From a61325814eb710b0bcf8ef6b691c2a00bda19a81 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 15 May 2025 18:52:43 +0100 Subject: [PATCH 01/12] Find occurrences and add placeholder syntax throughout --- .../docs/ssl/client-certificates/byo-ca.mdx | 10 ++++- .../customize-cipher-suites/api.mdx | 44 ++++++++++++++++++- .../additional-options/minimum-tls.mdx | 14 +++++- .../custom-certificates/uploading.mdx | 8 +++- .../geokey-manager/setup.mdx | 14 +++++- .../aws-alb-integration.mdx | 37 +++++++++++++++- .../origin-configuration/ssl-modes/index.mdx | 26 ++++++++++- .../pqc-to-origin.mdx | 8 +++- .../ssl/forward-client-certificate.mdx | 9 ++++ 9 files changed, 161 insertions(+), 9 deletions(-) diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx index a51deb5e6eaea3e..838c7712a704adc 100644 --- a/src/content/docs/ssl/client-certificates/byo-ca.mdx +++ b/src/content/docs/ssl/client-certificates/byo-ca.mdx @@ -10,7 +10,7 @@ description: Cloudflare mTLS now supports client certificates that have not been --- -import { Render } from "~/components" +import { Render, APIRequest } from "~/components" This page explains how you can manage mTLS using client certificates that have not been issued by Cloudflare CA. @@ -99,4 +99,10 @@ You can also use the [API](/api/resources/certificate_authorities/subresources/h curl "https://api.cloudflare.com/client/v4/zones/zone_id/certificate_authorities/hostname_associations?mtls_certificate_id={id_from_step_2}" \ --header "X-Auth-Email: " \ --header "X-Auth-Key: " -``` \ No newline at end of file +``` + + \ No newline at end of file diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx index 8d64ecfb2e7c26c..0eda9a523c9f317 100644 
--- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx @@ -6,7 +6,7 @@ sidebar: label: Use the API --- -import { Render, TabItem, Tabs } from "~/components"; +import { Render, TabItem, Tabs, APIRequest } from "~/components"; @@ -56,6 +56,13 @@ curl --request PATCH \ --data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]}' ``` + + + @@ -73,6 +80,13 @@ curl --request PATCH \ --data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384"]}' ``` + + + @@ -90,6 +104,13 @@ curl --request PATCH \ --data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]}' ``` + + + :::caution For compliance with PCI DSS, also [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. 
@@ -112,6 +133,13 @@ curl --request PATCH \ --data '{"value":["AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256", "AES256-SHA", "AES256-SHA256", "DES-CBC3-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384"]}' ``` + + + ### Reset to default values @@ -129,6 +157,13 @@ curl --request PATCH \ --data '{"value": []}' ``` + + + For specific hostname settings, use the [Delete TLS setting for hostname](/api/resources/hostnames/subresources/settings/subresources/tls/methods/delete/) endpoint. @@ -141,6 +176,13 @@ curl --request DELETE \ --header 'Content-Type: application/json' \ ``` + + + diff --git a/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx b/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx index ed9f55563b77a4e..414e67515f704d6 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx @@ -5,7 +5,7 @@ sidebar: order: 13 --- -import { FeatureTable, TabItem, Tabs } from "~/components"; +import { FeatureTable, TabItem, Tabs, APIRequest } from "~/components"; Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer. @@ -65,6 +65,12 @@ curl --request PATCH \ }' ``` + + ### Per-hostname @@ -90,6 +96,12 @@ curl --request PUT \ }' ``` + + ## Test supported TLS versions To test supported TLS versions, attempt a request to your website or application while specifying a TLS version. diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx index b0126693b39e2d0..83f02ed961c4dcb 100644 
--- a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { Details, GlossaryTooltip, Render, TabItem, Tabs } from "~/components"; +import { Details, GlossaryTooltip, Render, TabItem, Tabs, APIRequest } from "~/components"; This page lists Cloudflare requirements for custom certificates and explains how to upload and update these certificates using Cloudflare dashboard or API. @@ -149,6 +149,12 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \ --data "$request_body" ``` + + 3. (Optional) Add a CAA record. diff --git a/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx b/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx index c42d22320b2b14c..aa399eed4c79d53 100644 --- a/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx +++ b/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx @@ -10,7 +10,7 @@ description: Learn how to set up Geo Key Manager and choose the geographical boundaries of where your private encryption keys are stored. --- -import { Render, TabItem, Tabs, InlineBadge } from "~/components"; +import { Render, TabItem, Tabs, InlineBadge, APIRequest } from "~/components"; ## Geo Key Manager v2 @@ -49,6 +49,12 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" }' ``` + + ```bash title="Store private keys in the E.U., but not in France" curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" \ --header "X-Auth-Email: " \ @@ -62,6 +68,12 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" }' ``` + + :::note For more information on the `policy` field, refer to [Supported options](/ssl/edge-certificates/geokey-manager/supported-options/). 
diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx index 0cc2b45139f59a4..efb4f649eb28563 100644 --- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx @@ -9,7 +9,7 @@ description: Learn how to set up Cloudflare Authenticated Origin Pulls with the --- -import { Render } from "~/components"; +import { Render, APIRequest } from "~/components"; This guide will walk you through how to set up [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls to securely connect to an AWS Application Load Balancer using [mutual TLS verify](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html). @@ -88,6 +88,13 @@ curl --silent --request PUT \ }' ``` + + + 3. [Enable the Authenticated Origin Pulls](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/#3-enable-authenticated-origin-pulls-globally) feature on your zone. ```bash @@ -101,6 +108,13 @@ curl --request PATCH \ }' ``` + + + :::note Make sure your [encryption mode](/ssl/origin-configuration/ssl-modes/) is set to **Full** or higher. If you only want to adjust this setting for a specific hostname, use [Configuration Rules](/rules/configuration-rules/settings/#ssl). @@ -129,6 +143,13 @@ curl -s --request PUT \ }' ``` + + + 2. (Optional) Use a [`GET` request](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step. ```bash 
@@ -137,6 +158,13 @@ curl "https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/ --header "X-Auth-Key: $MYAUTHKEY" ``` + + + 3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded. ```bash @@ -145,3 +173,10 @@ curl --request DELETE \ --header "X-Auth-Email: $MYAUTHEMAIL" \ --header "X-Auth-Key: $MYAUTHKEY" ``` + + + diff --git a/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx b/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx index 8f8044e8eac5c2f..1d299dcf843b04c 100644 --- a/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx +++ b/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx @@ -9,7 +9,7 @@ description: Encryption modes allow you to control how Cloudflare connects to validated. --- -import { DirectoryListing, Render, TabItem, Tabs } from "~/components"; +import { DirectoryListing, Render, TabItem, Tabs, APIRequest } from "~/components";
@@ -60,6 +60,14 @@ If you want to opt a zone out via the API, you can make this API call on or befo --data '{"value":"custom"}' ``` + + + + #### Opt out multiple zones If you wanted to opt out multiple zones: @@ -76,6 +84,14 @@ If you wanted to opt out multiple zones: --header 'Content-Type: application/json' ``` + + + + 3. Create a list of zone IDs you want to opt-out with each zone ID on a separate line (newline separate), stored in a file such as `zones.txt`. 4. Create a bash script for `opt-out-multiple-zones.sh` and add the following. Add `zones.txt` to the same directory or update the path accordingly. @@ -93,6 +109,14 @@ If you wanted to opt out multiple zones: done ``` + + + + 5. Open your command line and run: ```bash diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx index 661c0536b2c2aa9..782b53e30c10ea4 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx @@ -8,7 +8,7 @@ head: [] description: Learn about post-quantum cryptography in connections from Cloudflare to your origin servers. --- -import { Example } from "~/components"; +import { Example, APIRequest } from "~/components"; As explained in [About PQC](/ssl/post-quantum-cryptography/), Cloudflare has deployed support for hybrid key agreements, which includes both the most common key agreement for TLS 1.3, X25519, and the post-quantum secure ML-KEM. @@ -46,6 +46,12 @@ curl --request PUT \ }' ``` + + The possible values are: - `supported` (most compatible): Advertise support for post-quantum key agreement, but send a classical keyshare in the first ClientHello. - `preferred` (most performant): Send a post-quantum keyshare in the first ClientHello. Cloudflare continues to advertise support for classical keyshares as well. 
