From 0c6943592920b75a95b03711ca078c232574cdbb Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 15 Jan 2025 17:07:22 -0600 Subject: [PATCH 1/8] Add firewall config section --- .../connect-devices/agentless/pac-files.mdx | 55 ++++++++++++++++--- 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index dba1aafe312a45d..b49dfb7ec9c8e58 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx @@ -8,9 +8,7 @@ sidebar: import { Details, GlossaryDefinition, TabItem, Tabs } from "~/components"; :::note - Only available on Enterprise plans. - ::: You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file. @@ -28,7 +26,6 @@ Install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/u You can generate a proxy endpoint on the Zero Trust dashboard or through the Cloudflare API. :::caution - All devices you add to the proxy endpoint will be able to access your Cloudflare Tunnel applications and services. If you only want to proxy web traffic, you can build a network policy that blocks those source IPs from connecting to your internal resources. ::: @@ -48,9 +45,7 @@ All devices you add to the proxy endpoint will be able to access your Cloudflare - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/109` :::note - Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/32` for IPv6 networks. - ::: 5. Select **Save endpoint** and confirm the endpoint creation. 
@@ -80,9 +75,7 @@ https://.proxy.cloudflare-gateway.com - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/32` :::note - Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/32` for IPv6 networks. - ::: 2. After running the call, you should see an output similar to @@ -197,6 +190,54 @@ To test your configuration, you can test any [supported HTTP policy](#limitation You can now use the Proxy Endpoint selector in [network](/cloudflare-one/policies/gateway/network-policies/#proxy-endpoint) and [HTTP](/cloudflare-one/policies/gateway/http-policies/#proxy-endpoint) policies to filter traffic proxied via PAC files. +## Configure firewall + +If you want to use PAC files but your firewall only allows config via domain or IP/CIDR, you will need to configure that with your firewall. + +If your firewall only allows config via domain, you will need to create a firewall rule to allow your proxy endpoint domain. + +To get the domain of a proxy endpoint: + + + + + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Proxy endpoints**. +2. Choose the proxy endpoint. Select **Edit**. +3. In **Proxy Endpoint**, copy the domain. + + + + + +1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) endpoint to list your proxy endpoints. For example: + + ```sh + curl https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/gateway/proxy_endpoints \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" + ``` + + ```json {9} output + "success": true, + "result": { + "id": "ed35569b41ce4d1facfe683550f54086", + "created_at": "2014-01-01T05:20:00.12345Z", + "ips": [ + "192.0.2.1/32" + ], + "name": "Devops team", + "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", + "updated_at": "2014-01-01T05:20:00.12345Z" + } + ``` + +2. Copy the result in `subdomain`. + + + + + ## Limitations ### Traffic limitations 
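Review bot: In the API tab of the new "Configure firewall" section, the sample response shows `result` as a single object, but the List proxy endpoints operation returns `result` as an array of endpoint objects (`"result": [ { ... } ]`), so the step "Copy the result in `subdomain`" should tell the reader to pick the right entry from a list rather than assume one. The sample is also not valid JSON as written (it starts at `"success": true,` with no enclosing braces), and the `--header "Authorization: Bearer " \` line carries no placeholder for the token value; put a visible placeholder there so readers do not copy an empty header. Two more things the firewall step needs: confirm whether the API returns `subdomain` as the bare label or the full hostname, since the earlier API section on this page builds the endpoint URL by prefixing the subdomain to `.proxy.cloudflare-gateway.com`, and state the protocol and port the rule must allow (the PAC configuration above uses an `https://` URL, so outbound HTTPS, TCP/443, to the endpoint hostname), because a domain or IP alone is not a complete firewall rule.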
From b3dbb5e5ab9f3d8429b1150bf7ec7a05ccabdcf1 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 16 Jan 2025 16:12:21 -0600 Subject: [PATCH 2/8] Add API procedure --- .../connect-devices/agentless/pac-files.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index b49dfb7ec9c8e58..7dbd9e19689796d 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx @@ -194,7 +194,7 @@ You can now use the Proxy Endpoint selector in [network](/cloudflare-one/policie If you want to use PAC files but your firewall only allows config via domain or IP/CIDR, you will need to configure that with your firewall. -If your firewall only allows config via domain, you will need to create a firewall rule to allow your proxy endpoint domain. +If your organization's firewall only allows config via domain, you will need to create a firewall rule to allow your proxy endpoint domain. To get the domain of a proxy endpoint: @@ -213,9 +213,8 @@ To get the domain of a proxy endpoint: 1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) endpoint to list your proxy endpoints. For example: ```sh - curl https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/gateway/proxy_endpoints \ - --header "Authorization: Bearer " \ - --header "Content-Type: application/json" + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \ + --header "Authorization: Bearer " ``` ```json {9} output 
@@ -226,13 +225,14 @@ To get the domain of a proxy endpoint: "ips": [ "192.0.2.1/32" ], - "name": "Devops team", + "name": "DevOps team", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } ``` -2. Copy the result in `subdomain`. +2. Find the proxy endpoint you want to use. +3. Copy the value of the `subdomain` key. From c831b817e2c6e103573d6c342c7f587212cdb2c4 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 16 Jan 2025 16:46:14 -0600 Subject: [PATCH 3/8] Update syntax highlighting --- .../connections/connect-devices/agentless/pac-files.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index 7dbd9e19689796d..fc0d14308950a16 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx @@ -212,7 +212,7 @@ To get the domain of a proxy endpoint: 1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) endpoint to list your proxy endpoints. For example: - ```sh + ```bash curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \ --header "Authorization: Bearer " ``` From accb2cf871d946f3c719b0fe32ec279494f54753 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 21 Jan 2025 16:27:48 -0600 Subject: [PATCH 4/8] Add commands for IPs --- .../connect-devices/agentless/pac-files.mdx | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index fc0d14308950a16..6cbd457f0bf2fa8 100644 
--- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx @@ -238,6 +238,70 @@ To get the domain of a proxy endpoint: +To get the IP addresses associated with your domain: + + + + + +1. Open a terminal. +2. Run `dig` to get the IPv4 addresses. For example: + + ```bash + dig A example.cloudflare-gateway.com +short + ``` + + ```bash output + 162.159.36.5 + 162.159.36.20 + ``` + +3. Run `dig` to get the IPv6 addresses. For example: + + ```bash + dig A example.cloudflare-gateway.com +short + ``` + + ```bash output + 2606:4700:54::a29f:2407 + 2606:4700:5c::a29f:2e07 + ``` + + + + + +1. Open a PowerShell terminal. +2. Run `Resolve-DnsName` to get the IPv4 addresses. For example: + + ```powershell + Resolve-DnsName -Name example.cloudflare-gateway.com -Type A + ``` + + ```powershell output + Name Type TTL Section IPAddress + ---- ---- --- ------- --------- + example.cloudflare-gateway.com A 300 Answer 162.159.36.5 + example.cloudflare-gateway.com A 300 Answer 162.159.36.20 + ``` + +3. Run `Resolve-DnsName` to get the IPv6 addresses. For example: + + ```powershell + Resolve-DnsName -Name example.cloudflare-gateway.com -Type AAAA + ``` + + ```powershell output + Name Type TTL Section IPAddress + ---- ---- --- ------- --------- + example.cloudflare-gateway.com AAAA 300 Answer 2606:4700:5c::a29f:2e07 + example.cloudflare-gateway.com AAAA 300 Answer 2606:4700:54::a29f:2407 + ``` + + + + + ## Limitations ### Traffic limitations From 8ebc0397b3f6a557bba4334b3606d11353093a20 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 21 Jan 2025 16:51:15 -0600 Subject: [PATCH 5/8] Refine steps --- .../connect-devices/agentless/pac-files.mdx | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index 6cbd457f0bf2fa8..70207c85a8b0786 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx @@ -192,9 +192,7 @@ You can now use the Proxy Endpoint selector in [network](/cloudflare-one/policie ## Configure firewall -If you want to use PAC files but your firewall only allows config via domain or IP/CIDR, you will need to configure that with your firewall. - -If your organization's firewall only allows config via domain, you will need to create a firewall rule to allow your proxy endpoint domain. +To configure your organization's firewall to allow your users to connect to a proxy endpoint, you will need to create a firewall rule using either your proxy endpoint's domain or IP addresses. To get the domain of a proxy endpoint: @@ -238,14 +236,14 @@ To get the domain of a proxy endpoint: -To get the IP addresses associated with your domain: +Using your proxy endpoint's domain, you can get the IP addresses assigned to the proxy endpoint: 1. Open a terminal. -2. Run `dig` to get the IPv4 addresses. For example: +2. Run `dig` on your proxy endpoint's `A` records to get its IPv4 addresses. For example: ```bash dig A example.cloudflare-gateway.com +short @@ -256,10 +254,10 @@ To get the IP addresses associated with your domain: 162.159.36.20 ``` -3. Run `dig` to get the IPv6 addresses. For example: +3. Run `dig` on your proxy endpoint's `AAAA` records to get its IPv6 addresses. For example: ```bash - dig A example.cloudflare-gateway.com +short + dig AAAA example.cloudflare-gateway.com +short ``` ```bash output 
@@ -272,7 +270,7 @@ To get the IP addresses associated with your domain: 1. Open a PowerShell terminal. -2. Run `Resolve-DnsName` to get the IPv4 addresses. For example: +2. Run `Resolve-DnsName` on your proxy endpoint's `A` records to get its IPv4 addresses. For example: ```powershell Resolve-DnsName -Name example.cloudflare-gateway.com -Type A @@ -285,7 +283,7 @@ To get the IP addresses associated with your domain: example.cloudflare-gateway.com A 300 Answer 162.159.36.20 ``` -3. Run `Resolve-DnsName` to get the IPv6 addresses. For example: +3. Run `Resolve-DnsName` on your proxy endpoint's `AAAA` records to get its IPv6 addresses. For example: ```powershell Resolve-DnsName -Name example.cloudflare-gateway.com -Type AAAA From b5b765763a6bcb93c528e2f6e9f286fa7622078b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 21 Jan 2025 16:57:39 -0600 Subject: [PATCH 6/8] Improve API step --- .../connections/connect-devices/agentless/pac-files.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index 70207c85a8b0786..c42e3e3cbc77a0e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx 
@@ -192,7 +192,7 @@ You can now use the Proxy Endpoint selector in [network](/cloudflare-one/policie ## Configure firewall -To configure your organization's firewall to allow your users to connect to a proxy endpoint, you will need to create a firewall rule using either your proxy endpoint's domain or IP addresses. +You may need to configure your organization's firewall to allow your users to connect to a proxy endpoint. Depending on your firewall, you will need to create a rule using either your proxy endpoint's domain or IP addresses. To get the domain of a proxy endpoint: @@ -208,7 +208,7 @@ To get the domain of a proxy endpoint: -1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) endpoint to list your proxy endpoints. For example: +1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) endpoint to get a list of your proxy endpoints and their details. For example: ```bash curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \ From 5b4ff21bba0f4c5d8d3e5ced18ddd13d11d5b388 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 21 Jan 2025 17:07:47 -0600 Subject: [PATCH 7/8] Improve Windows wording --- .../connections/connect-devices/agentless/pac-files.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index c42e3e3cbc77a0e..d090723652f6a21 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx 
@@ -270,7 +270,7 @@ Using your proxy endpoint's domain, you can get the IP addresses assigned to the 1. Open a PowerShell terminal. -2. Run `Resolve-DnsName` on your proxy endpoint's `A` records to get its IPv4 addresses. For example: +2. Run `Resolve-DnsName` on your proxy endpoint's `A` records. Your proxy endpoint's IPv4 addresses will appear under `IPAddress`. For example: ```powershell Resolve-DnsName -Name example.cloudflare-gateway.com -Type A @@ -283,7 +283,7 @@ Using your proxy endpoint's domain, you can get the IP addresses assigned to the example.cloudflare-gateway.com A 300 Answer 162.159.36.20 ``` -3. Run `Resolve-DnsName` on your proxy endpoint's `AAAA` records to get its IPv6 addresses. For example: +3. Run `Resolve-DnsName` on your proxy endpoint's `AAAA` records. Your proxy endpoint's IPv6 addresses will appear under `IPAddress`. For example: ```powershell Resolve-DnsName -Name example.cloudflare-gateway.com -Type AAAA From 6d77580537225a133fc956bd35e39ed701651197 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 22 Jan 2025 16:05:58 -0500 Subject: [PATCH 8/8] Apply suggestions from code review Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- .../connect-devices/agentless/pac-files.mdx | 42 ++++++++++--------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index d090723652f6a21..d294ca9815035af 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx 
@@ -208,24 +208,26 @@ To get the domain of a proxy endpoint: -1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) endpoint to get a list of your proxy endpoints and their details. For example: +1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) operation to get a list of your proxy endpoints and their details. For example: ```bash curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \ --header "Authorization: Bearer " ``` - ```json {9} output - "success": true, - "result": { - "id": "ed35569b41ce4d1facfe683550f54086", - "created_at": "2014-01-01T05:20:00.12345Z", - "ips": [ - "192.0.2.1/32" - ], - "name": "DevOps team", - "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", - "updated_at": "2014-01-01T05:20:00.12345Z" + ```json {10} output + { + "success": true, + "result": { + "id": "ed35569b41ce4d1facfe683550f54086", + "created_at": "2014-01-01T05:20:00.12345Z", + "ips": [ + "192.0.2.1/32" + ], + "name": "DevOps team", + "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", + "updated_at": "2014-01-01T05:20:00.12345Z" + } } ``` @@ -243,24 +245,24 @@ Using your proxy endpoint's domain, you can get the IP addresses assigned to the 1. Open a terminal. -2. Run `dig` on your proxy endpoint's `A` records to get its IPv4 addresses. For example: +2. Run `dig` on your proxy endpoint's A records to get its IPv4 addresses. For example: ```bash dig A example.cloudflare-gateway.com +short ``` - ```bash output + ```txt output 162.159.36.5 162.159.36.20 ``` -3. Run `dig` on your proxy endpoint's `AAAA` records to get its IPv6 addresses. For example: +3. Run `dig` on your proxy endpoint's AAAA records to get its IPv6 addresses. For example: ```bash dig AAAA example.cloudflare-gateway.com +short ``` - ```bash output + ```txt output 2606:4700:54::a29f:2407 2606:4700:5c::a29f:2e07 ``` 
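Review bot: The `dig` examples resolve `example.cloudflare-gateway.com`, which is not the hostname form a proxy endpoint actually has; the API sample in the hunk above returns `oli3n9zkz5.proxy.cloudflare-gateway.com`, i.e. a label under `proxy.cloudflare-gateway.com`. Use that same sample hostname in the `dig A`/`dig AAAA` commands (and in the PowerShell tab) so a reader who copies the example is looking up, and allow-listing, a name of the right shape; otherwise the two tabs of this section disagree about what the proxy endpoint domain looks like.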
@@ -270,26 +272,26 @@ Using your proxy endpoint's domain, you can get the IP addresses assigned to the 1. Open a PowerShell terminal. -2. Run `Resolve-DnsName` on your proxy endpoint's `A` records. Your proxy endpoint's IPv4 addresses will appear under `IPAddress`. For example: +2. Run `Resolve-DnsName` on your proxy endpoint's A records. Your proxy endpoint's IPv4 addresses will appear under `IPAddress`. For example: ```powershell Resolve-DnsName -Name example.cloudflare-gateway.com -Type A ``` - ```powershell output + ```txt output Name Type TTL Section IPAddress ---- ---- --- ------- --------- example.cloudflare-gateway.com A 300 Answer 162.159.36.5 example.cloudflare-gateway.com A 300 Answer 162.159.36.20 ``` -3. Run `Resolve-DnsName` on your proxy endpoint's `AAAA` records. Your proxy endpoint's IPv6 addresses will appear under `IPAddress`. For example: +3. Run `Resolve-DnsName` on your proxy endpoint's AAAA records. Your proxy endpoint's IPv6 addresses will appear under `IPAddress`. For example: ```powershell Resolve-DnsName -Name example.cloudflare-gateway.com -Type AAAA ``` - ```powershell output + ```txt output Name Type TTL Section IPAddress ---- ---- --- ------- --------- example.cloudflare-gateway.com AAAA 300 Answer 2606:4700:5c::a29f:2e07
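Review bot: The IP-address path needs a caveat before it is published. The addresses come from a point-in-time DNS answer with a 300-second TTL (visible in the `TTL` column of the `Resolve-DnsName` output), and nothing on the page says the two IPv4 and two IPv6 addresses shown are stable, so a firewall rule pinned to a one-off `dig` or `Resolve-DnsName` snapshot can silently break proxying when the answer changes. Suggest adding a sentence after the IP steps that recommends FQDN-based rules where the firewall supports them, and, for IP-only firewalls, either re-resolving on a schedule or confirming with Cloudflare whether a stable published range covers proxy endpoints. Minor: the IPv6 step in patch 4 ran `dig A` for the AAAA lookup; patch 5 already corrected it to `dig AAAA`, so that is resolved within this series.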