Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

HTTP policies

HTTP policies allow you to filter HTTP traffic on the L7 firewall. Gateway will intercept all HTTP and HTTPS traffic and apply the rules you have configured in your policy to either block, allow, or override specific elements such as websites, IP addresses, and file types.

Gateway flow HTTP

Build an HTTP policy by configuring the following elements:

  • Actions
  • Expressions
  • Selectors
  • Operators

Actions

Just like actions on destinations in DNS policies, actions in HTTP policies allow you to choose what to do with a given set of elements (domains, IP addresses, file types, and so on). You can assign one action per policy.

These are the action types you can choose from:

Allow

Rules with Allow actions allow outbound traffic to reach destinations you specify within the Selectors and Value fields. For example, the following configuration allows traffic to reach all websites we categorize as belonging to the Education content category:

SelectorOperatorValueAction
Content CategoriesinEducationAllow

Block

Rules with Block actions block outbound traffic from reaching destinations you specify within the Selectors and Value fields. For example, the following configuration blocks users from being able to upload any file type to Google Drive:

SelectorOperatorValueAction
ApplicationinGoogle DriveBlock
Upload Mime Typematches regex.*

Isolate

When an HTTP policy applies the Isolate action, the user's web browser is transparently served a HTML compatible remote browser client. Isolation policies can be applied to requests that include Accept: text/html*. This allows Browser Isolation policies to co-exist with API traffic.

If you'd like to isolate all security threats, you can set up a policy with the following configuration:

SelectorOperatorValueAction
Security ThreatsInAll security threatsIsolate

If instead you need to isolate specific hostnames, you can list the domains you'd like to isolate traffic to:

SelectorOperatorValueAction
HostInexample.com, example.netIsolate

Do Not Isolate

You can choose to disable isolation for certain destinations or categories. The following configuration disables isolation for traffic directed to example.com:

SelectorOperatorValueAction
HostInexample.comDo Not Isolate

Do Not Inspect

Do Not Inspect lets administrators bypass certain elements from inspection. Administrators who wish to bypass a site must match against the host in order to prevent HTTP inspection from occuring on both encrypted and plaintext traffic.

The Do Not Inspect action is only available when matching against the host criteria.

The L7 firewall will evaluate Do Not Inspect rules before any subsequent Allow or Block rules. For encrypted traffic, Gateway uses the Server Name Indicator (SNI) in the TLS header to determine whether to decrypt the traffic for further HTTP inspection against Allow or Block rules. All Do Not Inspect rules are evaluated first to determine if decryption should occur. This means regardless of precedence in a customer's list of rules, all Do Not Inspect rules will take precedence over Allow or Block rules.

Selectors

Gateway matches HTTP traffic against the following selectors, or criteria:

  • Host
  • URL
  • URL Query
  • URL Path
  • URL Path and Query
  • HTTP Method
  • HTTP Response
  • Uploaded and Downloaded Mime Type
  • Content categories
  • Applications

Operators

Operators are the way Gateway matches traffic to a selector. Matching happens as follows:

OperatorMeaning
isexact match, equals
is notall except exact match
inin any of defined entries
not innot in defined entries
matches regexregex evaluates to true
does not match regexall except when regex evals to true

Expressions

Expressions are sets of conditions with which you can combine selectors and operators. By configuring one or more expressions, you can define the scope of your HTTP policy.

Example scenarios

ActionSelectorOperator
BlockContent categoriesin: Gaming

Result: this configuration blocks any traffic to domains categorized as Gaming.

FAQ

How can I bypass the L7 firewall for a website?

Cloudflare Gateway uses the hostname in the HTTP CONNECT header to identify the destination of the request. Administrators who wish to bypass a site must match against the host in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic. The bypass action is only available when matching against the host criteria. Bypassing the L7 firewall results in no HTTP traffic inspection and logging is disabled for that HTTP session.

In what order are rules evaluated?

The L7 firewall evaluates rules starting with the rule containing the lowest precedence (e.g., rule number one). Rules with a higher value precedence are evaluated after those with a lower value.

If you are using the Gateway proxy, you need to disable the QUIC protocol within the Google Chrome settings. This will prevent you from encountering issues such as users who are able to connect to Google-related sites and services (like YouTube) that are explicitly blocked by a Gateway policy.

Google Chrome uses QUIC to connect to all google services by default. This means all requests to google services via the Google Chrome browser use UDP instead of TCP. At this time, Gateway does not support inspection of QUIC traffic and requests using QUIC will bypass Gateway HTTP policies. Gateway does prevent standard HTTP requests from negotiating to using QUIC with the Alt-Svc header by removing this header from HTTP requests.

Gateway will support inspection of QUIC traffic in the future.

Disabling QUIC in Google Chrome

For more information on disabling QUIC on a managed device, see these instructions. You can manually disable QUIC in Google Chrome using the Experimental QUIC protocol (#enable-quic) flag:

  1. In the address bar, type: chrome://flags#enable-quic.
  2. Set the Experimental QUIC protocol flag to Disabled.
  3. Relaunch Chrome for the setting to take effect.

The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:

  • Data type: Boolean [Windows:REG_DWORD]
  • Windows registry location for Windows clients: Software\Policies\Google\Chrome\QuicAllowed
  • Windows registry location for Google Chrome OS clients: Software\Policies\Google\ChromeOS\QuicAllowed
  • Mac/Linux preference name: QuicAllowed
  • Description: If this policy is set to true (or not set), usage of QUIC is allowed. If the policy is set to false, usage of QUIC is not allowed.
  • Recommended value: Windows: 0x00000000, Linux: false, Mac: <false />