HTTP

You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file.

A PAC file is a file containing a JavaScript function which can instruct a browser to forward traffic to a proxy server instead of directly to the destination server.

When end users visit a website, their browser will send the request to a Cloudflare proxy server associated with your account to be filtered by Gateway. Note that Gateway cannot filter every type of HTTP traffic proxied using PAC files.

Prerequisites

Install a Cloudflare certificate on your device.

1. Generate a proxy endpoint

You can generate a proxy endpoint on the Zero Trust dashboard or through the Cloudflare API.

Dashboard
API

In Zero Trust ↗, go to Gateway > Proxy endpoints.
Select Create endpoint.
Give your endpoint any name.
Enter the public source IP address of your device(s) in CIDR notation. For example:
- IPv4: 192.0.2.0/8
- IPv6: 2001:0db8:0000:0000:0000:1234:5678:0000/109
Gateway limits the prefix length of source networks for proxy endpoints to /8 for IPv4 networks and /32 for IPv6 networks.
Select Save endpoint and confirm the endpoint creation.

Your Cloudflare proxy server domain is of the form:

https://<SUBDOMAIN>.proxy.cloudflare-gateway.com

Create a proxy endpoint with the following call:
Terminal window
```
curl https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/gateway/proxy_endpoints \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{"name": "any_name", "ips": ["<PUBLIC_IP>", "<PUBLIC_IP2>", "<PUBLIC_IP3>"]}'
```
Replace <PUBLIC_IP> with the source IP address of your device in CIDR notation. For example:
- IPv4: 192.0.2.0/8
- IPv6: 2001:0db8:0000:0000:0000:1234:5678:0000/32
Gateway limits the prefix length of source networks for proxy endpoints to /8 for IPv4 networks and /32 for IPv6 networks.
After running the call, you should see an output similar to
```
{
  "result": {
    "id": "d969d7bf-ec28-4291-9af0-86825f472c21",
    "name": "test",
    "created_at": "2022-03-02T10:57:18.094789Z",
    "updated_at": "2022-03-02T10:57:18.094789Z",
    "ips": ["90.90.241.229/8"],
    "subdomain": "3ele0ss56t"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
Note the subdomain value returned by the API. Your Cloudflare proxy server domain is of the form:
```
<SUBDOMAIN>.proxy.cloudflare-gateway.com
```
In the example above, the subdomain is 3ele0ss56t and the proxy server domain is 3ele0ss56t.proxy.cloudflare-gateway.com.

2. Test your proxy server

In Zero Trust ↗, create an HTTP policy for testing purposes. For example:

Selector Operator Value Action
Domain in example.com Block

Selector	Operator	Value	Action
Domain	in	`example.com`	Block

Verify that nothing is returned by a curl command:

curl --ipv4 --proxytunnel --proxy https://3ele0ss56t.proxy.cloudflare-gateway.com https://example.com

If curl returns a 403 code, it means the public IP of your device does not match the one used to generate the proxy server. Make sure that WARP is turned off on your device and double-check that curl is not using IPv6 (use the -4 option to force IPv4).

3. Create a PAC file

A PAC file is a text file that specifies which traffic should redirect to the proxy server.

Below is the default PAC file. You can customize the file ↗ and host it somewhere your browser can access, such as on an internal web server or on Cloudflare Workers.

function FindProxyForURL(url, host) {
  // No proxy for private (RFC 1918) IP addresses (intranet sites)
  if (
    isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
    isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
    isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0")
  ) {
    return "DIRECT";
  }

  // No proxy for localhost
  if (isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Proxy all
  return "HTTPS 3ele0ss56t.proxy.cloudflare-gateway.com:443";
}

4. Configure your devices

All major browsers support PAC files. You can configure individual browsers, or you can configure system settings that apply to all browsers on the device. Multiple devices can call the same PAC file as long as their source IP addresses were included in the proxy endpoint configuration.

Chromium-based browsers

Chromium-based browsers (such as Google Chrome, Microsoft Edge, and Brave) rely on your operating system's proxy server settings. To configure your browser to use Gateway with PAC files, refer to the macOS ↗ or Windows ↗ documentation.

Mozilla Firefox

In Firefox, go to Settings and scroll down to Network Settings.
Select Settings.
Select Automatic proxy configuration URL.
Enter the URL where your PAC file is hosted, for example https://proxy-pac.cflr.workers.dev/3ele0ss56t.pac.
Select OK. HTTP traffic from Firefox is now being filtered by Gateway.

Safari

Safari relies on your operating system's proxy server settings. To configure your browser to use Gateway with PAC files, refer to the macOS documentation ↗.

5. Test your HTTP policy

To test your configuration, you can test any supported HTTP policy, such as the example policy created in Step 2. When you go to https://example.com in your browser, you should see the Gateway block page.

You can now use the Proxy Endpoint selector in network and HTTP policies to filter traffic proxied via PAC files.

Configure firewall

You may need to configure your organization's firewall to allow your users to connect to a proxy endpoint. Depending on your firewall, you will need to create a rule using either your proxy endpoint's domain or IP addresses.

To get the domain of a proxy endpoint:

Dashboard
API

In Zero Trust ↗, go to Gateway > Proxy endpoints.
Choose the proxy endpoint. Select Edit.
In Proxy Endpoint, copy the domain.

Use the List proxy endpoints operation to get a list of your proxy endpoints and their details. For example:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \
--header "Authorization: Bearer <API_TOKEN>"

{
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "ips": ["192.0.2.1/32"],
    "name": "DevOps team",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}

Find the proxy endpoint you want to use.
Copy the value of the subdomain key.

Using your proxy endpoint's domain, you can get the IP addresses assigned to the proxy endpoint:

macOS and Linux
Windows

Open a terminal.
Run dig on your proxy endpoint's A records to get its IPv4 addresses. For example:
Terminal window
```
dig A example.cloudflare-gateway.com +short
```
```
162.159.36.5
162.159.36.20
```
Run dig on your proxy endpoint's AAAA records to get its IPv6 addresses. For example:
Terminal window
```
dig AAAA example.cloudflare-gateway.com +short
```
```
2606:4700:54::a29f:2407
2606:4700:5c::a29f:2e07
```

Open a PowerShell terminal.

Run Resolve-DnsName on your proxy endpoint's A records. Your proxy endpoint's IPv4 addresses will appear under IPAddress. For example:

Resolve-DnsName -Name example.cloudflare-gateway.com -Type A

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
example.cloudflare-gateway.com                 A      300   Answer     162.159.36.5
example.cloudflare-gateway.com                 A      300   Answer     162.159.36.20

Run Resolve-DnsName on your proxy endpoint's AAAA records. Your proxy endpoint's IPv6 addresses will appear under IPAddress. For example:

Resolve-DnsName -Name example.cloudflare-gateway.com -Type AAAA

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
example.cloudflare-gateway.com                 AAAA   300   Answer     2606:4700:5c::a29f:2e07
example.cloudflare-gateway.com                 AAAA   300   Answer     2606:4700:54::a29f:2407

Limitations

Traffic limitations

The agentless HTTP proxy does not support identity-based policies or mTLS authentication.

To enforce HTTP policies for UDP traffic, you must turn on the Gateway proxy for UDP.

Gateway DNS and resolver policies

Gateway DNS and resolver policies will always apply to traffic proxied via PAC files, regardless of device configuration.