[Gateway] Proxy endpoint limitations (#13608)

cloudflare · Mar 26, 2024 · 0868dbe · 0868dbe
1 parent 18dbb3c
commit 0868dbe
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 22 deletions.
diff --git a/content/cloudflare-one/account-limits.md b/content/cloudflare-one/account-limits.md
@@ -34,14 +34,15 @@ This page lists the default account limits for rules, applications, fields, and
 | HTTP policies per account                 | 500   |
 | DNS locations                             | 250   |
 | Concurrent streams for HTTP/2 connections | 256   |
-| Source IP addresses per proxy endpoint    | 2,000 |
+| Proxy endpoints                           | 500   |
+| Source IP CIDRs per proxy endpoint        | 2,000 |
 | Lists                                     | 100   |
 | Entries per list (Standard users)         | 1,000 |
 | Entries per list (Enterprise users)       | 5,000 |
 | DNS Logpush jobs                          | 5     |
 | HTTP Logpush jobs                         | 5     |
 
-## Data Loss Prevention
+## Data Loss Prevention (DLP)
 
 | Feature                                  | Limit   |
 | ---------------------------------------- | ------- |

diff --git a/content/cloudflare-one/connections/connect-devices/agentless/pac-files.md b/content/cloudflare-one/connections/connect-devices/agentless/pac-files.md
@@ -8,15 +8,15 @@ weight: 1
 
 {{<Aside type="note">}}
 
-This feature is only available to Enterprise customers.
+Only available on Enterprise plans.
 
 {{</Aside>}}
 
 You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file.
 
 {{<glossary-definition term_id="PAC file" prepend="A PAC file is ">}}
 
-When end users visit a website, their browser will send the request to a Cloudflare proxy server associated with your account to be filtered by Gateway.
+When end users visit a website, their browser will send the request to a Cloudflare proxy server associated with your account to be filtered by Gateway. Note that Gateway [cannot filter every type of HTTP traffic](#limitations) proxied using PAC files.
 
 ## Prerequisites
 
@@ -37,9 +37,17 @@ All devices you add to the proxy endpoint will be able to access your Cloudflare
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Proxy Endpoints**.
 2. Select **Create endpoint**.
 3. Give your endpoint any name.
-4. Enter the public source IP address of your device(s) in CIDR notation. For example,
-   - **IPv4**: `90.90.241.229/32` (up to `/26`)
-   - **IPv6**: `2601:645:4500:9c0:a945:f47c:23e9:a35b/128`
+4. Enter the public source IP address of your device(s) in CIDR notation. For example:
+
+   - **IPv4**: `192.0.2.0/8`
+   - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/109`
+
+   {{<Aside type="note">}}
+
+   Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/109` for IPv6 networks.
+
+   {{</Aside>}}
+
 5. Select **Save endpoint** and confirm the endpoint creation.
 
 Your Cloudflare proxy server domain is of the form:
@@ -52,24 +60,33 @@ https://<SUBDOMAIN>.proxy.cloudflare-gateway.com
 
 {{<tab label="api" no-code="true">}}
 
-1. Run the following command:
+1. [Create a proxy endpoint](/api/operations/zero-trust-gateway-proxy-endpoints-create-proxy-endpoint) with the following call:
 
    ```bash
-   curl --request POST \
-   --url https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/gateway/proxy_endpoints \
-   --header 'X-Auth-Email: <EMAIL>' \
-   --header 'X-Auth-Key: <API_KEY>' \
+   curl https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/gateway/proxy_endpoints \
+   --header "Authorization: Bearer <API_TOKEN>" \
+   --header "Content-Type: application/json" \
    --data '{"name": "any_name", "ips": ["<PUBLIC_IP>", "<PUBLIC_IP2>", "<PUBLIC_IP3>"]}'
    ```
 
-   Replace `<PUBLIC_IP>` with the source IP address of your device in CIDR notation. For example,
+   Replace `<PUBLIC_IP>` with the source IP address of your device in CIDR notation. For example:
+
+   - **IPv4**: `192.0.2.0/8`
+   - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/109`
+
+   {{<Aside type="note">}}
+
+   Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/109` for IPv6 networks.
 
-   - **IPv4**: `90.90.241.229/32` (up to '/25')
-   - **IPv6**: `2601:645:4500:9c0:a945:f47c:23e9:a35b/128` (up to '/109')
+   {{</Aside>}}
 
-   After running the command, you should see an output similar to
+2. After running the call, you should see an output similar to
 
    ```bash
+   ---
+   header: Example output
+   highlight: 10
+   ---
    {
    "result": {
        "id": "d969d7bf-ec28-4291-9af0-86825f472c21",
@@ -87,7 +104,7 @@ https://<SUBDOMAIN>.proxy.cloudflare-gateway.com
    }
    ```
 
-2. Note the `subdomain` value returned by the API. Your Cloudflare proxy server domain is of the form:
+   Note the `subdomain` value returned by the API. Your Cloudflare proxy server domain is of the form:
 
    ```txt
    <SUBDOMAIN>.proxy.cloudflare-gateway.com
@@ -113,11 +130,7 @@ https://<SUBDOMAIN>.proxy.cloudflare-gateway.com
    $ curl -4 -p -x https://3ele0ss56t.proxy.cloudflare-gateway.com https://example.com
    ```
 
-{{<Aside type="note">}}
-
-If curl returns a `403` code, it means the public IP of your device does not match the one used to generate the proxy server. Make sure that WARP is turned off on your device and double-check that curl is not using IPv6 (use the `-4` option to force IPv4).
-
-{{</Aside>}}
+If `curl` returns a `403` code, it means the public IP of your device does not match the one used to generate the proxy server. Make sure that WARP is turned off on your device and double-check that curl is not using IPv6 (use the `-4` option to force IPv4).
 
 ## 3. Create a PAC file
 
@@ -177,4 +190,10 @@ You can test any [supported HTTP policy](#limitations), such as the example poli
 
 ## Limitations
 
+### HTTP policy proxy endpoint specificity
+
+The Gateway HTTP policy does not have a [Proxy Endpoint selector](/cloudflare-one/policies/gateway/network-policies/#proxy-endpoint) to match specific proxy endpoints. Despite this, Gateway will still apply HTTP policies to traffic sent to Cloudflare proxy servers.
+
+### Traffic limitations
+
 At this time, the agentless HTTP proxy does not support [identity-based policies](/cloudflare-one/policies/gateway/identity-selectors/), mTLS authentication, or UDP traffic. To enforce HTTP policies for UDP traffic, you must [disable QUIC](/cloudflare-one/policies/gateway/http-policies/http3/#prevent-inspection-bypass) in your users' browsers.