From fa7ccc822a607cfbbce5a4dca20eca43a07b33de Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 31 Mar 2025 13:45:23 -0500 Subject: [PATCH 1/4] Update network policies --- .../applications/non-http/infrastructure-apps.mdx | 8 ++++---- .../policies/gateway/network-policies/index.mdx | 14 ++++++++------ 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx index f27d2cc66be90da..7060160b33bf7ab 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx @@ -37,7 +37,7 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti ## 1. Add a target - + ## 2. Add an infrastructure application @@ -122,9 +122,9 @@ The following [Access policy selectors](/cloudflare-one/policies/access/#selecto By default, Cloudflare will evaluate Access infrastructure application policies after evaluating all Gateway network policies. To evaluate Access infrastructure applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/): -| Selector | Operator | Value | Action | -| ---------------------- | -------- | ----- | ------ | -| All Access App Targets | is | on | Allow | +| Selector | Operator | Value | Action | +| ---------------------------- | -------- | --------- | ------ | +| Access Infrastructure Target | is | _Present_ | Allow | You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence). 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx index b38e82eb33bac37..9cb5671c39436f1 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx @@ -40,8 +40,8 @@ API value: `allow` **Traffic** -- [All Access Private Apps](#all-access-private-app-destinations) -- [All Access App Targets](#all-access-app-targets) +- [Access Infrastructure Target](#access-infrastructure-target) +- [Access Private App](#access-private-app) - [Application](#application) - [Content Categories](#content-categories) - [Destination Continent IP Geolocation](#destination-continent) @@ -137,6 +137,8 @@ API value: `block` **Traffic** +- [Access Infrastructure Target](#access-infrastructure-target) +- [Access Private App](#access-private-app) - [Application](#application) - [Content Categories](#content-categories) - [Destination Continent IP Geolocation](#destination-continent) @@ -232,13 +234,13 @@ Gateway will only log successful override connections in your [network logs](/cl Gateway matches network traffic against the following selectors, or criteria. -### All Access Private App Destinations +### Access Infrastructure Target - + -### All Access App Targets +### Access Private App - + ### Application From 48ecd115a5b0aaac4c0f788d9747983a4378e93f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 31 Mar 2025 13:46:40 -0500 Subject: [PATCH 2/4] Update HTTP policies --- .../policies/gateway/http-policies/index.mdx | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index b43252245c49afa..38adf05b92023a4 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx @@ -40,6 +40,8 @@ API value: `allow` **Traffic** +- [Access Infrastructure Target](#access-infrastructure-target) +- [Access Private App](#access-private-app) - [Application](#application) - [Content Categories](#content-categories) - [Destination Continent IP Geolocation](#destination-continent) @@ -105,6 +107,8 @@ API value: `block` **Traffic** +- [Access Infrastructure Target](#access-infrastructure-target) +- [Access Private App](#access-private-app) - [Application](#application) - [Content Categories](#content-categories) - [Destination Continent IP Geolocation](#destination-continent) @@ -393,13 +397,13 @@ Policies created using the URL selector are case-sensitive. Gateway matches HTTP traffic against the following selectors, or criteria: -### All Access Private App Destinations +### Access Infrastructure Target - + -### All Access App Targets +### Access Private App - + ### Application From bc99b913a7aa682cb01dc17b5606df8031002606 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 31 Mar 2025 14:00:36 -0500 Subject: [PATCH 3/4] Update partials --- .../non-http/self-hosted-private-app.mdx | 37 +++++++++++-------- .../selectors/all-access-app-targets.mdx | 6 +-- .../all-access-private-app-destinations.mdx | 6 +-- 3 files changed, 28 insertions(+), 21 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx index 04368a06d043fbe..87d402feb6e391b 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx 
@@ -22,25 +22,29 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl ## Add your application to Access - + -6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. +6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. - :::note - Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI). - ::: + :::note + Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI). + ::: 7. -8. Configure how users will authenticate: +8. Configure how users will authenticate: - 1. Select the [**Identity providers**](/cloudflare-one/identity/idp-integration/) you want to enable for your application. + 1. Select the [**Identity providers**](/cloudflare-one/identity/idp-integration/) you want to enable for your application. - 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/applications/login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. + 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/applications/login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. - 3. 
(Recommended) Turn on **WARP authentication identity** to allow users to authenticate to the application using their [WARP session identity](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). We recommend turning this on if your application is not in the browser and cannot handle a `302` redirect. + 3. (Recommended) Turn on **WARP authentication identity** to allow users to authenticate to the application using their [WARP session identity](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). We recommend turning this on if your application is not in the browser and cannot handle a `302` redirect. -9. Select **Next**. +9. Select **Next**. 10. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. @@ -48,9 +52,12 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl 12. Select **Next**. -13. +13. - These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). + These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). 14. Select **Save**. 
@@ -74,9 +81,9 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece By default, Cloudflare will evaluate a private application's Access policies after evaluating all Gateway network policies. To evaluate Access private applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/): -| Selector | Operator | Value | Action | -| ----------------------------------- | -------- | ----- | ------ | -| All Access App Private Destinations | is | on | Allow | +| Selector | Operator | Value | Action | +| ------------------ | -------- | --------- | ------ | +| Access Private App | is | _Present_ | Allow | You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence). diff --git a/src/content/partials/cloudflare-one/gateway/selectors/all-access-app-targets.mdx b/src/content/partials/cloudflare-one/gateway/selectors/all-access-app-targets.mdx index 366713b9fef7a23..8a0208de9684dae 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/all-access-app-targets.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/all-access-app-targets.mdx @@ -4,6 +4,6 @@ All [targets](/cloudflare-one/applications/non-http/infrastructure-apps/#1-add-a-target) secured by an [Access infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/). -| UI name | API example | -| ---------------------- | --------------- | -| All Access App Targets | `access.target` | +| UI name | API example | +| ---------------------------- | --------------- | +| Access Infrastructure Target | `access.target` | 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/all-access-private-app-destinations.mdx b/src/content/partials/cloudflare-one/gateway/selectors/all-access-private-app-destinations.mdx index 83a5e25248314eb..1f25ee627fa4e07 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/all-access-private-app-destinations.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/all-access-private-app-destinations.mdx @@ -4,6 +4,6 @@ All destination IPs and hostnames secured by an [Access self-hosted private application](/cloudflare-one/applications/non-http/self-hosted-private-app/). -| UI name | API example | -| ----------------------------------- | -------------------- | -| All Access Private App Destinations | `access.private_app` | +| UI name | API example | +| ------------------ | -------------------- | +| Access Private App | `access.private_app` | From bccb71db547d381ec1f60ecfc0e0369e9c005c5f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 31 Mar 2025 14:05:53 -0500 Subject: [PATCH 4/4] Fix formatting --- .../applications/non-http/self-hosted-private-app.mdx | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx index 87d402feb6e391b..6b32216ee4840f7 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx 
@@ -39,9 +39,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl 8. Configure how users will authenticate: 1. Select the [**Identity providers**](/cloudflare-one/identity/idp-integration/) you want to enable for your application. - 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/applications/login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. - 3. (Recommended) Turn on **WARP authentication identity** to allow users to authenticate to the application using their [WARP session identity](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). We recommend turning this on if your application is not in the browser and cannot handle a `302` redirect. 9. Select **Next**.
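Review bot: in patch 1/4, hunk `@@ -122,9 +122,9 @@` of infrastructure-apps.mdx, the row `| Access Infrastructure Target | is | _Present_ | Allow |` changes the value from the literal `on` to an italicised `_Present_`, but nothing on the page shows the equivalent API expression: the selector partial edited in patch 3/4 lists only the field name `access.target` under "API example". A reader building this policy via the API has no expression to copy; add the API form of the "is Present" match next to the table (or in the partial) so the UI row and the API column correspond.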
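Review bot: in patch 1/4, hunk `@@ -137,6 +137,8 @@` of network-policies/index.mdx adds `Access Infrastructure Target` and `Access Private App` to the Block selector list, which is a functional documentation change rather than part of the rename the commit message "Update network policies" describes; before this patch both selectors were listed under Allow only. Either confirm that Gateway Block network policies accept `access.target` and `access.private_app` and say so in the commit message, or drop this hunk from the rename.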
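Review bot: in patch 1/4, hunk `@@ -232,13 +234,13 @@` of network-policies/index.mdx swaps the two headings in place (the slot that held `### All Access Private App Destinations` now carries `### Access Infrastructure Target`, and the `All Access App Targets` slot now carries `### Access Private App`) while the include lines under each heading are not visible in this rendering. Confirm that each heading now renders the matching partial, `all-access-app-targets.mdx` (UI name "Access Infrastructure Target", `access.target`) under the first and `all-access-private-app-destinations.mdx` ("Access Private App", `access.private_app`) under the second, since the partial file names still carry the old UI names and a swapped include would put the wrong description under each heading. The identical hunk `@@ -393,13 +397,13 @@` in http-policies/index.mdx (patch 2/4) needs the same check.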
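Review bot: in patch 2/4, hunks `@@ -40,6 +40,8 @@` and `@@ -105,6 +107,8 @@` of http-policies/index.mdx list `Access Infrastructure Target` as an HTTP-policy selector for Allow and Block, yet infrastructure-apps.mdx (patch 1/4) states "Access for Infrastructure currently only supports SSH", which is not HTTP traffic, so a policy keyed on `access.target` should have nothing to match in the HTTP engine. Either document the HTTP scenario in which this selector applies or keep it to network policies. `Access Private App` is consistent here, because self-hosted-private-app.mdx says private hostnames are HTTPS on port `443` and depend on Gateway TLS decryption.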
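Review bot: in patch 3/4, hunk `@@ -22,25 +22,29 @@` of self-hosted-private-app.mdx is almost entirely re-indentation of steps 6 through 13 with no wording change (for example `-6. Add the private IP and/or private hostname` / `+6. Add the private IP and/or private hostname`), under a commit titled "Update partials". The only substantive change in this file is the selector table in `@@ -74,9 +81,9 @@`. Move the whitespace reflow into its own commit (or into 4/4, which already touches these lines) so the selector rename can be reviewed on its own.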
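Review bot: in patch 3/4, hunk `@@ -74,9 +81,9 @@` of self-hosted-private-app.mdx replaces the row `| All Access App Private Destinations | is | on | Allow |`, whose selector name never matched the partial's UI name `All Access Private App Destinations` (see `all-access-private-app-destinations.mdx` in the same patch). The rename to `Access Private App` fixes that inconsistency as a side effect; note it in the commit message so the fix is not lost if the rename is reverted.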
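Review bot: in patch 3/4, the two partial hunks (`@@ -4,6 +4,6 @@` in `all-access-app-targets.mdx` and `all-access-private-app-destinations.mdx`) change the "UI name" cell but leave the file names and the descriptive sentences ("All targets secured by ...", "All destination IPs and hostnames secured by ...") on the old wording. Rename the partial files to match the new UI names (and update every include that references them), or at least make the description sentences name the selector as it now appears in the dashboard, so the next editor does not have to map "all-access-app-targets" to "Access Infrastructure Target" by reading the table.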
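Review bot: in patch 4/4, hunk `@@ -39,9 +39,7 @@` of self-hosted-private-app.mdx, the two removed lines render here as `- 2. (Recommended) ... Instant Auth` and `- 3. (Recommended) ... WARP authentication identity`, which is ambiguous between deleting the blank lines above sub-steps 2 and 3 and deleting the sub-steps themselves; the stat line (`2 deletions`, no insertions) fits either reading. If only the blank lines go, this is a whitespace fix to lines that patch 3/4 just re-indented and should be squashed into 3/4. If the sub-steps go, a commit titled "Fix formatting" silently drops the Instant Auth and WARP session identity guidance; confirm which before merging.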