From d72bb8125207593bb34cf99efb2fcda4921e990c Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Mon, 27 Oct 2025 13:37:52 -0500 Subject: [PATCH 1/5] Clarify SNI requirements for private hostnames --- .../applications/non-http/self-hosted-private-app.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index c43e25d1ead966a..2676456ccc458f8 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx 
@@ -32,7 +32,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce 6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/access-controls/policies/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. :::note - Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI). If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). + Private hostnames on port `443` over HTTPS must have a valid Server Name Indicator (SNI). All other ports do not require a valid SNI value. If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). ::: 7. From 407c085f1c6f5641443d4a4c9df785b980cd61ff Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Mon, 27 Oct 2025 13:44:41 -0500 Subject: [PATCH 2/5] Adding callout for CGNAT ranges --- .../applications/non-http/self-hosted-private-app.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index 2676456ccc458f8..bd310fd9e762e7c 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx 
+++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx @@ -35,6 +35,12 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce Private hostnames on port `443` over HTTPS must have a valid Server Name Indicator (SNI). All other ports do not require a valid SNI value. If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). ::: +If using a non-443 private hostname, ensure that the following CGNAT IP addresses are not blocked by any firewalls or excluded from Gateway traffic: +IPv4: 100.80.0.0/16 +IPv6: 2606:4700:0cf1:4000::/64 + +[More connectivity information](cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/#prerequisites) + 7. 8. Configure how users will authenticate: From abdf8eb6568c14a29b3458a6e380de25baceb7ab Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Mon, 27 Oct 2025 14:17:38 -0500 Subject: [PATCH 3/5] clarify port range vs. explicit 443 --- .../applications/non-http/self-hosted-private-app.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index bd310fd9e762e7c..d553a89ccc2fe6c 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx 
@@ -32,7 +32,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce 6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/access-controls/policies/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. :::note - Private hostnames on port `443` over HTTPS must have a valid Server Name Indicator (SNI). All other ports do not require a valid SNI value. If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). + Private hostnames explicitly set to `443` (not including port ranges, e.g. 441-44) over HTTPS must have a valid Server Name Indicator (SNI). All other ports do not require a valid SNI value. If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). ::: If using a non-443 private hostname, ensure that the following CGNAT IP addresses are not blocked by any firewalls or excluded from Gateway traffic: From 40708e3aa7b6e45f9135261cbc76987c0e9f15fc Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Mon, 27 Oct 2025 14:18:10 -0500 Subject: [PATCH 4/5] cgnat IP callout --- .../applications/non-http/self-hosted-private-app.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index d553a89ccc2fe6c..8a9dd885049f67c 100644 
--- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx @@ -32,7 +32,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce 6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/access-controls/policies/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. :::note - Private hostnames explicitly set to `443` (not including port ranges, e.g. 441-44) over HTTPS must have a valid Server Name Indicator (SNI). All other ports do not require a valid SNI value. If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). + Private hostnames explicitly set to `443` (not including port ranges, e.g. 441-44) over HTTPS must have a valid Server Name Indicator (SNI). All other ports do not require a valid SNI value and will be assigned a CGNAT IP address. If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). ::: If using a non-443 private hostname, ensure that the following CGNAT IP addresses are not blocked by any firewalls or excluded from Gateway traffic: From 583b2c59068668cae515c6b155781d3582056abf Mon Sep 17 00:00:00 2001 
From: Ranbel Sun Date: Mon, 27 Oct 2025 16:48:54 -0400 Subject: [PATCH 5/5] split into IP vs hostname --- .../non-http/self-hosted-private-app.mdx | 46 ++++++++++++------- .../known-limitations.mdx | 2 +- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index 8a9dd885049f67c..9194c799e52f156 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx @@ -6,7 +6,7 @@ sidebar: label: Add a self-hosted private application --- -import { Render } from "~/components"; +import { Render, GlossaryTooltip, } from "~/components"; You can configure a self-hosted Access application to manage access to specific IPs or hostnames on your private network. 
@@ -29,42 +29,50 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce params={{ private: true }} /> -6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/access-controls/policies/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. +6. To add an application using its private IP: + 1. Select **Add private IP**. + 2. In **IP address**, enter the private IP or CIDR range that represents the application (for example, `10.0.0.1` or `172.16.0.0/12`). + 3. In **Port**, enter a single port or a port range used by your application (for example, `22` or `8000-8099`). - :::note - Private hostnames explicitly set to `443` (not including port ranges, e.g. 441-44) over HTTPS must have a valid Server Name Indicator (SNI). All other ports do not require a valid SNI value and will be assigned a CGNAT IP address. If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). - ::: + Comma-separated lists of ports (such as `80, 443`) are not supported. To add multiple ports for a specific IP, you can select **Add private IP** and repeat the IP address with the other port. Alternatively, create a new Access application for the other port. -If using a non-443 private hostname, ensure that the following CGNAT IP addresses are not blocked by any firewalls or excluded from Gateway traffic: -IPv4: 100.80.0.0/16 -IPv6: 2606:4700:0cf1:4000::/64 +7. To add an application using its private hostname: + 1. Select **Add private hostname**. + 2. In **Hostname**, enter the private hostname of the application (for example, `wiki.internal.local`). 
You can use [wildcards](/cloudflare-one/access-controls/policies/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. + 3. In **Port**, enter a single port or a port range used by your application (for example, `22` or `8000-8099`). -[More connectivity information](cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/#prerequisites) + :::note + - **HTTPS applications**: Private hostnames explicitly set to port `443` (not including port ranges such as `441-444`) must have a valid Server Name Indicator (SNI). + - **Non-HTTPS applications**: Private hostnames on non-`443` ports do not require a valid SNI value will be assigned an initial resolved IP in the CGNAT space. Ensure that the following IP addresses are not blocked by any firewalls or excluded from Gateway traffic: -7. + -8. Configure how users will authenticate: + For more details on private hostname routing, refer to [Connect a private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/#prerequisites) + +8. + +9. Configure how users will authenticate: 1. Select the [**Identity providers**](/cloudflare-one/integrations/identity-providers/) you want to enable for your application. 2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/reusable-components/custom-pages/access-login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. 3. (Recommended) Turn on **WARP authentication identity** to allow users to authenticate to the application using their [WARP session identity](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). We recommend turning this on if your application is not in the browser and cannot handle a `302` redirect. -9. Select **Next**. +10. Select **Next**. -10. 
(Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. +11. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. -11. +12. -12. Select **Next**. +13. Select **Next**. -13. These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). -14. Select **Save**. +15. Select **Save**. Users can now connect to your private application after authenticating with Cloudflare Access. @@ -95,3 +103,7 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece ### Private hostname vs private IP An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to `10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)). + +## Limitations + +- Browser Isolation is only compatible with self-hosted applications on port `443`. For more information, refer to the [Browser Isolation documentation](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports). \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx index c2494293c6adbb2..608b78451fec247 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx 
@@ -76,6 +76,6 @@ You no longer need to isolate both the Identity Provider (IdP) and Service Provi ## Browser Isolation is not compatible with private IPs on non-`443` ports -Browser Isolation is not compatible with [self-hosted private applications](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) that use private IP addresses on ports other than `443`. Trying to access self-hosted applications defined by private IPs on ports other than `443` will result in a Gateway block page. +Browser Isolation is not compatible with [self-hosted private applications](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) that use private IPs or hostnames on ports other than `443`. Trying to access self-hosted applications on non-`443` ports will result in a Gateway block page. To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/) instead.
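Review bot: In the PATCH 1/5 hunk, the `+` line expands SNI as "Server Name Indicator"; the TLS extension (RFC 6066) is "Server Name Indication", and the same wording is carried forward into every later patch in this series. While correcting it, consider saying what "valid" means here, e.g. "the TLS ClientHello must carry a `server_name` that matches the private hostname", since a reader debugging a connection that does not match the application needs to know that clients which connect without SNI will not be recognised as this hostname.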
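Review bot: In the PATCH 2/5 hunk, the link `[More connectivity information](cloudflare-one/networks/...)` is missing the leading `/` that every other link in this file uses, so it will resolve relative to the current page and 404. The same hunk also inserts the paragraph, the two address lines and the link at column zero between list items `6.` and `7.`, which in MDX ends the ordered list and restarts numbering at `7.`; indent the block under item 6 (or keep it inside the `:::note`) and put `IPv4:` and `IPv6:` on separate list items, because two consecutive plain lines render as one paragraph. Finally, only `100.80.0.0/16` is in the CGNAT block (RFC 6598 defines `100.64.0.0/10` for IPv4 only); calling `2606:4700:0cf1:4000::/64` a "CGNAT IP address" is inaccurate, so "Cloudflare-assigned ranges" or similar would be the safer label for the pair.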
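Review bot: In the PATCH 3/5 hunk, the example port range `441-44` on the `+` line is not a valid range (the upper bound is lower than the lower bound and looks truncated); use `441-444` in backticks, matching how `443` is formatted in the same sentence.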
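Review bot: In the PATCH 4/5 hunk, "All other ports ... will be assigned a CGNAT IP address" leaves the subject unclear: it reads as if the port is assigned an address. Say explicitly what is assigned (the address the private hostname resolves to on the device) and why it matters for the firewall allow-list that follows the note. The `441-44` typo from the previous patch is still present on this `+` line.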
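Review bot: In the PATCH 5/5 import hunk, `import { Render, GlossaryTooltip, } from "~/components";` has a stray trailing comma and space before the closing brace; run the repository formatter, and confirm `GlossaryTooltip` is actually used somewhere in the changed file, since no usage is visible in this diff and an unused import will trip lint.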
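Review bot: In the PATCH 5/5 hunk for `self-hosted-private-app.mdx`, the second `:::note` bullet is missing a conjunction: "do not require a valid SNI value will be assigned an initial resolved IP" should read "do not require a valid SNI value and will be assigned ...". The same bullet ends with "Ensure that the following IP addresses are not blocked ...:" but the concrete `100.80.0.0/16` and `2606:4700:0cf1:4000::/64` lines are deleted in this hunk and the next `+` line is empty, so verify that whatever now fills that slot (presumably a shared include) actually renders the ranges, otherwise "the following" has no referent. Minor: the sentence "For more details on private hostname routing, refer to [Connect a private hostname](...)" has no terminating period, "Server Name Indicator" should be "Server Name Indication", and the file now ends without a trailing newline (`\ No newline at end of file`).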
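Review bot: In the PATCH 5/5 hunk for `known-limitations.mdx`, the body is widened to "private IPs or hostnames on ports other than `443`" but the heading still says "private IPs", and the heading generates the `#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports` anchor that the new Limitations bullet in `self-hosted-private-app.mdx` links to, so either leave the heading and accept the mismatch or rename it and update that anchor in the same PR. The unchanged last line ("To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a private network application instead") now only offers a workaround for the IP case; state whether the legacy private network application also covers the hostname case or that no workaround exists for hostnames.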