Gateway policies

Task

Implement 3 types of Gateway policies:

  • DNS

  • Network

  • HTTP

Why

  • DNS policies let you block specific domains from resolving on your users’ devices.

  • Network policies inspect individual TCP/UDP/GRE packets and let you block access to specific IP addresses or ports on your origin servers or on the internet.

  • HTTP policies operate on layer 7 and let you block not just domains but specific URLs; they also let you apply HTTP-specific actions such as Remote Browser Isolation (RBI).

Gateway DNS policy

1. Create a DNS policy

  • Navigate to Gateway ‣ Firewall Policies ‣ DNS ‣ Add DNS policy

  • Under Build an expression, create a policy that selects streaming services

Selector: Application
Operator: in
Value: Video Streaming
Action: Block
  • Create policy

2. Test the policy

Try accessing netflix.com. You should receive a DNS_PROBE_FINISHED_NXDOMAIN or ERR_NAME_NOT_RESOLVED error.


Gateway network policy

1. Create a network policy

You have previously configured a Private Network Access Application, allowing direct access to your Linux server’s IP via WARP. This opened up access to all services on that server, including SSH.

  • Verify you can SSH to your Linux server from your VM with WARP on. Open PowerShell and type:

Let’s block access to SSH with a network policy.

  • Navigate to Gateway ‣ Firewall Policies ‣ Network ‣ Add a policy

  • Under Build an expression, create a policy that selects port 22 (SSH) on your origin server

  • Create the policy

This will not work just yet. That’s because when you previously created the Private Network Access Application, two default network policies were created for this IP. Since policies are applied in the order they are defined (the first policy whose expression matches decides the action), the default allow policy takes precedence over the block policy you just created, and the block policy is never reached.

  • To address this, move the block policy you just created above the allow policy

2. Test the policy

With WARP on, try to SSH to your origin server again. This time it should fail.


Gateway HTTP policy

1. Create an HTTP policy

Let’s now create a policy that adds an HTTP header to certain sites when they are accessed through Gateway. One use case is Google Workspace, where you can add the X-GoogApps-Allowed-Domains header with your domain as its value. That restricts Google Workspace access to accounts from that specific domain (and blocks access to any personal accounts your users might have).

We have prepared a test site you can try this with: headers.cflr.workers.dev

  • Navigate to Gateway ‣ Firewall Policies, then in the HTTP tab select Add a policy

  • Create a policy with the following parameters:

  • Under Configure policy settings, add a request header X-Custom-Header with some value
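The ordering problem from the network policy section (a default allow above a new block shadows the block) and the header-adding HTTP policy above are easiest to understand as an ordered, first-match rule list. The following Python model is an added illustration written for this lab, not Cloudflare’s code: the origin IP, the stand-in for the Video Streaming application category, the header value and the policy objects are all constructed, and Gateway’s real expressions are replaced by plain Python predicates.

```python
"""
Toy model of how Gateway evaluates an ordered policy list: walk top to bottom,
and the first policy of the right type whose expression matches decides the
action. Added illustration, not Cloudflare's code; all data below is
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict[str, object]


@dataclass
class Policy:
    name: str
    kind: str                              # "dns", "network" or "http"
    match: Callable[[Request], bool]       # stands in for the Gateway expression
    action: str                            # "allow" or "block"
    add_headers: Dict[str, str] = field(default_factory=dict)  # HTTP-only setting


@dataclass
class Verdict:
    action: str
    matched_by: Optional[str]              # name of the deciding policy, if any
    headers: Dict[str, str]                # request headers after policy settings


def evaluate(policies: List[Policy], request: Request) -> Verdict:
    """First-match evaluation. Traffic that matches no policy is allowed,
    which is Gateway's default for traffic no policy claims."""
    headers = dict(request.get("headers") or {})
    for policy in policies:
        if policy.kind != request["kind"]:
            continue
        if policy.match(request):
            headers.update(policy.add_headers)
            return Verdict(policy.action, policy.name, headers)
    return Verdict("allow", None, headers)


# --- constructed lab data ---------------------------------------------------
ORIGIN_IP = "10.0.0.5"                         # stands in for the Linux server behind WARP
VIDEO_STREAMING = {"netflix.com", "hulu.com"}  # stand-in for the "Video Streaming" category
TEST_SITE = "headers.cflr.workers.dev"

# Default allow created with the private network application. The lab says two
# default policies are created; one allow rule is enough to show the shadowing.
allow_origin = Policy("Default allow to origin", "network",
                      lambda r: r["dst_ip"] == ORIGIN_IP, "allow")

block_ssh = Policy("Block SSH to origin", "network",
                   lambda r: r["dst_ip"] == ORIGIN_IP and r["dst_port"] == 22, "block")

block_streaming = Policy("Block video streaming", "dns",
                         lambda r: r["domain"] in VIDEO_STREAMING, "block")

add_custom_header = Policy("Add X-Custom-Header", "http",
                           lambda r: r["host"] == TEST_SITE, "allow",
                           add_headers={"X-Custom-Header": "lab-value"})


def ssh_action(ordered: List[Policy]) -> str:
    """Action taken for an SSH connection to the origin under a given order."""
    req = {"kind": "network", "dst_ip": ORIGIN_IP, "dst_port": 22}
    return evaluate(ordered, req).action


def dns_action(domain: str) -> str:
    """Action taken when a device tries to resolve the given domain."""
    return evaluate([block_streaming], {"kind": "dns", "domain": domain}).action


def http_headers(host: str) -> Dict[str, str]:
    """Headers the origin sees for a request to host after the HTTP policy."""
    req = {"kind": "http", "host": host, "headers": {"User-Agent": "lab"}}
    return evaluate([add_custom_header], req).headers


if __name__ == "__main__":
    # Order as created in the lab: the default allow sits above the new block.
    print("allow above block:", ssh_action([allow_origin, block_ssh]))  # allow
    # After moving the block policy above the allow policy.
    print("block above allow:", ssh_action([block_ssh, allow_origin]))  # block
    print("dns netflix.com:", dns_action("netflix.com"))                 # block
    print("headers to test site:", http_headers(TEST_SITE))
```

Run it as a script to see the four verdicts. The point to take from the network part is that the block policy is correct in both orders; only its position relative to the broader allow decides whether it ever matches, which is why the dashboard step is to move it up rather than to edit it.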

2. Test the policy

Try accessing headers.cflr.workers.dev with and without WARP turned on.

With WARP on, you should see your custom header added.
