Gateway policies

Task

Implement 3 types of Gateway policies:

  • DNS
  • Network
  • HTTP

Why

  • DNS policies let you block specific domains from resolving on your users’ devices.
  • Network policies inspect individual TCP/UDP/GRE packets and let you block access to specific IP addresses or ports on your origin servers or on the internet.
  • HTTP policies operate on layer 7 and let you block not just domains but specific URLs; they also let you apply HTTP-specific actions such as Remote Browser Isolation (RBI).

Gateway DNS policy

1. Create a DNS policy

  • Navigate to Gateway ‣ Firewall Policies ‣ DNS ‣ Add DNS policy
  • Under Build an expression, create a policy that selects streaming services
Selector: Application
Operator: in
Value: Video Streaming 

Action: Block
  • Create policy

2. Test the policy

Try accessing netflix.com. You should receive a DNS_PROBE_FINISHED_NXDOMAIN or ERR_NAME_NOT_RESOLVED error.


Gateway network policy

1. Create a network policy

You have previously configured a Private Network Access Application, allowing direct access to your Linux server’s IP via WARP. This opened up access to all services on that server, including SSH.

  • Verify you can SSH to your Linux server from your VM with WARP on. Open PowerShell and type:
ssh 10.x.x.x # Replace with your Linux server's IP
[email protected]'s password:

Let’s block access to SSH with a network policy.

  • Navigate to Gateway ‣ Firewall Policies ‣ Network ‣ Add a policy
  • Under Build an expression, create a policy that selects port 22 (SSH) on your origin server
Selector: Destination IP
Operator: is
Value: <IP of your Linux server>

Selector: Destination Port
Operator: is
Value: 22

Action: Block
  • Create the policy

This will not work just yet, because when you previously created the Private Network Access Application, two default network policies were created for this IP. Since policies are applied in the order they are defined, the default allow policy takes precedence over the block policy you just created.

  • To address this, move the block policy you just created above the allow policy
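
The ordering pitfall above, as an added illustration (not Cloudflare's code): a minimal first-match evaluator with the lab's SSH block policy placed below and then above an assumed default allow policy for the server IP. The IP, policy names and the shape of the default allow policy are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed illustration of Gateway-style first-match policy ordering.
# Real Gateway policies have many more selectors; only "is" matching is modelled.
@dataclass
class Policy:
    name: str
    action: str                                # "allow" or "block"
    match: dict = field(default_factory=dict)  # selector -> required value

def matches(policy, packet):
    """Every selector in the policy must equal the corresponding packet field."""
    return all(packet.get(k) == v for k, v in policy.match.items())

def evaluate(policies, packet):
    """Walk the ordered list; the first matching policy decides.
    With no match we assume an implicit allow (assumption for this demo)."""
    for p in policies:
        if matches(p, packet):
            return p.action, p.name
    return "allow", "default"

LINUX_IP = "10.0.0.5"  # constructed placeholder for your Linux server's IP

# Assumed shape of the default allow created with the Private Network Access
# Application, plus the block policy from this section of the lab.
allow_private = Policy("allow-private-network", "allow", {"dst_ip": LINUX_IP})
block_ssh = Policy("block-ssh", "block", {"dst_ip": LINUX_IP, "dst_port": 22})

ssh = {"dst_ip": LINUX_IP, "dst_port": 22, "proto": "tcp"}    # constructed
https = {"dst_ip": LINUX_IP, "dst_port": 443, "proto": "tcp"}  # constructed

def ordering_demo():
    wrong = [allow_private, block_ssh]  # block created below the default allow
    fixed = [block_ssh, allow_private]  # block moved above the allow
    return {
        "wrong_order": evaluate(wrong, ssh),        # allow wins: SSH still works
        "fixed_order": evaluate(fixed, ssh),        # block wins: SSH is denied
        "fixed_order_https": evaluate(fixed, https) # other ports still allowed
    }

if __name__ == "__main__":
    for name, result in ordering_demo().items():
        print(name, "->", result)
```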

2. Test the policy

With WARP on, try SSH to your origin server again. This time it should fail:

ssh 10.x.x.x # Replace with your Linux server's IP
kex_exchange_identification: Connection closed by remote host
Connection closed by 10.x.x.x port 22

Gateway HTTP policy

1. Create an HTTP policy

Let’s now create a policy that adds an HTTP header to requests for certain sites when they are accessed through Gateway. One use case is Google Workspace: you can add the X-Googapps-Allowed-Domains header with your domain as its value, which allows access to Google Workspace only for accounts from that specific domain (and blocks access to any personal accounts your users might have).

We have prepared a test site you can try this with: headers.cflr.workers.dev

  • Navigate to Gateway ‣ Firewall Policies, then in the HTTP tab select Add a policy
  • Create a policy with the following parameters:
Selector: Domain
Operator: is
Value: headers.cflr.workers.dev
Action: Allow
  • Under Configure policy settings, add a request header named X-Custom-Header with some value

2. Test the policy

Try accessing headers.cflr.workers.dev with and without WARP turned on.

With WARP on, you should see your custom header added.