diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx index a51deb5e6eaea3e..e7e92381de555d6 100644 --- a/src/content/docs/ssl/client-certificates/byo-ca.mdx +++ b/src/content/docs/ssl/client-certificates/byo-ca.mdx @@ -10,7 +10,7 @@ description: Cloudflare mTLS now supports client certificates that have not been --- -import { Render } from "~/components" +import { Render, APIRequest } from "~/components" This page explains how you can manage mTLS using client certificates that have not been issued by Cloudflare CA. @@ -95,8 +95,10 @@ If you want to remove a CA that you have previously uploaded, you must first rem You can also use the [API](/api/resources/certificate_authorities/subresources/hostname_associations/methods/get/) to list the hostname associations. Make sure you include the query parameter `mtls_certificate_id`, where `mtls_certificate_id` is the certificate ID of the uploaded CA (step 2 above). -```bash -curl "https://api.cloudflare.com/client/v4/zones/zone_id/certificate_authorities/hostname_associations?mtls_certificate_id={id_from_step_2}" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " -``` \ No newline at end of file + \ No newline at end of file diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx index 8d64ecfb2e7c26c..99ccfccd2a92c9a 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx @@ -6,7 +6,7 @@ sidebar: label: Use the API --- -import { Render, TabItem, Tabs } from "~/components"; +import { Render, TabItem, Tabs, APIRequest } from "~/components"; 
@@ -25,6 +25,10 @@ Note that: * If setting up a per-hostname cipher suite customization, make sure that the hostname is specified on the certificate (instead of being covered by a wildcard). * If you use Windows you might need to adjust the `curl` syntax, refer to [Making API calls on Windows](/fundamentals/api/how-to/make-api-calls/#making-api-calls-on-windows) for further guidance. +:::note +Updating the cipher suites will result in certificates being redeployed. +::: + ## Steps and API examples 1. Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection). 
@@ -35,82 +39,69 @@ Note that: 3. Get the Zone ID from the [Overview page](https://dash.cloudflare.com/?to=/:account/:zone/) of the domain you want to specify cipher suites for. 4. Make an API call to either the [Edit zone setting](/api/resources/zones/subresources/settings/methods/edit/) endpoint or the [Edit TLS setting for hostname](/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/) endpoint, specifying `ciphers` in the URL. List your array of chosen cipher suites in the `value` field. -:::note -Updating the cipher suites will result in certificates being redeployed. -::: - - - -```bash -# To configure cipher suites per hostname, replace the first two lines by the following -# curl --request PUT \ -# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ - -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]}' -``` - - + -```bash -# To configure cipher suites per hostname, replace the first two lines by the following -# curl --request PUT \ -# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ - -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", 
"ECDHE-RSA-AES256-SHA384"]}' -``` + - + -```bash -# To configure cipher suites per hostname, replace the first two lines by the following -# curl --request PUT \ -# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ - -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]}' -``` - -:::caution + +:::note For compliance with PCI DSS, also [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. ::: - + -```bash -# To configure cipher suites per hostname, replace the first two lines by the following -# curl --request PUT \ -# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ + + + -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value":["AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256", "AES256-SHA", "AES256-SHA256", "DES-CBC3-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384"]}' -``` + 
@@ -120,26 +111,29 @@ curl --request PATCH \ To reset to the default cipher suites at zone level, use the [Edit zone setting](/api/resources/zones/subresources/settings/methods/edit/) endpoint, specifying `ciphers` as the setting name in the URL, and send an empty array in the `value` field. -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value": []}' -``` + + For specific hostname settings, use the [Delete TLS setting for hostname](/api/resources/hostnames/subresources/settings/subresources/tls/methods/delete/) endpoint. -```bash -curl --request DELETE \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header 'Content-Type: application/json' \ -``` + diff --git a/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx b/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx index ed9f55563b77a4e..656dff8cb25c734 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx @@ -5,7 +5,7 @@ sidebar: order: 13 --- -import { FeatureTable, TabItem, Tabs } from "~/components"; +import { FeatureTable, TabItem, Tabs, APIRequest } from "~/components"; Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer. 
@@ -54,16 +54,17 @@ Use the [Edit zone setting](/api/resources/zones/subresources/settings/methods/e In the following example, the minimum TLS version for the zone will be set to `1.2`. Replace the zone ID and API token placeholders with your information, and adjust the `value` field with your chosen TLS version. -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/min_tls_version" \ ---header "Authorization: Bearer " \ ---header "Content-Type: application/json" \ ---data '{ - "id": "min_tls_version", - "value": "1.2" - }' -``` + @@ -78,17 +79,18 @@ This is currently only available via the API: Cloudflare uses the [hostname priority logic](/ssl/reference/certificate-and-hostname-priority/) to determine which setting to apply. -In the following example, the minimum TLS version for a specific hostname will be set to `1.2`. Replace the zone ID, hostname, and API token placeholders with your information, and adjust the `value` field with your chosen TLS version. - -```bash -curl --request PUT \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/min_tls_version/{hostname}" \ ---header "Authorization: Bearer " \ ---header "Content-Type: application/json" \ ---data '{ - "value": "1.2" - }' -``` +In the following example, the minimum TLS version for a specific hostname will be set to `1.2`. Replace the zone ID, hostname, and authentication placeholders with your information, and adjust the `value` field with your chosen TLS version. + + ## Test supported TLS versions diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx index b0126693b39e2d0..f41e6d84b25a37c 100644 --- a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx 
@@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { Details, GlossaryTooltip, Render, TabItem, Tabs } from "~/components"; +import { Details, GlossaryTooltip, Render, TabItem, Tabs, APIRequest } from "~/components"; This page lists Cloudflare requirements for custom certificates and explains how to upload and update these certificates using Cloudflare dashboard or API. @@ -148,7 +148,6 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \ --header "Content-Type: application/json" \ --data "$request_body" ``` - 3. (Optional) Add a CAA record. diff --git a/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx b/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx index c42d22320b2b14c..6a303899dfdba30 100644 --- a/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx +++ b/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx @@ -10,7 +10,7 @@ description: Learn how to set up Geo Key Manager and choose the geographical boundaries of where your private encryption keys are stored. --- -import { Render, TabItem, Tabs, InlineBadge } from "~/components"; +import { Render, TabItem, Tabs, InlineBadge, APIRequest, Example } from "~/components"; ## Geo Key Manager v2 
@@ -36,31 +36,38 @@ You also have access to the `geo_restrictions` parameter, which is mutually excl ### Examples -```bash title="Store private keys in the E.U. and the U.S." -curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "certificate":"certificate", - "private_key":"", - "policy":"(country: US) and (region: EU)", - "type": "sni_custom" -}' -``` - -```bash title="Store private keys in the E.U., but not in France" -curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "certificate":"certificate", - "private_key":"", - "policy":"(region: EU) and (not country: FR)", - "type": "sni_custom" -}' -``` + + +Store private keys in the E.U. and the U.S. + +", + "policy":"(country: US) and (region: EU)", + "type": "sni_custom" + }} +/> + + + + +Store private keys in the E.U., but not in France + +", + "policy":"(region: EU) and (not country: FR)", + "type": "sni_custom" + }} +/> + + :::note diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx index 0cc2b45139f59a4..d8e8c159096730a 100644 --- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx 
@@ -9,7 +9,7 @@ description: Learn how to set up Cloudflare Authenticated Origin Pulls with the --- -import { Render } from "~/components"; +import { Render, APIRequest } from "~/components"; This guide will walk you through how to set up [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls to securely connect to an AWS Application Load Balancer using [mutual TLS verify](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html). @@ -71,35 +71,34 @@ curl --verbose https:// 2.[Associate the certificate with the hostname](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) that should use it. -```bash -curl --silent --request PUT \ -"https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames" \ ---header "Content-Type: application/json" \ ---header "X-Auth-Email: $MYAUTHEMAIL" \ ---header "X-Auth-Key: $MYAUTHKEY" \ ---data '{ - "config": [ +", "hostname": "" } ] -}' -``` + }} +/> + 3. [Enable the Authenticated Origin Pulls](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/#3-enable-authenticated-origin-pulls-globally) feature on your zone. -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/$ZONEID/settings/tls_client_auth" \ ---header "X-Auth-Email: $MYAUTHEMAIL" \ ---header "X-Auth-Key: $MYAUTHKEY" \ ---header "Content-Type: application/json" \ ---data '{ - "value": "on" -}' -``` + + :::note 
@@ -112,36 +111,32 @@ Make sure your [encryption mode](/ssl/origin-configuration/ssl-modes/) is set to 1. Use a [`PUT` request](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname. -```bash -curl -s --request PUT \ -"https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames" \ ---header "Content-Type: application/json" \ ---header "X-Auth-Email: $MYAUTHEMAIL" \ ---header "X-Auth-Key: $MYAUTHKEY" \ ---data '{ - "config": [ +", "hostname": "" } ] -}' -``` + }} +/> + 2. (Optional) Use a [`GET` request](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step. -```bash -curl "https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames/certificates" \ ---header "X-Auth-Email: $MYAUTHEMAIL" \ ---header "X-Auth-Key: $MYAUTHKEY" -``` + 3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded. -```bash -curl --request DELETE \ -"https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames/certificates/$CERTID" \ ---header "X-Auth-Email: $MYAUTHEMAIL" \ ---header "X-Auth-Key: $MYAUTHKEY" -``` + + diff --git a/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx b/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx index 8f8044e8eac5c2f..33b333bd0313408 100644 --- a/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx +++ b/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx 
@@ -9,7 +9,7 @@ description: Encryption modes allow you to control how Cloudflare connects to validated. --- -import { DirectoryListing, Render, TabItem, Tabs } from "~/components"; +import { DirectoryListing, Render, TabItem, Tabs, APIRequest } from "~/components";
@@ -52,13 +52,16 @@ Automatic SSL/TLS will not change your setting to a less secure encryption mode. If you want to opt a zone out via the API, you can make this API call on or before the grace period expiration date. -```bash - curl --request PATCH \ - --url https://api.cloudflare.com/client/v4/zones//settings/ssl_automatic_mode \ - --header 'Authorization: Bearer ' \ - --header 'Content-Type: application/json' \ - --data '{"value":"custom"}' -``` + #### Opt out multiple zones @@ -93,6 +96,7 @@ If you wanted to opt out multiple zones: done ``` + 5. Open your command line and run: ```bash diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx index 661c0536b2c2aa9..c1e5b75d9c70a82 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx @@ -8,7 +8,7 @@ head: [] description: Learn about post-quantum cryptography in connections from Cloudflare to your origin servers. --- -import { Example } from "~/components"; +import { Example, APIRequest } from "~/components"; As explained in [About PQC](/ssl/post-quantum-cryptography/), Cloudflare has deployed support for hybrid key agreements, which includes both the most common key agreement for TLS 1.3, X25519, and the post-quantum secure ML-KEM. 
@@ -36,15 +36,13 @@ It is also possible to opt out of PQC using the same API endpoint. This setting affects all outbound connections from the zone you specify in the API call, including `fetch()` requests made by [Workers](/workers/) on your zone. ::: -```bash -curl --request PUT \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/cache/origin_post_quantum_encryption" \ ---header "Authorization: Bearer " \ ---header "Content-Type: application/json" \ ---data '{ - "value": "" -}' -``` +" + }} +/> The possible values are: - `supported` (most compatible): Advertise support for post-quantum key agreement, but send a classical keyshare in the first ClientHello. diff --git a/src/content/partials/ssl/ciphers-api-general-notes.mdx b/src/content/partials/ssl/ciphers-api-general-notes.mdx index 46f568890fb3177..431555f3a04bc82 100644 --- a/src/content/partials/ssl/ciphers-api-general-notes.mdx +++ b/src/content/partials/ssl/ciphers-api-general-notes.mdx @@ -2,7 +2,9 @@ {} --- +To configure cipher suites per hostname, replace the first two lines by the following: -Make the following API call with the appropriate `{zone_id}`, ``, and ``. - -If you [choose to use a token](/fundamentals/api/get-started/), you will not need an email nor an API key. You will instead replace the `X-Auth-Email` and `X-Auth-Key` headers by `--header "Authorization: Bearer " \`. +```bash +curl --request PUT \ +"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ +``` diff --git a/src/content/partials/ssl/forward-client-certificate.mdx b/src/content/partials/ssl/forward-client-certificate.mdx index 9a8d1368f1093fb..d9f5687fccee5a3 100644 --- a/src/content/partials/ssl/forward-client-certificate.mdx +++ b/src/content/partials/ssl/forward-client-certificate.mdx 
@@ -3,6 +3,8 @@ --- +import { APIRequest } from "~/components"; + ## Forward a client certificate In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging. @@ -17,22 +19,22 @@ This process is only available on accounts with [Cloudflare Access](/cloudflare- The most common approach to forwarding a certificate is to use the Cloudflare API to [update an mTLS certificate's hostname settings](/api/resources/zero_trust/subresources/access/subresources/certificates/subresources/settings/methods/update/). -```bash title="Request" {11} -curl --request PUT \ -https://api.cloudflare.com/client/v4/zones/{zone_id}/access/certificates/settings \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "settings": [ +", "china_network": false, "client_certificate_forwarding": true } ] -}' -``` + }} + code={{ + mark: [10] + }} +/> Once `client_certificate_forwarding` is set to `true`, the first request of an mTLS connection will now include the following headers:
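Review bot: In `byo-ca.mdx` (hunk `@@ -95,8 +95,10 @@`), the removed curl used a bare `zone_id` in the path (`/zones/zone_id/certificate_authorities/hostname_associations?...`) rather than the `{zone_id}` placeholder the other pages use, and the prose right above insists on the `mtls_certificate_id` query parameter; please confirm the replacement component keeps that query string and uses the braced placeholder. The file also still ends with `\ No newline at end of file` on both sides, which is a good moment to add the trailing newline.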
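Review bot: In `customize-cipher-suites/api.mdx` (hunk `@@ -35,82 +39,69 @@`), the PCI DSS paragraph is downgraded from `:::caution` to `:::note` with no change to its wording ("also enable TLS 1.3 ... and make sure to up your Minimum TLS version to `1.2`"); since that text states a compliance requirement rather than background information, keep `:::caution` unless the downgrade is deliberate, and if it is, say why in the commit message.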
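Review bot: In `customize-cipher-suites/api.mdx` (hunk `@@ -120,26 +111,29 @@`), the removed hostname reset example had two defects worth not carrying over: a dangling line continuation (`--header 'Content-Type: application/json' \` as the last line) and a `Content-Type` header on a `DELETE` that sends no body. Please check that the replacement for the `hostnames/settings/ciphers/{hostname}` delete renders without a content-type header or a trailing backslash.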
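Review bot: In `minimum-tls.mdx` (hunk `@@ -54,16 +54,17 @@`), the context line "Replace the zone ID and API token placeholders with your information" is left as is, while the hostname hunk just below rewrites the equivalent sentence to "zone ID, hostname, and authentication placeholders". Reword the zone-level sentence the same way so both examples describe the placeholders consistently.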
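Review bot: In `custom-certificates/uploading.mdx` (hunk `@@ -5,7 +5,7 @@`), `APIRequest` is added to the import list but neither hunk in this file uses the component; drop the unused import, or convert the remaining curl block (the one ending in `--data "$request_body"`) in the same change.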
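Review bot: In `custom-certificates/uploading.mdx` (hunk `@@ -148,7 +148,6 @@`), the only change is removing the blank line between the closing code fence and `3. (Optional) Add a CAA record.`; please verify in the rendered page that the numbered steps still form a single list, since a fence followed directly by a list marker can render differently from one separated by a blank line.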
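Review bot: In `aws-alb-integration.mdx` (hunk `@@ -71,35 +71,34 @@`), the context line `2.[Associate the certificate with the hostname](...)` is missing the space after `2.`, so it does not render as a list item; since this hunk rewrites the lines immediately below it, fix the spacing here (`2. [Associate ...`).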
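Review bot: In `ssl-modes/index.mdx` (hunk `@@ -52,13 +52,16 @@`), the removed opt-out example had an empty path segment (`/zones//settings/ssl_automatic_mode`) and angle-bracket style placeholders, unlike the `{zone_id}` convention used on the other pages in this change; please confirm the replacement carries a real `{zone_id}` placeholder and the `{"value":"custom"}` body.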
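Review bot: In `partials/ssl/ciphers-api-general-notes.mdx` (hunk `@@ -2,7 +2,9 @@`), the new bash block ends with a dangling continuation (`"https://.../hostnames/settings/ciphers/{hostname}" \`), and "replace the first two lines by the following" only holds if the rendered `APIRequest` output puts the method and URL on its first two lines, which the partial cannot guarantee. Consider rendering the complete per-hostname `PUT` request instead, and note that the removed token guidance ("replace the `X-Auth-Email` and `X-Auth-Key` headers by `--header "Authorization: Bearer ..."`") is now gone for any page that still includes this partial; the file name `ciphers-api-general-notes` also no longer describes its hostname-specific content.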
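Review bot: In `partials/ssl/forward-client-certificate.mdx` (hunk `@@ -17,22 +19,22 @@`), the highlight moves from `{11}` on the fence to `code={{ mark: [10] }}`. In the removed block line 11 was `"client_certificate_forwarding": true` (two `X-Auth-*` header lines); `10` is only right if the rendered request replaces those with a single authentication header line, so please check the rendered page still highlights the `client_certificate_forwarding` line rather than `china_network`.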