From ecfe5d2b8ae3ae86664308de3c03f01fa326b783 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 17 Jun 2025 14:14:24 -0500 Subject: [PATCH 1/3] Update HTTP policies and partials --- .../policies/gateway/http-policies/index.mdx | 22 +++++++------------ .../gateway/selectors/domain.mdx | 6 ++--- .../cloudflare-one/gateway/selectors/host.mdx | 4 ++++ 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index 140fc8c50e65920..b5eba9484187e20 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx @@ -446,11 +446,10 @@ Only applies to traffic sent through the [WARP client](/cloudflare-one/connectio ### Domain -Use this selector to match against a domain and all subdomains -- for example, if you want to block `example.com` and subdomains such as `www.example.com`. - -| UI name | API example | -| ------- | -------------------------------------------- | -| Domain | `any(http.conn.domains[*] == "example.com")` | + ### Download and Upload File Size @@ -549,15 +548,10 @@ Scans HTTP traffic for the presence of social security numbers and other PII. Yo ### Host -Use this selector to match only the hostname specified -- for example, if you want to block `test.example.com` but not `example.com` or `www.test.example.com`. - -| UI name | API example | -| ------- | ------------------------------------------ | -| Host | `http.conn.hostname == "test.example.com"` | - -:::note -Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. -::: + ### HTTP Method 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx index c85501f76d238fa..b850d9ee11c0271 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx @@ -5,6 +5,6 @@ params: Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. -| UI name | API example | Evaluation phase | -| ------- | ------------------------------------------------- | --------------------- | -| Domain | any({props.APIendpoint}[*] in \{1\}) | Before DNS resolution | +| UI name | API example | Evaluation phase | +| ------- | --------------------------------------------------------- | --------------------- | +| Domain | any({props.APIendpoint}[*] == "example.com") | Before DNS resolution | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx index ae797bf3d89e340..f8afad9736795f9 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx @@ -8,3 +8,7 @@ Use this selector to match against only the hostname specified. For example, you | UI name | API example | Evaluation phase | | ------- | --------------------------------------------------- | --------------------- | | Host | {props.APIendpoint} == \"example.com\" | Before DNS resolution | + +:::note +Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. +::: From 791ed4b5f574fdf4463e3ffdf9951d7fb60afc07 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 17 Jun 2025 14:26:54 -0500 Subject: [PATCH 2/3] Add non-latin limitation to lists --- src/content/docs/cloudflare-one/policies/gateway/lists.mdx | 6 +++++- .../partials/cloudflare-one/gateway/selectors/host.mdx | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/lists.mdx b/src/content/docs/cloudflare-one/policies/gateway/lists.mdx index 6550528bc25a2bc..43f11b68f5b503c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/lists.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/lists.mdx @@ -47,9 +47,13 @@ Your lists can include up to 1,000 entries for Standard plans and 5,000 for Ente Hostname lists do not support wildcard entries. You will need to add domains as exact matches. Adding a wildcard to lists comprised of hostnames will return an error when you save. +### Non-Latin characters + +Gateway supports non-Latin characters by converting all domains and hostnames to [Punycode](https://www.rfc-editor.org/rfc/rfc3492.txt). Once you save a list with non-Latin characters, Gateway will display the entry as Punycode. + ### Duplicate entries -Lists cannot have duplicate entries. Because hostnames are converted to [Punycode](https://www.rfc-editor.org/rfc/rfc3492.txt), multiple list entries that convert to the same string will count as duplicates. For example, `éxàmple.com` converts to `xn—xmple-rqa5d.com`, so including both `éxàmple.com` and `xn—xmple-rqa5d.com` in a list will result in a duplicate error. +Lists cannot have duplicate entries. Because domains and hostnames are converted to [Punycode](#non-latin-characters), multiple list entries that convert to the same string will count as duplicates. For example, `éxàmple.com` converts to `xn—xmple-rqa5d.com`, so including both `éxàmple.com` and `xn—xmple-rqa5d.com` in a list will result in a duplicate error. ### URL slashes 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx index f8afad9736795f9..a73067c963c2d9d 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx @@ -9,6 +9,8 @@ Use this selector to match against only the hostname specified. For example, you | ------- | --------------------------------------------------- | --------------------- | | Host | {props.APIendpoint} == \"example.com\" | Before DNS resolution | +Gateway does not support non-Latin characters. To use a hostname with non-Latin characters, add it to a [list](/cloudflare-one/policies/gateway/lists/). + :::note Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. ::: From 8a53c8983cf418075c6a8981e1fbde6529a6295f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 17 Jun 2025 14:34:23 -0500 Subject: [PATCH 3/3] Add non-latin characters partial to selector entries --- .../partials/cloudflare-one/gateway/selectors/domain.mdx | 7 +++++++ .../partials/cloudflare-one/gateway/selectors/host.mdx | 7 ++++++- .../gateway/selectors/non-latin-characters.mdx | 6 ++++++ 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/non-latin-characters.mdx diff --git a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx index b850d9ee11c0271..e77f437152e517f 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx 
@@ -3,8 +3,15 @@ params: - APIendpoint --- +import { Render } from "~/components"; + Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. | UI name | API example | Evaluation phase | | ------- | --------------------------------------------------------- | --------------------- | | Domain | any({props.APIendpoint}[*] == "example.com") | Before DNS resolution | + + diff --git a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx index a73067c963c2d9d..e929c322a6ae67b 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx @@ -3,13 +3,18 @@ params: - APIendpoint --- +import { Render } from "~/components"; + Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. | UI name | API example | Evaluation phase | | ------- | --------------------------------------------------- | --------------------- | | Host | {props.APIendpoint} == \"example.com\" | Before DNS resolution | -Gateway does not support non-Latin characters. To use a hostname with non-Latin characters, add it to a [list](/cloudflare-one/policies/gateway/lists/). + :::note Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. diff --git a/src/content/partials/cloudflare-one/gateway/selectors/non-latin-characters.mdx b/src/content/partials/cloudflare-one/gateway/selectors/non-latin-characters.mdx new file mode 100644 index 000000000000000..22ea19575fe4576 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/non-latin-characters.mdx 
@@ -0,0 +1,6 @@ +--- +params: + - inputType +--- + +Gateway policies do not support {props.inputType}s with non-Latin characters directly. To use a {props.inputType} with non-Latin characters, add it to a [list](/cloudflare-one/policies/gateway/lists/).
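Review bot: In [PATCH 1/3], the Host hunk of `http-policies/index.mdx` removes a table whose API example was `http.conn.hostname == "test.example.com"`, but the `selectors/host.mdx` partial that takes its place shows `{props.APIendpoint} == \"example.com\"` directly under prose that says the selector matches `test.example.com` but not `example.com`. Change the partial's example to `test.example.com` so the expression agrees with the sentence introducing it, and use one quoting style in both partials (the Domain partial writes `== "example.com"` without backslashes).
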
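Review bot: The `:::note` appended to `selectors/host.mdx` in [PATCH 1/3] links to `[Domain](#domain)`, a same-page anchor that resolves only when the page rendering the partial also has a Domain heading. The partial takes an `APIendpoint` parameter, so it is meant to be included from more than one page; confirm each including page has a `### Domain` section, or replace the anchor with an absolute link.
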
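Review bot: The rewritten Duplicate entries paragraph in `lists.mdx` ([PATCH 2/3]) still prints the converted name as `xn—xmple-rqa5d.com`, with a single long dash after `xn`, in both places it appears. The Punycode ACE prefix is `xn--` (two ASCII hyphens), so a reader who copies the example into a list gets a string that is not a valid encoded label and will not collide with `éxàmple.com` the way the paragraph describes. Since the line is already being changed, write both occurrences with `xn--` and check that the code span is not being typographically converted at render time.
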
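Review bot: The sentence added to `selectors/host.mdx` in [PATCH 2/3], `Gateway does not support non-Latin characters.`, contradicts the Non-Latin characters section added to `lists.mdx` in the same commit, which opens with `Gateway supports non-Latin characters`. [PATCH 3/3] replaces it with wording scoped to policies, so either use that scoped wording here or squash 2/3 and 3/3 so the contradictory sentence never lands in history.
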
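Review bot: The new `non-latin-characters.mdx` partial in [PATCH 3/3] says these values are not supported "directly" but does not say what happens when one is typed into a policy expression: a validation error on save, or a rule that saves and then never matches. For a Block policy the second outcome fails open without any signal to the administrator, so the partial should state the behaviour. Separately, `{props.inputType}s` forms the plural by appending `s` and the next sentence hardcodes the article `a`, which only reads correctly for some values; list the accepted `inputType` values beside `params`, or pass the plural form as a second parameter.
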