From 11cfe2bbf11902d3a936c17d29005e77739a9deb Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Thu, 20 Feb 2025 15:59:02 +0000 Subject: [PATCH 1/3] [CF1] KEXalgo support list --- .../applications/non-http/index.mdx | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/non-http/index.mdx b/src/content/docs/cloudflare-one/applications/non-http/index.mdx index c6b5e42ebfd8252..b1572b9747882c3 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/index.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/index.mdx @@ -3,7 +3,6 @@ pcx_content_type: concept title: Non-HTTP applications sidebar: order: 1 - --- Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications. 
@@ -17,6 +16,7 @@ Non-HTTP applications require [connecting your private network](/cloudflare-one/ Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route unless they are protected by an Access policy or Gateway firewall rule. To secure the application, you can [create a self-hosted application](/cloudflare-one/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/policies/access/) that allow or block specific users. If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including: + - Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server. - Eliminate SSH keys by using short-lived certificates to authenticate users. - Export SSH command logs to a storage service or SIEM solution using [Logpush](/cloudflare-one/insights/logs/logpush/). 
@@ -29,6 +29,14 @@ Clientless access methods are suited for organizations that cannot deploy the WA Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. +When connecting over SSH, Cloudflare supports following key exchange algorithms: + +curve25519-sha256@libssh.org +curve25519-sha256 +ecdh-sha2-nistp256 +ecdh-sha2-nistp384 +ecdh-sha2-nistp521 + ### Client-side cloudflared (legacy) :::note @@ -41,6 +49,6 @@ Users can log in to the application by installing `cloudflared` on their device To connect to an application over a specific protocol, refer to these tutorials: -* [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/) -* [SMB](/cloudflare-one/connections/connect-networks/use-cases/smb/) -* [RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/) +- [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/) +- [SMB](/cloudflare-one/connections/connect-networks/use-cases/smb/) +- [RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/) From 44d5bdb5aa8994a0059e0a4b60df62912c1d51af Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Thu, 20 Feb 2025 16:40:35 +0000 Subject: [PATCH 2/3] Update src/content/docs/cloudflare-one/applications/non-http/index.mdx --- .../cloudflare-one/applications/non-http/index.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/non-http/index.mdx b/src/content/docs/cloudflare-one/applications/non-http/index.mdx index b1572b9747882c3..b18ac6ae5d86615 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/index.mdx 
+++ b/src/content/docs/cloudflare-one/applications/non-http/index.mdx @@ -31,11 +31,11 @@ Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/brow When connecting over SSH, Cloudflare supports following key exchange algorithms: -curve25519-sha256@libssh.org -curve25519-sha256 -ecdh-sha2-nistp256 -ecdh-sha2-nistp384 -ecdh-sha2-nistp521 +- curve25519-sha256@libssh.org +- curve25519-sha256 +- ecdh-sha2-nistp256 +- ecdh-sha2-nistp384 +- ecdh-sha2-nistp521 ### Client-side cloudflared (legacy) From 132a3209c0570f5919d7c618f2cfc5d48c1ec3c4 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Fri, 21 Feb 2025 11:47:38 +0000 Subject: [PATCH 3/3] fixed formatting --- .../non-http/browser-rendering.mdx | 26 ++++++++++++++----- .../applications/non-http/index.mdx | 8 ------ 2 files changed, 19 insertions(+), 15 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx b/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx index 711c500ad2de66a..d0f7185f1944c1e 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: Browser-rendered terminal sidebar: order: 3 - --- Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser. 
@@ -16,11 +15,24 @@ You can only enable browser rendering on domains and subdomains, not for specifi To enable browser rendering: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. -3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. -4. Go to **Advanced settings** > **Browser rendering settings**. -5. For **Browser rendering**, choose _SSH_ or _VNC_. -6. Select **Save application**. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. +3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. +4. Go to **Advanced settings** > **Browser rendering settings**. +5. For **Browser rendering**, choose _SSH_ or _VNC_. + + :::note + + When connecting over SSH, Cloudflare supports following key exchange algorithms: + + - `curve25519-sha256@libssh.org` + - `curve25519-sha256` + - `ecdh-sha2-nistp256` + - `ecdh-sha2-nistp384` + - `ecdh-sha2-nistp521` + + ::: + +6. Select **Save application**. When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser. diff --git a/src/content/docs/cloudflare-one/applications/non-http/index.mdx b/src/content/docs/cloudflare-one/applications/non-http/index.mdx index b18ac6ae5d86615..3e040b8edadcf76 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/index.mdx 
+++ b/src/content/docs/cloudflare-one/applications/non-http/index.mdx @@ -29,14 +29,6 @@ Clientless access methods are suited for organizations that cannot deploy the WA Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. -When connecting over SSH, Cloudflare supports following key exchange algorithms: - -- curve25519-sha256@libssh.org -- curve25519-sha256 -- ecdh-sha2-nistp256 -- ecdh-sha2-nistp384 -- ecdh-sha2-nistp521 - ### Client-side cloudflared (legacy) :::note
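Review bot: In PATCH 1/3, the `@@ -29,6 +29,14 @@` hunk of `index.mdx` adds the five algorithm names as consecutive bare lines with no list markers, so Markdown will fold them into a single run-on paragraph. Make them a bulleted list in this commit rather than in a follow-up. The lead-in sentence is also missing an article: "Cloudflare supports following key exchange algorithms" should read "supports the following key exchange algorithms". That wording is carried unchanged into 2/3 and 3/3.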
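Review bot: In PATCH 2/3, the list items are still plain text, and `- curve25519-sha256@libssh.org` has the shape of an e-mail address, which GFM-style renderers can turn into a mailto autolink. Wrap each algorithm name in inline code so readers can copy the exact identifier. 3/3 does this in `browser-rendering.mdx`, but this hunk leaves `index.mdx` unformatted in the interim.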
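Review bot: In PATCH 3/3, the `:::note` added under step 5 of `browser-rendering.mdx` lists the supported key exchange algorithms but does not say what the reader has to do with that information. State explicitly that the SSH server behind the application must offer at least one of these algorithms, and what the user sees when key exchange cannot be negotiated. Otherwise an admin whose sshd is restricted to algorithms outside this list has no way to connect the failure to this note. Since step 5 covers both _SSH_ and _VNC_, it would also help to open the note with "For SSH applications" so VNC readers can skip it, and to fix "supports following" to "supports the following".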
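Review bot: In PATCH 3/3, the `@@ -29,14 +29,6 @@` hunk of `index.mdx` removes the same list that 1/3 added and 2/3 reformatted, so the net change to that paragraph across the series is nil. Squash the series so the history shows the list being added once, in `browser-rendering.mdx`. Split the unrelated cleanups that remain in `index.mdx` (the frontmatter blank line and the `*` to `-` bullet change) into their own commit, since the "[CF1] KEXalgo support list" subject does not describe them.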