diff --git a/src/content/partials/ssl/forward-client-certificate.mdx b/src/content/partials/ssl/forward-client-certificate.mdx index 9a8d1368f1093fb..f80a9c26bf39284 100644 --- a/src/content/partials/ssl/forward-client-certificate.mdx +++ b/src/content/partials/ssl/forward-client-certificate.mdx @@ -3,6 +3,8 @@ --- +import { APIRequest } from "~/components"; + ## Forward a client certificate In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging. @@ -34,6 +36,13 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/access/certificates/setting }' ``` + + + Once `client_certificate_forwarding` is set to `true`, the first request of an mTLS connection will now include the following headers: * `Cf-Client-Cert-Der-Base64` From 28114219a9806520237c38b76cdda838ea34ed49 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 16 May 2025 07:13:20 +0100 Subject: [PATCH 02/12] Fill APIRequest for ciphers calls --- .../customize-cipher-suites/api.mdx | 65 +++++++++++++------ 1 file changed, 45 insertions(+), 20 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx index 0eda9a523c9f317..9e2136319e34491 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx @@ -57,9 +57,14 @@ curl --request PATCH \ ``` @@ -81,12 +86,16 @@ curl --request PATCH \ ``` - 
@@ -105,12 +114,16 @@ curl --request PATCH \ ``` - :::caution For compliance with PCI DSS, also [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. @@ -134,9 +147,14 @@ curl --request PATCH \ ``` @@ -158,9 +176,14 @@ curl --request PATCH \ ``` @@ -177,9 +200,11 @@ curl --request DELETE \ ``` From 7555ac2a6c39b599ff452d3a028b91045f51d76f Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 16 May 2025 07:23:48 +0100 Subject: [PATCH 03/12] Fill in min_tls_version occurrences --- .../additional-options/minimum-tls.mdx | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx b/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx index 414e67515f704d6..8b16d3dd18bb2cc 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx @@ -66,9 +66,15 @@ curl --request PATCH \ ``` @@ -97,9 +103,14 @@ curl --request PUT \ ``` ## Test supported TLS versions From 44c3955c36804cb1975d20b88ac37791fe81b9ef Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 16 May 2025 08:52:34 +0100 Subject: [PATCH 04/12] Fill values in for aws-alb-integration --- .../aws-alb-integration.mdx | 49 +++++++++++++------ 1 file changed, 34 insertions(+), 15 deletions(-) diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx index efb4f649eb28563..f95923b203011ac 100644 --- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx 
@@ -89,9 +89,17 @@ curl --silent --request PUT \ ``` ", + "hostname": "" + } + ] + }} /> @@ -109,9 +117,14 @@ curl --request PATCH \ ``` @@ -144,9 +157,17 @@ curl -s --request PUT \ ``` ", + "hostname": "" + } + ] + }} /> @@ -159,9 +180,8 @@ curl "https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/ ``` @@ -175,8 +195,7 @@ curl --request DELETE \ ``` From 8d7717a2f0268868c6abbe17f49d23c16a848cf4 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 16 May 2025 09:20:55 +0100 Subject: [PATCH 05/12] Fill in only for first case in origin-configuration/index --- .../origin-configuration/ssl-modes/index.mdx | 26 ++++++------------- 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx b/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx index 1d299dcf843b04c..2c567faa4f274c3 100644 --- a/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx +++ b/src/content/docs/ssl/origin-configuration/ssl-modes/index.mdx @@ -62,9 +62,14 @@ If you want to opt a zone out via the API, you can make this API call on or befo @@ -84,14 +89,6 @@ If you wanted to opt out multiple zones: --header 'Content-Type: application/json' ``` - - - - 3. Create a list of zone IDs you want to opt-out with each zone ID on a separate line (newline separate), stored in a file such as `zones.txt`. 