From d6771216bfeac6939b860df6dc2d60ffecc0092c Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Thu, 24 Jul 2025 16:59:29 -0500
Subject: [PATCH 1/5] Add WebSocket policy

---
 .../gateway/http-policies/common-policies.mdx | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
index 98c9a9143f7c44..2387861fb07cc7 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
@@ -415,3 +415,37 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
 ```
+
+## Filter WebSocket traffic
+
+Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](/logs/reference/log-fields/account/zero_trust_network_sessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code.
+
+
+
+| Selector | Operator | Value | Action |
+| ------------- | -------- | ------------------------- | ------ |
+| HTTP Response | is | _101 SWITCHING_PROTOCOLS_ | Allow |
+
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "Filter WebSocket",
+ "description": "Filter WebSocket traffic with HTTP code 101",
+ "enabled": true,
+ "action": "allow",
+ "filters": [
+ "http"
+ ],
+ "traffic": "http.response.status_code == 101",
+ "identity": "",
+ "device_posture": ""
+}'
+```
+
+
From 41d99017575f2322481a200961edce3f13efaf56 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Thu, 24 Jul 2025 17:01:27 -0500
Subject: [PATCH 2/5] Add redirect

---
 public/__redirects | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/__redirects b/public/__redirects
index 0515d5c9b86afb..e5333406fe0523 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -2142,6 +2142,7 @@
 /cloudflare-one/policies/filtering/enforce-sessions/ /cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/ 301
 /cloudflare-one/policies/zero-trust/policy-management/ /cloudflare-one/policies/access/policy-management/ 301
 /cloudflare-one/policies/filtering/dns-policies-builder/ /cloudflare-one/policies/gateway/dns-policies/ 301
+/cloudflare-one/policies/gateway/http-policies/websocket/ /cloudflare-one/policies/gateway/http-policies/common-policies/#filter-websocket-traffic 301
 /cloudflare-one/cloudflare-teams-roles-permissions/ /cloudflare-one/roles-permissions/ 301
 /cloudflare-one/technical-limitations/ /cloudflare-one/account-limits/ 301
 /support/traffic/argo-tunnel/ /cloudflare-one/connections/connect-networks/ 301
From ef4d6f50bcc074d022db7d429b21c58bff242ee7 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Thu, 24 Jul 2025 17:01:39 -0500
Subject: [PATCH 3/5] Remove page

---
 .../policies/gateway/http-policies/websocket.mdx | 12 ------------
 1 file changed, 12 deletions(-)
 delete mode 100644 src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx
deleted file mode 100644
index e0cba0a7dd2b77..00000000000000
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx
+++ /dev/null
@@ -1,12 +0,0 @@
----
-pcx_content_type: how-to
-title: WebSocket traffic
-sidebar:
- order: 7
----
-
-Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](/logs/reference/log-fields/account/zero_trust_network_sessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code.
-
-| Selector | Operator | Value | Action |
-| ------------- | -------- | ------------------------- | ------ |
-| HTTP Response | is | _101 SWITCHING_PROTOCOLS_ | Allow |
From cb960f9748a5c88cbbb280469f271ce3aa0a9d81 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Fri, 25 Jul 2025 12:17:31 -0500
Subject: [PATCH 4/5] Elaborate response code

---
 .../policies/gateway/http-policies/common-policies.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
index 2387861fb07cc7..a2eca6aa29c8af 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
@@ -436,7 +436,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
 --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --data '{
 "name": "Filter WebSocket",
- "description": "Filter WebSocket traffic with HTTP code 101",
+ "description": "Filter WebSocket traffic with HTTP response code 101",
 "enabled": true,
 "action": "allow",
 "filters": [
From bcb8baf5a131dc5396205521cb35a4f43fb4d003 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Fri, 25 Jul 2025 14:02:16 -0500
Subject: [PATCH 5/5] Fix broken link

---
 .../policies/gateway/http-policies/common-policies.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
index a2eca6aa29c8af..fcf459cd038ad2 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
@@ -418,7 +418,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
 ## Filter WebSocket traffic
-Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](/logs/reference/log-fields/account/zero_trust_network_sessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code.
+Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](/logs/logpush/logpush-job/datasets/account/zero_trust_network_sessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code.