From 261d81396b6da9a1af9271aa8c5ef779d6408e5d Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Fri, 17 Oct 2025 18:52:57 -0500 Subject: [PATCH 1/2] Decouple partials --- .../policies/gateway/dns-policies/index.mdx | 12 +++++----- .../gateway/egress-policies/index.mdx | 12 +++++----- .../policies/gateway/http-policies/index.mdx | 12 +++++----- .../gateway/network-policies/index.mdx | 8 +++---- .../policies/gateway/resolver-policies.mdx | 10 ++++----- .../gateway/selectors/application-dns.mdx | 10 +++++++++ .../gateway/selectors/application-http.mdx | 10 +++++++++ .../gateway/selectors/domain-dns.mdx | 18 +++++++++++++++ .../gateway/selectors/domain-http.mdx | 18 +++++++++++++++ .../gateway/selectors/host-dns.mdx | 22 +++++++++++++++++++ .../gateway/selectors/host-http.mdx | 22 +++++++++++++++++++ .../selectors/source-continent-dns.mdx | 22 +++++++++++++++++++ .../selectors/source-continent-http.mdx | 22 +++++++++++++++++++ .../gateway/selectors/source-country-dns.mdx | 12 ++++++++++ .../gateway/selectors/source-country-http.mdx | 12 ++++++++++ .../gateway/selectors/users-dns.mdx | 16 ++++++++++++++ .../gateway/selectors/users-http.mdx | 16 ++++++++++++++ 17 files changed, 227 insertions(+), 27 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/application-dns.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/application-http.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/domain-dns.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/domain-http.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/host-dns.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/host-http.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/source-continent-dns.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/source-continent-http.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/source-country-dns.mdx create mode 
100644 src/content/partials/cloudflare-one/gateway/selectors/source-country-http.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/users-dns.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/users-http.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index cd8505a5d969031..5840effd2b7c3a2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx @@ -288,7 +288,7 @@ Gateway matches DNS queries against the following selectors, or criteria: ### Application @@ -358,7 +358,7 @@ Use this selector to filter DNS responses by their `TXT` records. ### Domain @@ -366,7 +366,7 @@ Use this selector to filter DNS responses by their `TXT` records. ### Host @@ -440,11 +440,11 @@ Use this selector to match a dynamic list of [category IDs](/cloudflare-one/poli ### Source Continent -Use this selector to filter based on the continent where the query arrived to Gateway from. +Use this selector to filter based on the continent where the query arrived to Gateway from. ### Source Country -Use this selector to filter based on the country where the query arrived to Gateway from. +Use this selector to filter based on the country where the query arrived to Gateway from. ### Source IP @@ -452,7 +452,7 @@ Use this selector to filter based on the country where the query arrived to Gate ### Users - + ## Comparison operators diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 6b9cc2ba3fe36ce..374d6763934156c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx 
@@ -69,7 +69,7 @@ Gateway matches egress traffic against the following selectors, or criteria: ### Application @@ -127,7 +127,7 @@ Gateway matches egress traffic against the following selectors, or criteria: ### Domain @@ -140,7 +140,7 @@ Gateway matches egress traffic against the following selectors, or criteria: ### Host @@ -160,11 +160,11 @@ Gateway matches egress traffic against the following selectors, or criteria: ### Source Continent -The continent of the user making the request. +The continent of the user making the request. ### Source Country -The country of the user making the request. +The country of the user making the request. ### Source Internal IP @@ -188,7 +188,7 @@ The country of the user making the request. + ### Virtual Network diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index 6bf55eebd825e2f..0cb8a18fe889037 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx @@ -411,7 +411,7 @@ The review approval status of an application from [Shadow IT Discovery](/cloudfl ### Application @@ -495,7 +495,7 @@ Only applies to traffic sent through the [WARP client](/cloudflare-one/connectio ### Domain @@ -622,7 +622,7 @@ Use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-p ### Host @@ -657,11 +657,11 @@ The HTTP response status code received by the traffic. ### Source Continent -The continent of the user making the request. +The continent of the user making the request. ### Source Country -The country of the user making the request. +The country of the user making the request. ### Source Internal IP @@ -713,7 +713,7 @@ The query of a webpage's URL. ### Users - + ### Virtual Network 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx index 0ce456b9b904244..76e8403eb71defe 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx @@ -260,7 +260,7 @@ Gateway matches network traffic against the following selectors, or criteria. ### Application @@ -355,11 +355,11 @@ By default, this selector only applies to HTTPS traffic on port `443`. To inspec ### Source Continent -The continent of the user making the request. +The continent of the user making the request. ### Source Country -The country of the user making the request. +The country of the user making the request. ### Source Internal IP @@ -383,7 +383,7 @@ The country of the user making the request. + ### Virtual Network diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx index 032dc594d76f61a..1af1bddec13c84d 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx @@ -111,7 +111,7 @@ For more information on creating a DNS policy, refer to [DNS policies](/cloudfla ### Domain @@ -119,7 +119,7 @@ For more information on creating a DNS policy, refer to [DNS policies](/cloudfla ### Host 
@@ -138,11 +138,11 @@ For more information on creating a DNS policy, refer to [DNS policies](/cloudfla ### Source Continent -Use this selector to filter based on the continent where the query arrived to Gateway from. +Use this selector to filter based on the continent where the query arrived to Gateway from. ### Source Country -Use this selector to filter based on the country where the query arrived to Gateway from. +Use this selector to filter based on the country where the query arrived to Gateway from. ### Source IP @@ -150,7 +150,7 @@ Use this selector to filter based on the country where the query arrived to Gate ### Users - + ## Comparison operators diff --git a/src/content/partials/cloudflare-one/gateway/selectors/application-dns.mdx b/src/content/partials/cloudflare-one/gateway/selectors/application-dns.mdx new file mode 100644 index 000000000000000..062901c43f3eda2 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/application-dns.mdx @@ -0,0 +1,10 @@ +--- +params: + - policyType +--- + +You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information. + +| UI name | API example | Evaluation phase | +| ----------- | -------------------------- | --------------------- | +| Application | `any(app.ids[*] in {505})` | Before DNS resolution | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/application-http.mdx b/src/content/partials/cloudflare-one/gateway/selectors/application-http.mdx new file mode 100644 index 000000000000000..37f35f2db289c21 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/application-http.mdx 
@@ -0,0 +1,10 @@ +--- +params: + - policyType +--- + +You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information. + +| UI name | API example | +| ----------- | -------------------------- | +| Application | `any(app.ids[*] in {505})` | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/domain-dns.mdx b/src/content/partials/cloudflare-one/gateway/selectors/domain-dns.mdx new file mode 100644 index 000000000000000..c4778b53c59f16f --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/domain-dns.mdx @@ -0,0 +1,18 @@ +--- +params: + - APIendpoint +--- + +import { Render } from "~/components"; + +Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. + +| UI name | API example | Evaluation phase | +| ------- | --------------------------------------------------------- | --------------------- | +| Domain | any({props.APIendpoint}[*] == "example.com") | Before DNS resolution | + + diff --git a/src/content/partials/cloudflare-one/gateway/selectors/domain-http.mdx b/src/content/partials/cloudflare-one/gateway/selectors/domain-http.mdx new file mode 100644 index 000000000000000..858bc151b7e0cd1 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/domain-http.mdx @@ -0,0 +1,18 @@ +--- +params: + - APIendpoint +--- + +import { Render } from "~/components"; + +Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. + +| UI name | API example | +| ------- | --------------------------------------------------------- | +| Domain | any({props.APIendpoint}[*] == "example.com") | + + 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/host-dns.mdx b/src/content/partials/cloudflare-one/gateway/selectors/host-dns.mdx new file mode 100644 index 000000000000000..0dc831a4607023b --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/host-dns.mdx @@ -0,0 +1,22 @@ +--- +params: + - APIendpoint +--- + +import { Render } from "~/components"; + +Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. + +| UI name | API example | Evaluation phase | +| ------- | --------------------------------------------------- | --------------------- | +| Host | {props.APIendpoint} == \"example.com\" | Before DNS resolution | + + + +:::note +Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. +::: diff --git a/src/content/partials/cloudflare-one/gateway/selectors/host-http.mdx b/src/content/partials/cloudflare-one/gateway/selectors/host-http.mdx new file mode 100644 index 000000000000000..e0342c853e5ef3e --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/host-http.mdx @@ -0,0 +1,22 @@ +--- +params: + - APIendpoint +--- + +import { Render } from "~/components"; + +Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. + +| UI name | API example | +| ------- | --------------------------------------------------- | +| Host | {props.APIendpoint} == \"example.com\" | + + + +:::note +Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`www.example.com`). To match this type of website, use the [Domain](#domain) selector instead of the Host selector. +::: 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/source-continent-dns.mdx b/src/content/partials/cloudflare-one/gateway/selectors/source-continent-dns.mdx new file mode 100644 index 000000000000000..b40ba217f8524fd --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/source-continent-dns.mdx @@ -0,0 +1,22 @@ +--- +inputParameters: param1 +--- + +import { Markdown } from "~/components"; + +Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field: + +| Continent | Code | +| ------------- | ---- | +| Africa | `AF` | +| Antarctica | `AN` | +| Asia | `AS` | +| Europe | `EU` | +| North America | `NA` | +| Oceania | `OC` | +| South America | `SA` | +| Tor network | `T1` | + +| UI name | API example | Evaluation phase | +| ------------------------------- | --------------------------------------------------------- | --------------------- | +| Source Continent IP Geolocation | {props.one}.geo.continent == "North America" | Before DNS resolution | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/source-continent-http.mdx b/src/content/partials/cloudflare-one/gateway/selectors/source-continent-http.mdx new file mode 100644 index 000000000000000..5bcafbcaf7ee841 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/source-continent-http.mdx 
@@ -0,0 +1,22 @@ +--- +inputParameters: param1 +--- + +import { Markdown } from "~/components"; + +Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field: + +| Continent | Code | +| ------------- | ---- | +| Africa | `AF` | +| Antarctica | `AN` | +| Asia | `AS` | +| Europe | `EU` | +| North America | `NA` | +| Oceania | `OC` | +| South America | `SA` | +| Tor network | `T1` | + +| UI name | API example | +| ------------------------------- | --------------------------------------------------------- | +| Source Continent IP Geolocation | {props.one}.geo.continent == "North America" | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/source-country-dns.mdx b/src/content/partials/cloudflare-one/gateway/selectors/source-country-dns.mdx new file mode 100644 index 000000000000000..f770cd8258d370f --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/source-country-dns.mdx @@ -0,0 +1,12 @@ +--- +inputParameters: param1 + +--- + +import { Markdown } from "~/components" + +Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. + +| UI name | API example | Evaluation phase | +| ----------------------------- | ------------------------ | --------------------- | +| Source Country IP Geolocation | {props.one}.geo.country == "RU" | Before DNS resolution | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/source-country-http.mdx b/src/content/partials/cloudflare-one/gateway/selectors/source-country-http.mdx new file mode 100644 index 000000000000000..bea70cb9423860e --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/source-country-http.mdx 
@@ -0,0 +1,12 @@ +--- +inputParameters: param1 + +--- + +import { Markdown } from "~/components" + +Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its [ISO 3166-1 Alpha-2 code](https://www.iso.org/obp/ui/#search/code/) in the **Value** field. + +| UI name | API example | +| ----------------------------- | ------------------------ | +| Source Country IP Geolocation | {props.one}.geo.country == "RU" | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/users-dns.mdx b/src/content/partials/cloudflare-one/gateway/selectors/users-dns.mdx new file mode 100644 index 000000000000000..bd7de5ffe296634 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/users-dns.mdx @@ -0,0 +1,16 @@ +--- +{} +--- + +import { Render } from "~/components"; + +Use these selectors to match against identity attributes. + +| UI name | API example | Evaluation phase | +| --------------- | ------------------------------------------------------------------------------------------ | --------------------- | +| User Email | `identity.email == "user@example.com"` | Before DNS resolution | +| User Name | `identity.name == "Test User"` | Before DNS resolution | +| User Group IDs | `any(identity.groups[*].id in {"group_id"})` | Before DNS resolution | +| User Group Names| `any(identity.groups[*].name in {"group_name"})` | Before DNS resolution | +| User Group Emails| `any(identity.groups[*].email in {"group@example.com"})` | Before DNS resolution | +| SAML Attributes | `any(identity.saml_attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] in {"Test User"})` | Before DNS resolution | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/users-http.mdx b/src/content/partials/cloudflare-one/gateway/selectors/users-http.mdx new file mode 100644 index 000000000000000..e963ab12286d3ee --- /dev/null 
+++ b/src/content/partials/cloudflare-one/gateway/selectors/users-http.mdx @@ -0,0 +1,16 @@ +--- +{} +--- + +import { Render } from "~/components"; + +Use these selectors to match against identity attributes. + +| UI name | API example | +| --------------- | ------------------------------------------------------------------------------------------ | +| User Email | `identity.email == "user@example.com"` | +| User Name | `identity.name == "Test User"` | +| User Group IDs | `any(identity.groups[*].id in {"group_id"})` | +| User Group Names| `any(identity.groups[*].name in {"group_name"})` | +| User Group Emails| `any(identity.groups[*].email in {"group@example.com"})` | +| SAML Attributes | `any(identity.saml_attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] in {"Test User"})` | From a3cbf199b252ad5a79a51f187427dc2270efd784 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 20 Oct 2025 13:47:01 -0500 Subject: [PATCH 2/2] Rename source ip --- .../policies/gateway/dns-policies/index.mdx | 2 +- .../policies/gateway/resolver-policies.mdx | 2 +- .../gateway/selectors/source-ip-resolver.mdx | 10 ++++++++++ 3 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/source-ip-resolver.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index 5840effd2b7c3a2..8d256f0d32dc2dd 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx @@ -448,7 +448,7 @@ Use this selector to filter based on the country where the query arrived to Gate ### Source IP - + ### Users diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx index 1af1bddec13c84d..a990cf6cc57af40 100644 
--- a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx @@ -146,7 +146,7 @@ Use this selector to filter based on the country where the query arrived to Gate ### Source IP - + ### Users diff --git a/src/content/partials/cloudflare-one/gateway/selectors/source-ip-resolver.mdx b/src/content/partials/cloudflare-one/gateway/selectors/source-ip-resolver.mdx new file mode 100644 index 000000000000000..135f98ad365bdf1 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/source-ip-resolver.mdx @@ -0,0 +1,10 @@ +--- +{} + +--- + +Use this selector to apply policies to the source IP address of DNS queries. For example, this could be the WAN IP address of the stub resolver used by your organization to send queries to Gateway. + +| UI name | API example | Evaluation phase | +| --------- | ---------------------------- | --------------------- | +| Source IP | `dns.src_ip == 198.51.100.0` | Before DNS resolution |
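
Review bot: application-dns.mdx and application-http.mdx are identical except for the Evaluation phase column, and the same is true of every other -dns/-http pair added in patch 1/2 (domain, host, source-continent, source-country, users). Any later wording or example fix will have to be made twice per selector. Consider one partial per selector with an optional param that controls whether the Evaluation phase column is rendered, in the same way `policyType` and `APIendpoint` are already passed in.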
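
Review bot: in host-dns.mdx and host-http.mdx the API example cell is written as `{props.APIendpoint} == \"example.com\"` with backslash-escaped quotes, while the Domain partials in the same patch use plain `"example.com"`. Unless the cell sits inside a string literal, the backslashes will show up in the rendered table. Use the same quoting in both pairs. The prose also illustrates the selector with `test.example.com` while the table uses `example.com`; using one hostname for both would make the "but not `example.com`" sentence easier to follow.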
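
Review bot: in source-continent-dns.mdx and source-continent-http.mdx the text says to enter the two-letter code into the Value field and lists `NA` for North America, but the API example row compares against the full name, `{props.one}.geo.continent == "North America"`. Make the example agree with the code table, or state that the API takes a different value than the UI. The frontmatter here is `inputParameters: param1` while the body reads `props.one`; the other new partials declare their inputs as a `params:` list whose entries match the prop names, so declare `one` (or a more descriptive name) the same way.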
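
Review bot: source-country-dns.mdx and source-country-http.mdx declare `inputParameters: param1` but the table cell reads `{props.one}`, so the declared name and the referenced prop do not match, and the key differs from the `params:` list used by the application, domain and host partials. Two smaller style points in the same files: there is a stray blank line before the closing `---` of the frontmatter, and the `import { Markdown } from "~/components"` line is missing the trailing semicolon the other partials have. The table separator row is also narrower than the API example cell beneath it.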
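
Review bot: in users-dns.mdx and users-http.mdx the rows `| User Group Names|` and `| User Group Emails|` have no space before the closing pipe of the first cell, and the SAML Attributes row is wider than the header separator, so the table is not aligned the way the other tables in this patch are. Running the formatter over both files would fix it. The frontmatter is an empty `{}` mapping; if the partial takes no params, say so consistently with source-ip-resolver.mdx in patch 2/2, which has the same `{}` plus an extra blank line.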
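
Review bot: the subject of patch 2/2 is "Rename source ip", but the diffstat shows only `create mode 100644` for source-ip-resolver.mdx and no deletion or rename entry, so whatever partial dns-policies/index.mdx and resolver-policies.mdx pointed to before is left in the tree. If nothing else renders the old partial, delete it in this commit so the history records a rename; if other pages still use it, the commit message should say that a resolver-specific copy is being added and why. In the new file, drop the blank line between `{}` and the closing `---` of the frontmatter.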