4. Create a bash script for `opt-out-multiple-zones.sh` and add the following. Add `zones.txt` to the same directory or update the path accordingly. @@ -110,13 +107,6 @@ If you wanted to opt out multiple zones: ``` - - - 5. Open your command line and run: ```bash From d7c9fd98ab0a104f953d6cc73d0c7342ab59a809 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Fri, 16 May 2025 09:21:48 +0100 Subject: [PATCH 06/12] Fill in pqc and forward-client-cert partial --- .../post-quantum-cryptography/pqc-to-origin.mdx | 8 +++++--- .../partials/ssl/forward-client-certificate.mdx | 17 ++++++++++++++--- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx index 782b53e30c10ea4..ec67e59f7585460 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx @@ -47,9 +47,11 @@ curl --request PUT \ ``` " + }} /> The possible values are: diff --git a/src/content/partials/ssl/forward-client-certificate.mdx b/src/content/partials/ssl/forward-client-certificate.mdx index f80a9c26bf39284..8972f159f503181 100644 --- a/src/content/partials/ssl/forward-client-certificate.mdx +++ b/src/content/partials/ssl/forward-client-certificate.mdx @@ -37,9 +37,20 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/access/certificates/setting ``` ", + "china_network": false, + "client_certificate_forwarding": true + } + ] + }} + code={{ + mark: [10] + }} /> From a3dd6ccfa690459437028cbed65a7bb6b54a329d Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 16 May 2025 09:28:43 +0100 Subject: [PATCH 07/12] Fill in for byo-ca and remove from uploading --- src/content/docs/ssl/client-certificates/byo-ca.mdx | 8 +++++--- .../edge-certificates/custom-certificates/uploading.mdx | 7 ------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx index 838c7712a704adc..efa7e1e896f1fc7 100644 --- a/src/content/docs/ssl/client-certificates/byo-ca.mdx +++ b/src/content/docs/ssl/client-certificates/byo-ca.mdx 
@@ -102,7 +102,9 @@ curl "https://api.cloudflare.com/client/v4/zones/zone_id/certificate_authorities ``` \ No newline at end of file diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx index 83f02ed961c4dcb..f41e6d84b25a37c 100644 --- a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx @@ -148,13 +148,6 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \ --header "Content-Type: application/json" \ --data "$request_body" ``` - - - 3. (Optional) Add a CAA record. From cc3f3160ca3789c6ba9ebd6bc217bb4c33b50164 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 16 May 2025 09:31:40 +0100 Subject: [PATCH 08/12] Fill in examples in geokey-manager/setup --- .../geokey-manager/setup.mdx | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx b/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx index aa399eed4c79d53..d32b06f555070df 100644 --- a/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx +++ b/src/content/docs/ssl/edge-certificates/geokey-manager/setup.mdx @@ -50,9 +50,14 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" ``` ", + "policy":"(country: US) and (region: EU)", + "type": "sni_custom" + }} /> ```bash title="Store private keys in the E.U., but not in France" @@ -69,9 +74,14 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" ``` ", + "policy":"(region: EU) and (not country: FR)", + "type": "sni_custom" + }} /> :::note From fa43b9074ea1d9ae97b4d40469643327414e20a2 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro
Date: Fri, 16 May 2025 10:13:37 +0100
Subject: [PATCH 09/12] Adjust related content for custom ciphers via API

---
 .../customize-cipher-suites/api.mdx | 44 ++++++-------------
 .../ssl/ciphers-api-general-notes.mdx | 8 ++--
 2 files changed, 18 insertions(+), 34 deletions(-)

diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx
index 9e2136319e34491..763b077a7dac787 100644
--- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx
+++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx
@@ -25,6 +25,10 @@ Note that:
 * If setting up a per-hostname cipher suite customization, make sure that the hostname is specified on the certificate (instead of being covered by a wildcard).
 * If you use Windows you might need to adjust the `curl` syntax, refer to [Making API calls on Windows](/fundamentals/api/how-to/make-api-calls/#making-api-calls-on-windows) for further guidance.
 
+:::note
+Updating the cipher suites will result in certificates being redeployed.
+:::
+
 ## Steps and API examples
 
 1. Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection).
