Non-identity on-ramp

Task

Configure your browser to forward traffic to a Gateway proxy endpoint using a .pac Proxy Auto Configuration file.

Why?

  • Sometimes you may not be able to use the WARP client, but you still want to enforce Gateway policies.
  • You can instruct the user’s browser to send web traffic through Gateway by using Proxy Auto Configuration (PAC) files. They are a common ICT tool for automatically configuring users’ proxy settings, and all major web browsers support them.
  • However, since proxy users don’t use the WARP client, their identity is unknown and, as a consequence, identity-based policies are not supported.

Steps

Gateway policies can be applied through an HTTP Proxy server. This can be auto-configured through a PAC file.

We will use the Cloudflare Zero Trust GUI to create the file.

1. Get the public source IP of your workstation

  • Turn off WARP
  • Get your public IP by running the following command in PowerShell:
curl.exe -L 'http://ip.cfiq.io'

2. Create a Proxy Endpoint

  • In your Zero Trust dashboard navigate to Gateway ‣ Proxy Endpoints
  • Select Create endpoint
  • Enter the IP address of your Windows VM that you retrieved earlier, with CIDR network mask /32 for IPv4 or /128 for IPv6. For example, 52.187.164.197/32 or 2a09:bac5:55fb:15f::23:3f2/128.
  • Save your changes

When you select your new proxy, you should see a Proxy endpoint formatted as such: <PAC_PREFIX>.proxy.cloudflare-gateway.com

  • Copy the <PAC_PREFIX> to your clipboard

3. Generate PAC file

To start sending traffic from your workstation through this proxy, you can auto-generate a generic PAC file URI to use here: https://proxy-pac.cflr.workers.dev/<PAC_PREFIX>.pac
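A PAC file is a small JavaScript file that defines FindProxyForURL(url, host); the browser calls it for every request and obeys the returned proxy directive. The following is an added illustration written for this lab, not the file the generator above produces and not Cloudflare’s own code: it sends web traffic to the Gateway proxy endpoint while letting loopback, dotless intranet names and RFC 1918 addresses go direct. It assumes the endpoint is reached as an HTTPS proxy on port 443 and keeps <PAC_PREFIX> as a placeholder for the value copied from the dashboard.

```javascript
// Added example PAC file. The HTTPS proxy scheme, port 443 and the
// <PAC_PREFIX> placeholder are assumptions, not values from the lab page.
var GATEWAY_PROXY = "HTTPS <PAC_PREFIX>.proxy.cloudflare-gateway.com:443";

// Parse a dotted-quad IPv4 literal into a 32-bit number, or null if not one.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if the literal host is in an RFC 1918 or loopback range. This is done
// with string parsing only: calling dnsResolve() here would trigger a DNS
// lookup on every request and slow page loads.
function isLocalAddress(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  var ranges = [
    [ipv4ToInt("10.0.0.0"), 8],
    [ipv4ToInt("172.16.0.0"), 12],
    [ipv4ToInt("192.168.0.0"), 16],
    [ipv4ToInt("127.0.0.0"), 8]
  ];
  for (var i = 0; i < ranges.length; i++) {
    var bits = ranges[i][1];
    var mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
    if (((ip & mask) >>> 0) === ((ranges[i][0] & mask) >>> 0)) return true;
  }
  return false;
}

// Entry point the browser calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Loopback, dotless intranet names and private IPv4 literals bypass the proxy.
  if (host === "localhost" || host.indexOf(".") === -1 || isLocalAddress(host)) {
    return "DIRECT";
  }
  // Everything else is forwarded to the Gateway proxy endpoint for policy evaluation.
  return GATEWAY_PROXY;
}
```

Anything returned as DIRECT is never seen by Gateway, so keep the bypass list as small as your environment allows.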

4. Apply PAC file to your Windows network settings

All operating systems and most major browsers support PAC files. The following example demonstrates the setup procedure for Windows 11.

  • Turn off WARP
  • Open the Windows menu, search for proxy settings and select Open
  • In the Proxy settings window, click Set up next to Use setup script
  • Turn the setup script on, enter the URL from above (https://proxy-pac.cflr.workers.dev/<PAC_PREFIX>.pac) and save the configuration

HTTP traffic from your machine will now be filtered by any matching Gateway policies you’ve set up.

Let’s block a specific site, for example cnn.com, and let’s create a custom block page that will explain to our users what happened.

  • Navigate to Settings ‣ Custom Pages
  • Customize your block page
  • Then head to Gateway ‣ Firewall Policies ‣ HTTP
  • Create an HTTP Firewall policy that blocks domain cnn.com
  • At the bottom of the page, add block page text explaining that the domain is being blocked by this HTTP policy

5. Test the policy

  • With WARP still off, open the blocked domain in a browser and confirm that it was blocked and that the specified block text was shown

6. Disable Proxy

Before proceeding further, make sure to disable the proxy so that it does not interfere with the next labs.

  • In the Proxy settings on your Windows VM, click Edit next to Use setup script and switch setup script to Off