Skip to content
Cloudflare Docs

Proxy

You can forward HTTP and network traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, GRE tunnel, or IPsec tunnel.

The Gateway proxy is required for filtering HTTP and network traffic via the WARP client in Gateway with WARP mode. To proxy HTTP traffic without deploying the WARP client, you can configure PAC files on your devices.

Proxy algorithm

Gateway uses the Happy Eyeballs algorithm to proxy traffic in the following order:

  1. The user's browser initiates the TCP handshake by sending Gateway a TCP SYN segment.
  2. Gateway sends a SYN segment to the origin server.
  3. If the origin server sends a SYN-ACK segment back, Gateway establishes distinct TCP connections between the user and Gateway and between Gateway and the origin server.
  4. Gateway inspects and filters traffic received from the user.
  5. If the traffic passes inspection, Gateway proxies traffic bidirectionally between the user and the origin server.
flowchart TD
    %% Accessibility
    accTitle: How Gateway proxy works
    accDescr: Flowchart describing how the Gateway proxy uses the Happy Eyeballs algorithm to establish TCP connections and proxy user traffic.

    %% Flowchart
    A[User's device sends TCP SYN to Gateway] --> B[Gateway sends TCP SYN to origin server]
    B --> C{{Origin server responds with TCP SYN-ACK?}}
    C -->|Yes| E[TCP handshakes completed]
    C -->|No| D[Connection fails]
    E --> F{{Connection allowed?}}
    F -->|Yes| G[Gateway proxies traffic bidirectionally]
    F -->|No| H[Connection blocked by firewall policies]

    %% Styling
    style D stroke:#D50000
    style G stroke:#00C853
    style H stroke:#D50000

Supported protocols

Gateway supports proxying TCP, UDP, and ICMP traffic.

TCP

When the proxy is enabled, Gateway will always forward TCP traffic.

By default, TCP connection attempts will timeout after 30 seconds and idle connections will disconnect after 8 hours.

UDP

The UDP proxy forwards UDP traffic such as VoIP, internal DNS requests, and thick client applications.

When the UDP proxy is enabled, Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to HTTP/3 inspection.

ICMP Beta

The ICMP proxy forwards traffic for diagnostic tools such as ping and traceroute.

Turn on the Gateway proxy

  1. In Zero Trust, go to Settings > Network.
  2. In Firewall, turn on Proxy.
  3. Select TCP.
  4. (Optional) Depending on your use case, you can select UDP and/or ICMP.