@@ -35,19 +39,9 @@ Note that: 3. Get the Zone ID from the [Overview page](https://dash.cloudflare.com/?to=/:account/:zone/) of the domain you want to specify cipher suites for. 4. Make an API call to either the [Edit zone setting](/api/resources/zones/subresources/settings/methods/edit/) endpoint or the [Edit TLS setting for hostname](/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/) endpoint, specifying `ciphers` in the URL. List your array of chosen cipher suites in the `value` field. -:::note -Updating the cipher suites will result in certificates being redeployed. -::: - - - ```bash -# To configure cipher suites per hostname, replace the first two lines by the following -# curl --request PUT \ -# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ - curl --request PATCH \ "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ --header "X-Auth-Email: " \ @@ -67,16 +61,11 @@ curl --request PATCH \ }} /> + - - ```bash -# To configure cipher suites per hostname, replace the first two lines by the following -# curl --request PUT \ -# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ - curl --request PATCH \ "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ --header "X-Auth-Email: " \ 
@@ -96,15 +85,16 @@ curl --request PATCH \ }} /> - -```bash -# To configure cipher suites per hostname, replace the first two lines by the following -# curl --request PUT \ -# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ + + +:::note +For compliance with PCI DSS, also [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. +::: +```bash curl --request PATCH \ "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ --header "X-Auth-Email: " \ @@ -124,20 +114,11 @@ curl --request PATCH \ }} /> -:::caution - -For compliance with PCI DSS, also [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. -::: + - - ```bash -# To configure cipher suites per hostname, replace the first two lines by the following -# curl --request PUT \ -# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ - curl --request PATCH \ "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ --header "X-Auth-Email: " \ @@ -157,6 +138,7 @@ curl --request PATCH \ }} /> + diff --git a/src/content/partials/ssl/ciphers-api-general-notes.mdx b/src/content/partials/ssl/ciphers-api-general-notes.mdx index 46f568890fb3177..431555f3a04bc82 100644 --- a/src/content/partials/ssl/ciphers-api-general-notes.mdx +++ b/src/content/partials/ssl/ciphers-api-general-notes.mdx 
@@ -2,7 +2,9 @@ {} --- +To configure cipher suites per hostname, replace the first two lines by the following: -Make the following API call with the appropriate `{zone_id}`, ``, and ``. - -If you [choose to use a token](/fundamentals/api/get-started/), you will not need an email nor an API key. You will instead replace the `X-Auth-Email` and `X-Auth-Key` headers by `--header "Authorization: Bearer " \`. +```bash +curl --request PUT \ +"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \ +``` From 95e07cc235b95fa088c87aee2426ce26df290f7d Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 16 May 2025 10:16:23 +0100 Subject: [PATCH 10/12] Confirm correct cipher strings and remove bash code blocks --- .../customize-cipher-suites/api.mdx | 37 ------------------- 1 file changed, 37 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx index 763b077a7dac787..f8e2cab0811f243 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx 
@@ -41,15 +41,6 @@ Updating the cipher suites will result in certificates being redeployed. -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]}' -``` - -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384"]}' -``` - - 
@@ -94,15 +75,6 @@ curl --request PATCH \ For compliance with PCI DSS, also [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. ::: -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]}' -``` - -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value":["AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256", "AES256-SHA", "AES256-SHA256", "DES-CBC3-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384"]}' -``` - Date: Fri, 16 May 2025 10:18:15 +0100 Subject: [PATCH 11/12] Remove remaining bash from custom ciphers api --- .../customize-cipher-suites/api.mdx | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx index f8e2cab0811f243..99ccfccd2a92c9a 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx 
