Skip to content

[CF1] private IP and BISO limit #22244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
May 7, 2025
Merged

[CF1] private IP and BISO limit #22244

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0a5a6e3
[CF1] private IP and BISO limit
deadlypants1973 May 6, 2025
ceab3f1
Update src/content/docs/cloudflare-one/policies/browser-isolation/kno…
deadlypants1973 May 7, 2025
55c9c4e
Update src/content/docs/cloudflare-one/policies/browser-isolation/kno…
deadlypants1973 May 7, 2025
1ae500f
Update src/content/docs/cloudflare-one/applications/non-http/self-hos…
deadlypants1973 May 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.

:::note
Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI).
Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI). If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/policies/browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports).
:::

7. <Render file="access/add-access-policies" product="cloudflare-one" />
Expand Down
6 changes: 6 additions & 0 deletions src/content/docs/cloudflare-one/policies/browser-isolation/known-limitations.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,3 +119,9 @@ Some applications that use HTTP-POST bindings (such as Salesforce) complete SSO
| Precedence | Selector | Operator | Value | Action |
| ---------- | -------- | -------- | ------------------------------------ | ------- |
| 2 | Host | in | `your-salesforce-domain.example.com` | Isolate |

## Browser Isolation is not compatible with private IPs on non-`443` ports

Browser Isolation is not compatible with [self-hosted private applications](/cloudflare-one/applications/non-http/self-hosted-private-app/) that use private IP addresses on ports other than `443`. Trying to access self-hosted applications defined by private IPs on ports other than `443` will result in a Gateway block page.

To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](/cloudflare-one/applications/non-http/legacy-private-network-app/) instead.
Loading