From 3990d9a59b1254ed8143b3050e98cd3104dd9276 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 16:36:06 -0600 Subject: [PATCH 01/14] Replace account ID variable --- .../configure-apps/dash-sso-apps.mdx | 10 +- .../agentless/dns/dns-over-https.mdx | 8 +- .../connect-devices/agentless/pac-files.mdx | 2 +- .../warp/configure-warp/device-profiles.mdx | 2 +- .../configure-tunnels/remote-management.mdx | 188 +++++++++-------- .../ssh/ssh-infrastructure-access.mdx | 15 +- .../identity/idp-integration/entra-id.mdx | 55 ++--- .../insights/logs/audit-logs.mdx | 44 ++-- .../policies/access/policy-management.mdx | 19 +- .../browser-isolation/isolation-policies.mdx | 10 +- .../gateway/dns-policies/common-policies.mdx | 26 +-- .../gateway/dns-policies/timed-policies.mdx | 4 +- .../gateway/http-policies/common-policies.mdx | 18 +- .../network-policies/common-policies.mdx | 14 +- .../tutorials/user-selectable-egress-ips.mdx | 8 +- .../access/add-infrastructure-app.mdx | 198 +++++++++--------- .../cloudflare-one/access/add-target.mdx | 84 ++++---- .../cloudflare-one/access/rule-group.mdx | 2 +- .../gateway/get-started/create-dns-policy.mdx | 2 +- .../get-started/create-http-policy.mdx | 4 +- .../get-started/create-network-policy.mdx | 2 +- .../cloudflare-one/ssh/ssh-proxy-ca.mdx | 4 +- 22 files changed, 367 insertions(+), 352 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx index 24574815d79d91a..c96a342b56365b0 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx 
@@ -73,7 +73,7 @@ If there is an issue with your SSO IdP provider, you can add an alternate IdP us 1. [Add](/api/resources/zero_trust/subresources/identity_providers/methods/create/) one-time PIN login: ```bash title="cURL command" -curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers' \ +curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers' \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ @@ -86,7 +86,7 @@ curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity 2. [Get](/api/resources/zero_trust/subresources/access/subresources/applications/methods/list/) the `id` of the `dash_sso` Access application. You can use [`jq`](https://jqlang.github.io/jq/download/) to quickly find the correct application: ```bash title="cURL command" -curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps' \ +curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps' \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ | jq '.result[] | select(.type == "dash_sso")' @@ -106,7 +106,7 @@ curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps' \ ```bash title="cURL command" curl --request PUT \ -'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1' \ +'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1' \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ 
@@ -127,7 +127,7 @@ The following API calls will disable SSO enforcement for an account. This action 1. Get your SSO `connector_id`: ```bash title="cURL command" -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " ``` @@ -153,7 +153,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connector ```bash title="cURL command" curl --request PATCH \ -'https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors/2828' \ +'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors/2828' \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx index 3b1b82d07142ff4..11a513dad05e8ea 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx @@ -114,7 +114,7 @@ Currently, authentication tokens can only be generated through the API. You can ### 1. Create a service token for the account ```bash -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/service_tokens" \ +curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ 
@@ -148,12 +148,12 @@ Save the service token's `client_id`, `client_secret`, and `id`. ```bash curl --request PUT \ -"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/organizations/doh/{service_token_id}" \ +"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations/doh/$SERVICE_TOKEN_ID" \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " ``` -If you get an `access.api.error.service_token_not_found` error, check that `{service_token_id}` is the value of `id` and not `client_id`. +If you get an `access.api.error.service_token_not_found` error, check that `$SERVICE_TOKEN_ID` is the value of `id` and not `client_id`.
@@ -181,7 +181,7 @@ If you get an `access.api.error.service_token_not_found` error, check that `{ser Create a new user and optionally add them to a group. ```bash -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/users" \ +curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users" \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index 825f92ec9c75261..974bf8f5ad00165 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx @@ -211,7 +211,7 @@ To get the domain of a proxy endpoint: 1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) operation to get a list of your proxy endpoints and their details. For example: ```bash - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints \ --header "Authorization: Bearer " ``` diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles.mdx index 504e5154d8bcde7..57b2ebc4daf35ef 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles.mdx 
@@ -35,7 +35,7 @@ Your profile will appear in the **Profile settings** list. You can rearrange the Send a `POST` request to the [Devices endpoint](/api/resources/zero_trust/subresources/devices/subresources/policies/subresources/custom/methods/create/): ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx index 1929dbdb45b0ca6..af0003b7d3bca19 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx @@ -49,11 +49,12 @@ On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl 4. To verify the new configuration, check the service status: - ```sh - sudo systemctl status cloudflared - ``` - ```sh output - ● cloudflared.service - cloudflared + ```sh + sudo systemctl status cloudflared + ``` + + ```sh output + ● cloudflared.service - cloudflared Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled) Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago Main PID: 2157 (cloudflared) @@ -62,7 +63,7 @@ On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl CPU: 136ms CGroup: /system.slice/cloudflared.service └─2157 /usr/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi... - ``` + ``` 
@@ -186,85 +187,88 @@ To rotate a tunnel token: 1. Refresh the token on Cloudflare: - - - 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. - 2. Select a `cloudflared` tunnel and select **Edit**. - 3. Select **Refresh token**. - 4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. - - - - - 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: - - ```sh - openssl rand -base64 32 - ``` - - ```sh output - AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= - ``` - - 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: - ```sh - curl --request PATCH \ - https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id} \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ - --data '{ - "name": "Example tunnel", - "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" - }' - ``` - - ```sh output {18} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", - "account_tag": "699d98642c564d2e855e9661899b7252", - "created_at": "2024-12-04T22:03:26.291225Z", - "deleted_at": null, - "name": "Example tunnel", - "connections": [], - "conns_active_at": null, - "conns_inactive_at": "2024-12-04T22:03:26.291225Z", - "tun_type": "cfd_tunnel", - "metadata": {}, - "status": "inactive", - "remote_config": true, - "token": "eyJhIjoiNWFiNGU5Z..." - } - } - ``` - 3. Copy the `token` value shown in the output. - - - - - After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. + + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. +2. Select a `cloudflared` tunnel and select **Edit**. +3. 
Select **Refresh token**. +4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. + + + + + 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: + + ```sh + openssl rand -base64 32 + ``` + + ```sh output + AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= + ``` + + 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: + + ```sh + curl --request PATCH \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/{tunnel_id} \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "Example tunnel", + "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" + }' + ``` + + ```sh output {18} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", + "account_tag": "699d98642c564d2e855e9661899b7252", + "created_at": "2024-12-04T22:03:26.291225Z", + "deleted_at": null, + "name": "Example tunnel", + "connections": [], + "conns_active_at": null, + "conns_inactive_at": "2024-12-04T22:03:26.291225Z", + "tun_type": "cfd_tunnel", + "metadata": {}, + "status": "inactive", + "remote_config": true, + "token": "eyJhIjoiNWFiNGU5Z..." + } + } + ``` + + 3. Copy the `token` value shown in the output. + + + + + After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. 2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: - ```sh - sudo cloudflared service install - ``` + ```sh + sudo cloudflared service install + ``` 3. Restart `cloudflared`: - ```sh - sudo systemctl restart cloudflared.service - ``` + ```sh + sudo systemctl restart cloudflared.service + ``` 4. 
Confirm that the service started correctly: - ```sh - sudo systemctl status cloudflared - ``` - While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. + ```sh + sudo systemctl status cloudflared + ``` + + While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. 5. Wait 10 minutes for traffic to route through the new connectors. 
@@ -278,29 +282,31 @@ If your tunnel token is compromised, we recommend taking the following steps: 1. Refresh the token using the dashboard or API. Refer to Step 1 of [Rotate a token without service disruption](#rotate-a-token-without-service-disruption). 2. [Delete all connections](/api/resources/zero_trust/subresources/tunnels/subresources/connections/methods/delete/) between `cloudflared` and Cloudflare: - ```sh - curl --request DELETE \ - https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections \ - --header "Authorization: Bearer " - ``` - This will clean up any unauthorized connections and prevent users from connecting to your network. + ```sh + curl --request DELETE \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/{tunnel_id}/connections \ + --header "Authorization: Bearer " + ``` + + This will clean up any unauthorized connections and prevent users from connecting to your network. 3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host: - ```sh - sudo cloudflared service install - ``` + ```sh + sudo cloudflared service install + ``` + 4. Restart `cloudflared`: - ```sh - sudo systemctl restart cloudflared.service - ``` + ```sh + sudo systemctl restart cloudflared.service + ``` 5. Confirm that the service started correctly: - ```sh - sudo systemctl status cloudflared - ``` + ```sh + sudo systemctl status cloudflared + ``` The tunnel token is now fully rotated. The old token is no longer in use. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx index fc5cd97702ebe70..f4373c5981d3e2a 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx 
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx @@ -13,7 +13,10 @@ import { Tabs, TabItem, Badge, Render } from "~/components"; [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/) provides granular control over how users can connect to your SSH servers. This feature uses the same deployment model as [WARP-to-Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/) but unlocks more policy options and command logging functionality. - + ## 1. Connect the server to Cloudflare @@ -31,8 +34,7 @@ To connect your devices to Cloudflare: ## 3. Route server IPs through WARP - - + ## 4. Add a target @@ -55,9 +57,11 @@ To generate a Cloudflare SSH CA and get its public key: ### Save the public key + ### Modify your SSHD config + :::note @@ -66,9 +70,11 @@ For certain distributions, such as Amazon Linux 1 (based on RHEL), the certifica ```sh chmod 600 /etc/ssh/ca.pub ``` + ::: ### Restart your SSH server + ## 7. Connect as a user @@ -112,13 +118,14 @@ Cloudflare will stop logging SSH commands to your targets, as well as any comman To delete the SSH encryption public key using the [API](/api/resources/zero_trust/subresources/gateway/subresources/audit_ssh_settings/methods/update/): ```sh -curl --request PUT https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/audit_ssh_settings \ +curl --request PUT https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/audit_ssh_settings \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --data '{ "public_key": "" }' ``` + diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 5631cf3814eee16..bb27520fd633594 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
@@ -118,27 +118,27 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha -1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: Organizations, Identity Providers, and Groups | Edit | - -2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint: - - ```sh - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "Entra ID example", - "type": "azureAD", - "config": { - "client_id": "", - "client_secret": "", - "directory_id": "", - "support_groups": true - } - }' - ``` +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: Organizations, Identity Providers, and Groups | Edit | + +2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint: + + ```sh + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "Entra ID example", + "type": "azureAD", + "config": { + "client_id": "", + "client_secret": "", + "directory_id": "", + "support_groups": true + } + }' + ``` 
@@ -146,12 +146,13 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha The following example requires Cloudflare provider version `>=4.40.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Access: Organizations, Identity Providers, and Groups Write` +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): -2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: + - `Access: Organizations, Identity Providers, and Groups Write` - +2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: + + @@ -185,7 +186,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto ### 2. Configure SCIM in Entra ID @@ -277,7 +278,7 @@ You can require users to re-enter their credentials into Entra ID whenever they 2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example, ```sh {17} curl --request PUT \ - https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/{identity_provider_id} \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ 
diff --git a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx index 241ae71f36cd7ec..de1d4218d5c0ddf 100644 --- a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx @@ -43,7 +43,7 @@ To view logs for identity-based authentication events: The [Access authentication logs](/api/resources/zero_trust/subresources/access/subresources/logs/subresources/access_requests/methods/list/) API endpoint provides a custom URL to export audit log events for your account. ```bash title="Request" -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/logs/access_requests?limit=25&direction=desc&since=2020-07-01T05:20:00Z&until=2020-10-01T05:20:00Z" \ +curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/access_requests?limit=25&direction=desc&since=2020-07-01T05:20:00Z&until=2020-10-01T05:20:00Z" \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " ``` 
@@ -77,32 +77,32 @@ Identity-based authentication logs contain the following fields: ##### Basic information -| Field | Description | -| -------------- | --------------------------------------------------------- | -| **App** | Name of the Access application. | -| **User email** | Email address of the authenticating user. | -| **User ID** | UUID of the authenticating user. | -| **IP address** | IP address of the authenticating user. | -| **App UID** | UUID of the Access application. | -| **App domain** | URL of the Access application. | -| **App type** | The type specifies if the Access application is self-hosted, SaaS, or infrastructure. | -| **Event** | Type of authentication event, such as a login attempt. | -| **Connection** | IdP used to authenticate. | -| **Allow** | Result of the authentication event. | -| **Request time** | Timestamp of the authentication event. | -| **Ray ID** | A unique identifier for every request through Cloudflare. | -| **Country** | Country associated with the user's IP address. | +| Field | Description | +| ---------------- | ------------------------------------------------------------------------------------- | +| **App** | Name of the Access application. | +| **User email** | Email address of the authenticating user. | +| **User ID** | UUID of the authenticating user. | +| **IP address** | IP address of the authenticating user. | +| **App UID** | UUID of the Access application. | +| **App domain** | URL of the Access application. | +| **App type** | The type specifies if the Access application is self-hosted, SaaS, or infrastructure. | +| **Event** | Type of authentication event, such as a login attempt. | +| **Connection** | IdP used to authenticate. | +| **Allow** | Result of the authentication event. | +| **Request time** | Timestamp of the authentication event. | +| **Ray ID** | A unique identifier for every request through Cloudflare. | +| **Country** | Country associated with the user's IP address. 
| ##### Infrastructure applications Cloudflare Access logs the following information when the user authenticates to an [infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/): -| Field | Description | -| -------------- | --------------------------------------------------------- | -| **Hostname** | Hostname of the infrastructure target. | -| **Target ID** | UUID of the infrastructure target. | -| **SSH user** | The UNIX user, such as `root`, that the authenticating user specified when connecting to the infrastructure target. | -| **SSH logs** | SSH commands that the user ran on the target. Requires configuring an [SSH encryption key](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) before the session begins. | +| Field | Description | +| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Hostname** | Hostname of the infrastructure target. | +| **Target ID** | UUID of the infrastructure target. | +| **SSH user** | The UNIX user, such as `root`, that the authenticating user specified when connecting to the infrastructure target. | +| **SSH logs** | SSH commands that the user ran on the target. Requires configuring an [SSH encryption key](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) before the session begins. | ### Non-identity authentication diff --git a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx b/src/content/docs/cloudflare-one/policies/access/policy-management.mdx index f24c4ae0f0295d4..2f756e07ea6b6fb 100644 --- a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx +++ b/src/content/docs/cloudflare-one/policies/access/policy-management.mdx 
@@ -3,10 +3,9 @@ pcx_content_type: how-to title: Manage Access policies sidebar: order: 2 - --- -import {Tabs, TabItem } from "~/components"; +import { Tabs, TabItem } from "~/components"; Access policies define the users who can log in to your Access applications. You can create, edit, or delete policies at any time and reuse policies across multiple applications. @@ -21,9 +20,9 @@ To create a reusable Access policy: 5. Choose a [**Session duration**](/cloudflare-one/identity/users/session-management/) for the policy. 6. Configure as many [**Rules**](/cloudflare-one/policies/access/#rule-types) as needed. 7. (Optional) Configure additional settings for users who match this policy: - - [Isolate application](/cloudflare-one/policies/access/isolate-application/). - - [Purpose justificaton](/cloudflare-one/policies/access/require-purpose-justification/) - - [Temporary authentication](/cloudflare-one/policies/access/temporary-auth/) + - [Isolate application](/cloudflare-one/policies/access/isolate-application/). + - [Purpose justificaton](/cloudflare-one/policies/access/require-purpose-justification/) + - [Temporary authentication](/cloudflare-one/policies/access/temporary-auth/) 8. Select **Save**. You can now add this policy to an [Access application](/cloudflare-one/applications/). @@ -60,9 +59,9 @@ To check if a user has access to an application: The policy tester reports the following information: -* Whether the user is allowed or denied access to the application based on all configured policies. -* The user's identity from their most recent Access login attempt. -* Whether the user matches individual Allow, Block, or Bypass policies. +- Whether the user is allowed or denied access to the application based on all configured policies. +- The user's identity from their most recent Access login attempt. +- Whether the user matches individual Allow, Block, or Bypass policies. ## Legacy policies 
@@ -83,8 +82,8 @@ You can use the API to convert a legacy policy into a reusable policy. To conver ```bash curl --request PUT \ -https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_id}/policies/{policy_id}/make_reusable \ +https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/{app_id}/policies/{policy_id}/make_reusable \ --header "Authorization: Bearer " ``` -The policy is now removed from the applications endpoint (`/access/apps/{app_id}/policies`) and managed using the [reusable policies endpoints](/api/resources/zero_trust/subresources/access/subresources/policies/)(`/access/policies/{policy_id}`). \ No newline at end of file +The policy is now removed from the applications endpoint (`/access/apps/{app_id}/policies`) and managed using the [reusable policies endpoints](/api/resources/zero_trust/subresources/access/subresources/policies/)(`/access/policies/{policy_id}`). diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx b/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx index bc8feefac6f3590..06a90ec6ea5cdf1 100644 --- a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx @@ -134,7 +134,7 @@ Isolate security threats such as malware and phishing. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ 
@@ -168,7 +168,7 @@ Isolate high risk content categories such as newly registered domains. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -202,7 +202,7 @@ Isolate news and media sites, which are targets for malvertising attacks. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -236,7 +236,7 @@ Isolate content that has not been categorized by [Cloudflare Radar](/radar/). ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -272,7 +272,7 @@ In **Configure policy settings**, you can customize restrictions for ChatGPT. Fo ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index b822d87d1d2640e..087c3ff6fc2714f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -29,7 +29,7 @@ This policy allows users to access official corporate domains. By deploying the ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -92,7 +92,7 @@ You can implement policies to block websites hosted in countries categorized as ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -127,7 +127,7 @@ Blocking [frequently misused](https://www.spamhaus.org/statistics/tlds/) top-lev ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -161,7 +161,7 @@ To protect against [sophisticated phishing attacks](https://blog.cloudflare.com/ ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -196,7 +196,7 @@ To safeguard user privacy, some organizations will block tracking domains such a ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ 
@@ -231,7 +231,7 @@ Block specific IP addresses that are known to be malicious or pose a threat to y ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -266,7 +266,7 @@ The CIPA (Children's Internet Protection Act) Filter is a collection of subcateg ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -299,7 +299,7 @@ SafeSearch is a feature of search engines that helps you filter explicit or offe ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -333,7 +333,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -371,7 +371,7 @@ The following example includes two policies. The first policy allows the specifi ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ 
@@ -403,7 +403,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -446,7 +446,7 @@ Force users to connect with IPv4 by blocking IPv6 resolution. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -480,7 +480,7 @@ Force users to connect with IPv6 by blocking IPv4 resolution. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx index 75a6e0c5754dfc6..7363a5c1eeb3040 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx @@ -50,7 +50,7 @@ If you [do not specify a time zone](#example-users-time-zone), Gateway will enab The following command creates a DNS policy to block `facebook.com` only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone. ```bash -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ +curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ 
@@ -77,7 +77,7 @@ Refer to [this table](https://en.wikipedia.org/wiki/List_of_tz_database_time_zon The following command creates a DNS policy to block `clockin.com` only on weekends in the time zone where the user is currently located. ```bash -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ +curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 80b2c161bcb151b..c4a6c242d0810da 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -35,7 +35,7 @@ Block all subdomains that use a host. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -69,7 +69,7 @@ Block a section of a site without blocking the entire site. For example, you can ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -122,7 +122,7 @@ Block content categories which go against your organization's acceptable use pol ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ 
@@ -158,7 +158,7 @@ Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/policies/gatew ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -200,7 +200,7 @@ Perform an [OS version check](/cloudflare-one/identity/devices/warp-client-check ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -239,7 +239,7 @@ Since the file path will be different for each operating system, you can configu ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -283,7 +283,7 @@ When accessing origin servers with certificates not signed by a public certifica ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -328,7 +328,7 @@ Block file downloads from Google Drive. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ 
@@ -399,7 +399,7 @@ Block file downloads from Gmail. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 0a59858c0af0b48..6d6a2659798f23d 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -29,7 +29,7 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -64,7 +64,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -114,7 +114,7 @@ Restrict user access to only the specific sites or applications configured in yo ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ 
@@ -146,7 +146,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -185,7 +185,7 @@ The following example consists of two policies: the first allows specific users ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -217,7 +217,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -256,7 +256,7 @@ Override traffic directed toward a specific IP address with a different IP addre ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx index 5b1087208a10920..1762968372ec04f 100644 --- a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx 
@@ -49,7 +49,7 @@ First, create [virtual networks](/cloudflare-one/connections/connect-networks/pr 1. Create a [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) corresponding to one of your dedicated egress IPs. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`. ```bash - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/teamnet/virtual_networks \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ @@ -90,7 +90,7 @@ After creating your virtual networks, route your private network CIDRs over each ```bash curl --request PATCH \ - https://api.cloudflare.com/client/v4/accounts/{account_id}/teamnet/routes/{route_id} \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/{route_id} \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ @@ -106,7 +106,7 @@ After creating your virtual networks, route your private network CIDRs over each ```bash curl --request PATCH \ - https://api.cloudflare.com/client/v4/accounts/{account_id}/teamnet/routes/{route_id} \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/{route_id} \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ 
@@ -160,7 +160,7 @@ Next, assign your dedicated egress IPs to each virtual network using Gateway egr 1. Add a Gateway egress policy that matches the corresponding virtual network. For example: ```bash - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx index 83b1d869e4a587f..df7cff050968e64 100644 --- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx +++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx @@ -1,10 +1,8 @@ --- {} - --- -import { Tabs, TabItem, Render } from "~/components" - +import { Tabs, TabItem, Render } from "~/components"; 
@@ -26,61 +24,63 @@ import { Tabs, TabItem, Render } from "~/components" - **SSH user**: Enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`). - **Allow users to log in as their email alias**: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, `Jdoe@company.com` could log in as `jdoe`. - :::note - Cloudflare will not create new users on the target. UNIX users must already be present on the server. - ::: + :::note + Cloudflare will not create new users on the target. UNIX users must already be present on the server. + ::: + 4. Select **Add application**. - + + 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: Apps & Policies | Edit | - -2. Make a `POST` request to the [Access applications](/api/resources/zero_trust/subresources/access/subresources/applications/methods/create/) endpoint: - - ```sh - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \ - --header "Authorization: Bearer " \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Example infrastructure app", - "type": "infrastructure", - "target_criteria": [ - { - "target_attributes": { - "hostname": [ - "infra-access-target" - ] - }, - "port": 22, - "protocol": "SSH" - } - ], - "policies": [ - { - "name": "Allow a specific email", - "decision": "allow", - "include": [ - { - "email": { - "email": "jdoe@company.com" - } - } - ], - "connection_rules": { - "ssh": { - "usernames": [ - "root", - "ec2-user" - ] - } - } - } - ] - }' - ``` + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: Apps & Policies | Edit | + +1. 
Make a `POST` request to the [Access applications](/api/resources/zero_trust/subresources/access/subresources/applications/methods/create/) endpoint: + + ```sh + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Example infrastructure app", + "type": "infrastructure", + "target_criteria": [ + { + "target_attributes": { + "hostname": [ + "infra-access-target" + ] + }, + "port": 22, + "protocol": "SSH" + } + ], + "policies": [ + { + "name": "Allow a specific email", + "decision": "allow", + "include": [ + { + "email": { + "email": "jdoe@company.com" + } + } + ], + "connection_rules": { + "ssh": { + "usernames": [ + "root", + "ec2-user" + ] + } + } + } + ] + }' + ``` 
@@ -89,50 +89,52 @@ import { Tabs, TabItem, Render } from "~/components" The following example requires Cloudflare provider version `>=4.45.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): - - `Access: Apps and Policies Write` - -2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application: - - ```tf - resource "cloudflare_zero_trust_access_application" "infra-app" { - account_id = var.cloudflare_account_id - name = "Example infrastructure app" - type = "infrastructure" - - target_criteria { - port = 22 - protocol = "SSH" - target_attributes { - name = "hostname" - values = ["infra-access-target"] - } - } - } - ``` - -3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: - - ```tf - resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { - application_id = cloudflare_zero_trust_access_application.infra-app.id - account_id = var.cloudflare_account_id - name = "Allow a specific email" - decision = "allow" - precedence = 1 - - include { - email = ["jdoe@company.com"] - } - - connection_rules { - ssh { - usernames = ["root", "ec2-user"] - } - } - } - ``` - +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): + + - `Access: Apps and Policies Write` + +2. 
Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application: + + ```tf + resource "cloudflare_zero_trust_access_application" "infra-app" { + account_id = var.cloudflare_account_id + name = "Example infrastructure app" + type = "infrastructure" + + target_criteria { + port = 22 + protocol = "SSH" + target_attributes { + name = "hostname" + values = ["infra-access-target"] + } + } + } + ``` + +3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: + + ```tf + resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { + application_id = cloudflare_zero_trust_access_application.infra-app.id + account_id = var.cloudflare_account_id + name = "Allow a specific email" + decision = "allow" + precedence = 1 + + include { + email = ["jdoe@company.com"] + } + + connection_rules { + ssh { + usernames = ["root", "ec2-user"] + } + } + } + ``` + + The targets in this application are now secured by your infrastructure policies. diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx index ef396379b2476d9..b83642f03f7c376 100644 --- a/src/content/partials/cloudflare-one/access/add-target.mdx +++ b/src/content/partials/cloudflare-one/access/add-target.mdx 
@@ -1,9 +1,8 @@ --- {} - --- -import { Tabs, TabItem, Render, Details } from "~/components" +import { Tabs, TabItem, Render, Details } from "~/components"; A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. 
@@ -29,30 +28,30 @@ If the target IP does not appear in the dropdown, go to **Networks** > **Routes* -1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Zero Trust | Edit | +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Zero Trust | Edit | -2. Make a `POST` request to the [Infrastructure Access Targets](/api/resources/zero_trust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint: +2. Make a `POST` request to the [Infrastructure Access Targets](/api/resources/zero_trust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint: - ```sh - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \ - --header "Authorization: Bearer " \ - --data '{ - "hostname": "infra-access-target", - "ip": { - "ipv4": { - "ip_addr": "187.26.29.249", - "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" - }, - "ipv6": { - "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0", - "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" - } - } - }' - ``` + ```sh + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \ + --header "Authorization: Bearer " \ + --data '{ + "hostname": "infra-access-target", + "ip": { + "ipv4": { + "ip_addr": "187.26.29.249", + "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" + }, + "ipv6": { + "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0", + "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" + } + } + }' + ``` 
@@ -62,28 +61,29 @@ The following example requires Cloudflare provider version `>=4.45.0`. ::: 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): - - `Teams Write` + + - `Teams Write` 2. Configure the [`cloudflare_zero_trust_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_infrastructure_access_target) resource: - ```tf - resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" { - account_id = var.cloudflare_account_id - hostname = "infra-access-target" - ip = { - ipv4 = { - ip_addr = "187.26.29.249" - virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" - } - ipv6 = { - ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0" - virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" - } - } - } - ``` + ```tf + resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" { + account_id = var.cloudflare_account_id + hostname = "infra-access-target" + ip = { + ipv4 = { + ip_addr = "187.26.29.249" + virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" + } + ipv6 = { + ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0" + virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" + } + } + } + ``` -Next, create an infrastructure application to secure the target. \ No newline at end of file +Next, create an infrastructure application to secure the target. diff --git a/src/content/partials/cloudflare-one/access/rule-group.mdx b/src/content/partials/cloudflare-one/access/rule-group.mdx index 1224a4eb3def3d2..63944453fd58e5d 100644 --- a/src/content/partials/cloudflare-one/access/rule-group.mdx +++ b/src/content/partials/cloudflare-one/access/rule-group.mdx 
@@ -27,7 +27,7 @@ To create an Access rule group: Send a `POST` request to the [`/access/groups`](/api/resources/zero_trust/subresources/access/subresources/groups/methods/create/) endpoint: ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/groups \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/groups \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx index cf7179697a966b6..ed9f740e4171018 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx @@ -33,7 +33,7 @@ To create a new DNS policy: 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories): ```sh title="curl API DNS policy example" - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx index a4dbb08eccca755..14d1eead17bd616 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx 
@@ -42,7 +42,7 @@ To create a new HTTP policy: 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: ```sh title="curl API HTTP policy example" - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -73,7 +73,7 @@ To create a new HTTP policy: Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: ```bash title="Block known risks HTTP policy" - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx index 7e318cbaadc4e82..25d8dadd3e28209 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx 
@@ -35,7 +35,7 @@ To create a new network policy: 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: ```sh title="curl API network policy example" - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx index 1ee08d6eb0246ba..40c647fb8d026db 100644 --- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx +++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx @@ -15,14 +15,14 @@ import { Render, Details } from "~/components" ```bash curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \ + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \ --header "Authorization: Bearer " ``` 3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead: ```bash - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \ --header "Authorization: Bearer " ``` From 481ec430d3d8e4e4e207bffbcff5191eeae3d132 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 25 Feb 2025 16:38:56 -0600 Subject: [PATCH 02/14] Replace other variables --- .../configure-tunnels/remote-management.mdx | 27 ++++++++++--------- .../identity/idp-integration/entra-id.mdx | 2 +- .../policies/access/policy-management.mdx | 4 +-- .../tutorials/user-selectable-egress-ips.mdx | 4 +-- 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx index af0003b7d3bca19..c4655f50ce1f9d0 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx @@ -187,14 +187,15 @@ To rotate a tunnel token: 1. Refresh the token on Cloudflare: - + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. -2. Select a `cloudflared` tunnel and select **Edit**. -3. Select **Refresh token**. -4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. +1. Select a `cloudflared` tunnel and select **Edit**. +1. Select **Refresh token**. +1. Copy the `cloudflared` installation command for your operating system. This command contains the new token. - + 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: @@ -211,7 +212,7 @@ To rotate a tunnel token: ```sh curl --request PATCH \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/{tunnel_id} \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ 
@@ -245,24 +246,24 @@ To rotate a tunnel token: 3. Copy the `token` value shown in the output. - + After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. -2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: +1. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: ```sh sudo cloudflared service install ``` -3. Restart `cloudflared`: +1. Restart `cloudflared`: ```sh sudo systemctl restart cloudflared.service ``` -4. Confirm that the service started correctly: +1. Confirm that the service started correctly: ```sh sudo systemctl status cloudflared @@ -270,9 +271,9 @@ To rotate a tunnel token: While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. -5. Wait 10 minutes for traffic to route through the new connectors. +1. Wait 10 minutes for traffic to route through the new connectors. -6. Repeat steps 2, 3, and 4 for the second half of the replicas. +1. Repeat steps 2, 3, and 4 for the second half of the replicas. The tunnel token is now fully rotated. The old token is no longer in use. @@ -285,7 +286,7 @@ If your tunnel token is compromised, we recommend taking the following steps: ```sh curl --request DELETE \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/{tunnel_id}/connections \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \ --header "Authorization: Bearer " ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index bb27520fd633594..04eb2d55e2238d8 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx @@ -278,7 +278,7 @@ You can require users to re-enter their credentials into Entra ID whenever they 2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example, ```sh {17} curl --request PUT \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/{identity_provider_id} \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ diff --git a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx b/src/content/docs/cloudflare-one/policies/access/policy-management.mdx index 2f756e07ea6b6fb..f897fb2d93e3693 100644 --- a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx +++ b/src/content/docs/cloudflare-one/policies/access/policy-management.mdx 
@@ -82,8 +82,8 @@ You can use the API to convert a legacy policy into a reusable policy. To conver ```bash curl --request PUT \ -https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/{app_id}/policies/{policy_id}/make_reusable \ +https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID/policies/$POLICY_ID/make_reusable \ --header "Authorization: Bearer " ``` -The policy is now removed from the applications endpoint (`/access/apps/{app_id}/policies`) and managed using the [reusable policies endpoints](/api/resources/zero_trust/subresources/access/subresources/policies/)(`/access/policies/{policy_id}`). +The policy is now removed from the applications endpoint (`/access/apps/$APP_ID/policies`) and managed using the [reusable policies endpoints](/api/resources/zero_trust/subresources/access/subresources/policies/)(`/access/policies/$POLICY_ID`). diff --git a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx index 1762968372ec04f..a2abee784e56607 100644 --- a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx @@ -90,7 +90,7 @@ After creating your virtual networks, route your private network CIDRs over each ```bash curl --request PATCH \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/{route_id} \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ 
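Review bot: the @@ -270 hunk of remote-management.mdx keeps the sentence "Repeat steps 2, 3, and 4 for the second half of the replicas." while the @@ -245 hunk just renumbered those items from `2.`, `3.`, `4.` to `1.`; the numbers now only exist after the renderer auto-numbers the list, so the cross-reference is fragile. Suggest naming the steps instead (update the token, restart `cloudflared`, confirm the service started) so the text stays correct if an item is added or removed.

Review bot: in the @@ -82 hunk of policy-management.mdx the prose line is missing a space between the link and the parenthetical: `[reusable policies endpoints](...)(`/access/policies/$POLICY_ID`)` should read `[reusable policies endpoints](...) (`/access/policies/$POLICY_ID`)`. Style point on the same line: `$APP_ID` and `$POLICY_ID` are shell-variable syntax, which fits the curl command above but reads oddly in a sentence describing an endpoint path; the previous `{app_id}` / `{policy_id}` form matches the API reference notation and was arguably clearer outside runnable code.

Review bot: the @@ -211 hunk of remote-management.mdx switches the URL to `$TUNNEL_ID` but leaves `--header "Authorization: Bearer " \` with no value on the line right below it; if shell variables are now the convention for placeholders, the token line belongs in the same change so the example is consistent with itself.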
@@ -106,7 +106,7 @@ After creating your virtual networks, route your private network CIDRs over each ```bash curl --request PATCH \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/{route_id} \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ From 649f3d0d90f2d474a5346e319f21e18071692c76 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 16:41:07 -0600 Subject: [PATCH 03/14] Replace API token variable --- .../connect-devices/agentless/pac-files.mdx | 4 +- .../configure-tunnels/remote-management.mdx | 155 +++++++++--------- .../identity/idp-integration/entra-id.mdx | 2 +- .../policies/access/policy-management.mdx | 2 +- .../browser-isolation/isolation-policies.mdx | 10 +- .../gateway/dns-policies/common-policies.mdx | 26 +-- .../gateway/http-policies/common-policies.mdx | 18 +- .../network-policies/common-policies.mdx | 14 +- .../tutorials/user-selectable-egress-ips.mdx | 8 +- .../access/add-infrastructure-app.mdx | 49 +++--- .../cloudflare-one/access/add-target.mdx | 2 +- .../gateway/get-started/create-dns-policy.mdx | 2 +- .../get-started/create-http-policy.mdx | 4 +- .../get-started/create-network-policy.mdx | 2 +- .../cloudflare-one/ssh/ssh-proxy-ca.mdx | 35 ++-- 15 files changed, 168 insertions(+), 165 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index 974bf8f5ad00165..db65b1470756c5b 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx 
@@ -64,7 +64,7 @@ https://.proxy.cloudflare-gateway.com ```bash curl https://api.cloudflare.com/client/v4/accounts//gateway/proxy_endpoints \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{"name": "any_name", "ips": ["", "", ""]}' ``` @@ -212,7 +212,7 @@ To get the domain of a proxy endpoint: ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints \ - --header "Authorization: Bearer " + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` ```json {8} output diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx index c4655f50ce1f9d0..c8d5ea782f0a939 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx 
@@ -185,95 +185,98 @@ Cloudflare recommends rotating the tunnel token at a regular cadence to reduce t To rotate a tunnel token: -1. Refresh the token on Cloudflare: +1. Refresh the token on Cloudflare: - - + -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. -1. Select a `cloudflared` tunnel and select **Edit**. -1. Select **Refresh token**. -1. Copy the `cloudflared` installation command for your operating system. This command contains the new token. + - - +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. +1. Select a `cloudflared` tunnel and select **Edit**. +1. Select **Refresh token**. +1. Copy the `cloudflared` installation command for your operating system. This command contains the new token. - 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: - - ```sh - openssl rand -base64 32 - ``` - - ```sh output - AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= - ``` - - 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: - - ```sh - curl --request PATCH \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ - --data '{ - "name": "Example tunnel", - "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" - }' - ``` - - ```sh output {18} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", - "account_tag": "699d98642c564d2e855e9661899b7252", - "created_at": "2024-12-04T22:03:26.291225Z", - "deleted_at": null, - "name": "Example tunnel", - "connections": [], - "conns_active_at": null, - "conns_inactive_at": "2024-12-04T22:03:26.291225Z", - "tun_type": "cfd_tunnel", - "metadata": {}, - "status": "inactive", - "remote_config": true, - "token": "eyJhIjoiNWFiNGU5Z..." - } - } - ``` - - 3. 
Copy the `token` value shown in the output. - - - + - After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. + -1. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: + 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: - ```sh - sudo cloudflared service install - ``` + ```sh + openssl rand -base64 32 + ``` -1. Restart `cloudflared`: + ```sh output + AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= + ``` - ```sh - sudo systemctl restart cloudflared.service - ``` + 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: -1. Confirm that the service started correctly: + ```sh + curl --request PATCH \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "Example tunnel", + "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" + }' + ``` - ```sh - sudo systemctl status cloudflared - ``` + ```sh output {18} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", + "account_tag": "699d98642c564d2e855e9661899b7252", + "created_at": "2024-12-04T22:03:26.291225Z", + "deleted_at": null, + "name": "Example tunnel", + "connections": [], + "conns_active_at": null, + "conns_inactive_at": "2024-12-04T22:03:26.291225Z", + "tun_type": "cfd_tunnel", + "metadata": {}, + "status": "inactive", + "remote_config": true, + "token": "eyJhIjoiNWFiNGU5Z..." + } + } + ``` + + 3. Copy the `token` value shown in the output. + + + + + + After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. 
However, existing connectors will remain active and the tunnel will continue serving traffic. + +1. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: + + ```sh + sudo cloudflared service install + ``` + +1. Restart `cloudflared`: + + ```sh + sudo systemctl restart cloudflared.service + ``` + +1. Confirm that the service started correctly: + + ```sh + sudo systemctl status cloudflared + ``` - While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. + While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. -1. Wait 10 minutes for traffic to route through the new connectors. +1. Wait 10 minutes for traffic to route through the new connectors. -1. Repeat steps 2, 3, and 4 for the second half of the replicas. +1. Repeat steps 2, 3, and 4 for the second half of the replicas. The tunnel token is now fully rotated. The old token is no longer in use. @@ -287,7 +290,7 @@ If your tunnel token is compromised, we recommend taking the following steps: ```sh curl --request DELETE \ https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \ - --header "Authorization: Bearer " + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` This will clean up any unauthorized connections and prevent users from connecting to your network. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 04eb2d55e2238d8..fd99904456c5139 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
@@ -279,7 +279,7 @@ You can require users to re-enter their credentials into Entra ID whenever they ```sh {17} curl --request PUT \ https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", diff --git a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx b/src/content/docs/cloudflare-one/policies/access/policy-management.mdx index f897fb2d93e3693..3f52da1c9039b04 100644 --- a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx +++ b/src/content/docs/cloudflare-one/policies/access/policy-management.mdx @@ -83,7 +83,7 @@ You can use the API to convert a legacy policy into a reusable policy. To conver ```bash curl --request PUT \ https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID/policies/$POLICY_ID/make_reusable \ ---header "Authorization: Bearer " +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` The policy is now removed from the applications endpoint (`/access/apps/$APP_ID/policies`) and managed using the [reusable policies endpoints](/api/resources/zero_trust/subresources/access/subresources/policies/)(`/access/policies/$POLICY_ID`). diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx b/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx index 06a90ec6ea5cdf1..9ecaafc85dacd99 100644 --- a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx 
@@ -136,7 +136,7 @@ Isolate security threats such as malware and phishing. ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Isolate all security threats", "description": "Isolate security threats such as malware and phishing", @@ -170,7 +170,7 @@ Isolate high risk content categories such as newly registered domains. ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Isolate high risk content", "description": "Isolate high risk content categories such as newly registered domains", @@ -204,7 +204,7 @@ Isolate news and media sites, which are targets for malvertising attacks. ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Isolate news and media", "description": "Isolate news and media sites, which are targets for malvertising attacks", @@ -238,7 +238,7 @@ Isolate content that has not been categorized by [Cloudflare Radar](/radar/). ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Isolate uncategorized content", "description": "Isolate content not categorized by Cloudflare Radar", 
@@ -274,7 +274,7 @@ In **Configure policy settings**, you can customize restrictions for ChatGPT. Fo ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Isolate ChatGPT", "description": "Isolate the use of ChatGPT", diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 087c3ff6fc2714f..7779cf13014437e 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -31,7 +31,7 @@ This policy allows users to access official corporate domains. By deploying the ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Allow corporate domains", "description": "Allow any internal corporate domains added to a list", @@ -94,7 +94,7 @@ You can implement policies to block websites hosted in countries categorized as ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block banned countries", "description": "Block access to banned countries", 
@@ -129,7 +129,7 @@ Blocking [frequently misused](https://www.spamhaus.org/statistics/tlds/) top-lev ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block top-level domains", "description": "Block top-level domains that are frequently used for malicious practices", @@ -163,7 +163,7 @@ To protect against [sophisticated phishing attacks](https://blog.cloudflare.com/ ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block phishing attacks", "description": "Block attempts to phish specific domains targeting your organization", @@ -198,7 +198,7 @@ To safeguard user privacy, some organizations will block tracking domains such a ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block online tracking", "description": "Block domains used for tracking at an OS level", @@ -233,7 +233,7 @@ Block specific IP addresses that are known to be malicious or pose a threat to y ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block malicious IPs", "description": "Block specific IP addresses that are known to be malicious or pose a threat to your organization", 
@@ -268,7 +268,7 @@ The CIPA (Children's Internet Protection Act) Filter is a collection of subcateg ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Turn on CIPA filter", "description": "Block access to unwanted or harmful online content for children", @@ -301,7 +301,7 @@ SafeSearch is a feature of search engines that helps you filter explicit or offe ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Hide explicit search results", "description": "Force SafeSearch on search engines to filter explicit or offensive content", @@ -335,7 +335,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Check user identity", "description": "Filter traffic based on a user identity group name", @@ -373,7 +373,7 @@ The following example includes two policies. The first policy allows the specifi ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Allow social media for Marketing", "description": "Allow access to social media sites for users in the Marketing group", 
@@ -405,7 +405,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block social media", "description": "Block social media for all other users", @@ -448,7 +448,7 @@ Force users to connect with IPv4 by blocking IPv6 resolution. ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Force IPv4", "description": "Force users to connect with IPv4 by blocking IPv6 resolution", @@ -482,7 +482,7 @@ Force users to connect with IPv6 by blocking IPv4 resolution. ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Force IPv6", "description": "Force users to connect with IPv6 by blocking IPv4 resolution", diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index c4a6c242d0810da..37af48e56b866a2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -37,7 +37,7 @@ Block all subdomains that use a host. ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block sites by hostname", "description": "Block all subdomains that use a specific hostname", @@ -71,7 +71,7 @@ Block a section of a site without blocking the entire site. For example, you can ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block sites by URL", "description": "Block specific parts of a site without blocking the hostname", @@ -124,7 +124,7 @@ Block content categories which go against your organization's acceptable use pol ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Check user identity", "description": "Block access to Salesforce by temporary employees and contractors", @@ -160,7 +160,7 @@ Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/policies/gatew ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Bypass incompatible applications", "description": "Skip TLS decryption for applications that are incompatible with Gateway", 
@@ -202,7 +202,7 @@ Perform an [OS version check](/cloudflare-one/identity/devices/warp-client-check ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Require OS version", "description": "Perform an OS version check for minimum version", @@ -241,7 +241,7 @@ Since the file path will be different for each operating system, you can configu ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Check for specific file", "description": "Ensure users have a specific file on their device regardless of operating system", @@ -285,7 +285,7 @@ When accessing origin servers with certificates not signed by a public certifica ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Bypass internal site inspection", "description": "Bypass TLS decryption for internal sites with self-signed certificates", @@ -330,7 +330,7 @@ Block file downloads from Google Drive. ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block Google Drive downloads", "description": "Block file downloads from Google Drive", 
@@ -401,7 +401,7 @@ Block file downloads from Gmail. ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block Gmail downloads", "description": "Block file downloads from Gmail", diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 6d6a2659798f23d..02282b56b97824f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -31,7 +31,7 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block unauthorized applications", "description": "Block access to unauthorized AI applications", @@ -66,7 +66,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Check user identity", "description": "Block access to Salesforce by temporary employees and contractors", 
@@ -116,7 +116,7 @@ Restrict user access to only the specific sites or applications configured in yo ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Allow HTTP and HTTPS traffic", "description": "Restrict traffic to HTTP and HTTPS traffic", @@ -148,7 +148,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block all other traffic", "description": "Block all other traffic that is not HTTP or HTTPS", @@ -187,7 +187,7 @@ The following example consists of two policies: the first allows specific users ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Allow company employees", "description": "Allow any users with an organization email to reach the application", @@ -219,7 +219,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block everyone else", "description": "Block any other users from accessing the application", 
@@ -258,7 +258,7 @@ Override traffic directed toward a specific IP address with a different IP addre ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Override example.com with 1.1.1.1", "description": "Override a site'\''s IP address with another IP", diff --git a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx index a2abee784e56607..f02c4aff27e28fc 100644 --- a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx @@ -50,7 +50,7 @@ First, create [virtual networks](/cloudflare-one/connections/connect-networks/pr ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "comment": "Virtual network to egress from the Americas", @@ -91,7 +91,7 @@ After creating your virtual networks, route your private network CIDRs over each ```bash curl --request PATCH \ https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "network": "10.0.0.0/8", 
@@ -107,7 +107,7 @@ After creating your virtual networks, route your private network CIDRs over each ```bash curl --request PATCH \ https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "network": "10.0.0.0/8", @@ -161,7 +161,7 @@ Next, assign your dedicated egress IPs to each virtual network using Gateway egr ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "action": "egress", diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx index df7cff050968e64..effd0698e555733 100644 --- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx +++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx @@ -30,7 +30,7 @@ import { Tabs, TabItem, Render } from "~/components"; 4. Select **Add application**. - + 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: @@ -42,7 +42,7 @@ import { Tabs, TabItem, Render } from "~/components"; ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Example infrastructure app", 
@@ -114,28 +114,29 @@ The following example requires Cloudflare provider version `>=4.45.0`. 3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: - ```tf - resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { - application_id = cloudflare_zero_trust_access_application.infra-app.id - account_id = var.cloudflare_account_id - name = "Allow a specific email" - decision = "allow" - precedence = 1 - - include { - email = ["jdoe@company.com"] - } - - connection_rules { - ssh { - usernames = ["root", "ec2-user"] - } - } - } - ``` - - - + ```tf + resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { + application_id = cloudflare_zero_trust_access_application.infra-app.id + account_id = var.cloudflare_account_id + name = "Allow a specific email" + decision = "allow" + precedence = 1 + + include { + email = ["jdoe@company.com"] + } + + connection_rules { + ssh { + usernames = ["root", "ec2-user"] + } + } + } + ``` + + + + The targets in this application are now secured by your infrastructure policies. diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx index b83642f03f7c376..0c99d5cfa9fc1eb 100644 --- a/src/content/partials/cloudflare-one/access/add-target.mdx +++ b/src/content/partials/cloudflare-one/access/add-target.mdx @@ -37,7 +37,7 @@ If the target IP does not appear in the dropdown, go to **Networks** > **Routes* ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "hostname": "infra-access-target", "ip": { 
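Review bot: the `@@ -114,28 +114,29 @@` hunk in `add-infrastructure-app.mdx` is whitespace-only (the `cloudflare_zero_trust_access_policy` block is re-indented and a blank line added) inside a commit titled "Replace account ID variable"; split formatting churn into its own commit, or drop it, so the substantive `$ACCOUNT_ID` and `$CLOUDFLARE_API_TOKEN` changes can be reviewed on their own. Indentation also decides whether the `tf` fence stays nested under list item 3 when the MDX renders, so check the rendered page if the re-indent is kept.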
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx index ed9f740e4171018..990f64dd3d6b6af 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx @@ -35,7 +35,7 @@ To create a new DNS policy: ```sh title="curl API DNS policy example" curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block security threats", "description": "Block all default Cloudflare DNS security categories", diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx index 14d1eead17bd616..acb2285fb84f1d6 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx @@ -44,7 +44,7 @@ To create a new HTTP policy: ```sh title="curl API HTTP policy example" curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Do not inspect applications", "description": "Bypass TLS decryption for unsupported applications", 
@@ -75,7 +75,7 @@ To create a new HTTP policy: ```bash title="Block known risks HTTP policy" curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block known risks", "description": "Block all default Cloudflare HTTP security categories", diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx index 25d8dadd3e28209..0668e3756fb84be 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx @@ -37,7 +37,7 @@ To create a new network policy: ```sh title="curl API network policy example" curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Enforce device posture", "description": "Ensure only devices in Zero Trust organization can connect to application", diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx index 40c647fb8d026db..c64a04dadd94285 100644 --- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx +++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx 
@@ -1,29 +1,28 @@ --- {} - --- -import { Render, Details } from "~/components" +import { Render, Details } from "~/components"; -1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: SSH Auditing | Edit | + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: SSH Auditing | Edit | -2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API: +2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API: - ```bash - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \ - --header "Authorization: Bearer " - ``` + ```bash + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` -3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead: +3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead: - ```bash - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \ - --header "Authorization: Bearer " - ``` + ```bash + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` -4. Copy the `public_key` value returned in the response. +4. Copy the `public_key` value returned in the response. From 6d4465fa25bc5f86d0de9a49ad2b11767ae1d347 Mon Sep 17 00:00:00 2001 
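Review bot: this hunk bundles the `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"` fix with unrelated formatting (a semicolon on the `import`, dropping the blank line after the frontmatter, re-indenting steps 1 to 4 and the permissions table), and PATCH 08/14 later discards the whole file, which throws away the token fix along with the churn. Keep the two concerns in separate commits so the useful change survives the revert.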
From: Max Phillips Date: Tue, 25 Feb 2025 16:44:16 -0600 Subject: [PATCH 04/14] Replace API keys with token auth --- .../applications/configure-apps/dash-sso-apps.mdx | 15 +++++---------- .../agentless/dns/dns-over-https.mdx | 9 +++------ .../warp/configure-warp/device-profiles.mdx | 3 +-- .../use-cases/ssh/ssh-infrastructure-access.mdx | 3 +-- .../cloudflare-one/insights/logs/audit-logs.mdx | 3 +-- .../gateway/dns-policies/timed-policies.mdx | 6 ++---- .../partials/cloudflare-one/access/rule-group.mdx | 3 +-- 7 files changed, 14 insertions(+), 28 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx index c96a342b56365b0..a17df8a52b4708d 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx @@ -74,8 +74,7 @@ If there is an issue with your SSO IdP provider, you can add an alternate IdP us ```bash title="cURL command" curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers' \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "type": "onetimepin", @@ -87,8 +86,7 @@ curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_ ```bash title="cURL command" curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps' \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ | jq '.result[] | select(.type == "dash_sso")' ``` 
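Review bot: the URLs in these `dash-sso-apps.mdx` hunks are single-quoted, for example `curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers' \`, so the shell will not expand `$ACCOUNT_ID` and the request goes to a literal `$ACCOUNT_ID` path; switch to double quotes (as the other files in this series do) in this hunk and in the PUT and PATCH blocks that follow. Moving from `X-Auth-Email`/`X-Auth-Key` to a scoped token is the right direction; one could also add a sentence on which permissions the token needs, as the other pages in this series do.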
@@ -107,8 +105,7 @@ curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps' \ ```bash title="cURL command" curl --request PUT \ 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1' \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", @@ -128,8 +125,7 @@ The following API calls will disable SSO enforcement for an account. This action ```bash title="cURL command" curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` ```json title="Response" @@ -154,8 +150,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors ```bash title="cURL command" curl --request PATCH \ 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors/2828' \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "sso_connector_status": "DIS" diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx index 11a513dad05e8ea..3620e268d7a0c2a 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx 
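Review bot: confirm that the `/accounts/$ACCOUNT_ID/sso/v2/connectors` endpoint used in the two disable-SSO hunks accepts API token authentication before publishing; the page's "This action..." warning indicates this is a break-glass procedure, and if the endpoint still requires the Global API Key the documented recovery path would fail exactly when an operator is locked out of SSO. The PATCH URL `'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors/2828'` also has the single-quote expansion problem noted above.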
@@ -115,8 +115,7 @@ Currently, authentication tokens can only be generated through the API. You can ```bash curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{"name":"ACME Corporation service token"}' ``` @@ -149,8 +148,7 @@ Save the service token's `client_id`, `client_secret`, and `id`. ```bash curl --request PUT \ "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations/doh/$SERVICE_TOKEN_ID" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` If you get an `access.api.error.service_token_not_found` error, check that `$SERVICE_TOKEN_ID` is the value of `id` and not `client_id`. @@ -182,8 +180,7 @@ Create a new user and optionally add them to a group. ```bash curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "John Doe", diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles.mdx index 57b2ebc4daf35ef..7b4576bf1ecec69 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles.mdx 
@@ -36,8 +36,7 @@ Send a `POST` request to the [Devices endpoint](/api/resources/zero_trust/subres ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "allow_mode_switch": false, diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx index f4373c5981d3e2a..639d887bd9d861b 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx @@ -119,8 +119,7 @@ To delete the SSH encryption public key using the [API](/api/resources/zero_trus ```sh curl --request PUT https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/audit_ssh_settings \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "public_key": "" }' diff --git a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx index de1d4218d5c0ddf..9c6e059dbc4379c 100644 --- a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx @@ -44,8 +44,7 @@ The [Access authentication logs](/api/resources/zero_trust/subresources/access/s ```bash title="Request" curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/access_requests?limit=25&direction=desc&since=2020-07-01T05:20:00Z&until=2020-10-01T05:20:00Z" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` ```json title="Response" 
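Review bot: in the `ssh-infrastructure-access.mdx` hunk the `curl --request PUT .../gateway/audit_ssh_settings` call sends a JSON body (`--data '{ "public_key": "" }'`) but has no `Content-Type: application/json` header, unlike the `device-profiles.mdx` hunk above it; add the header while the block is being edited so the example matches its siblings and the server parses the body as JSON.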
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx index 7363a5c1eeb3040..c3028eec98b0f81 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx @@ -51,8 +51,7 @@ The following command creates a DNS policy to block `facebook.com` only on weekd ```bash curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "office-no-facebook-policy", @@ -78,8 +77,7 @@ The following command creates a DNS policy to block `clockin.com` only on weeken ```bash curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "clock-in-policy", diff --git a/src/content/partials/cloudflare-one/access/rule-group.mdx b/src/content/partials/cloudflare-one/access/rule-group.mdx index 63944453fd58e5d..d13eef831ccb94c 100644 --- a/src/content/partials/cloudflare-one/access/rule-group.mdx +++ b/src/content/partials/cloudflare-one/access/rule-group.mdx @@ -28,8 +28,7 @@ Send a `POST` request to the [`/access/groups`](/api/resources/zero_trust/subres ```bash curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/groups \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Lisbon-team", From bb1c824cdd98c3fc233e8b9043815c22f4a19c73 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 25 Feb 2025 16:53:15 -0600 Subject: [PATCH 05/14] Discard changes to src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx --- .../identity/idp-integration/entra-id.mdx | 57 +++++++++---------- 1 file changed, 28 insertions(+), 29 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index fd99904456c5139..5631cf3814eee16 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
@@ -118,27 +118,27 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha -1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: Organizations, Identity Providers, and Groups | Edit | - -2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint: - - ```sh - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "Entra ID example", - "type": "azureAD", - "config": { - "client_id": "", - "client_secret": "", - "directory_id": "", - "support_groups": true - } - }' - ``` +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: Organizations, Identity Providers, and Groups | Edit | + +2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint: + + ```sh + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "Entra ID example", + "type": "azureAD", + "config": { + "client_id": "", + "client_secret": "", + "directory_id": "", + "support_groups": true + } + }' + ``` 
@@ -146,13 +146,12 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha The following example requires Cloudflare provider version `>=4.40.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + - `Access: Organizations, Identity Providers, and Groups Write` - - `Access: Organizations, Identity Providers, and Groups Write` +2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: -2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: - - + @@ -186,7 +185,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto ### 2. Configure SCIM in Entra ID 
@@ -278,8 +277,8 @@ You can require users to re-enter their credentials into Entra ID whenever they 2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example, ```sh {17} curl --request PUT \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \ + --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", From 5584ae49533469a31c3427dc1bf0c884ed64100e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 16:53:39 -0600 Subject: [PATCH 06/14] Discard changes to src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx --- .../access/add-infrastructure-app.mdx | 201 +++++++++--------- 1 file changed, 99 insertions(+), 102 deletions(-) diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx index effd0698e555733..83b1d869e4a587f 100644 --- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx +++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx @@ -1,8 +1,10 @@ --- {} + --- -import { Tabs, TabItem, Render } from "~/components"; +import { Tabs, TabItem, Render } from "~/components" + 
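Review bot: the `@@ -278,8 +277,8 @@` hunk puts back `accounts/{account_id}/access/identity_providers/{identity_provider_id}` and an empty `--header "Authorization: Bearer " \`, undoing PATCH 01 for this file only; if the discard is meant to remove the whitespace churn in the two hunks above, keep the `$ACCOUNT_ID`/`$CLOUDFLARE_API_TOKEN` substitution so `entra-id.mdx` stays consistent with the rest of the docs and the command is runnable as shown.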
@@ -24,63 +26,61 @@ import { Tabs, TabItem, Render } from "~/components"; - **SSH user**: Enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`). - **Allow users to log in as their email alias**: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, `Jdoe@company.com` could log in as `jdoe`. - :::note - Cloudflare will not create new users on the target. UNIX users must already be present on the server. - ::: - + :::note + Cloudflare will not create new users on the target. UNIX users must already be present on the server. + ::: 4. Select **Add application**. - - + 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: Apps & Policies | Edit | - -1. Make a `POST` request to the [Access applications](/api/resources/zero_trust/subresources/access/subresources/applications/methods/create/) endpoint: - - ```sh - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Example infrastructure app", - "type": "infrastructure", - "target_criteria": [ - { - "target_attributes": { - "hostname": [ - "infra-access-target" - ] - }, - "port": 22, - "protocol": "SSH" - } - ], - "policies": [ - { - "name": "Allow a specific email", - "decision": "allow", - "include": [ - { - "email": { - "email": "jdoe@company.com" - } - } - ], - "connection_rules": { - "ssh": { - "usernames": [ - "root", - "ec2-user" - ] - } - } - } - ] - }' - ``` + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: Apps & Policies | Edit | + +2. 
Make a `POST` request to the [Access applications](/api/resources/zero_trust/subresources/access/subresources/applications/methods/create/) endpoint: + + ```sh + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Example infrastructure app", + "type": "infrastructure", + "target_criteria": [ + { + "target_attributes": { + "hostname": [ + "infra-access-target" + ] + }, + "port": 22, + "protocol": "SSH" + } + ], + "policies": [ + { + "name": "Allow a specific email", + "decision": "allow", + "include": [ + { + "email": { + "email": "jdoe@company.com" + } + } + ], + "connection_rules": { + "ssh": { + "usernames": [ + "root", + "ec2-user" + ] + } + } + } + ] + }' + ``` 
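Review bot: this hunk reverts the `curl .../accounts/$ACCOUNT_ID/access/apps` example to `{account_id}` with an empty Bearer value, and at the same time drops the semicolon on the `import` and re-indents the `:::note` block; the placeholder regression is the part that matters, since the table right above it tells readers to create an API token and then shows a command that cannot carry it. Re-apply only the formatting revert and keep the variables.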
@@ -89,54 +89,51 @@ import { Tabs, TabItem, Render } from "~/components"; The following example requires Cloudflare provider version `>=4.45.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): - - - `Access: Apps and Policies Write` - -2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application: - - ```tf - resource "cloudflare_zero_trust_access_application" "infra-app" { - account_id = var.cloudflare_account_id - name = "Example infrastructure app" - type = "infrastructure" - - target_criteria { - port = 22 - protocol = "SSH" - target_attributes { - name = "hostname" - values = ["infra-access-target"] - } - } - } - ``` - -3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: - - ```tf - resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { - application_id = cloudflare_zero_trust_access_application.infra-app.id - account_id = var.cloudflare_account_id - name = "Allow a specific email" - decision = "allow" - precedence = 1 - - include { - email = ["jdoe@company.com"] - } - - connection_rules { - ssh { - usernames = ["root", "ec2-user"] - } - } - } - ``` - - - - +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): + - `Access: Apps and Policies Write` + +2. 
Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application: + + ```tf + resource "cloudflare_zero_trust_access_application" "infra-app" { + account_id = var.cloudflare_account_id + name = "Example infrastructure app" + type = "infrastructure" + + target_criteria { + port = 22 + protocol = "SSH" + target_attributes { + name = "hostname" + values = ["infra-access-target"] + } + } + } + ``` + +3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: + + ```tf + resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { + application_id = cloudflare_zero_trust_access_application.infra-app.id + account_id = var.cloudflare_account_id + name = "Allow a specific email" + decision = "allow" + precedence = 1 + + include { + email = ["jdoe@company.com"] + } + + connection_rules { + ssh { + usernames = ["root", "ec2-user"] + } + } + } + ``` + + The targets in this application are now secured by your infrastructure policies. From 1e5d5bea1ab3867d6d2e6990f52f82e60569ea9f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 16:53:52 -0600 Subject: [PATCH 07/14] Discard changes to src/content/partials/cloudflare-one/access/add-target.mdx --- .../cloudflare-one/access/add-target.mdx | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx index 0c99d5cfa9fc1eb..ef396379b2476d9 100644 --- a/src/content/partials/cloudflare-one/access/add-target.mdx +++ b/src/content/partials/cloudflare-one/access/add-target.mdx 
@@ -1,8 +1,9 @@ --- {} + --- -import { Tabs, TabItem, Render, Details } from "~/components"; +import { Tabs, TabItem, Render, Details } from "~/components" A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. 
@@ -28,30 +29,30 @@ If the target IP does not appear in the dropdown, go to **Networks** > **Routes* -1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Zero Trust | Edit | +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Zero Trust | Edit | -2. Make a `POST` request to the [Infrastructure Access Targets](/api/resources/zero_trust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint: +2. Make a `POST` request to the [Infrastructure Access Targets](/api/resources/zero_trust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint: - ```sh - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "hostname": "infra-access-target", - "ip": { - "ipv4": { - "ip_addr": "187.26.29.249", - "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" - }, - "ipv6": { - "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0", - "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" - } - } - }' - ``` + ```sh + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \ + --header "Authorization: Bearer " \ + --data '{ + "hostname": "infra-access-target", + "ip": { + "ipv4": { + "ip_addr": "187.26.29.249", + "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" + }, + "ipv6": { + "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0", + "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55" + } + } + }' + ``` 
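Review bot: same regression as the other "Discard" commits, the target example goes back to `accounts/{account_id}/infrastructure/targets` and `--header "Authorization: Bearer " \`. While this block is in flux, the sample addresses `187.26.29.249` and `64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0` are routable-looking values rather than the RFC 5737 / RFC 3849 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`, `2001:db8::/32`); using documentation ranges avoids readers pointing a target at someone else's host when they copy the example.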
@@ -61,29 +62,28 @@ The following example requires Cloudflare provider version `>=4.45.0`. ::: 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): - - - `Teams Write` + - `Teams Write` 2. Configure the [`cloudflare_zero_trust_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_infrastructure_access_target) resource: - ```tf - resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" { - account_id = var.cloudflare_account_id - hostname = "infra-access-target" - ip = { - ipv4 = { - ip_addr = "187.26.29.249" - virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" - } - ipv6 = { - ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0" - virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" - } - } - } - ``` + ```tf + resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" { + account_id = var.cloudflare_account_id + hostname = "infra-access-target" + ip = { + ipv4 = { + ip_addr = "187.26.29.249" + virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" + } + ipv6 = { + ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0" + virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" + } + } + } + ``` -Next, create an infrastructure application to secure the target. +Next, create an infrastructure application to secure the target. \ No newline at end of file From fdd7a005fd21fd07c7106d89b8c5c20710c52e09 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 16:54:05 -0600 Subject: [PATCH 08/14] Discard changes to src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx --- .../cloudflare-one/ssh/ssh-proxy-ca.mdx | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) 
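Review bot: the last line of this hunk replaces `Next, create an infrastructure application to secure the target.` with the same text minus the trailing newline (`\ No newline at end of file`); restore the newline so the partial concatenates cleanly where it is rendered and the file does not show a spurious change on the next edit.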
diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx index c64a04dadd94285..1ee08d6eb0246ba 100644 --- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx +++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx 
@@ -1,28 +1,29 @@ --- {} + --- -import { Render, Details } from "~/components"; +import { Render, Details } from "~/components" -1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: SSH Auditing | Edit | + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: SSH Auditing | Edit | -2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API: +2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API: - ```bash - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` + ```bash + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \ + --header "Authorization: Bearer " + ``` -3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead: +3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead: - ```bash - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` + ```bash + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca \ + --header "Authorization: Bearer " + ``` -4. Copy the `public_key` value returned in the response. +4. Copy the `public_key` value returned in the response. From 955d61b8e98916cdae732a7d30d5f277ed279ce8 Mon Sep 17 00:00:00 2001 
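Review bot: this revert leaves `ssh-proxy-ca.mdx` as the one SSH page in the series whose `POST` and `GET` to `/access/gateway_ca` still show `{account_id}` and an empty `--header "Authorization: Bearer "`, so step 1 (create a token with `Access: SSH Auditing` Edit) no longer connects to a command that uses it. Keep the `$ACCOUNT_ID`/`$CLOUDFLARE_API_TOKEN` form from PATCH 01 and revert only the indentation and import changes.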
From: Max Phillips Date: Tue, 25 Feb 2025 17:01:47 -0600 Subject: [PATCH 09/14] Replace remote-management --- .../configure-tunnels/remote-management.mdx | 222 +++++++++--------- 1 file changed, 106 insertions(+), 116 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx index c8d5ea782f0a939..d6d74356d2a3593 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx @@ -49,12 +49,11 @@ On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl 4. To verify the new configuration, check the service status: - ```sh - sudo systemctl status cloudflared - ``` - - ```sh output - ● cloudflared.service - cloudflared + ```sh + sudo systemctl status cloudflared + ``` + ```sh output + ● cloudflared.service - cloudflared Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled) Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago Main PID: 2157 (cloudflared) @@ -63,7 +62,7 @@ On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl CPU: 136ms CGroup: /system.slice/cloudflared.service └─2157 /usr/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi... - ``` + ``` 
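Review bot: in the `@@ -49,12 +49,11 @@` hunk of `remote-management.mdx`, the blank line between the closing fence of `sudo systemctl status cloudflared` and the opening `sh output` fence is dropped, while the `openssl rand -base64 32` step later in the same file keeps a blank line between its command fence and its output fence. Keep the separator here so the two blocks are spaced the same way everywhere in the file.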
@@ -185,98 +184,91 @@ Cloudflare recommends rotating the tunnel token at a regular cadence to reduce t To rotate a tunnel token: -1. Refresh the token on Cloudflare: - - - - - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. -1. Select a `cloudflared` tunnel and select **Edit**. -1. Select **Refresh token**. -1. Copy the `cloudflared` installation command for your operating system. This command contains the new token. - - - - - - 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: - - ```sh - openssl rand -base64 32 - ``` - - ```sh output - AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= - ``` - - 2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: - - ```sh - curl --request PATCH \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "Example tunnel", - "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" - }' - ``` - - ```sh output {18} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", - "account_tag": "699d98642c564d2e855e9661899b7252", - "created_at": "2024-12-04T22:03:26.291225Z", - "deleted_at": null, - "name": "Example tunnel", - "connections": [], - "conns_active_at": null, - "conns_inactive_at": "2024-12-04T22:03:26.291225Z", - "tun_type": "cfd_tunnel", - "metadata": {}, - "status": "inactive", - "remote_config": true, - "token": "eyJhIjoiNWFiNGU5Z..." - } - } - ``` - - 3. Copy the `token` value shown in the output. - - - - - - After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. - -1. 
On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: - - ```sh - sudo cloudflared service install - ``` - -1. Restart `cloudflared`: - - ```sh - sudo systemctl restart cloudflared.service - ``` - -1. Confirm that the service started correctly: - - ```sh - sudo systemctl status cloudflared - ``` - - While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. - -1. Wait 10 minutes for traffic to route through the new connectors. - -1. Repeat steps 2, 3, and 4 for the second half of the replicas. +1. Refresh the token on Cloudflare: + + + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. + 2. Select a `cloudflared` tunnel and select **Edit**. + 3. Select **Refresh token**. + 4. Copy the `cloudflared` installation command for your operating system. This command contains the new token. + + + + + 1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret: + + ```sh + openssl rand -base64 32 + ``` + + ```sh output + AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= + ``` + + 2. 
Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint: + ```sh + curl --request PATCH \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "Example tunnel", + "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" + }' + ``` + + ```sh output {18} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", + "account_tag": "699d98642c564d2e855e9661899b7252", + "created_at": "2024-12-04T22:03:26.291225Z", + "deleted_at": null, + "name": "Example tunnel", + "connections": [], + "conns_active_at": null, + "conns_inactive_at": "2024-12-04T22:03:26.291225Z", + "tun_type": "cfd_tunnel", + "metadata": {}, + "status": "inactive", + "remote_config": true, + "token": "eyJhIjoiNWFiNGU5Z..." + } + } + ``` + 3. Copy the `token` value shown in the output. + + + + + After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. + +2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host: + + ```sh + sudo cloudflared service install + ``` + +3. Restart `cloudflared`: + + ```sh + sudo systemctl restart cloudflared.service + ``` + +4. Confirm that the service started correctly: + ```sh + sudo systemctl status cloudflared + ``` + + While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas. + +5. Wait 10 minutes for traffic to route through the new connectors. + +6. Repeat steps 2, 3, and 4 for the second half of the replicas. The tunnel token is now fully rotated. The old token is no longer in use. 
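Review bot: in the `@@ -185,98 +184,91 @@` hunk, step 4 (`Confirm that the service started correctly:`) is followed immediately by its fence, whereas steps 2 and 3 keep a blank line between the sentence and the fence; add the blank line for consistency. Moving from repeated `1.` items to explicit `2.` through `6.` is the right call, because step 6 says `Repeat steps 2, 3, and 4`, which only works with explicit numbers. One thing to verify before merge: step 2 says to update `cloudflared` to use the new token, but in the hunk as shown `sudo cloudflared service install` carries no token argument, so confirm the token placeholder survives on the rendered page.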
@@ -286,31 +278,29 @@ If your tunnel token is compromised, we recommend taking the following steps: 1. Refresh the token using the dashboard or API. Refer to Step 1 of [Rotate a token without service disruption](#rotate-a-token-without-service-disruption). 2. [Delete all connections](/api/resources/zero_trust/subresources/tunnels/subresources/connections/methods/delete/) between `cloudflared` and Cloudflare: + ```sh + curl --request DELETE \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` - ```sh - curl --request DELETE \ - https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` - - This will clean up any unauthorized connections and prevent users from connecting to your network. + This will clean up any unauthorized connections and prevent users from connecting to your network. 3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host: - ```sh - sudo cloudflared service install - ``` - + ```sh + sudo cloudflared service install + ``` 4. Restart `cloudflared`: - ```sh - sudo systemctl restart cloudflared.service - ``` + ```sh + sudo systemctl restart cloudflared.service + ``` 5. Confirm that the service started correctly: - ```sh - sudo systemctl status cloudflared - ``` + ```sh + sudo systemctl status cloudflared + ``` The tunnel token is now fully rotated. The old token is no longer in use. From fd834d0c20585f6d9ec46d470218e392e3c27bea Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 17:05:03 -0600 Subject: [PATCH 10/14] Replace entra-id --- .../identity/idp-integration/entra-id.mdx | 97 ++++++++++--------- 1 file changed, 49 insertions(+), 48 deletions(-) 
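Review bot: in the `@@ -286,31 +278,29 @@` hunk, the closing fence after `sudo cloudflared service install` now runs straight into `4. Restart`, and the closing fence after the `DELETE .../cfd_tunnel/$TUNNEL_ID/connections` call runs straight into `This will clean up any unauthorized connections`; the removed lines contained the blank separators and the added lines do not restore them, while every other fence in the file is followed by a blank line. Also worth one sentence in the text: the step order (refresh the token first, then delete connections) is what makes this procedure effective, since the file states that only a refreshed token stops `cloudflared` from establishing new connections with the old one, so deleting connections before refreshing would let a holder of the old token simply reconnect.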
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 5631cf3814eee16..0468ee5f1511fa4 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
@@ -19,31 +19,31 @@ The following Entra ID values are required to set up the integration: To retrieve those values: -1. Log in to the [Azure dashboard](https://portal.azure.com/). +1. Log in to the [Azure dashboard](https://portal.azure.com/). -2. Go to **All services** > **Microsoft Entra ID**. +2. Go to **All services** > **Microsoft Entra ID**. -3. In the sidebar, go to **Manage** > **Enterprise applications**. +3. In the sidebar, go to **Manage** > **Enterprise applications**. -4. Select **New application**, then select **Create your own application**. +4. Select **New application**, then select **Create your own application**. -5. Name your application. +5. Name your application. -6. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)** and then select **Create**. +6. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)** and then select **Create**. -7. Under **Redirect URI**, select the _Web_ platform and enter the following URL: +7. Under **Redirect URI**, select the _Web_ platform and enter the following URL: - ```txt - https://.cloudflareaccess.com/cdn-cgi/access/callback - ``` + ```txt + https://.cloudflareaccess.com/cdn-cgi/access/callback + ``` - You can find your team name in Zero Trust under **Settings** > **Custom Pages**. + You can find your team name in Zero Trust under **Settings** > **Custom Pages**. - ![Registering an application in Azure](~/assets/images/cloudflare-one/identity/azure/name-app.png) + ![Registering an application in Azure](~/assets/images/cloudflare-one/identity/azure/name-app.png) -8. Select **Register**. +8. Select **Register**. -9. Next, return to Microsoft Entra ID and go to go to **Manage** > **App registrations**. +9. Next, return to Microsoft Entra ID and go to go to **Manage** > **App registrations**. 10. Select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**. 
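Review bot: the `@@ -19,31 +19,31 @@` hunk in `entra-id.mdx` rewrites every line of steps 1 through 9 for whitespace only but leaves the duplicated words in step 9, `go to go to **Manage** > **App registrations**`; fix the typo while the line is being touched anyway.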
@@ -53,11 +53,9 @@ To retrieve those values: 12. Name the client secret and choose an expiration period. -:::note - -When the client secret expires, users will be unable to log in through Access. Take note of your expiry date to prevent login errors and renew your client secret when necessary. - -::: + :::note + When the client secret expires, users will be unable to log in through Access. Take note of your expiry date to prevent login errors and renew your client secret when necessary. + ::: 13. After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation. 
@@ -118,27 +116,28 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha -1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: Organizations, Identity Providers, and Groups | Edit | - -2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint: - - ```sh - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "Entra ID example", - "type": "azureAD", - "config": { - "client_id": "", - "client_secret": "", - "directory_id": "", - "support_groups": true - } - }' - ``` +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + + | Type | Item | Permission | + | ------- | ----------------------------------------------------- | ---------- | + | Account | Access: Organizations, Identity Providers, and Groups | Edit | + +2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint: + + ```sh + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "Entra ID example", + "type": "azureAD", + "config": { + "client_id": "", + "client_secret": "", + "directory_id": "", + "support_groups": true + } + }' + ``` 
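Review bot: in the `@@ -118,27 +116,28 @@` hunk, the `POST .../access/identity_providers` request sends a JSON body with `--data` but no `Content-Type: application/json` header, unlike the `PUT` example later in this file and the `add-infrastructure-app.mdx` hunk in this series, which both include it. Since the hunk already rewrites every line of the block, add the header so the examples are uniform. The widened table column alignment is fine.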
@@ -146,12 +145,13 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha The following example requires Cloudflare provider version `>=4.40.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Access: Organizations, Identity Providers, and Groups Write` +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + + - `Access: Organizations, Identity Providers, and Groups Write` -2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: +2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: - + @@ -185,7 +185,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto ### 2. Configure SCIM in Entra ID 
@@ -274,11 +274,12 @@ Access and Gateway policies for an Entra group will also apply to all [nested gr You can require users to re-enter their credentials into Entra ID whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting: 1. Make a `GET` request to the [Identity Providers endpoint](/api/resources/zero_trust/subresources/identity_providers/) and copy the response for the Entra ID identity provider. -2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example, +2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example: + ```sh {17} curl --request PUT \ - https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \ - --header "Authorization: Bearer " \ + https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", From cea5c6d88b66423cbdd03cbff2fc54820757affe Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 17:07:37 -0600 Subject: [PATCH 11/14] Replace add-infrastructure-app --- .../access/add-infrastructure-app.mdx | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) 
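Review bot: in the `@@ -274,11 +274,12 @@` hunk, the path now uses `$IDENTITY_PROVIDER_ID` while the body keeps the literal `"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"`; a reader who follows step 1 (copy the `GET` response) can end up with a path ID and a body `id` for different providers. Either say that both must refer to the same identity provider or use the variable in both places. The added blank line sits before the fence, so the `{17}` highlight inside the block is unaffected.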
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx index 83b1d869e4a587f..8281dece8096e08 100644 --- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx +++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx @@ -1,10 +1,8 @@ --- {} - --- -import { Tabs, TabItem, Render } from "~/components" - +import { Tabs, TabItem, Render } from "~/components"; @@ -34,15 +32,16 @@ import { Tabs, TabItem, Render } from "~/components" 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: Apps & Policies | Edit | + + | Type | Item | Permission | + | ------- | ----------------------- | ---------- | + | Account | Access: Apps & Policies | Edit | 2. Make a `POST` request to the [Access applications](/api/resources/zero_trust/subresources/access/subresources/applications/methods/create/) endpoint: ```sh - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \ - --header "Authorization: Bearer " \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Example infrastructure app", From 5a13794f7a05f8b66c7d0f213dff205cf9cbd599 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 17:08:25 -0600 Subject: [PATCH 12/14] Replace add-target --- src/content/partials/cloudflare-one/access/add-target.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx index ef396379b2476d9..8f996522e09d6c0 100644 --- a/src/content/partials/cloudflare-one/access/add-target.mdx 
+++ b/src/content/partials/cloudflare-one/access/add-target.mdx @@ -1,9 +1,8 @@ --- {} - --- -import { Tabs, TabItem, Render, Details } from "~/components" +import { Tabs, TabItem, Render, Details } from "~/components"; A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. @@ -30,6 +29,7 @@ If the target IP does not appear in the dropdown, go to **Networks** > **Routes* 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + | Type | Item | Permission | | ------- | ---------------- | ---------- | | Account | Zero Trust | Edit | @@ -37,8 +37,8 @@ If the target IP does not appear in the dropdown, go to **Networks** > **Routes* 2. Make a `POST` request to the [Infrastructure Access Targets](/api/resources/zero_trust/subresources/access/subresources/infrastructure/subresources/targets/methods/create/) endpoint: ```sh - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \ - --header "Authorization: Bearer " \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "hostname": "infra-access-target", "ip": { From e845481dfc39013deea72f0657b55c0384aee232 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 25 Feb 2025 17:11:21 -0600 Subject: [PATCH 13/14] Replace ssh-proxy-ca --- .../cloudflare-one/ssh/ssh-proxy-ca.mdx | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx index 1ee08d6eb0246ba..b65894ac3fc51a0 100644 --- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx 
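Review bot: in the `add-target.mdx` hunk `@@ -37,8 +37,8 @@`, the `POST .../infrastructure/targets` request has no `Content-Type: application/json` header (same point as the entra-id `POST`). Separately, the permission table in `@@ -30,6 +29,7 @@` asks for `Zero Trust | Edit`, which is far broader than the `Access: Apps & Policies | Edit` the sibling `add-infrastructure-app.mdx` hunk requires; if creating a target genuinely needs the account-wide Zero Trust scope, say so in the text, otherwise narrow it so readers mint least-privilege tokens.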
+++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx @@ -1,29 +1,28 @@ --- {} - --- -import { Render, Details } from "~/components" +import { Render, Details } from "~/components"; 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - | Type | Item | Permission | - | ------- | ---------------- | ---------- | - | Account | Access: SSH Auditing | Edit | + | Type | Item | Permission | + | ------- | -------------------- | ---------- | + | Account | Access: SSH Auditing | Edit | 2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API: - ```bash - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \ - --header "Authorization: Bearer " - ``` + ```bash + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` 3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead: - ```bash - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca \ - --header "Authorization: Bearer " - ``` + ```bash + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` 4. Copy the `public_key` value returned in the response. From b4724c02d102411175206c8438f8e6ba5e6aa58e Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 25 Feb 2025 17:22:28 -0600 Subject: [PATCH 14/14] Update implementation guides --- .../build-policies/create-policy.mdx | 15 ++++++-------- .../build-dns-policies/create-list.mdx | 2 +- .../build-dns-policies/create-policy.mdx | 2 +- .../deploy-egress-ips.mdx | 2 +- .../build-http-policies/browser-isolation.mdx | 20 ++++++++----------- .../data-loss-prevention.mdx | 12 +++++------ .../build-http-policies/tls-inspection.mdx | 9 ++++----- .../isolate-application.mdx | 20 ++++++++----------- .../zero-trust/device-profiles.mdx | 10 ++++------ 9 files changed, 38 insertions(+), 54 deletions(-) diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx index 5536cea49ff6f53..f07eaecfcd88ede 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx @@ -38,9 +38,8 @@ To create a new policy, open [Zero Trust](https://one.dash.cloudflare.com/) and ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Company Wiki DNS policy", @@ -101,9 +100,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Company Wiki network policy", 
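Review bot: the `create-policy.mdx` hunks in PATCH 14/14 change the documented authentication from `X-Auth-Email`/`X-Auth-Key` (the global API key) to `Authorization: Bearer $CLOUDFLARE_API_TOKEN`, which is more than the commit message `Update implementation guides` conveys; state it in the message. Because API tokens are scoped, the guide should also tell readers which permission to grant, as the `Create an API token` tables do in the partials touched earlier in this series.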
@@ -159,9 +157,8 @@ We recommend adding a catch-all policy to the bottom of your network policy list ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Catch-all block policy", diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index eee0f7f65f00e66..cc9b9f9e557d62f 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx @@ -28,7 +28,7 @@ The following DNS policy will allow access to all approved corporate domains inc ```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index 06e523498c23367..b5d707de538362c 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
@@ -37,7 +37,7 @@ For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/d To create a new DNS policy using cURL: ```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/deploy-egress-ips.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/deploy-egress-ips.mdx index 441c47039cdc0e0..fe83882fc826b27 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/deploy-egress-ips.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/deploy-egress-ips.mdx @@ -42,7 +42,7 @@ We recommend building baseline egress policies that can cover a majority of your ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/browser-isolation.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/browser-isolation.mdx index b4e692ad62235be..0c97a3f510fa197 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/browser-isolation.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/browser-isolation.mdx 
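Review bot: the `create-list.mdx` `@@ -28,7 +28,7 @@`, `create-policy.mdx` `@@ -37,7 +37,7 @@` and `deploy-egress-ips.mdx` `@@ -42,7 +42,7 @@` hunks replace `{account_id}` with `$ACCOUNT_ID` but leave `--header "Authorization: Bearer " \` untouched, whereas the other PATCH 14/14 hunks use `$CLOUDFLARE_API_TOKEN`. Apply the same substitution here so every example in the series uses one set of variables.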
@@ -48,9 +48,8 @@ You can control potential risk and shape user behavior without applying heavy-ha ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "action": "isolate", @@ -117,9 +116,8 @@ In this context, if some traffic is unknown to your organization, Cloudflare wil ```bash title="Allow known applications and websites" -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "action": "isolate", @@ -142,9 +140,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ``` ```bash title="Block security risks" -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "action": "isolate", @@ -167,9 +164,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ``` ```bash title="Isolate all other traffic" -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "action": "isolate", 
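Review bot: in `browser-isolation.mdx`, the block titled `Block security risks` (`@@ -142,9 +140,8 @@`) and the block titled `Allow known applications and websites` (`@@ -117,9 +116,8 @@`) both show `"action": "isolate"` in their visible lines; confirm that the titles match the intended Gateway actions, since a block labelled as a block that actually isolates would mislead readers about what happens to the traffic. The header substitutions in all four hunks are consistent with the rest of the series.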
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx index 8f6925cc85dfd6e..26a123ce42441e8 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx @@ -46,9 +46,8 @@ To help this better match the needs of your organization, you can also build a c ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "action": "block", @@ -98,9 +97,8 @@ For example, you can use a custom expression to detect when your users share pro ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "action": "block", @@ -158,7 +156,7 @@ Many organizations want to detect and log financial information egressing from u ```bash title="Block financial information shared with AI" -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ 
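Review bot: in `data-loss-prevention.mdx`, the `@@ -158,7 +156,7 @@` hunk (`Block financial information shared with AI`) keeps `--header "Authorization: Bearer " \` while the two hunks above it in the same file switch to `$CLOUDFLARE_API_TOKEN`; make the third block match.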
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx index b793700bb0ec3e2..94fe8e71434ba55 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx @@ -77,7 +77,7 @@ For example, if users are issued a corporate-managed iPhone with limited permiss 1. Create a list of device serial numbers that you do not want to inspect. ```bash - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/lists \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ @@ -96,7 +96,7 @@ For example, if users are issued a corporate-managed iPhone with limited permiss 2. Create a Do Not Inspect policy that checks the device against the list of serial numbers. ```bash - curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " \ --header "Content-Type: application/json" \ @@ -141,9 +141,8 @@ If you filter your network-connected devices with Magic WAN tunnels, the WARP Co ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Do not inspect corporate devices", 
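Review bot: `tls-inspection.mdx` ends up mixing authentication styles: `@@ -77,7 +77,7 @@` and `@@ -96,7 +96,7 @@` keep `X-Auth-Email`/`X-Auth-Key` while `@@ -141,9 +141,8 @@` switches to `Authorization: Bearer $CLOUDFLARE_API_TOKEN`. Use the token form in all three; the global API key carries full account privileges, so the guide should not steer readers toward it in two of its three examples.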
diff --git a/src/content/docs/learning-paths/zero-trust-web-access/advanced-workflows/isolate-application.mdx b/src/content/docs/learning-paths/zero-trust-web-access/advanced-workflows/isolate-application.mdx index 7d34d4c83455093..c2e871a42912de3 100644 --- a/src/content/docs/learning-paths/zero-trust-web-access/advanced-workflows/isolate-application.mdx +++ b/src/content/docs/learning-paths/zero-trust-web-access/advanced-workflows/isolate-application.mdx @@ -67,9 +67,8 @@ with HTTP policies applied"] ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_uuid}/policies \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_UUID/policies \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "decision": "allow", @@ -114,9 +113,8 @@ To create a list of serial numbers, refer to [Create Zero Trust list](/api/resou ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_uuid}/policies \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_UUID/policies \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "decision": "allow", @@ -164,9 +162,8 @@ Prevents users on unmanaged devices from downloading any files from your private ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Disable file downloads in isolated browser", 
@@ -250,9 +247,8 @@ Block users on unmanaged devices from downloading files that contain credit card ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "Block credit card numbers", diff --git a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx index 411b106ccc846e2..ae3e49c976d3bdc 100644 --- a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx +++ b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx @@ -48,9 +48,8 @@ To customize the default settings: ```bash curl --request PATCH \ -https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "allow_mode_switch": false, @@ -72,9 +71,8 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy \ ```bash curl --request PUT \ -https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/settings \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/settings \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "disable_for_time": 3600,
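Review bot: the first hunk of data-loss-prevention.mdx (@@ -46) does more than the commit title "Replace account ID variable" says: it also drops the `X-Auth-Email`/`X-Auth-Key` pair in favour of `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"`. That is the right direction (a scoped API token instead of the account-wide Global API Key), but the commit message should say so, or the auth-header change should go in its own commit, so that reviewers and readers of the history can find where the documented authentication scheme changed.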
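Review bot: the third hunk of data-loss-prevention.mdx (@@ -158, "Block financial information shared with AI") only swaps the account ID and leaves `--header "Authorization: Bearer " \` with an empty token value, while the two hunks above it in the same file use `$CLOUDFLARE_API_TOKEN`. Change it to `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \` so all three examples on the page read the token from the same variable; as written, a copy-pasted command sends an empty bearer token and fails with an authentication error.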
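Review bot: the first hunk of tls-inspection.mdx (@@ -77, the `gateway/lists` call) keeps `--header "X-Auth-Email: " \` and `--header "X-Auth-Key: " \` while the third hunk in the same file (@@ -141) moves to `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"`. Since the page is already being touched, migrate this example to the bearer token as well; leaving it on the Global API Key steers readers toward a credential with full account scope when a token limited to Zero Trust permissions is enough for this call.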
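Review bot: the second hunk of tls-inspection.mdx (@@ -96, the `gateway/rules` call for the Do Not Inspect policy) has the same inconsistency as the hunk before it: the account ID becomes `$ACCOUNT_ID` but the `X-Auth-Email`/`X-Auth-Key` headers stay, with empty values. Replace them with the `Authorization: Bearer $CLOUDFLARE_API_TOKEN` header used at @@ -141 so that step 1 and step 2 of the procedure authenticate the same way.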
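Review bot: the first hunk of isolate-application.mdx (@@ -67) introduces a second shell variable, `$APP_UUID`, in place of the `{app_uuid}` placeholder, and the hunk at @@ -114 repeats it. The visible lines do not show where the page tells the reader to set it; make sure the surrounding text names `$APP_UUID` next to `$ACCOUNT_ID` and says it is the Access application's `id`, otherwise the unquoted URL expands to `.../access/apps//policies` when the variable is unset and the request silently targets the wrong path.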