+++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx @@ -111,15 +111,6 @@ For compliance with PCI DSS, also [enable TLS 1.3](/ssl/edge-certificates/additi To reset to the default cipher suites at zone level, use the [Edit zone setting](/api/resources/zones/subresources/settings/methods/edit/) endpoint, specifying `ciphers` as the setting name in the URL, and send an empty array in the `value` field. -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{"value": []}' -``` - " \ ---header "X-Auth-Key: " \ ---header 'Content-Type: application/json' \ -``` - - From 9f78d3c8aafd695faf3565358e030d766210edd5 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 16 May 2025 10:38:42 +0100 Subject: [PATCH 12/12] Double-check and remove original bash throughout --- .../docs/ssl/client-certificates/byo-ca.mdx | 6 -- .../additional-options/minimum-tls.mdx | 23 +------- .../geokey-manager/setup.mdx | 35 ++++------- .../aws-alb-integration.mdx | 59 ------------------- .../origin-configuration/ssl-modes/index.mdx | 10 ---- .../pqc-to-origin.mdx | 10 ---- .../ssl/forward-client-certificate.mdx | 18 ------ 7 files changed, 11 insertions(+), 150 deletions(-) diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx index efa7e1e896f1fc7..e7e92381de555d6 100644 --- a/src/content/docs/ssl/client-certificates/byo-ca.mdx +++ b/src/content/docs/ssl/client-certificates/byo-ca.mdx 
@@ -95,12 +95,6 @@ If you want to remove a CA that you have previously uploaded, you must first rem You can also use the [API](/api/resources/certificate_authorities/subresources/hostname_associations/methods/get/) to list the hostname associations. Make sure you include the query parameter `mtls_certificate_id`, where `mtls_certificate_id` is the certificate ID of the uploaded CA (step 2 above). -```bash -curl "https://api.cloudflare.com/client/v4/zones/zone_id/certificate_authorities/hostname_associations?mtls_certificate_id={id_from_step_2}" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " -``` - " \ ---header "Content-Type: application/json" \ ---data '{ - "id": "min_tls_version", - "value": "1.2" - }' -``` - " \ ---header "Content-Type: application/json" \ ---data '{ - "value": "1.2" - }' -``` +In the following example, the minimum TLS version for a specific hostname will be set to `1.2`. Replace the zone ID, hostname, and authentication placeholders with your information, and adjust the `value` field with your chosen TLS version. 
@@ -36,18 +36,9 @@ You also have access to the `geo_restrictions` parameter, which is mutually excl ### Examples -```bash title="Store private keys in the E.U. and the U.S." -curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "certificate":"certificate", - "private_key":"", - "policy":"(country: US) and (region: EU)", - "type": "sni_custom" -}' -``` + + +Store private keys in the E.U. and the U.S. -```bash title="Store private keys in the E.U., but not in France" -curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "certificate":"certificate", - "private_key":"", - "policy":"(region: EU) and (not country: FR)", - "type": "sni_custom" -}' -``` + + + +Store private keys in the E.U., but not in France + + :::note For more information on the `policy` field, refer to [Supported options](/ssl/edge-certificates/geokey-manager/supported-options/). diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx index f95923b203011ac..d8e8c159096730a 100644 --- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx 
@@ -71,23 +71,6 @@ curl --verbose https:// 2.[Associate the certificate with the hostname](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) that should use it. -```bash -curl --silent --request PUT \ -"https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames" \ ---header "Content-Type: application/json" \ ---header "X-Auth-Email: $MYAUTHEMAIL" \ ---header "X-Auth-Key: $MYAUTHKEY" \ ---data '{ - "config": [ - { - "enabled": true, - "cert_id": "", - "hostname": "" - } - ] -}' -``` - ", - "hostname": "" - } - ] -}' -``` - - 3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded. -```bash -curl --request DELETE \ -"https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames/certificates/$CERTID" \ ---header "X-Auth-Email: $MYAUTHEMAIL" \ ---header "X-Auth-Key: $MYAUTHKEY" -``` - /settings/ssl_automatic_mode \ - --header 'Authorization: Bearer ' \ - --header 'Content-Type: application/json' \ - --data '{"value":"custom"}' -``` - - - #### Opt out multiple zones If you wanted to opt out multiple zones: diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx index ec67e59f7585460..c1e5b75d9c70a82 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx 
@@ -36,16 +36,6 @@ It is also possible to opt out of PQC using the same API endpoint. This setting affects all outbound connections from the zone you specify in the API call, including `fetch()` requests made by [Workers](/workers/) on your zone. ::: -```bash -curl --request PUT \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/cache/origin_post_quantum_encryption" \ ---header "Authorization: Bearer " \ ---header "Content-Type: application/json" \ ---data '{ - "value": "" -}' -``` - " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "settings": [ - { - "hostname": "", - "china_network": false, - "client_certificate_forwarding": true - } - ] -}' -``` - - Once `client_certificate_forwarding` is set to `true`, the first request of an mTLS connection will now include the following headers: * `Cf-Client-Cert-Der-Base64`