diff --git a/public/__redirects b/public/__redirects index 9ae3f191d84218b..eecb918e9592a7e 100644 --- a/public/__redirects +++ b/public/__redirects @@ -2142,6 +2142,7 @@ /cloudflare-one/policies/filtering/enforce-sessions/ /cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/ 301 /cloudflare-one/policies/zero-trust/policy-management/ /cloudflare-one/policies/access/policy-management/ 301 /cloudflare-one/policies/filtering/dns-policies-builder/ /cloudflare-one/policies/gateway/dns-policies/ 301 +/cloudflare-one/policies/gateway/http-policies/websocket/ /cloudflare-one/policies/gateway/http-policies/common-policies/#filter-websocket-traffic 301 /cloudflare-one/cloudflare-teams-roles-permissions/ /cloudflare-one/roles-permissions/ 301 /cloudflare-one/technical-limitations/ /cloudflare-one/account-limits/ 301 /support/traffic/argo-tunnel/ /cloudflare-one/connections/connect-networks/ 301 diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 98c9a9143f7c446..fcf459cd038ad25 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -415,3 +415,37 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ``` + +## Filter WebSocket traffic + +Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](/logs/logpush/logpush-job/datasets/account/zero_trust_network_sessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code. + + + +| Selector | Operator | Value | Action | +| ------------- | -------- | ------------------------- | ------ | +| HTTP Response | is | _101 SWITCHING_PROTOCOLS_ | Allow | + + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Filter WebSocket", + "description": "Filter WebSocket traffic with HTTP response code 101", + "enabled": true, + "action": "allow", + "filters": [ + "http" + ], + "traffic": "http.response.status_code == 101", + "identity": "", + "device_posture": "" +}' +``` + + diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx deleted file mode 100644 index ac5f2fcb9345f39..000000000000000 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx +++ /dev/null @@ -1,12 +0,0 @@ ---- -pcx_content_type: how-to -title: WebSocket traffic -sidebar: - order: 7 ---- - -Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](/logs/logpush/logpush-job/datasets/account/zero_trust_network_sessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code. - -| Selector | Operator | Value | Action | -| ------------- | -------- | ------------------------- | ------ | -| HTTP Response | is | _101 SWITCHING_PROTOCOLS_ | Allow |