in Zero Trust helps avoid this confusion. Your b Gateway supports custom block pages for DNS and HTTP policies. +:::caution[Default Cloudflare certificate expired] +The default Cloudflare root certificate expired on 2025-02-02. + +If your organization is still using the default Cloudflare certificate, you will need to use a new certificate to display the block page. For more information, refer to [User-side certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) or [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning). +::: + ## Prerequisites In order to display the block page as the URL of the blocked domain, your devices must have a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). If you do not install a certificate, the block page [will not display correctly](#certificate-warning). @@ -57,7 +63,7 @@ You can add a Mailto link to your custom block page, which allows users to direc ## Limitations -### Certificate warning +### Certificate error If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices. If a certificate is not installed or the installed certificate is invalid or expired, your user's browser may: From 8d266a0e3d8e02bc18cdc9bcc99cb5ce2480c533 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Fri, 31 Jan 2025 14:42:17 -0600 Subject: [PATCH 4/4] Add links --- .../docs/cloudflare-one/policies/gateway/block-page.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index b8c2de545997ead..89c63caf9103547 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx @@ -15,8 +15,8 @@ Configuring a custom block page in Zero Trust helps avoid this confusion. Your b Gateway supports custom block pages for DNS and HTTP policies. -:::caution[Default Cloudflare certificate expired] -The default Cloudflare root certificate expired on 2025-02-02. +:::caution[Default Cloudflare certificate expiring] +The default Cloudflare root certificate expires on 2025-02-02. If your organization is still using the default Cloudflare certificate, you will need to use a new certificate to display the block page. For more information, refer to [User-side certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) or [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning). :::
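Review bot: In PATCH 1/4, the Limitations hunk (`@@ -63,7 +57,15 @@`) shortens the link text from "installed a Cloudflare certificate" to "installed a certificate" while the link still points at the manual-deployment page, and the Prerequisites paragraph keeps "[Cloudflare certificate]" for the same URL. Use one wording for both places, or say explicitly that either a Cloudflare certificate or a custom root CA satisfies the requirement. The new "### Third-party filtering conflict" heading also shows no body in this hunk as it appears here; confirm that whatever the removed `:::caution[Third-party filtering conflict]` block contained was moved under the heading and not dropped.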
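Review bot: In PATCH 2/4, the expanded "Certificate warning" paragraph in the second hunk (`@@ -57,13 +57,18 @@`) switches from "your users" to "your user's browser" within the same paragraph; "your users' browsers" or "the browser" would be consistent. The new Troubleshooting link depends on a long, date-specific heading anchor (`#as-of-february-2-2025-my-end-user-devices-browser-is-returning-...`), which stops resolving if that FAQ heading is ever reworded, so a stable anchor or a link to the page itself would be more durable. The same concern applies to the `#certificate-warning` anchor added to Prerequisites in the first hunk, since it is tied to the exact heading text.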
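Review bot: In PATCH 3/4, the new caution in the first hunk (`@@ -15,6 +15,12 @@`) says the default root certificate "expired on 2025-02-02", but the commit is dated 2025-01-31, so the text is wrong for anyone reading it before that date. Wording that holds on both sides of the date, for example "is valid until 2025-02-02", avoids needing a follow-up edit. It would also help to state in the caution what users will see if they keep the old certificate, since the symptoms are only listed further down under Limitations.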
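Review bot: In PATCH 3/4, the second hunk (`@@ -57,7 +63,7 @@`) renames "### Certificate warning" to "### Certificate error", but the Prerequisites paragraph shown as context in the first hunk still links to `[will not display correctly](#certificate-warning)`. After this change the in-page anchor no longer matches the heading. Update the link to `#certificate-error` in the same commit, or keep the original heading.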
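Review bot: In PATCH 4/4, the subject "Add links" does not match the single hunk (`@@ -15,8 +15,8 @@`), which adds no links and only changes "expired" to "expiring" in the caution title and "expired on" to "expires on" in its first sentence. Retitle the commit to describe the tense fix, or squash it into PATCH 3/4 where the caution was introduced. Note that "expires on 2025-02-02" becomes stale once that date passes, so date-neutral wording or a scheduled follow-up is worth considering.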