Deployment models
Privacy Proxy supports two deployment architectures: single-hop and double-hop. The right choice depends on your privacy requirements and operational preferences.
Single-hop deployment
In a single-hop deployment, Cloudflare operates the entire proxy infrastructure. Clients connect directly to Cloudflare's Privacy Proxy, which handles authentication, proxying, and egress.
```
┌────────┐      ┌─────────────────┐      ┌─────────────┐
│ Client │ ───▶ │  Privacy Proxy  │ ───▶ │ Destination │
│        │      │  (Cloudflare)   │      │   Server    │
└────────┘      └─────────────────┘      └─────────────┘
```
- The client establishes an HTTP/2 or HTTP/3 connection to the Cloudflare proxy endpoint.
- The client authenticates using Privacy Pass tokens or a pre-shared key.
- The client sends CONNECT requests to establish tunnels to destination servers.
- Cloudflare proxies traffic and selects egress IP addresses based on client geolocation.
Single-hop deployment works well when:
- You want Cloudflare to manage the complete proxy infrastructure.
- Your privacy model requires hiding client IP addresses from destinations, but not from the proxy operator.
- You need a straightforward integration with minimal client-side changes.
Microsoft Edge Secure Network uses single-hop deployment. The Edge browser connects directly to Cloudflare's Privacy Proxy, which handles authentication via Privacy Pass and proxies traffic to destination servers. Users get protection from network observers and destination servers without needing to configure additional infrastructure.
Double-hop deployment
In a double-hop deployment, you operate the first proxy (Proxy A), and Cloudflare operates the second proxy (Proxy B). This creates stronger privacy separation because no single party sees both user identity and destination.
```
┌────────┐      ┌─────────────┐      ┌─────────────────┐      ┌─────────────┐
│ Client │ ───▶ │   Proxy A   │ ───▶ │     Proxy B     │ ───▶ │ Destination │
│        │      │    (You)    │      │  (Cloudflare)   │      │   Server    │
└────────┘      └─────────────┘      └─────────────────┘      └─────────────┘
```
- The client connects to Proxy A, which you operate.
- Proxy A authenticates the user and verifies they can use the service.
- Proxy A establishes a tunnel to Cloudflare's Proxy B, forwarding the client's CONNECT request.
- Proxy B connects to the destination and proxies traffic.
- Proxy B selects egress IPs based on geolocation provided by Proxy A.
In a double-hop deployment, each party can observe only part of the request:
| Information | Proxy A (you) | Proxy B (Cloudflare) |
|---|---|---|
| Client IP address | Yes | No |
| User account | Yes | No |
| Destination server | Encrypted | Yes |
| Request content | Encrypted | Encrypted |
Proxy A knows who the user is but cannot see where they are going (the destination is encrypted). Proxy B knows the destination but not who is making the request. Neither party has the complete picture.
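To make the table above concrete, the following added example (constructed for this page, not Cloudflare's code) models one request crossing both hops: the client authenticates to Proxy A in the clear but seals its CONNECT request under a key shared only with Proxy B, so Proxy A relays opaque bytes plus a geolocation hint while Proxy B reads the destination but sees only Proxy A's address. The session key, the toy cipher, the addresses, the account name and the geo hint are all assumptions.

```python
"""Constructed model of the double-hop information split (not Cloudflare code).
SESSION_KEY stands in for the end-to-end encrypted session the client sets up with
Proxy B through Proxy A's tunnel; the SHA-256 keystream is a toy cipher used only
to make "encrypted" concrete. Addresses, accounts and the geo hint are made up."""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

SESSION_KEY = os.urandom(32)  # held by the client and Proxy B, never by Proxy A


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (symmetric toy cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class View:  # what one hop observes about a request; None means not visible
    peer_ip: Optional[str] = None      # address on the incoming connection
    account: Optional[str] = None      # identity presented at authentication
    destination: Optional[str] = None  # CONNECT authority, if readable
    opaque_bytes: int = 0              # ciphertext relayed without being read


def client_request(account: str, destination: str) -> dict:
    """Client: authenticate to Proxy A in the clear, seal the inner CONNECT for Proxy B."""
    nonce = os.urandom(12)
    inner = f"CONNECT {destination} HTTP/2".encode()
    return {"account": account, "nonce": nonce,
            "payload": keystream_xor(SESSION_KEY, nonce, inner)}


def proxy_a(client_ip: str, req: dict, accounts: set, geo: str) -> tuple:
    """Proxy A (you): check the account, forward the sealed payload plus a geo hint."""
    if req["account"] not in accounts:
        raise PermissionError("unknown account")
    view = View(peer_ip=client_ip, account=req["account"], opaque_bytes=len(req["payload"]))
    return view, {"geo": geo, "nonce": req["nonce"], "payload": req["payload"]}


def proxy_b(proxy_a_ip: str, fwd: dict) -> View:
    """Proxy B (Cloudflare): open the inner CONNECT; only Proxy A's address is visible."""
    inner = keystream_xor(SESSION_KEY, fwd["nonce"], fwd["payload"]).decode()
    _method, authority, _version = inner.split(" ")  # "CONNECT host:port HTTP/2"
    return View(peer_ip=proxy_a_ip, destination=authority)


def run(client_ip: str, account: str, destination: str, accounts: set) -> tuple:
    a_view, fwd = proxy_a(client_ip, client_request(account, destination), accounts, "US")
    return a_view, proxy_b("198.51.100.7", fwd)  # constructed address for Proxy A's egress
```

Calling `run("203.0.113.9", "alice@example.com", "example.com:443", {"alice@example.com"})` yields a Proxy A view with the client address and account but no destination, and a Proxy B view with the destination but only Proxy A's address.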
Double-hop deployment works well when:
- You need stronger privacy guarantees where no single operator sees both identity and destination.
- You want to maintain control over user authentication and account management.
- Regulatory or compliance requirements mandate separation of user data.
iCloud Private Relay uses double-hop deployment. Apple operates the first-hop proxy, which authenticates users with their Apple ID and encrypts the destination. Cloudflare operates the second-hop proxy, which decrypts the destination and connects to the server. Apple knows who the user is but not where they browse. Cloudflare knows the destinations but not who is browsing.
Comparison
| Aspect | Single-hop | Double-hop |
|---|---|---|
| Infrastructure | Cloudflare only | You + Cloudflare |
| Privacy separation | Proxy sees identity + destination | Split across two parties |
| Operational complexity | Lower | Higher |
| Authentication | Cloudflare-managed | You manage first-hop auth |
| Use case | Browser VPNs, simple privacy | Maximum privacy separation |
Choosing a deployment model
Consider these questions when selecting a deployment model:
- Who should manage user authentication? If you want Cloudflare to handle authentication, use single-hop. If you need control over user accounts, use double-hop.
- What are your privacy requirements? If your threat model requires that no single party sees both user identity and browsing activity, use double-hop.
- What operational capacity do you have? Double-hop requires you to operate and maintain a proxy. If you prefer a fully managed solution, use single-hop.
Contact us to discuss which deployment model fits your use case.