From 0b9c44c8ee6fe448721777a0a749eb92fe3cf4aa Mon Sep 17 00:00:00 2001 From: Ann Ming Samborski Date: Fri, 20 Sep 2024 14:23:22 -0700 Subject: [PATCH 01/54] Update infrastructure-apps.mdx (#16998) * Update infrastructure-apps.mdx Include early access description at top of docs * Update src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx --------- Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com> --- .../applications/non-http/infrastructure-apps.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx index 8261114db9e56a..ef911298340293 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx @@ -13,7 +13,7 @@ import { Badge, Details, Tabs, TabItem, Render } from "~/components" Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach. :::note -Access for Infrastructure currently only supports [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/). +Access for Infrastructure is available in early access and currently only supports [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/). ::: ## Prerequisites From 007deb4538b95831aa2c0451e30b2b97ce3b9a1d Mon Sep 17 00:00:00 2001 
From: Ann Ming Samborski Date: Fri, 20 Sep 2024 14:25:11 -0700 Subject: [PATCH 02/54] Update ssh-infrastructure-access.mdx (#16999) * Update ssh-infrastructure-access.mdx * Update src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx --------- Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com> --- .../use-cases/ssh/ssh-infrastructure-access.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx index 7e2e34bec65edf..6e86b89caccf1e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx @@ -14,6 +14,10 @@ import { Tabs, TabItem, Badge, Render } from "~/components"; [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/) uses the same deployment model as [WARP-to-Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/) but unlocks more granular policy options and command logging functionality. +:::note +SSH with Access for Infrastructure is currently available in early access. +::: + ## 1. Connect the server to Cloudflare 1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network. 
@@ -120,4 +124,4 @@ To manually retrieve logs: 3. Select **Download** to download the session's command log. 4. -Enterprise customers can also export command logs using [Logpush](/cloudflare-one/insights/logs/logpush/). \ No newline at end of file +Enterprise customers can also export command logs using [Logpush](/cloudflare-one/insights/logs/logpush/). From 9841940b2a2456b39f9ecb0f2fcdd848e01492af Mon Sep 17 00:00:00 2001 From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Fri, 20 Sep 2024 15:28:34 -0700 Subject: [PATCH 03/54] [API Shield] SV2 OAS support map (#16994) * oas support map * space * hl fix * space again * pcx review --- .../security/schema-validation/index.mdx | 87 ++++++++++++++++++- 1 file changed, 86 insertions(+), 1 deletion(-) diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx index d206ef40b5c3f9..1c34f973e5a2d4 100644 --- a/src/content/docs/api-shield/security/schema-validation/index.mdx +++ b/src/content/docs/api-shield/security/schema-validation/index.mdx 
@@ -155,10 +155,95 @@ OpenAPI schemas generated by different tooling may not be specific enough to imp ## Limitations -Currently, API Shield cannot validate some features of API schemas, including the following: all responses, external references, non-basic path templating, or unique items. +Schema Validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis.org/oas/v3.0.3). OpenAPI 3.1 is not supported yet, and we do not plan to expand support for OpenAPI 2.0. + +Currently, API Shield does not support some features of API schemas, including the following: all responses, external references, non-basic path templating, or unique items. There is a limit of 10,000 total operations for enabled schemas. +### Required fields + +Although not strictly required by the OpenAPI specification, Schema Validation strictly requires these fields. + +#### `schema` + +- [`type`](https://spec.openapis.org/oas/v3.0.3#schema-object) + - All schemas require a type to be set. If the specific type is not supported by Schema Validation, it is usually best to simply set the type to `string` instead. + +#### `parameter` + +- [`schema`](https://spec.openapis.org/oas/v3.0.3#schema-object) + - Schema Validation does not support the content field in parameters. For more details, refer to the [notes on validated and supported fields](#notes-on-validated-and-supported-fields) below. Instead, a schema is strictly required on all parameters objects. + +### Notes on validated and supported fields + +Refer to the information below for more details on Schema Validation's current support for various OpenAPI specification (OAS) objects and fields. + +#### `servers` + +- [`url`](https://spec.openapis.org/oas/v3.0.3#server-object) + - Schema Validation does not support relative URLs. +- [`variables`](https://spec.openapis.org/oas/v3.0.3#server-variable-object) + - Server variables are not validated. 
+ +#### `parameter` + +- [`style`](https://spec.openapis.org/oas/v3.0.3#parameter-object) + - Only the default values are supported: `"simple"` (path or header parameters) and `"form"` (query or cookie parameters). +- [`explode`](https://spec.openapis.org/oas/v3.0.3#parameter-object) + - Only the default values are supported: `true` (for form) and `false` (for simple). +- [`content`](https://spec.openapis.org/oas/v3.0.3#parameter-object) + - The content field is not supported in parameters. Use the schema field instead. +- [`type`](https://spec.openapis.org/oas/v3.0.3#parameter-object) + - Cloudflare currently does not validate object type parameters. + +#### `reference` + +- [`$ref`](https://spec.openapis.org/oas/v3.0.3#reference-object) + - External or relative references are not supported. + +#### `requestBody` + +- `content` + - [Request Body Object](https://spec.openapis.org/oas/v3.0.3#request-body-object) + - [Media Type Object](https://spec.openapis.org/oas/v3.0.3#media-type-object) + - Schema Validation is able to validate `application/json` documents. If a given schema allows other content types, Schema Validation will accept those requests without validation. + +#### `parameter/schema` + +- `anyOf` + - [Parameter Object](https://spec.openapis.org/oas/v3.0.3#parameter-object) + - [Schema Object](https://spec.openapis.org/oas/v3.0.3#schema-object) + - `anyOf` schemas are currently not supported in parameter schemas. + +#### `schema` + +- [`format`](https://spec.openapis.org/oas/v3.0.3#schema-object) + - Validated formats: + - `date-time` + - `time` + - `date` + - `email` + - `hostname` + - `ipv4` + - `ipv6` + - `uri` + - `uri-reference` + - `iri` + - `iri-reference` + - `int32` + - `int64` + - `float` + - `double` + - `password` + - `uuid` + - Soon to be validated formats: + - `byte` + - `uint64` + +- [`uniqueItems`](https://spec.openapis.org/oas/v3.0.3#schema-object) + - This field is currently not validated by Schema Validation. 
+ ## Body inspection API Shield has the ability to identify body specifications contained in uploaded schemas and validate that the data of incoming API requests adheres to them. From 26bd13fac44a6403b748dd6f93198f51fee55208 Mon Sep 17 00:00:00 2001 From: Brendan Irvine-Broque Date: Mon, 23 Sep 2024 05:37:03 +0100 Subject: [PATCH 04/54] Link to Sentry docs from Pages Functions Sentry middleware (#17005) For many this is a better path. --- src/content/docs/pages/functions/plugins/sentry.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/content/docs/pages/functions/plugins/sentry.mdx b/src/content/docs/pages/functions/plugins/sentry.mdx index 8d530d87e43190..deb70780fb34bb 100644 --- a/src/content/docs/pages/functions/plugins/sentry.mdx +++ b/src/content/docs/pages/functions/plugins/sentry.mdx @@ -5,6 +5,12 @@ sidebar: order: 1 --- +:::note + +Sentry now provides official support for Cloudflare Workers and Pages. Refer to the [Sentry documentation](https://docs.sentry.io/platforms/javascript/guides/cloudflare/) for more details. + +::: + The Sentry Pages Plugin captures and logs all exceptions which occur below it in the execution chain of your Pages Functions. It is therefore recommended that you install this Plugin at the root of your application in `functions/_middleware.ts` as the very first Plugin. ## Installation From a162133a6c63c1c3c6a78315e67be08b1bda4356 Mon Sep 17 00:00:00 2001 From: Samuel Rhea <21045301+TownLake@users.noreply.github.com> Date: Mon, 23 Sep 2024 09:32:31 +0100 Subject: [PATCH 05/54] Create sample-terms.mdx (#17002) --- src/content/docs/bots/reference/sample-terms.mdx | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 src/content/docs/bots/reference/sample-terms.mdx diff --git a/src/content/docs/bots/reference/sample-terms.mdx b/src/content/docs/bots/reference/sample-terms.mdx new file mode 100644 index 00000000000000..9ad0095af76ccd --- /dev/null +++ b/src/content/docs/bots/reference/sample-terms.mdx 
@@ -0,0 +1,16 @@ +--- +pcx_content_type: reference +title: Sample Terms +weight: 0 + +--- + +Cloudflare recommends that customers consider updating their Terms of Service to address bots specifically related to Artificial Intelligence (AI) training and data scraping. The text below provides an informational example of the kind of language that could be added to a website's terms of use. + +``` +**Artificial Intelligence Restriction** +You may not use automated means to access, scan, scrape, data mine, copy, or use the materials or content on this website for developing, training, fine-tuning, or otherwise contributing to or improving a machine learning model or artificial intelligence (AI) system or the operation thereof, unless you are explicitly permitted (i.e., “allowed”) to do so in this website’s robots.txt file. +``` + +**Disclaimer** +This language is provided for informational purposes only. It does not constitute legal advice, nor does it guarantee any specific outcome. This is merely an illustrative example of language that can be included in a website’s terms to put AI providers on notice that they are not authorized to use automated means to scrape content from your website for purposes of training or otherwise contributing to their AI models or systems, unless you have expressly permitted them to do so in your robots.txt file. From dbe87d1a0dc6ab4cf03ebb9c2f5f204515b641cc Mon Sep 17 00:00:00 2001 
From: Jun Lee Date: Mon, 23 Sep 2024 09:57:11 +0100 Subject: [PATCH 06/54] [Style Guide] Adding more explanation to the AnchorHeading component style guide. (#16986) * Adding more explanation to the AnchorHeading component style guide. * Update src/content/docs/style-guide/components/anchor-heading.mdx Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> * Update src/content/docs/style-guide/components/anchor-heading.mdx Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> * Update src/content/docs/style-guide/components/anchor-heading.mdx Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> --------- Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> --- .../style-guide/components/anchor-heading.mdx | 25 +++++++++++++------ 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/src/content/docs/style-guide/components/anchor-heading.mdx b/src/content/docs/style-guide/components/anchor-heading.mdx index ac1efdd7d8aafd..12635a69327c5c 100644 --- a/src/content/docs/style-guide/components/anchor-heading.mdx +++ b/src/content/docs/style-guide/components/anchor-heading.mdx 
@@ -2,14 +2,25 @@ title: Anchor heading --- -The `AnchorHeading` component emulates the behaviour of the [`rehype-slug`](https://github.com/rehypejs/rehype-slug) and [`rehype-autolink-headings`](https://github.com/rehypejs/rehype-autolink-headings) plugins. +The `AnchorHeading` component defines headings. Specifically, `AnchorHeading` performs the following: -It adds an `id` based on the output of [`github-slugger`](https://github.com/Flet/github-slugger/) to the heading, as well as adding a button to copy a link to that particular heading. - -This is only required when writing headings yourself inside components, Markdown (including partials) will have this applied via the aforementioned rehype plugins. +1. Generates URL fragments corresponding to headings. +2. Formats URL fragments into compatible syntax. For example, a `&` is replaced with a `-`. +3. Creates a button to copy the URL at each fragment. +4. Allows heading fragments to be defined separately from the text of the heading itself. ```mdx live -import { AnchorHeading } from "~/components" +import { AnchorHeading } from "~/components"; + + +``` + +Markdown files (including partials) have this behavior by default, applied via rehype plugins. Therefore, the `AnchorHeading` component is usually only required when writing headings yourself inside components, or when working on non-markdown files. + +Additionally, `AnchorHeading` is useful when rendering partial files into one location where there are duplicate headings (for example, when there are multiple H3 corresponding to `/#create` in one page). `AnchorHeading` allows you to explicitly define fragments, ensuring that each heading can be referred correctly with unique anchors. + +:::note + +The `AnchorHeading` component emulates the behavior of the [`rehype-slug`](https://github.com/rehypejs/rehype-slug) and the [`rehype-autolink-headings`](https://github.com/rehypejs/rehype-autolink-headings). 
It adds an `id` based on the output of [`github-slugger`](https://github.com/Flet/github-slugger/) to the heading, as well as adding a button to copy a link to that particular heading. - -``` \ No newline at end of file +::: \ No newline at end of file From e0ed0c366d1cf2ccd8ea810ef0ef39a0282a1b49 Mon Sep 17 00:00:00 2001 From: James Ross Date: Mon, 23 Sep 2024 10:04:35 +0100 Subject: [PATCH 07/54] fix: speed brain enable/disable typo (#17009) --- src/content/docs/speed/optimization/content/speed-brain.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/speed/optimization/content/speed-brain.mdx b/src/content/docs/speed/optimization/content/speed-brain.mdx index 3850e441561fee..a4dda4f3393f77 100644 --- a/src/content/docs/speed/optimization/content/speed-brain.mdx +++ b/src/content/docs/speed/optimization/content/speed-brain.mdx @@ -75,7 +75,7 @@ Speed Brain is available in Cloudflare's **Speed** tab of the dashboard and also -To enable or disable **Prefetch URLs** in the dashboard: +To enable or disable **Speed Brain** in the dashboard: 1. Log in to your [Cloudflare account](https://dash.cloudflare.com), select your account and go to a specific domain. 2. Go to **Speed** > **Optimization** > **Content Optimization**. From 0d2d570deb37f6c2a8ca59094a4269c26c12eb5c Mon Sep 17 00:00:00 2001 From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Date: Mon, 23 Sep 2024 10:38:02 +0100 Subject: [PATCH 08/54] removed redundant message (#17012) --- .../application-based-policies/breakout-traffic.mdx | 2 +- .../application-based-policies/prioritized-traffic.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx index 154fec569e72ff..cac2ac3bcace10 100644 
--- a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx +++ b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx @@ -10,7 +10,7 @@ import { Render, TabItem, Tabs } from "~/components"; Breakout traffic allows you to define which applications should bypass Cloudflare’s security filtering, and go directly to the Internet. It works via DNS requests inspection. This means that if your network is caching DNS requests, Breakout traffic will only take effect after you cache entries expire and your client issues a new DNS request that the Magic WAN Connector can detect. This can take several minutes. -:::caution[Warning] +:::caution Breakout traffic will not work for applications that use DNS-over-HTTPs. ::: diff --git a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/prioritized-traffic.mdx b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/prioritized-traffic.mdx index c3e1c76bfa1ab5..add7d2edf77879 100644 --- a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/prioritized-traffic.mdx +++ b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/prioritized-traffic.mdx @@ -12,7 +12,7 @@ Prioritized traffic allows you to define which applications Magic WAN Connector Similarly to breakout traffic, prioritized traffic also works via DNS requests inspection. -:::caution[Warning] +:::caution Prioritized traffic will not work for applications that use DNS-over-HTTPS. ::: From 060e2098e9edc7a6e56e5eece969c115c2c718d1 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Mon, 23 Sep 2024 12:15:31 +0100 Subject: [PATCH 09/54] [DNS] Records batched operations (#16984) * Create new page for DNS records batch operations * Adjust pages order within how-to folder * Fill in intro and add more to the outline * Adjust pages order to ascending complexity and specificity * Make Dash h3s more generic and fill in content placeholders * More specific on UI capabilities and add different Free limits * Fix typo * Fill in Dash deletion section * Fill in API intro and operations requirements following PM feedback * Overall review and add execution order and fail API behavior * Fill in Dashboard instructions for editing proxy status * Remove use-cases section and change mixed status callout to Note * Text review * Reference batch option from subdomain setup instructions * Reference batch option from the delete-all-records page * Fix record limit * Mention tags and comments are also supported and cross-link * Process PM feedback * Fix required fields for 'puts' and update example * Update example * More visible and detailed callout around propagation * Update note with Eng feedback * Replace TBDs with actual URL references * Overall review and fix typo * Remove specific blog link - to be added again later * Improve manage DNS records page and link to batched option * Overall review and improve text for clarity --- .../how-to/batch-record-changes.mdx | 162 ++++++++++++++++++ .../how-to/create-dns-records.mdx | 26 ++- .../how-to/create-subdomain.mdx | 2 +- .../how-to/create-zone-apex.mdx | 2 +- .../how-to/email-records.mdx | 2 +- .../how-to/import-and-export.mdx | 2 +- .../how-to/managing-dynamic-ip-addresses.mdx | 2 +- .../how-to/round-robin-dns.mdx | 2 +- .../reference/record-attributes.mdx | 2 +- .../docs/dns/zone-setups/full-setup/setup.mdx | 6 +- .../subdomain-setup/setup/parent-on-full.mdx | 8 +- .../troubleshooting/delete-all-records.mdx | 13 +- 
src/content/partials/dns/dns-scan-note.mdx | 7 +- .../dns/mix-proxied-and-unproxied.mdx | 4 +- 14 files changed, 209 insertions(+), 31 deletions(-) create mode 100644 src/content/docs/dns/manage-dns-records/how-to/batch-record-changes.mdx diff --git a/src/content/docs/dns/manage-dns-records/how-to/batch-record-changes.mdx b/src/content/docs/dns/manage-dns-records/how-to/batch-record-changes.mdx new file mode 100644 index 00000000000000..37ca1901f4d460 --- /dev/null +++ b/src/content/docs/dns/manage-dns-records/how-to/batch-record-changes.mdx 
@@ -0,0 +1,162 @@ +--- +pcx_content_type: how-to +title: Batch record changes +sidebar: + order: 7 +--- + +import { GlossaryTooltip, Example, Render } from "~/components"; + +Cloudflare allows you to apply several changes to your zone records in just one action. You can [use the dashboard](#use-the-dashboard) to delete DNS records or update their proxy status in bulk, or [use the API](#use-the-api) to perform further batched operations. + +:::caution[Propagation through the Cloudflare network] +Although Cloudflare will execute the batched operations in a single [database transaction](https://en.wikipedia.org/wiki/Database_transaction), Cloudflare's distributed KV store must treat each record change as a single key-value pair. This means that the propagation of changes is not atomic. Refer to our [blog post](https://blog.cloudflare.com/) for details. +::: + +## Availability and limits + +Batch DNS record changes is available on all plans. + +The number of records that you can operate with in one action depends on your zone plan: + +- Free: 200 +- Pro: 3,500 +- Business: 3,500 +- Enterprise: 3,500 + +--- + +## Use the dashboard + +### Edit proxy status in bulk + +`A`,`AAAA`, and `CNAME` records can be [proxied](/dns/manage-dns-records/reference/proxied-dns-records/). The **Proxy status** of a DNS record affects [how Cloudflare responds to DNS queries](/fundamentals/concepts/how-cloudflare-works/) to that record. + + + +1. Go to [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records). +2. Select the DNS records you want to set the proxy status for. Note that only `A`, `AAAA`, and `CNAME` records can be proxied. +3. Select **Edit records**. +4. Choose the proxy status you want to apply to the selected records. +5. Select **Save** to confirm. + +You can only set records to either **Proxied** or **DNS only** in bulk. 
This means that if your selection includes both proxied and DNS-only records, some of them will have the proxy status updated while others will keep their original value: + + + +For example, if you select the following records and then edit their proxy status in bulk, choosing **Proxied** in [step 4 above](#edit-proxy-status-in-bulk), the outcome will be: + +| Selected records | Original proxy status | Resulting proxy status | +| ---------------- | --------------------- | ---------------------- | +| `www` | DNS only | Proxied | +| `blog` | DNS only | Proxied | +| `docs` | Proxied | Proxied | + + + +### Delete records in bulk + +:::caution + +Deleting DNS records can cause downtime and cannot be reverted. Make sure you only select DNS records that you can safely delete. + +::: + +1. Go to [**DNS** > **Records**](https://dash.cloudflare.com/?to=/:account/:zone/dns/records). +2. Select the DNS records you want to delete. +3. Select **Delete records**. +4. In the **Delete DNS records** prompt, type in `DELETE` and select **Delete** to confirm. + +## Use the API + +:::note + +This option requires familiarity with API usage and concepts. For further information about the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/). + +::: + +The [Batched DNS record changes](/api/operations/dns-records-for-a-zone-batch-dns-records) endpoint allows you to trigger the execution of `DELETES`, `PATCHES`, `PUTS`, and `POSTS` in a single request. + +[Tags and comments](/dns/manage-dns-records/reference/record-attributes/) are also supported with batch changes. + +The operations you specify within the `/batch` request body are always executed in the following order: + +1. Deletes +2. Patches +3. Puts +4. Posts + +Within each of these four lists, each individual action is executed following the DNS records order you provide. If any of the individual action fails, no changes are applied and the API returns the first error it encountered. 
+ +### Aspects to consider + +:::caution[Propagation through the Cloudflare network] +Although Cloudflare will execute the batched operations in a single [database transaction](https://en.wikipedia.org/wiki/Database_transaction), Cloudflare's distributed KV store must treat each record change as a single key-value pair. This means that the propagation of changes is not atomic. Refer to our [blog post](https://blog.cloudflare.com/) for details. +::: + +For each operation that you list in the `/batch` request body, consider the required information and how unspecified fields will behave: + +- **`deletes`**: only the `id` is required for each record object. You can keep additional parameters such as `name` for readability, but any other fields aside from `id` will be ignored in this case. +- **`patches`**: aside from each record `id`, you should specify the fields you want to update. All unspecified fields will remain as they are. +- **`puts`**: you must specify each record `id`, `content`, `name`, and `type`. You should also specify any other fields you want to set to a value that is not the default. Any unspecified fields will assume their default value for each [record type](/dns/manage-dns-records/reference/dns-record-types/). This operation works as an overwrite, so all fields in a given record are always affected. +- **`posts`**: since you are creating a new record, `id` is not required. For field definitions, refer to the [Create DNS Record](/api/operations/dns-records-for-a-zone-create-dns-record) endpoint and select the desired record type under the request body specification. + +### Example request + +In this example, the `proxied` field for the first record listed under `"puts"` will assume the default value (`false`). 
+ +```bash +{ + "deletes": [ + { + "id": "2bff0ebc4df64beaa44b0dca93e37a28" + }, + { + "id": "31d1d6e79ce04b8d93cbc5a13401d728" + } + ], + "patches": [ + { + "id": "62276440f783445380480484648c1017", + "content": "192.0.2.46" + }, + { + "id": "c942d948dc2343b9b97aed78479c9fb9", + "name": "update.example.com", + "proxied": true + } + ], + "puts": [ + { + "id": "a50364543094428abde0f14061d42b0e", + "content": "192.0.2.50", + "name": "change.example.com", + "type": "A", + "ttl:": 1 + }, + { + "id": "3bce0920f19d43949498bd067b05dfa9", + "content": "192.0.2.45", + "name": "no-change.example.com", + "type": "A", + "proxied": false, + "ttl:": 3000 + } + ], + "posts": [ + { + "name": "@", + "type": "A", + "content": "192.0.2.41", + "proxied": false, + "ttl": 3000 + }, + { + "name": "a.example.com", + "type": "A", + "content": "192.0.2.42", + "proxied": true + } + ] +} +``` diff --git a/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx b/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx index ef0d815b005ad0..3095f1a426be4e 100644 --- a/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx +++ b/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx @@ -5,11 +5,13 @@ sidebar: order: 1 --- -import { GlossaryTooltip, Render, TabItem, Tabs } from "~/components"; +import { GlossaryTooltip, Render, TabItem, Tabs, Details } from "~/components"; -
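Review bot: The example request body under `"puts"` uses the key `"ttl:"` (colon inside the string) on both records, so anyone copying the sample will send an unknown field and the TTL will be ignored; the two lines should read `"ttl": 1` and `"ttl": 3000` to match the `"ttl": 3000` used under `"posts"`. The fence is also tagged ```` ```bash ```` although its content is JSON, so the highlighter and any snippet linting treat it as shell; ```` ```json ```` would be accurate. Since the text above states that `puts` is an overwrite and that `proxied` defaults to `false`, it may be worth one more sentence there making the consequence explicit, e.g. `Omitting "proxied" in a "puts" entry for a currently proxied record will switch that record to DNS only.` The two `[blog post](https://blog.cloudflare.com/)` references in this hunk point at the blog root rather than a specific post, which the commit message already acknowledges as a follow-up.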
+ +
+ @@ -29,13 +31,13 @@ To create a DNS record in the dashboard: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select an account and domain. 2. Go to **DNS** > **Records**. -3. Click **Add record**. +3. Select **Add record**. 4. Choose a record [**Type**](/dns/manage-dns-records/reference/dns-record-types/). 5. Complete the required fields, which vary per record. Particularly important fields (for some records) include: - **Proxy status**: For `A`, `AAAA`, and `CNAME` records, decide whether hostname traffic is proxied through Cloudflare. - **TTL**: Short for [_Time to Live_](/dns/manage-dns-records/reference/ttl/), this field controls how long each record is valid and — as a result — how long it takes for record updates to reach your end users. - **Comment** and **Tag**: [Record attributes](/dns/manage-dns-records/reference/record-attributes/) meant for your reference. -6. Click **Save**. +6. Select **Save**. @@ -57,9 +59,9 @@ To edit DNS records in the dashboard: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select an account and domain. 2. Go to **DNS** > **Records**. -3. On a specific record, click **Edit**. +3. On a specific record, select **Edit**. 4. Make any necessary changes. -5. Click **Save**. +5. Select **Save**. @@ -79,9 +81,9 @@ To delete DNS records in the dashboard: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select an account and domain. 2. Go to **DNS** > **Records**. -3. On a specific record, click **Edit**. -4. Click **Delete**. -5. Click **Delete** again to confirm. +3. On a specific record, select **Edit**. +4. Select **Delete**. +5. Select **Delete** again to confirm. 
@@ -90,3 +92,9 @@ To delete DNS records in the dashboard:
 To delete records with the API, use a [DELETE request](/api/operations/dns-records-for-a-zone-delete-dns-record).
+
+---
+
+## Batch record changes
+
+For guidance on how to apply several changes to your zone records in just one action, refer to [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/).
\ No newline at end of file
diff --git a/src/content/docs/dns/manage-dns-records/how-to/create-subdomain.mdx b/src/content/docs/dns/manage-dns-records/how-to/create-subdomain.mdx
index 8ba5f3271360ec..22e0c1cb27492a 100644
--- a/src/content/docs/dns/manage-dns-records/how-to/create-subdomain.mdx
+++ b/src/content/docs/dns/manage-dns-records/how-to/create-subdomain.mdx
@@ -2,7 +2,7 @@ pcx_content_type: reference
 title: Create subdomain records
 sidebar:
- order: 4
+ order: 3
 ---
diff --git a/src/content/docs/dns/manage-dns-records/how-to/create-zone-apex.mdx b/src/content/docs/dns/manage-dns-records/how-to/create-zone-apex.mdx
index 96bd4fcce0afa0..baa6399fe72da9 100644
--- a/src/content/docs/dns/manage-dns-records/how-to/create-zone-apex.mdx
+++ b/src/content/docs/dns/manage-dns-records/how-to/create-zone-apex.mdx
@@ -2,7 +2,7 @@ pcx_content_type: reference
 title: Create zone apex record
 sidebar:
- order: 3
+ order: 2
 ---
diff --git a/src/content/docs/dns/manage-dns-records/how-to/email-records.mdx b/src/content/docs/dns/manage-dns-records/how-to/email-records.mdx
index a85cc89bc1d784..fdf77ae22769fb 100644
--- a/src/content/docs/dns/manage-dns-records/how-to/email-records.mdx
+++ b/src/content/docs/dns/manage-dns-records/how-to/email-records.mdx
@@ -2,7 +2,7 @@ pcx_content_type: how-to
 title: Set up email records
 sidebar:
- order: 5
+ order: 4
 ---
diff --git a/src/content/docs/dns/manage-dns-records/how-to/import-and-export.mdx b/src/content/docs/dns/manage-dns-records/how-to/import-and-export.mdx
index fcc746589f0214..a9cc72d171a763 100644
--- a/src/content/docs/dns/manage-dns-records/how-to/import-and-export.mdx
+++ b/src/content/docs/dns/manage-dns-records/how-to/import-and-export.mdx
@@ -2,7 +2,7 @@ pcx_content_type: how-to
 title: Import and export records
 sidebar:
- order: 2
+ order: 6
 ---
 import { Render, TabItem, Tabs } from "~/components";
diff --git a/src/content/docs/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses.mdx b/src/content/docs/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses.mdx
index ae70f09592df7e..5c7d251f9792a0 100644
--- a/src/content/docs/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses.mdx
+++ b/src/content/docs/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses.mdx
@@ -2,7 +2,7 @@ pcx_content_type: reference
 title: Dynamically update DNS records
 sidebar:
- order: 6
+ order: 9
 ---
diff --git a/src/content/docs/dns/manage-dns-records/how-to/round-robin-dns.mdx b/src/content/docs/dns/manage-dns-records/how-to/round-robin-dns.mdx
index b4cc410e848e90..f7a9a12ef563e2 100644
--- a/src/content/docs/dns/manage-dns-records/how-to/round-robin-dns.mdx
+++ b/src/content/docs/dns/manage-dns-records/how-to/round-robin-dns.mdx
@@ -2,7 +2,7 @@ pcx_content_type: reference
 title: Round-robin DNS
 sidebar:
- order: 7
+ order: 10
 ---
diff --git a/src/content/docs/dns/manage-dns-records/reference/record-attributes.mdx b/src/content/docs/dns/manage-dns-records/reference/record-attributes.mdx
index a22ce0c9d4018b..657671538d94ea 100644
--- a/src/content/docs/dns/manage-dns-records/reference/record-attributes.mdx
+++ b/src/content/docs/dns/manage-dns-records/reference/record-attributes.mdx
@@ -49,7 +49,7 @@ Comments and tags are only supported for [full](/dns/zone-setups/full-setup/) an
 Create or edit record attributes just like any other aspect of DNS records, whether through the [dashboard](/dns/manage-dns-records/how-to/create-dns-records/) or [API](/api/operations/dns-records-for-a-zone-create-dns-record).
-You can also add or edit attributes by [exporting and re-importing](/dns/manage-dns-records/how-to/import-and-export/#dns-record-attributes) your records.
+You can also add or edit attributes by [exporting and re-importing](/dns/manage-dns-records/how-to/import-and-export/#dns-record-attributes) your records, or using the [Batch record changes API](/dns/manage-dns-records/how-to/batch-record-changes/#use-the-api).
 ***
diff --git a/src/content/docs/dns/zone-setups/full-setup/setup.mdx b/src/content/docs/dns/zone-setups/full-setup/setup.mdx
index ba4e82b4f59b59..a42d4d32bab03f 100644
--- a/src/content/docs/dns/zone-setups/full-setup/setup.mdx
+++ b/src/content/docs/dns/zone-setups/full-setup/setup.mdx
@@ -52,7 +52,9 @@ When you start using Cloudflare's nameservers for authoritative DNS and your zon
+:::note
+:::
@@ -78,7 +80,7 @@ When you start using Cloudflare's nameservers for authoritative DNS and your zon
 :::note
-Cloudflare automatically assigns nameservers to a domain and these assignments cannot be changed. For more details, refer to [Nameserver assignments](/dns/zone-setups/reference/nameserver-assignment/).
+Cloudflare automatically assigns nameservers to a domain and these assignments cannot be changed. For more details, refer to [Nameserver assignments](/dns/zone-setups/reference/nameserver-assignment/).
 :::
 ### Update your registrar
@@ -87,7 +89,7 @@ Cloudflare automatically assigns nameservers to a domain and these assignments c
 :::note
-Depending on your use case, you may have to perform this step on the DNS records management of your domain parent zone, or at a domain reseller, instead. Refer to [Nameservers](/dns/nameservers/update-nameservers/#specific-processes) for details.
+Depending on your use case, you may have to perform this step on the DNS records management of your domain parent zone, or at a domain reseller, instead. Refer to [Nameservers](/dns/nameservers/update-nameservers/#specific-processes) for details.
 :::
 2. Remove your existing authoritative nameservers.
diff --git a/src/content/docs/dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx b/src/content/docs/dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx
index e82fef265c33bc..78f76f784c1342 100644
--- a/src/content/docs/dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx
+++ b/src/content/docs/dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx
@@ -55,15 +55,19 @@ If you have already created DNS records covering your subdomain in the parent zo
 3. In your child zone, make sure you have all DNS records that relate to the subdomain. This includes all DNS records deeper than the delegated subdomain. For example, if you are delegating `www.example.com`, you should also move over records for `api.www.example.com`.
 :::note
- If your child zone is on a full setup, consider [exporting](/dns/manage-dns-records/how-to/import-and-export/#export-records) records from the parent zone, deleting all unnecessary records, and then [importing](/dns/manage-dns-records/how-to/import-and-export/#import-records) the records into your new zone.
+ If your child zone is on a full setup, consider [exporting](/dns/manage-dns-records/how-to/import-and-export/#export-records) records from the parent zone, deleting all unnecessary records, and then [importing](/dns/manage-dns-records/how-to/import-and-export/#import-records) the records into your new zone.
 :::
-4. If the parent zone is in Cloudflare, make sure that you migrate over any settings ([WAF custom rules](/waf/custom-rules/), [Rules](/rules/), [Workers](/workers/), and more) that might be needed for the child zone.
+4. If the parent zone is on Cloudflare, make sure that you migrate over any settings ([WAF custom rules](/waf/custom-rules/), [Rules](/rules/), [Workers](/workers/), and more) that might be needed for the child zone.
 5. In the child zone, [order an advanced SSL certificate](/ssl/edge-certificates/advanced-certificate-manager/) that covers the child subdomain and any deeper subdomains (if present).
 6. Get the nameserver names for the subdomain. These can be found within your newly created child zone in [DNS > Records](https://dash.cloudflare.com/?to=/:account/:zone/dns/records), and will **not** be the same nameservers as the ones used in the parent zone.
+ :::note
+ If the parent zone is on Cloudflare, steps 7 and 9 below can be achieved via API.
Use the [`/batch` endpoint](/api/operations/dns-records-for-a-zone-batch-dns-records) to delete and create or update DNS records within a single request. Refer to [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/) for further guidance.
+ :::
+
 7. Within the **DNS** > **Records** of the parent zone, update existing address records (`A/AAAA`) on your subdomain to `NS` records. If you only have one address record, update the existing one and add a new `NS` record. If you have multiple address records, update any two of them.
 For example, to delegate the subdomain `www.example.com`, the updated records in the parent zone `example.com` should contain `NS` records similar to the following:
diff --git a/src/content/docs/dns/zone-setups/troubleshooting/delete-all-records.mdx b/src/content/docs/dns/zone-setups/troubleshooting/delete-all-records.mdx
index ac2ed6da2177f7..3948b3bc47403f 100644
--- a/src/content/docs/dns/zone-setups/troubleshooting/delete-all-records.mdx
+++ b/src/content/docs/dns/zone-setups/troubleshooting/delete-all-records.mdx
@@ -7,17 +7,23 @@ description: Learn how to bulk delete DNS records in Cloudflare with a script so
 ---
+import { Example } from "~/components";
+
 When you connect your domain to Cloudflare, the [DNS records quick scan](/dns/zone-setups/reference/dns-quick-scan/) may automatically add several records to your zone. If you realize most of them are not applicable and want to bulk delete DNS records, follow the steps below. This method assumes you are familiar with [API calls fundamentals](/fundamentals/api/).
+:::note[Bulk deletion available in the dashboard]
+You can delete records in bulk via the dashboard, which removes the need for custom scripts as the one below. Refer to [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/#delete-records-in-bulk) for details.
+:::
+
 1. Make sure you have [an API token](/fundamentals/api/get-started/create-token/) that allows you to edit DNS for your zone.
 2. Get your [zone ID](/fundamentals/setup/find-account-and-zone-ids/).
 3. Run the following script, replacing `` and `` with the values you got from the previous steps.
-:::caution
-
-This script uses [jq](https://jqlang.github.io/jq/) to format `JSON` outputs for readability. Refer to [Make API calls](/fundamentals/api/how-to/make-api-calls/) for details.
+
+:::caution[Warning]
+This script uses [jq](https://jqlang.github.io/jq/) to format `JSON` outputs for readability. Refer to [Make API calls](/fundamentals/api/how-to/make-api-calls/) for details.
 :::
 ```bash
@@ -31,3 +37,4 @@ do
 --header "Authorization: Bearer $bearer"
 done
 ```
+
\ No newline at end of file
diff --git a/src/content/partials/dns/dns-scan-note.mdx b/src/content/partials/dns/dns-scan-note.mdx
index 4e04c8230a1ea2..ce4cb325538017 100644
--- a/src/content/partials/dns/dns-scan-note.mdx
+++ b/src/content/partials/dns/dns-scan-note.mdx
@@ -3,8 +3,6 @@
 ---
-:::note
-
 The [DNS records quick scan](/dns/zone-setups/reference/dns-quick-scan/) is not automatically invoked in the following cases:
 * If you choose Enterprise plan and, instead of the **Quick Scan**, choose to upload a DNS zone file or add records manually.
@@ -12,7 +10,4 @@ The [DNS records quick scan](/dns/zone-setups/reference/dns-quick-scan/) is not
 You can manually invoke the quick scan via API with the [Scan DNS Records endpoint](/api/operations/dns-records-for-a-zone-scan-dns-records).
-Note that the quick scan is a best effort attempt based on a predefined list of commonly used record names and types. You can read more about this in the [reference page](/dns/zone-setups/reference/dns-quick-scan/).
-
-
-:::
+Note that the quick scan is a best effort attempt based on a predefined list of commonly used record names and types. You can read more about this in the [reference page](/dns/zone-setups/reference/dns-quick-scan/).
\ No newline at end of file
diff --git a/src/content/partials/dns/mix-proxied-and-unproxied.mdx b/src/content/partials/dns/mix-proxied-and-unproxied.mdx
index 90f90b740f03bf..8b12a1d041c6e5 100644
--- a/src/content/partials/dns/mix-proxied-and-unproxied.mdx
+++ b/src/content/partials/dns/mix-proxied-and-unproxied.mdx
@@ -3,10 +3,10 @@
 ---
-:::caution
+:::note
-Note that if you have multiple `A/AAAA` records on the same name and at least one of them is proxied, Cloudflare will treat all `A/AAAA` records on this name as being proxied.
+If you have multiple `A/AAAA` records on the same name and at least one of them is proxied, Cloudflare will treat all `A/AAAA` records on this name as being proxied.
 :::
From 221fa13d5d9d00bd805d45bb5a84e7ec9f8faad3 Mon Sep 17 00:00:00 2001
From: Kian
Date: Mon, 23 Sep 2024 12:18:35 +0100
Subject: [PATCH 10/54] [Docs Site] Support custom IDs in AnchorHeading (#16980)
* [Docs Site] Support custom IDs in AnchorHeading
* Rename id to slug
---
 src/components/AnchorHeading.astro | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/components/AnchorHeading.astro b/src/components/AnchorHeading.astro
index 06656d5b407357..e33fb6e58e58a7 100644
--- a/src/components/AnchorHeading.astro
+++ b/src/components/AnchorHeading.astro
@@ -1,23 +1,26 @@
 ---
 import { z } from "astro:schema";
 import { marked } from "marked";
-import { slug } from "github-slugger";
+import { slug as GithubSlug } from "github-slugger";
 type Props = z.infer;
 const props = z.object({
 title: z.string(),
+ slug: z.string().optional(),
 depth: z.number().min(1).max(6),
 });
-const { title, depth } = props.parse(Astro.props);
+const { title, slug, depth } = props.parse(Astro.props);
+
+const slugified = GithubSlug(slug ?? title);
 const Heading = `h${depth}` as "h1" | "h2" | "h3" | "h4" | "h5" | "h6";
 ---
- - + + Date: Mon, 23 Sep 2024 14:22:53 +0100 Subject: [PATCH 11/54] [D1] Clarifying how individual limits apply to batch statements. (#17015) * Clarifying how individual limits apply to batch statements. * Clarifying the 30 second limit for batch statements. * Update src/content/docs/d1/platform/limits.mdx Co-authored-by: Lambros Petrou * Rewording to change voice away from marketing. --------- Co-authored-by: Lambros Petrou --- src/content/docs/d1/platform/limits.mdx | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/src/content/docs/d1/platform/limits.mdx b/src/content/docs/d1/platform/limits.mdx index 6c1a084848d08c..2eff6b0101a90f 100644 --- a/src/content/docs/d1/platform/limits.mdx +++ b/src/content/docs/d1/platform/limits.mdx @@ -6,7 +6,7 @@ sidebar: --- -import { Render } from "~/components" +import { Render } from "~/components"; | Feature | Limit | | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- | 
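Review bot: `slug: z.string().optional()` in the props schema still accepts an empty string, and because `slug ?? title` only falls back on null/undefined, a caller passing `slug=""` reaches `GithubSlug("")` — presumably an empty heading id instead of the title-derived one. Tightening the schema to `slug: z.string().min(1).optional()` would reject that at parse time rather than rendering an unlinkable heading. A short comment on the `slugified` line would also help callers, since a custom slug is itself normalized by github-slugger rather than used verbatim: `// custom slugs are normalized too, so the rendered id may differ from the value passed in`. The template lines that consume `slugified` fall outside the readable part of this hunk.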
@@ -24,23 +24,21 @@ import { Render } from "~/components"
 | Maximum arguments per SQL function | 32 |
 | Maximum characters (bytes) in a `LIKE` or `GLOB` pattern | 50 bytes |
 | Maximum bindings per Workers script | Approximately 5,000 [^2] |
-| Maximum SQL query duration | 30 seconds |
-| Maximum file import (`d1 execute`) size | 5 GiB [^3] |
-
-:::note
-
-
-If you would like to explore other storage solutions for your application, Cloudflare also offers [Workers KV](/kv/api/), [Durable Objects](/durable-objects/), and [R2](/r2/get-started/).
-
-Refer to the [Choose a data or storage product](/workers/platform/storage-options/) to review which storage option is right for your use case.
-
+| Maximum SQL query duration | 30 seconds [^3] |
+| Maximum file import (`d1 execute`) size | 5 GiB [^4] |
+:::note[Batch limits]
+Limits for individual queries (listed above) apply to each individual statement contained within a batch statement. For example, the maximum SQL statement length of 100 KB applies to each statement inside a `db.batch()`.
 :::
 [^1]: The maximum storage per account can be increased by request on Workers Paid and Enterprise plans. See the guidance on limit increases on this page to request an increase.
 [^2]: A single Worker script can have up to 1 MB of script metadata. A binding is defined as a binding to a resource, such as a D1 database, KV namespace, environmental variable or secret. Each resource binding is approximately 150-bytes, however environmental variables and secrets are controlled by the size of the value you provide. Excluding environmental variables, you can bind up to \~5,000 D1 databases to a single Worker script.
-[^3]: The imported file is uploaded to R2. See [R2 upload limit](/r2/platform/limits).
+[^3]: Requests to Cloudflare API must resolve in 30 seconds. Therefore, this duration limit also applies to the entire batch call.
+
+[^4]: The imported file is uploaded to R2. See [R2 upload limit](/r2/platform/limits).
+
+Cloudflare also offers other storage solutions such as [Workers KV](/kv/api/), [Durable Objects](/durable-objects/), and [R2](/r2/get-started/). Each product has different advantages and limits. Refer to [Choose a data or storage product](/workers/platform/storage-options/) to review which storage option is right for your use case.
-
+
\ No newline at end of file
From db70b7650cc48fb6c52c8ccba463d401810679af Mon Sep 17 00:00:00 2001
From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
Date: Mon, 23 Sep 2024 14:27:03 +0100
Subject: [PATCH 12/54] removed redundant messages (#17018)
---
 .../tunnels-reference/tunnels-encapsulation-opening.mdx | 4 ++--
 src/content/partials/magic-wan/connector/before-you-begin.mdx | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx b/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx
index ac9e4454034ac3..28f4913f65217b 100644
--- a/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx
+++ b/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx
@@ -117,7 +117,7 @@ IKE SA is sometimes referred to as Phase 1 as per IKEv1 language.
 Below is a list of all Diffie-Hellman (DH) groups supported by Cloudflare.
- :::caution[Warning]
+ :::caution
 Cloudflare recommends that you use only one DH group when configuring your device, specifically **DH group 14**.
 :::
@@ -154,7 +154,7 @@ The Child SA. Sometimes referred to as Phase 2 as per IKEv1 language.
 Below is a list of all Diffie-Hellman (DH) groups supported by Cloudflare.
- :::caution[Warning]
+ :::caution
 Cloudflare recommends that you use only one DH group when configuring your device, specifically **DH group 14**.
 :::
diff --git a/src/content/partials/magic-wan/connector/before-you-begin.mdx b/src/content/partials/magic-wan/connector/before-you-begin.mdx
index bb0fec8ae28bfa..61f97351cf076d 100644
--- a/src/content/partials/magic-wan/connector/before-you-begin.mdx
+++ b/src/content/partials/magic-wan/connector/before-you-begin.mdx
@@ -20,6 +20,6 @@ You must decide the type of configuration you want for your site from the beginn
-:::caution[Warning]
+:::caution
 You cannot enable high availability for an existing site. To add high availability to an existing site in the Cloudflare dashboard, you need to delete the site and start again. Plan accordingly to create a high availability configuration from the start if needed.
 :::
From 1960fa6c9eb43e68f03336f4329e10ad4a4163a3 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com>
Date: Mon, 23 Sep 2024 14:52:27 +0100
Subject: [PATCH 13/54] [DNS] Add specific blog URL slug (#17020)
---
 .../dns/manage-dns-records/how-to/batch-record-changes.mdx | 4 ++--
 .../dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/dns/manage-dns-records/how-to/batch-record-changes.mdx b/src/content/docs/dns/manage-dns-records/how-to/batch-record-changes.mdx
index 37ca1901f4d460..47f73cddfd61bf 100644
--- a/src/content/docs/dns/manage-dns-records/how-to/batch-record-changes.mdx
+++ b/src/content/docs/dns/manage-dns-records/how-to/batch-record-changes.mdx
@@ -10,7 +10,7 @@ import { GlossaryTooltip, Example, Render } from "~/components";
 Cloudflare allows you to apply several changes to your zone records in just one action. You can [use the dashboard](#use-the-dashboard) to delete DNS records or update their proxy status in bulk, or [use the API](#use-the-api) to perform further batched operations.
 :::caution[Propagation through the Cloudflare network]
-Although Cloudflare will execute the batched operations in a single [database transaction](https://en.wikipedia.org/wiki/Database_transaction), Cloudflare's distributed KV store must treat each record change as a single key-value pair. This means that the propagation of changes is not atomic. Refer to our [blog post](https://blog.cloudflare.com/) for details.
+Although Cloudflare will execute the batched operations in a single [database transaction](https://en.wikipedia.org/wiki/Database_transaction), Cloudflare's distributed KV store must treat each record change as a single key-value pair. This means that the propagation of changes is not atomic. Refer to our [blog post](https://blog.cloudflare.com/batched-dns-changes/) for details.
 :::
 ## Availability and limits
@@ -91,7 +91,7 @@ Within each of these four lists, each individual action is executed following th
 ### Aspects to consider
 :::caution[Propagation through the Cloudflare network]
-Although Cloudflare will execute the batched operations in a single [database transaction](https://en.wikipedia.org/wiki/Database_transaction), Cloudflare's distributed KV store must treat each record change as a single key-value pair. This means that the propagation of changes is not atomic. Refer to our [blog post](https://blog.cloudflare.com/) for details.
+Although Cloudflare will execute the batched operations in a single [database transaction](https://en.wikipedia.org/wiki/Database_transaction), Cloudflare's distributed KV store must treat each record change as a single key-value pair. This means that the propagation of changes is not atomic. Refer to our [blog post](https://blog.cloudflare.com/batched-dns-changes/) for details.
 :::
 For each operation that you list in the `/batch` request body, consider the required information and how unspecified fields will behave:
diff --git a/src/content/docs/dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx b/src/content/docs/dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx
index 78f76f784c1342..07f624a65d860c 100644
--- a/src/content/docs/dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx
+++ b/src/content/docs/dns/zone-setups/subdomain-setup/setup/parent-on-full.mdx
@@ -65,7 +65,7 @@ If you have already created DNS records covering your subdomain in the parent zo
 6. Get the nameserver names for the subdomain. These can be found within your newly created child zone in [DNS > Records](https://dash.cloudflare.com/?to=/:account/:zone/dns/records), and will **not** be the same nameservers as the ones used in the parent zone.
 :::note
- If the parent zone is on Cloudflare, steps 7 and 9 below can be achieved via API. Use the [`/batch` endpoint](/api/operations/dns-records-for-a-zone-batch-dns-records) to delete and create or update DNS records within a single request. Refer to [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/) for further guidance.
+ If the parent zone is on Cloudflare, steps 7 and 9 below can be achieved via API. Use the [Batch DNS records](/api/operations/dns-records-for-a-zone-batch-dns-records) endpoint to delete and create or update DNS records within a single request. Refer to [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/) for further guidance.
 :::
 7. Within the **DNS** > **Records** of the parent zone, update existing address records (`A/AAAA`) on your subdomain to `NS` records. If you only have one address record, update the existing one and add a new `NS` record. If you have multiple address records, update any two of them.
From 8ef65f39a71063900532ecbb0fd0b282c87c284f Mon Sep 17 00:00:00 2001
From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com>
Date: Mon, 23 Sep 2024 15:32:23 +0100
Subject: [PATCH 14/54] [Security Center] Brand Protection - Export all matches (#17021)
---
 src/content/docs/security-center/brand-protection.mdx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/content/docs/security-center/brand-protection.mdx b/src/content/docs/security-center/brand-protection.mdx
index 1e3c3f2ab1976c..6f30e51286ffbf 100644
--- a/src/content/docs/security-center/brand-protection.mdx
+++ b/src/content/docs/security-center/brand-protection.mdx
@@ -43,6 +43,8 @@ To start searching for new domains that might be trying to impersonate your bran
 7. You can select **Save query** to monitor it in the future and perform other actions, such as delete, clone and set up alerts, according to your paid plan limits.
+8. To export all matches from a saved query, select your **Query name** > select the three dots > **Export matches**.
+
 In the section **Monitored queries**, you can check all the queries that you selected to monitor. You can delete, clone, or create notifications for a query. Refer to [Brand Protection Alerts](#brand-protection-alerts) to set up notifications.
 ## Logo queries
@@ -92,4 +94,4 @@ Manage your notifications in the **All notifications** tab. You can disable, edi
 ## Limitations
 * While this product is in beta, all Enterprise customers and Cloudforce One subscribers have access to Brand Protection. Enterprise customers are entitled to one saved query per Enterprise zone on their account.
-* You may only use the Brand Protection search tools to search for domains that may be attempting to impersonate your brand or a brand that has authorized you to conduct such search on its behalf.
+* You may only use the Brand Protection search tools to search for domains that may be attempting to impersonate your brand or a brand that has authorized you to conduct such search on its behalf.
\ No newline at end of file
From 9e48cc5717bb5a0e533935e04c991acd93c570c0 Mon Sep 17 00:00:00 2001
From: ToriLindsay
Date: Mon, 23 Sep 2024 16:14:23 +0100
Subject: [PATCH 15/54] Updated Vitest version (#17022)
---
 .../get-started/migrate-from-miniflare-2.mdx | 2 +-
 .../vitest-integration/get-started/write-your-first-test.mdx | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/workers/testing/vitest-integration/get-started/migrate-from-miniflare-2.mdx b/src/content/docs/workers/testing/vitest-integration/get-started/migrate-from-miniflare-2.mdx
index 1402e1cefe2451..3d1e31e71e4e2e 100644
--- a/src/content/docs/workers/testing/vitest-integration/get-started/migrate-from-miniflare-2.mdx
+++ b/src/content/docs/workers/testing/vitest-integration/get-started/migrate-from-miniflare-2.mdx
@@ -30,7 +30,7 @@ First, you will need to uninstall the old environment and install the new pool.
 ```sh
 npm uninstall vitest-environment-miniflare
-npm install --save-dev --save-exact vitest@1.5.0
+npm install --save-dev --save-exact vitest@2.0.5
 npm install --save-dev @cloudflare/vitest-pool-workers
 ```
diff --git a/src/content/docs/workers/testing/vitest-integration/get-started/write-your-first-test.mdx b/src/content/docs/workers/testing/vitest-integration/get-started/write-your-first-test.mdx
index 5a366f1dd6fad9..0c5f2b8360c172 100644
--- a/src/content/docs/workers/testing/vitest-integration/get-started/write-your-first-test.mdx
+++ b/src/content/docs/workers/testing/vitest-integration/get-started/write-your-first-test.mdx
@@ -24,7 +24,7 @@ This guide will instruct you through installing and setting up the `@cloudflare/
 Open a terminal window and make sure you are in your project's root directory. Once you have confirmed that, run:
 ```sh
-npm install vitest@1.5.0 --save-dev --save-exact
+npm install vitest@2.0.5 --save-dev --save-exact
 npm install @cloudflare/vitest-pool-workers --save-dev
 ```
@@ -32,7 +32,7 @@ The above commands will add the packages to your `package.json` file and install
 :::note
-Currently, the `@cloudflare/vitest-pool-workers` package _only_ works with Vitest 1.5.0.
+Currently, the `@cloudflare/vitest-pool-workers` package _only_ works with Vitest 2.0.5.
 :::
From 70c52e523c3071ab979ef2b3363e200ea58395a2 Mon Sep 17 00:00:00 2001
From: Oliver Payne
Date: Mon, 23 Sep 2024 17:20:44 +0200
Subject: [PATCH 16/54] Update widget.mdx (#17010)
Clearer wording around managed mode interaction
---
 src/content/docs/turnstile/concepts/widget.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/turnstile/concepts/widget.mdx b/src/content/docs/turnstile/concepts/widget.mdx
index 4f3b3d8987e9b3..bf181251bb7a02 100644
--- a/src/content/docs/turnstile/concepts/widget.mdx
+++ b/src/content/docs/turnstile/concepts/widget.mdx
@@ -22,7 +22,7 @@ Refer to [widget sizes](/turnstile/get-started/client-side-rendering/#widget-siz
 ## Managed (recommended)
-This mode is fully managed by Cloudflare. It automatically chooses the appropriate action based on various signals and risk levels. Cloudflare will use the information from the visitor to decide if an interactive challenge should be used. Turnstile will only require interaction if a further check is necessary to verify that the visitor is human. When Turnstile shows an interaction, the user will be prompted to check a box (no images or text to decipher). This managed mode is ideal for users who want a simple configuration without needing to fine-tune the behavior.
+This mode is fully managed by Cloudflare. It automatically chooses the appropriate action based on various signals and risk levels. Cloudflare will use the information from the visitor to decide if an interactive challenge should be used. Turnstile will only require interaction if a further check is necessary to verify that the visitor is human. When an interaction is required, the user will be prompted to check a box (no images or text to decipher). This managed mode is ideal for users who want a simple configuration without needing to fine-tune the behavior.
 ### Light mode
@@ -92,4 +92,4 @@ The widget expires when a token was issued but the user did not solve the challe
 ![Unsupported browser](~/assets/images/turnstile/unsupported-browser.png)
-Visitors with outdated browsers or unsupported browsers will encouter this widget state. Refer to [Supported browsers](/waf/reference/cloudflare-challenges/#browser-support) for more information regarding supported browsers.
\ No newline at end of file
+Visitors with outdated browsers or unsupported browsers will encouter this widget state. Refer to [Supported browsers](/waf/reference/cloudflare-challenges/#browser-support) for more information regarding supported browsers.
From 149eeab8010945d8dff0cf14262c9166102cbb87 Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Mon, 23 Sep 2024 11:29:56 -0400
Subject: [PATCH 17/54] clarify RHEL support (#16996)
---
 .../warp/user-side-certificates/install-cert-with-warp.mdx | 5 +++--
 .../warp/user-side-certificates/install-cloudflare-cert.mdx | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx
index d9839b546a710a..dae4a2807fdcd8 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx
@@ -19,14 +19,15 @@ import { Details } from "~/components";
 | -------- | ------------ | -------------------- |
 | Windows | ✅ | 2023.3.381.0 |
 | macOS | ✅ | 2023.3.381.0 |
-| Linux | ✅ | 2023.3.381.0 |
+| Linux * | ✅ | 2023.3.381.0 |
 | iOS | ❌ | |
 | Android | ❌ | |
 | ChromeOS | ❌ | |
+* Only supported on Debian-based systems.
-The WARP client can automatically install the Cloudflare certificate (or a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/)) on Windows, macOS, and Linux devices enrolled in your Zero Trust organization. On mobile devices, you will need to [install the certificate manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/).
+The WARP client can automatically install the Cloudflare certificate (or a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/)) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/).
 The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), display custom block pages, and more.
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx
index 8ffb064c2dc0b2..4daa89b6127a5b 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx
@@ -165,7 +165,7 @@ sudo dpkg-reconfigure ca-certificates
 #### Red Hat-based distributions
-The following procedure applies to Red Hat-based systems, such as Red Hat Enterprise Linux (RHEL), Fedora, Rocky Linux, and AlmaLinux.
+The following procedure applies to Red Hat-based systems, such as CentOS and Red Hat Enterprise Linux (RHEL).
 1. Download both the [`.crt` certificate](/cloudflare-one/static/Cloudflare_CA.crt) and the [`.pem` certificate](/cloudflare-one/static/Cloudflare_CA.pem).
 2. Install the `ca-certificates` package.
From 9c396f3e499487cf56ddec4de52de23c5e4f9e86 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Mon, 23 Sep 2024 18:09:46 +0100
Subject: [PATCH 18/54] [WAF] Detections section (#17027)
--------
Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
---
 public/_redirects | 10 +-
 src/content/changelogs/waf-general.yaml | 4 +-
 .../architectures/security.mdx | 173 +++++++++---------
 .../managed-transforms/configure.mdx | 5 +
 .../transform/managed-transforms/index.mdx | 13 +-
 .../managed-transforms/reference.mdx | 19 ++
 .../rules-language/fields/dynamic-fields.mdx | 62 ++++++-
 .../content-types/concept.mdx | 5 +-
 .../docs/waf/analytics/security-analytics.mdx | 6 +-
 .../waf/{about/index.mdx => concepts.mdx} | 27 +--
 src/content/docs/waf/custom-rules/index.mdx | 15 +-
 .../attack-score.mdx} | 12 +-
 src/content/docs/waf/detections/index.mdx | 41 +++++
 .../leaked-credentials/api-calls.mdx | 123 +++++++++++++
 .../leaked-credentials/examples.mdx | 59 ++++++
 .../leaked-credentials/get-started.mdx | 171 +++++++++++++++++
 .../detections/leaked-credentials/index.mdx | 97 ++++++++++
 src/content/docs/waf/detections/link-bots.mdx | 7 +
 .../malicious-uploads}/api-calls.mdx | 0
 .../malicious-uploads}/example-rules.mdx | 23 ++-
 .../malicious-uploads}/get-started.mdx | 6 +-
 .../malicious-uploads}/index.mdx | 15 +-
 src/content/docs/waf/get-started.mdx | 10 +-
 src/content/docs/waf/index.mdx | 4 +-
 .../configure-api.mdx | 5 +-
 .../how-checks-work.mdx | 13 +-
 .../check-for-exposed-credentials/index.mdx | 43 ++---
 .../monitor-events.mdx | 10 +-
 .../test-configuration.mdx | 5 +-
 .../reference/exposed-credentials-check.mdx | 10 +-
 src/content/glossary/waf.yaml | 4 +-
 .../fundamentals/cloudflare-security.mdx | 3 +-
 .../product-limitations.mdx | 95 +++++-----
 ...leaked-credentials-recommend-detection.mdx | 7 +
 .../partials/waf/waf-managed-rules-intro.mdx | 9 +-
 src/content/plans/index.json | 58 +++++-
 src/content/products/exposed-credentials.yaml | 8 -
src/content/products/leaked-credentials.yaml | 8 +
 38 files changed, 903 insertions(+), 282 deletions(-)
 rename src/content/docs/waf/{about/index.mdx => concepts.mdx} (53%)
 rename src/content/docs/waf/{about/waf-attack-score.mdx => detections/attack-score.mdx} (83%)
 create mode 100644 src/content/docs/waf/detections/index.mdx
 create mode 100644 src/content/docs/waf/detections/leaked-credentials/api-calls.mdx
 create mode 100644 src/content/docs/waf/detections/leaked-credentials/examples.mdx
 create mode 100644 src/content/docs/waf/detections/leaked-credentials/get-started.mdx
 create mode 100644 src/content/docs/waf/detections/leaked-credentials/index.mdx
 create mode 100644 src/content/docs/waf/detections/link-bots.mdx
 rename src/content/docs/waf/{about/content-scanning => detections/malicious-uploads}/api-calls.mdx (100%)
 rename src/content/docs/waf/{about/content-scanning => detections/malicious-uploads}/example-rules.mdx (77%)
 rename src/content/docs/waf/{about/content-scanning => detections/malicious-uploads}/get-started.mdx (93%)
 rename src/content/docs/waf/{about/content-scanning => detections/malicious-uploads}/index.mdx (92%)
 create mode 100644 src/content/partials/waf/leaked-credentials-recommend-detection.mdx
 delete mode 100644 src/content/products/exposed-credentials.yaml
 create mode 100644 src/content/products/leaked-credentials.yaml
diff --git a/public/_redirects b/public/_redirects
index 70589baf477297..e5247341cf5cea 100644
--- a/public/_redirects
+++ b/public/_redirects
@@ -1180,8 +1180,14 @@
 /turnstile/concepts/widget-types/ /turnstile/concepts/widget/ 301
 # waf
-/waf/about/file-scanning/ /waf/about/content-scanning/ 301
-/waf/about/waf-ml/ /waf/about/waf-attack-score/ 301
+/waf/about/ /waf/concepts/ 301
+/waf/about/content-scanning/ /waf/detections/malicious-uploads/ 301
+/waf/about/content-scanning/get-started/ /waf/detections/malicious-uploads/get-started/ 301
+/waf/about/content-scanning/example-rules/ /waf/detections/malicious-uploads/example-rules/ 301
+/waf/about/content-scanning/api-calls/ /waf/detections/malicious-uploads/api-calls/ 301
+/waf/about/file-scanning/ /waf/detections/malicious-uploads/ 301
+/waf/about/waf-attack-score/ /waf/detections/attack-score/ 301
+/waf/about/waf-ml/ /waf/detections/attack-score/ 301
 /waf/alerts/ /waf/reference/alerts/ 301
 /waf/custom-rules/custom-firewall/ /waf/custom-rules/ 301
 /waf/custom-rules/custom-firewall/create-api/ /waf/custom-rules/create-api/ 301
diff --git a/src/content/changelogs/waf-general.yaml b/src/content/changelogs/waf-general.yaml
index f5d23b15b84818..d4bc9afba385e9 100644
--- a/src/content/changelogs/waf-general.yaml
+++ b/src/content/changelogs/waf-general.yaml
@@ -10,8 +10,8 @@ entries:
 - publish_date: "2024-08-29"
 title: Fixed occasional attack score mismatches
 description: |-
- Fixed an issue causing score mismatches between the global [WAF attack score](/waf/about/waf-attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives.
+ Fixed an issue causing score mismatches between the global [WAF attack score](/waf/detections/attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives.
 - publish_date: "2024-05-23"
 title: Improved detection capabilities
 description: |-
- [WAF attack score](/waf/about/waf-attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers).
+ [WAF attack score](/waf/detections/attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers).
diff --git a/src/content/docs/reference-architecture/architectures/security.mdx b/src/content/docs/reference-architecture/architectures/security.mdx
index c2d016513c7b44..a875521e1f89a4 100644
--- a/src/content/docs/reference-architecture/architectures/security.mdx
+++ b/src/content/docs/reference-architecture/architectures/security.mdx
@@ -13,10 +13,9 @@ description: This document provides insight into how this network and platform
 are architected from a security perspective, how they are operated, and what services are available for businesses to address their own security challenges.
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 ## Introduction
@@ -26,8 +25,8 @@ However, as Internet bandwidth increased and more people needed to do work outsi
 Since 2010, Cloudflare has been building a unique, large-scale network on which we run a set of security services that allow organizations to build improved connectivity and better protect their public and private networks, applications, users, and data. This document provides insight into how this network and platform are architected from a security perspective, how they are operated, and what services are available for businesses to address their own security challenges. The document comprises two main sections:
-* How Cloudflare builds and operates its secure global network.
-* How to protect your business infrastructure and assets using Cloudflare services built on the network.
+- How Cloudflare builds and operates its secure global network.
+- How to protect your business infrastructure and assets using Cloudflare services built on the network.
 ### Who is this document for and what will you learn?
@@ -37,7 +36,7 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo
-* [How Cloudflare strengthens security everywhere you do business](https://cf-assets.www.cloudflare.com/slt3lc6tev37/is7XGR7xZ8CqW0l9EyHZR/1b4311823f602f72036385a66fb96e8c/Everywhere_Security-Cloudflare-strengthens-security-everywhere-you_do-business.pdf) (10 minutes)
+- [How Cloudflare strengthens security everywhere you do business](https://cf-assets.www.cloudflare.com/slt3lc6tev37/is7XGR7xZ8CqW0l9EyHZR/1b4311823f602f72036385a66fb96e8c/Everywhere_Security-Cloudflare-strengthens-security-everywhere-you_do-business.pdf) (10 minutes)
 ## Secure global network
@@ -63,14 +62,14 @@ Every level of the network conforms to strict hardened security controls. Proces
 Cloudflare designs and owns all the servers in our network. There are two main types.
-* **Private core servers**: The control plane where all customer configuration, logging, and other data lives.
-* **Public edge servers**: Where Internet and privately tunneled traffic terminates to the Cloudflare network, to be inspected and then routed to its destination.
+- **Private core servers**: The control plane where all customer configuration, logging, and other data lives.
+- **Public edge servers**: Where Internet and privately tunneled traffic terminates to the Cloudflare network, to be inspected and then routed to its destination.
 Server hardware is designed by Cloudflare and built by industry-respected manufacturers that complete a comprehensive supply chain and security review. Every server runs an identical software stack, allowing for consistent hardware design. The operating system on edge servers is also a single design and built from a highly modified Linux distribution, tailored for the scale and speed of our platform. Cloudflare is a significant contributor to the Linux kernel, and we regularly share information on how we secure our [servers and services](https://blog.cloudflare.com/the-linux-kernel-key-retention-service-and-why-you-should-use-it-in-your-next-application), helping the Linux community and the rest of the Internet benefit from our [engineering](https://blog.cloudflare.com/linux-kernel-hardening).
 #### Services
-Every server runs all Cloudflare products and services that customers use to secure their networks and applications. Later in this document we provide an overview of these services, but for the moment it's important to provide insight into the development of the software. From the initial design of every product, the engineering team works hand in hand with security, compliance, and risk teams to review all aspects of the service. 
These teams can be viewed as part of the engineering and product teams, not an external group. They are essential to the development of everything we do at Cloudflare and we have some of the most respected professionals in the industry. Code is reviewed by security teams at every stage of development, and we implement many automated systems to analyze software looking for vulnerabilities. Threat modeling and penetration testing frameworks such as [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/), [STRIDE](https://en.wikipedia.org/wiki/STRIDE_\(security\)), and [DREAD](https://en.wikipedia.org/wiki/DREAD_\(risk_assessment_model\)) are used during design, development, and the release process.
+Every server runs all Cloudflare products and services that customers use to secure their networks and applications. Later in this document we provide an overview of these services, but for the moment it's important to provide insight into the development of the software. From the initial design of every product, the engineering team works hand in hand with security, compliance, and risk teams to review all aspects of the service. These teams can be viewed as part of the engineering and product teams, not an external group. They are essential to the development of everything we do at Cloudflare and we have some of the most respected professionals in the industry. Code is reviewed by security teams at every stage of development, and we implement many automated systems to analyze software looking for vulnerabilities. Threat modeling and penetration testing frameworks such as [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/), [STRIDE](), and [DREAD]() are used during design, development, and the release process.
 Many of our products run on our [serverless runtime](/workers/) environment, which leverages the very latest techniques in service isolation. 
We anticipated this secure runtime environment could be very valuable to our customers, so we productized it, allowing them to [build](/workers/reference/how-workers-works/) and [run](https://blog.cloudflare.com/cloud-computing-without-containers) their own applications on our network. More about that at the very end of this document.
@@ -84,11 +83,11 @@ Not only must the design of the network be secure, but so should how we run and
 Customers send sensitive information to our products and services. The mission for the Cloudflare compliance team is to ensure the underlying infrastructure that supports these services meets [industry compliance standards](https://www.cloudflare.com/trust-hub/compliance-resources/) such as FedRAMP, SOC II, ISO, PCI certifications, C5, privacy, and regulatory frameworks. The compliance team works with all engineering organizations to help integrate these requirements as part of the way we work. From a compliance perspective, our areas of focus include:
-* Privacy and security of customer data
-* Maintaining compliance validations
-* Helping customers with their own compliance
-* Monitoring the changes to the regulatory landscape
-* Providing feedback to regulatory bodies on upcoming changes
+- Privacy and security of customer data
+- Maintaining compliance validations
+- Helping customers with their own compliance
+- Monitoring the changes to the regulatory landscape
+- Providing feedback to regulatory bodies on upcoming changes
 We also run a [bug bounty program](https://hackerone.com/cloudflare), giving incentives for the community to find and report vulnerabilities to us for financial reward. 
@@ -144,12 +143,12 @@ The reason the Cloudflare network exists is to provide services to customers to
 In general, what customers need to effectively combat and protect against the growing breadth and complexity of threats is a unified security solution that provides visibility, analytics, detection, and mitigation in an operationally consistent and efficient manner. Cloudflare addresses these needs in several ways:
-* Operational consistency: Cloudflare has a single dashboard/UI for all administrative tasks.
-* Operational simplicity: Cloudflare is well-known for minimizing operational complexity with well-designed user interfaces that minimize manual configurations and UI workflows. Additionally, cross-product integrations allow for automating configurations and policies.
-* Continuous innovation: Cloudflare continues to innovate across its broad security portfolio with unique differentiating capabilities such as its CAPTCHA replacement product, Turnstile, and the industry-first API Sequence Mitigation capability.
-* Workload location agnostic: Cloudflare was built first and foremost around performance and security services. As such, it was built from the ground up to be workload location agnostic with multi-cloud inherently being a top use case. Customers can deploy workloads in multiple clouds and/or on-prem and get the same operational consistency.
-* Performance and scale: All Cloudflare services run on every server in every data center on the same global cloud, allowing for maximum performance in terms of global reachability and latency and ability to scale out, leveraging the full capacity of Cloudflare’s global infrastructure.
-* API first: Cloudflare is API first. All configurations and capabilities available from the UI/dashboard are also available from the API. Cloudflare can easily be configured with Terraform to support automation for customer workflows/processes. 
+- Operational consistency: Cloudflare has a single dashboard/UI for all administrative tasks.
+- Operational simplicity: Cloudflare is well-known for minimizing operational complexity with well-designed user interfaces that minimize manual configurations and UI workflows. Additionally, cross-product integrations allow for automating configurations and policies.
+- Continuous innovation: Cloudflare continues to innovate across its broad security portfolio with unique differentiating capabilities such as its CAPTCHA replacement product, Turnstile, and the industry-first API Sequence Mitigation capability.
+- Workload location agnostic: Cloudflare was built first and foremost around performance and security services. As such, it was built from the ground up to be workload location agnostic with multi-cloud inherently being a top use case. Customers can deploy workloads in multiple clouds and/or on-prem and get the same operational consistency.
+- Performance and scale: All Cloudflare services run on every server in every data center on the same global cloud, allowing for maximum performance in terms of global reachability and latency and ability to scale out, leveraging the full capacity of Cloudflare’s global infrastructure.
+- API first: Cloudflare is API first. All configurations and capabilities available from the UI/dashboard are also available from the API. Cloudflare can easily be configured with Terraform to support automation for customer workflows/processes.
 Cloudflare’s security services that protect networks, applications, devices, users, and data can be grouped into the following categories. 
@@ -161,8 +160,8 @@ Note this list is focused on security and doesn't include products such as our c
 There are two main types of resources our customers are trying to secure:
-* **Public resources** are defined as any content, asset, or infrastructure that has an interface available and accessible to the general Internet, such as brand websites, ecommerce sites, and APIs. They can also be defined by the fact they are accessible by anonymous users or people who register themselves to gain access, such as social media websites, video streaming services, and banking services.
-* **Private resources** are defined as content, assets, or infrastructure with the intended set of users constrained to a single company, organization, or set of customers. These services typically require accounts and credentials to gain access. Examples of such resources are the company HR system, source code repositories, and a point of sale (POS) system residing on a retail branch network. These resources are typically accessible only by employees, partners, and other trusted, known identities.
+- **Public resources** are defined as any content, asset, or infrastructure that has an interface available and accessible to the general Internet, such as brand websites, ecommerce sites, and APIs. They can also be defined by the fact they are accessible by anonymous users or people who register themselves to gain access, such as social media websites, video streaming services, and banking services.
+- **Private resources** are defined as content, assets, or infrastructure with the intended set of users constrained to a single company, organization, or set of customers. These services typically require accounts and credentials to gain access. Examples of such resources are the company HR system, source code repositories, and a point of sale (POS) system residing on a retail branch network. These resources are typically accessible only by employees, partners, and other trusted, known identities. 
Public and private resources can also include both infrastructure-level components like servers and consumed resources like websites and API endpoints. Communication over networks and the Internet happens in different stages and levels as shown in the open systems interconnection (OSI) model diagram below. 
@@ -170,12 +169,12 @@ Public and private resources can also include both infrastructure-level componen
 Cloudflare can protect at multiple layers of the OSI model, and in this document we are primarily concerned with protecting resources at layers 3, 4, and 7.
-* Layer 3, referred to as the “network layer,” is responsible for facilitating data transfer between two different networks. The network layer breaks up segments from the transport layer into smaller units, called packets, on the sender’s device and reassembles these packets on the receiving device. The network layer is where routing takes place — finding the best physical path for the data to reach its destination.
-* Layer 4, referred to as the “transport layer,” is responsible for end-to-end communication between the two devices. This includes taking data from the session layer and breaking it up into chunks called “segments” before sending it to layer 3.
+- Layer 3, referred to as the “network layer,” is responsible for facilitating data transfer between two different networks. The network layer breaks up segments from the transport layer into smaller units, called packets, on the sender’s device and reassembles these packets on the receiving device. The network layer is where routing takes place — finding the best physical path for the data to reach its destination.
+- Layer 4, referred to as the “transport layer,” is responsible for end-to-end communication between the two devices. This includes taking data from the session layer and breaking it up into chunks called “segments” before sending it to layer 3.
 Cloudflare security products that can be used for L3 and L4 security include Cloudflare’s network services offerings, including [Magic Transit](/magic-transit/), [Magic Firewall](/magic-firewall/), [Magic WAN](/magic-wan/), [Magic Network Monitoring](/magic-network-monitoring/), and [Spectrum](/spectrum/). 
-* Layer 7, referred to as the “application layer,” is the top layer of the data processing that occurs just below the surface or behind the scenes of the software applications that users interact with. HTTP and API requests/responses are layer 7 events.
+- Layer 7, referred to as the “application layer,” is the top layer of the data processing that occurs just below the surface or behind the scenes of the software applications that users interact with. HTTP and API requests/responses are layer 7 events.
 Cloudflare has a suite of application security products that includes [Web Application Firewall](/waf/) (WAF), [Rate Limiting](/waf/rate-limiting-rules/), [L7 DDoS](/ddos-protection/managed-rulesets/http/), [API Gateway](/api-shield/api-gateway/), [Bot Management](/bots/), and [Page Shield](/page-shield/). 
@@ -195,12 +194,12 @@ The diagram below shows a typical request for a public asset going through the C
 The diagram highlights the following:
-* The [world's fastest DNS service](https://www.dnsperf.com/) provides fast resolution of public hostnames
-* Ensure data compliance by [choosing geographic locations](https://www.cloudflare.com/data-localization/) for the inspection and storage of data
-* Spectrum extends Cloudflare security capabilities to all UDP/TCP applications
-* Security services inspect a request in one pass
-* Application performance services also act on the request in the same pass
-* [Smart routing](/argo-smart-routing/) finds the lowest latency path between Cloudflare and the public destination
+- The [world's fastest DNS service](https://www.dnsperf.com/) provides fast resolution of public hostnames
+- Ensure data compliance by [choosing geographic locations](https://www.cloudflare.com/data-localization/) for the inspection and storage of data
+- Spectrum extends Cloudflare security capabilities to all UDP/TCP applications
+- Security services inspect a request in one pass
+- Application performance services also act on the request in the same pass
+- [Smart routing](/argo-smart-routing/) finds the lowest latency path between Cloudflare and the public destination
 #### Common attacks and protection 
@@ -222,14 +221,14 @@ A zero-day exploit (also called a zero-day threat) is an attack that takes advan
 Web Application Firewall (WAF) [Managed Rules](/waf/managed-rules/) allow you to deploy pre-configured managed rulesets that provide immediate protection against the following:
-* Zero-day vulnerabilities
-* Top 10 attack techniques
-* Use of stolen/exposed credentials
-* Extraction of sensitive data
+- Zero-day vulnerabilities
+- Top 10 attack techniques
+- Use of stolen/exposed credentials
+- Extraction of sensitive data
 WAF checks incoming web requests and filters undesired traffic based on sets of rules (rulesets) deployed at the edge. These managed rulesets are maintained and regularly updated by Cloudflare. From the extensive threat intelligence obtained from across our global network, Cloudflare is able to quickly detect and classify threats. As new attacks/threats are identified, Cloudflare will automatically push WAF rules to customers to ensure they are protected against the latest zero-day attacks.
-Additionally, Cloudflare provides for [WAF Attack Score](/waf/about/waf-attack-score/), which complements Cloudflare managed rules by detecting attack variations. These variations are typically achieved by malicious actors via fuzzing techniques that are trying to identify ways to bypass existing security policies. WAF classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Rules can then be written which use these scores to determine what traffic is permitted to the application.
+Additionally, Cloudflare provides for [WAF Attack Score](/waf/detections/attack-score/), which complements Cloudflare managed rules by detecting attack variations. These variations are typically achieved by malicious actors via fuzzing techniques that are trying to identify ways to bypass existing security policies. 
WAF classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Rules can then be written which use these scores to determine what traffic is permitted to the application.
 ![Machine learning maintains lists of managed rules to determine if the request should be let through the WAF or not.](~/assets/images/reference-architecture/security/security-ref-arch-6.svg)
@@ -253,10 +252,10 @@ Page Shield uses threat-feed detections of malicious JavaScript domains and URLs
 Page Shield [Content Security policies](/page-shield/policies/) can be created and applied to add an additional level of security that helps detect and mitigate certain types of attacks, including:
-* Content/code injection
-* Cross-site scripting (XSS)
-* Embedding malicious resources
-* Malicious iframes (clickjacking)
+- Content/code injection
+- Cross-site scripting (XSS)
+- Embedding malicious resources
+- Malicious iframes (clickjacking)
 Products: [Page Shield](/page-shield/)
@@ -332,7 +331,7 @@ Malware can refer to viruses, worms, trojans, ransomware, spyware, adware, and o
 When Uploaded Content Scanning is enabled, content scanning attempts to detect items such as uploaded files, and scans them for malicious signatures like malware. The scan results, along with additional metadata, are exposed as fields available in WAF custom rules, allowing customers to implement fine-grained mitigation rules.
-Products: [WAF - Uploaded Content Scanning](/waf/about/content-scanning/)
+Products: [WAF - Uploaded Content Scanning](/waf/detections/malicious-uploads/)
 #### Cloudflare application security products 
@@ -350,10 +349,10 @@ Using Cloudflare [WAF](/waf/), customers can deploy custom rules based on very g
 [WAF Managed Rules](/waf/managed-rules/) allow customers to deploy pre-configured managed rulesets that provide immediate protection against:
-* Zero-day vulnerabilities
-* Top 10 attack techniques
-* Use of stolen/exposed credentials
-* Extraction of sensitive data
+- Zero-day vulnerabilities
+- Top 10 attack techniques
+- Use of stolen/exposed credentials
+- Extraction of sensitive data
 ##### Rate limiting
@@ -395,9 +394,9 @@ Additionally, Cloudflare can take the action of challenging clients if it suspec
 Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which may include but is not limited to:
-* A non-interactive challenge page (similar to the current JS Challenge).
-* A custom interactive challenge (such as clicking a button).
-* Private Access Tokens (using recent Apple operating systems).
+- A non-interactive challenge page (similar to the current JS Challenge).
+- A custom interactive challenge (such as clicking a button).
+- Private Access Tokens (using recent Apple operating systems).
 With [Turnstile](/turnstile/), Cloudflare has completely moved away from CAPTCHA. Turnstile is Cloudflare’s smart CAPTCHA alternative. It can be embedded into any website without sending traffic through Cloudflare and works without showing visitors a CAPTCHA. Turnstile allows you to run challenges anywhere on your site in a less intrusive way and uses APIs to communicate with Cloudflare’s Managed Challenge platform. 
@@ -427,10 +426,10 @@ Customers can also enable [mutual Transport Layer Security (mTLS)](/ssl/client-c Key capabilities offered: -* Inventory and review IT infrastructure assets like domains, ASNs, and IPs. -* Manage an always up-to-date list of misconfigurations and risks in Cloudflare IT assets. -* Query threat data gathered from the Cloudflare network to investigate and respond to security risks. -* Gain full control over who sends email on your organization's behalf with DMARC Management. +- Inventory and review IT infrastructure assets like domains, ASNs, and IPs. +- Manage an always up-to-date list of misconfigurations and risks in Cloudflare IT assets. +- Query threat data gathered from the Cloudflare network to investigate and respond to security risks. +- Gain full control over who sends email on your organization's behalf with DMARC Management. ##### Cloudflare for SaaS 
@@ -470,9 +469,9 @@ Private resources typically contain highly sensitive, company confidential infor The following are typical attributes of private resources: -* Users have been pre-authorized and provisioned. They can't just sign up. They need to be given specific access to the resource either directly or via access control mechanisms such as certificates, group membership, or role assignment. -* Network access to a self-hosted resource is typically over-managed, private network routes and not accessible via the general Internet. -* Private resources that live in data centers (physical or virtual) and are connected to networks that are hosted and managed by the business, which are either on-premises or virtual private networks running in public cloud infrastructure. +- Users have been pre-authorized and provisioned. They can't just sign up. They need to be given specific access to the resource either directly or via access control mechanisms such as certificates, group membership, or role assignment. +- Network access to a self-hosted resource is typically over-managed, private network routes and not accessible via the general Internet. +- Private resources that live in data centers (physical or virtual) and are connected to networks that are hosted and managed by the business, which are either on-premises or virtual private networks running in public cloud infrastructure. As mentioned, traditional access to private resources required physical access to the network by being in the office connected via Ethernet. As remote access needs increased, companies installed on-premises VPN servers that allowed users and devices to "dial in" to these private networks. Many applications have left these private networks and instead migrated to SaaS applications or are hosted in public cloud infrastructure. This traditional approach has become unmanageable and costly, with a variety of technologies providing network connectivity and access control. 
@@ -484,12 +483,12 @@ As we describe the following Cloudflare services, you will learn how the Cloudfl Protecting internal resources can be broken down into the following areas. -* Securing connectivity between the user and the application/network. -* Identity systems providing authentication and maintaining user identities and group membership. -* Policies controlling user access to applications/data. -* Data protection controls to identify and protect sensitive and confidential data. -* Protecting users and devices from attacks (malware, phishing, etc.) that originate from access to the Internet. -* Operational visibility to IT and security teams. +- Securing connectivity between the user and the application/network. +- Identity systems providing authentication and maintaining user identities and group membership. +- Policies controlling user access to applications/data. +- Data protection controls to identify and protect sensitive and confidential data. +- Protecting users and devices from attacks (malware, phishing, etc.) that originate from access to the Internet. +- Operational visibility to IT and security teams. #### Securing connectivity to private resources 
@@ -546,17 +545,17 @@ This centralization of identity into a common access control layer allows you to The focus on this document is about security, and now that applications, devices, identities, and networks are all connected, every request to and from any resource on the network, and also to the Internet, is now subject to Cloudflare's access control and firewall services. There are two services that apply policy-based controls to traffic. -* **Zero Trust Network Access**: Our [Access](/cloudflare-one/policies/access/) product manages access to specific networks or applications that are deemed private. It enforces authentication either for users via an existing identity provider, or for other applications via service tokens or mTLS. -* **Secure Web Gateway**: Our [Gateway](/cloudflare-one/policies/gateway/) product is used to analyze traffic and apply policies, no matter the destination. It is most commonly used to allow, block, or isolate traffic that is destined for the Internet. This can be used to apply access controls to SaaS applications, but any traffic flowing through Cloudflare can be inspected and acted upon by Gateway. Therefore it can also be used to add additional access controls to non-Internet, private tunneled applications. +- **Zero Trust Network Access**: Our [Access](/cloudflare-one/policies/access/) product manages access to specific networks or applications that are deemed private. It enforces authentication either for users via an existing identity provider, or for other applications via service tokens or mTLS. +- **Secure Web Gateway**: Our [Gateway](/cloudflare-one/policies/gateway/) product is used to analyze traffic and apply policies, no matter the destination. It is most commonly used to allow, block, or isolate traffic that is destined for the Internet. This can be used to apply access controls to SaaS applications, but any traffic flowing through Cloudflare can be inspected and acted upon by Gateway. 
Therefore it can also be used to add additional access controls to non-Internet, private tunneled applications. ![Cloudflare's ZTNA and SWG services can be combined to secure both private and Internet access.](~/assets/images/reference-architecture/security/security-ref-arch-21.svg) Both of these technologies can be combined to ensure appropriate access to private applications. For users with our [device agent](/cloudflare-one/connections/connect-devices/warp/) installed, the policies can also include device-level requirements. When combined with identity data, policies such as the following can be written to control access to, for example, an internal database administration tool. -* User must have authenticated via the company IdP, and used MFA as part of the authentication -* User must be in the "Database Administrators" group in the IdP -* User device must have a Crowdstrike risk score above 70 -* User device must be on the very latest release of the operating system +- User must have authenticated via the company IdP, and used MFA as part of the authentication +- User must be in the "Database Administrators" group in the IdP +- User device must have a Crowdstrike risk score above 70 +- User device must be on the very latest release of the operating system It is possible to define access groups of users that can be applied across multiple policies. This allows IT and security administrators to create a single definition of what a secure administrator looks like, which is then reusable across many policies. 
@@ -590,31 +589,31 @@ In summary, the following diagram details how Cloudflare's SASE services can con ## Developer platform -Many of Cloudflare's security services are built on a highly optimized serverless compute platform based on [V8 Isolates](https://blog.cloudflare.com/cloud-computing-without-containers) which powers our developer platform. Like all our services, serverless compute workloads run on all servers in our global network. While our security services offer a wide range of features, customers always want the ultimate flexibility of writing their own custom solution. Customers therefore can use Cloudflare Workers and its accompanying services (R2, D1, KV, Queues) to interact with network traffic as it flows to and from their resources, as well as implementing complex security logic. +Many of Cloudflare's security services are built on a highly optimized serverless compute platform based on [V8 Isolates](https://blog.cloudflare.com/cloud-computing-without-containers) which powers our developer platform. Like all our services, serverless compute workloads run on all servers in our global network. While our security services offer a wide range of features, customers always want the ultimate flexibility of writing their own custom solution. Customers therefore can use Cloudflare Workers and its accompanying services (R2, D1, KV, Queues) to interact with network traffic as it flows to and from their resources, as well as implementing complex security logic. The following use cases show how our customers’ security teams have used our [developer platform](https://workers.cloudflare.com/): -* In our ZTNA service, Cloudflare Access, when a request is made to access a private resource, that request can include a call to a Cloudflare Worker, passing in everything known about the user. Custom business logic can then be implemented to determine access. For example: - * Only allow access during employee working hours. Check via API calls to employee systems. 
- * Allow access only if an incident has been declared in PagerDuty. -* Implement honeypots for bots: Because Workers can be attached to routes of any Cloudflare-protected resource, you can examine the bot score of a request and then redirect or modify the request if you suspect it's not legitimate traffic. For example, execute the request but modify the response to redact information or change values to protect data. -* Write complex web application firewall (WAF) type rules: As described above, our WAF is very powerful for protecting your public-facing applications. But with Workers, you can write incredibly complex rules based on information provided in the [IncomingRequestCfProperties](/workers/runtime-apis/request/#incomingrequestcfproperties), which expose metadata for every request. These properties contain extensive information and can be expressed as code for effective rule implementation. -* Enhance traffic with extra security information: Your downstream application may have other security products in front of it, or maybe provides other security if certain HTTP headers exist. Using Workers, you can enhance any requests to the application and add in headers to help the downstream application implement greater security controls. -* Write your own authentication service: Some customers have extreme requirements, and the power of Workers allows you, as we have with our own product suite, to write entire authentication stacks. One such customer [did just this](https://www.cloudflare.com/case-studies/epam/). While this isn't common, it's an example of the flexibility of using Cloudflare. You can mix complex code that you write with our own products to fine-tune exactly the right security outcome. +- In our ZTNA service, Cloudflare Access, when a request is made to access a private resource, that request can include a call to a Cloudflare Worker, passing in everything known about the user. Custom business logic can then be implemented to determine access. 
For example: + - Only allow access during employee working hours. Check via API calls to employee systems. + - Allow access only if an incident has been declared in PagerDuty. +- Implement honeypots for bots: Because Workers can be attached to routes of any Cloudflare-protected resource, you can examine the bot score of a request and then redirect or modify the request if you suspect it's not legitimate traffic. For example, execute the request but modify the response to redact information or change values to protect data. +- Write complex web application firewall (WAF) type rules: As described above, our WAF is very powerful for protecting your public-facing applications. But with Workers, you can write incredibly complex rules based on information provided in the [IncomingRequestCfProperties](/workers/runtime-apis/request/#incomingrequestcfproperties), which expose metadata for every request. These properties contain extensive information and can be expressed as code for effective rule implementation. +- Enhance traffic with extra security information: Your downstream application may have other security products in front of it, or maybe provides other security if certain HTTP headers exist. Using Workers, you can enhance any requests to the application and add in headers to help the downstream application implement greater security controls. +- Write your own authentication service: Some customers have extreme requirements, and the power of Workers allows you, as we have with our own product suite, to write entire authentication stacks. One such customer [did just this](https://www.cloudflare.com/case-studies/epam/). While this isn't common, it's an example of the flexibility of using Cloudflare. You can mix complex code that you write with our own products to fine-tune exactly the right security outcome. 
Using Workers for implementing some of your security controls has the following advantages: -* **Advanced logic and testability**: Enables the implementation of highly sophisticated logic that's easily testable through unit tests. -* **Accessibility to developers**: Security features are accessible to a broader audience due to native support in languages like JavaScript, TypeScript, Rust, and Python, catering to developers' familiarity. -* **Granularity and flexibility**: Offers unparalleled granularity, with support for regex, JSON parsing, and easy access to request/response headers and bodies enriched by Cloudflare. Policies can be designed based on any feature of the request/response. -* **Response modification**: While traditional security stacks often focus solely on requests, Workers empowers effortless modification of responses. For instance, verbose error messages can be obscured to enhance security. -* **Implement DevSecOps lifecycles**: Workers makes it very easy to adhere to DevSecOps best practices like version control, code audits, automated tests, gradual roll-outs, and rollback capabilities. +- **Advanced logic and testability**: Enables the implementation of highly sophisticated logic that's easily testable through unit tests. +- **Accessibility to developers**: Security features are accessible to a broader audience due to native support in languages like JavaScript, TypeScript, Rust, and Python, catering to developers' familiarity. +- **Granularity and flexibility**: Offers unparalleled granularity, with support for regex, JSON parsing, and easy access to request/response headers and bodies enriched by Cloudflare. Policies can be designed based on any feature of the request/response. +- **Response modification**: While traditional security stacks often focus solely on requests, Workers empowers effortless modification of responses. For instance, verbose error messages can be obscured to enhance security. 
+- **Implement DevSecOps lifecycles**: Workers makes it very easy to adhere to DevSecOps best practices like version control, code audits, automated tests, gradual roll-outs, and rollback capabilities. However, you should also consider the following: -* **Cost**: By adding Workers into the request process, you will incur extra costs. However, this might be acceptable for the scenarios where the significant security outcome is highly beneficial. -* **Latency**: While minimal, there will always be some impact on traffic latency because you are running your own logic on every request. -* **Requires developer skill set**: This is a bit obvious, but worth mentioning. Using Workers requires a development team to create, test, and maintain whatever code is implemented. +- **Cost**: By adding Workers into the request process, you will incur extra costs. However, this might be acceptable for the scenarios where the significant security outcome is highly beneficial. +- **Latency**: While minimal, there will always be some impact on traffic latency because you are running your own logic on every request. +- **Requires developer skill set**: This is a bit obvious, but worth mentioning. Using Workers requires a development team to create, test, and maintain whatever code is implemented. You can review some examples of how our Workers platform can be used for [security](/workers/examples/?tags=Security) or [authentication](/workers/examples/?tags=Authentication) use cases. 
@@ -624,10 +623,10 @@ You should now have a good understanding of the massive scale of the Cloudflare In summary, the benefits of using Cloudflare for your business’s security are: -* Protect all your business assets, public or private. -* Leverage a comprehensive range of security services on a single platform. -* Rely on a massively scaled network with high performance and reliability. -* Implement security controls once, in a single dashboard, and impact traffic from anywhere. -* Empower DevSecOps teams with full API and Terraform support. +- Protect all your business assets, public or private. +- Leverage a comprehensive range of security services on a single platform. +- Rely on a massively scaled network with high performance and reliability. +- Implement security controls once, in a single dashboard, and impact traffic from anywhere. +- Empower DevSecOps teams with full API and Terraform support. We have a very simple [self-service signup](https://dash.cloudflare.com/sign-up), where many of our services can be evaluated for free. If you wish to work with our expert team to evaluate Cloudflare, please [reach out](https://www.cloudflare.com/plans/enterprise/contact/). diff --git a/src/content/docs/rules/transform/managed-transforms/configure.mdx b/src/content/docs/rules/transform/managed-transforms/configure.mdx index c74d19cdf45dd6..56aae3beeae4b3 100644 --- a/src/content/docs/rules/transform/managed-transforms/configure.mdx +++ b/src/content/docs/rules/transform/managed-transforms/configure.mdx @@ -68,6 +68,11 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/managed_headers \ "enabled": false, "has_conflict": false, "conflicts_with": ["add_true_client_ip_headers"] + }, + { + "id": "add_waf_credential_check_status_header", + "enabled": false, + "has_conflict": false } ], "managed_response_headers": [ 
diff --git a/src/content/docs/rules/transform/managed-transforms/index.mdx b/src/content/docs/rules/transform/managed-transforms/index.mdx index b9586fc384877a..dc8b30777c5172 100644 --- a/src/content/docs/rules/transform/managed-transforms/index.mdx +++ b/src/content/docs/rules/transform/managed-transforms/index.mdx @@ -3,15 +3,15 @@ title: Managed Transforms pcx_content_type: concept sidebar: order: 4 - --- Managed Transforms allow you to perform common adjustments to HTTP request and response headers with the click of a button. The available adjustments include: -* Add bot protection request headers. -* Remove or add headers related to the visitor's IP address. -* Add security-related response headers. -* Remove "X-Powered-By" response headers. +- Add bot protection request headers. +- Remove or add headers related to the visitor's IP address. +- Add request header when the WAF detects leaked credentials. +- Add security-related response headers. +- Remove "X-Powered-By" response headers. For a complete list, refer to [Available Managed Transforms](/rules/transform/managed-transforms/reference/). @@ -20,8 +20,7 @@ When you enable a Managed Transform, Cloudflare internally deploys one or more T Enabled Managed Transforms will apply to all inbound requests for the zone. :::note - -The generated internal Transform Rules will not appear in the Transform Rules list in the Cloudflare dashboard. +The generated internal Transform Rules will not appear in the Transform Rules list in the Cloudflare dashboard. ::: ## Next steps diff --git a/src/content/docs/rules/transform/managed-transforms/reference.mdx b/src/content/docs/rules/transform/managed-transforms/reference.mdx index a7e2fb7c4508db..4d09d1503920cd 100644 --- a/src/content/docs/rules/transform/managed-transforms/reference.mdx +++ b/src/content/docs/rules/transform/managed-transforms/reference.mdx 
@@ -106,6 +106,25 @@ For example, consider an incoming request proxied by two CDNs (`CDN_1` and `CDN_ With **Remove visitor IP headers** enabled, the `x-forwarded-for` header sent to the origin server will be:
`x-forwarded-for: ` +### Add Leaked Credentials Checks Header + +Adds an `Exposed-Credential-Check` request header whenever the WAF detects leaked credentials in the incoming request. + +The header can have these values: + +| Header + Value | Description | Availability | +| ----------------------------- | ----------------------------------------------------------------------- | ------------------ | +| `Exposed-Credential-Check: 1` | Previously leaked username and password detected | Pro plan and above | +| `Exposed-Credential-Check: 2` | Previously leaked username detected | Enterprise plan | +| `Exposed-Credential-Check: 3` | Similar combination of previously leaked username and password detected | Enterprise plan | +| `Exposed-Credential-Check: 4` | Previously leaked password detected | All plans | + +You will only receive this managed header at your origin server if: + +- The [leaked credentials detection](/waf/detections/leaked-credentials/) in the WAF is turned on. +- The **Add Leaked Credentials Checks Header** managed transform is turned on. +- Your Cloudflare plan supports the type of credentials detection. For example, Free plans can only know if a password was previously leaked. In this situation, Cloudflare will add an `Exposed-Credential-Check: 4` header to the request. + ## HTTP response headers ### Remove "X-Powered-By" headers diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx index 2d3fc454c7ba96..f6de4da0e8bb85 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx 
@@ -16,7 +16,9 @@ Dynamic fields represent computed or derived values, typically related to threat - Access to `cf.bot_management.*` fields requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled. -- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [WAF content scanning](/waf/about/content-scanning/) enabled. +- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled. + +- Access to fields `cf.waf.auth_detected` and `cf.waf.credential_check.*` depends on your Cloudflare plan and add-ons. For more information, refer to [Leaked credentials detection](/waf/detections/leaked-credentials/). - The `cf.tls_client_auth.*` string fields are only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/). @@ -372,7 +374,7 @@ Example: When `true`, the request contains at least one [content object](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.has_malicious_obj` @@ -380,7 +382,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni When `true`, the request contains at least one malicious content object. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.num_malicious_obj` 
@@ -388,7 +390,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni The number of malicious content objects detected in the request (zero or greater). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.has_failed` @@ -396,7 +398,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni When `true`, the file scanner was unable to scan all the content objects detected in the request. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.num_obj` @@ -404,7 +406,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni The number of content objects detected in the request (zero or greater). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_sizes` @@ -412,7 +414,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of file sizes in bytes, in the order the content objects were detected in the request. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_types` 
@@ -420,7 +422,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_results` @@ -428,13 +430,13 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of scan results in the order the content objects were detected in the request. The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.score` `cf.waf.score` `Number` -A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/about/waf-attack-score/) to detect variants of attack patterns. +A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns. ## `cf.waf.score.sqli` 
@@ -460,6 +462,46 @@ An attack score from 1 to 99 classifying the command injection or Remote Code Ex The attack score class of the current request, based on the WAF attack score. Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`. +## `cf.waf.auth_detected` + +`cf.waf.auth_detected` `Boolean` + +When `true`, the Cloudflare WAF detected authentication credentials in the request. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.password_leaked` + +`cf.waf.credential_check.password_leaked` `Boolean` + +When `true`, the password detected in the request was previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_leaked` + +`cf.waf.credential_check.username_leaked` `Boolean` + +When `true`, the username detected in the request was previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_and_password_leaked` + +`cf.waf.credential_check.username_and_password_leaked` `Boolean` + +When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_password_similar` + +`cf.waf.credential_check.username_password_similar` `Boolean` + +When `true`, a similar version of the username and password credentials detected in the request were previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + ## `cf.worker.upstream_zone` `cf.worker.upstream_zone` `String` 
diff --git a/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx b/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx index aac422db96b8b3..b9fb73cc9d6f54 100644 --- a/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx +++ b/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx @@ -1,7 +1,6 @@ --- pcx_content_type: concept title: Concept - --- ## Purpose @@ -12,7 +11,7 @@ The purpose of a concept is to provide conceptual or descriptive information so instructional, descriptive, approachable, supportive -## content\_type +## content_type `concept` @@ -51,6 +50,6 @@ Do not recreate information that's already available online. Instead, consider w [Load Balancing](/load-balancing/) -[WAF](/waf/about/) +[WAF](/waf/) [Magic Transit](/magic-transit/about/) diff --git a/src/content/docs/waf/analytics/security-analytics.mdx b/src/content/docs/waf/analytics/security-analytics.mdx index 18b2ef76e97cf5..a41edd8eb98ec7 100644 --- a/src/content/docs/waf/analytics/security-analytics.mdx +++ b/src/content/docs/waf/analytics/security-analytics.mdx 
@@ -18,7 +18,7 @@ Use the Security Analytics dashboard to: - View the traffic distribution for your domain. - Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or origin server). - Analyze suspicious traffic and create tailored WAF custom rules based on applied filters. -- Learn more about Cloudflare’s security scores (attack score, [bot score](/bots/concepts/bot-score/), [uploaded content scanning](/waf/about/content-scanning/) results) with real data. +- Learn more about Cloudflare’s security scores (attack score, [bot score](/bots/concepts/bot-score/), [uploaded content scanning](/waf/detections/malicious-uploads/) results) with real data. - [Find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic. If you need to modify existing security-related rules you already configured, consider also using the [Security Events](/waf/analytics/security-events/) dashboard. This dashboard displays information about requests affected by Cloudflare security products. 
@@ -92,7 +92,7 @@ To apply the filters for an insight to the data displayed in the Security Analyt The **Attack likelihood**, **Bot likelihood**, and **Malicious uploads** sections display statistics related to WAF attack scores, bot scores, and WAF content scanning scores of incoming requests for the selected time frame. -You can examine different traffic segments according to the current metric (attack, bot, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50). +You can examine different traffic segments according to the current metric (attack score, bot score, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50). Additionally, you can use the slider tool below the chart to filter incoming requests according to the current metric. This allows you to filter traffic groups outside the predefined segments. 
@@ -106,7 +106,7 @@ The main chart displays the following data for the selected time frame, accordin - **Served by Cloudflare**: Requests served by the Cloudflare global network such as cached content and redirects. - **Served by origin**: Requests served by your origin server. -- **Attack likelihood**: [WAF attack score](/waf/about/waf-attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_. +- **Attack likelihood**: [WAF attack score](/waf/detections/attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_. - **Bot likelihood**: [Bot score](/bots/concepts/bot-score/) analysis of incoming requests, classifying them as _Automated_, _Likely automated_, or _Likely human_. diff --git a/src/content/docs/waf/about/index.mdx b/src/content/docs/waf/concepts.mdx similarity index 53% rename from src/content/docs/waf/about/index.mdx rename to src/content/docs/waf/concepts.mdx index 4064e7005f7369..efec5d9281931e 100644 --- a/src/content/docs/waf/about/index.mdx +++ b/src/content/docs/waf/concepts.mdx 
@@ -25,18 +25,19 @@ A [ruleset](/ruleset-engine/about/rulesets/) is an ordered set of rules that you The Cloudflare WAF includes: - [Managed Rules](/waf/managed-rules/) (for example, the [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/)), which are signature-based rules created by Cloudflare that provide immediate protection against known attacks. -- [Traffic detections](#available-traffic-detections) (for example, bot score and attack score) that enrich requests with metadata. +- [Traffic detections](/waf/detections/) (for example, bot score and attack score) that enrich requests with metadata. - User-defined rules for your specific needs, including [custom rules](/waf/custom-rules/) and rate limiting rules. ## Detection versus mitigation The two main roles of the Cloudflare WAF are the following: -- **Detection**: Run incoming requests through one or more [traffic detections](#available-traffic-detections) to find malicious or potentially malicious activity. The scores from enabled detections are available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard, where you can analyze your security posture and determine the most appropriate mitigation rules. +- **Detection**: Run incoming requests through one or more [traffic detections](/waf/detections/) to find malicious or potentially malicious activity. The scores from enabled detections are available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard, where you can analyze your security posture and determine the most appropriate mitigation rules. -- **Mitigation**: Blocks, challenges, or throttles requests through different [mitigation features](#waf-mitigation-features) such as custom rules, WAF Managed Rules, and rate limiting rules. Rules that mitigate traffic can include scores from traffic scans in their expressions to better address possibly malicious requests. 
+- **Mitigation**: Blocks, challenges, or throttles requests through different mitigation features such as [custom rules](/waf/custom-rules/), [Managed Rules](/waf/managed-rules/), and [rate limiting rules](/waf/rate-limiting-rules/). Rules that mitigate traffic can include scores from traffic scans in their expressions to better address possibly malicious requests. + +:::caution[Warning] -:::caution Enabling traffic detections will not apply any mitigation measures to incoming traffic; detections only provide signals that you can use to define your attack mitigation strategy. ::: 
@@ -44,26 +45,16 @@ Enabling traffic detections will not apply any mitigation measures to incoming t The WAF currently provides the following detections for finding security threats in incoming requests: -- [**Bots**](/bots/reference/bot-management-variables/#ruleset-engine-fields): Scores traffic on a scale from 1 (likely to be a bot) to 99 (likely to be human). -- [**Attacks**](/waf/about/waf-attack-score/): Checks for known attack variations and malicious payloads. Scores traffic on a scale from 1 (likely to be malicious) to 99 (unlikely to be malicious). -- [**Malicious uploads**](/waf/about/content-scanning/): Scans content objects, such as uploaded files, for malicious signatures like malware. +- [**Bot score**](/bots/concepts/bot-score/): Scores traffic on a scale from 1 (likely to be a bot) to 99 (likely to be human). +- [**Attack score**](/waf/detections/attack-score/): Checks for known attack variations and malicious payloads. Scores traffic on a scale from 1 (likely to be malicious) to 99 (unlikely to be malicious). +- [**Malicious uploads**](/waf/detections/malicious-uploads/): Scans content objects, such as uploaded files, for malicious signatures like malware. To enable traffic detections in the Cloudflare dashboard, go to your domain > **Security** > **Settings**. :::note -Currently, you cannot manage the [Bots](/bots/reference/bot-management-variables/#ruleset-engine-fields) and [Attacks](/waf/about/waf-attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details. +Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details. 
::: -### WAF mitigation features - -The WAF provides the following mitigation features for traffic posing as a security threat: - -- [**Custom rules**](/waf/custom-rules/): Allow you to control incoming traffic by filtering requests to a zone. You can perform actions like Block or Managed Challenge on incoming requests according to rules you define. -- [**Rate limiting rules**](/waf/rate-limiting-rules/): Allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached. -- [**Managed rules**](/waf/managed-rules/): Allow you to deploy pre-configured managed rulesets that provide immediate protection against common attacks. - -To configure these mitigation features in the Cloudflare dashboard, go to your domain > **Security** > **WAF**. - --- ## Rule execution order diff --git a/src/content/docs/waf/custom-rules/index.mdx b/src/content/docs/waf/custom-rules/index.mdx index ffd2b83081a050..d446a1cbda7300 100644 --- a/src/content/docs/waf/custom-rules/index.mdx +++ b/src/content/docs/waf/custom-rules/index.mdx 
@@ -2,27 +2,26 @@ pcx_content_type: concept title: Custom rules sidebar: - order: 4 - + order: 5 --- -Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like *Block* or *Managed Challenge* on incoming requests according to rules you define. +Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like _Block_ or _Managed Challenge_ on incoming requests according to rules you define. Like other rules evaluated by Cloudflare's [Ruleset Engine](/ruleset-engine/), custom rules have the following basic parameters: -* An [expression](/ruleset-engine/rules-language/expressions/) that specifies the criteria you are matching traffic on using the [Rules language](/ruleset-engine/rules-language/). -* An [action](/ruleset-engine/rules-language/actions/) that specifies what to perform when there is a match for the rule. +- An [expression](/ruleset-engine/rules-language/expressions/) that specifies the criteria you are matching traffic on using the [Rules language](/ruleset-engine/rules-language/). +- An [action](/ruleset-engine/rules-language/actions/) that specifies what to perform when there is a match for the rule. -Custom rules are evaluated in order, and some actions like *Block* will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/). +Custom rules are evaluated in order, and some actions like _Block_ will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/). :::note[Did you migrate from Cloudflare Firewall Rules?] -Refer to the [migration guide](/waf/reference/migration-guides/firewall-rules-to-custom-rules/#main-differences) to learn more about the differences between firewall rules and custom rules. 
+Refer to the [migration guide](/waf/reference/migration-guides/firewall-rules-to-custom-rules/#main-differences) to learn more about the differences between firewall rules and custom rules. ::: To define sets of custom rules that apply to more than one zone, use [custom rulesets](/waf/custom-rules/custom-rulesets/), which require an Enterprise plan with a paid add-on. -*** +--- ## Next steps diff --git a/src/content/docs/waf/about/waf-attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx similarity index 83% rename from src/content/docs/waf/about/waf-attack-score.mdx rename to src/content/docs/waf/detections/attack-score.mdx index b52d2df2f66e2f..08fc433ec13c70 100644 --- a/src/content/docs/waf/about/waf-attack-score.mdx +++ b/src/content/docs/waf/detections/attack-score.mdx 
@@ -3,20 +3,20 @@ title: WAF attack score pcx_content_type: concept sidebar: order: 2 + label: Attack score --- import { GlossaryTooltip } from "~/components"; -WAF attack score is a feature that complements [WAF Managed Rules](/waf/managed-rules/). +The attack score [traffic detection](/waf/concepts/#detection-versus-mitigation) helps identify variations of known attacks and their malicious payloads. This detection complements [WAF Managed Rules](/waf/managed-rules/). WAF's managed rulesets contain rules that are continuously updated to better detect malicious payloads. They target specific patterns of established attack vectors and have a very low rate of false positives. However, managed rulesets are not optimized for attacks based on variations of the original signature introduced, for example, by fuzzing techniques. -WAF attack score allows you to identify these attack variations and their malicious payloads. It classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Just like [Bot Management](/bots/plans/bm-subscription/), you can use this score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules. +Attack score allows you to identify these attack variations and their malicious payloads. It classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Just like [Bot Management](/bots/plans/bm-subscription/), you can use this score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules. -To maximize protection, Cloudflare recommends that you use both Managed Rules and WAF attack score. +To maximize protection, Cloudflare recommends that you use both Managed Rules and attack score. :::note - This feature is available to Enterprise customers. 
Business plans have access to a single field (WAF Attack Score Class). ::: @@ -32,7 +32,7 @@ The Cloudflare WAF provides the following attack scores: | WAF RCE Attack Score | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorerce) | | WAF Attack Score Class | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoreclass) | -You can use the fields for these scores in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/) where: +You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/) where: - A score of `1` indicates that the request is almost certainly malicious. - A score of `99` indicates that the request is likely clean. @@ -55,7 +55,7 @@ Attack score automatically detects and decodes Base64, JavaScript (Unicode escap --- -## Start using the WAF attack score +## Start using WAF attack score ### 1. Create a custom rule diff --git a/src/content/docs/waf/detections/index.mdx b/src/content/docs/waf/detections/index.mdx new file mode 100644 index 00000000000000..f311d6ee355800 --- /dev/null +++ b/src/content/docs/waf/detections/index.mdx 
@@ -0,0 +1,41 @@ +--- +pcx_content_type: concept +title: Traffic detections +sidebar: + order: 4 +head: + - tag: title + content: Traffic detections +--- + +import { DirectoryListing, FeatureTable } from "~/components"; + +WAF traffic detections check incoming requests for malicious or potentially malicious activity. Each enabled detection provides one or more scores — available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard — that you can use in WAF rule expressions. + +The WAF currently provides the following detections for finding security threats in incoming requests: + + + +## Availability + + + +For more information on bot score, refer to the [Bots documentation](/bots/concepts/bot-score/). + +## Turn on a detection + +To turn on a traffic detection: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. +2. Go to **Security** > **Settings**. +3. Under **Incoming traffic detections**, turn on the desired detections. + +Enabled detections will run for all incoming traffic. + +:::note +Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details. +::: + +## More resources + +For more information on detection versus mitigation, refer to [Concepts](/waf/concepts/#detection-versus-mitigation). diff --git a/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx b/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx new file mode 100644 index 00000000000000..3f20577c6a5f37 --- /dev/null +++ b/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx 
@@ -0,0 +1,123 @@ +--- +title: Common API calls +pcx_content_type: configuration +sidebar: + order: 3 +head: + - tag: title + content: Common API calls | Leaked credentials detection +--- + +## Required API token permissions + +The API token used in API requests to manage the leaked credentials detection and custom detection locations must have one of the following [permissions](/fundamentals/api/reference/permissions/): + +- Zone WAF Edit +- Account WAF Edit + +--- + +## General operations + +The following API examples cover basic operations such as enabling and disabling the leaked credentials detection. + +### Turn on leaked credentials detection + +To turn on leaked credentials detection, use a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ "enabled": true }' +``` + +### Turn off leaked credentials detection + +To turn off leaked credentials detection, use a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ "enabled": false }' +``` + +### Get status of leaked credentials detection + +To obtain the current status of the leaked credentials detection, use a `GET` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " +``` + +```json output +{ + "result": { + "enabled": true + }, + "success": true, + "errors": [], + "messages": [] +} +``` + +## Custom detection location operations + +The following API examples cover operations on custom detection locations for leaked credentials detection. 
+ +### Get existing custom detection locations + +To get a list of existing custom detection locations, use a `GET` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " +``` + +```json output +{ + "result": [ + { + "id": "", + "username": "lookup_json_string(http.request.body.raw, \"user\")", + "password": "lookup_json_string(http.request.body.raw, \"secret\")" + } + // (...) + ], + "success": true, + "errors": [], + "messages": [] +} +``` + +### Add a custom detection location + +Use a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ + "username": "lookup_json_string(http.request.body.raw, \"user\")", + "password": "lookup_json_string(http.request.body.raw, \"secret\")" +}' +``` + +### Delete a custom detection location + +Use a `DELETE` request similar to the following: + +```bash +curl --request DELETE \ +"https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections/{item_id}" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " +``` diff --git a/src/content/docs/waf/detections/leaked-credentials/examples.mdx b/src/content/docs/waf/detections/leaked-credentials/examples.mdx new file mode 100644 index 00000000000000..e10ac2950f77a6 --- /dev/null +++ b/src/content/docs/waf/detections/leaked-credentials/examples.mdx 
@@ -0,0 +1,59 @@ +--- +title: Mitigation examples +pcx_content_type: configuration +sidebar: + order: 4 + label: Mitigation examples +head: + - tag: title + content: Leaked credentials mitigation examples +description: Examples of rules for mitigating requests containing leaked credentials. +--- + +import { Example } from "~/components"; + +## Rate limit suspicious logins with leaked credentials + +:::note +Access to the `cf.waf.credential_check.username_and_password_leaked` field requires a Pro plan or above. +::: + +Create a [rate limiting rule](/waf/rate-limiting-rules/) using [account takeover (ATO) detection](/bots/concepts/detection-ids/#account-takeover-detections) and leaked credentials fields to limit volumetric attacks from particular IP addresses, JA4 Fingerprints, or countries. + +The following example rule applies rate limiting to requests with a specific [ATO detection ID](/bots/concepts/detection-ids/#account-takeover-detections) (corresponding to `Observes all login traffic to the zone`) that contain a previously leaked username and password: + + + +**When incoming requests match**:
+`(any(cf.bot_management.detection_ids[*] eq 201326593 and cf.waf.credential_check.username_and_password_leaked))` + +**With the same characteristics**: _IP_ + +When rate exceeds: + +- **Requests**: `5` +- **Period**: _1 minute_ + +
+ +## Challenge requests containing leaked credentials + +:::note +Access to the _User and Password Leaked_ (`cf.waf.credential_check.username_and_password_leaked`) field requires a Pro plan or above. +::: + +Create a [custom rule](/waf/custom-rules/) that challenges requests containing a previously leaked set of credentials (username and password). + +- **Expression**: If you use the Expression Builder, configure the following expression: + + | Field | Operator | Value | + | ------------------------ | -------- | ----- | + | User and Password Leaked | equals | True | + + If you use the Expression Editor, enter the following expression: + + ```txt + (cf.waf.credential_check.username_and_password_leaked) + ``` + +- **Action**: _Managed Challenge_ diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx new file mode 100644 index 00000000000000..2eeda618ab7ef7 --- /dev/null +++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx 
@@ -0,0 +1,171 @@ +--- +title: Get started +pcx_content_type: get-started +sidebar: + order: 2 +head: + - tag: title + content: Get started with leaked credentials detection +--- + +import { TabItem, Tabs, Details } from "~/components"; + +## 1. Turn on leaked credentials detection + +On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API. + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. +2. Go to **Security** > **Settings**. +3. Under **Incoming traffic detections**, turn on **Leaked credentials**. + + + +Enable the feature using a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ "enabled": true }' +``` + + + +:::note +To achieve optimal latency performance, Cloudflare recommends that you turn off [Exposed Credentials Checks](/waf/managed-rules/reference/exposed-credentials-check/) (a previous implementation) after turning on leaked credentials detection and setting up your mitigation strategy as described in the next steps. +::: + +## 2. Validate the leaked credentials detection behavior + +Use [Security Analytics](/waf/analytics/security-analytics/) and HTTP logs to validate that the WAF is correctly detecting leaked credentials in incoming requests. + +Refer to [Test your configuration](#test-your-configuration) for more information on the test credentials you can use to validate your configuration. + +Alternatively, create a WAF custom rule like the one described in the next step using a _Log_ action (only available to Enterprise customers). This rule will generate firewall events (available in **Security** > **Events**) that will allow you to validate your configuration. 
+ +## 3. Mitigate requests with leaked credentials + +If you are on a Free plan, deploy the suggested [rate limiting rule](/waf/rate-limiting-rules/) template available in **WAF** > **Rate limiting rules**. When you deploy a rule using this template, you get instant protection against IPs attempting to access your application with a leaked password more than five times per 10 seconds. This rule can delay attacks by blocking them for a period of time. Alternatively, you can create a custom rule. + +Paid plans have access to more granular controls when creating a WAF rule. If you are on a paid plan, create a [custom rule](/waf/custom-rules/) that challenges requests containing leaked credentials: + +| Field | Operator | Value | +| ------------------------ | -------- | ----- | +| User and Password Leaked | equals | True | + +If you use the Expression Editor, enter the following expression: + +```txt +(cf.waf.credential_check.username_and_password_leaked) +``` + +Rule action: _Managed Challenge_ + +This rule will match requests where the WAF detects a previously leaked set of credentials (username and password). For a list of fields provided by leaked credentials detection, refer to [Leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields). + +
+ +You can combine the previous expression with other [fields](/ruleset-engine/rules-language/fields/) and [functions](/ruleset-engine/rules-language/functions/) of the Rules language. This allows you to customize the rule scope or combine leaked credential checking with other security features. For example: + +- The following expression will match requests containing leaked credentials addressed at an authentication endpoint: + + | Field | Operator | Value | Logic | + | ------------------------ | -------- | ------------------ | ----- | + | User and Password Leaked | equals | True | And | + | URI Path | contains | `/admin/login.php` | | + + Expression when using the editor:
+ `(cf.waf.credential_check.username_and_password_leaked and http.request.uri.path contains "/admin/login.php")` + +- The following expression will match requests coming from bots that include authentication credentials: + + | Field | Operator | Value | Logic | + | ----------------------- | --------- | ----- | ----- | + | Authentication detected | equals | True | And | + | Bot Score | less than | `10` | | + + Expression when using the editor:
+ `(cf.waf.auth_detected and cf.bot_management.score lt 10)` + +
+ +For additional examples, refer to [Mitigation examples](/waf/detections/leaked-credentials/examples/). + +### Handle detected leaked credentials at the origin server + +Additionally, you may want to handle leaked credentials detected by Cloudflare at your origin server. + +1. Turn on the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header). + +2. For requests received at your origin server containing the `Exposed-Credential-Check` header, you could redirect your end users to your reset password page when detecting previously leaked credentials. + +## 4. (Optional) Configure a custom detection location + +To check for leaked credentials in a way that is not covered by the default configuration, add a custom detection location. + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. +2. Go to **Security** > **Settings**. +3. Under **Incoming traffic detections**, select **Leaked credentials** and then select the three dots to add a custom detection. +4. In **Username location**, enter an expression for obtaining the username in the HTTP request. For example: + + ```txt + lookup_json_string(http.request.body.raw, "user") + ``` + +5. In **Password location**, enter an expression for obtaining the password in the HTTP request. For example: + + ```txt + lookup_json_string(http.request.body.raw, "secret") + ``` + +6. Select **Save**. 
+ + + +Use a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ + "username": "lookup_json_string(http.request.body.raw, \"user\")", + "password": "lookup_json_string(http.request.body.raw, \"secret\")" +}' +``` + +This pair of lookup expressions (for username and password) will scan incoming HTTP requests containing a JSON body with a structure similar to the following: + +```js +{"user": "", "secret": ""} +``` + + + +You only need to provide an expression for the username in custom detection locations. + +--- + +## Test your configuration + +Cloudflare provides a special set of case-sensitive credentials for testing the configuration of the leaked credentials detection. + +After enabling and configuring the detection, you can use the credentials mentioned in this section in your test HTTP requests. + +Test credentials for users on a Free plan (will also work in paid plans): + +- Username: `CF_LEAKED_USERNAME_FREE` +- Password: `CF_LEAKED_PASSWORD` + +Test credentials for users on paid plans (will not work on Free plans): + +- Username: `CF_EXPOSED_USERNAME` or `CF_EXPOSED_USERNAME@example.com` +- Password: `CF_EXPOSED_PASSWORD` + +The Cloudflare WAF considers these specific credentials as having been previously leaked. Use them in your tests to check the behavior of your current configuration. diff --git a/src/content/docs/waf/detections/leaked-credentials/index.mdx b/src/content/docs/waf/detections/leaked-credentials/index.mdx new file mode 100644 index 00000000000000..f8330909f10d4c --- /dev/null +++ b/src/content/docs/waf/detections/leaked-credentials/index.mdx 
@@ -0,0 +1,97 @@ +--- +title: Leaked credentials detection +pcx_content_type: concept +sidebar: + order: 3 + group: + label: Leaked credentials +--- + +The leaked credentials [traffic detection](/waf/detections/) scans incoming requests for previously leaked credentials (usernames and passwords) previously leaked from data breaches. + +## How it works + +Once enabled, leaked credentials detection will scan incoming HTTP requests for known authentication patterns from common web apps and any custom detection locations you configure. + +If Cloudflare detects authentication credentials in the request, those credentials are checked against a list of known leaked credentials. This list of credentials consists of Cloudflare-collected credentials, in addition to the [Have I been Pwned (HIBP)](https://haveibeenpwned.com) matched passwords dataset. + +Cloudflare will populate the existing [leaked credentials fields](#leaked-credentials-fields) based on the scan results. You can check these results in the Security Analytics dashboard, and use these fields in rule expressions ([custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/)) to protect your application against the usage of compromised credentials by your end users, and also against leaked credential attacks. + +In addition, leaked credentials detection provides a [managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header) that adds an `Exposed-Credential-Check` request header with a value indicating which field was leaked. For example, if both username and password were previously leaked, the header value will be `1`; if only the password was leaked, the value will be `4`. + +One common approach used in web applications when detecting the use of stolen credentials is to warn end users about the situation and ask them to update their password. You can do this based on the managed header received at your origin server. 
+ +:::note +Cloudflare may detect leaked credentials either because an attacker is performing a credential stuffing attack or because a legitimate end user is reusing a previously leaked password. +::: + +## Availability + +For details on available features per plan, refer to [Availability](/waf/detections/#availability) in the traffic detections page. + +## Default scan locations + +Leaked credentials detection includes rules for identifying credentials in HTTP requests for the following well-known web applications: + +- Drupal +- Joomla +- Ghost +- Magento +- Plone +- WordPress +- Microsoft Exchange OWA + +Additionally, the scan includes generic rules for other common web authentication patterns. + +You can also configure custom detection locations to address the specific authentication mechanism used in your web applications. A custom detection location tells the Cloudflare WAF where to find usernames and passwords in HTTP requests of your web application. + +## Custom detection locations + +:::note +Only available for Enterprise customers. +::: + +Sometimes, you may wish to specify where to find credentials in HTTP requests for the specific case of your web applications. + +For example, if the JSON body of an HTTP authenticating a user looked like the following in your web application: + +```json +{ "user": "", "secret": "" } +``` + +You could configure a custom detection location with the following settings: + +- Custom location for username:
+ `lookup_json_string(http.request.body.raw, "user")` +- Custom location for password:
+ `lookup_json_string(http.request.body.raw, "secret")` + +When specifying a custom detection location, only the location of the username field is required. + +Expressions used to specify custom detection locations can include the following fields and functions: + +- Fields: + - [`http.request.body.raw`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyraw) + - [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders) + - [`http.request.uri.query`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturiquery) +- Functions: + - [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) + - [`lower()`](/ruleset-engine/rules-language/functions/#lower) + +For instructions on configuring a custom detection location, refer to [Get started](/waf/detections/leaked-credentials/get-started/#4-optional-configure-a-custom-detection-location). + +## Leaked credentials fields + +| Field name in the dashboard | Field | Availability | +| --------------------------- | ----------------------------------------------------------- | ------------------ | +| Password Leaked | [`cf.waf.credential_check.password_leaked`][1] | All plans | +| User and Password Leaked | [`cf.waf.credential_check.username_and_password_leaked`][2] | Pro plan and above | +| Username Leaked | [`cf.waf.credential_check.username_leaked`][3] | Enterprise plan | +| Similar Password Leaked | [`cf.waf.credential_check.username_password_similar`][4] | Enterprise plan | +| Authentication detected | [`cf.waf.auth_detected`][5] | Enterprise plan | + +[1]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkpassword_leaked +[2]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_and_password_leaked +[3]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_leaked +[4]: 
/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_password_similar +[5]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafauth_detected diff --git a/src/content/docs/waf/detections/link-bots.mdx b/src/content/docs/waf/detections/link-bots.mdx new file mode 100644 index 00000000000000..1d032b0984ace5 --- /dev/null +++ b/src/content/docs/waf/detections/link-bots.mdx @@ -0,0 +1,7 @@ +--- +pcx_content_type: navigation +title: Bot score +external_link: /bots/concepts/bot-score/ +sidebar: + order: 4 +--- diff --git a/src/content/docs/waf/about/content-scanning/api-calls.mdx b/src/content/docs/waf/detections/malicious-uploads/api-calls.mdx similarity index 100% rename from src/content/docs/waf/about/content-scanning/api-calls.mdx rename to src/content/docs/waf/detections/malicious-uploads/api-calls.mdx diff --git a/src/content/docs/waf/about/content-scanning/example-rules.mdx b/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx similarity index 77% rename from src/content/docs/waf/about/content-scanning/example-rules.mdx rename to src/content/docs/waf/detections/malicious-uploads/example-rules.mdx index 4602f4c25b57a6..d889c17654f877 100644 --- a/src/content/docs/waf/about/content-scanning/example-rules.mdx +++ b/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx 
@@ -5,43 +5,42 @@ sidebar:
order: 3
head:
- tag: title
- content: Example rules for content scanning
-
+ content: Example rules checking uploaded content objects
---
## Log requests with an uploaded content object
This [custom rule](/waf/custom-rules/) example logs all requests with at least one uploaded content object:
-* Expression: `cf.waf.content_scan.has_obj`
-* Action: *Log*
+- Expression: `cf.waf.content_scan.has_obj`
+- Action: _Log_
## Block requests to URI path with a malicious content object
This custom rule example blocks requests addressed at `/upload.php` that contain at least one uploaded content object considered malicious:
-* Expression: `cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php"`
-* Action: *Block*
+- Expression: `cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php"`
+- Action: _Block_
## Block requests with non-PDF file uploads
This custom rule example blocks requests addressed at `/upload` with uploaded content objects that are not PDF files:
-* Expression: `any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"`
-* Action: *Block*
+- Expression: `any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"`
+- Action: _Block_
## Block requests with uploaded files over 500 KB
This custom rule example blocks requests addressed at `/upload` with uploaded content objects over 500 KB in size:
-* Expression: `any(cf.waf.content_scan.obj_sizes[*] > 500000) and http.request.uri.path eq "/upload"`
-* Action: *Block*
+- Expression: `any(cf.waf.content_scan.obj_sizes[*] > 500000) and http.request.uri.path eq "/upload"`
+- Action: _Block_
## Block requests with uploaded files over the content scanning limit (15 MB)
This custom rule example blocks requests with uploaded content objects over 15 MB in size (the current content scanning limit):
-* Expression: `any(cf.waf.content_scan.obj_sizes[*] >= 15000000)`
-* Action: *Block*
+- Expression: `any(cf.waf.content_scan.obj_sizes[*] >= 15000000)`
+- Action: _Block_
In this example, you must also test for equality because currently any file over 15 MB will be handled internally as if it had a size of 15 MB. This means that using the `>` (greater than) [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) would not work for this particular rule — you should use `>=` (greater than or equal) instead.
diff --git a/src/content/docs/waf/about/content-scanning/get-started.mdx b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
similarity index 93%
rename from src/content/docs/waf/about/content-scanning/get-started.mdx
rename to src/content/docs/waf/detections/malicious-uploads/get-started.mdx
index 873f55e61275fc..2a3f8e881b2c59
--- a/src/content/docs/waf/about/content-scanning/get-started.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
@@ -60,7 +60,7 @@ If you use the Expression Editor, enter the following expression:
(cf.waf.content_scan.has_malicious_obj)
```
-This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to [Content scanning fields](/waf/about/content-scanning/#content-scanning-fields).
+This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to [Content scanning fields](/waf/detections/malicious-uploads/#content-scanning-fields).
@@ -94,11 +94,11 @@ You can combine the previous expression with other [fields](/ruleset-engine/rule
-For additional examples, refer to [Example rules](/waf/about/content-scanning/example-rules/).
+For additional examples, refer to [Example rules](/waf/detections/malicious-uploads/example-rules/).
## 4. (Optional) Configure a custom scan expression
-To check uploaded content in a way that is not covered by the default configuration, add a [custom scan expression](/waf/about/content-scanning/#custom-scan-expressions).
+To check uploaded content in a way that is not covered by the default configuration, add a [custom scan expression](/waf/detections/malicious-uploads/#custom-scan-expressions).
diff --git a/src/content/docs/waf/about/content-scanning/index.mdx b/src/content/docs/waf/detections/malicious-uploads/index.mdx
similarity index 92%
rename from src/content/docs/waf/about/content-scanning/index.mdx
rename to src/content/docs/waf/detections/malicious-uploads/index.mdx
index aecb464614b7bf..8058c6fda9434c
--- a/src/content/docs/waf/about/content-scanning/index.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/index.mdx
@@ -1,18 +1,19 @@
---
-title: Uploaded content scanning
+title: Malicious uploads detection
pcx_content_type: concept
sidebar:
order: 3
+ group:
+ label: Malicious uploads
---
import { GlossaryTooltip } from "~/components";
-WAF content scanning is a WAF [traffic detection](/waf/about/#detection-versus-mitigation) that scans content being uploaded to your application.
+The malicious uploads detection, also called uploaded content scanning, is a WAF [traffic detection](/waf/concepts/#detection-versus-mitigation) that scans content being uploaded to your application.
When enabled, content scanning attempts to detect content objects, such as uploaded files, and scans them for malicious signatures like malware. The scan results, along with additional metadata, are exposed as fields available in WAF [custom rules](/waf/custom-rules/), allowing you to implement fine-grained mitigation rules.
:::note
-
This feature is available to customers on an Enterprise plan with a paid add-on.
:::
@@ -28,7 +29,7 @@ Cloudflare uses the same [anti-virus (AV) scanner used in Cloudflare Zero Trust]
Content scanning will not apply any mitigation actions to requests with content objects considered malicious. It only provides a signal that you can use to define your attack mitigation strategy. You must create rules — [custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/) — to perform actions based on detected signals.
-For more information on detection versus mitigation, refer to [Concepts](/waf/about/#detection-versus-mitigation).
+For more information on detection versus mitigation, refer to [Concepts](/waf/concepts/#detection-versus-mitigation).
:::
@@ -68,9 +69,9 @@ Sometimes, you may wish to specify where to find the content objects, such as wh { "file": "" } ``` -In these situations, configure a custom scan expression to tell the content scanner where to find the content objects. For more information, refer to [Configure a custom scan expression](/waf/about/content-scanning/get-started/#4-optional-configure-a-custom-scan-expression). +In these situations, configure a custom scan expression to tell the content scanner where to find the content objects. For more information, refer to [Configure a custom scan expression](/waf/detections/malicious-uploads/get-started/#4-optional-configure-a-custom-scan-expression). -## ​​Content scanning fields +## Content scanning fields When content scanning is enabled, you can use the following fields in WAF rules: @@ -85,4 +86,4 @@ When content scanning is enabled, you can use the following fields in WAF rules: | Content object type | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_types) | | Content object result
Values: `clean`, `suspicious`,
`infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_results) |
-For examples of rule expressions using these fields, refer to [Example rules](/waf/about/content-scanning/example-rules/).
+For examples of rule expressions using these fields, refer to [Example rules](/waf/detections/malicious-uploads/example-rules/).
diff --git a/src/content/docs/waf/get-started.mdx b/src/content/docs/waf/get-started.mdx
index 2453033d25e4d2..55c4e2fb5937fb
--- a/src/content/docs/waf/get-started.mdx
+++ b/src/content/docs/waf/get-started.mdx
@@ -11,7 +11,7 @@ The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web and
This page will guide you through the recommended initial steps for configuring the WAF to get immediate protection against the most common attacks.
-Refer to [Concepts](/waf/about/) for more information on WAF concepts, main components, and roles.
+Refer to [Concepts](/waf/concepts/) for more information on WAF concepts, main components, and roles.
:::note
This guide focuses on configuring WAF for individual domains, known as zones. The WAF configuration is also available at the account level for Enterprise customers with a paid add-on.
@@ -52,7 +52,7 @@ For more information on configuring the Cloudflare Managed Ruleset in the dashbo
WAF attack score is only available to Business customers (limited access to a single field) and Enterprise customers (full access).
:::
-[WAF attack score](/waf/about/waf-attack-score/) is a machine-learning layer that complements Cloudflare's managed rulesets, providing additional protection against SQL injection (SQLi), Cross-site scripting (XSS), and many remote code execution (RCE) attacks. It helps identify rule bypasses and potentially new, undiscovered attacks.
+[WAF attack score](/waf/detections/attack-score/) is a machine-learning layer that complements Cloudflare's managed rulesets, providing additional protection against SQL injection (SQLi), Cross-site scripting (XSS), and many remote code execution (RCE) attacks. It helps identify rule bypasses and potentially new, undiscovered attacks.
If you are an Enterprise customer, do the following:
@@ -71,7 +71,7 @@ If you are an Enterprise customer, do the following:
- **Choose action**: Block
-If you are on a Business plan, create a custom rule as mentioned above but use the [WAF Attack Score Class](/waf/about/waf-attack-score/#available-scores) field instead. For example, you could use the following rule expression: `WAF Attack Score Class equals Attack`.
+If you are on a Business plan, create a custom rule as mentioned above but use the [WAF Attack Score Class](/waf/detections/attack-score/#available-scores) field instead. For example, you could use the following rule expression: `WAF Attack Score Class equals Attack`.
## 3. Create custom rule based on bot score
@@ -133,7 +133,7 @@ Users on the Free plan only have access to Security Events.
After setting up your WAF configuration, review how incoming traffic is being affected by your current settings using the following dashboards:
-- Use [Security Analytics](/waf/analytics/security-analytics/) to explore all traffic, including traffic not affected by WAF mitigation measures. All data provided by [traffic detections](/waf/about/#available-traffic-detections) is available in this dashboard.
+- Use [Security Analytics](/waf/analytics/security-analytics/) to explore all traffic, including traffic not affected by WAF mitigation measures. All data provided by [traffic detections](/waf/concepts/#available-traffic-detections) is available in this dashboard.
- Use [Security Events](/waf/analytics/security-events/) to get more information about requests that are being mitigated by Cloudflare security products. Enterprise customers can also obtain data about HTTP requests and security events using [Cloudflare Logs](/logs/).
@@ -166,7 +166,7 @@ Use [leaked credential checks](/waf/managed-rules/check-for-exposed-credentials/
Available to Enterprise customers with a paid add-on.
:::
-[Use WAF content scanning](/waf/about/content-scanning/get-started/) to scan content being uploaded to your application, searching for malicious content.
+[Use WAF content scanning](/waf/detections/malicious-uploads/get-started/) to scan content being uploaded to your application, searching for malicious content.
### Get additional security for your APIs
diff --git a/src/content/docs/waf/index.mdx b/src/content/docs/waf/index.mdx
index 9568506056b0cb..89eddcc7a21c9b
--- a/src/content/docs/waf/index.mdx
+++ b/src/content/docs/waf/index.mdx
@@ -37,8 +37,8 @@ Learn how to [get started](/waf/get-started/).
Create your own custom rules to protect your website and your APIs from malicious incoming traffic. Use advanced features like [WAF attack
- score](/waf/about/waf-attack-score/) and [uploaded content
- scanning](/waf/about/content-scanning/) in your custom rules.
+ score](/waf/detections/attack-score/) and [malicious uploads
+ detection](/waf/detections/malicious-uploads/) in your custom rules.
diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx
index 5e0d9c24669cd4..bc94af87c7a72f
--- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx
@@ -8,15 +8,18 @@ head:
content: Configure exposed credentials checks via API
---
+import { Render } from "~/components";
+
Configure exposed credentials checks using the [Rulesets API](/ruleset-engine/rulesets-api/). You can do the following:
- [Deploy the Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/#configure-via-api).
- Create custom rules that check for exposed credentials.
+
+
## Create a custom rule checking for exposed credentials
:::note
-
This feature requires account-level WAF, which is available to Enterprise customers with a paid add-on.
:::
diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx
index 9f86497bf49b7d..e549742c162237
--- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx
@@ -6,15 +6,18 @@ sidebar: head: - tag: title content: How exposed credentials checks work - --- -import { Example } from "~/components" +import { Render, Example } from "~/components"; WAF rules can include a check for exposed credentials. When enabled in a given rule, exposed credentials checking happens when there is a match for the rule expression (that is, the rule expression evaluates to `true`). At this point, the WAF looks up the username/password pair in the request against a database of publicly available stolen credentials. When both the rule expression and the exposed credentials check are true, there is a rule match, and Cloudflare performs the action configured in the rule. + + +## Example + For example, the following rule matches `POST` requests to the `/login.php` URI when Cloudflare identifies the submitted credentials as previously exposed: @@ -26,10 +29,10 @@ Rule expression:
Exposed credentials check with the following configuration:
-* Username expression: `http.request.body.form["user_id"]`
-* Password expression: `http.request.body.form["password"]`
+- Username expression: `http.request.body.form["user_id"]`
+- Password expression: `http.request.body.form["password"]`
-Action: *Interactive Challenge*
+Action: _Interactive Challenge_
diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
index 117115ed494bc5..4ce562356b69d5
--- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
@@ -3,53 +3,50 @@ pcx_content_type: concept title: Check for exposed credentials sidebar: order: 12 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; -Many web applications have suffered credential stuffing attacks in the recent past. In these attacks there is a massive number of login attempts using username/password pairs from databases of exposed credentials. +Many web applications have suffered credential stuffing attacks in the recent past. In these attacks there is a massive number of login attempts using username/password pairs from databases of exposed credentials. Cloudflare offers you automated checks for exposed credentials using Cloudflare Web Application Firewall (WAF). -:::note - - -This feature is available to all paid plans. - - -::: + The WAF provides two mechanisms for this check: -* The [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), which contains predefined rules for popular CMS applications. By enabling this ruleset for a given zone, you immediately enable checks for exposed credentials for these well-known applications. +- The [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), which contains predefined rules for popular CMS applications. By enabling this ruleset for a given zone, you immediately enable checks for exposed credentials for these well-known applications. The managed ruleset is available to all paid plans. -* The ability to [write custom rules](#exposed-credentials-checks-in-custom-rules) at the account level that check for exposed credentials according to your criteria. +- The ability to [write custom rules](#exposed-credentials-checks-in-custom-rules) at the account level that check for exposed credentials according to your criteria. This configuration option is available to Enterprise customers with a paid add-on. 
Cloudflare updates the databases of exposed credentials supporting the exposed credentials check feature on a regular basis.
-The username and password credentials in clear text never leave the Cloudflare network. The WAF only uses an anonymized version of the username and password when determining if there are previously exposed credentials. Cloudflare follows the approach based on the *k*-Anonymity mathematical property described in the following blog post: [Validating Leaked Passwords with k-Anonymity](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/).
+The username and password credentials in clear text never leave the Cloudflare network. The WAF only uses an anonymized version of the username and password when determining if there are previously exposed credentials. Cloudflare follows the approach based on the _k_-Anonymity mathematical property described in the following blog post: [Validating Leaked Passwords with k-Anonymity](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/).
## Available actions
The WAF can perform one of the following actions when it detects exposed credentials:
-* **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`.
-* **Managed Challenge**: Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria.
-* **Block**: Blocks HTTP requests containing exposed credentials.
-* **JS Challenge**: Presents a non-interactive challenge to the clients making HTTP requests with exposed credentials.
-* **Log**: Only available on Enterprise plans. Logs requests with exposed credentials in the Cloudflare logs. Recommended for validating a rule before committing to a more severe action.
-* **Interactive Challenge**: Presents an interactive challenge to the clients making HTTP requests with exposed credentials.
+- **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`.
+
+ :::caution
+ While the header name is the same as when using the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header), the header can have different values when using the managed transform (from `1` to `4`), depending on your Cloudflare plan.
+ :::
-The default action for the rules in the Exposed Credentials Check Managed Ruleset is *Exposed-Credential-Check Header* (named `rewrite` in the API).
+- **Managed Challenge**: Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria.
+- **Block**: Blocks HTTP requests containing exposed credentials.
+- **JS Challenge**: Presents a non-interactive challenge to the clients making HTTP requests with exposed credentials.
+- **Log**: Only available on Enterprise plans. Logs requests with exposed credentials in the Cloudflare logs. Recommended for validating a rule before committing to a more severe action.
+- **Interactive Challenge**: Presents an interactive challenge to the clients making HTTP requests with exposed credentials.
-Cloudflare recommends that you only use the following actions: *Exposed-Credential-Check Header* (named `rewrite` in the API) and *Log* (`log`).
+The default action for the rules in the Exposed Credentials Check Managed Ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API).
+
+Cloudflare recommends that you only use the following actions: _Exposed-Credential-Check Header_ (named `rewrite` in the API) and _Log_ (`log`).
## Exposed credentials checks in custom rules
:::note
-
-Exposed credentials checks in custom rules are only available via API and require account-level WAF, which is available to Enterprise customers with a paid add-on.
+Exposed credentials checks in custom rules are only available via API and require account-level WAF, which is available to Enterprise customers with a paid add-on.
:::
Besides enabling the [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), you can also check for exposed credentials in [custom rules](/waf/custom-rules/). One common use case is to create custom rules on the end user authentication endpoints of your application to check for exposed credentials. Rules that check for exposed credentials run before rate limiting rules.
diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx
index da899973534576..f8b69196be6e4d
--- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx
@@ -5,14 +5,16 @@ sidebar:
order: 6
---
+import { Render } from "~/components";
+
The **Activity log** in Security Events shows entries for requests with exposed credentials identified by rules with the _Log_ action. Check for exposed credentials events in the Security Events dashboard (**Security** > **Events** tab), filtering by a specific Rule ID. For more information on filtering security events, refer to [Adjusting displayed data](/waf/analytics/security-events/paid-plans/#adjusting-displayed-data).
-:::caution
+
-- Exposed credentials events are only logged after you activate the Exposed Credentials Check Managed Ruleset or create a custom rule checking for exposed credentials.
+## Important notes
-- The log entries will not contain the values of the exposed credentials (username, email, or password). However, if [matched payload logging](/waf/managed-rules/payload-logging/) is enabled, the log entries will contain the values of the fields in the rule expression that triggered the rule. These values might be the values of credential fields, depending on your rule configuration.
+Exposed credentials events are only logged after you activate the Exposed Credentials Check Managed Ruleset or create a custom rule checking for exposed credentials.
-:::
+The log entries will not contain the values of the exposed credentials (username, email, or password). However, if [matched payload logging](/waf/managed-rules/payload-logging/) is enabled, the log entries will contain the values of the fields in the rule expression that triggered the rule. These values might be the values of credential fields, depending on your rule configuration.
diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx
index 03bea1308b05d6..2cfc7fb72110ac
--- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx
@@ -6,13 +6,14 @@ sidebar:
head:
- tag: title
content: Test your exposed credentials checks configuration
-
---
-import { Render } from "~/components"
+import { Render } from "~/components";
After enabling and configuring exposed credentials checks, you may want to test if the checks are working properly.
+
+
Cloudflare provides a special set of case-sensitive credentials for this purpose:
diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx
index a10ea4c291dd87..904f7edd0431f9
--- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx
+++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx
@@ -5,11 +5,11 @@ sidebar:
order: 4
---
+import { Render } from "~/components";
+
The Cloudflare Exposed Credentials Check Managed Ruleset is a set of pre-configured rules for well-known CMS applications that perform a lookup against a public database of stolen credentials.
-:::note
-The Cloudflare Exposed Credentials Check Managed Ruleset is only available in the Cloudflare WAF announced on March 2021.
-:::
+
The managed ruleset includes rules for the following CMS applications:
@@ -28,9 +28,7 @@ Additionally, this managed ruleset also includes generic rules for other common
The default action for the rules in managed ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API).
-:::note[Note]
-The managed ruleset contains an additional rule that blocks HTTP requests already containing the `Exposed-Credential-Check` HTTP header used by the _Exposed-Credential-Check Header_ action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials.
-:::
+The managed ruleset also contains a rule that blocks HTTP requests already containing the `Exposed-Credential-Check` HTTP header used by the _Exposed-Credential-Check Header_ action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials.
For more information on exposed credential checks, refer to [Check for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/).
diff --git a/src/content/glossary/waf.yaml b/src/content/glossary/waf.yaml
index fd470e78de8b9f..a1bb4f6832d775
--- a/src/content/glossary/waf.yaml
+++ b/src/content/glossary/waf.yaml
@@ -23,9 +23,9 @@ entries:
general_definition: |-
credential stuffing is the automated injection of stolen username and password pairs (known as "credentials") into website login forms, trying to gain access to user accounts.
- - term: exposed credentials
+ - term: leaked credentials
general_definition: |-
- exposed credentials refers to sensitive authentication information disclosed in some way (for example, due to misconfigurations, data breaches, or simple human error), allowing other parties to gain access to digital resources.
+ leaked credentials refers to sensitive authentication information disclosed in some way (for example, due to misconfigurations, data breaches, or simple human error), allowing other parties to gain access to digital resources.
Credentials may include usernames, passwords, API keys, authentication tokens, or private keys.
diff --git a/src/content/partials/fundamentals/cloudflare-security.mdx b/src/content/partials/fundamentals/cloudflare-security.mdx
index 7892588ac12f9e..4953a86fc31c1f
--- a/src/content/partials/fundamentals/cloudflare-security.mdx
+++ b/src/content/partials/fundamentals/cloudflare-security.mdx
@@ -1,10 +1,9 @@
---
{}
-
---
Beyond hiding your origin's IP address from potential attackers, Cloudflare also stops malicious traffic before it reaches your origin web server.
-Cloudflare automatically mitigates security risks using our [WAF](/waf/about/) and [DDoS protection](/ddos-protection/).
+Cloudflare automatically mitigates security risks using our [WAF](/waf/) and [DDoS protection](/ddos-protection/).
For additional details on security, refer to our guide on how to [Secure your website](/learning-paths/application-security/).
diff --git a/src/content/partials/version-management/product-limitations.mdx b/src/content/partials/version-management/product-limitations.mdx
index b3f03ac931d16e..2c91147ea04f6d
--- a/src/content/partials/version-management/product-limitations.mdx
+++ b/src/content/partials/version-management/product-limitations.mdx @@ -1,118 +1,117 @@ --- {} - --- -import { Details } from "~/components" +import { Details } from "~/components"; Version Management does not currently support or have limited support for the following products or features: -
-* Some [API Shield](/api-shield/) configurations are not cloned when a new zone version is created. -* Customers are allowed to opt-in to remove the UI block that prevents enabling Version Management. -
+- Some [API Shield](/api-shield/) configurations are not cloned when a new zone version is created. +- Customers are allowed to opt-in to remove the UI block that prevents enabling Version Management. +
-* [Authenticated Origin Pull](/ssl/origin-configuration/authenticated-origin-pull/) does not work with Zone Versioning. -* Accessing your domain from an allowlisted IP returns a Cloudflare 520 error. -
+- [Authenticated Origin Pull](/ssl/origin-configuration/authenticated-origin-pull/) does not work with Zone Versioning. +- Accessing your domain from an allowlisted IP returns a Cloudflare 520 error. +
-* [Cache](/workers/runtime-apis/cache/) configurations are versioned, but cache keys are not. -* Caching a new URL on staging would cache it for production as well. -* Purging cache on staging would purge it on production too. -* Promoting a new version to production would wipe all exiting cache. -
+- [Cache](/workers/runtime-apis/cache/) configurations are versioned, but cache keys are not. +- Caching a new URL on staging would cache it for production as well. +- Purging cache on staging would purge it on production too. +- Promoting a new version to production would wipe all exiting cache. +
-* [Image Resizing](/images/) does not work with the `additional_cacheable_ports` [Cache Rule](/cache/how-to/cache-rules/) setting and Zone Versioning. -* If you use `additional_cacheable_ports` with Image Resizing, the image will be resized every time it is requested and will result in low performance. -
+- [Image Resizing](/images/) does not work with the `additional_cacheable_ports` [Cache Rule](/cache/how-to/cache-rules/) setting and Zone Versioning. +- If you use `additional_cacheable_ports` with Image Resizing, the image will be resized every time it is requested and will result in low performance. +
-* [Workers Cache API](/workers/runtime-apis/cache/) does not work with Version Management. -* If you use the Workers Cache API with Zone Versioning, you might encounter unexpected caching behaviours. -
+- [Workers Cache API](/workers/runtime-apis/cache/) does not work with Version Management. +- If you use the Workers Cache API with Zone Versioning, you might encounter unexpected caching behaviours. +
-* Regardless of the version deployed to production, traffic in China will always target the root zone. -* Other incompatibility issues with Access and ICP licenses. -
+- Regardless of the version deployed to production, traffic in China will always target the root zone. +- Other incompatibility issues with Access and ICP licenses. +
-* Zone Version Management does not currently expose a public [API](/api/). -* Customers can only use Version Management through the [Cloudflare dashboard](https://dash.cloudflare.com/). -
+- Zone Version Management does not currently expose a public [API](/api/). +- Customers can only use Version Management through the [Cloudflare dashboard](https://dash.cloudflare.com/). +
-* [Domain-scoped Roles](/fundamentals/setup/manage-members/roles/#domain-scoped-roles) apply only to your root zone. -* Once a new version is created, these roles do not copy over and they lose access to versions. -
+- [Domain-scoped Roles](/fundamentals/setup/manage-members/roles/#domain-scoped-roles) apply only to your root zone. +- Once a new version is created, these roles do not copy over and they lose access to versions. +
-* Changes made to [Image Transformations](/images/transform-images/#transform-images) are not cloned when a new zone version is created. -
+- Changes made to [Image Transformations](/images/transform-images/#transform-images) are not cloned when a new zone version is created. +
-* [Network Error Logging](/network-error-logging/) configurations are not cloned when a new version is created. -
+- [Network Error Logging](/network-error-logging/) configurations are not cloned when a new version is created. +
-* [Page Shield](/page-shield/) is not available for versioning and is only configurable under your Global Configuration. -
+- [Page Shield](/page-shield/) is not available for versioning and is only configurable under your Global Configuration. +
-* [Security Insights](/security-center/security-insights/) are not shown when Zone Versioning is enabled and the first version is deployed to production. -
+- [Security Insights](/security-center/security-insights/) are not shown when Zone Versioning is enabled and the first version is deployed to production. +
-* Zone Version Management does not currently support [Terraform](/terraform/). -* Customers should either use Terraform or Version Management. -
+- Zone Version Management does not currently support [Terraform](/terraform/). +- Customers should either use Terraform or Version Management. +
-* [WAF Attack Score](/waf/about/waf-attack-score/) configurations are not cloned when a new zone version is created. -
+- [WAF Attack Score](/waf/detections/attack-score/) configurations are not cloned when a new zone version is created. +
-* [Waiting Room](/waiting-room/) users active on the site may be placed back in the queue. -* Waiting Room users in the queue may lose their place in line. -* Traffic may exceed limits. -
+- [Waiting Room](/waiting-room/) users active on the site may be placed back in the queue. +- Waiting Room users in the queue may lose their place in line. +- Traffic may exceed limits. +
-* If a version has a Worker route, it might disappear when a Worker is deployed via [Wrangler](/workers/wrangler/). -* If two versions have the same custom domains, the Worker might randomly choose between them. +- If a version has a Worker route, it might disappear when a Worker is deployed via [Wrangler](/workers/wrangler/). +- If two versions have the same custom domains, the Worker might randomly choose between them. +
diff --git a/src/content/partials/waf/leaked-credentials-recommend-detection.mdx b/src/content/partials/waf/leaked-credentials-recommend-detection.mdx new file mode 100644 index 00000000000000..5c70ec5bb26e88 --- /dev/null +++ b/src/content/partials/waf/leaked-credentials-recommend-detection.mdx @@ -0,0 +1,7 @@ +--- +{} +--- + +:::note[Recommendation: Use leaked credentials detection instead] +Cloudflare recommends that you use [leaked credentials detection](/waf/detections/leaked-credentials/) instead of Cloudflare Exposed Credentials Check, which refers to a previous implementation. +::: diff --git a/src/content/partials/waf/waf-managed-rules-intro.mdx b/src/content/partials/waf/waf-managed-rules-intro.mdx index 72d85027a855e7..35bcde0c0eb321 100644 --- a/src/content/partials/waf/waf-managed-rules-intro.mdx +++ b/src/content/partials/waf/waf-managed-rules-intro.mdx @@ -1,14 +1,13 @@ --- {} - --- WAF Managed Rules allow you to deploy pre-configured managed rulesets that provide immediate protection against: -* Zero-day vulnerabilities -* Top-10 attack techniques -* Use of stolen/exposed credentials -* Extraction of sensitive data +- Zero-day vulnerabilities +- Top-10 attack techniques +- Use of stolen/leaked credentials +- Extraction of sensitive data These managed rulesets are regularly updated. Each rule has a default action that varies according to the severity of the rule. You can adjust the behavior of specific rules, choosing from several possible actions. diff --git a/src/content/plans/index.json b/src/content/plans/index.json index b267bff7e5b62c..adcd16c4a43033 100644 --- a/src/content/plans/index.json +++ b/src/content/plans/index.json 
@@ -1622,7 +1622,63 @@ } } }, - "waf_b_custom_rules": { + "waf_b_detections": { + "title": "WAF detections", + "link": "/waf/detections/", + "properties": { + "availability": { + "title": "Availability", + "summary": "Available on all plans", + "free": "Yes", + "pro": "Yes", + "biz": "Yes", + "ent": "Yes" + }, + "b_malicious_uploads": { + "title": "Malicious uploads detection", + "summary": "Enterprise with add-on", + "link": "/waf/detections/malicious-uploads/", + "free": "No", + "pro": "No", + "biz": "No", + "ent": "Paid add-on" + }, + "c_leaked_creds": { + "title": "Leaked credentials detection", + "link": "/waf/detections/leaked-credentials/", + "free": "Yes", + "pro": "Yes", + "biz": "Yes", + "ent": "Yes" + }, + "d_leaked_creds_fields": { + "title": "Leaked credentials fields", + "link": "/waf/detections/leaked-credentials/", + "free": "Password Leaked", + "pro": "Password Leaked, User and Password Leaked", + "biz": "Password Leaked, User and Password Leaked", + "ent": "All leaked credentials fields" + }, + "e_leaked_creds_locations": { + "title": "Number of custom detection locations", + "summary": "Enterprise-only", + "free": "0", + "pro": "0", + "biz": "0", + "ent": "10" + }, + "f_attack_score": { + "title": "Attack score", + "summary": "Business and Enterprise plans", + "link": "/waf/detections/attack-score/", + "free": "No", + "pro": "No", + "biz": "One field only", + "ent": "Yes" + } + } + }, + "waf_c_custom_rules": { "title": "WAF custom rules", "link": "/waf/custom-rules/", "properties": { diff --git a/src/content/products/exposed-credentials.yaml b/src/content/products/exposed-credentials.yaml deleted file mode 100644 index 5348d068e1b41b..00000000000000 --- a/src/content/products/exposed-credentials.yaml +++ /dev/null @@ -1,8 +0,0 @@ -name: Exposed credential checks - -product: - title: Exposed credential checks - group: Application security - url: /waf/managed-rules/check-for-exposed-credentials/ - wrap: true - grid_placeholder: true 
diff --git a/src/content/products/leaked-credentials.yaml b/src/content/products/leaked-credentials.yaml new file mode 100644 index 00000000000000..f5772c55877bfb --- /dev/null +++ b/src/content/products/leaked-credentials.yaml @@ -0,0 +1,8 @@ +name: Leaked credentials checks + +product: + title: Leaked credentials checks + group: Application security + url: /waf/detections/leaked-credentials/ + wrap: true + grid_placeholder: true From c400afbee66dfb33c5f896767dfa5bab3aed7a43 Mon Sep 17 00:00:00 2001 From: Kian Date: Mon, 23 Sep 2024 18:21:06 +0100 Subject: [PATCH 19/54] [Docs Site] Overhaul sidebar styling (#17026) * [Docs Site] Overhaul sidebar styling * Shrink caret size, move to native nesting --- src/components/overrides/Sidebar.astro | 46 ++++++++++++++++++++------ 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/src/components/overrides/Sidebar.astro b/src/components/overrides/Sidebar.astro index 48e454c9cc34b6..ebde3772e957a6 100644 --- a/src/components/overrides/Sidebar.astro +++ b/src/components/overrides/Sidebar.astro @@ -205,20 +205,46 @@ const lookupProductTitle = async (slug: string) => { From a5d3b364f4fa2c4fa2ebeb4af09012ff32a13b5b Mon Sep 17 00:00:00 2001 From: Daniel Walsh Date: Mon, 23 Sep 2024 18:31:44 +0100 Subject: [PATCH 20/54] Update CODEOWNERS to help support dev reviews (#17033) --- .github/CODEOWNERS | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index f11224200aaa7f..0a9205b3217cc4 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -4,17 +4,17 @@ # More dev-specific files -/.github/ @kodster28 @pedrosousa @haleycode @kristianfreeman @GregBrimble @KianNH @maxvp @marciocloudflare +/.github/ @kodster28 @pedrosousa @haleycode @kristianfreeman @GregBrimble @KianNH @maxvp @marciocloudflare @WalshyDev /.github/CODEOWNERS @cloudflare/pcx-technical-writing /.github/actions/assign-issue/index.js @cloudflare/pcx-technical-writing /.github/actions/assign-pr/index.js @cloudflare/pcx-technical-writing /.github/styles/cloudflare/spelling-exceptions.txt @cloudflare/pcx-technical-writing -/src/components/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @marciocloudflare @haleycode @maxvp @GregBrimble @KianNH -/functions/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @marciocloudflare @maxvp @GregBrimble @KianNH -*.js @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH -*.ts @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH +/src/components/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @marciocloudflare @haleycode @maxvp @GregBrimble @KianNH @WalshyDev +/functions/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @marciocloudflare @maxvp @GregBrimble @KianNH @WalshyDev +*.js @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH @WalshyDev +*.ts @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH @WalshyDev /src/content/workers-ai-models/ @kodster28 @craigsdennis @pedrosousa @cloudflare/pcx-technical-writing -/public/_redirects @GregBrimble @KianNH @kodster28 @pedrosousa @cloudflare/pcx-technical-writing +/public/_redirects @GregBrimble @KianNH @kodster28 @pedrosousa @WalshyDev 
@cloudflare/pcx-technical-writing # AI From 081c2daff2f1f050e18e81a429b82710d05261a4 Mon Sep 17 00:00:00 2001 From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Mon, 23 Sep 2024 18:43:37 +0100 Subject: [PATCH 21/54] [WAF] Updates Security Analytics (#17013) * Updates Security Analytics * Update src/content/docs/waf/analytics/security-analytics.mdx Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> * Corrects links --------- Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> --- .../docs/waf/analytics/security-analytics.mdx | 22 ++++++++++--------- src/content/plans/index.json | 20 ++++++++++++++--- 2 files changed, 29 insertions(+), 13 deletions(-) diff --git a/src/content/docs/waf/analytics/security-analytics.mdx b/src/content/docs/waf/analytics/security-analytics.mdx index a41edd8eb98ec7..6a139a202d902c 100644 --- a/src/content/docs/waf/analytics/security-analytics.mdx +++ b/src/content/docs/waf/analytics/security-analytics.mdx 
@@ -5,33 +5,35 @@ sidebar: order: 1 --- -import { GlossaryTooltip, Badge } from "~/components"; +import { FeatureTable, GlossaryTooltip, Badge } from "~/components"; Security Analytics displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products. -:::note -Available to customers on Business and Enterprise plans. -::: - Use the Security Analytics dashboard to: - View the traffic distribution for your domain. - Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or origin server). - Analyze suspicious traffic and create tailored WAF custom rules based on applied filters. -- Learn more about Cloudflare’s security scores (attack score, [bot score](/bots/concepts/bot-score/), [uploaded content scanning](/waf/detections/malicious-uploads/) results) with real data. +- Learn more about Cloudflare's security scores (attack score, [bot score](/bots/concepts/bot-score/), [malicious uploads](/waf/detections/malicious-uploads/), and [leaked credentials](/waf/detections/leaked-credentials/) results) with real data. - [Find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic. If you need to modify existing security-related rules you already configured, consider also using the [Security Events](/waf/analytics/security-events/) dashboard. This dashboard displays information about requests affected by Cloudflare security products. +## Availability + +Zone/domain-level analytics are included with all plans, though the retention period, query window, displayed statistics, and filter options vary by plan. Account-level analytics are only available to customers on Business and Enterprise domain plans. + + + ## Access To use Security Analytics: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. 
Go to the account or zone dashboard: +2. Go to the account or zone/domain dashboard: - - For the zone dashboard, select your domain and go to **Security** > **Analytics**. + - For the zone/domain dashboard, select your domain and go to **Security** > **Analytics**. - For the account dashboard, go to **Security Center** > **Security Analytics**. ## Adjusting displayed data @@ -90,7 +92,7 @@ To apply the filters for an insight to the data displayed in the Security Analyt ### Score-based analyses -The **Attack likelihood**, **Bot likelihood**, and **Malicious uploads** sections display statistics related to WAF attack scores, bot scores, and WAF content scanning scores of incoming requests for the selected time frame. +The **Attack likelihood**, **Bot likelihood**, **Malicious uploads**, and **Account abuse likelihood** sections display statistics related to WAF attack scores, bot scores, WAF content scanning scores, and leaked credentials scanning of incoming requests for the selected time frame. All plans include access to the **Leaked Credentials Check** under **Account Abuse Likelihood**. This feature detects login attempts using credentials that have been exposed online. For more information on what to do if you have credentials that have been leaked, refer to the [mitigation examples page](/waf/detections/leaked-credentials/examples/). You can examine different traffic segments according to the current metric (attack score, bot score, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50). 
@@ -159,6 +161,6 @@ You can switch to [Log Explorer](/logs/log-explorer/) to dive deeper on your ana Currently, changing the time frame or the applied filters while showing raw logs may cause the Cloudflare dashboard to switch automatically to sampled logs. This happens if the total number of request logs for the selected time frame is high. ::: -## Final remarks +## Sampling The Security Analytics dashboard uses [sampled data](/analytics/graphql-api/sampling/), except when showing raw logs. Most information in the dashboard is obtained from `httpRequestsAdaptiveGroups` and `httpRequestsAdaptive` GraphQL nodes. For more information on working directly with GraphQL datasets, refer to [Datasets (tables)](/analytics/graphql-api/features/data-sets/). diff --git a/src/content/plans/index.json b/src/content/plans/index.json index adcd16c4a43033..6b0dfcd32a3e8b 100644 --- a/src/content/plans/index.json +++ b/src/content/plans/index.json @@ -1490,11 +1490,25 @@ "properties": { "availability": { "title": "Availability", - "summary": "Business and above", - "free": "No", - "pro": "No", + "summary": "Available on all plans", + "free": "Yes", + "pro": "Yes", "biz": "Yes", "ent": "Yes" + }, + "retention": { + "title": "Retention", + "free": "7", + "pro": "31", + "biz": "31", + "ent": "90" + }, + "query_window": { + "title": "Query window", + "free": "1", + "pro": "7", + "biz": "31", + "ent": "31" } } }, From 82b6e09160de73849d8d6ac1e7e29cdfba2a2ff1 Mon Sep 17 00:00:00 2001 From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> Date: Mon, 23 Sep 2024 18:44:17 +0100 Subject: [PATCH 22/54] [Changelog] Add export matches feature security center (#17024) * [Changelog] Add export matches feature security center * Fixing identation * Fixing identation 2 --- src/content/changelogs/security-center.yaml | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/src/content/changelogs/security-center.yaml b/src/content/changelogs/security-center.yaml index b4d2f471d08f63..28c72f8e378124 100644 --- a/src/content/changelogs/security-center.yaml +++ b/src/content/changelogs/security-center.yaml @@ -12,3 +12,7 @@ entries: - publish_date: "2024-09-19" description: |- - Customers can now create a `security.txt` file file to provide the security research team with a standardized way to report vulnerabilities. + + - publish_date: "2024-09-23" + description: |- + - Customers can now export all matches from a saved query. Select your **Query name** > select the three dots > **Export matches**. \ No newline at end of file From e0e9f1045d7af5b5a5d4dfe6024352b4467f0ad4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Mon, 23 Sep 2024 13:16:43 -0500 Subject: [PATCH 23/54] Updated name to Cloudflare Images (#17029) --- src/content/docs/images/index.mdx | 2 +- src/content/docs/rules/transform/url-rewrite/index.mdx | 2 +- src/content/products/images.yaml | 9 ++++----- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/content/docs/images/index.mdx b/src/content/docs/images/index.mdx index 042ab0613ccc72..0507445c738d29 100644 --- a/src/content/docs/images/index.mdx +++ b/src/content/docs/images/index.mdx @@ -5,7 +5,7 @@ sidebar: order: 1 head: - tag: title - content: Cloudflare Image Optimization + content: Cloudflare Images --- diff --git a/src/content/docs/rules/transform/url-rewrite/index.mdx b/src/content/docs/rules/transform/url-rewrite/index.mdx index b70649a9d5a4a1..4bba00ec4d74a7 100644 --- a/src/content/docs/rules/transform/url-rewrite/index.mdx +++ b/src/content/docs/rules/transform/url-rewrite/index.mdx 
@@ -37,6 +37,6 @@ Create rewrite URL rules [in the dashboard](/rules/transform/url-rewrite/create- ## Serve images from custom paths -When using Cloudflare Image Optimization, you can use URL rewrites to serve images from a custom path. For more information, refer to [Serve images from custom domains](/images/manage-images/serve-images/serve-from-custom-domains/). +When using Cloudflare Images, you can use URL rewrites to serve images from a custom path. For more information, refer to [Serve images from custom domains](/images/manage-images/serve-images/serve-from-custom-domains/). diff --git a/src/content/products/images.yaml b/src/content/products/images.yaml index 1e998f019bde80..35ef23265409ee 100644 --- a/src/content/products/images.yaml +++ b/src/content/products/images.yaml @@ -1,7 +1,7 @@ -name: Cloudflare Image Optimization +name: Cloudflare Images product: - title: Cloudflare Image Optimization + title: Cloudflare Images url: /images/ group: Developer platform additional_groups: [Media] @@ -9,10 +9,9 @@ product: preview_tryout: true meta: - title: Cloudflare Image Optimization docs + title: Cloudflare Images docs description: - Choose between Cloudflare Images and Cloudflare Image Resizing, two - products tailored to your different needs. + Store, transform, optimize, and deliver images at scale. author: "@cloudflare" resources: From 97c2e9ef32a2c19391db94f6752bcdf00ef3ed56 Mon Sep 17 00:00:00 2001 
From: Kian Date: Mon, 23 Sep 2024 20:23:41 +0100 Subject: [PATCH 24/54] [Docs Site] Support group badges with new frontmatter property (#17032) * [Docs Site] Support group badges with new frontmatter property * Style guide changes --- src/components/overrides/Sidebar.astro | 1 + .../docs/style-guide/frontmatter/index.mdx | 8 +--- .../docs/style-guide/frontmatter/sidebar.mdx | 37 +++++++++++++++++ src/schemas/base.ts | 2 + src/schemas/types/badge.ts | 40 +++++++++++++++++++ 5 files changed, 81 insertions(+), 7 deletions(-) create mode 100644 src/schemas/types/badge.ts diff --git a/src/components/overrides/Sidebar.astro b/src/components/overrides/Sidebar.astro index ebde3772e957a6..a614b80a2c8ec9 100644 --- a/src/components/overrides/Sidebar.astro +++ b/src/components/overrides/Sidebar.astro @@ -86,6 +86,7 @@ async function handleGroup(group: Group): Promise { group.label = frontmatter.sidebar.group?.label ?? frontmatter.title; group.order = frontmatter.sidebar.order ?? Number.MAX_VALUE; + group.badge = frontmatter.sidebar.group?.badge; if (frontmatter.hideChildren) { return { diff --git a/src/content/docs/style-guide/frontmatter/index.mdx b/src/content/docs/style-guide/frontmatter/index.mdx index 0d0676ce78ae7b..5841b7a844333e 100644 --- a/src/content/docs/style-guide/frontmatter/index.mdx +++ b/src/content/docs/style-guide/frontmatter/index.mdx @@ -4,9 +4,6 @@ description: | You can customize individual Markdown and MDX pages in Starlight by setting values in their frontmatter. For example, a regular page might set title and description fields. sidebar: - badge: - variant: tip - text: New! order: 3 banner: content: | @@ -25,10 +22,7 @@ description: | You can customize individual Markdown and MDX pages in Starlight by setting values in their frontmatter. For example, a regular page might set title and description fields. sidebar: - label: Overview - badge: - variant: tip - text: New! + order: 3 banner: content: |

Hello, world!

diff --git a/src/content/docs/style-guide/frontmatter/sidebar.mdx b/src/content/docs/style-guide/frontmatter/sidebar.mdx index 029f62c5fb6e7f..2624754b08b001 100644 --- a/src/content/docs/style-guide/frontmatter/sidebar.mdx +++ b/src/content/docs/style-guide/frontmatter/sidebar.mdx @@ -157,3 +157,40 @@ Since these pages are still accessible via other links and directly navigating t ### Hiding child pages of a group To make a group render as if it was a single page, which links to the index page, use the top-level `hideChildren` property. + +## Badges + +### Links + +To specify a badge next to the link, use the `sidebar.badge` property. + +```mdx title="/src/content/docs/examples/example.mdx" +--- +title: Example +sidebar: + badge: New! +--- +``` + + +- Examples + - Example [New!] + + +### Groups + +To specify a badge next to the group label, use the `sidebar.group.badge` inside the group's `index.mdx` frontmatter. + +```mdx title="/src/content/docs/examples/index.mdx" +--- +title: Examples +sidebar: + group: + badge: New! +--- +``` + + +- Examples [New!] + - Example + \ No newline at end of file diff --git a/src/schemas/base.ts b/src/schemas/base.ts index 5a1a476a028d2c..8cb4f5558566e2 100644 --- a/src/schemas/base.ts +++ b/src/schemas/base.ts @@ -1,4 +1,5 @@ import { z } from "astro:schema"; +import { BadgeConfigSchema } from "./types/badge"; const spotlightAuthorDetails = z .object({ @@ -89,6 +90,7 @@ export const baseSchema = z.object({ .describe( "Hides the index page from the sidebar. Refer to https://developers.cloudflare.com/style-guide/frontmatter/sidebar/.", ), + badge: BadgeConfigSchema(), }) .optional(), }) diff --git a/src/schemas/types/badge.ts b/src/schemas/types/badge.ts new file mode 100644 index 00000000000000..31967cf0805ddd --- /dev/null +++ b/src/schemas/types/badge.ts 
@@ -0,0 +1,40 @@ +// Vendored from https://github.com/withastro/starlight/blob/a171a996b842f1fdb37a0bdbb2c9d86e1073e1a4/packages/starlight/schemas/badge.ts# +import { z } from 'astro:schema'; + +const badgeBaseSchema = z.object({ + variant: z.enum(['note', 'danger', 'success', 'caution', 'tip', 'default']).default('default'), + class: z.string().optional(), +}); + +const badgeSchema = badgeBaseSchema.extend({ + text: z.string(), +}); + +const i18nBadgeSchema = badgeBaseSchema.extend({ + text: z.union([z.string(), z.record(z.string())]), +}); + +export const BadgeComponentSchema = badgeSchema + .extend({ + size: z.enum(['small', 'medium', 'large']).default('small'), + }) + .passthrough(); + +export type BadgeComponentProps = z.input; + +export const BadgeConfigSchema = () => + z + .union([z.string(), badgeSchema]) + .transform((badge) => { + if (typeof badge === 'string') { + return { variant: 'default' as const, text: badge }; + } + return badge; + }) + .optional(); + +export const I18nBadgeConfigSchema = () => z.union([z.string(), i18nBadgeSchema]).optional(); + +export type Badge = z.output; +export type I18nBadge = z.output; +export type I18nBadgeConfig = z.output>; From e2abff372c15f7c5720912b496482305a2bbcfeb Mon Sep 17 00:00:00 2001 From: Kian Date: Mon, 23 Sep 2024 21:06:05 +0100 Subject: [PATCH 25/54] [Docs Site] Overhaul aside styling (#17036) --- astro.config.mjs | 1 + src/asides.css | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 src/asides.css diff --git a/astro.config.mjs b/astro.config.mjs index 3369fe654bc1d1..e42e3b55e64186 100644 --- a/astro.config.mjs +++ b/astro.config.mjs @@ -146,6 +146,7 @@ export default defineConfig({ }, sidebar: await autogenSections(), customCss: [ + "./src/asides.css", "./src/headings.css", "./src/input.css", "./src/kbd.css", diff --git a/src/asides.css b/src/asides.css new file mode 100644 index 00000000000000..71751b68cc447f --- /dev/null +++ b/src/asides.css 
@@ -0,0 +1,36 @@ +.starlight-aside { + border: unset; + border-radius: 4px; + + &.starlight-aside--note { + background-color: rgb(236, 244, 255); + } + + &.starlight-aside--caution { + background-color: rgb(255, 248, 228); + + } + + .starlight-aside__title { + margin-left: 30px; + + svg { + margin-left: -30px; + } + } + + .starlight-aside__content { + margin-top: unset; + margin-left: 30px; + } +} + +:root[data-theme="dark"] { + .starlight-aside--note { + background-color: rgb(0, 28, 67); + } + + .starlight-aside--caution { + background-color: rgb(98, 73, 10); + } +} \ No newline at end of file From 0202885c8f4dfb90633c13e966a6c081b29515d9 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Mon, 23 Sep 2024 15:50:19 -0500 Subject: [PATCH 26/54] [ZT] Rename Azure AD to Entra ID (#16997) --- public/_redirects | 4 + .../access-api-examples/azure-group.mdx | 23 -- .../access-api-examples/entra-group.mdx | 22 ++ .../access-api-examples/github-org.mdx | 11 +- .../access-api-examples/gsuite-group.mdx | 13 +- .../access-api-examples/okta-group.mdx | 13 +- .../saas-apps/generic-saml-saas.mdx | 2 +- .../non-http/infrastructure-apps.mdx | 7 +- .../warp/configure-warp/warp-sessions.mdx | 11 +- .../mdm-deployment/windows-prelogin.mdx | 23 +- .../cloudflare-one/faq/teams-general-faq.mdx | 11 +- .../application-token.mdx | 2 +- .../devices/access-integrations/index.mdx | 11 +- .../warp-client-checks/domain-joined.mdx | 11 +- .../identity/idp-integration/adfs.mdx | 34 +-- .../identity/idp-integration/aws-saml.mdx | 33 +-- .../idp-integration/awscognito-oidc.mdx | 43 ++- .../idp-integration/centrify-saml.mdx | 23 +- .../identity/idp-integration/centrify.mdx | 2 - .../idp-integration/citrixadc-saml.mdx | 9 +- .../{azuread.mdx => entra-id.mdx} | 136 +++++----- .../idp-integration/facebook-login.mdx | 15 +- .../identity/idp-integration/github.mdx | 19 +- .../identity/idp-integration/google.mdx | 18 +- .../identity/idp-integration/gsuite.mdx | 26 +- .../identity/idp-integration/index.mdx | 7 +- .../idp-integration/jumpcloud-saml.mdx | 4 +- .../identity/idp-integration/keycloak.mdx | 3 - .../identity/idp-integration/linkedin.mdx | 15 +- .../identity/idp-integration/okta-saml.mdx | 2 - .../identity/idp-integration/okta.mdx | 5 +- .../idp-integration/onelogin-oidc.mdx | 26 +- .../idp-integration/onelogin-saml.mdx | 23 +- .../idp-integration/pingfederate-saml.mdx | 49 ++-- .../identity/idp-integration/pingone-oidc.mdx | 22 +- .../identity/idp-integration/pingone-saml.mdx | 9 +- .../identity/idp-integration/signed_authn.mdx | 15 +- .../identity/idp-integration/yandex.mdx | 15 +- .../cloudflare-one/identity/one-time-pin.mdx | 19 +- 
.../cloudflare-one/policies/access/index.mdx | 64 +++-- .../policies/access/mfa-requirements.mdx | 17 +- .../dlp-profiles/predefined-profiles.mdx | 47 ++-- .../policies/gateway/identity-selectors.mdx | 6 +- ...ss.mdx => entra-id-conditional-access.mdx} | 37 ++- ...sky-users.mdx => entra-id-risky-users.mdx} | 46 ++-- .../docs/cloudflare-one/tutorials/gitlab.mdx | 2 +- .../cloudflare-sase-with-microsoft.mdx | 39 ++- .../architectures/sase.mdx | 252 +++++++++--------- .../3rd-party-integration-guide.mdx | 25 +- .../cloudflare-one/access/idp-integration.mdx | 1 - .../access/scim-supported-idps.mdx | 5 +- 51 files changed, 589 insertions(+), 688 deletions(-) delete mode 100644 src/content/docs/cloudflare-one/api-terraform/access-api-examples/azure-group.mdx create mode 100644 src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx rename src/content/docs/cloudflare-one/identity/idp-integration/{azuread.mdx => entra-id.mdx} (55%) rename src/content/docs/cloudflare-one/tutorials/{azuread-conditional-access.mdx => entra-id-conditional-access.mdx} (65%) rename src/content/docs/cloudflare-one/tutorials/{azuread-risky-users.mdx => entra-id-risky-users.mdx} (70%) diff --git a/public/_redirects b/public/_redirects index e5247341cf5cea..2ca453ce37cd6a 100644 --- a/public/_redirects +++ b/public/_redirects 
@@ -1529,6 +1529,7 @@
 /cloudflare-one/analytics/access/ /cloudflare-one/insights/analytics/access/ 301
 /cloudflare-one/analytics/gateway/ /cloudflare-one/insights/analytics/gateway/ 301
 /cloudflare-one/analytics/users/ /cloudflare-one/insights/logs/users/ 301
+/cloudflare-one/api-terraform/access-api-examples/azure-group/ /cloudflare-one/api-terraform/access-api-examples/entra-group/ 301
 /cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
 /cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301
 /cloudflare-one/connections/connect-apps/install-and-setup/setup/ /cloudflare-one/connections/connect-networks/get-started/ 301
@@ -1607,6 +1608,7 @@
 /cloudflare-one/identity/devices/require-gateway/ /cloudflare-one/identity/devices/warp-client-checks/require-gateway/ 301
 /cloudflare-one/identity/devices/require-warp/ /cloudflare-one/identity/devices/warp-client-checks/require-warp/ 301
 /cloudflare-one/identity/devices/sentinel-one/ /cloudflare-one/identity/devices/warp-client-checks/sentinel-one/ 301
+/cloudflare-one/identity/idp-integration/azuread/ /cloudflare-one/identity/entra-id/ 301
 /cloudflare-one/identity/idp-integration/one-time-pin/ /cloudflare-one/identity/one-time-pin/ 301
 /cloudflare-one/identity/idp-integration/saml-centrify/ /cloudflare-one/identity/idp-integration/centrify-saml/ 301
 /cloudflare-one/identity/idp-integration/ping-saml/ /cloudflare-one/identity/idp-integration/pingfederate-saml/ 301
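Review bot: The redirect added in the second hunk on this line sends `/cloudflare-one/identity/idp-integration/azuread/` to `/cloudflare-one/identity/entra-id/`, but the diffstat for this patch renames the page in place (`identity/idp-integration/{azuread.mdx => entra-id.mdx}`), so the destination is missing the `idp-integration/` segment and the old Azure AD URL would 301 to a page that does not exist. The neighbouring context lines keep that segment on their targets, which supports the reading that this is a typo rather than a deliberate move. Suggested line: `/cloudflare-one/identity/idp-integration/azuread/ /cloudflare-one/identity/idp-integration/entra-id/ 301`. The azure-group redirect in the first hunk matches its rename in the diffstat and looks correct.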
@@ -1636,6 +1638,8 @@
 /support/traffic/argo-tunnel/ /cloudflare-one/connections/connect-networks/ 301
 /support/traffic/argo-tunnel/exposing-applications-running-on-microsoft-azure-with-cloudflare-argo-tunnel/ /cloudflare-one/connections/connect-apps/deployment-guides/azure/ 301
 /cloudflare-docs/content/cloudflare-one/tutorials/area-1/ /cloudflare-one/applications/configure-apps/saas-apps/area-1/ 301
+/cloudflare-docs/content/cloudflare-one/tutorials/azuread-conditional-access/ /cloudflare-docs/content/cloudflare-one/tutorials/entra-id-conditional-access/ 301
+/cloudflare-docs/content/cloudflare-one/tutorials/azuread-risky-users/ /cloudflare-docs/content/cloudflare-one/tutorials/entra-id-risky-users/ 301
 /cloudflare-one/tutorials/zendesk-sso-saas/ /cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas/ 301
 /cloudflare-one/tutorials/docusign-access/ /cloudflare-one/applications/configure-apps/saas-apps/docusign-access/ 301
 /cloudflare-one/tutorials/hubspot-saas/ /cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas/ 301
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/azure-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/azure-group.mdx
deleted file mode 100644
index 8c7d5cd90e3af3..00000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/azure-group.mdx
+++ /dev/null
@@ -1,23 +0,0 @@
---- -type: example -summary: Allow members of an Azure Group. The ID is the group UUID (`id`) in Azure. -tags: - - Azure® Group -title: Azure® Group -pcx_content_type: example -sidebar: - order: 4 -description: Allow members of an Azure Group. The ID is the group UUID (`id`) in Azure. ---- -Allow members of an Azure Group. The ID is the group UUID (*`id`*) in Azure: -```json -{ - "azureAD": { - "id": "86773093-5feb-48dd-814b-7ccd3676ff50", - "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" - } -} ``` 
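Review bot: The two redirects added in the `@@ -1636,6 +1638,8 @@` hunk carry the `/cloudflare-docs/content/` prefix on both source and target, so the URL that actually changes — the rename of `src/content/docs/cloudflare-one/tutorials/azuread-conditional-access.mdx` to `entra-id-conditional-access.mdx`, published as `/cloudflare-one/tutorials/entra-id-conditional-access/` per the link rewritten in access-integrations/index.mdx — gets no redirect for its live path, and the prefixed targets do not appear to correspond to any served page. The `area-1` context line directly above redirects a legacy prefixed source to an unprefixed target, which is the pattern to follow here. The entries should be `/cloudflare-one/tutorials/azuread-conditional-access/ /cloudflare-one/tutorials/entra-id-conditional-access/ 301` and `/cloudflare-one/tutorials/azuread-risky-users/ /cloudflare-one/tutorials/entra-id-risky-users/ 301`. Whether the `/cloudflare-docs/content/...` source variants are still requested and need their own entries is not visible from this diff; if they are kept, their targets should at least drop the prefix.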
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx new file mode 100644 index 00000000000000..0bfd23afa61a5f --- /dev/null +++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx @@ -0,0 +1,22 @@ +--- +type: example +summary: Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID. +tags: + - Microsoft Entra Group +title: Microsoft Entra Group +pcx_content_type: example +sidebar: + order: 4 +description: Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID. +--- + +Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID: + +```json +{ + "azureAD": { + "id": "86773093-5feb-48dd-814b-7ccd3676ff50", + "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" + } +} +``` diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx index 8fd28e126f0605..ee43dba8acc0e2 100644 --- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx +++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx @@ -2,20 +2,19 @@ type: example summary: Allow members of a specific GitHub organization. tags: - - GitHub™ Organization + - GitHub Organization title: GitHub™ Organization pcx_content_type: example sidebar: order: 4 description: Allow members of a specific GitHub organization. - --- ```json { - "github-organization": { - "name": "cloudflare", - "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" - } + "github-organization": { + "name": "cloudflare", + "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" + } } ``` 
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx index 2f8a06b1324605..6879330cf99b38 100644 --- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx +++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx @@ -2,20 +2,19 @@ type: example summary: Allow members of a specific G Suite group. tags: - - G Suite® Group -title: G Suite® Group + - G Suite Group +title: G Suite Group pcx_content_type: example sidebar: order: 4 description: Allow members of a specific G Suite group. - --- ```json { - "gsuite": { - "email": "admins@mycompanygsuite.com", - "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" - } + "gsuite": { + "email": "admins@mycompanygsuite.com", + "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" + } } ``` diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx index b5a52d27cff686..d51cd6ca3cea3a 100644 --- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx +++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx @@ -2,20 +2,19 @@ type: example summary: Allow members of an Okta Group. tags: - - Okta® Group -title: Okta® Group + - Okta Group +title: Okta Group pcx_content_type: example sidebar: order: 4 description: Allow members of an Okta Group. - --- ```json { - "okta": { - "name": "admins", - "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" - } + "okta": { + "name": "admins", + "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" + } } ``` 
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 71bd68b59da52b..446dfec843ade6 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx @@ -45,7 +45,7 @@ Obtain the following URLs from your SaaS application account: :::note[IdP groups] -If you are using Okta, AzureAD, Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. +If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. ::: 11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx index ef911298340293..2e025556381d13 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx 
@@ -8,7 +8,7 @@ sidebar: text: New --- -import { Badge, Details, Tabs, TabItem, Render } from "~/components" +import { Badge, Details, Tabs, TabItem, Render } from "~/components"; Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach. @@ -37,13 +37,14 @@ Access for Infrastructure is available in early access and currently only suppor ### Selectors The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications: + - Email - Emails ending in - SAML group - Country - Authentication method - Device posture -- Azure group, GitHub organization, Google Workspace group, Okta group +- Entra group, GitHub organization, Google Workspace group, Okta group ## 4. Configure the server @@ -63,8 +64,6 @@ To connect to targets that are in different VNETS, users will need to [switch th If a user is connected to a target in VNET-A and needs to connect to a target in VNET-B, switching their VNET will not break any existing connections to targets within VNET-A. At present, connections are maintained between VNETs. ::: - ## Revoke a user's session To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. - 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx index 72079539bbcd2f..c8d2f2b1559d59 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx @@ -3,10 +3,9 @@ pcx_content_type: how-to title: WARP sessions sidebar: order: 12 - --- -import { Render, Badge } from "~/components" +import { Render, Badge } from "~/components"; Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your [Access applications](#configure-warp-sessions-in-access) or as part of your [Gateway policies](#configure-warp-sessions-in-gateway). 
@@ -52,10 +51,10 @@ If the user has an active browser session with the IdP, WARP will use the existi ### Supported IdPs -* [Azure AD](/cloudflare-one/identity/idp-integration/azuread/#force-user-interaction-during-warp-reauthentication) +- [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/#force-user-interaction-during-warp-reauthentication) ## Limitations -* **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **My Team** > **Devices**. User B can then properly [enroll](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/). -* **Active connections are not terminated** — Active sessions such as SSH and RDP will remain connected beyond the timeout limit. -* **Binding Cookie is not supported** - WARP authentication will not work for Access applications that have the [Binding Cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) enabled. +- **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **My Team** > **Devices**. User B can then properly [enroll](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/). 
+- **Active connections are not terminated** — Active sessions such as SSH and RDP will remain connected beyond the timeout limit. +- **Binding Cookie is not supported** - WARP authentication will not work for Access applications that have the [Binding Cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) enabled. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin.mdx index fa334e791f3dcb..150e80d2d61625 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin.mdx @@ -3,11 +3,9 @@ pcx_content_type: how-to title: Connect WARP before Windows login sidebar: order: 3 - --- - -import { Details, Render } from "~/components" +import { Details, Render } from "~/components";
@@ -17,13 +15,12 @@ import { Details, Render } from "~/components" | System | Availability | Minimum WARP version | | -------- | ------------ | -------------------- | -| Windows | ✅ | 2024.6.415.0 | -| macOS | ❌ | | -| Linux | ❌ | | -| iOS | ❌ | | -| Android | ❌ | | -| ChromeOS | ❌ | | - +| Windows | ✅ | 2024.6.415.0 | +| macOS | ❌ | | +| Linux | ❌ | | +| iOS | ❌ | | +| Android | ❌ | | +| ChromeOS | ❌ | |
@@ -31,7 +28,7 @@ With Cloudflare Zero Trust, you can use an on-premise Active Directory (or simil ## Prerequisites -* Active Directory resources are [connected to Cloudflare](/cloudflare-one/connections/connect-networks/private-net/). +- Active Directory resources are [connected to Cloudflare](/cloudflare-one/connections/connect-networks/private-net/). ## 1. Create a service token @@ -49,7 +46,6 @@ In your [device enrollment permissions](/cloudflare-one/connections/connect-devi Devices enrolled via a service token are identified by the email address `non_identity@.cloudflareaccess.com`. Using this email address, you can apply specific [device profile settings](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) and [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) during the pre-login state. For example, you could provide access to only those resources necessary to complete the Windows login and/or device management activities. -
| Selector | Operator | Value | Logic | @@ -57,10 +53,8 @@ Devices enrolled via a service token are identified by the email address `non_id | User email | in | `non_identity@.cloudflareaccess.com` | And | | Operating system | is | Windows | | -
-
| Selector | Operator | Value | Logic | @@ -73,7 +67,6 @@ Devices enrolled via a service token are identified by the email address `non_id | ------ | | Allow | -
## 3. Configure the MDM file diff --git a/src/content/docs/cloudflare-one/faq/teams-general-faq.mdx b/src/content/docs/cloudflare-one/faq/teams-general-faq.mdx index 1ba7f4018e2765..24ca17331b2511 100644 --- a/src/content/docs/cloudflare-one/faq/teams-general-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/teams-general-faq.mdx @@ -5,7 +5,6 @@ sidebar: order: 3 head: [] description: Review frequently asked questions about Cloudflare Zero Trust. - --- [❮ Back to FAQ](/cloudflare-one/faq/) @@ -26,11 +25,11 @@ Access does not have an independent or out-of-band MFA feature. These browsers are supported: -* Internet Explorer® 11 -* Edge® (current release, last release) -* Firefox® (current release, last release) -* Chrome® (current release, last release) -* Safari® (current release, last release) +- Internet Explorer 11 +- Edge (current release, last release) +- Firefox (current release, last release) +- Chrome (current release, last release) +- Safari (current release, last release) ## What data localization services are supported? diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx index efbf699117fce7..8d0f8af84942ee 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx 
@@ -71,7 +71,7 @@ Access allows you to add custom SAML attributes and OIDC claims to your JWT for #### User identity -User identity is useful for checking application permissions. For example, your application can validate that a given user is a member of an Okta or AzureAD group such as `Finance-Team`. +User identity is useful for checking application permissions. For example, your application can validate that a given user is a member of an Okta or Microsoft Entra ID group such as `Finance-Team`. Due to cookie size limits and bandwidth considerations, the application token only contains a subset of the user's identity. To get the user's full identity, send the `CF_Authorization` cookie to `https://.cloudflareaccess.com/cdn-cgi/access/get-identity`. Your request should be structured as follows: diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/index.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/index.mdx index af92057a7fecf7..d8fa38b6ad4fe9 100644 --- a/src/content/docs/cloudflare-one/identity/devices/access-integrations/index.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/access-integrations/index.mdx 
@@ -3,13 +3,12 @@ pcx_content_type: navigation title: Access integrations sidebar: order: 4 - --- These device posture checks can only be enforced for Cloudflare Access applications. They cannot be used in Gateway network policies. -| Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | [WARP mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | -| --------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- | ---------------------------------------------------------------------------------------- | -| [Azure AD Conditional Access](/cloudflare-one/tutorials/azuread-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | WARP not required | -| [Mutual TLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required | -| [Tanium](/cloudflare-one/identity/devices/access-integrations/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only | +| Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | [WARP mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | +| ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- | ---------------------------------------------------------------------------------------- | +| [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | WARP not required | +| [Mutual TLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required | +| [Tanium](/cloudflare-one/identity/devices/access-integrations/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only | 
diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/domain-joined.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/domain-joined.mdx index 0406db71a9a1e6..37660af5c32eba 100644 --- a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/domain-joined.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/domain-joined.mdx @@ -6,16 +6,21 @@ sidebar: head: - tag: title content: Domain joined - --- -import { Render } from "~/components" +import { Render } from "~/components"; The Domain Joined device posture attribute ensures that a user is a member of a specific Windows Active Directory domain. ## Prerequisites -* +- ## Enable the Domain Joined check diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx index 7cdeb74c4c7b1a..2c6ad37646b41f 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx @@ -1,12 +1,16 @@ --- pcx_content_type: how-to -title: Active Directory® (SAML) -sidebar: - order: 3 +title: Active Directory (SAML) --- import { GlossaryTooltip } from "~/components"; +:::caution +Microsoft recommends migrating your Active Directory Federation Service (AD FS) SSO to Microsoft Entra ID. For more information, refer to [Microsoft Learn](https://learn.microsoft.com/windows-server/identity/ad-fs/ad-fs-overview). + +To set up the Microsoft Entra ID IdP integration with Zero Trust, refer to [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/). +::: + Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory integrates with Cloudflare Access using Security Assertion Markup Language (SAML). ## Before you start 
@@ -15,12 +19,12 @@ To get started, you need: - An Active Directory Domain Controller where all users have an email attribute - Generic SAML enabled for your Access Identity Provider (IdP) -- A Microsoft server running with Active Directory Federation Services (ADFS) installed. All screenshots in these instructions are for Server 2012R2. Similar steps will work for newer versions. -- A browser safe certificate for Active Directory Federation Services (ADFS) +- A Microsoft server running with Active Directory Federation Services (AD FS) installed. All screenshots in these instructions are for Server 2012R2. Similar steps will work for newer versions. +- A browser safe certificate for Active Directory Federation Services (AD FS) -Once you fulfill the requirements above, you are ready to begin. Installation and basic configuration of Active Directory Federation Services (ADFS) is outside the scope of this guide. A detailed guide can be found in a [Microsoft KB](). +Once you fulfill the requirements above, you are ready to begin. Installation and basic configuration of Active Directory Federation Services (AD FS) is outside the scope of this guide. A detailed guide can be found in a [Microsoft KB](). -Then to begin the connection between Cloudflare Access and ADFS create a Relying Party Trust in ADFS. +Then to begin the connection between Cloudflare Access and AD FS create a Relying Party Trust in AD FS. ## Create a Relying Party Trust 
@@ -78,13 +82,13 @@ To create a Relying Party Trust: 21. Review your settings. -22. Select **Next**. Cloudflare now relies on ADFS for user-identity authorization. +22. Select **Next**. Cloudflare now relies on AD FS for user-identity authorization. The **Edit Claim Rules for CF Login** screen automatically displays. ## Create claim rules -Now create 2 Claim Rules so that ADFS can take information from Cloudflare and return it to create [Access policies](/cloudflare-one/policies/access/). +Now create 2 Claim Rules so that AD FS can take information from Cloudflare and return it to create [Access policies](/cloudflare-one/policies/access/). If you closed the Add Relying Trust wizard, use Explorer to find the **Relying Party Trusts** folder, select the newly created RPT file, and select **Edit Claim Rules** in the **Action** sidebar. @@ -124,11 +128,11 @@ Both Claim Rules are now available to export to your Cloudflare Access account. ## Export the certificate -Now you'll configure Cloudflare to recognize ADFS by extracting the _token-signing certificate_ from ADFS. +Now you'll configure Cloudflare to recognize AD FS by extracting the _token-signing certificate_ from AD FS. To export the certificate: -1. Within the ADFS management console, select the **Service** under AD FS and choose the **Certificates** folder which contains the certificate to export. +1. Within the AD FS management console, select the **Service** under AD FS and choose the **Certificates** folder which contains the certificate to export. 2. In the **Certificates** card, right-click on the entry under **Token-signing**, and select **View certificate**. The **Certificates** window displays. 
@@ -152,9 +156,9 @@ To export the certificate: Note the file path for later. -## Configure ADFS to sign SAML responses +## Configure AD FS to sign SAML responses -To ensure that ADFS signs the full response when communicating with Cloudflare, open your local **PowerShell** and enter the following command: +To ensure that AD FS signs the full response when communicating with Cloudflare, open your local **PowerShell** and enter the following command: ```bash Set-ADFSRelyingPartyTrust -TargetName "Name of RPT Display Name" -SamlResponseSignature "MessageAndAssertion" @@ -162,7 +166,7 @@ Set-ADFSRelyingPartyTrust -TargetName "Name of RPT Display Name" -SamlResponseSi ## Configure Cloudflare Zero Trust -To enable Cloudflare Zero Trust to accept the claims and assertions sent from ADFS, follow these steps: +To enable Cloudflare Zero Trust to accept the claims and assertions sent from AD FS, follow these steps: 1. In Zero Trust, go to **Settings** > **Authentication**. @@ -178,7 +182,7 @@ To enable Cloudflare Zero Trust to accept the claims and assertions sent from AD https://hostnameOfADFS/adfs/ls/ ``` - This is the default location. You can find your federation service identifier in ADFS. + This is the default location. You can find your federation service identifier in AD FS. 6. In the **IdP Entity ID or Issuer URL** field, enter your Zero Trust team domain and include this callback at the end of the path: `/cdn-cgi/access/callback`. For example: diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/aws-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/aws-saml.mdx index 8ca9cd84894da4..d067d7c5705ee7 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/aws-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/aws-saml.mdx 
@@ -1,16 +1,13 @@ --- pcx_content_type: how-to title: AWS IAM (SAML) -sidebar: - order: 5 - --- AWS IAM Identity Center provides SSO identity management for users who interact with AWS resources (such as EC2 instances or S3 buckets). You can integrate AWS IAM with Cloudflare Zero Trust as a SAML identity provider, which allows users to authenticate to Zero Trust using their AWS credentials. ## Prerequisites -* Admin access to an IAM Identity Center [organization instance](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html) +- Admin access to an IAM Identity Center [organization instance](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html) ## Set up AWS IAM as a SAML provider @@ -44,7 +41,7 @@ You can find your team name in Zero Trust under **Settings** > **Custom Pages**. 11. Select **Submit**. -12. Next, select the **Actions** dropdown menu and select *Edit attribute mappings*. +12. Next, select the **Actions** dropdown menu and select _Edit attribute mappings_. 13. For the `Subject` user attribute, enter `${user:email}`. 
@@ -82,19 +79,17 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha ```json { - "config": { - "issuer_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3", - "sso_target_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3", - "attributes": [ - "email" - ], - "email_attribute_name": "email", - "sign_request": true, - "idp_public_certs": [ - "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" - ] - }, - "type": "saml", - "name": "AWS IAM SAML example" + "config": { + "issuer_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3", + "sso_target_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3", + "attributes": ["email"], + "email_attribute_name": "email", + "sign_request": true, + "idp_public_certs": [ + "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" + ] + }, + "type": "saml", + "name": "AWS IAM SAML example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx index 13e7e9701d75d0..fea281e2d38a0a 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx 
@@ -1,16 +1,13 @@ --- pcx_content_type: how-to title: Amazon Cognito -sidebar: - order: 4 - --- Amazon Cognito provides SSO identity management for end users of web and mobile apps. You can integrate Amazon Cognito as an OIDC identity provider for Cloudflare Zero Trust. ## Prerequisites -* An Amazon Cognito [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-user-pool.html) +- An Amazon Cognito [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-user-pool.html) ## Set up Amazon Cognito (OIDC) @@ -18,11 +15,11 @@ Amazon Cognito provides SSO identity management for end users of web and mobile The following Amazon Cognito values are required to set up the integration: -* App (client) ID -* Client secret -* Auth URL -* Token URL -* Certificate (key) URL +- App (client) ID +- Client secret +- Auth URL +- Token URL +- Certificate (key) URL To retrieve those values: @@ -36,9 +33,9 @@ To retrieve those values: 5. Make note of the following [Amazon Cognito OIDC endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints.html): - * **Auth URL**: `https:///oauth2/authorize` - * **Token URL**: `https:///oauth2/token` - * **Certificate (key) URL**: `https://cognito-idp..amazonaws.com//.well-known/jwks.json` (This is the **Token signing key URL** shown in **User pool overview**.) + - **Auth URL**: `https:///oauth2/authorize` + - **Token URL**: `https:///oauth2/token` + - **Certificate (key) URL**: `https://cognito-idp..amazonaws.com//.well-known/jwks.json` (This is the **Token signing key URL** shown in **User pool overview**.) 6. Under **App client list**, select **Create app client**. 
@@ -92,16 +89,16 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha ```json { - "config": { - "client_id": "", - "client_secret": "", - "auth_url": "https:///oauth2/authorize", - "token_url": "https:///oauth2/token", - "certs_url": "https://cognito-idp..amazonaws.com//.well-known/jwks.json", - "scopes": ["openid", "email", "profile"], - "claims": ["sub", "cognito:username", "name", "cognito:groups"] - }, - "type": "oidc", - "name": "Amazon Cognito example" + "config": { + "client_id": "", + "client_secret": "", + "auth_url": "https:///oauth2/authorize", + "token_url": "https:///oauth2/token", + "certs_url": "https://cognito-idp..amazonaws.com//.well-known/jwks.json", + "scopes": ["openid", "email", "profile"], + "claims": ["sub", "cognito:username", "name", "cognito:groups"] + }, + "type": "oidc", + "name": "Amazon Cognito example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx index b7cbf2ff1e299b..1250f499a95a00 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: Centrify (SAML) -sidebar: - order: 8 - --- Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the #1 cause of breaches – privileged access abuse. 
@@ -94,15 +91,15 @@ To get your Cloudflare metadata file: ```json { - "config": { - "issuer_url": "https://abc123.my.centrify.com/baaa2117-0ec0-4d76-84cc-abccb551a123", - "sso_target_url": "https://abc123.my.centrify.com/applogin/appKey/baaa2117-0ec0-4d76-84cc-abccb551a123/customerId/abc123", - "attributes": ["email"], - "email_attribute_name": "", - "sign_request": false, - "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" - }, - "type": "saml", - "name": "centrify saml example" + "config": { + "issuer_url": "https://abc123.my.centrify.com/baaa2117-0ec0-4d76-84cc-abccb551a123", + "sso_target_url": "https://abc123.my.centrify.com/applogin/appKey/baaa2117-0ec0-4d76-84cc-abccb551a123/customerId/abc123", + "attributes": ["email"], + "email_attribute_name": "", + "sign_request": false, + "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" + }, + "type": "saml", + "name": "centrify saml example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx index 58a92d54d6ce67..dcd6b705decc82 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx @@ -1,8 +1,6 @@ --- pcx_content_type: how-to title: Centrify -sidebar: - order: 7 --- Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the number one cause of breaches: privileged access abuse. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/citrixadc-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/citrixadc-saml.mdx index 8aca79ecd82205..c6aaa613f55952 100644 
--- a/src/content/docs/cloudflare-one/identity/idp-integration/citrixadc-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/citrixadc-saml.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: Citrix ADC (SAML) -sidebar: - order: 9 - --- Cloudflare Zero Trust can integrate with Citrix ADC (formerly Citrix NetScaler ADC) as a SAML IdP. Documentation from Citrix shows you [how to configure Citrix ADC as a SAML IdP](https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/saml-authentication/citrix-adc-saml-idp.html). These steps are specific to Cloudflare Zero Trust. @@ -14,8 +11,8 @@ To set up Citrix ADC (SAML) as your identity provider: 1. First, you'll need to configure 2 SAML certificates: - * A certificate to **terminate TLS at the vServer**. Ensure that the certificate is issued by a publicly trusted CA. - * A certificate for **signing SAML assertions**. + - A certificate to **terminate TLS at the vServer**. Ensure that the certificate is issued by a publicly trusted CA. + - A certificate for **signing SAML assertions**. If you do not already have a certificate for signing SAML assertions, you can use a self-signed certificate generated on Citrix ADC by following these steps: @@ -46,7 +43,7 @@ To set up Citrix ADC (SAML) as your identity provider: | **Name ID Format** | EmailAddress | | **Attribute 1** | `email = AAA.USER.ATTRIBUTE("email")` | - Cloudflare Access currently sends the IdP address in place of the *Service Provider ID* for the AuthN request. + Cloudflare Access currently sends the IdP address in place of the _Service Provider ID_ for the AuthN request. 2. Create an Authentication Policy that refers to the Profile just created, and bind it to the authentication vServer mentioned above. 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/azuread.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
similarity index 55%
rename from src/content/docs/cloudflare-one/identity/idp-integration/azuread.mdx
rename to src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
index 7de7e6aee7d602..373ccdfea8d331 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/azuread.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
@@ -1,40 +1,37 @@ --- pcx_content_type: how-to -title: Azure AD® -sidebar: - order: 6 - +title: Microsoft Entra ID --- -import { Render } from "~/components" +import { Render } from "~/components"; -You can integrate Microsoft Azure AD® (Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Azure AD credentials. +You can integrate Microsoft Entra ID (formerly Azure Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Entra ID credentials. -## Set up Azure AD as an identity provider +## Set up Entra ID as an identity provider -### 1. Obtain Azure AD settings +### 1. Obtain Entra ID settings -The following Azure AD values are required to set up the integration: +The following Entra ID values are required to set up the integration: -* Application (client) ID -* Directory (tenant) ID -* Client secret +- Application (client) ID +- Directory (tenant) ID +- Client secret To retrieve those values: 1. Log in to the [Azure dashboard](https://portal.azure.com/). -2. Go to **All services** > **Azure Active Directory**. +2. Go to **All services** > **Microsoft Entra ID**. -3. In the Azure Active Directory menu, go to **Enterprise applications**. +3. In the sidebar, go to **Manage** > **Enterprise applications**. -4. Select **New application** > **Create your own application**. +4. Select **New application**, then select **Create your own application**. 5. Name your application. -6. Select **Register an application to integrate with Azure AD (App you're developing)** and then select **Create**. +6. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)** and then select **Create**. -7. Under **Redirect URI**, select the *Web* platform and enter the following URL: +7. 
Under **Redirect URI**, select the _Web_ platform and enter the following URL: ```txt https://.cloudflareaccess.com/cdn-cgi/access/callback @@ -46,13 +43,13 @@ To retrieve those values: 8. Select **Register**. -9. Next, return to the Azure Active Directory menu and go to **App registrations**. +9. Next, return to Microsoft Entra ID and go to go to **Manage** > **App registrations**. 10. Select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**. ![Viewing the Application ID and Directory ID in Azure](~/assets/images/cloudflare-one/identity/azure/azure-values.png) -11. Go to **Certificates & secrets** and select **New client secret**. +11. Under **Client credentials**, go to **Add a certificate or secret**. Select **New client secret**. 12. Name the client secret and choose an expiration period. @@ -60,7 +57,7 @@ To retrieve those values: ![Location of client secret in Azure](~/assets/images/cloudflare-one/identity/azure/client-cert-value.png) -### 2. Configure API permissions in Azure +### 2. Configure API permissions in Entra ID 1. From the **App registrations** page for your application, go to **API permissions**. 
@@ -68,19 +65,18 @@ To retrieve those values: 3. Select **Microsoft Graph**. -4. Select **Delegated permissions** and enable the following [permissions](https://learn.microsoft.com/en-us/graph/permissions-reference): +4. Select **Delegated permissions** and enable the following [permissions](https://learn.microsoft.com/graph/permissions-reference): - * `email` - * `offline_access` - * `openid` - * `profile` - * `User.Read` - * `Directory.Read.All` - * `GroupMember.Read.All` + - `email` + - `offline_access` + - `openid` + - `profile` + - `User.Read` + - `Directory.Read.All` + - `GroupMember.Read.All` :::note - -More narrow permissions may be used, however this is the set of permissions that are tested and supported by Cloudflare. +More narrow permissions may be used, however this is the set of permissions that are tested and supported by Cloudflare. ::: 5. Once all seven permissions are enabled, select **Add permissions**. @@ -89,7 +85,7 @@ More narrow permissions may be used, however this is the set of permissions that ![Configured permissions list in Azure](~/assets/images/cloudflare-one/identity/azure/configured-perms.png) -### 3. Add Azure AD as an identity provider +### 3. Add Entra ID as an identity provider 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. 
@@ -97,16 +93,16 @@ More narrow permissions may be used, however this is the set of permissions that 3. Select **Azure AD**. -4. Enter the **Application (client) ID**, **Client secret**, and **Directory (tenant) ID** obtained from the Azure dashboard. +4. Enter the **Application (client) ID**, **Client secret**, and **Directory (tenant) ID** obtained from Microsoft Entra ID. 5. (Optional) Configure the following settings: - * **Proof Key for Code Exchange**: Perform [PKCE](https://www.oauth.com/oauth2-servers/pkce/) on all login attempts. - * **Support Groups**: Allow Cloudflare to read a user's Azure AD group membership. - * **Azure AD Policy Sync**: Refer to our [Azure AD Conditional Access tutorial](/cloudflare-one/tutorials/azuread-conditional-access/). - * **Enable SCIM**: Refer to [Synchronize users and groups](#synchronize-users-and-groups). - * **Email claim**: Enter the Azure AD claim that you wish to use for user identification (for example, `preferred_username`). - * **OIDC Claims**: Enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). + - **Proof Key for Code Exchange**: Perform [PKCE](https://www.oauth.com/oauth2-servers/pkce/) on all login attempts. + - **Support Groups**: Allow Cloudflare to read a user's Entra ID group membership. + - **Entra ID Policy Sync**: Refer to our [Entra ID Conditional Access tutorial](/cloudflare-one/tutorials/entra-id-conditional-access/). + - **Enable SCIM**: Refer to [Synchronize users and groups](#synchronize-users-and-groups). + - **Email claim**: Enter the Entra ID claim that you wish to use for user identification (for example, `preferred_username`). 
+ - **OIDC Claims**: Enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). 6. Select **Save**. @@ -114,24 +110,26 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha ## Synchronize users and groups -The Azure AD integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). +The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). ### Prerequisites -* Microsoft Entra ID P1 or P2 license +- Microsoft Entra ID P1 or P2 license ### 1. Enable SCIM in Zero Trust - + -### 2. Configure SCIM in Azure +### 2. Configure SCIM in Entra ID :::note - -SCIM requires a separate enterprise application from the one created during [initial setup](#set-up-azure-ad-as-an-identity-provider). +SCIM requires a separate enterprise application from the one created during [initial setup](#set-up-entra-id-as-an-identity-provider). ::: -1. In the Azure Active Directory menu, go to **Enterprise applications**. +1. In the Microsoft Entra ID menu, go to **Enterprise applications**. 2. Select **New application** > **Create your own application**. 
@@ -139,11 +137,11 @@ SCIM requires a separate enterprise application from the one created during [ini 4. Select **Integrate any other application you don't find in the gallery (Non-gallery)**. -5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal). +5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal). 6. Go to **Provisioning** and select **Get started**. -7. For **Provisioning Mode**, choose *Automatic*. +7. For **Provisioning Mode**, choose _Automatic_. 8. In the **Tenant URL** field, enter the **SCIM Endpoint** obtained from Zero Trust. 
@@ -153,68 +151,68 @@ SCIM requires a separate enterprise application from the one created during [ini 11. Select **Save**. -12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Azure. +12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Entra ID. To check which users and groups were synchronized, select **View provisioning logs**. ### Provisioning attributes -Provisioning attributes define the user properties that Azure AD will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Azure AD and select **Edit attribute mappings**. +Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Entra ID and select **Edit attribute mappings**. We recommend enabling the following user attribute mappings: -| customappsso Attribute | Azure AD Attribute | Recommendation | +| customappsso Attribute | Entra ID Attribute | Recommendation | | ------------------------------ | ------------------ | -------------- | | `emails[type eq "work"].value` | `mail` | Required | | `name.givenName` | `givenName` | Recommended | | `name.familyName` | `surname` | Recommended | -## Azure groups in Zero Trust policies +## Entra groups in Zero Trust policies ### Automatic entry -When [SCIM synchronization is enabled](#synchronize-users-and-groups), your Azure group names will automatically appear in the Access and Gateway policy builders. +When [SCIM synchronization is enabled](#synchronize-users-and-groups), your Entra group names will automatically appear in the Access and Gateway policy builders. -If building an Access policy, choose the *Azure Groups* selector. +If building an Access policy, choose the _Azure Groups_ selector. 
![Azure group names displayed in the Access policy builder](~/assets/images/cloudflare-one/identity/azure/azure-scim-groups.png) -If building a Gateway policy, choose the [*User Group Names*](/cloudflare-one/policies/gateway/identity-selectors/#user-group-names) selector. +If building a Gateway policy, choose the [_User Group Names_](/cloudflare-one/policies/gateway/identity-selectors/#user-group-names) selector. ### Manual entry -You can create Access and Gateway policies for groups that are not synchronized with SCIM. Azure AD exposes directory groups in a format that consists of random strings, the `Object Id`, that is distinct from the `Name`. +You can create Access and Gateway policies for groups that are not synchronized with SCIM. Entra ID exposes directory groups in a format that consists of random strings, the `Object Id`, that is distinct from the `Name`. -1. Make sure you enable **Support groups** as you set up Azure AD in Zero Trust. +1. Make sure you enable **Support groups** as you set up Microsoft Entra ID in Zero Trust. -2. On your Azure dashboard, note the `Object Id` for the Azure group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`. +2. On your Azure dashboard, note the `Object Id` for the Entra group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`. ![Viewing the Azure group ID on the Azure dashboard](~/assets/images/cloudflare-one/identity/azure/object-id.png) -3. If building an Access policy, choose the *Azure Groups* selector. If building a Gateway policy, choose the *User Group IDs* selector. +3. If building an Access policy, choose the _Azure Groups_ selector. If building a Gateway policy, choose the _User Group IDs_ selector. -4. In the **Value** field, enter the `Object Id` for the Azure group. +4. In the **Value** field, enter the `Object Id` for the Entra group. 
![Entering an Azure group ID in Zero Trust](~/assets/images/cloudflare-one/identity/azure/configure-group-n.png) ### Nested groups -Access and Gateway policies for an Azure group will also apply to all [nested groups](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-groups#add-or-remove-a-group-from-another-group). For example, if a user belongs to the group `US devs`, and `US devs` is part of the broader group `Devs`, the user would be allowed or blocked by all policies created for `Devs`. +Access and Gateway policies for an Entra group will also apply to all [nested groups](https://learn.microsoft.com/entra/fundamentals/how-to-manage-groups#add-a-group-to-another-group). For example, if a user belongs to the group `US devs`, and `US devs` is part of the broader group `Devs`, the user would be allowed or blocked by all policies created for `Devs`. ## Force user interaction during WARP reauthentication -You can require users to re-enter their credentials into Azure AD whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting, make a [`PUT` request](/api/operations/access-identity-providers-update-an-access-identity-provider) and set the `prompt` parameter to either `login` or `select_account`. +You can require users to re-enter their credentials into Entra ID whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting, make a [`PUT` request](/api/operations/access-identity-providers-update-an-access-identity-provider) and set the `prompt` parameter to either `login` or `select_account`. 
## Example API Configuration ```json { - "config": { - "client_id": "", - "client_secret": "", - "directory_id": "", - "support_groups": true - }, - "type": "azureAD", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "directory_id": "", + "support_groups": true + }, + "type": "azureAD", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/facebook-login.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/facebook-login.mdx index a8411d94d8b165..97c8350d0e965c 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/facebook-login.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/facebook-login.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: Facebook -sidebar: - order: 10 - --- Use these steps to set up Facebook as your identity provider. @@ -66,11 +63,11 @@ To test that your connection is working, follow the steps on [SSO Integration](/ ```json { - "config": { - "client_id": "", - "client_secret": "" - }, - "type": "facebook", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "" + }, + "type": "facebook", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/github.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/github.mdx index 39abd43d8bb6ff..a6eb40f302d3bb 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/github.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/github.mdx @@ -1,12 +1,6 @@ --- pcx_content_type: how-to title: GitHub -sidebar: - order: 11 -head: - - tag: title - content: GitHub - IdP Integration - --- Cloudflare Zero Trust allows your team to connect to your applications using their GitHub login. Administrators can build rules for specific individuals or using GitHub organizations. You do not need to have a GitHub organization to use the integration. 
@@ -32,6 +26,7 @@ To configure GitHub access in both GitHub and Cloudflare Zero Trust: You can find your team name in Zero Trust under **Settings** > **Custom Pages**. 5. In the GitHub **Authorization callback URL** field, enter the following URL: + ```txt https://.cloudflareaccess.com/cdn-cgi/access/callback ``` @@ -59,11 +54,11 @@ If you have GitHub two-factor authentication enabled, you will need to first log ```json { - "config": { - "client_id": "", - "client_secret": "" - }, - "type": "github", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "" + }, + "type": "github", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/google.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/google.mdx index 2ccc8db9712115..07df2251151b12 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/google.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/google.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: Google -sidebar: - order: 12 - --- You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration allows any user with a Google account to log in (if the [Access policy](/cloudflare-one/policies/access/) allows them to reach the resource). Unlike the instructions for [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/), the steps below will not allow you to pull group membership information from a Google Workspace account. 
@@ -22,7 +19,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Suite as 4. Choose `External` as the User Type. Since this application is not being created in a Google Workspace account, any user with a Gmail address can login. -5. Name the application, add a support email, and input contact fields. Google Cloud Platform requires an email in your account. +5. Name the application, add a support email, and input contact fields. Google Cloud Platform requires an email in your account. :::note In the **Scopes** section, we recommend adding the `userinfo.email` scope. This is not required for the integration, but shows authenticating users what information is being gathered. You do not need to add test users. ::: @@ -40,6 +37,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Suite as You can find your team name in Zero Trust under **Settings** > **Custom Pages**. 8. Under **Authorized redirect URIs**, in the **URIs** field, enter the following URL: + ```txt https://.cloudflareaccess.com/cdn-cgi/access/callback ``` @@ -64,11 +62,11 @@ To test that your connection is working, go to **Authentication** > **Login meth ```json { - "config": { - "client_id": "", - "client_secret": "" - }, - "type": "google", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "" + }, + "type": "google", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx index 55def605b97969..ddfcb56bb22f87 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx 
@@ -1,17 +1,11 @@ --- pcx_content_type: how-to title: Google Workspace -sidebar: - order: 13 -head: - - tag: title - content: Google Workspace - IdP - --- :::note -The Google Workspace IdP integration is not supported if your Google Workspace account is protected by Access. +The Google Workspace IdP integration is not supported if your Google Workspace account is protected by Access. ::: You can integrate a Google Workspace (formerly Google Suite) account with Cloudflare Access. Unlike the instructions for [generic Google authentication](/cloudflare-one/identity/idp-integration/google/), the steps below will allow you to pull group membership information from your Google Workspace account. @@ -28,7 +22,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace 3. Go to **APIs & Services** and select **+ Enable APIs and Services**. The API Library will load. -4. In the API Library, search for `admin` and select *Admin SDK API*. +4. In the API Library, search for `admin` and select _Admin SDK API_. 5. **Enable** the Admin SDK API. @@ -49,7 +43,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace ![Location of OAuth client ID settings on Google Cloud Platform credentials page.](~/assets/images/cloudflare-one/identity/google/create-oauth.png) -10. Choose *Web application* as the Application type. +10. Choose _Web application_ as the Application type. 11. Under **Authorized JavaScript origins**, in the **URIs** field, enter your team domain: @@ -94,12 +88,12 @@ To test that your connection is working, go to **Authentication** > **Login meth ```json { - "config": { - "client_id": "", - "client_secret": "", - "apps_domain": "mycompany.com" - }, - "type": "google-apps", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "apps_domain": "mycompany.com" + }, + "type": "google-apps", + "name": "my example idp" } ``` 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/index.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/index.mdx index 35835e5253b8d0..265f4aef181f7b 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/index.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/index.mdx @@ -1,12 +1,9 @@ --- pcx_content_type: how-to title: SSO integration -sidebar: - order: 3 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Cloudflare Zero Trust allows you to integrate your organization's identity providers (IdPs) with Cloudflare Access. Your team can simultaneously use multiple providers, reducing friction when working with partners or contractors. @@ -14,10 +11,8 @@ Adding an identity provider as a login method requires configuration both in [Ze :::undefined - Cloudflare Zero Trust supports social identity providers that do not require administrator accounts, open source providers, and corporate providers. Cloudflare also supports using signed AuthN requests with SAML providers. - ::: ## Set up IdPs in Zero Trust diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx index 69aa542057a296..593e9d8f5d058f 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx 
@@ -1,11 +1,9 @@ --- pcx_content_type: how-to title: Jumpcloud (SAML) -sidebar: - order: 14 --- -JumpCloud provides [Directory-as-a-Service®](https://jumpcloud.com/daas-product/) to securely connect user identities to systems, apps, files, and networks. Cloudflare Access integrates with JumpCloud using the SAML protocol. [This documentation from JumpCloud](https://support.jumpcloud.com/s/article/getting-started-applications-saml-sso2) can help you configure applications within your JumpCloud deployment. +JumpCloud provides [Directory-as-a-Service](https://jumpcloud.com/daas-product/) to securely connect user identities to systems, apps, files, and networks. Cloudflare Access integrates with JumpCloud using the SAML protocol. [This documentation from JumpCloud](https://support.jumpcloud.com/s/article/getting-started-applications-saml-sso2) can help you configure applications within your JumpCloud deployment. These steps focus on requirements specific to Cloudflare Zero Trust. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/keycloak.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/keycloak.mdx index 11294188531c07..1f08efefbdb58c 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/keycloak.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/keycloak.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: Keycloak (SAML) -sidebar: - order: 15 - --- Keycloak is an open source identity and access management solution built by JBoss. If you need a Keycloak lab environment for testing, refer to [this example](https://github.com/mw866/tunnel-keycloak). diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/linkedin.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/linkedin.mdx index aa4b9179eb5dc0..0562a49e6d1f31 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/linkedin.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/linkedin.mdx 
@@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: LinkedIn -sidebar: - order: 16 - --- Cloudflare Access allows your users to use LinkedIn as their identity provider (IdP). @@ -72,11 +69,11 @@ To test that your connection is working, in Zero Trust, go to **Authentication** ```json { - "config": { - "client_id": "", - "client_secret": "" - }, - "type": "linkedin", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "" + }, + "type": "linkedin", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx index 88143ea206fc7c..a14b86cf11dde5 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx @@ -1,8 +1,6 @@ --- pcx_content_type: how-to title: Okta (SAML) -sidebar: - order: 18 --- Cloudflare Zero Trust can integrate SAML with Okta as an identity provider. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 7f016032d1ebf1..468a7d6dc56b55 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx @@ -1,8 +1,6 @@ --- pcx_content_type: how-to title: Okta -sidebar: - order: 17 --- import { Render } from "~/components"; 
@@ -42,8 +40,7 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us 9. Set the **Groups claim filter** to _Matches regex_ and its value to `.*`. :::note - - Groups managed outside of Okta (for example, Entra ID/Azure AD or Google groups) may require different regex values. For more information, refer to the [Okta documentation](https://support.okta.com/help/s/article/Why-isnt-my-Groups-claim-returning-Active-Directory-groups). + Groups managed outside of Okta (for example, Microsoft Entra ID or Google groups) may require different regex values. For more information, refer to the [Okta documentation](https://support.okta.com/help/s/article/Why-isnt-my-Groups-claim-returning-Active-Directory-groups). ::: 10. In the **General** tab, copy the **Client ID** and **Client secret**. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx index 54073a1ff3f5dd..aea84e3a662ce1 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: OneLogin -sidebar: - order: 19 - --- OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an OIDC identity provider. 
@@ -41,10 +38,11 @@ OneLogin provides SSO identity management. Cloudflare Access supports OneLogin a 12. Select **OneLogin**. 13. Fill in the following information: - * **Name**: Name your identity provider. - * **App ID**: Enter your OneLogin client ID. - * **Client secret**: Enter your OneLogin client secret. - * **OneLogin account URL**: Enter your OneLogin domain, for example `https://.onelogin.com`. + + - **Name**: Name your identity provider. + - **App ID**: Enter your OneLogin client ID. + - **Client secret**: Enter your OneLogin client secret. + - **OneLogin account URL**: Enter your OneLogin domain, for example `https://.onelogin.com`. 14. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). @@ -56,12 +54,12 @@ To test that your connection is working, go to **Authentication** > **Login meth ```json { - "config": { - "client_id": "", - "client_secret": "", - "onelogin_account": "https://mycompany.onelogin.com" - }, - "type": "onelogin", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "onelogin_account": "https://mycompany.onelogin.com" + }, + "type": "onelogin", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx index 82aec021b834f9..f49e025cdc3ab2 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: OneLogin (SAML) -sidebar: - order: 20 - --- OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an SAML identity provider. 
@@ -84,15 +81,15 @@ To add a metadata file to your OneLogin SAML configuration: ```json { - "config": { - "issuer_url": "https://app.onelogin.com/saml/metadata/1b84ee45-d4fa-4373-8853-abz438942123", - "sso_target_url": "https://sandbox.onelogin.com/trust/saml2/http-post/sso/123456", - "attributes": ["email"], - "email_attribute_name": "", - "sign_request": false, - "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" - }, - "type": "saml", - "name": "onelogin saml example" + "config": { + "issuer_url": "https://app.onelogin.com/saml/metadata/1b84ee45-d4fa-4373-8853-abz438942123", + "sso_target_url": "https://sandbox.onelogin.com/trust/saml2/http-post/sso/123456", + "attributes": ["email"], + "email_attribute_name": "", + "sign_request": false, + "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" + }, + "type": "saml", + "name": "onelogin saml example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx index 32b1290ada6293..805ea6cba88023 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx @@ -1,12 +1,9 @@ --- pcx_content_type: how-to -title: PingFederate® -sidebar: - order: 21 - +title: PingFederate --- -The PingFederate® offering from PingIdentity provides SSO identity management. Cloudflare Access supports PingFederate as a SAML identity provider. +The PingFederate offering from PingIdentity provides SSO identity management. Cloudflare Access supports PingFederate as a SAML identity provider. ## Set up PingFederate as an identity provider 
@@ -18,25 +15,25 @@ The PingFederate® offering from PingIdentity provides SSO identity management. 4. Complete the fields for name, description, and category. - These can be any value. A prompt displays to select a signing certificate to use. +These can be any value. A prompt displays to select a signing certificate to use. 5. In the **SAML attribute configuration** dialog select **Email attribute** > **urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress**. - :::note - There is an additional setting for PingFederate prior to 9.0. - ::: +:::note +There is an additional setting for PingFederate prior to 9.0. +::: 6. In the **Signature Policy** tab, disable the option to **Always Sign Assertion**. 7. Leave the option enabled for **Sign Response As Required**. - This ensures that SAML destination headers are sent during the integration. +This ensures that SAML destination headers are sent during the integration. - In versions 9.0 above, you can leave both of these options enabled. +In versions 9.0 above, you can leave both of these options enabled. 8. A prompt displays to download the SAML metadata from Ping. - This file shares several fields with Cloudflare Access so you do not have to input this data. +This file shares several fields with Cloudflare Access so you do not have to input this data. 9. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. @@ -46,11 +43,11 @@ The PingFederate® offering from PingIdentity provides SSO identity management. 12. In the **IdP Entity ID** field, enter the following URL: - ```txt - https://.cloudflareaccess.com/cdn-cgi/access/callback - ``` +```txt +https://.cloudflareaccess.com/cdn-cgi/access/callback +``` - You can find your team name in Zero Trust under **Settings** > **Custom Pages**. +You can find your team name in Zero Trust under **Settings** > **Custom Pages**. 13. Fill the other fields with values from your Ping dashboard. 
@@ -62,15 +59,15 @@ To test that your connection is working, go to **Authentication** > **Login meth ```json { - "config": { - "issuer_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback", - "sso_target_url": "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=aebe6668-32fe-4a87-8c2b-avcd3599a123", - "attributes": ["PingOne.AuthenticatingAuthority", "PingOne.idpid"], - "email_attribute_name": "", - "sign_request": false, - "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" - }, - "type": "saml", - "name": "ping saml example" + "config": { + "issuer_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback", + "sso_target_url": "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=aebe6668-32fe-4a87-8c2b-avcd3599a123", + "attributes": ["PingOne.AuthenticatingAuthority", "PingOne.idpid"], + "email_attribute_name": "", + "sign_request": false, + "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" + }, + "type": "saml", + "name": "ping saml example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx index 4d4cb75bdd8b3e..e05afcf45079d4 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx 
@@ -1,12 +1,9 @@ --- pcx_content_type: how-to -title: PingOne® -sidebar: - order: 22 - +title: PingOne --- -The PingOne® cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as an OIDC identity provider. +The PingOne cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as an OIDC identity provider. ## Set up PingOne as an OIDC provider @@ -25,6 +22,7 @@ The PingOne® cloud platform from PingIdentity provides SSO identity management. ``` You can find your team name in Zero Trust under **Settings** > **Custom Pages**. + 10. Select **Save**. 11. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. 12. Under **Login methods**, select **Add new**. @@ -40,12 +38,12 @@ You can now [test your connection](/cloudflare-one/identity/idp-integration/#tes ```json { - "config": { - "client_id": "", - "client_secret": "", - "ping_env_id": "" - }, - "type": "ping", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "ping_env_id": "" + }, + "type": "ping", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx index 0881fca7ed334c..bbd495bb02bb0c 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx 
@@ -1,14 +1,11 @@ --- pcx_content_type: how-to -title: PingOne® (SAML) -sidebar: - order: 23 - +title: PingOne (SAML) --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; -The PingOne® cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as a SAML identity provider. +The PingOne cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as a SAML identity provider. ## Set up PingOne as a SAML provider diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx index 24fe603931739a..c0df9177e3ee25 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx @@ -1,12 +1,9 @@ --- pcx_content_type: how-to title: Signed AuthN requests (SAML) -sidebar: - order: 24 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; In a SAML request flow, Cloudflare Access functions as the service provider (SP) to the identity provider (IdP). Cloudflare Access sends a SAML request to your IdP. The signing certificate that you upload from your SAML provider verifies the response. 
@@ -36,14 +33,14 @@ To set up Signed AuthN requests: Cloudflare Access uses a certificate that includes the following 2 distinguished name fields: - * **Issuer Distinguished Name** – `CN=cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare` - * **Subject Distinguished Name** – `CN=*.cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare` + - **Issuer Distinguished Name** – `CN=cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare` + - **Subject Distinguished Name** – `CN=*.cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare` Most IdP configurations require 3 components to enforce AuthN signature verification: - * **Certificate issuer [distinguished name (DN)](https://knowledge.digicert.com/generalinformation/INFO1745.html)** - * **Certificate subject distinguished name** - * **Public certificate** + - **Certificate issuer [distinguished name (DN)](https://knowledge.digicert.com/generalinformation/INFO1745.html)** + - **Certificate subject distinguished name** + - **Public certificate** 6. In your IdP account, replace your authorization domain with the team domain generated by Cloudflare Access. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/yandex.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/yandex.mdx index 94f6e432840110..baa29536195e91 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/yandex.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/yandex.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: Yandex -sidebar: - order: 25 - --- Yandex is a web search engine that also offers identity provider (IdP) services. @@ -58,11 +55,11 @@ To set up Yandex for Cloudflare Access: ```json { - "config": { - "client_id": "", - "client_secret": "" - }, - "type": "yandex", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "" + }, + "type": "yandex", + "name": "my example idp" } ``` 
diff --git a/src/content/docs/cloudflare-one/identity/one-time-pin.mdx b/src/content/docs/cloudflare-one/identity/one-time-pin.mdx index 8e9082cbc38911..25185d3caa4df8 100644 --- a/src/content/docs/cloudflare-one/identity/one-time-pin.mdx +++ b/src/content/docs/cloudflare-one/identity/one-time-pin.mdx @@ -3,14 +3,13 @@ pcx_content_type: how-to title: One-time PIN login sidebar: order: 2 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Cloudflare Access can send a one-time PIN (OTP) to approved email addresses as an alternative to integrating an identity provider. You can simultaneously configure OTP login and the identity provider of your choice to allow users to select their own authentication method. -For example, if your team uses Okta® but you are collaborating with someone outside your organization, you can use OTP to grant access to guests. +For example, if your team uses Okta but you are collaborating with someone outside your organization, you can use OTP to grant access to guests. ## Set up OTP 
@@ -29,26 +28,26 @@ To log in to Access using the one-time PIN: :::note -By design, blocked users will not receive an email. The login page will always say **A code has been emailed to you**, regardless of whether or not an email was sent. +By design, blocked users will not receive an email. The login page will always say **A code has been emailed to you**, regardless of whether or not an email was sent. ::: 4. Paste the PIN into the Access login page and select **Sign in**. ![Enter PIN to sign in.](~/assets/images/cloudflare-one/identity/otp/otp2.png) - * If the code was valid, you will be redirected to the application. - * If the code was invalid, you will see **That account does not have access.** + - If the code was valid, you will be redirected to the application. + - If the code was invalid, you will see **That account does not have access.** :::note -Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs). +Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs). ::: ## Example API Config ```json { - "config": {}, - "type": "onetimepin", - "name": "my example idp" + "config": {}, + "type": "onetimepin", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/policies/access/index.mdx b/src/content/docs/cloudflare-one/policies/access/index.mdx index 1bafdd39cb0022..3324e101b7adb3 100644 --- a/src/content/docs/cloudflare-one/policies/access/index.mdx +++ b/src/content/docs/cloudflare-one/policies/access/index.mdx 
@@ -6,16 +6,15 @@ sidebar: head: - tag: title content: Access policies - --- Cloudflare Access determines who can reach your application by applying the Access policies you configure. An Access policy consists of an **Action** as well as rules which determine the scope of the action. To build a rule, you need to choose a **Rule type**, **Selector**, and a **Value** for the selector. -* [Actions](#actions) -* [Rule types](#rule-types) -* [Selectors](#selectors) +- [Actions](#actions) +- [Rule types](#rule-types) +- [Selectors](#selectors) ## Actions @@ -56,10 +55,8 @@ For example, this configuration blocks every request to the application, except :::caution[Warning] - Bypass does not enforce any Access security controls and requests are not logged. This should be tested before deploying to production. Consider using Service Auth if you would like to enforce policies and maintain logging without requiring user authentication. - ::: The Bypass action disables any Access enforcement for traffic that meets the defined rule criteria. Bypass is typically used to enable applications that require specific endpoints to be public. For example, some applications have an endpoint under the `/admin` route that must be publicly routable. In this situation, you could create an Access application for the domain `test.example.com/admin/` and add the following Bypass policy: @@ -72,10 +69,8 @@ As part of implementing a Zero Trust security model, we do not recommend using B :::note - When applying a Bypass action, security settings revert to the defaults configured for the zone and any configured Page Rules. If **Always use HTTPS** is enabled for the site, then traffic to the bypassed destination continues in HTTPS. If **Always use HTTPS** is disabled, traffic is HTTP. - ::: ### Service Auth 
@@ -134,26 +129,29 @@ Identity-based attributes are only checked when a user authenticates to Access, | Selector | Description | Checked at login | Checked continuously1 | | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | -| Emails | `you@company.com` | ✅ | ❌ | -| Emails ending in | `@company.com` | ✅ | ❌ | -| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ | -| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | -| Country | Uses the IP address to determine country. | ✅ | ✅ | -| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | -| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | -| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | -| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ | -| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ | -| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | -| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | -| Identity provider group | Checks the user groups you configured with your identity provider (IdP). This selector only displays if you use AzureAD, GitHub, Google, or Okta as your IdP. | ✅ | ❌ | -| SAML Group | Checks a SAML attribute name / value pair. 
This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. | ✅ | ❌ | -| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. | ✅ | ❌ | -| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ | -| Warp | Checks that the device is connected to WARP, including the consumer version. | ✅ | ✅ | -| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). | ✅ | ✅ | - -1 For SaaS applications, Access can only enforce policies at the time of initial sign on and when reissuing the SaaS session. Once the user has authenticated to the SaaS app, session management falls solely within the purview of the SaaS app. +| Emails | `you@company.com` | ✅ | ❌ | +| Emails ending in | `@company.com` | ✅ | ❌ | +| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ | +| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | +| Country | Uses the IP address to determine country. | ✅ | ✅ | +| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | +| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | +| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | +| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ | +| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. 
| ✅ | ✅ | +| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | +| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | +| Identity provider group | Checks the user groups you configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, or Okta as your IdP. | ✅ | ❌ | +| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. | ✅ | ❌ | +| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. | ✅ | ❌ | +| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ | +| Warp | Checks that the device is connected to WARP, including the consumer version. | ✅ | ✅ | +| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). | ✅ | ✅ | + +1 For SaaS applications, Access can only enforce policies at the time +of initial sign on and when reissuing the SaaS session. Once the user has +authenticated to the SaaS app, session management falls solely within the +purview of the SaaS app. ## Order of execution 
@@ -161,11 +159,11 @@ Policies are evaluated based on their action type and ordering. Bypass and Servi For example, if you have a list of policies arranged as follows: -* Allow A -* Block B -* Service Auth C -* Bypass D -* Allow E +- Allow A +- Block B +- Service Auth C +- Bypass D +- Allow E The policies will execute in this order: Service Auth C > Bypass D > Allow A > Block B > Allow E. Once a user matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. diff --git a/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx b/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx index baa901a90c44e8..a35b76f395f224 100644 --- a/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx @@ -3,19 +3,18 @@ pcx_content_type: how-to title: Enforce MFA sidebar: order: 6 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key. This feature is only available if you are using the following identity providers: -* Okta -* Azure AD -* OpenID Connect (OIDC) -* SAML +- Okta +- Microsoft Entra ID (formerly Azure AD) +- OpenID Connect (OIDC) +- SAML To enforce an MFA requirement to an application: 
@@ -29,20 +28,18 @@ To enforce an MFA requirement to an application: The rule must contain an Include rule which defines an identity. For example, the Include rule should allow for users who are part of a user [group](/cloudflare-one/identity/users/groups/), email domain, or identity provider group. -5. Add a *Require* action to the rule. +5. Add a _Require_ action to the rule. -6. Select *Authentication Method* and choose `mfa - multiple-factor authentication`. +6. Select _Authentication Method_ and choose `mfa - multiple-factor authentication`. 7. Save the rule. :::caution[Important] - **What happens if the user fails to present the required MFA method?** Cloudflare Access will reject the user, even if they successfully login to the identity provider with an alternative method. - ::: ## Adding authentication methods into the JWT diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx index 1473f9b65a4ff5..4b6a0d54f3e85d 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx @@ -3,7 +3,6 @@ pcx_content_type: reference title: Predefined profiles sidebar: order: 2 - --- Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure [advanced settings](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for predefined profiles. 
@@ -12,17 +11,15 @@ Cloudflare Zero Trust provides predefined DLP profiles for common types of sensi The following secrets are validated with regex. -* Google Cloud Platform keys -* AWS keys -* Azure API keys -* SSH keys +- Google Cloud Platform keys +- AWS keys +- Azure API keys +- SSH keys ## Financial information Credit card numbers begin with a six or eight-digit Issuer Identification Number (IIN) and are followed by up to 23 additional digits. CVVs are not validated. - - | Detection entry | Notes | | -------------------------------- | --------------------------------------------------------------------------------- | | American Express Card Number | Validated using [Luhn's algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm). | @@ -38,22 +35,18 @@ Credit card numbers begin with a six or eight-digit Issuer Identification Number | United States ABA Routing Number | Validated algorithmically with checksum. | | IBAN | Validated with checksum. | - - ## Health information The following diagnosis and medication names are checked for surrounding ASCII characters to prevent false positives. -* FDA active ingredients -* FDA drug names -* ICD-10 FY2023 short descriptions +- FDA active ingredients +- FDA drug names +- ICD-10 FY2023 short descriptions ## National identifiers Detections are validated algorithmically when possible. - - | Detection entry | Notes | | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | United States SSN Numeric Detection | Commonly used separators are required to match the detection entry. For example, `000-00-0000` matches but `000000000` does not. Social security numbers do not adhere to algorithmic validation. | 
@@ -71,21 +64,19 @@ Detections are validated algorithmically when possible. | United Kingdom NHS Number | Validated with checksum. | | United Kingdom National Insurance Number | Validated with regex. | - - ## Source code The following programming languages are validated with natural language processing (NLP). -* C -* C++ -* C# -* Go -* Haskell -* Java -* JavaScript -* Lua -* Python -* R -* Rust -* Swift +- C +- C++ +- C# +- Go +- Haskell +- Java +- JavaScript +- Lua +- Python +- R +- Rust +- Swift diff --git a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx index b508b7f000ef66..9e501287b988eb 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx 
@@ -96,15 +96,15 @@ Cloudflare Gateway can integrate with your organization's identity providers (Id Because IdPs expose user groups in different formats, reference the list below to choose the appropriate identity-based selector. -### Azure AD +### Microsoft Entra ID | Selector | Value | | -------------- | ------------------------------------- | | User Group IDs | `61503835-b6fe-4630-af88-de551dd59a2` | -**Value** is the [Object Id](/cloudflare-one/identity/idp-integration/azuread/#azure-groups-in-zero-trust-policies) for an Azure group. +**Value** is the [Object Id](/cloudflare-one/identity/idp-integration/entra-id/#entra-groups-in-zero-trust-policies) for an Entra group. -If you enabled user and group synchronization with [SCIM](/cloudflare-one/identity/idp-integration/azuread/#synchronize-users-and-groups), the synchronized groups will appear under _User Group Names_: +If you enabled user and group synchronization with [SCIM](/cloudflare-one/identity/idp-integration/entra-id/#synchronize-users-and-groups), the synchronized groups will appear under _User Group Names_: | Selector | Value | | ---------------- | ------------ | diff --git a/src/content/docs/cloudflare-one/tutorials/azuread-conditional-access.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx similarity index 65% rename from src/content/docs/cloudflare-one/tutorials/azuread-conditional-access.mdx rename to src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx index e14c6a0af12d17..313c628889baa7 100644 --- a/src/content/docs/cloudflare-one/tutorials/azuread-conditional-access.mdx +++ b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx 
@@ -2,31 +2,27 @@ updated: 2024-01-12 category: 🔐 Access pcx_content_type: tutorial -title: Use Azure AD Conditional Access policies in Cloudflare Access - +title: Use Microsoft Entra ID Conditional Access policies in Cloudflare Access --- -With Azure Active Directory (AD)'s [Conditional Access](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview), administrators can enforce policies on applications and users directly in Azure AD. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users. - +With [Conditional Access](https://learn.microsoft.com/entra/identity/conditional-access/overview) in Microsoft Entra ID (formerly Azure Active Directory), administrators can enforce policies on applications and users directly in Entra ID. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users. ## Before you begin - Make sure you have: -* Global admin rights to an Azure AD account -* Configured users in the Azure AD account +- Global admin rights to Microsoft Entra ID account +- Configured users in the Microsoft Entra ID account ## Set up an identity provider for your application -Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider) for Azure AD. - +Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider) for Entra ID. -## Add API permission in Azure AD +## Add API permission in Entra ID -Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Azure AD. +Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Entra ID. -1. In Azure Active Directory, go to **App registrations**. +1. 
In Microsoft Entra ID, go to **App registrations**. 2. Select the application you created for the IdP integration. @@ -38,16 +34,16 @@ Once the base IdP integration is tested and working, grant permission for Cloudf 6. Select **Grant admin consent**. -## Configure Conditional Access in Azure AD +## Configure Conditional Access in Entra ID -1. In Azure Active Directory, go to **Enterprise applications** > **Conditional Access**. +1. In Microsoft Entra ID, go to **Enterprise applications** > **Conditional Access**. 2. Go to **Authentication Contexts**. 3. [Create an authentication context](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context) to reference in your Cloudflare Access policies. Give the authentication context a descriptive name (for example, `Require compliant devices`). 4. Next, go to **Policies**. 5. [Create a new Conditional Access policy](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies) or select an existing policy. 6. Assign the conditional access policy to an authentication context: 1. In the policy builder, select **Target resources**. - 2. In the **Select what this policy applies to** dropdown, select *Authentication context*. + 2. In the **Select what this policy applies to** dropdown, select _Authentication context_. 3. Select the authentication context that will use this policy. 4. Save the policy. @@ -56,7 +52,7 @@ Once the base IdP integration is tested and working, grant permission for Cloudf To import your Conditional Access policies into Cloudflare Access: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. -2. Find your Azure AD integration and select **Edit**. +2. Find your Microsoft Entra ID integration and select **Edit**. 3. Enable **Azure AD Policy Sync**. 4. Select **Save**. 
@@ -70,16 +66,13 @@ To enforce your Conditional Access policies on a Cloudflare Access application:
 3. In **Application domain**, enter the target URL of the protected application.
-4. For **Identity providers**, select your Azure AD integration.
+4. For **Identity providers**, select your Microsoft Entra ID integration.
-5. Finally, create an [Access policy](/cloudflare-one/policies/access/) using the *Azure AD - Auth context* selector. For example:
+5. Finally, create an [Access policy](/cloudflare-one/policies/access/) using the _Azure AD - Auth context_ selector. For example:
 | Action | Rule type | Selector | Value |
 | ------ | --------- | ----------------------- | --------------------------- |
 | Allow | Include | Emails ending in | `@example.com` |
 | | Require | Azure AD - Auth context | `Require compliant devices` |
-Users will only be allowed access if they pass the Azure AD Conditional Access policies associated with this authentication context.
-
-
-
+Users will only be allowed access if they pass the Microsoft Entra ID Conditional Access policies associated with this authentication context.
diff --git a/src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
similarity index 70%
rename from src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx
rename to src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
index a67051243acce9..5b75fa8b83b759 100644
--- a/src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
@@ -3,12 +3,12 @@ updated: 2023-01-06
 category: 🔐 Zero Trust
 difficulty: Advanced
 pcx_content_type: tutorial
-title: Isolate Azure AD risky users
+title: Isolate risky Entra ID users
 ---
-Azure Active Directory (AD) calculates a user's [risk level](https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk) based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Azure AD risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.
+Microsoft Entra ID (formerly Azure Active Directory) calculates a user's [risk level](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-investigate-risk) based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Entra ID risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.
-This tutorial demonstrates how to automatically redirect users to a remote browser when they are deemed risky by Azure.
+This tutorial demonstrates how to automatically redirect users to a remote browser when they are deemed risky by Entra ID.
 **Time to complete:**
@@ -16,15 +16,15 @@ This tutorial demonstrates how to automatically redirect users to a remote brows
 ## Prerequisites
-- Azure AD Premium P2 license
+- Microsoft Entra ID Premium P2 license
 - [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/) add-on
 - [Gateway HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) enabled on your devices
 - [npm](https://docs.npmjs.com/getting-started) installation
 - [Node.js](https://nodejs.org/en/) installation
-## 1. Set up Azure AD as an identity provider
+## 1. Set up Entra ID as an identity provider
-Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider) for Azure AD.
+Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider) for Entra ID.
 :::note
@@ -32,11 +32,11 @@ Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/a
 - Save the **Application (client) ID**, **Directory (tenant) ID**, and **Client secret** as you will need them again in a later step.
 :::
-## 2. Add Azure AD API permissions
+## 2. Add Entra ID API permissions
-Once the base IdP integration is tested and working, enable additional permissions that will allow a script to create and update risky user groups in Azure AD:
+Once the base IdP integration is tested and working, enable additional permissions that will allow a script to create and update risky user groups in Entra ID:
-1. In Azure Active Directory, go to **App registrations**.
+1. In Microsoft Entra ID, go to **App registrations**.
 2. Select the application you created for the IdP integration.
@@ -57,13 +57,13 @@ Once the base IdP integration is tested and working, enable additional permissio
 You will see the list of enabled permissions.
-![API permissions in Azure AD](~/assets/images/cloudflare-one/identity/azure/risky-users-permissions.png)
+![API permissions in Entra ID](~/assets/images/cloudflare-one/identity/azure/risky-users-permissions.png)
-## 3. Add risky users to Azure AD group
+## 3. Add risky users to Entra ID group
-Next, configure an automated script that will populate an Azure AD security group with risky users.
+Next, configure an automated script that will populate an Entra ID security group with risky users.
-To get started quickly, deploy our example Cloudflare Workers script by following the step-by-step instructions below. Alternatively, you can implement the script using [Azure Functions](https://learn.microsoft.com/en-us/azure/azure-functions/functions-overview) or any other tool.
+To get started quickly, deploy our example Cloudflare Workers script by following the step-by-step instructions below. Alternatively, you can implement the script using [Azure Functions](https://learn.microsoft.com/azure/azure-functions/functions-overview) or any other tool.
 1. Open a terminal and clone our example project.
@@ -80,8 +80,8 @@ To get started quickly, deploy our example Cloudflare Workers script by followin
 3. Modify `wrangler.toml` to include the following values:
 - ``: your Cloudflare [account ID](/fundamentals/setup/find-account-and-zone-ids/).
- - ``: your Azure AD **Directory (tenant) ID**, obtained when [setting up Azure AD as an identity provider](#1-set-up-azure-ad-as-an-identity-provider).
- - ``: your Azure AD **Application (client) ID**, obtained when [setting up Azure AD as an identity provider](#1-set-up-azure-ad-as-an-identity-provider).
+ - ``: your Entra ID **Directory (tenant) ID**, obtained when [setting up Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider).
+ - ``: your Entra ID **Application (client) ID**, obtained when [setting up Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider).
 ```toml
 name = "risky-users"
@@ -116,7 +116,7 @@ The [Cron Trigger](/workers/configuration/cron-triggers/) in this example schedu
 wrangler secret put AZURE_AD_CLIENT_SECRET
 ```
- You will be prompted to input the secret's value. Enter the **Client secret** obtained when [setting up AzureAD as an identity provider](#1-set-up-azure-ad-as-an-identity-provider).
+ You will be prompted to input the secret's value. Enter the **Client secret** obtained when [setting up Microsoft Entra ID as an identity provider](#1-set-up-azure-ad-as-an-identity-provider).
 The Worker script will begin executing once per minute. To view realtime logs, run the following command and wait for the script to execute:
@@ -124,22 +124,22 @@ The Worker script will begin executing once per minute. To view realtime logs, r
 wrangler tail --format pretty
 ```
-After the initial run, the auto-generated groups will appear in the Azure AD dashboard.
+After the initial run, the auto-generated groups will appear in the Entra ID dashboard.
-![Risky user groups in the Azure AD dashboard](~/assets/images/cloudflare-one/identity/azure/risky-users-groups.png)
+![Risky user groups in the Entra ID dashboard](~/assets/images/cloudflare-one/identity/azure/risky-users-groups.png)
 ## 4. Synchronize risky user groups
-Next, synchronize Azure AD risky user groups with Cloudflare Access:
+Next, synchronize Entra ID risky user groups with Cloudflare Access:
-1. [Enable SCIM synchronization](/cloudflare-one/identity/idp-integration/azuread/#synchronize-users-and-groups).
+1. [Enable SCIM synchronization](/cloudflare-one/identity/idp-integration/entra-id/#synchronize-users-and-groups).
-2. In Azure AD, assign the following groups to your SCIM enterprise application:
+2. In Entra ID, assign the following groups to your SCIM enterprise application:
 - `IdentityProtection-RiskyUser-RiskLevel-high`
 - `IdentityProtection-RiskyUser-RiskLevel-medium`
 - `IdentityProtection-RiskyUser-RiskLevel-low`
-Cloudflare Access will now synchronize changes in group membership with Azure AD. You can verify the synchronization status on the SCIM application's **Provisioning** page.
+Cloudflare Access will now synchronize changes in group membership with Entra ID. You can verify the synchronization status on the SCIM application's **Provisioning** page.
 ## 5. Create a browser isolation policy
@@ -156,4 +156,4 @@ Finally, create a [Gateway HTTP policy](/cloudflare-one/policies/gateway/http-po
 | Domain | in | `app1.example.com`, `app2.example.com` | And | Isolate |
 | User Group Names | in | `IdentityProtection-RiskyUser-RiskLevel-high` | | |
-To test the policy, refer to the Microsoft documentation for [simulating risky detections](https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-simulate-risk).
+To test the policy, refer to the Microsoft documentation for [simulating risky detections](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-simulate-risk).
diff --git a/src/content/docs/cloudflare-one/tutorials/gitlab.mdx b/src/content/docs/cloudflare-one/tutorials/gitlab.mdx
index 2aa0d911143060..b1fb35b936e7d5 100644
--- a/src/content/docs/cloudflare-one/tutorials/gitlab.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/gitlab.mdx
@@ -134,7 +134,7 @@ When a user makes a request to a site protected by Access, that request hits Clo
 ![GitLab Services](~/assets/images/cloudflare-one/zero-trust-security/gitlab/teams-diagram.png)
-To determine who can reach the application, Cloudflare Access relies on integration with identity providers like Okta or AzureAD or Google to issue the identity cards that get checked at the door. While a VPN allows users free range on a private network unless someone builds an active rule to stop them, Access enforces that identity check on every request (and at any granularity configured).
+To determine who can reach the application, Cloudflare Access relies on integration with identity providers like Okta, Microsoft Entra ID, or Google to issue the identity cards that get checked at the door. While a VPN allows users free range on a private network unless someone builds an active rule to stop them, Access enforces that identity check on every request (and at any granularity configured).
 For GitLab, start by building two policies. Users will connect to GitLab in a couple of methods: in the web app and over SSH. Create policies to secure a subdomain for each. First, the web app.
diff --git a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
index 51b93dab9bfd0b..e359d3ca9e6af5 100644
--- a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
+++ b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
@@ -6,10 +6,9 @@ sidebar:
 head:
 - tag: title
 content: "Reference Architecture: Architecture using Cloudflare SASE with Microsoft"
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 ## Introduction
@@ -28,13 +27,13 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo
-* Solution Brief: [Cloudflare One](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
-* Whitepaper: [Reference Architecture for Internet-Native Transformation](https://cfl.re/internet-native-transformation-wp) (10 minute read)
-* Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)
+- Solution Brief: [Cloudflare One](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
+- Whitepaper: [Reference Architecture for Internet-Native Transformation](https://cfl.re/internet-native-transformation-wp) (10 minute read)
+- Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)
 Those who read this reference architecture will learn:
-* How Cloudflare and Microsoft can be integrated together to protect users, devices, applications and networks from a Zero Trust perspective
+- How Cloudflare and Microsoft can be integrated together to protect users, devices, applications and networks from a Zero Trust perspective
 This document is also accompanied by a reference architecture with a more indepth look at [Cloudflare and SASE](/reference-architecture/architectures/sase/).
@@ -46,19 +45,19 @@ Cloudflare's [Zero Trust Network Access](https://www.cloudflare.com/zero-trust/p
 Microsoft and Cloudflare can be integrated in the following ways.
-* Using Microsoft [Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) for authentication to all Cloudflare protected resources
-* Leveraging Microsoft [InTune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune) device posture in Cloudflare policies to ensure only managed, trusted devices have access to protected resources
-* Using Cloudflare [CASB](/cloudflare-one/applications/scan-apps/) to inspect your [Microsoft 365](https://www.microsoft.com/en-us/microsoft-365/what-is-microsoft-365) tenants and alert on security findings for incorrectly configured accounts and shared files containing sensitive data
-* Using Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) to control access to Microsoft SaaS applications such as Outlook, OneDrive and Teams
-* Using Cloudflare's [Email Security](/email-security/) service to increase protection of email from phishing attacks and business email compromise.
+- Using Microsoft [Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) for authentication to all Cloudflare protected resources
+- Leveraging Microsoft [InTune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune) device posture in Cloudflare policies to ensure only managed, trusted devices have access to protected resources
+- Using Cloudflare [CASB](/cloudflare-one/applications/scan-apps/) to inspect your [Microsoft 365](https://www.microsoft.com/en-us/microsoft-365/what-is-microsoft-365) tenants and alert on security findings for incorrectly configured accounts and shared files containing sensitive data
+- Using Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) to control access to Microsoft SaaS applications such as Outlook, OneDrive and Teams
+- Using Cloudflare's [Email Security](/email-security/) service to increase protection of email from phishing attacks and business email compromise.
 ### Microsoft Entra ID with Cloudflare
 Cloudflare's integration with Entra ID allows you to leverage your identities in Entra for authentication to any Cloudflare protected application. Groups can also be imported via SCIM to be used in access policies, simplifying management and abstracting access control by managing group membership in Entra ID.
-* Entra ID enables administrators to create and enforce policies on both applications and users using Conditional Access policies.
-* It offers a wide range of parameters to control user access to applications, such as user risk level, sign-in risk level, device platform, location, client apps, and more.
-* Security teams can define their security controls in Entra ID and enforce them at the network layer, for every request, with Cloudflare's ZTNA service.
+- Entra ID enables administrators to create and enforce policies on both applications and users using Conditional Access policies.
+- It offers a wide range of parameters to control user access to applications, such as user risk level, sign-in risk level, device platform, location, client apps, and more.
+- Security teams can define their security controls in Entra ID and enforce them at the network layer, for every request, with Cloudflare's ZTNA service.
 ![Figure 1: Microsoft Entra ID integrates with Cloudflare for ZTNA access to SaaS and self hosted applications.](~/assets/images/reference-architecture/cloudflare-sase-with-microsoft/cloudflare-sase-with-microsoft-fig1.svg "Figure 1: Microsoft Entra ID integrates with Cloudflare for ZTNA access to SaaS and self hosted applications.")
@@ -66,9 +65,9 @@ Cloudflare's integration with Entra ID allows you to leverage your identities in
 Cloudflare is able to enforce access policies that include information about device posture. InTune can be integrated into Cloudflare so that information about InTune managed and protected devices can be used to enforce access control to Cloudflare protected resources.
-* With a device connected using our [agent](/cloudflare-one/connections/connect-devices/warp/), Cloudflare's ZTNA service can leverage the enhanced telemetry and context provided by Intune regarding a user's device posture and compliance state.
-* Intune provides detailed information about the security status and configuration of user devices, enabling more informed access control decisions.
-* This integration allows administrators to ensure that only compliant and secure devices are granted access to critical networks and applications.
+- With a device connected using our [agent](/cloudflare-one/connections/connect-devices/warp/), Cloudflare's ZTNA service can leverage the enhanced telemetry and context provided by Intune regarding a user's device posture and compliance state.
+- Intune provides detailed information about the security status and configuration of user devices, enabling more informed access control decisions.
+- This integration allows administrators to ensure that only compliant and secure devices are granted access to critical networks and applications.
 ![Figure 2: Figure 2: Using Intune and Cloudflare device posture data for secure application access.](~/assets/images/reference-architecture/cloudflare-sase-with-microsoft/cloudflare-sase-with-microsoft-fig2.svg "Figure 2: Using Intune and Cloudflare device posture data for secure application access.")
@@ -85,7 +84,7 @@ Learn more about how our CASB solution can [protect data at rest here](/referenc
 Cloudflare's Secure Web Gateway (SWG) can help organizations achieve safe and secure access to Microsoft 365 in the following ways:
 1. Traffic inspection and filtering: Cloudflare's SWG inspects all user and device traffic destined for the Internet, including traffic to Microsoft 365. This allows organizations to apply security policies, content filtering, and threat prevention measures to ensure that only legitimate and authorized traffic reaches Microsoft 365 services.
- As seen above, policies can be designed so that only managed, secure devices can access any part of the Microsoft 365 and Azure platform.
+ As seen above, policies can be designed so that only managed, secure devices can access any part of the Microsoft 365 and Azure platform.
 2. Data protection with DLP profiles: Traffic is not only inspected based on device posture and identity information, but our DLP engine can also examine the content of the request and allow/block downloads/uploads of confidential information to and from Microsoft 365 and Azure.
 3. Enforce Cloudflare gateway: Microsoft 365 can be configured to accept user traffic only from a specific range of IP addresses. Cloudflare makes it possible to define and associate IP addresses attached to all traffic leaving the SWG. This means that organizations can configure Microsoft 365 to only accept traffic coming from the IP address range designated by Cloudflare SWG, ensuring that all traffic has been inspected and approved by Cloudflare's security policies before reaching Microsoft 365.
@@ -107,5 +106,5 @@ By leveraging Cloudflare and its integrations with Microsoft, organizations can
 ## Related resources
-* [Overview of Microsoft and Cloudflare partnership](https://www.cloudflare.com/partners/technology-partners/microsoft/)
-* [Set up Entra ID (formerly Azure AD) as an identity provider](/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider)
+- [Overview of Microsoft and Cloudflare partnership](https://www.cloudflare.com/partners/technology-partners/microsoft/)
+- [Set up Microsoft Entra ID (formerly Azure Active Directory) as an identity provider](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider)
diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx
index 7834e1cace8e92..cd4ea43a798feb 100644
--- a/src/content/docs/reference-architecture/architectures/sase.mdx
+++ b/src/content/docs/reference-architecture/architectures/sase.mdx
@@ -6,7 +6,7 @@ sidebar:
 label: Secure Access Service Edge (SASE)
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 Download a [PDF version](/reference-architecture/static/cloudflare-evolving-to-a-sase-architecture.pdf) of this reference architecture.
@@ -14,10 +14,10 @@ Download a [PDF version](/reference-architecture/static/cloudflare-evolving-to-a
 Cloudflare One is a secure access service edge (SASE) platform that protects enterprise applications, users, devices, and networks. By progressively adopting Cloudflare One, organizations can move away from their patchwork of hardware appliances and other point solutions and instead consolidate security and networking capabilities on one unified control plane. Such network and security transformation helps address key challenges modern businesses face, including:
-* Securing access for any user to any resource with Zero Trust practices
-* Defending against cyber threats, including multi-channel phishing and ransomware attacks
-* Protecting data in order to comply with regulations and prevent leaks
-* Simplifying connectivity across offices, data centers, and cloud environments
+- Securing access for any user to any resource with Zero Trust practices
+- Defending against cyber threats, including multi-channel phishing and ransomware attacks
+- Protecting data in order to comply with regulations and prevent leaks
+- Simplifying connectivity across offices, data centers, and cloud environments
 Cloudflare One is built on Cloudflare's [connectivity cloud](https://www.cloudflare.com/connectivity-cloud/), ​​a unified, intelligent platform of programmable cloud-native services that enable any-to-any connectivity between all networks (enterprise and Internet), cloud environments, applications, and users. It is one of the [largest global networks](https://www.cloudflare.com/network/), with data centers spanning [hundreds of cities worldwide](https://www.cloudflare.com/network/) and interconnection with over 12,500 other networks. It also has a greater presence in [core Internet exchanges](https://bgp.he.net/report/exchanges#_participants) than many other large technology companies.
@@ -33,15 +33,15 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo
-* Solution Brief: [Cloudflare One](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
-* Whitepaper: [Reference Architecture for Internet-Native Transformation](https://cfl.re/internet-native-transformation-wp) (10 minute read)
-* Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)
+- Solution Brief: [Cloudflare One](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
+- Whitepaper: [Reference Architecture for Internet-Native Transformation](https://cfl.re/internet-native-transformation-wp) (10 minute read)
+- Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)
 Those who read this reference architecture will learn:
-* How Cloudflare One protects an organization's employees, devices, applications, data, and networks
-* How Cloudflare One fits into your existing infrastructure, and how to approach migration to a SASE architecture
-* How to plan for deploying Cloudflare One
+- How Cloudflare One protects an organization's employees, devices, applications, data, and networks
+- How Cloudflare One fits into your existing infrastructure, and how to approach migration to a SASE architecture
+- How to plan for deploying Cloudflare One
 While this document examines Cloudflare One at a technical level, it does not offer fine detail about every product in the platform. Instead, it looks at how all the services in Cloudflare One enable networking and network security to be consolidated on one architecture. Visit the [developer documentation](https://developers.cloudflare.com/) for further information specific to a product area or use case.
@@ -63,11 +63,11 @@ The diagram above shows an example of this adapted perimeter-based approach, in
 Such challenges are driving many organizations to prioritize goals like:
-* Accelerating business agility by supporting remote / hybrid work with secure any-to-any access
-* Improving productivity by simplifying policy management and by streamlining user experiences
-* Reducing cyber risk by protecting users and data from phishing, ransomware, and other threats across all channels
-* Consolidating visibility and controls across networking and security
-* Reducing costs by replacing expensive appliances and infrastructure (e.g. VPNs, hardware firewalls, and MPLS connections)
+- Accelerating business agility by supporting remote / hybrid work with secure any-to-any access
+- Improving productivity by simplifying policy management and by streamlining user experiences
+- Reducing cyber risk by protecting users and data from phishing, ransomware, and other threats across all channels
+- Consolidating visibility and controls across networking and security
+- Reducing costs by replacing expensive appliances and infrastructure (e.g. VPNs, hardware firewalls, and MPLS connections)
 ## Understanding a SASE architecture
@@ -75,10 +75,10 @@ In recent years, [secure access service edge](https://www.cloudflare.com/learnin
 SASE platforms consist of networking and security services, all underpinned by supporting operational services and a policy engine:
-* Network services forward traffic from a variety of networks into a single global corporate network. These services provide capabilities like firewalling, routing, and load balancing.
-* Security services apply to traffic flowing over the network, allowing for filtering of certain types of traffic and control over who can access what.
-* Operational services provide platform-wide capabilities like logging, API access, and comprehensive Infrastructure-as-Code support through providers like Terraform.
-* A policy engine integrates across all services, allowing admins to define policies which are then applied across all the connected services.
+- Network services forward traffic from a variety of networks into a single global corporate network. These services provide capabilities like firewalling, routing, and load balancing.
+- Security services apply to traffic flowing over the network, allowing for filtering of certain types of traffic and control over who can access what.
+- Operational services provide platform-wide capabilities like logging, API access, and comprehensive Infrastructure-as-Code support through providers like Terraform.
+- A policy engine integrates across all services, allowing admins to define policies which are then applied across all the connected services.
 ![Cloudflare's SASE cloud platform offers network, security, and operational services, as well as policy engine features, to provide zero trust connectivity between a variety of user identities, devices and access locations to customer applications, infrastructure and networks.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-2.svg)
@@ -98,7 +98,7 @@ Cloudflare's SASE platform benefits from our use of [anycast](https://www.cloudf
 Using anycast ensures the Cloudflare network is well balanced. If there is a sudden increase in traffic on the network, the load can be distributed across multiple data centers – which in turn, helps maintain consistent and reliable connectivity for users. Further, Cloudflare's large [network capacity](https://www.cloudflare.com/network/) and [AI/ML-optimized smart routing](https://blog.cloudflare.com/meet-traffic-manager/) also help ensure that performance is constantly optimized.
-By contrast, many other SASE providers use Unicast routing in which a single IP address is associated with a single server and/or data center. In many such architectures, a single IP address is then associated with a specific application, which means requests to access that application may have very different network routing experiences depending on how far that traffic needs to travel. For example, performance may be excellent for employees working in the office next to the application's servers, but poor for remote employees or those working overseas. Unicast also complicates scaling traffic loads — that single service location must ramp up resources when load increases, whereas anycast networks can share traffic across many data centers and geographies.
+By contrast, many other SASE providers use Unicast routing in which a single IP address is associated with a single server and/or data center. In many such architectures, a single IP address is then associated with a specific application, which means requests to access that application may have very different network routing experiences depending on how far that traffic needs to travel. For example, performance may be excellent for employees working in the office next to the application's servers, but poor for remote employees or those working overseas. Unicast also complicates scaling traffic loads — that single service location must ramp up resources when load increases, whereas anycast networks can share traffic across many data centers and geographies.
 ![Cloudflare's anycast network ensures fast and reliable connectivity, whereas Unicast routing often sends all traffic to a single IP address, resulting in slower and failure prone connections.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-5.svg)
@@ -114,10 +114,10 @@ In the bottom half are a variety of users, devices, networks, and locations. Use
 A SASE architecture will define, secure, and streamline how each user and device will connect to the various resources in the diagram. Over the following sections, this guide will show ways to integrate Cloudflare One into the above infrastructure:
-* **Applications and services**: Placing access to private applications and services behind Cloudflare
-* **Networks**: Connecting entire networks to Cloudflare
-* **Forwarding device traffic**: Facilitating access to Cloudflare-protected resources from any device
-* **Verifying users and devices**: Identifying which users access requests come from, and which devices those users have
+- **Applications and services**: Placing access to private applications and services behind Cloudflare
+- **Networks**: Connecting entire networks to Cloudflare
+- **Forwarding device traffic**: Facilitating access to Cloudflare-protected resources from any device
+- **Verifying users and devices**: Identifying which users access requests come from, and which devices those users have
 ### Connecting applications
@@ -130,9 +130,9 @@ This journey to a SASE architecture starts with an organization needing to provi Connectivity to self-hosted applications is facilitated through tunnels that are created and maintained by a software connector, [`cloudflared`](/cloudflare-one/connections/connect-networks/get-started/). `cloudflared` is a lightweight daemon installed in an organizations' infrastructure that creates a tunnel via an outbound connection to Cloudflare's global network. The connector can be installed in a variety of ways: -* In the OS installed on the bare metal server -* In the OS that is running in a virtualized environment -* In a [container](https://hub.docker.com/r/cloudflare/cloudflared) running in a Docker or Kubernetes environment +- In the OS installed on the bare metal server +- In the OS that is running in a virtualized environment +- In a [container](https://hub.docker.com/r/cloudflare/cloudflared) running in a Docker or Kubernetes environment `cloudflared` runs on Windows, Linux, or macOS operating systems and creates an encrypted tunnel using QUIC, a modern protocol that uses UDP (instead of TCP) for fast tunnel performance and modern encryption standards. Generally speaking, there are two approaches for how users can deploy `cloudflared` in their environment: 
@@ -155,12 +155,12 @@ For example, organizations can define a public hostname (`mywebapp.domain.com`) Key capabilities: -* A hostname is created in a public DNS zone and all requests to that hostname are first routed to the Cloudflare network, inspected against configured security and access policies, before being routed through the tunnel to the secured private resource -* Multiple hostnames can be defined per tunnel, with each hostname mapping to a single application (service address and port) -* Support for HTTP/HTTPS protocols -* Access to resources only requires a browser -* When Cloudflare's device client is deployed on an user device, policies can leverage additional contextual signals (e.g. determining whether the device is managed or running the latest OS) in policy enforcement -* For access to SSH/VNC services, Cloudflare renders an SSH/VNC terminal using webassembly in the browser +- A hostname is created in a public DNS zone and all requests to that hostname are first routed to the Cloudflare network, inspected against configured security and access policies, before being routed through the tunnel to the secured private resource +- Multiple hostnames can be defined per tunnel, with each hostname mapping to a single application (service address and port) +- Support for HTTP/HTTPS protocols +- Access to resources only requires a browser +- When Cloudflare's device client is deployed on an user device, policies can leverage additional contextual signals (e.g. determining whether the device is managed or running the latest OS) in policy enforcement +- For access to SSH/VNC services, Cloudflare renders an SSH/VNC terminal using webassembly in the browser Applications exposed this way receive all of the benefits of Cloudflare's leading DNS, CDN, and DDoS services as well as our web application firewall (WAF), API, and bot services, all without exposing application servers directly to the Internet. 
@@ -170,9 +170,9 @@ In some cases, users may want to leverage ZTNA policies to provide access to man Key capabilities: -* `cloudflared`, combined with Cloudflare device agent, provides access to private networks, allowing for any arbitrary L4 TCP, UDP or ICMP connections -* One or many networks can be configured using CIDR notation (e.g. 172.21.0.16/28) -* Access to resources on the private network requires the Cloudflare device agent to be installed on clients, and at least one Cloudflare Tunnel server on the connecting network +- `cloudflared`, combined with Cloudflare device agent, provides access to private networks, allowing for any arbitrary L4 TCP, UDP or ICMP connections +- One or many networks can be configured using CIDR notation (e.g. 172.21.0.16/28) +- Access to resources on the private network requires the Cloudflare device agent to be installed on clients, and at least one Cloudflare Tunnel server on the connecting network For both methods, it is important to note that `cloudflared` only proxies inbound traffic to a private application or network. It does not become a gateway or "on-ramp" back to Cloudflare for the network that it proxies inbound connections to. This means that if the web server starts its own connection to another Internet-based API, that connection will not be routed via Cloudflare Tunnel and will instead be routed via the host server's default route and gateway. 
@@ -192,10 +192,10 @@ Another method to secure access to SaaS applications is to configure single sign Key capabilities: -* Apply consistent access policies across both self-hosted and SaaS applications -* Layer device security posture into the authentication process (e.g. users can ensure that only managed devices, running the latest operating system and passing all endpoint security checks, are able to access SaaS applications) -* Ensure that certain network routes are used for access (e.g. users can require that devices are connected to Cloudflare using the device agent, which allows them to filter traffic to the SaaS application and prevent downloads of protected data) -* Centralize SSO applications to Cloudflare and create one SSO integration from Cloudflare to their IdP — making both infrastructure and access policies SSO-agnostic (e.g. users can allow access to critical applications only when MFA is used, no matter which IdP is used to authenticate) +- Apply consistent access policies across both self-hosted and SaaS applications +- Layer device security posture into the authentication process (e.g. users can ensure that only managed devices, running the latest operating system and passing all endpoint security checks, are able to access SaaS applications) +- Ensure that certain network routes are used for access (e.g. users can require that devices are connected to Cloudflare using the device agent, which allows them to filter traffic to the SaaS application and prevent downloads of protected data) +- Centralize SSO applications to Cloudflare and create one SSO integration from Cloudflare to their IdP — making both infrastructure and access policies SSO-agnostic (e.g. 
users can allow access to critical applications only when MFA is used, no matter which IdP is used to authenticate) When Cloudflare acts as the SSO service to an application, user authentication is still handled by an organization's existing identity provider, but is proxied via Cloudflare, where additional access restrictions can be applied. The diagram below is a high-level example of a typical request flow: 
@@ -205,17 +205,17 @@ The last method of connecting SaaS applications to Cloudflare's SASE architectur Native integration with the Cloudflare [data loss prevention](https://www.cloudflare.com/learning/access-management/what-is-dlp/) (DLP) service enables CASB to scan for sensitive or regulated data that may be stored in files with incorrect permissions — further risking leaks or unauthorized access. CASB reports findings that alert IT teams to items such as: -* Administrative accounts without adequate MFA -* Company-sensitive data in files stored with public access permissions -* Missing application configurations (e.g. domains missing SPF/DMARC records) +- Administrative accounts without adequate MFA +- Company-sensitive data in files stored with public access permissions +- Missing application configurations (e.g. domains missing SPF/DMARC records) #### Checkpoint: Connecting applications to Cloudflare Now, this is what the architecture of a typical organization might look like once they have integrated with Cloudflare services. 
It is important to note that Cloudflare is designed to secure organizations' existing applications and services in the following ways: -* All self-hosted applications and services are only accessible through Cloudflare and controlled by policies defined by the Cloudflare ZTNA -* SaaS application traffic is filtered and secured via the Cloudflare SWG -* SaaS services are scanned via the Cloudflare CASB to check for configuration and permissions of data at rest +- All self-hosted applications and services are only accessible through Cloudflare and controlled by policies defined by the Cloudflare ZTNA +- SaaS application traffic is filtered and secured via the Cloudflare SWG +- SaaS services are scanned via the Cloudflare CASB to check for configuration and permissions of data at rest ![Access to all applications is now only available via Cloudflare.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-9.svg) 
@@ -225,11 +225,11 @@ Once an organization's applications and services have been integrated, it is tim When all traffic flows through Cloudflare, SASE services perform the following actions: -* Granting application access -* Filtering general Internet-bound traffic (e.g. blocking access to sites that host malware) -* Isolating web sites to protect users from day-zero or unknown harmful Internet content -* Filtering traffic to identify data defined by DLP policies — then blocking the download/upload of that data to insecure devices or applications -* Providing visibility into the use of non-approved applications and allowing admins to either block or apply policies around their use +- Granting application access +- Filtering general Internet-bound traffic (e.g. blocking access to sites that host malware) +- Isolating web sites to protect users from day-zero or unknown harmful Internet content +- Filtering traffic to identify data defined by DLP policies — then blocking the download/upload of that data to insecure devices or applications +- Providing visibility into the use of non-approved applications and allowing admins to either block or apply policies around their use There are several approaches for connecting networks to Cloudflare, which can provide further flexibility in how an organization provides access to SASE-protected resources: 
@@ -293,10 +293,10 @@ There may also be situations where network-layer encryption is not necessary — Organizations may also connect their network locations directly to the Cloudflare network via [Cloudflare Network Interconnect](https://www.cloudflare.com/network-services/products/network-interconnect/) (CNI). Cloudflare [supports a variety of options](/network-interconnect/about) to connect your network to Cloudflare: -* Express CNI for Magic WAN and Magic Transit -* Classic CNI for Magic Transit -* Cloud CNI for Magic WAN and Magic Transit -* Peering via either an internet exchange, or a private network interconnect (PNI). +- Express CNI for Magic WAN and Magic Transit +- Classic CNI for Magic Transit +- Cloud CNI for Magic WAN and Magic Transit +- Peering via either an internet exchange, or a private network interconnect (PNI). The following table summarizes the different methods of connecting networks to Cloudflare: 
@@ -312,17 +312,23 @@ Each of these methods of connecting and routing traffic can be deployed concurre Note the following traffic flows: -* All traffic connected via a WARP Connector or device agent can communicate with each other over the mesh network - * Developers working from home can communicate with the production and staging servers in the cloud - * The employee in the retail location, as well as the developer at home, can receive VOIP calls on their laptop -* A HPC Cluster in AWS represents a proprietary solution in which no third-party software agents can be installed; as a result, it uses an IPsec connection to Magic WAN -* In the retail location, the Magic WAN Connector routes all traffic to Cloudflare via an IPsec tunnel - * An employee's laptop running the device agent creates its own secure connection to Cloudflare that is routed over the IPsec tunnel -* The application owner of the reporting system maintains a connection to Cloudflare using `cloudflared` and doesn't require any networking help to expose their application to employees +- All traffic connected via a WARP Connector or device agent can communicate with each other over the mesh network + - Developers working from home can communicate with the production and staging servers in the cloud + - The employee in the retail location, as well as the developer at home, can receive VOIP calls on their laptop +- A HPC Cluster in AWS represents a proprietary solution in which no third-party software agents can be installed; as a result, it uses an IPsec connection to Magic WAN +- In the retail location, the Magic WAN Connector routes all traffic to Cloudflare via an IPsec tunnel + - An employee's laptop running the device agent creates its own secure connection to Cloudflare that is routed over the IPsec tunnel +- The application owner of the reporting system maintains a connection to Cloudflare using `cloudflared` and doesn't require any networking help to expose their application to employees 
![Connecting and routing traffic can be created using various methods such as Cloudflare Network Interconnect, IPSEC tunnels, WARP Connector and cloudflared.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-14.svg) -*Note: All of the endpoints connected via the WARP Connector or device agent are automatically assigned IP addresses from the 100.96.0.0/12 address range, while endpoints connected to Magic WAN retain their assigned RFC1918 private IP addresses. `cloudflared` can be deployed in any of the locations by an application owner to provide hostname-based connectivity to the application.* + + *Note: All of the endpoints connected via the WARP Connector or device agent + are automatically assigned IP addresses from the 100.96.0.0/12 address range, + while endpoints connected to Magic WAN retain their assigned RFC1918 private + IP addresses. `cloudflared` can be deployed in any of the locations by an + application owner to provide hostname-based connectivity to the application.* + Once the networks, applications, and user devices are connected to Cloudflare — regardless of the connection methods and devices used — all traffic can be inspected, authenticated, and filtered by the Cloudflare SASE services, then securely routed to their intended destinations. Additionally, consistent policies can be applied across all traffic, no matter how it arrives at Cloudflare. 
@@ -338,10 +344,10 @@ The previous sections explain using ZTNA to secure access to self-hosted applica There are several approaches to ensure that traffic from a user device which isn't connected to an existing Cloudflare protected network, are also forwarding traffic through Cloudflare and be protected. -* [Install an agent on the device](#connecting-with-a-device-agent) -* [Modify browser proxy configuration](#browser-proxy-configuration) -* [Direct the user to a remote browser instance](#using-remote-browser-instances) -* [Modify DNS configuration](#agentless-dns-filtering) +- [Install an agent on the device](#connecting-with-a-device-agent) +- [Modify browser proxy configuration](#browser-proxy-configuration) +- [Direct the user to a remote browser instance](#using-remote-browser-instances) +- [Modify DNS configuration](#agentless-dns-filtering) #### Connecting with a device agent @@ -349,10 +355,10 @@ The preferred method of ensuring device traffic is forwarded to Cloudflare is to To allow for flexibility in how different devices and users connect, there are multiple [deployment modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/): -* A full L4 traffic proxy -* L7 DNS proxy -* L7 HTTP proxy -* The ability to just collect device posture information +- A full L4 traffic proxy +- L7 DNS proxy +- L7 HTTP proxy +- The ability to just collect device posture information For example, organizations might have an office that continues to use an existing [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) service, so they can configure the agent to just proxy network and HTTP traffic. 
@@ -370,14 +376,14 @@ When it is not possible to install software on the device, there are agentless a One option is to configure the browser to forward HTTP requests to Cloudflare by configuring proxy server details in the browser or OS. Although this can be done manually, it is more common for organizations to automate the configuration of browser proxy settings using Internet-hosted [Proxy Auto-Configuration](/cloudflare-one/connections/connect-devices/agentless/pac-files/) (PAC) files. The browser identifies the PAC file location in several ways: -* MDM software configuring the setting in the browser -* In Windows domains, Group Policy Objects (GPO) can configure the browser's PAC file -* Browsers can use [Web Proxy Auto-Discovery](https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01) (WPAD) +- MDM software configuring the setting in the browser +- In Windows domains, Group Policy Objects (GPO) can configure the browser's PAC file +- Browsers can use [Web Proxy Auto-Discovery](https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01) (WPAD) From there, configure a proxy endpoint where the browser will send all HTTP requests to. If using this method, please note that: -* Filtering HTTPS traffic will also require [installing and trusting Cloudflare root certificates](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on the devices. -* A proxy endpoint will only proxy traffic sourced from a set of known IP addresses, such as the pool of public IP addresses used by a site's NAT gateway, that the administrator must specify. +- Filtering HTTPS traffic will also require [installing and trusting Cloudflare root certificates](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on the devices. +- A proxy endpoint will only proxy traffic sourced from a set of known IP addresses, such as the pool of public IP addresses used by a site's NAT gateway, that the administrator must specify. 
#### Using remote browser instances 
@@ -387,16 +393,16 @@ RBI renders the received content in an isolated and secure cloud environment. In Ensuring access to sites is protected with RBI does not require any local software installation or reconfiguring the user's browser. Below are [several ways](/cloudflare-one/policies/browser-isolation/setup/) to accomplish this: -* Typically, a remote browser session is started as the result of an SWG policy — the user just requests websites without being notified that the content is loading in a remote browser. -* Organizations can also provide users with a link that automatically ensures RBI always processes each request. -* Organizations can also opt to use the ZTNA service to redirect all traffic from self-hosted applications via RBI instances. +- Typically, a remote browser session is started as the result of an SWG policy — the user just requests websites without being notified that the content is loading in a remote browser. +- Organizations can also provide users with a link that automatically ensures RBI always processes each request. +- Organizations can also opt to use the ZTNA service to redirect all traffic from self-hosted applications via RBI instances. All requests via a remote browser pass through the Cloudflare SWG; therefore, policies can enforce certain website access limitations. For instance, browser isolation policies can be established to: -* Disable copy/paste between a remote web page and the user's local machine; this can prevent the employee from pasting proprietary code into third-party chatbots. -* Disable printing of remote web content to prevent contractors from printing confidential information -* Disable file uploads/downloads to ensure sensitive company data is not sent to — or downloaded from — certain websites. -* Disable keyboard input (in combination with other policies) to limit data being exposed, such as someone typing in passwords to a phishing site. 
+- Disable copy/paste between a remote web page and the user's local machine; this can prevent the employee from pasting proprietary code into third-party chatbots. +- Disable printing of remote web content to prevent contractors from printing confidential information +- Disable file uploads/downloads to ensure sensitive company data is not sent to — or downloaded from — certain websites. +- Disable keyboard input (in combination with other policies) to limit data being exposed, such as someone typing in passwords to a phishing site. Isolating web applications and applying policies to risky websites helps organizations limit data loss from cyber threats or user error. And, like many Cloudflare One capabilities, RBI can be leveraged across other areas of the SASE architecture. Cloudflare's [email security](https://www.cloudflare.com/learning/email-security/what-is-email-security/) service, for example, can automatically rewrite and isolate suspicious links in emails. This "email link isolation" capability helps protect the user from potential malicious activity such as credential harvesting phishing. @@ -412,8 +418,6 @@ All of the above methods result in only the DNS requests — not all traffic — The following table summarizes SWG capabilities for the various methods of forwarding traffic to Cloudflare (as of Oct 2023): - - | | IP tunnel or Interconnect (Magic WAN) | Device Agent (WARP)\*1 | Remote Browser | Browser proxy | DNS proxy | | ------------------------------ | ------------------------------------- | --------------------------------- | -------------- | ------------- | ---------------- | | Types of traffic forwarded | TCP/UDP | TPC/UDP | HTTP | HTTP | DNS | 
@@ -428,8 +432,6 @@ The following table summarizes SWG capabilities for the various methods of forwa | Remote browser isolation | Yes | Yes | Yes | Yes | N/A | | Enforce egress IP | Yes | Yes | Yes | Yes | N/A | - - Notes: 1. Running the device agent in DNS over HTTP mode provides user identity information, in addition to the same capabilities as connecting via DNS. 
@@ -454,13 +456,13 @@ But, before organizations define policies to manage that access, they need to kn The first step in any access decision is to determine who is making the request – i.e., to authenticate the user. -Cloudflare integrates with identity providers that manage secure access to resources for organizations' employees, contractors, partners, and other users. This includes support for integrations with any [SAML](/cloudflare-one/identity/idp-integration/generic-saml/) - or OpenID Connect ([OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/)) - compliant service; Cloudflare One also includes pre-built integrations with [Okta](/cloudflare-one/identity/idp-integration/okta/), [Microsoft Azure AD](/cloudflare-one/identity/idp-integration/azuread/), [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/), as well as consumer IdPs such as [Facebook](/cloudflare-one/identity/idp-integration/facebook-login/), [GitHub](/cloudflare-one/identity/idp-integration/github/) and [LinkedIn](/cloudflare-one/identity/idp-integration/linkedin/). +Cloudflare integrates with identity providers that manage secure access to resources for organizations' employees, contractors, partners, and other users. This includes support for integrations with any [SAML](/cloudflare-one/identity/idp-integration/generic-saml/) - or OpenID Connect ([OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/)) - compliant service; Cloudflare One also includes pre-built integrations with [Okta](/cloudflare-one/identity/idp-integration/okta/), [Microsoft Entra ID (formerly Azure Active Directory)](/cloudflare-one/identity/idp-integration/entra-id/), [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/), as well as consumer IdPs such as [Facebook](/cloudflare-one/identity/idp-integration/facebook-login/), [GitHub](/cloudflare-one/identity/idp-integration/github/) and [LinkedIn](/cloudflare-one/identity/idp-integration/linkedin/). 
Multiple IdPs can be integrated, allowing organizations to apply policies to a wide range of both internal and external users. When a user attempts to access a Cloudflare secured application or service, they are redirected to authenticate via one of the integrated IdPs. When using the device agent, users must also authenticate to one of their organization's configured IdPs. ![Users are presented with a list of integrated identity providers before accessing protected applications.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-18.svg) -Once a user is authenticated, Cloudflare receives that user's information, such as username, group membership, authentication method (password, whether MFA was involved and what type), and other associated attributes (i.e., the user's role, department, or office location). This information from the IdP is then made available to the policy engine. +Once a user is authenticated, Cloudflare receives that user's information, such as username, group membership, authentication method (password, whether MFA was involved and what type), and other associated attributes (i.e., the user's role, department, or office location). This information from the IdP is then made available to the policy engine. In addition to user identities, most corporate directories also contain groups to which those identities are members. Cloudflare supports the importing of group information, which is then used as part of the policy. Group membership is a critical part of aggregating single identities so that policies can be less complex. It is far easier — for example — to set a policy allowing all employees in the sales department to access Salesforce, than to identify each user in the sales organization. 
@@ -472,14 +474,14 @@ Not only does the user identity need to be verified, but the security posture of The following built-in posture checks are available: -* [Application check](/cloudflare-one/identity/devices/warp-client-checks/application-check/): Checks that a specific application process is running -* [File check](/cloudflare-one/identity/devices/warp-client-checks/file-check/): Checks for the presence of a file -* [Firewall](/cloudflare-one/identity/devices/warp-client-checks/firewall/): Checks if a firewall is running -* [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/): Checks if/how many disks are encrypted -* [Domain joined](/cloudflare-one/identity/devices/warp-client-checks/domain-joined/): Checks if the device is joined to a Microsoft Active Directory domain -* [OS version](/cloudflare-one/identity/devices/warp-client-checks/os-version/): Checks what version of the OS is running -* [Unique Client ID](/cloudflare-one/identity/devices/warp-client-checks/device-uuid/): When using an MDM too, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device -* [Device serial number](/cloudflare-one/identity/devices/warp-client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers +- [Application check](/cloudflare-one/identity/devices/warp-client-checks/application-check/): Checks that a specific application process is running +- [File check](/cloudflare-one/identity/devices/warp-client-checks/file-check/): Checks for the presence of a file +- [Firewall](/cloudflare-one/identity/devices/warp-client-checks/firewall/): Checks if a firewall is running +- [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/): Checks if/how many disks are encrypted +- [Domain joined](/cloudflare-one/identity/devices/warp-client-checks/domain-joined/): Checks if the device is joined to a Microsoft Active Directory domain +- [OS 
version](/cloudflare-one/identity/devices/warp-client-checks/os-version/): Checks what version of the OS is running +- [Unique Client ID](/cloudflare-one/identity/devices/warp-client-checks/device-uuid/): When using an MDM too, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device +- [Device serial number](/cloudflare-one/identity/devices/warp-client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/identity/devices/service-providers/microsoft/), [Tanium](/cloudflare-one/identity/devices/access-integrations/tanium/), [Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/), [CrowdStrike](/cloudflare-one/identity/devices/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/identity/devices/warp-client-checks/sentinel-one/), and more. Any data from those products can be passed to Cloudflare for use in access decisions. 
@@ -495,8 +497,8 @@ Cloudflare's email security service scans for signs of malicious content or atta Instead of deploying tunnels to manage and control traffic to email servers, Cloudflare provides two methods of email security [setup](/email-security/deployment/): -* [Inline](/email-security/deployment/inline/): Redirect all inbound email traffic through Cloudflare before they reach a user's inbox by modifying MX records -* [API](/email-security/deployment/api/): Integrate Cloudflare directly with an email provider such as Microsoft 365 or Gmail +- [Inline](/email-security/deployment/inline/): Redirect all inbound email traffic through Cloudflare before they reach a user's inbox by modifying MX records +- [API](/email-security/deployment/api/): Integrate Cloudflare directly with an email provider such as Microsoft 365 or Gmail Modifying MX records (inline deployment) forces all inbound email traffic through our cloud email security service where it is scanned, and — if found to be malicious — blocked from reaching a user's inbox. Because the service works at the MX record level, it is possible to use the email security service with any [SMTP-compliant](https://www.cloudflare.com/learning/email-security/what-is-smtp/) email service. 
@@ -520,7 +522,7 @@ Now that all users, devices, applications, networks, and other components are se Before we go into the details of how policies can be written to manage access to applications, services, and networks connected to Cloudflare, it's worth taking a look at the two main enforcement points in Cloudflare's SASE platform that control access: SWG and the ZTNA services. These services are configured through a single administrative dashboard, simplifying policy management across the entire SASE deployment. -The following diagram illustrates the flow of a request through these services, including the application of policies and the source of data for these policies. In the diagram below, the user request can either enter through the SWG or ZTNA depending on the type of service requested. It's also possible to combine both services, such as implementing a SWG HTTP policy that uses DLP service to inspect traffic related to a privately hosted application behind a ZTNA Cloudflare Tunnel. This configuration enables organizations to block downloads of sensitive data from internal applications that organizations have authorized for external access. +The following diagram illustrates the flow of a request through these services, including the application of policies and the source of data for these policies. In the diagram below, the user request can either enter through the SWG or ZTNA depending on the type of service requested. It's also possible to combine both services, such as implementing a SWG HTTP policy that uses DLP service to inspect traffic related to a privately hosted application behind a ZTNA Cloudflare Tunnel. This configuration enables organizations to block downloads of sensitive data from internal applications that organizations have authorized for external access. ![User requests to the Internet or self hosted applications go through our SWG and/or ZTNA service. 
Administrators have a single dashboard to manage policies across both.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-23.svg)
@@ -534,12 +536,12 @@ Cloudflare's vast intelligent network continually monitors billions of web asset Additionally, Cloudflare's SWG offers the flexibility to create and maintain customized [lists of data](/cloudflare-one/policies/gateway/lists/). These lists can be uploaded via CSV files, manually maintained, or integrated with other processes and applications using the Cloudflare API. A list can contain the following data:
-* URLs
-* Hostnames
-* Serial numbers (macOS, Windows, Linux)
-* Emails
-* IP addresses
-* Device IDs (iOS, Android)
+- URLs
+- Hostnames
+- Serial numbers (macOS, Windows, Linux)
+- Emails
+- IP addresses
+- Device IDs (iOS, Android) For example, organizations can maintain a list of IP addresses of all remote office locations, of short term contractors' email addresses, or trusted company domains. These lists can be used in a policy to allow contractors access to a specific application if their traffic is coming from a known office IP address.
@@ -583,24 +585,24 @@ In this example, consider two services: a database administration application ([ The policies that enable access rely on two Access Groups. -* Contractors - * Users who authenticate through Okta and are part of the Okta group labeled "Contractors" - * Authentication requires the use of a hardware token -* Database and IT administrators - * Users who authenticate through Okta and are in the Okta groups "IT administrators" or "Database administrators" - * Authentication requires the use of a hardware token - * Users should be on a device with a serial number in the "Managed Devices" list +- Contractors + - Users who authenticate through Okta and are part of the Okta group labeled "Contractors" + - Authentication requires the use of a hardware token +- Database and IT administrators + - Users who authenticate through Okta and are in the Okta groups "IT administrators" or "Database administrators" + - Authentication requires the use of a hardware token + - Users should be on a device with a serial number in the "Managed Devices" list Both of these groups are then used in two different access policies. 
-* Database administration tool access - * Database and IT admins are allowed access - * Members of the "Contractor" access group are allowed access, but each authenticated session requires the user to complete a justification request - * The admin tool is rendered in an isolated browser on Cloudflare's Edge network and file downloads are disabled -* Database server SSH access - * "Database and IT administrators" group is allowed access - * Their device must pass a Crowdstrike risk score of at least 80 - * Access must come from a device that is running our device agent and is connected to Cloudflare +- Database administration tool access + - Database and IT admins are allowed access + - Members of the "Contractor" access group are allowed access, but each authenticated session requires the user to complete a justification request + - The admin tool is rendered in an isolated browser on Cloudflare's Edge network and file downloads are disabled +- Database server SSH access + - "Database and IT administrators" group is allowed access + - Their device must pass a Crowdstrike risk score of at least 80 + - Access must come from a device that is running our device agent and is connected to Cloudflare These policies show that contractors are only allowed access to the database administration tool and do not have SSH access to the server. IT and database administrators can access the SSH service only when their devices are securely connected to Cloudflare via the device agent. Every element of the access groups and policies is evaluated for every login, so an IT administrator using a compromised laptop or a contractor unable to authenticate with a hardware token will be denied access. 
@@ -618,8 +620,8 @@ This can then be applied to secure and protect all users in one policy. Cloudfla With this setup, every request to a social media website ensures the following security measures:
-* Any content on the social media website that contains harmful code is prevented from executing on the local device
-* External users are restricted from downloading content from the site that could potentially be infected with malware or spyware
+- Any content on the social media website that contains harmful code is prevented from executing on the local device
+- External users are restricted from downloading content from the site that could potentially be infected with malware or spyware #### Data protection for regulatory compliance
@@ -665,7 +667,7 @@ It's worth noting that many of the capabilities described in this document can b | Zero Trust Network Access | [How to build Access policies](/cloudflare-one/policies/access/) | | Remote Browser Isolation | [Understanding browser isolation](/cloudflare-one/policies/browser-isolation/) | | API-Driven CASB | [Scanning SaaS applications](/cloudflare-one/applications/scan-apps/) |
-| Email Security | [Understanding Cloudflare Email Security](/email-security/) |
+| Email Security | [Understanding Cloudflare Email Security](/email-security/) | | Replacing your VPN | [Using Cloudflare to replace your VPN](/learning-paths/replace-vpn/) | If you would like to discuss your SASE requirements in greater detail and connect with one of our architects, please visit [https://www.cloudflare.com/cloudflare-one/](https://www.cloudflare.com/cloudflare-one/) and request a consultation.
diff --git a/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx b/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx
index 4c2134221130f3..dcc19cd924adb2 100644
--- a/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx
+++ b/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx
@@ -1,7 +1,6 @@
 --- pcx_content_type: concept title: 3rd-party integration guide - --- ## Purpose
@@ -12,7 +11,7 @@ The purpose of a 3rd-party integration guide is to explain how to use a 3rd-part instructional, straightforward
-## content\_type
+## content_type `integration-guide`
@@ -44,10 +43,9 @@ Link out for basic concepts (Regex, JavaScript, web server maintenance). :::caution - Step-by-step instructions of 3rd-party environments are discouraged generally, but acceptable in certain situations. General preference is to link back to an article that someone else maintains.
-They easily become out-of-date, especially if we can not access the 3rd-party product
+They easily become out-of-date, especially if we can not access the 3rd-party product ::: [**Links**](/style-guide/documentation-content-strategy/component-attributes/links/): May be a bulleted list that references the 3rd-party product or in-text links to the 3rd-party process documentation.
@@ -68,10 +66,9 @@ Link to reputable sources within reason. :::note - Screenshots of the 3rd-party product are highly discouraged. It has all the problems of video or screenshot maintenance, but with a much greater risk that something changes and we are not aware of it.
-It may become a bigger problem if we can not access the 3rd-party product.
+It may become a bigger problem if we can not access the 3rd-party product. ::: ## Templates
@@ -138,17 +135,17 @@ Prerequisites **3rd-party integration in the Cloudflare dashboard**: -* [Enable Logpush to Sumo Logic](/logs/get-started/enable-destinations/sumo-logic/) -* [Device Posture - Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/) +- [Enable Logpush to Sumo Logic](/logs/get-started/enable-destinations/sumo-logic/) +- [Device Posture - Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/) **Linking to external documentation**: -* [GitHub SMS notifications using Twilio](/workers/tutorials/github-sms-notifications-using-twilio/#sending-a-text-with-twilio) +- [GitHub SMS notifications using Twilio](/workers/tutorials/github-sms-notifications-using-twilio/#sending-a-text-with-twilio) (Discouraged but acceptable scenario) **How to with instructions in 3rd-party environment and within Cloudflare dashboard**: -* [IDP integration - Microsoft Azure AD](/cloudflare-one/identity/idp-integration/azuread/) -* [Managed deployment - Partners - Jamf](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/jamf/) +- [IDP integration - Microsoft Entra ID (formerly Azure Active Directory)](/cloudflare-one/identity/idp-integration/entra-id/) +- [Managed deployment - Partners - Jamf](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/jamf/) ### Additional information @@ -160,6 +157,6 @@ We publish with the expectation of maintenance. If you want to publish something ### Products where we frequently see 3rd-party information -* [Workers](/workers/tutorials/) -* [Zero Trust](/cloudflare-one/identity/idp-integration/) -* [Analytics](/analytics/analytics-integrations/) +- [Workers](/workers/tutorials/) +- [Zero Trust](/cloudflare-one/identity/idp-integration/) +- [Analytics](/analytics/analytics-integrations/) 
diff --git a/src/content/partials/cloudflare-one/access/idp-integration.mdx b/src/content/partials/cloudflare-one/access/idp-integration.mdx
index 1b186cebea3879..83797bc7d10c9a 100644
--- a/src/content/partials/cloudflare-one/access/idp-integration.mdx
+++ b/src/content/partials/cloudflare-one/access/idp-integration.mdx
@@ -1,6 +1,5 @@
 --- {} - --- 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
diff --git a/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx b/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx
index e274346e69f203..b01254af5649c3 100644
--- a/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx
+++ b/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx
@@ -1,7 +1,6 @@
 --- {} - ---
-* [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/azuread/) (formerly known as Azure AD)
-* [Okta](/cloudflare-one/identity/idp-integration/okta/)
+- [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/) (formerly known as Azure AD)
+- [Okta](/cloudflare-one/identity/idp-integration/okta/)
From 9456636c705dfe27a86cf6894afa8d401da232f2 Mon Sep 17 00:00:00 2001
From: Simon Thorpe Date: Mon, 23 Sep 2024 15:06:27 -0700 Subject: [PATCH 27/54] Updating titles, nav and update dates (#16963) * Updating titles, nav and update dates * Changing tabs to spaces! * Fixing tabs in Microsoft SASE doc * Update extending-cloudflares-benefits-to-saas-providers-end-customers.mdx Minor change to title --------- Co-authored-by: Claire Waters --- .../architectures/cdn.mdx | 61 ++++---- .../cloudflare-sase-with-microsoft.mdx | 13 +- .../architectures/load-balancing.mdx | 9 +- .../architectures/magic-transit.mdx | 65 ++++---- .../architectures/multi-vendor.mdx | 84 +++++----- .../architectures/sase.mdx | 12 ++ .../architectures/security.mdx | 26 +++- ...nefits-to-saas-providers-end-customers.mdx | 83 +++++----- .../design-guides/network-vpn-migration.mdx | 86 ++++++----- .../secure-application-delivery.mdx | 24 +-- .../design-guides/zero-trust-for-startups.mdx | 143 +++++++++--------- .../diagrams/ai/ai-asset-creation.mdx | 26 ++-- .../diagrams/ai/ai-composable.mdx | 22 ++- .../ai-multivendor-observability-control.mdx | 20 ++- .../diagrams/ai/ai-rag.mdx | 14 +- .../diagrams/ai/ai-video-caption.mdx | 12 +- ...-with-cloudflare-image-resizing-and-r2.mdx | 31 ++-- ...networks-with-cloudflare-magic-transit.mdx | 30 ++-- .../protecting-sp-networks-from-ddos.mdx | 8 +- .../sase-clientless-access-private-dns.mdx | 17 ++- .../security/securing-data-at-rest.mdx | 13 +- .../security/securing-data-in-transit.mdx | 22 ++- .../security/securing-data-in-use.mdx | 16 +- .../serverless/a-b-testing-using-workers.mdx | 5 +- .../serverless/fullstack-application.mdx | 6 +- .../diagrams/serverless/serverless-etl.mdx | 5 +- .../serverless/serverless-global-apis.mdx | 5 +- .../serverless-image-content-management.mdx | 10 +- .../egress-free-storage-multi-cloud.mdx | 11 +- .../on-demand-object-storage-migration.mdx | 10 +- 30 files changed, 462 insertions(+), 427 deletions(-) 
diff --git a/src/content/docs/reference-architecture/architectures/cdn.mdx b/src/content/docs/reference-architecture/architectures/cdn.mdx
index abd11002b5bbd8..cb899cc1e7f0a1 100644
--- a/src/content/docs/reference-architecture/architectures/cdn.mdx
+++ b/src/content/docs/reference-architecture/architectures/cdn.mdx
@@ -1,15 +1,16 @@
 ---
-title: Content Delivery Network (CDN)
+title: Content Delivery Network (CDN) Reference Architecture
 pcx_content_type: reference-architecture
+products:
+ - Cache
+ - CDN
 sidebar:
 order: 1
-head:
- - tag: title
- content: "Reference Architecture: Cloudflare Content Delivery Network (CDN)"
-
+ label: Content Delivery Network (CDN)
+updated: 2022-12-02
 ---
-import { Render } from "~/components"
+import { Render } from "~/components"; ## Introduction
@@ -23,14 +24,14 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo -* What is a CDN? | [Website](https://www.cloudflare.com/learning/cdn/what-is-a-cdn/) (5 minute read) -* Analyst Report: [Cloudflare named Leader in 2024 GigaOm Radar for Content Delivery Networks](https://www.cloudflare.com/lp/gigaom-radar-cdn/) (20 minute read) +- What is a CDN? | [Website](https://www.cloudflare.com/learning/cdn/what-is-a-cdn/) (5 minute read) +- Analyst Report: [Cloudflare named Leader in 2024 GigaOm Radar for Content Delivery Networks](https://www.cloudflare.com/lp/gigaom-radar-cdn/) (20 minute read) Those who read this reference architecture will learn: -* How Cloudflare CDN can significantly improve the delivery of content to your customers -* How anycast IP routing is important in ensuring reliable CDN performance -* The range of tiered caching options and how to choose the one for your needs +- How Cloudflare CDN can significantly improve the delivery of content to your customers +- How anycast IP routing is important in ensuring reliable CDN performance +- The range of tiered caching options and how to choose the one for your needs ## Traditional challenges deploying web applications 
@@ -49,11 +50,11 @@ The servers hosting the websites are called origin servers. When clients access Enhancements in HTTP/2 and HTTP/3 allow for multiplexing multiple requests to the same server over a single TCP connection, thus saving server resources. However, compute and network resources are still consumed as servers respond to these requests. As more clients access the website, the following can result: -* The origin server starts to become overloaded with requests, impacting availability; companies start looking at scaling out to handle the additional load -* As each request has to make its way to the origin server, performance and user experience is impacted due to latency -* The latency for end users becomes proportional to the distance between the client and origin server, thus resulting in varying experiences based on client location. This is especially true for specific countries that may experience latency due to traffic from or to that country, like China. -* As origin servers respond to the increasing requests, bandwidth, egress, and compute costs increase drastically -* Even as customers scale out to handle the increased demand in traffic, they are left exposed to both infrastructure-level and application-level distributed denial-of-service (DDoS) attacks +- The origin server starts to become overloaded with requests, impacting availability; companies start looking at scaling out to handle the additional load +- As each request has to make its way to the origin server, performance and user experience is impacted due to latency +- The latency for end users becomes proportional to the distance between the client and origin server, thus resulting in varying experiences based on client location. This is especially true for specific countries that may experience latency due to traffic from or to that country, like China. 
+- As origin servers respond to the increasing requests, bandwidth, egress, and compute costs increase drastically +- Even as customers scale out to handle the increased demand in traffic, they are left exposed to both infrastructure-level and application-level distributed denial-of-service (DDoS) attacks In Figure 1 below, there is no CDN present and there is an origin server sitting in the US. As clients access the website, the first step is DNS resolution, typically done by the user’s ISP. The next step is the HTTP request sent directly to the origin server. The user experience will vary depending on their location. For example, you can see the latency is much lower for users in the US, where the origin server is located. For users outside the US, the latency increases, thus resulting in a higher round-trip time (RTT). 
@@ -73,13 +74,13 @@ CDNs decrease latency and increase performance by having many data center locati ### Impacts -* **Improved website load time**: Instead of every client making a request to the origin server, which could be located a considerable distance away, the request is routed to a local server that responds with cached content, thus decreasing latency and increasing overall performance. Regardless of where the origin server and clients are located, performance will be more consistent for all users, as the CDN will serve locally cached content when possible. +- **Improved website load time**: Instead of every client making a request to the origin server, which could be located a considerable distance away, the request is routed to a local server that responds with cached content, thus decreasing latency and increasing overall performance. Regardless of where the origin server and clients are located, performance will be more consistent for all users, as the CDN will serve locally cached content when possible. -* **Increased content availability and redundancy:** Because every client request no longer needs to be sent to the origin server, CDNs provide not only performance benefits, but also availability and redundancy. Requests are load balanced over local servers with cached content; these servers respond to local requests, significantly decreasing overall load on the origin server. The origin server only is contacted when needed (when content is not cached or for dynamic non-cacheable content). +- **Increased content availability and redundancy:** Because every client request no longer needs to be sent to the origin server, CDNs provide not only performance benefits, but also availability and redundancy. Requests are load balanced over local servers with cached content; these servers respond to local requests, significantly decreasing overall load on the origin server. 
The origin server only is contacted when needed (when content is not cached or for dynamic non-cacheable content). -* **Improved website security:** A CDN acts as a reverse proxy and sits in front of origin servers. Thus it can provide enhanced security such as DDoS mitigation, improvements to security certificates, and other optimizations. +- **Improved website security:** A CDN acts as a reverse proxy and sits in front of origin servers. Thus it can provide enhanced security such as DDoS mitigation, improvements to security certificates, and other optimizations. -* **Reduced bandwidth costs:** Because CDNs use cached content to respond to requests, the number of requests sent to the origin server is reduced, thus also reducing associated bandwidth costs. +- **Reduced bandwidth costs:** Because CDNs use cached content to respond to requests, the number of requests sent to the origin server is reduced, thus also reducing associated bandwidth costs. ### Routing requests to CDN nodes 
@@ -99,9 +100,9 @@ The Cloudflare CDN, which is discussed in more detail in the next section, uses Using an anycast-based CDN has several advantages: -* Incoming traffic is routed to the nearest data center with the capacity to process the requests efficiently. -* Availability and redundancy is inherently provided. Since multiple nodes have the same IP address, if one node were to fail, requests are simply routed to another node in close proximity. -* Because anycast distributes traffic across multiple data centers, it increases the overall surface area, thus preventing any one location from becoming overwhelmed with requests. For this reason, anycast networks are very resilient to DDoS attacks. +- Incoming traffic is routed to the nearest data center with the capacity to process the requests efficiently. +- Availability and redundancy is inherently provided. Since multiple nodes have the same IP address, if one node were to fail, requests are simply routed to another node in close proximity. +- Because anycast distributes traffic across multiple data centers, it increases the overall surface area, thus preventing any one location from becoming overwhelmed with requests. For this reason, anycast networks are very resilient to DDoS attacks. ## Introducing the Cloudflare CDN 
@@ -124,12 +125,12 @@ Figure 3 is a view of the Cloudflare CDN on the global anycast network. In addit In the above diagram, there are a few important key points to understand about the Cloudflare CDN and the global anycast network it resides on: -* An important differentiator is that Cloudflare utilizes one global network and runs every service on every server in every Cloudflare data center, thus providing end users the closest proximity to Cloudflare’s services, with the highest scale, resiliency, and performance. -* Cloudflare is a reverse proxy, meaning it receives requests from clients and proxies the requests back to the customer’s origin servers. Thus, every request traverses through Cloudflare’s network before reaching the customer’s network. Since Cloudflare has hardened and protected its infrastructure at the edge (ingress), all customers are consequently also protected from infrastructure-level and volumetric DDoS attacks. Requests and traffic must go through the protected Cloudflare network before reaching the customer’s origin server. -* The Cloudflare CDN leverages the Cloudflare global anycast network. Thus the incoming request is routed to and answered by the node closest to the user. -* The inherent benefits of anycast are decreased latency, network resiliency, higher availability, and increased security due to larger surface area for absorbing both legitimate traffic loads and DDoS attacks. Cloudflare’s global anycast network spans [hundreds of cities worldwide](https://www.cloudflare.com/network/), reaching 95% of the world’s Internet-connected population within 50 milliseconds while providing over 280 Tbps of network capacity and DDoS protection capability. -* Edge nodes within the Cloudflare network cache content from the origin server and are able to respond to requests via a cached copy. 
Cloudflare also provides [DNS](/dns/), [DDoS protection](/ddos-protection/), [WAF](/waf/), and other performance, reliability, and security services using the same edge architecture. -* [Argo](/argo-smart-routing/) uses optimized routing and caching technology across the Cloudflare network to deliver responses to users more quickly, reliably, and securely. Argo includes Smart Routing and [Tiered Cache](/cache/how-to/tiered-cache/). Cloudflare leverages Argo to provide an enhanced CDN solution. +- An important differentiator is that Cloudflare utilizes one global network and runs every service on every server in every Cloudflare data center, thus providing end users the closest proximity to Cloudflare’s services, with the highest scale, resiliency, and performance. +- Cloudflare is a reverse proxy, meaning it receives requests from clients and proxies the requests back to the customer’s origin servers. Thus, every request traverses through Cloudflare’s network before reaching the customer’s network. Since Cloudflare has hardened and protected its infrastructure at the edge (ingress), all customers are consequently also protected from infrastructure-level and volumetric DDoS attacks. Requests and traffic must go through the protected Cloudflare network before reaching the customer’s origin server. +- The Cloudflare CDN leverages the Cloudflare global anycast network. Thus the incoming request is routed to and answered by the node closest to the user. +- The inherent benefits of anycast are decreased latency, network resiliency, higher availability, and increased security due to larger surface area for absorbing both legitimate traffic loads and DDoS attacks. Cloudflare’s global anycast network spans [hundreds of cities worldwide](https://www.cloudflare.com/network/), reaching 95% of the world’s Internet-connected population within 50 milliseconds while providing over 280 Tbps of network capacity and DDoS protection capability. 
+- Edge nodes within the Cloudflare network cache content from the origin server and are able to respond to requests via a cached copy. Cloudflare also provides [DNS](/dns/), [DDoS protection](/ddos-protection/), [WAF](/waf/), and other performance, reliability, and security services using the same edge architecture.
+- [Argo](/argo-smart-routing/) uses optimized routing and caching technology across the Cloudflare network to deliver responses to users more quickly, reliably, and securely. Argo includes Smart Routing and [Tiered Cache](/cache/how-to/tiered-cache/). Cloudflare leverages Argo to provide an enhanced CDN solution. ### Tiered Cache
@@ -230,10 +231,8 @@ When combined with Tiered Caching and Argo Smart Routing, Cache Reserve can be a :::note - Using [Image Resizing](/images/transform-images/) with Cache Reserve will not result in resized images being stored in Cache Reserve since Image Resizing takes place after reading from Cache Reserve. Resized images will be cached in other available tiers when they are served after resizing. - ::: ### Traffic flow: Cache Reserve topology
diff --git a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
index e359d3ca9e6af5..974fd93e0c692f 100644
--- a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
+++ b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
@@ -1,11 +1,16 @@
 ---
-title: Cloudflare SASE with Microsoft
+title: Reference Architecture using Cloudflare SASE with Microsoft
 pcx_content_type: reference-architecture
+products:
+ - Access
+ - Gateway
+ - CASB
+ - Email Security
 sidebar:
 order: 1
-head:
- - tag: title
- content: "Reference Architecture: Architecture using Cloudflare SASE with Microsoft"
+ label: Cloudflare SASE with Microsoft
+updated: 2024-13-06
+
 --- import { Render } from "~/components";
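Review bot: `updated: 2024-13-06` in the new cloudflare-sase-with-microsoft.mdx frontmatter is not a valid date — there is no month 13 — so whatever consumes this field (frontmatter schema validation or the rendered "updated" stamp) will either reject the page or show an invalid value. Every other file in this commit writes `updated` as YYYY-MM-DD, for example `updated: 2024-02-26` in load-balancing.mdx, so the intended value is presumably `updated: 2024-06-13`; confirm against the actual revision date before changing it.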
diff --git a/src/content/docs/reference-architecture/architectures/load-balancing.mdx b/src/content/docs/reference-architecture/architectures/load-balancing.mdx
index 80acd528b3617e..d3e5bab9a92a62 100644
--- a/src/content/docs/reference-architecture/architectures/load-balancing.mdx
+++ b/src/content/docs/reference-architecture/architectures/load-balancing.mdx
@@ -1,11 +1,12 @@
 ---
-title: Load Balancing
+title: Load Balancing Reference Architecture
 pcx_content_type: reference-architecture
+products:
+ - Load Balancing
 sidebar:
 order: 1
-head:
- - tag: title
- content: "Reference Architecture: Cloudflare Load Balancing Reference Architecture"
+ label: Load Balancing
+updated: 2024-02-26
 --- import { Render } from "~/components";
diff --git a/src/content/docs/reference-architecture/architectures/magic-transit.mdx b/src/content/docs/reference-architecture/architectures/magic-transit.mdx
index 40178bb044a3c9..cc1db1283c3ad5 100644
--- a/src/content/docs/reference-architecture/architectures/magic-transit.mdx
+++ b/src/content/docs/reference-architecture/architectures/magic-transit.mdx
@@ -1,15 +1,16 @@
 ---
-title: Magic Transit
+title: Magic Transit Reference Architecture
 pcx_content_type: reference-architecture
+products:
+ - Magic Transit
+ - Network Interconnect
 sidebar:
 order: 1
-head:
- - tag: title
- content: "Reference Architecture: Magic Transit"
-
+ label: Magic Transit
+updated: 2022-12-02
 ---
-import { Render } from "~/components"
+import { Render } from "~/components"; ## Introduction
@@ -23,28 +24,28 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo -* Blog: [Magic Transit makes your network smarter, better, stronger, and cheaper to operate](https://blog.cloudflare.com/magic-transit) (14 minute read) +- Blog: [Magic Transit makes your network smarter, better, stronger, and cheaper to operate](https://blog.cloudflare.com/magic-transit) (14 minute read) Those who read this reference architecture will learn: -* How Cloudflare Magic Transit protects your network infrastructure from denial of service attacks (DDoS) -* How to architecture Magic Transit into your existing network infrastructure +- How Cloudflare Magic Transit protects your network infrastructure from denial of service attacks (DDoS) +- How to architecture Magic Transit into your existing network infrastructure ## What Is Magic Transit? Protecting network infrastructure from DDoS attacks demands a unique combination of strength and speed. Volumetric attacks can easily overwhelm hardware boxes and their bandwidth-constrained Internet links. And most cloud-based solutions redirect traffic to centralized scrubbing centers, which impacts network performance significantly. -Cloudflare Magic Transit provides DDoS protection and traffic acceleration for on-premise, cloud, and hybrid networks. With data centers spanning [hundreds of cities](https://www.cloudflare.com/network/) and offering hundreds of Tbps in mitigation capacity, Magic Transit can detect and mitigate attacks close to their source of origin in under three seconds globally on average — all while routing traffic faster than the public Internet. +Cloudflare Magic Transit provides DDoS protection and traffic acceleration for on-premise, cloud, and hybrid networks. 
With data centers spanning [hundreds of cities](https://www.cloudflare.com/network/) and offering hundreds of Tbps in mitigation capacity, Magic Transit can detect and mitigate attacks close to their source of origin in under three seconds globally on average — all while routing traffic faster than the public Internet. ![Figure 1: Magic transit overview](~/assets/images/reference-architecture/magic-transit-ref-arch-diagrams/magic-transit-ref-arch-1.png "Figure 1: Magic transit overview") At a high level, Magic Transit works as follows: -* **Connect:** Using Border Gateway Protocol (BGP) route announcements to the Internet, and the Cloudflare anycast network, customer traffic is ingested at a Cloudflare data center closest to the source. +- **Connect:** Using Border Gateway Protocol (BGP) route announcements to the Internet, and the Cloudflare anycast network, customer traffic is ingested at a Cloudflare data center closest to the source. -* **Protect and Process:** All customer traffic is inspected for attacks. Advanced and automated mitigation techniques are applied immediately upon detecting an attack. Additional functions such as load balancing, next-generation firewall, content caching, and serverless compute are also available as a service. +- **Protect and Process:** All customer traffic is inspected for attacks. Advanced and automated mitigation techniques are applied immediately upon detecting an attack. Additional functions such as load balancing, next-generation firewall, content caching, and serverless compute are also available as a service. -* **Accelerate:** Clean traffic is routed over Cloudflare’s low-latency network links for optimal throughput and handed off over IP tunnels (either GRE or IPsec) or private network interconnects (PNI) to the origin network. Magic Transit uses anycast IP addresses for Cloudflare’s tunnel endpoints, meaning that any server in any data center is capable of encapsulating and decapsulating packets for the same tunnel. 
For more details specifically on tunnels and encapsulation, refer to [GRE and IPsec tunnels](/magic-transit/reference/tunnels/). +- **Accelerate:** Clean traffic is routed over Cloudflare’s low-latency network links for optimal throughput and handed off over IP tunnels (either GRE or IPsec) or private network interconnects (PNI) to the origin network. Magic Transit uses anycast IP addresses for Cloudflare’s tunnel endpoints, meaning that any server in any data center is capable of encapsulating and decapsulating packets for the same tunnel. For more details specifically on tunnels and encapsulation, refer to [GRE and IPsec tunnels](/magic-transit/reference/tunnels/). ### Baking resilience into our network using anycast 
@@ -64,19 +65,19 @@ The network diagram in Figure 2 illustrates such a Magic Transit setup, and the ![Figure 2: Reference Configuration of Magic Transit anycast Tunnel (GRE) With Default DSR Option](~/assets/images/reference-architecture/magic-transit-ref-arch-diagrams/magic-transit-ref-arch-2.png "Figure 2: Reference Configuration of Magic Transit anycast Tunnel (GRE) With Default DSR Option") -* Cloudflare provides the customer with a pair of anycast IP addresses for the Cloudflare end of the tunnel endpoints. These are publicly routable IP addresses from Cloudflare-owned address space. The pair of anycast IP addresses can be used to configure two tunnels for network redundancy, although only one is required for a basic configuration. The above configuration shows a single tunnel, with the Cloudflare end of the tunnel endpoint address being 192.0.2.1. +- Cloudflare provides the customer with a pair of anycast IP addresses for the Cloudflare end of the tunnel endpoints. These are publicly routable IP addresses from Cloudflare-owned address space. The pair of anycast IP addresses can be used to configure two tunnels for network redundancy, although only one is required for a basic configuration. The above configuration shows a single tunnel, with the Cloudflare end of the tunnel endpoint address being 192.0.2.1. -* The customer end of the anycast GRE tunnel needs to be a publicly routable address. It is typically the IP address of the WAN interface on the customer edge router. In this example it is 192.0.2.153. +- The customer end of the anycast GRE tunnel needs to be a publicly routable address. It is typically the IP address of the WAN interface on the customer edge router. In this example it is 192.0.2.153. -* The IP addresses of the tunnel interfaces are RFC 1918 private addresses. These addresses are only "locally significant" within the particular Magic Transit service instance that they are part of. 
Therefore, the customer can select any RFC 1918 addresses they desire, as long as they do not overlap with those of other tunnels configured within the same Magic Transit service instance. +- The IP addresses of the tunnel interfaces are RFC 1918 private addresses. These addresses are only "locally significant" within the particular Magic Transit service instance that they are part of. Therefore, the customer can select any RFC 1918 addresses they desire, as long as they do not overlap with those of other tunnels configured within the same Magic Transit service instance. -* As best practice, given the tunnels are point-to-point connections, a /31 subnet is sufficient for allocating the 2 IP addresses required for a given tunnel. In the above example, the 10.10.10.0/31 subnet is chosen, with the Cloudflare end of the tunnel interface being 10.10.10.0/31 and the customer's DC edge router side being 10.10.10.1/31. +- As best practice, given the tunnels are point-to-point connections, a /31 subnet is sufficient for allocating the 2 IP addresses required for a given tunnel. In the above example, the 10.10.10.0/31 subnet is chosen, with the Cloudflare end of the tunnel interface being 10.10.10.0/31 and the customer's DC edge router side being 10.10.10.1/31. -* Once the tunnel is configured, a route is configured in the Magic Transit service instance to forward traffic destined to a given customer prefix onto the correct tunnel. +- Once the tunnel is configured, a route is configured in the Magic Transit service instance to forward traffic destined to a given customer prefix onto the correct tunnel. -* Traffic destined to customer prefix 203.0.113.0/24 is routed onto the tunnel whose remote end (i.e. the customer’s end, from the Cloudflare network's perspective) of the tunnel interface is 10.10.10.1. +- Traffic destined to customer prefix 203.0.113.0/24 is routed onto the tunnel whose remote end (i.e. 
the customer’s end, from the Cloudflare network's perspective) of the tunnel interface is 10.10.10.1. -* Given this is a Direct Server Return (DSR) setup, the server return traffic follows the default route (ip route 0/0) configured on the customer edge router and is sent to its uplink peer (i.e. customer’s ISP's router), en route back to the clients over the Internet. This return traffic does not traverse Cloudflare network. +- Given this is a Direct Server Return (DSR) setup, the server return traffic follows the default route (ip route 0/0) configured on the customer edge router and is sent to its uplink peer (i.e. customer’s ISP's router), en route back to the clients over the Internet. This return traffic does not traverse Cloudflare network. **Note:** The smallest IP prefix size (i.e. with the longest IP subnet mask) that most ISPs accept in each other's BGP advertisements is /24; e.g. x.x.x.0/24 or y.y.y.0/23 are okay, but z.z.z.0/25 is not. Therefore, the smallest IP prefix size Cloudflare Magic Transit can advertise on behalf of the customers is /24. 
@@ -88,9 +89,9 @@ The following network diagram illustrates the end-to-end packet flow between the ![Figure 3: Magic Transit With Egress Option Enabled](~/assets/images/reference-architecture/magic-transit-ref-arch-diagrams/magic-transit-ref-arch-3.png "Figure 3: Magic Transit With Egress Option Enabled") -* The ingress traffic flow is the same as in the Default Configuration use case above. +- The ingress traffic flow is the same as in the Default Configuration use case above. -* For egress traffic to be received and processed by Magic Transit, the source IP addresses of the traffic need to be in the range of the Magic Transit-protected IP prefixes, and the destination IP addresses need to be public Internet routable, i.e. non-RFC 1918 addresses. +- For egress traffic to be received and processed by Magic Transit, the source IP addresses of the traffic need to be in the range of the Magic Transit-protected IP prefixes, and the destination IP addresses need to be public Internet routable, i.e. non-RFC 1918 addresses. It is worth noting that for customers who bring their own public IP addresses ([BYOIP](/byoip/)) for cloud-hosted services, the Magic Transit Egress option can provide additional value by eliminating the need for them to purchase and implement BYOIP services with their cloud providers, reducing their cloud bill and lowering operational costs. 
@@ -100,11 +101,11 @@ To accomplish this, the IP tunnels that on-ramps to Magic Transit are configured [Cloudflare Network Interconnect (CNI)](/network-interconnect/) allows customers to connect their network infrastructure directly to Cloudflare – bypassing the public Internet – for a more reliable, performant, and secure experience. -* CNI is provisioned by the cross-connect providers as a set of layer 2 connections, and Cloudflare allocates a pair of IP addresses from Cloudflare’s own Internet-routable IP address block for each connection. +- CNI is provisioned by the cross-connect providers as a set of layer 2 connections, and Cloudflare allocates a pair of IP addresses from Cloudflare’s own Internet-routable IP address block for each connection. -* Cloudflare coordinates with the customer to configure these links and to establish a BGP peering session over the links during CNI onboarding. +- Cloudflare coordinates with the customer to configure these links and to establish a BGP peering session over the links during CNI onboarding. -* Once the BGP session is up between the Cloudflare network and the customer edge router that are connected via CNI, Cloudflare-owned prefixes will be advertised over this CNI link to the customer edge router. +- Once the BGP session is up between the Cloudflare network and the customer edge router that are connected via CNI, Cloudflare-owned prefixes will be advertised over this CNI link to the customer edge router. Figure 4 illustrates a reference configuration for Magic Transit over CNI, and its associated packet flow. 
@@ -122,9 +123,9 @@ Magic Transit protects services hosted on-premise and in the cloud. This use cas ![Figure 6: Protect Multi-Cloud-Based Services With Magic Transit (Egress Option Enabled)](~/assets/images/reference-architecture/magic-transit-ref-arch-diagrams/magic-transit-ref-arch-6.png "Figure 6: Protect Multi-Cloud-Based Services With Magic Transit (Egress Option Enabled)") -* In this example, a given customer has two cloud VPC deployments spread across two different cloud providers, and in two different geographical regions. +- In this example, a given customer has two cloud VPC deployments spread across two different cloud providers, and in two different geographical regions. -* In this example, the customer’s /24 or larger prefix is split into multiple smaller (i.e. longer subnet mask length) prefixes (e.g. /26) and assigned to the various VPCs in different locations. Upon establishing the tunnels from the Cloudflare network to each of the VPCs, the customer can configure routes centrally in the Magic Transit configuration to route traffic to the respective VPCs. Such configuration can be made via API or UI dashboard. +- In this example, the customer’s /24 or larger prefix is split into multiple smaller (i.e. longer subnet mask length) prefixes (e.g. /26) and assigned to the various VPCs in different locations. Upon establishing the tunnels from the Cloudflare network to each of the VPCs, the customer can configure routes centrally in the Magic Transit configuration to route traffic to the respective VPCs. Such configuration can be made via API or UI dashboard. Note that with the Magic Transit Egress option, the customer can bypass each cloud provider's BYOIP services, its associated fees, and the configuration and operations complexity, by sending egress traffic (i.e. server return or server-to-Internet traffic from the protected prefix) through the Cloudflare global network via the Magic Transit tunnels. 
@@ -142,9 +143,9 @@ Figure 7 illustrates an example of deploying Magic Transit and Magic WAN service ![Figure 7: Magic Transit + Magic WAN Provide Network-as-a-Service for the Entire Enterprise](~/assets/images/reference-architecture/magic-transit-ref-arch-diagrams/magic-transit-ref-arch-7.png "Figure 7: Magic Transit + Magic WAN Provide Network-as-a-Service for the Entire Enterprise") -* In the example, GRE tunnels are used to connect the customer's various sites over the Cloudflare global anycast network. The Cloudflare anycast IP address for the Magic Transit service instance is 192.0.2.1, while the one for the Magic WAN service instance is 192.0.2.2. The Magic Transit service is enabled with the Egress option. +- In the example, GRE tunnels are used to connect the customer's various sites over the Cloudflare global anycast network. The Cloudflare anycast IP address for the Magic Transit service instance is 192.0.2.1, while the one for the Magic WAN service instance is 192.0.2.2. The Magic Transit service is enabled with the Egress option. -* The Magic Transit service protects and routes external-facing front-end client-server traffic. The Magic WAN service protects and routes enterprise internal traffic such as that of internal applications, back-end database sync, and branch-to-DC and branch-to-branch traffic. +- The Magic Transit service protects and routes external-facing front-end client-server traffic. The Magic WAN service protects and routes enterprise internal traffic such as that of internal applications, back-end database sync, and branch-to-DC and branch-to-branch traffic. ### Magic Firewall: Control and Filter Unwanted Traffic Before It Reaches the Enterprise Network 
@@ -178,10 +179,10 @@ In many cases, [traffic is faster when routed over Cloudflare](https://www.cloud Cloudflare offers comprehensive network services to connect and protect on-premise, cloud-hosted, and hybrid enterprise networks. Cloudflare provides various connectivity and deployment options to suit customers' unique architectures. -* Cloudflare Magic Transit is a cloud-native network security solution that uses the power of the Cloudflare global network to protect organizations against DDoS attacks. +- Cloudflare Magic Transit is a cloud-native network security solution that uses the power of the Cloudflare global network to protect organizations against DDoS attacks. -* Magic Transit comes with a built-in network firewall that helps customers phase out on-premise firewalls and deploy network security as-a-service that scales. +- Magic Transit comes with a built-in network firewall that helps customers phase out on-premise firewalls and deploy network security as-a-service that scales. -* In addition to protecting and routing traffic for external-facing services of an enterprise (i.e. north-south Internet-routable traffic), customers can connect and protect east-west “intra-enterprise” internal traffic using Cloudflare Magic WAN. +- In addition to protecting and routing traffic for external-facing services of an enterprise (i.e. north-south Internet-routable traffic), customers can connect and protect east-west “intra-enterprise” internal traffic using Cloudflare Magic WAN. If you would like to learn more about Magic Transit, Magic WAN, or Magic Firewall, please [reach out](https://www.cloudflare.com/magic-transit/) to us for a demo. diff --git a/src/content/docs/reference-architecture/architectures/multi-vendor.mdx b/src/content/docs/reference-architecture/architectures/multi-vendor.mdx index 71c0fc8d05925a..94dac0e9483870 100644 --- a/src/content/docs/reference-architecture/architectures/multi-vendor.mdx 
+++ b/src/content/docs/reference-architecture/architectures/multi-vendor.mdx
@@ -1,15 +1,16 @@
 ---
-title: Multi-Vendor Architecture
+title: Multi-vendor Application Security and Performance Reference Architecture
 pcx_content_type: reference-architecture
+products:
+  - DNS
+  - Network Interconnect
 sidebar:
   order: 1
-head:
-  - tag: title
-    content: "Reference Architecture: Multi-vendor Application Security and Performance"
-
+  label: Multi-Vendor Architecture
+updated: 2023-08-04
 ---
 
-import { LinkButton, Render } from "~/components"
+import { LinkButton, Render } from "~/components";
 
 ## Introduction
 
@@ -29,8 +30,8 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo
 
 Those who read this reference architecture will learn:
 
-* How Cloudflare application security and performance capabilities can work alongside existing technology vendors
-* Understanding the decisions to be made when using many vendors
+- How Cloudflare application security and performance capabilities can work alongside existing technology vendors
+- Understanding the decisions to be made when using many vendors
 
 ## Cloud based security and performance providers
 
@@ -42,7 +43,7 @@ Cloud-based security and performance providers like Cloudflare work as a reverse Normal traffic flow without a reverse proxy would involve a client sending a DNS lookup request, receiving the origin IP address, and communicating directly to the origin server(s). This is visualized in Figure 1. -When a reverse proxy is introduced, the client still sends a DNS lookup request to its resolver, which is the first stop in the DNS lookup. In this case, the DNS resolver returns a vendor’s reverse proxy IP address to the client and the client then makes a request to the vendor’s reverse proxy. The cloud-based proxy solution can now provide additional security, performance, and reliability services like [CDN](https://www.cloudflare.com/cdn/), [WAF](https://www.cloudflare.com/waf/), [DDoS](https://www.cloudflare.com/ddos/), [API Gateway](https://www.cloudflare.com/products/api-gateway/), [Bot Management](https://www.cloudflare.com/products/bot-management/) capabilities, etc, before deciding, based on security policy, whether to route the client request to the respective origin server(s). This is visualized in Figure 2. +When a reverse proxy is introduced, the client still sends a DNS lookup request to its resolver, which is the first stop in the DNS lookup. In this case, the DNS resolver returns a vendor’s reverse proxy IP address to the client and the client then makes a request to the vendor’s reverse proxy. The cloud-based proxy solution can now provide additional security, performance, and reliability services like [CDN](https://www.cloudflare.com/cdn/), [WAF](https://www.cloudflare.com/waf/), [DDoS](https://www.cloudflare.com/ddos/), [API Gateway](https://www.cloudflare.com/products/api-gateway/), [Bot Management](https://www.cloudflare.com/products/bot-management/) capabilities, etc, before deciding, based on security policy, whether to route the client request to the respective origin server(s). This is visualized in Figure 2. 
![Figure 2: Client request routed through reverse proxy for additional security and performance services](~/assets/images/reference-architecture/multi-vendor-architecture-images/Figure_2.png "Figure 2") @@ -58,9 +59,9 @@ Cloudflare has one global network with every service running on every server in [Cloudflare’s global anycast network](https://www.cloudflare.com/network/) provides the following advantages: -* Incoming traffic is routed to the nearest data center with the capacity to process the requests efficiently. -* Availability and redundancy is inherently provided. Since multiple nodes advertise the same IP address, if one node were to fail, requests are simply routed to another node in close proximity. -* Because anycast distributes traffic across multiple data centers, it increases overall distribution of traffic across Cloudflare’s network, preventing any one location from becoming overwhelmed with requests. For this reason, anycast networks are very resilient to DDoS attacks. +- Incoming traffic is routed to the nearest data center with the capacity to process the requests efficiently. +- Availability and redundancy is inherently provided. Since multiple nodes advertise the same IP address, if one node were to fail, requests are simply routed to another node in close proximity. +- Because anycast distributes traffic across multiple data centers, it increases overall distribution of traffic across Cloudflare’s network, preventing any one location from becoming overwhelmed with requests. For this reason, anycast networks are very resilient to DDoS attacks. ![Figure 4: Cloudflare providing DNS and security/performance services via global anycast network](~/assets/images/reference-architecture/multi-vendor-architecture-images/Figure_4.png "Figure 4") 
@@ -104,7 +105,7 @@ Some customers may have to comply with regulatory/company policy of not being de ### Resiliency -When a single vendor is used for all security and performance services, this may be perceived as a single point of failure. This can be driven by regulatory pressure to improve reliability in all critical systems, outages experienced with an incumbent vendor, or uncertainty with the long term reliability of a single vendor. +When a single vendor is used for all security and performance services, this may be perceived as a single point of failure. This can be driven by regulatory pressure to improve reliability in all critical systems, outages experienced with an incumbent vendor, or uncertainty with the long term reliability of a single vendor. ### Performance 
@@ -126,7 +127,7 @@ Avoid a “stacked” approach. This means avoid having Cloudflare placed in the One note on a stacked approach is that in certain cases for particular point solutions, it can make sense to place one vendor solution in front of the other, such as particular bot management solutions and API gateways, especially when migrating towards a new vendor/provider. In these scenarios it’s important to understand where each solution falls in the request flow to optimize effectiveness. -While Cloudflare and many providers maintain a high degree of availability and a robust fault tolerant architecture, some customers have a further desire to reduce dependency and respectively single vendor point of failures. It’s important to plan for a worst case scenario where some or all of a vendor's services are down and how to work around that in a short timeframe. Customers must consider how to have redundancy across DNS providers, networks, and origin connectivity to eliminate the risk of a single vendor/component failure cascading into a widespread outage. +While Cloudflare and many providers maintain a high degree of availability and a robust fault tolerant architecture, some customers have a further desire to reduce dependency and respectively single vendor point of failures. It’s important to plan for a worst case scenario where some or all of a vendor's services are down and how to work around that in a short timeframe. Customers must consider how to have redundancy across DNS providers, networks, and origin connectivity to eliminate the risk of a single vendor/component failure cascading into a widespread outage. While the specifics may vary widely depending on the vendor and business case, the technical considerations for a multi-vendor deployment can be bucketed into three areas: routing logic, configuration management and origin connectivity. 
@@ -162,9 +163,9 @@ Some important considerations when designing a multi-vendor solution are operati A primary focus for Cloudflare has always been operational simplicity and providing visibility. Cloudflare provides a single unified dashboard where all security, performance, and reliability services can be accessed from a consistent operationally simple UI. -Additionally, Cloudflare offers logging, analytics and security analytics dashboards. Logs with additional details are also accessible from the UI. Customers have granular data that can be used for analysis and troubleshooting. +Additionally, Cloudflare offers logging, analytics and security analytics dashboards. Logs with additional details are also accessible from the UI. Customers have granular data that can be used for analysis and troubleshooting. -Figure 7 below shows a view of Cloudflare Security Analytics which brings together all of Cloudflare’s detection capabilities in one place. This provides security engineers and admins with a quick view of current traffic and security insights in regards to their site. +Figure 7 below shows a view of Cloudflare Security Analytics which brings together all of Cloudflare’s detection capabilities in one place. This provides security engineers and admins with a quick view of current traffic and security insights in regards to their site. ![Figure 7: Cloudflare Security Analytics](~/assets/images/reference-architecture/multi-vendor-architecture-images/Figure_7.png "Figure 7") 
@@ -176,12 +177,12 @@ In Figure 8 below a Logpush is being configured to automatically export logs to When selecting the vendors for a multi-vendor solution you should ensure you select vendors where the below criteria is met: -* The vendor provides for operational simplicity with a single consistent UI for all operations where users can easily manage and get things done in one place. -* The vendor has useful security analytics to give an understanding of a sites’ traffic, security insights, and useful data for troubleshooting. -* The vendor has the ability to export logs/request data to third party clouds/applications. -* The vendor has an API first approach and provides APIs for all operations so tasks can be easily automated. -* The vendor is reputable and can provide effective support and help when needed. -* Employees are trained and have expertise or are comfortable using the vendor’s products. +- The vendor provides for operational simplicity with a single consistent UI for all operations where users can easily manage and get things done in one place. +- The vendor has useful security analytics to give an understanding of a sites’ traffic, security insights, and useful data for troubleshooting. +- The vendor has the ability to export logs/request data to third party clouds/applications. +- The vendor has an API first approach and provides APIs for all operations so tasks can be easily automated. +- The vendor is reputable and can provide effective support and help when needed. +- Employees are trained and have expertise or are comfortable using the vendor’s products. ## Common deployments 
@@ -225,7 +226,7 @@ It’s important to note here that typically the DNS resolvers have already seen In this example, we are also seeing records being kept in sync via periodic zone transfers. Cloudflare is able to support both outgoing and incoming zone transfers. Traffic is directed to each proxy by either a provider specific CNAME record or static IP. -The configuration on the DNS side can vary; the different options are discussed in more detail in the next section. DNS can be set up with one provider acting as primary and the other acting as secondary. The DNS provider acting as primary is where all the DNS configuration is done and the secondary DNS receives the configuration copy via zone transfer. +The configuration on the DNS side can vary; the different options are discussed in more detail in the next section. DNS can be set up with one provider acting as primary and the other acting as secondary. The DNS provider acting as primary is where all the DNS configuration is done and the secondary DNS receives the configuration copy via zone transfer. Some DNS providers like [Cloudflare](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) offer the capability where secondary DNS can overwrite the A and AAAA records. This allows the provider to rewrite the A/AAAA record to proxy traffic through a different vendor as desired. In this case the secondary DNS provider will provide a different response than the primary for the same hostname. This means that depending on what nameserver a client resolver queries, the request will be routed to the vendor’s respective network. This allows for flexibility and reduced complexity by relying on the client resolver for traffic steering and failover if the nameservers are slow or unreachable. This comes at the cost of direct control and predictability over what provider a client selects. 
@@ -245,21 +246,21 @@ The advantage and main use case with this deployment model is that it uses a sta Sometimes customers may decide to use another option due to the following: -* The requirement of updating DNS records when the record management and zone transfer pipeline is down. -* Not wanting to rely on a third party/vendor for the DNS synchronization and desiring more control. -* Having specific restrictions/regulations excluding this option. +- The requirement of updating DNS records when the record management and zone transfer pipeline is down. +- Not wanting to rely on a third party/vendor for the DNS synchronization and desiring more control. +- Having specific restrictions/regulations excluding this option. This setup is recommended for customers who desire simplicity offered by a secondary DNS and provider for maintaining synchronization. Pros: -* Uses standard (AXFR, IXFR) to keep DNS synced and done automatically via Zone Transfers. -* Simplicity as the DNS provider is responsible for DNS synchronization. +- Uses standard (AXFR, IXFR) to keep DNS synced and done automatically via Zone Transfers. +- Simplicity as the DNS provider is responsible for DNS synchronization. Cons: -* If the record management and zone transfer pipeline is down, DNS records cannot be updated. -* Some customers do not want to rely on a vendor/3rd party for DNS sync and desire more control and flexibility. +- If the record management and zone transfer pipeline is down, DNS records cannot be updated. +- Some customers do not want to rely on a vendor/3rd party for DNS sync and desire more control and flexibility. **2. Two authoritative - both primary** 
@@ -273,13 +274,13 @@ This setup is recommended for customers who desire the most flexible and resilie
 Pros:
-* If control plane is down on one provider, DNS records can still be updated at the other.
-* More control and no reliance on DNS provider for DNS synchronization.
+- If control plane is down on one provider, DNS records can still be updated at the other.
+- More control and no reliance on DNS provider for DNS synchronization.
 Cons:
-* More complexity in keeping DNS between providers synced.
-* Customer is responsible for DNS synchronization which can be done via automation tools, automated via vendor APIs, or manually.
+- More complexity in keeping DNS between providers synced.
+- Customer is responsible for DNS synchronization which can be done via automation tools, automated via vendor APIs, or manually.
 **3. One or more authoritative - hidden primary and multiple secondary**
@@ -291,13 +292,13 @@ This setup is recommended for customers who desire simplicity offered by a secon
 Pros:
-* Allows customers to maintain DNS record management on their infrastructure and use standard to keep DNS synced automatically via Zone Transfers.
-* Primary is used only for source of truth and maintaining DNS records and can be taken offline for maintenance /administration.
+- Allows customers to maintain DNS record management on their infrastructure and use standard to keep DNS synced automatically via Zone Transfers.
+- Primary is used only for source of truth and maintaining DNS records and can be taken offline for maintenance /administration.
 Cons:
-* If the record management and zone transfer pipeline is down, DNS records cannot be updated.
-* Some customers do not want to rely on a vendor/3rd party for DNS sync and desire more control.
+- If the record management and zone transfer pipeline is down, DNS records cannot be updated.
+- Some customers do not want to rely on a vendor/3rd party for DNS sync and desire more control.
 ## Configuration and management best practices
@@ -375,4 +376,9 @@ If you want your domain to be [FIPS](https://en.wikipedia.org/wiki/Federal_Infor
 To summarize, a successful multi-vendor strategy for application security and performance requires careful consideration of your business objectives, infrastructure requirements, and vendor capabilities. There are several options to choose from when deploying a multi-vendor strategy with various advantages and limitations to each. Cloudflare can support these configurations by delivering services through the Cloudflare Global Network that are highly resilient, performant, and cost effective to fit your organizations multi-vendor strategy.
-Download this page as a PDF
+
+ Download this page as a PDF
+
diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx
index cd4ea43a798feb..8c5d63eb9232ce 100644
--- a/src/content/docs/reference-architecture/architectures/sase.mdx
+++ b/src/content/docs/reference-architecture/architectures/sase.mdx
@@ -1,9 +1,21 @@
 ---
 title: Evolving to a SASE architecture with Cloudflare
 pcx_content_type: reference-architecture
+products:
+ - Access
+ - Gateway
+ - CASB
+ - Email Security
+ - Digital Experience Monitoring
+ - Browser Isolation
+ - Data Loss Prevention
+ - Magic WAN
+ - Magic Firewall
+ - Magic Transit
 sidebar:
 order: 1
 label: Secure Access Service Edge (SASE)
+updated: 2024-09-07
 ---
 import { Render } from "~/components";
diff --git a/src/content/docs/reference-architecture/architectures/security.mdx b/src/content/docs/reference-architecture/architectures/security.mdx
index a875521e1f89a4..6234054bef59f8 100644
--- a/src/content/docs/reference-architecture/architectures/security.mdx
+++ b/src/content/docs/reference-architecture/architectures/security.mdx
@@ -1,18 +1,36 @@
 ---
-title: Security
+title: Cloudflare Security Architecture
 pcx_content_type: reference-architecture
 products:
 - Workers
 - Turnstile
+ - Access
+ - Gateway
+ - CASB
+ - Email Security
+ - Data Loss Prevention
+ - Magic WAN
+ - Magic Firewall
+ - Magic Transit
+ - API Shield
+ - Bots
+ - Data Localization Suite
+ - DDoS Protection
+ - DNS Firewall
+ - Page Shield
+ - SSL/TLS
+ - Spectrum
+ - Security Center
+ - Turnstile
+ - WAF
 sidebar:
 order: 1
-head:
- - tag: title
- content: Cloudflare Security Architecture
+ label: Security Architecture
 description: This document provides insight into how this network and platform are architected from a security perspective, how they are operated, and what services are available for businesses to address their own security challenges.
+updated: 2024-06-19
 ---
 import { Render } from "~/components";
diff --git a/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx b/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx
index 5bf4e2e13dba02..0b67748f542f49 100644
--- a/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx
+++ b/src/content/docs/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers.mdx
@@ -1,11 +1,16 @@
 ---
-title: Extending Cloudflare's Benefits to SaaS Providers' End-Customers
+title: Extend Cloudflare's Benefits to SaaS Providers' End-Customers
 pcx_content_type: design-guide
+products:
+ - Cloudflare for SaaS
+ - Cloudflare Tunnel
+ - Load Balancing
+ - Data Localization Suite
 weight: null
-head:
- - tag: title
- content: "Design guide: Extend Cloudflare's Benefits to SaaS Providers' End-Customers"
-
+sidebar:
+ order: 1
+ label: Cloudflare's Benefits for SaaS Providers
+updated: 2024-08-29
 ---
 ## Introduction
@@ -16,10 +21,10 @@ This design guide illustrates how providers, building and hosting their own prod
 The following diagrams visualize the use of the following services:
-* Data Localization Suite (specifically, [Regional Services](/data-localization/regional-services/))
-* [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/)
-* [Cloudflare Tunnels](/cloudflare-one/connections/connect-networks/) to securely expose web applications (with [public hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) and [private networks](/cloudflare-one/connections/connect-networks/private-net/))
-* Load Balancers to manage traffic and ensure reliability and performance, implementing Global Traffic Management (GTM) and [Local Traffic Management (LTM)](/load-balancing/local-traffic-management/).
+- Data Localization Suite (specifically, [Regional Services](/data-localization/regional-services/))
+- [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/)
+- [Cloudflare Tunnels](/cloudflare-one/connections/connect-networks/) to securely expose web applications (with [public hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) and [private networks](/cloudflare-one/connections/connect-networks/private-net/))
+- Load Balancers to manage traffic and ensure reliability and performance, implementing Global Traffic Management (GTM) and [Local Traffic Management (LTM)](/load-balancing/local-traffic-management/).
 This setup is ideal for SaaS providers who need to ensure minimal downtime, auto-renewal of SSL/TLS certificates, efficiently distribute traffic to healthy endpoints, and regional traffic management for compliance and performance optimization.
@@ -31,27 +36,27 @@ This solution supports subdomains under your own zone while also allowing your c Before looking at how Cloudflare can be configured to protect your SaaS application through your custom hostnames, it's worth reviewing the benefits of taking this approach. -| Benefit | Description | -| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Minimized Downtime | Ensure [minimal downtime](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/#minimize-downtime) not only during custom hostname migrations to Cloudflare for SaaS but also throughout the entire lifecycle of the application. | -| Security and Performance | Extends Cloudflare's [security](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/) and [performance](/cloudflare-for-platforms/cloudflare-for-saas/performance/) benefits to end-customers through their custom domains. | -| Auto-Renewal | Automates the [renewal](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates/) and management process for custom hostname certificates. | -| Apex Proxying | Supports end-customers using [domain apex](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/realtime-validation/#apex-proxying) (otherwise known as root domain) as custom hostnames. Used where your DNS service doesn't allow [CNAMEs for root domains](/dns/cname-flattening/), instead a [static IP](/byoip/address-maps/#static-ips-or-byoip) is used to allow an A record to be used. 
| -| Smart Load Balancing | Use the load balancer as [custom origins](/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/custom-origin/) to steer traffic with [session affinity](/load-balancing/understand-basics/session-affinity/). In the context of Cloudflare for SaaS, a custom origin lets you send traffic from one or more custom hostnames to somewhere besides your default proxy fallback origin. | +| Benefit | Description | +| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Minimized Downtime | Ensure [minimal downtime](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/#minimize-downtime) not only during custom hostname migrations to Cloudflare for SaaS but also throughout the entire lifecycle of the application. | +| Security and Performance | Extends Cloudflare's [security](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/) and [performance](/cloudflare-for-platforms/cloudflare-for-saas/performance/) benefits to end-customers through their custom domains. | +| Auto-Renewal | Automates the [renewal](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates/) and management process for custom hostname certificates. 
| +| Apex Proxying | Supports end-customers using [domain apex](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/realtime-validation/#apex-proxying) (otherwise known as root domain) as custom hostnames. Used where your DNS service doesn't allow [CNAMEs for root domains](/dns/cname-flattening/), instead a [static IP](/byoip/address-maps/#static-ips-or-byoip) is used to allow an A record to be used. | +| Smart Load Balancing | Use the load balancer as [custom origins](/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/custom-origin/) to steer traffic with [session affinity](/load-balancing/understand-basics/session-affinity/). In the context of Cloudflare for SaaS, a custom origin lets you send traffic from one or more custom hostnames to somewhere besides your default proxy fallback origin. | | Orange-to-Orange (O2O) | For end-customers who already proxy traffic through Cloudflare, [Orange-to-Orange (O2O)](/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/how-it-works/) may be required. Generally, it's recommended for those end-customers to [not proxy](/dns/manage-dns-records/reference/proxied-dns-records/#dns-only-records) the hostnames used by the SaaS provider. If the Orange-to-Orange functionality is required, please review the [product compatibility](/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/product-compatibility/). | -| Regional Services | Allows [regional traffic management](/data-localization/regional-services/) to comply with data localization requirements. | +| Regional Services | Allows [regional traffic management](/data-localization/regional-services/) to comply with data localization requirements. | ## Products included in this guide The following products are used to deliver this solution. 
-| Product | Function | -|---------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/) | Extends the security and performance benefits of Cloudflare’s network to your customers through their own custom or vanity domains. This includes [Certificate Management](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/), [WAF for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/), [Early Hints for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/performance/early-hints-for-saas/) and [Cache for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/performance/cache-for-saas/). | -| [DDoS Protection](/ddos-protection/) | Volumetric attack protection is automatically enabled for [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostnames. | -| [Regional Services](/data-localization/regional-services/) (part of the Data Localization Suite) | Restrict inspection of data (processing) to only those data centers within jurisdictional boundaries. | -| [Load Balancer](/load-balancing/) | Distributes traffic across your endpoints, which reduces endpoint strain and latency and improves the experience for end users. | -| [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) | Secure method to connect to customers' networks and servers without creating holes in [firewalls](/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/). cloudflared is the daemon (software) installed on origin servers to create a secure tunnel from applications back to Cloudflare. 
| +| Product | Function | +| ------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/) | Extends the security and performance benefits of Cloudflare’s network to your customers through their own custom or vanity domains. This includes [Certificate Management](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/), [WAF for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/), [Early Hints for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/performance/early-hints-for-saas/) and [Cache for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/performance/cache-for-saas/). | +| [DDoS Protection](/ddos-protection/) | Volumetric attack protection is automatically enabled for [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostnames. | +| [Regional Services](/data-localization/regional-services/) (part of the Data Localization Suite) | Restrict inspection of data (processing) to only those data centers within jurisdictional boundaries. | +| [Load Balancer](/load-balancing/) | Distributes traffic across your endpoints, which reduces endpoint strain and latency and improves the experience for end users. 
| +| [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) | Secure method to connect to customers' networks and servers without creating holes in [firewalls](/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/). cloudflared is the daemon (software) installed on origin servers to create a secure tunnel from applications back to Cloudflare. | ## Cloudflare for SaaS Examples 
@@ -70,13 +75,13 @@ This standard Cloudflare for SaaS setup is the most commonly used and easiest to
 The origin server receives the details of the custom domain through either the [host header or SNI](/cloudflare-for-platforms/cloudflare-for-saas/reference/connection-details/). This enables the origin server to determine which application to direct the request to. This method is applicable for both custom hostnames (for example, `app.mycustomerexample.com`) and vanity domains (for example, `customer1.myappexample.com`). Since all requests for your application are now routed through the Cloudflare network, you can leverage a range of security and performance services for every request, including:
-* [Web Application Firewall](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/)
-* [Access control policies](/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/)
-* [Caching of application content](/cloudflare-for-platforms/cloudflare-for-saas/performance/cache-for-saas/)
-* [Support browser early hints](/cloudflare-for-platforms/cloudflare-for-saas/performance/early-hints-for-saas/)
-* [Image Transformations](/images/)
-* [Waiting Room](/waiting-room/)
-* [Workers for Platform](/cloudflare-for-platforms/workers-for-platforms/)
+- [Web Application Firewall](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/)
+- [Access control policies](/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/)
+- [Caching of application content](/cloudflare-for-platforms/cloudflare-for-saas/performance/cache-for-saas/)
+- [Support browser early hints](/cloudflare-for-platforms/cloudflare-for-saas/performance/early-hints-for-saas/)
+- [Image Transformations](/images/)
+- [Waiting Room](/waiting-room/)
+- [Workers for Platform](/cloudflare-for-platforms/workers-for-platforms/)
 For implementation details to get started, review the [developer 
documentation](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/). 
@@ -110,9 +115,9 @@ Cloudflare offers a powerful set of load balancing capabilities. These allow you
 1. The Custom Hostname (`custom.example.com`) is configured as a CNAME record pointing to a Cloudflare [regionalized Load Balancer](/data-localization/how-to/load-balancing/) (`eu-lb.myappexample.com`). This ensures that all processing, including TLS termination, takes place within a specified geographic region. Additionally, the SaaS provider needs to set up the load balancer as the [Custom Origin](/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/custom-origin/) for the Custom Hostname.
 2. The regional Load Balancer is set up with [Origin Pools](/load-balancing/pools/) to distribute requests across multiple downstream servers. Each pool can be configured to use either [public hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) with Global Traffic Management (GTM) or [private network](/cloudflare-one/connections/connect-networks/private-net/) addresses with Local Traffic Management (LTM). In the diagram above, we utilize both options:
- * Origin Pool 1 uses the [Cloudflare Tunnel hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) (`.cfargotunnel.com`) as the endpoint or origin server for handling those requests.
- When using a public hostname, it is necessary to set the [HTTP Host Header value](/load-balancing/additional-options/override-http-host-headers/) to match the public hostname configured and exposed by the [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). This ensures that the origin server can correctly route the incoming requests.
- * Origin Pool 2 uses the private IP address or private network (that is, `10.0.0.5`) within the SaaS provider's internal network, where the SaaS application resides. 
This pool must be configured to operate within the specified [Virtual Network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) to ensure proper routing of requests.
+ - Origin Pool 1 uses the [Cloudflare Tunnel hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) (`.cfargotunnel.com`) as the endpoint or origin server for handling those requests.
+ When using a public hostname, it is necessary to set the [HTTP Host Header value](/load-balancing/additional-options/override-http-host-headers/) to match the public hostname configured and exposed by the [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). This ensures that the origin server can correctly route the incoming requests.
+ - Origin Pool 2 uses the private IP address or private network (that is, `10.0.0.5`) within the SaaS provider's internal network, where the SaaS application resides. This pool must be configured to operate within the specified [Virtual Network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) to ensure proper routing of requests.
 3. Cloudflare Tunnel exposes both [public hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) with GTM and [private networks](/cloudflare-one/connections/connect-networks/private-net/) (private IPs) with LTM. For enhanced granularity in application serving and scalability, it is generally recommended to use private networks rather than public hostnames. Private networks enable Cloudflare to preserve and accurately pass the host header to the origin server. In contrast, when using public hostnames, providers must configure the [header value](/load-balancing/additional-options/override-http-host-headers/) on the load balancer, which is restricted to one public hostname per load balancer endpoint, potentially limiting flexibility.
@@ -133,10 +138,10 @@ By leveraging Cloudflare's infrastructure, SaaS providers can deliver secure, re
 Several Cloudflare customers are currently using the Cloudflare for SaaS solution (formerly known as SSL for SaaS). Notable public use cases include:
-* [Shopify](https://www.cloudflare.com/case-studies/shopify/)
-* [Porsche Informatik](https://www.cloudflare.com/case-studies/porsche-informatik/)
-* [Divio](https://www.cloudflare.com/case-studies/divio/)
-* [mogenius](https://www.cloudflare.com/case-studies/mogenius/)
-* [Quickbutik](https://www.cloudflare.com/case-studies/quickbutik/)
+- [Shopify](https://www.cloudflare.com/case-studies/shopify/)
+- [Porsche Informatik](https://www.cloudflare.com/case-studies/porsche-informatik/)
+- [Divio](https://www.cloudflare.com/case-studies/divio/)
+- [mogenius](https://www.cloudflare.com/case-studies/mogenius/)
+- [Quickbutik](https://www.cloudflare.com/case-studies/quickbutik/)
 Additionally, when migrating to Cloudflare for SaaS, it is crucial to have a runbook and clear public documentation to communicate relevant details to your end-customers. Excellent public examples of this are the [Salesforce CDN](https://help.salesforce.com/s/articleView?id=sf.community_builder_cdn.htm&type=5) and [Shopify](https://help.shopify.com/en/manual/domains/add-a-domain/connecting-domains) documentation.
diff --git a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
index 7a927dae801769..007708cac5a672 100644
--- a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
+++ b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
@@ -1,17 +1,19 @@
 ---
 title: Network-focused migration from VPN concentrators to Zero Trust Network Access
 pcx_content_type: design-guide
-head:
- - tag: title
- content: "Design guide: Network-focused VPN migration"
+products:
+ - Magic WAN
+ - Gateway
+ - Access
+ - Network Interconnect
 sidebar:
 label: "Network-focused VPN migration"
-
+updated: 2024-09-17
 ---
 ## Introduction
-Over the past few years, the traditional approach of installing and maintaining hardware for remote access to private company networks is no longer secure or cost effective. Due to an increase in [vulnerabilities](https://www.networkworld.com/article/2114694/new-vpn-risk-report-finds-nearly-half-of-enterprises-attacked-via-vpn-vulnerabilities.html) found in on-premises VPN products, security and IT teams are looking for solutions that don't require teams to monitor for and respond to [CVE alerts](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vpn). These same systems also limit the user's bandwidth because they route all user Internet traffic through a single infrastructure which results in a poor user experience. IT teams are recognizing the cost and effort to install and maintain their own hardware can be offset with more modern, and more secure cloud hosted services. User expectations for application performance are exposing limitations in bandwidth constrained, self hosted VPN solutions. In summary, running your own VPN is expensive, high risk and doesn't deliver a great user experience.
+Over the past few years, the traditional approach of installing and maintaining hardware for remote access to private company networks is no longer secure or cost effective. 
Due to an increase in [vulnerabilities](https://www.networkworld.com/article/2114694/new-vpn-risk-report-finds-nearly-half-of-enterprises-attacked-via-vpn-vulnerabilities.html) found in on-premises VPN products, security and IT teams are looking for solutions that don't require teams to monitor for and respond to [CVE alerts](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vpn). These same systems also limit the user's bandwidth because they route all user Internet traffic through a single infrastructure which results in a poor user experience. IT teams are recognizing the cost and effort to install and maintain their own hardware can be offset with more modern, and more secure cloud hosted services. User expectations for application performance are exposing limitations in bandwidth constrained, self hosted VPN solutions. In summary, running your own VPN is expensive, high risk and doesn't deliver a great user experience. ![Diagram showing suboptimal traffic paths for traffic to Internet resources.](~/assets/images/reference-architecture/design-guide-network-vpn-migr/traditional-vpn.svg "Figure 1: A traditional VPN deployment, where all user traffic destined for the Internet must route through the company hosted and managed VPN service.") 
@@ -29,32 +31,32 @@ This guide is specifically aimed at network architects or IT admins who want to
 ### Who is this document for and what will you learn?
-This guide is written for network and security experts considering a replacement of their current VPN vendor, while preparing their organization for a zero trust or SASE architecture. It assumes familiarity with networking concepts such as IPsec tunnels, routing tables and split tunneling.
+This guide is written for network and security experts considering a replacement of their current VPN vendor, while preparing their organization for a zero trust or SASE architecture. It assumes familiarity with networking concepts such as IPsec tunnels, routing tables and split tunneling.
 What you will learn:
-* How Cloudflare can replace a traditional VPN-like implementation
-* How to get visibility into VPN network traffic
-* What you need to consider to implement a Cloudflare solution at scale
-* Steps to take to move to a recommended Zero Trust Network Access implementation
+- How Cloudflare can replace a traditional VPN-like implementation
+- How to get visibility into VPN network traffic
+- What you need to consider to implement a Cloudflare solution at scale
+- Steps to take to move to a recommended Zero Trust Network Access implementation
 The solution this guide describes requires you have a contract with Cloudflare that includes:
-* Cloudflare One licenses for the amount of users you are looking to onboard
-* Cloudflare Magic WAN
+- Cloudflare One licenses for the amount of users you are looking to onboard
+- Cloudflare Magic WAN
 To build a stronger baseline understanding of Cloudflare, we recommend the following resources:
-1. What is Cloudflare? | [Website](https://www.cloudflare.com/what-is-cloudflare/) (five-minute read) or [video](https://www.youtube.com/watch?v=XHvmX3FhTwU) (two minutes)
-2. Blog: [What is SASE? 
| Secure access service edge | Cloudflare](https://www.cloudflare.com/learning/access-management/what-is-sase/) (14-minute read)
+1. What is Cloudflare? | [Website](https://www.cloudflare.com/what-is-cloudflare/) (five-minute read) or [video](https://www.youtube.com/watch?v=XHvmX3FhTwU) (two minutes)
+2. Blog: [What is SASE? | Secure access service edge | Cloudflare](https://www.cloudflare.com/learning/access-management/what-is-sase/) (14-minute read)
 3. Reference architecture: [Evolving to a SASE architecture with Cloudflare](/reference-architecture/architectures/sase/) (three-hour read)
 ## Benefits of a SASE platform
 Traditional VPN approaches typically provide the following types of access.
-* Allowing remote users access to self hosted private applications running on a corporate network
-* Routing all user Internet traffic through a single, concentrated VPN access point where security policies are applied
+- Allowing remote users access to self hosted private applications running on a corporate network
+- Routing all user Internet traffic through a single, concentrated VPN access point where security policies are applied
 A SASE platform replaces traditional VPN hardware by offering two key services. First, it maps user access directly to internal applications hosted on corporate networks or in the cloud, unlike hosting your own VPN service which typically provides broad access to the entire corporate network. Second, it enables filtering of Internet traffic close to the user, allowing users to securely access the Internet without routing all traffic through the corporate network, thereby improving efficiency and maintaining security.
@@ -62,14 +64,14 @@ A SASE platform replaces traditional VPN hardware by offering two key services. Remote users authenticate and connect to a cloud hosted Zero Trust Network Access (ZTNA) service, which in turn has connectivity into the networks where the private applications reside. Cloudflare's [SASE reference architecture](/reference-architecture/architectures/sase/) describes three methods for connecting Cloudflare to your existing applications and networks: -1. Software connectors ([`cloudflared`](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) or [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/)) -2. IPsec or GRE tunnels using [Magic WAN](/magic-wan/) +1. Software connectors ([`cloudflared`](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) or [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/)) +2. IPsec or GRE tunnels using [Magic WAN](/magic-wan/) 3. Direct network connections using [Cloudflare Network Interconnect](/network-interconnect/) -All three methods have their specific advantages, however, software connectors are usually preferred when considering a modern Zero Trust implementation for three reasons. +All three methods have their specific advantages, however, software connectors are usually preferred when considering a modern Zero Trust implementation for three reasons. -1. They deliver a network connectivity model that is flexible and easy to replicate across environments. You can move the applications and servers with little to no changes in configuration. -2. Software daemon architecture simplifies scaling to increased traffic demands, just install more agents on more servers. +1. They deliver a network connectivity model that is flexible and easy to replicate across environments. You can move the applications and servers with little to no changes in configuration. +2. 
Software daemon architecture simplifies scaling to increased traffic demands, just install more agents on more servers. 3. Because daemons run close to your applications (as opposed to at your network edge), you can build isolated network or application segments in which to enforce policy, preventing lateral movement and getting the full benefits of the zero trust model. :::note @@ -90,9 +92,9 @@ This approach allows network and security teams to get up-and-running quickly, w This guide will describe the following phases at a high level, if you need help with specific details related to your environment please [contact Cloudflare](https://www.cloudflare.com/products/zero-trust/plans/enterprise/). -* Phase 1: Quickly replace existing traditional/vulnerable VPN hardware with cloud-based remote access while gaining insight into application traffic. -* Phase 2: Scaling up and offloading traditional IPsec tunnels. -* Phase 3: Improving security posture by segmenting application access and enabling clientless access. +- Phase 1: Quickly replace existing traditional/vulnerable VPN hardware with cloud-based remote access while gaining insight into application traffic. +- Phase 2: Scaling up and offloading traditional IPsec tunnels. +- Phase 3: Improving security posture by segmenting application access and enabling clientless access. ## Phase 1: Connectivity and network-based policies 
@@ -102,8 +104,8 @@ Consider an organization with global IT infrastructure. Specifically, three data During this first phase, network connectivity will be created between user devices and the private networks they currently access via existing network infrastructure. This is achieved in two ways. -* On employee devices install the Cloudflare [device agent](/cloudflare-one/connections/connect-devices/warp/). This replaces the use of existing VPN client software. -* Using existing network hardware in the data center, create IPsec tunnels to Cloudflare which are managed using Cloudflare Magic WAN service. +- On employee devices install the Cloudflare [device agent](/cloudflare-one/connections/connect-devices/warp/). This replaces the use of existing VPN client software. +- Using existing network hardware in the data center, create IPsec tunnels to Cloudflare which are managed using Cloudflare Magic WAN service. Both employee devices and data center networks will connect to their closest Cloudflare server. This is thanks to [Cloudflare's anycast architecture](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/), and ensures the most optimal path for user traffic without any effort by employees or IT support staff. Users no longer need to make a choice to which VPN service region to connect to, as Cloudflare will always ensure they connect to the closest and most responsive service for the best access performance to their private applications. 
@@ -131,26 +133,26 @@ Although this phase focuses on using the Magic WAN service and IPsec tunnels for Cloudflare offers two types of software connectors: -* [`cloudflared`](/cloudflare-one/connections/connect-networks/get-started/) -* [WARP connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) +- [`cloudflared`](/cloudflare-one/connections/connect-networks/get-started/) +- [WARP connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) -As discussed in the introduction, `cloudflared` is the preferred method for Zero Trust Network Access, but only supports inbound connectivity to your networks and application servers, any server initiated connection will not go via the tunnel and instead follow the server's default network path. WARP connector is designed to create tunnels that facilitate both inbound and outbound connectivity, but it doesn't currently have the same level of failover support and ease of configuration. For this guide, we will be discussing using `cloudflared` as it supports the internal DNS use case described. +As discussed in the introduction, `cloudflared` is the preferred method for Zero Trust Network Access, but only supports inbound connectivity to your networks and application servers, any server initiated connection will not go via the tunnel and instead follow the server's default network path. WARP connector is designed to create tunnels that facilitate both inbound and outbound connectivity, but it doesn't currently have the same level of failover support and ease of configuration. For this guide, we will be discussing using `cloudflared` as it supports the internal DNS use case described. -For large remote access use cases, Cloudflare recommends deploying connectors to dedicated hosts. See the [System Requirements documentation](/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/) for more deployment recommendations and server sizing. 
Where to deploy these servers depends on the access they need and the internal firewall rules and segmentation of the network. Some customers start with their first deployment in their DMZ, while others install it deeper in their network and evolve from there. +For large remote access use cases, Cloudflare recommends deploying connectors to dedicated hosts. See the [System Requirements documentation](/cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/) for more deployment recommendations and server sizing. Where to deploy these servers depends on the access they need and the internal firewall rules and segmentation of the network. Some customers start with their first deployment in their DMZ, while others install it deeper in their network and evolve from there. Installing `cloudflared` is best done in an automated manner, so we recommend deploying using a virtualization technology such as Docker or deploying as VMware guests and configuring via Ansible. Preferably, as traffic using `cloudflared` tunnels increases, such systems can scale the deployment automatically based on real-time metrics collected from the hosts. `cloudflared` instances can be monitored using the [Prometheus metrics endpoint](/cloudflare-one/connections/connect-networks/monitor-tunnels/metrics/). Prometheus is an HTTP-based monitoring and alerting system similar in functionality to SNMP, exposing metrics that can be polled from the resource to be monitored. Most monitoring systems on the market today support Prometheus as a format to collect the metrics needed for alerting and automatically scaling the deployment. 
For more information about deploying `cloudflared` connectors at scale: -* [Various guides to deploy and update](/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/) connectors in environments such as Ansible, Terraform and Kubernetes -* High availability using [replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/#cloudflared-replicas) -* [Monitor tunnels with Grafana](/cloudflare-one/tutorials/grafana/) +- [Various guides to deploy and update](/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/) connectors in environments such as Ansible, Terraform and Kubernetes +- High availability using [replicas](/cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/#cloudflared-replicas) +- [Monitor tunnels with Grafana](/cloudflare-one/tutorials/grafana/) ### DNS resolution with Resolver Policies As you can see in Figure 4, both DNS and general network traffic will flow from the employee device to Cloudflare. By default, the device agent forwards all DNS queries to Cloudflare for inspection and filtering based on [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). This is great, because it will allow administrators to configure [DNS policies to block potential security threats](/cloudflare-one/policies/gateway/dns-policies/common-policies/#block-security-threats) and immediately start to protect employees as they go online. This also applies to situations where Internet traffic is from the tunnel to Cloudflare, but the client still resolves hostname requests via Cloudflare DNS services. -For internal domains, however, Cloudflare will need to know how to resolve them. This is where [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) come into play. After the DNS policies are applied to incoming DNS requests, customers can choose to forward requests for internal DNS hostnames to their internal DNS servers. 
For example, the domain `example.local` might be hosted on a DNS server running at 10.10.10.123. A resolver policy will make sure requests for hostnames part of that domain will be sent to that IP. +For internal domains, however, Cloudflare will need to know how to resolve them. This is where [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) come into play. After the DNS policies are applied to incoming DNS requests, customers can choose to forward requests for internal DNS hostnames to their internal DNS servers. For example, the domain `example.local` might be hosted on a DNS server running at 10.10.10.123. A resolver policy will make sure requests for hostnames part of that domain will be sent to that IP. A tunnel exposing a route to the internal DNS server is needed. `cloudflared` should be deployed on a host that can route DNS traffic to the 10.10.10.123 IP address. Requests for internal domains via the DNS gateway will then be redirected to this DNS server, via the tunnel. 
@@ -158,9 +160,9 @@ A tunnel exposing a route to the internal DNS server is needed. `cloudflared` sh As steps are taken in this first phase and the first users will start accessing applications, the need for proper monitoring and logging will become apparent. Having visibility into the traffic flowing through Cloudflare will help with: -* Operational activities such as troubleshooting by your support staff. -* Monitoring for potential threats by a SOC, possibly using a security information and event management ([SIEM](https://www.cloudflare.com/learning/security/what-is-siem/)) service. -* Visibility into application traffic to see where potential security and performance improvements can be made (see also phase 2). +- Operational activities such as troubleshooting by your support staff. +- Monitoring for potential threats by a SOC, possibly using a security information and event management ([SIEM](https://www.cloudflare.com/learning/security/what-is-siem/)) service. +- Visibility into application traffic to see where potential security and performance improvements can be made (see also phase 2). Cloudflare provides visibility at different levels, available through the dashboard or exported using [Logpush](/logs/get-started/). For traffic flowing over Magic WAN IPsec tunnels, [Network Analytics](/analytics/network-analytics/) can be found in the dashboard and through the [GraphQL API](/analytics/graphql-api/). This will show sampled statistics of the traffic and can be used for trend and traffic flow analysis. 
@@ -174,13 +176,13 @@ In most environments the IPsec termination points are limited in their throughpu Fortunately, most of these applications can be migrated one-by-one to the more scalable software connector based tunnels. Any application which doesn't rely on server-initiated traffic is eligible for this type of migration. With the experience gained during the initial deployment of `cloudflared` in phase 1: -1. Deploy two or more `cloudflared` instances in the relevant environment, the USA datacenter in the example below. -2. Add [Private Networks to the tunnel](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) to define routing and access that is scoped more specifically to the network and applications it handles traffic for. For example, expose the 10.20.56.0/24 subnet via the software connector tunnel, instead of the larger 10.20.0.0/16 exposed by the Magic WAN managed IPsec tunnel. +1. Deploy two or more `cloudflared` instances in the relevant environment, the USA datacenter in the example below. +2. Add [Private Networks to the tunnel](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) to define routing and access that is scoped more specifically to the network and applications it handles traffic for. For example, expose the 10.20.56.0/24 subnet via the software connector tunnel, instead of the larger 10.20.0.0/16 exposed by the Magic WAN managed IPsec tunnel. 3. Traffic from employees will now be routed via the software connector tunnel for the /24 subnet instead of the /16 route going over the IPsec tunnel, thereby offloading the reliance on the IPsec termination device. 
![An evolved architecture diagram showing software connector based tunnels offloading (or replacing) the IPsec tunnels.](~/assets/images/reference-architecture/design-guide-network-vpn-migr/phase-2.svg "Figure 5: An evolved phase 2 architecture diagram showing software connector based tunnels offloading (or replacing) the IPsec tunnels.") -In some cases (such as the Asia datacenter above) this might mean that the IPsec tunnels are not needed anymore and software connectors are the sole connection into the infrastructure. In that case, the whole 10.30.0.0/16 subnet can be managed by `cloudflared` and the IPsec tunnel (and its related hardware) decommissioned. It is likely that this phase will be an ongoing effort: as more applications are mapped and traffic flows deemed eligible for software connector based tunnels, they will be migrated as needed. +In some cases (such as the Asia datacenter above) this might mean that the IPsec tunnels are not needed anymore and software connectors are the sole connection into the infrastructure. In that case, the whole 10.30.0.0/16 subnet can be managed by `cloudflared` and the IPsec tunnel (and its related hardware) decommissioned. It is likely that this phase will be an ongoing effort: as more applications are mapped and traffic flows deemed eligible for software connector based tunnels, they will be migrated as needed. ## Phase 3: Application-based policies @@ -214,5 +216,5 @@ The flexibility of the Cloudflare connectivity cloud to connect any device, appl ### Further reading -* Magic WAN integration: [WARP on-ramp to Magic WAN](/magic-wan/zero-trust/warp/) -* Policy configuration: [Gateway Network policies](/cloudflare-one/policies/gateway/network-policies/) +- Magic WAN integration: [WARP on-ramp to Magic WAN](/magic-wan/zero-trust/warp/) +- Policy configuration: [Gateway Network policies](/cloudflare-one/policies/gateway/network-policies/) 
diff --git a/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx b/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx index 46023dcec11ea1..071aa6260a688d 100644 --- a/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx +++ b/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx @@ -1,11 +1,11 @@ --- -title: Secure application delivery +title: Securely deliver applications with Cloudflare pcx_content_type: design-guide -weight: null -head: - - tag: title - content: "Design guide: Securely deliver applications with Cloudflare" - +products: + - Network Interconnect +sidebar: + label: Secure application delivery +updated: 2023-12-18 --- ## Overview and the Cloudflare advantage 
@@ -218,12 +218,12 @@ Cloudflare WAF allows for granular policies that can leverage many different req Customers can use WAF to implement and use custom rules, rate limiting rules, and managed rules. A brief description of each is provided below. -* WAF Custom Rules: provides ability to create custom rules based on different request attributes and header information to block any threat -* WAF Rate Limiting Rules: prevents abuse, DDoS, brute force attempts, and provides for API-centric controls. -* WAF Managed Rules - * Cloudflare Managed Ruleset: provides advanced zero-day vulnerability protection - * Cloudflare OWASP Core Ruleset: block common web application vulnerabilities, some of which are in OWASP top 10 - * Cloudflare Leaked Credential Check: checks exposed credential database for popular content management system (CMS) applications +- WAF Custom Rules: provides ability to create custom rules based on different request attributes and header information to block any threat +- WAF Rate Limiting Rules: prevents abuse, DDoS, brute force attempts, and provides for API-centric controls. +- WAF Managed Rules + - Cloudflare Managed Ruleset: provides advanced zero-day vulnerability protection + - Cloudflare OWASP Core Ruleset: block common web application vulnerabilities, some of which are in OWASP top 10 + - Cloudflare Leaked Credential Check: checks exposed credential database for popular content management system (CMS) applications The same methodology applies for all other Cloudflare Application Performance and Security products (API Gateway, Bot Management, etc.): once configured to route traffic through the Cloudflare network, customers can start leveraging the Cloudflare services. Figure 31 displays Cloudflare’s Bot Analytics which categorizes the traffic based on bot score, shows the bot score distribution, and other bot analytics. All of the request data is captured inline and all enforcement based on defined policies is also done inline. 
diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx index d6ee3234e3af9f..fd582476c1db73 100644 --- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx +++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx @@ -1,11 +1,20 @@ --- title: Building zero trust architecture into your startup pcx_content_type: design-guide -weight: null -head: - - tag: title - content: zero trust architecture for startups - +products: + - Access + - Gateway + - CASB + - Email Security + - Digital Experience Monitoring + - Browser Isolation + - Data Loss Prevention + - Magic WAN + - Magic Firewall + - Magic Transit +sidebar: + label: Zero trust architecture for startups +updated: 2024-04-25 --- ## Introduction 
@@ -26,29 +35,29 @@ Cloudflare has lots of existing content related to migration and implementation In this document we’ll explore: -* Getting started with practical Zero Trust remote access (ZTNA) capabilities -* Establishing sources of truth for identity, device posture, and learning how to use them -* Network building, both traditional and mesh -* Building Zero Trust into internal tooling -* Reviewing threats on the Internet -* TLS decryption and its relevance for your goals -* Exploring Zero Trust for your SaaS tools -* Navigating contractor and customer access -* Building with Infrastructure as Code +- Getting started with practical Zero Trust remote access (ZTNA) capabilities +- Establishing sources of truth for identity, device posture, and learning how to use them +- Network building, both traditional and mesh +- Building Zero Trust into internal tooling +- Reviewing threats on the Internet +- TLS decryption and its relevance for your goals +- Exploring Zero Trust for your SaaS tools +- Navigating contractor and customer access +- Building with Infrastructure as Code A few things explicitly not covered in this document: -* Introduction to basic Zero Trust terminology and concepts -* Recommendations for or against specific third-party vendor usage (while other vendors are mentioned in this document, it’s purely illustrative and should not be taken as a formal recommendation from Cloudflare) -* Details on why you should explore adopting a Zero Trust security methodology (we have lots of good resources detailing that in the links below) -* Microsegmentation and autonomous Zero Trust concepts (these may be covered in future updates) -* Passwordless authentication (this is a cool and emerging space, and we’ll provide some recommendations here in the future) +- Introduction to basic Zero Trust terminology and concepts +- Recommendations for or against specific third-party vendor usage (while other vendors are mentioned in this document, it’s purely illustrative 
and should not be taken as a formal recommendation from Cloudflare) +- Details on why you should explore adopting a Zero Trust security methodology (we have lots of good resources detailing that in the links below) +- Microsegmentation and autonomous Zero Trust concepts (these may be covered in future updates) +- Passwordless authentication (this is a cool and emerging space, and we’ll provide some recommendations here in the future) To build a stronger baseline understanding of Cloudflare, we recommend the following resources: -* What is Cloudflare? | [Website](https://www.cloudflare.com/what-is-cloudflare/) (five-minute read) or [video](https://www.youtube.com/watch?v=XHvmX3FhTwU) (two minutes) -* Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14-minute read) -* Reference architecture: [Evolving to a SASE architecture with Cloudflare](/reference-architecture/architectures/sase/) (three-hour read) +- What is Cloudflare? | [Website](https://www.cloudflare.com/what-is-cloudflare/) (five-minute read) or [video](https://www.youtube.com/watch?v=XHvmX3FhTwU) (two minutes) +- Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14-minute read) +- Reference architecture: [Evolving to a SASE architecture with Cloudflare](/reference-architecture/architectures/sase/) (three-hour read) ## Getting started — Foundational decisions 
@@ -56,19 +65,19 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo Before thinking about your remote access or security goals, it’s important to take stock of your current assets. Think about the answers to the following questions: -* What already exists and is in need of a sustainable model for security? -* If you have begun building infrastructure in a public cloud provider, how many distinct virtual private clouds (VPCs) have you already established, and how do they communicate with each other? More importantly, how and why do your users access those environments? -* Is it all through the console and browser-based management or terminal tools? -* Have you set up public IP access for some services over HTTPS or SSH? -* Are there resources that may allow access from the Internet that are intended to be entirely private? -* Have you established a traditional VPN to allow remote access to the environment, and how is it gated? +- What already exists and is in need of a sustainable model for security? +- If you have begun building infrastructure in a public cloud provider, how many distinct virtual private clouds (VPCs) have you already established, and how do they communicate with each other? More importantly, how and why do your users access those environments? +- Is it all through the console and browser-based management or terminal tools? +- Have you set up public IP access for some services over HTTPS or SSH? +- Are there resources that may allow access from the Internet that are intended to be entirely private? +- Have you established a traditional VPN to allow remote access to the environment, and how is it gated? Next, build a map of your physical and virtual private infrastructure (essentially, anything that contains company data). For many startups, this may just be implemented via a single cloud provider. 
Note all the resources in that environment that are accessed, either by human users, other infrastructure, or public or private APIs — then document the purpose of each service that sees regular traffic. As you do so, try to answer the following questions: -* Is this an internal web-based tool built to monitor your build pipeline? -* Is it a self-hosted analytics tool like Grafana, or a supporting metrics server like Prometheus? -* How are users reaching that service — via a public IP, a private IP, or a local path? -* Are users able to reach the service from other cloud environments or VPCs? If so, how are they connected? +- Is this an internal web-based tool built to monitor your build pipeline? +- Is it a self-hosted analytics tool like Grafana, or a supporting metrics server like Prometheus? +- How are users reaching that service — via a public IP, a private IP, or a local path? +- Are users able to reach the service from other cloud environments or VPCs? If so, how are they connected? Once you’ve developed a comprehensive list of your existing resources, this will serve as an asset inventory for your development of a Zero Trust architecture. If you don’t know what you need to protect, it’ll be difficult to protect it, no matter how many security tools you have. @@ -78,10 +87,8 @@ A valuable third step may be to begin stack-ranking these services by risk level :::note - If you’ve already grown to the point that documenting your asset inventory is very difficult or time-consuming for your business, you can use tools like our [Private Network Discovery](/cloudflare-one/insights/analytics/access/#private-network-origins) capability to build a sense of what your users access in your network space. - ::: ### Common goals and outcomes 
@@ -90,18 +97,18 @@ Many startups that use Cloudflare are encouraged to adopt a Zero Trust security Some common goals we hear from customers: -* Make internal tooling easy for our users to access securely -* Build security into the development pipeline -* Adopt increased security without sacrificing user and work experience -* Define and execute a bring your own device (BYOD) strategy -* Simplify management of networks and application access -* Protect data in SaaS applications and on the corporate network -* Ensure auditability (“a quick view of what’s happening, who’s doing it, and if it’s okay”) -* Demonstrate security best practices to our customers and end-users +- Make internal tooling easy for our users to access securely +- Build security into the development pipeline +- Adopt increased security without sacrificing user and work experience +- Define and execute a bring your own device (BYOD) strategy +- Simplify management of networks and application access +- Protect data in SaaS applications and on the corporate network +- Ensure auditability (“a quick view of what’s happening, who’s doing it, and if it’s okay”) +- Demonstrate security best practices to our customers and end-users It’s also possible that your goals may be simpler or more tactical than this; for instance, adopt a modern remote access tool, securely connect my internal networks, or only allow corporate devices to connect to my Gitlab Enterprise tenant. Whatever your goal, the most important element in goal-setting will be to establish what you need now and balance it against what you may need or expect to need in the near or mid-term future. If you intend to grow significantly, expect to sign customers with demanding security reviews, or be prepared to apply for a new compliance certification, such as SOC II or PCI. 
In order to accomplish this, it is crucial to start with a Zero Trust vendor, which can help layer on additional security tooling and capabilities without exponentially increasing complexity or cost. -Goal-setting is also an important exercise for prioritization. If you know that your primary goal is to *identify and put identity-aware security in front of all our internal services*, but that in the next six months you intend to *restrict BYOD usage to level 3 applications*, your first goal will need to strategically support the execution of the second. Understanding the stack-rank of priorities over the next few months (knowing things change quickly in your startup!) can save you the time spent in re-architecture discussions, or unraveling technical or commercial decisions with vendors that fit your needs in the short term, but not the mid-term. +Goal-setting is also an important exercise for prioritization. If you know that your primary goal is to _identify and put identity-aware security in front of all our internal services_, but that in the next six months you intend to _restrict BYOD usage to level 3 applications_, your first goal will need to strategically support the execution of the second. Understanding the stack-rank of priorities over the next few months (knowing things change quickly in your startup!) can save you the time spent in re-architecture discussions, or unraveling technical or commercial decisions with vendors that fit your needs in the short term, but not the mid-term. ### Identity 
@@ -125,7 +132,7 @@ Finally, you will not always own the identities that are used to access your sys Later in this document, we’ll describe using Cloudflare Zero Trust to protect your internal applications, and how to use Cloudflare as your SSO in front of your SaaS applications to deliver a simple, unified security posture everywhere. -Cloudflare *matters* in this case because once you’ve determined a source of truth for your identity provider, you need tooling to perform continuous authentication against your user population. This tooling is difficult to build and maintain, as evidenced by a number of well-known technology companies who retired their internally-built Zero Trust proxy and switched to Cloudflare in 2023, citing management complexity and an inability to add new security functionality. +Cloudflare _matters_ in this case because once you’ve determined a source of truth for your identity provider, you need tooling to perform continuous authentication against your user population. This tooling is difficult to build and maintain, as evidenced by a number of well-known technology companies who retired their internally-built Zero Trust proxy and switched to Cloudflare in 2023, citing management complexity and an inability to add new security functionality. Cloudflare can simplify your architecture by becoming the singular enforcement point for your identity against your private applications, your networks, your developer services, and your SaaS applications. Cloudflare is one of the only vendors to be able to provide Zero Trust authentication concepts as a web proxy (layer 7 services), as a VPN replacement (layer 3/4 services), and as a secure web gateway. 
@@ -133,9 +140,9 @@ Cloudflare can simplify your architecture by becoming the singular enforcement p ### Device posture -As your business grows and you begin to operationalize the distribution of endpoints to your user population, device posture is a key component of a strong Zero Trust strategy. Once you’ve validated your users’ identity posture, there are other actions you can take to further reduce the risk of a data breach. Consider this: even if your user is valid and has an active identity session, their device could theoretically be infected, and attackers could benefit from (or *hijack*) their valid identity session. +As your business grows and you begin to operationalize the distribution of endpoints to your user population, device posture is a key component of a strong Zero Trust strategy. Once you’ve validated your users’ identity posture, there are other actions you can take to further reduce the risk of a data breach. Consider this: even if your user is valid and has an active identity session, their device could theoretically be infected, and attackers could benefit from (or _hijack_) their valid identity session. -Companies use device posture to prove that a connection is coming from a trusted device. Let’s look at the theory behind device posture before listing some common strategies and approaches to getting started. In this example, you have sensitive data located somewhere in AWS. This data is critical to the operation of your business. It is (rightly) protected behind identity-aware authentication, so you feel confident that it can only be accessed by users with the proper identity posture. Your users are all remote, and connect to AWS from Macbooks that are pre-configured with your endpoint detection and response (EDR) software of choice. Users on their Macbooks, configured with enterprise EDR software, have a lower risk of potential breaches than when they use their personal laptops to access company data. 
But how do you prove that your users with valid identity posture *only* access your sensitive data from the devices that contain a lower risk of breach? +Companies use device posture to prove that a connection is coming from a trusted device. Let’s look at the theory behind device posture before listing some common strategies and approaches to getting started. In this example, you have sensitive data located somewhere in AWS. This data is critical to the operation of your business. It is (rightly) protected behind identity-aware authentication, so you feel confident that it can only be accessed by users with the proper identity posture. Your users are all remote, and connect to AWS from Macbooks that are pre-configured with your endpoint detection and response (EDR) software of choice. Users on their Macbooks, configured with enterprise EDR software, have a lower risk of potential breaches than when they use their personal laptops to access company data. But how do you prove that your users with valid identity posture _only_ access your sensitive data from the devices that contain a lower risk of breach? As your security organization grows and you begin to implement data loss prevention (DLP) strategies and tools, this becomes doubly important. If your users can theoretically access sensitive data without applying a burden of proof to the device used for access, users may be able to (intentionally or inadvertently) circumvent your security tooling and create the risk of exfiltration, or at a minimum, blind spots for your visibility and auditability. 
@@ -153,13 +160,13 @@ In the ‘old world’ model (also known as a castle and moat security architect In this more traditional networking model, your infrastructure will probably be structured in several of the following ways: -* It will exist in one or multiple VPCs (which may or not be connected by cloud provider transit gateways) -* The addressing of your services will probably be managed by your cloud provider -* You will use internal DNS from a cloud provider like AWS’ Route53 DNS (most businesses still rely on internal DNS to some extent, no matter how cloud-native they may be) -* There may always be a reason to maintain some concept of a privately networked space, as long as you maintain your own infrastructure -* It’s possible that all users won’t have a need to understand or navigate using your internal DNS infrastructure (but technical users and services likely will) +- It will exist in one or multiple VPCs (which may or not be connected by cloud provider transit gateways) +- The addressing of your services will probably be managed by your cloud provider +- You will use internal DNS from a cloud provider like AWS’ Route53 DNS (most businesses still rely on internal DNS to some extent, no matter how cloud-native they may be) +- There may always be a reason to maintain some concept of a privately networked space, as long as you maintain your own infrastructure +- It’s possible that all users won’t have a need to understand or navigate using your internal DNS infrastructure (but technical users and services likely will) -*As you begin establishing patterns in the infrastructure that you build, it’s likely that you’ll collate around a single, primary cloud provider. The main concepts relevant for this document will focus on users connecting to your network to access internal resources and services, and the way that your internal services communicate with the Internet broadly. 
Management of cloud infrastructure permissions and policies, as well as recognition of the ways in which your internal services can communicate with one another is equally relevant to a comprehensive Zero Trust strategy, but will be discussed in depth in future updates to this document.* +_As you begin establishing patterns in the infrastructure that you build, it’s likely that you’ll collate around a single, primary cloud provider. The main concepts relevant for this document will focus on users connecting to your network to access internal resources and services, and the way that your internal services communicate with the Internet broadly. Management of cloud infrastructure permissions and policies, as well as recognition of the ways in which your internal services can communicate with one another is equally relevant to a comprehensive Zero Trust strategy, but will be discussed in depth in future updates to this document._ ### Connecting users to networks 
@@ -194,7 +201,7 @@ The traditional methods of network connectivity still have significant value bot In addition to creating WAN connectivity, the end goal of bridging multiple sites is management simplicity. Having a unified network means that it is easier to support network functions like edge routing, gateways, and addressing via DHCP. However, this can also result in overly-broad policy management, and it can be difficult to manage the security implications of increasingly growing networks with increasingly complex edge cases and unique scenarios. -For modern startups, the problems may not be the exact ones described above, but you will likely still have to solve for growing network complexity. The best way to navigate this is to *plan effectively*. If you begin building your corporate network with security and scalability in mind, you will be able to easily solve increasing complexity as your security and IT organizations grow. +For modern startups, the problems may not be the exact ones described above, but you will likely still have to solve for growing network complexity. The best way to navigate this is to _plan effectively_. If you begin building your corporate network with security and scalability in mind, you will be able to easily solve increasing complexity as your security and IT organizations grow. ### Mesh connectivity @@ -206,10 +213,8 @@ If you only operate with ‘micro-tunnels’ (e.g. discrete X can only reach dis :::note[Editor's note] - In some analyst circles, the mesh connectivity space is beginning to be referred to as ‘Secure Networking’, and while we appreciate the opportunity for differentiation, Cloudflare believes that there are methods for making both traditional and mesh networking effectively secure. - ::: ### Where does Cloudflare fit in? 
@@ -240,9 +245,9 @@ In an ideal world, we believe that authentication and authorization should be ha These tokens are based on the information Cloudflare receives from your identity provider after a successful authentication event, which matches against custom policies for that application. Each token contains all of the content that would be signed in a user’s authentication event with their IdP: their name, username, email, group membership, and whatever other values are present. It also gets a unique tag to indicate its relevance to a specific application. -Once the *Cloudflare* token has been created, it is passed to your internal applications to validate their requests and authorize access to your internal tooling. This takes minimal additional work per-application, and can be built into application creation workflows where you would otherwise need a complete OAUTH integration or SSO integration. +Once the _Cloudflare_ token has been created, it is passed to your internal applications to validate their requests and authorize access to your internal tooling. This takes minimal additional work per-application, and can be built into application creation workflows where you would otherwise need a complete OAUTH integration or SSO integration. -By using Cloudflare tokens, your users will have a seamless experience both *authenticating* through your established Zero Trust proxy and getting *authorized* directly into your application with the same information. +By using Cloudflare tokens, your users will have a seamless experience both _authenticating_ through your established Zero Trust proxy and getting _authorized_ directly into your application with the same information. ![How Cloudflare consumes tokens to validate requests and authorize access to internal tools](~/assets/images/reference-architecture/zt-for-startups/zero-trust-design-guide-building-zero-trust-into-internal-tooling-consuming-tokens.svg) 
@@ -276,15 +281,15 @@ It’s also possible that you may provide hosted or managed services to your cus Whenever you determine a need for third-party user access to your environment, you should first determine three attributes: -* What they need to access -* What level of authentication is required for that access -* How long this access will be relevant +- What they need to access +- What level of authentication is required for that access +- How long this access will be relevant ### Web access for third parties After determining the scope, you should determine the least-privilege access model appropriate for the user group. This may mean integrating with a secondary identity provider (maybe the customer or vendor’s IdP) to use in authentication events, or using a temporary authentication method like a one-time PIN to authenticate against their email address only. -Some businesses also add vendor and contractor users to *their* identity provider to streamline authentication and to control methods (like the use of MFA and other authentication factors). At a minimum, we recommend working with a Zero Trust security provider who supports multiple, simultaneous methods for authentication, and can apply them via specific policies or applications. +Some businesses also add vendor and contractor users to _their_ identity provider to streamline authentication and to control methods (like the use of MFA and other authentication factors). At a minimum, we recommend working with a Zero Trust security provider who supports multiple, simultaneous methods for authentication, and can apply them via specific policies or applications. This allows you to keep all of your existing methods of secure remote access consistent. Your external user cohort will use the same paths into your network and will be subject to all of your security controls. 
Meanwhile, you will receive detailed logging and audit trails to dictate exactly what users had access to, how frequently they accessed them, and what kind of actions they took within your network. Assigning least-privilege controls can also easily establish an access model while ensuring that users aren’t able to perform any lateral actions or access resources within your network unnecessarily. 
@@ -309,14 +314,14 @@ In a Zero Trust security framework, this kind of access should be explicitly sco Cloudflare can help provide scoped secure access for both web and network connectivity to your third-party users in a Zero Trust framework. -* **Cloudflare Access can integrate and use [multiple identity providers simultaneously](/cloudflare-one/identity/idp-integration/).** This can be scoped to a single application and a singular policy, and can have granular capabilities to ‘force’ some user access to authenticate in specific ways. There are also many third-party specific workflows — like [purpose justification](/cloudflare-one/policies/access/require-purpose-justification/) — that can ensure that user access is both easy for third parties, and documented and controllable for administrators. -* **Cloudflare Zero Trust can be deployed with flexible endpoint agent parameters and [logical groupings](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) for contractor and third-party users.** If you have external users with internal access needs, they can be both tightly-scoped and limit potential conflict with other external systems. -* **[Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) can act as a unidirectional access model to provide corporate users access to scoped customer resources.** It is lightweight, easy to deploy, and can even be built into your deployment packages and deployed alongside the services you manage in customer environments. -* **Cloudflare WARP Connector can help you build secure, extensible networks relevant for each of your client controls.** This is particularly helpful when bidirectional (site-to-site) traffic flows are a necessity for the way that you engage with your customers, interact with their applications, or address other management concerns. 
WARP Connector has all of the same inline security policy application and auditability controls as the rest of your deployment, so you can maintain a Zero Trust security posture while achieving customer connectivity. +- **Cloudflare Access can integrate and use [multiple identity providers simultaneously](/cloudflare-one/identity/idp-integration/).** This can be scoped to a single application and a singular policy, and can have granular capabilities to ‘force’ some user access to authenticate in specific ways. There are also many third-party specific workflows — like [purpose justification](/cloudflare-one/policies/access/require-purpose-justification/) — that can ensure that user access is both easy for third parties, and documented and controllable for administrators. +- **Cloudflare Zero Trust can be deployed with flexible endpoint agent parameters and [logical groupings](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) for contractor and third-party users.** If you have external users with internal access needs, they can be both tightly-scoped and limit potential conflict with other external systems. +- **[Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) can act as a unidirectional access model to provide corporate users access to scoped customer resources.** It is lightweight, easy to deploy, and can even be built into your deployment packages and deployed alongside the services you manage in customer environments. +- **Cloudflare WARP Connector can help you build secure, extensible networks relevant for each of your client controls.** This is particularly helpful when bidirectional (site-to-site) traffic flows are a necessity for the way that you engage with your customers, interact with their applications, or address other management concerns. 
WARP Connector has all of the same inline security policy application and auditability controls as the rest of your deployment, so you can maintain a Zero Trust security posture while achieving customer connectivity. ![How Cloudflare provides remote access for contractors, vendors, and customers](~/assets/images/reference-architecture/zt-for-startups/zero-trust-design-guide-remote-access-for-contractors-vendors-and-customers.svg) -## Protecting against Internet threats (or, *is secure web gateway a part of Zero Trust?*) +## Protecting against Internet threats (or, _is secure web gateway a part of Zero Trust?_) Traditionally, the concept of Zero Trust access has been explicitly relegated to user or machine access to internal or privileged resources. On a functional level, this requires replacing network extension, reducing over-permissioning, and minimizing lateral movement and threat vectors typically delivered from VPN remote access connectivity. But for many businesses, their VPN didn’t only proxy their private network traffic. It also managed their Internet traffic and allowed them to maintain a unified view of threats — typically, either through a module to send DNS queries to a cloud provider, or by simply backhauling all user traffic to the corporate network to be sent through the corporate firewalls. 
@@ -344,9 +349,9 @@ Within this discussion, we are thinking about Internet security (e.g. secure web In addition to providing Zero Trust security capabilities for internal applications, network remote access, and SaaS applications, Cloudflare also provides the following functionality: -* DNS filtering -* An L4 firewall -* A secure web gateway (SWG) — complete with application-awareness, TLS decryption, data loss prevention, CASB functionality, browser isolation, and the ability to adopt a dedicated egress IP structure directly from the Cloudflare network +- DNS filtering +- An L4 firewall +- A secure web gateway (SWG) — complete with application-awareness, TLS decryption, data loss prevention, CASB functionality, browser isolation, and the ability to adopt a dedicated egress IP structure directly from the Cloudflare network All of our SWG functionality is controlled via policy that factors in user identity, device posture, and user risk, and is delivered from the same endpoint agent as your Zero Trust controls — using the same policy engines and policy enforcement opportunities. diff --git a/src/content/docs/reference-architecture/diagrams/ai/ai-asset-creation.mdx b/src/content/docs/reference-architecture/diagrams/ai/ai-asset-creation.mdx index 69f774d10c8a0d..1223203503a6fc 100644 --- a/src/content/docs/reference-architecture/diagrams/ai/ai-asset-creation.mdx +++ b/src/content/docs/reference-architecture/diagrams/ai/ai-asset-creation.mdx @@ -1,5 +1,5 @@ --- -title: Content-based asset creation +title: "Content-based asset creation" pcx_content_type: reference-architecture-diagram products: - Workers AI 
@@ -7,25 +7,25 @@ tags: - AI sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Content-based asset creation" - + label: Content-based asset creation +updated: 2024-03-18 --- +#### Reference Architecture Diagram + ## Introduction Combining text-generation models with text-to-image models can lead to powerful AI systems capable of generating visual content based on input prompts. This integration can be achieved through a collaborative framework where a text-generation model generates prompts for the text-to-image model based on input text. Here's how the process can work: -* Input Text Processing: The input text is provided to the system, which can be anything from a simple sentence to multiple paragraphs. This text serves as the basis for generating visual content. +- Input Text Processing: The input text is provided to the system, which can be anything from a simple sentence to multiple paragraphs. This text serves as the basis for generating visual content. -* Prompt Generation: The text-generation model generates prompts based on the input text. These prompts are specifically crafted to guide the text-to-image model in generating images that are contextually relevant to the input text. The prompts can include descriptions, keywords, or other cues to guide the image generation process. +- Prompt Generation: The text-generation model generates prompts based on the input text. These prompts are specifically crafted to guide the text-to-image model in generating images that are contextually relevant to the input text. The prompts can include descriptions, keywords, or other cues to guide the image generation process. 
-* Content Moderation: Text-classification models can be employed to ensure that the generated assets comply with content policies +- Content Moderation: Text-classification models can be employed to ensure that the generated assets comply with content policies -* Text-to-Image Model: A text-to-image model takes the prompts generated by the text-generation model as input and produces corresponding images. The text-to-image model learns to translate textual descriptions into visual representations, aiming to capture the essence and context conveyed by the input text. +- Text-to-Image Model: A text-to-image model takes the prompts generated by the text-generation model as input and produces corresponding images. The text-to-image model learns to translate textual descriptions into visual representations, aiming to capture the essence and context conveyed by the input text. Example uses of such compositions of AI models can be employed to generation visual assets for marketing, publishing, presentations, and more. @@ -40,7 +40,7 @@ Example uses of such compositions of AI models can be employed to generation vis ## Related resources -* [Community project: content-based asset creation demo](https://auto-asset.pages.dev/) -* [Workers AI: Text generation models](/workers-ai/models/#text-generation) -* [Workers AI: Text-to-image models](/workers-ai/models/#text-to-image) -* [Workers AI: llamaguard-7b-awq](/workers-ai/models/llamaguard-7b-awq/) +- [Community project: content-based asset creation demo](https://auto-asset.pages.dev/) +- [Workers AI: Text generation models](/workers-ai/models/#text-generation) +- [Workers AI: Text-to-image models](/workers-ai/models/#text-to-image) +- [Workers AI: llamaguard-7b-awq](/workers-ai/models/llamaguard-7b-awq/) diff --git a/src/content/docs/reference-architecture/diagrams/ai/ai-composable.mdx b/src/content/docs/reference-architecture/diagrams/ai/ai-composable.mdx index 6c81fc0493f07d..2246dae4515164 100644 
--- a/src/content/docs/reference-architecture/diagrams/ai/ai-composable.mdx +++ b/src/content/docs/reference-architecture/diagrams/ai/ai-composable.mdx @@ -11,13 +11,11 @@ tags: - AI sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Composable AI architecture" + label: Composable AI architecture description: The architecture diagram illustrates how AI applications can be built end-to-end on Cloudflare, or single services can be integrated with external infrastructure and services. - +updated: 2024-04-29 --- ## Introduction 
@@ -26,9 +24,9 @@ The AI market is witnessing a rapid evolution, propelled by the swift pace of te In this dynamic environment, the concept of composability, data portability, and standard APIs emerges as crucial factors in navigating the complexities of the AI ecosystem: -* Composability refers to the ability to assemble various AI components into tailored solutions, enabling organizations to mix and match different technologies to suit their specific needs. -* Data portability plays a pivotal role in facilitating seamless data exchange between different AI systems and platforms, ensuring interoperability and preventing data silos. -* Standard APIs for interoperability serve as the linchpin for integrating diverse AI components, enabling seamless communication and collaboration between disparate systems. +- Composability refers to the ability to assemble various AI components into tailored solutions, enabling organizations to mix and match different technologies to suit their specific needs. +- Data portability plays a pivotal role in facilitating seamless data exchange between different AI systems and platforms, ensuring interoperability and preventing data silos. +- Standard APIs for interoperability serve as the linchpin for integrating diverse AI components, enabling seamless communication and collaboration between disparate systems. The significance of composability, data portability, and standard APIs becomes particularly pronounced in mitigating vendor lock-in and fostering flexibility. By embracing these principles, organizations can sidestep dependency on single vendors and instead opt for a best-in-class approach, selecting the most suitable solutions for their unique requirements. Overall, these principles pave the way for a more agile, adaptable, and future-proof AI ecosystem. 
@@ -45,8 +43,8 @@ Cloudflare's AI platform has been designed with these principles in mind. The ar ## Related resources -* [Workers: Serverless compute](/workers/) -* [Workers AI: Serverless AI inference](/workers-ai/) -* [Vectorize: Serverless Vector database](/vectorize/) -* [D1: Serverless SQLite database](/d1/) -* [R2: Object storage](/r2/) +- [Workers: Serverless compute](/workers/) +- [Workers AI: Serverless AI inference](/workers-ai/) +- [Vectorize: Serverless Vector database](/vectorize/) +- [D1: Serverless SQLite database](/d1/) +- [R2: Object storage](/r2/) diff --git a/src/content/docs/reference-architecture/diagrams/ai/ai-multivendor-observability-control.mdx b/src/content/docs/reference-architecture/diagrams/ai/ai-multivendor-observability-control.mdx index bffe0b057549c8..39759a59cbe955 100644 --- a/src/content/docs/reference-architecture/diagrams/ai/ai-multivendor-observability-control.mdx +++ b/src/content/docs/reference-architecture/diagrams/ai/ai-multivendor-observability-control.mdx @@ -8,13 +8,11 @@ tags: - AI sidebar: order: 1 -head: - - tag: title - content: Multi-vendor AI observability and control + label: Multi-vendor AI observability and control description: By shifting features such as rate limiting, caching, and error handling to the proxy layer, organizations can apply unified configurations across services and inference service providers. - +updated: 2024-04-30 --- ## Introduction 
@@ -25,11 +23,11 @@ Inference-as-a-Service is a cloud-based model that allows users to deploy and ex As this field evolves rapidly, developers and organizations face several challenges: -* Fragmentation: Many inference service providers offer only a limited range of models and features. Different use cases may require multiple vendors, leading to fragmentation. -* Availability: With increasing demand and fast-paced technological advancements, inference service providers struggle to maintain high API availability. -* Lack of observability: Providers often offer limited analytics and logging capabilities, which vary across vendors. Gaining a unified view of AI usage proves challenging. -* Lack of security control: Organizations encounter difficulties in maintaining adequate security measures. -* Lack of cost control: Understanding usage insights can be challenging, and the absence of custom rate limits poses risks in public-facing AI use cases. +- Fragmentation: Many inference service providers offer only a limited range of models and features. Different use cases may require multiple vendors, leading to fragmentation. +- Availability: With increasing demand and fast-paced technological advancements, inference service providers struggle to maintain high API availability. +- Lack of observability: Providers often offer limited analytics and logging capabilities, which vary across vendors. Gaining a unified view of AI usage proves challenging. +- Lack of security control: Organizations encounter difficulties in maintaining adequate security measures. +- Lack of cost control: Understanding usage insights can be challenging, and the absence of custom rate limits poses risks in public-facing AI use cases. Using a forward proxy can mitigate these challenges. Positioned between the service making inference requests and the inference service platform, it serves as a single point for observability and control. 
By shifting features such as rate limiting, caching, and error handling to the proxy layer, organizations can apply unified configurations across services and inference service providers. @@ -45,5 +43,5 @@ The following architecture illustrates the setup of [AI Gateway](/ai-gateway/) a ## Related resources -* [AI Gateway: Get started](/ai-gateway/get-started/) -* [AI Gateway: Supported Providers](/ai-gateway/providers/) +- [AI Gateway: Get started](/ai-gateway/get-started/) +- [AI Gateway: Supported Providers](/ai-gateway/providers/) diff --git a/src/content/docs/reference-architecture/diagrams/ai/ai-rag.mdx b/src/content/docs/reference-architecture/diagrams/ai/ai-rag.mdx index b4188f0fe3c206..9e1a3f66be5c48 100644 --- a/src/content/docs/reference-architecture/diagrams/ai/ai-rag.mdx +++ b/src/content/docs/reference-architecture/diagrams/ai/ai-rag.mdx @@ -1,5 +1,5 @@ --- -title: Retrieval Augmented Generation (RAG) +title: "Retrieval Augmented Generation (RAG)" pcx_content_type: reference-architecture-diagram tags: - AI @@ -11,10 +11,8 @@ products: - D1 sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Retrieval Augmented Generation (RAG)" - + label: Retrieval Augmented Generation (RAG) +updated: 2024-03-18 --- ## Introduction @@ -51,6 +49,6 @@ In the context of Retrieval-Augmented Generation (RAG), knowledge seeding involv ## Related resources -* [Tutorial: Build a RAG AI](/workers-ai/tutorials/build-a-retrieval-augmented-generation-ai/) -* [Workers AI: Text embedding models](/workers-ai/models/#text-embeddings) -* [Workers AI: Text generation models](/workers-ai/models/#text-generation) +- [Tutorial: Build a RAG AI](/workers-ai/tutorials/build-a-retrieval-augmented-generation-ai/) +- [Workers AI: Text embedding models](/workers-ai/models/#text-embeddings) +- [Workers AI: Text generation models](/workers-ai/models/#text-generation) 
diff --git a/src/content/docs/reference-architecture/diagrams/ai/ai-video-caption.mdx b/src/content/docs/reference-architecture/diagrams/ai/ai-video-caption.mdx index ca7bab8d6c2789..2a933509ee6abd 100644 --- a/src/content/docs/reference-architecture/diagrams/ai/ai-video-caption.mdx +++ b/src/content/docs/reference-architecture/diagrams/ai/ai-video-caption.mdx @@ -10,14 +10,12 @@ products: - R2 sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Automatic captioning for video uploads" + label: Automatic captioning for video uploads description: By integrating automatic speech recognition technology into video platforms, content creators, publishers, and distributors can reach a broader audience, including individuals with hearing impairments or those who prefer to consume content in different languages. - +updated: 2024-03-18 --- ## Introduction @@ -39,6 +37,6 @@ The process begins with capturing the audio from the video source, which is then ## Related resources -* [Community project: automatic captioning demo](https://auto-caption.pages.dev/) -* [Workers AI: Automatic speech recognition (ARS) model](/workers-ai/models/#automatic-speech-recognition) -* [R2: Object storage for all your data](/r2/) +- [Community project: automatic captioning demo](https://auto-caption.pages.dev/) +- [Workers AI: Automatic speech recognition (ARS) model](/workers-ai/models/#automatic-speech-recognition) +- [R2: Object storage for all your data](/r2/) diff --git a/src/content/docs/reference-architecture/diagrams/content-delivery/optimizing-image-delivery-with-cloudflare-image-resizing-and-r2.mdx b/src/content/docs/reference-architecture/diagrams/content-delivery/optimizing-image-delivery-with-cloudflare-image-resizing-and-r2.mdx index cfd256ab7248b5..5b5cc51cff1688 100644 --- a/src/content/docs/reference-architecture/diagrams/content-delivery/optimizing-image-delivery-with-cloudflare-image-resizing-and-r2.mdx 
+++ b/src/content/docs/reference-architecture/diagrams/content-delivery/optimizing-image-delivery-with-cloudflare-image-resizing-and-r2.mdx 
@@ -8,21 +8,18 @@ products: - Transform Rules sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Optimizing Image Delivery with - Cloudflare Image Resizing and R2" - + label: Optimizing Image Delivery +updated: 2024-06-12 --- ## Introduction Optimizing image delivery for websites is crucial for enhancing user experience. Since images often represent the largest portion of a website's data, they significantly affect page load times, search engine rankings, delivery costs, and overall performance. This reference architecture diagram will guide you through a straightforward, scalable, and high-performance solution. By simply adjusting the URL string to specify image size and quality, you can cache and deliver the optimized image to any user requesting that format. Below are the Cloudflare components involved in this solution: -* [Cloudflare CDN](https://www.cloudflare.com/en-gb/application-services/products/cdn/) - Leverage [Cloudflare’s Global Network](https://www.cloudflare.com/en-gb/network/) to cache your transformed images for fast and reliable delivery to your end users. -* [Cloudflare Images](https://www.cloudflare.com/en-gb/developer-platform/cloudflare-images/) - Leverage Cloudflare Images to resize, optimize and transform your images that are stored in an object storage solution such as Cloudflare R2. Transformations are performed based on a specifically-formatted URL which requires minimal refactoring to your application to support. -* [Cloudflare R2 Object Storage](https://www.cloudflare.com/en-gb/developer-platform/r2/) - R2 allows users to store a large amount of unstructured data, and in this use case will be used for storing our original images (best quality) for transformation. 
-* [Cloudflare Transform Rules](/rules/transform/) - If you’re migrating from another solution to Cloudflare, Transform Rules allows you to Rewrite the URL from another solutions syntax to a Cloudflare specific syntax, which reduces the complexity of migration. +- [Cloudflare CDN](https://www.cloudflare.com/en-gb/application-services/products/cdn/) - Leverage [Cloudflare’s Global Network](https://www.cloudflare.com/en-gb/network/) to cache your transformed images for fast and reliable delivery to your end users. +- [Cloudflare Images](https://www.cloudflare.com/en-gb/developer-platform/cloudflare-images/) - Leverage Cloudflare Images to resize, optimize and transform your images that are stored in an object storage solution such as Cloudflare R2. Transformations are performed based on a specifically-formatted URL which requires minimal refactoring to your application to support. +- [Cloudflare R2 Object Storage](https://www.cloudflare.com/en-gb/developer-platform/r2/) - R2 allows users to store a large amount of unstructured data, and in this use case will be used for storing our original images (best quality) for transformation. +- [Cloudflare Transform Rules](/rules/transform/) - If you’re migrating from another solution to Cloudflare, Transform Rules allows you to Rewrite the URL from another solutions syntax to a Cloudflare specific syntax, which reduces the complexity of migration. ## Image Delivery with Cloudflare Image Resizing and R2 
@@ -38,10 +35,10 @@ Optimizing image delivery for websites is crucial for enhancing user experience. You can easily convert and resize images by requesting them through a specifically-formatted URL. This section explains the URL structure for image transformation, referring back to the diagram and detailing each URL component: -* **Part 1** - Your specific domain name on Cloudflare, this is the Zone you onboarded to Cloudflare and where your website or images are served from. e.g. [https://www.mywebsite.com/](https://www.mywebsite.com/) -* **Part 2** - A fixed prefix that identifies this is a special path handled by Cloudflare’s built-in Worker. -* **Part 3** - A comma-separated list of options for the image, such as width=80,quality=75 -* **Part 4** - Absolute path on the origin server. For example: /uploads/image.jpg +- **Part 1** - Your specific domain name on Cloudflare, this is the Zone you onboarded to Cloudflare and where your website or images are served from. e.g. [https://www.mywebsite.com/](https://www.mywebsite.com/) +- **Part 2** - A fixed prefix that identifies this is a special path handled by Cloudflare’s built-in Worker. +- **Part 3** - A comma-separated list of options for the image, such as width=80,quality=75 +- **Part 4** - Absolute path on the origin server. For example: /uploads/image.jpg The final URL used in the request would look like this: 
@@ -51,7 +48,7 @@ https://www.mywebsite.com/cdn-cgi/image/width=80,quality=75/uploads/image.jpg ## Related Resources -* [Image Resizing Documentation](/images/transform-images/) -* [Cloudflare R2 Developer Docs](/r2/) -* [Rewrite URL rules](/rules/transform/url-rewrite/) -* [Serverless image content management platform](/reference-architecture/diagrams/serverless/serverless-image-content-management/) +- [Image Resizing Documentation](/images/transform-images/) +- [Cloudflare R2 Developer Docs](/r2/) +- [Rewrite URL rules](/rules/transform/url-rewrite/) +- [Serverless image content management platform](/reference-architecture/diagrams/serverless/serverless-image-content-management/) diff --git a/src/content/docs/reference-architecture/diagrams/network/protect-hybrid-cloud-networks-with-cloudflare-magic-transit.mdx b/src/content/docs/reference-architecture/diagrams/network/protect-hybrid-cloud-networks-with-cloudflare-magic-transit.mdx index e287f2a492e879..9b551a6dcb7088 100644 --- a/src/content/docs/reference-architecture/diagrams/network/protect-hybrid-cloud-networks-with-cloudflare-magic-transit.mdx +++ b/src/content/docs/reference-architecture/diagrams/network/protect-hybrid-cloud-networks-with-cloudflare-magic-transit.mdx @@ -1,12 +1,16 @@ --- title: Protect Hybrid Cloud Networks with Cloudflare Magic Transit pcx_content_type: reference-architecture-diagram +products: + - Magic Firewall + - Network Interconnect + - DDoS Protection + - Magic Transit + - BYOIP sidebar: order: 1 -head: - - tag: title - content: Protect Hybrid Cloud Networks with Cloudflare Magic Transit - + label: Protect Hybrid Cloud Networks +updated: 2024-09-09 --- ## Introduction 
@@ -54,6 +58,7 @@ With Magic Transit service being the single, consolidated cloud-native network p One other added benefit of using such consolidated, cloud-native network protection solutions is that you can easily migrate or relocate Internet-facing networks between the various hybrid cloud environments without ever losing protection to these networks. They can do so by simply changing routes in the Magic Transit configuration to route traffic to the new location. ## Scenario 2 - Customer lease IP address from Cloudflare for both on-premise and cloud network deployments + In the case where you do not own any network prefixes that are equal to or larger than /24, but would still like to use Magic Transit to protect their networks, you can [lease IPs](/magic-transit/cloudflare-ips/) from Cloudflare to assign to these smaller networks. The following diagram illustrates the architecture of such a deployment. Similar to the previous scenario, these customer networks are deployed at on-premise locations as well as across multiple cloud providers’ regions. For illustration purposes, below is an example list of the locations of Internet-facing networks and their respective IP prefixes. @@ -76,6 +81,7 @@ On-premise data center 2: 192.0.2.64/28 7. Magic Transit Egress traffic is subject to Magic Firewall filtering before being routed out to the Internet towards the users. ## Scenario 3 - Customer BYOIP for on-premise networks and lease IP address from Cloudflare for cloud network deployments + In this scenario, you can deploy larger on-premise networks and smaller cloud-based networks. You assign your own /24 IP prefixes to the on-premise networks while leasing IPs from Cloudflare for your cloud-based networks. For illustration purposes, below is an example list of the locations of Internet-facing networks and their respective IP prefixes. 
@@ -98,14 +104,14 @@ On-premise data center 2: 203.0.113.0/24 7. This Magic Transit Egress traffic is subject to Magic Firewall filtering before being routed out to the Internet towards the users. 8. The server return traffic from on-premises networks to the Internet users are direct server returned (DSR), bypassing the Cloudflare network. -*Note*: Alternatively, customers can choose to also route the on-premise networks’ server return traffic through Cloudflare via policy-based routing and Magic Transit Egress functionality. This adds an additional layer of security and control for the egress traffic with Magic Firewall filtering. For example, it can block traffic destined to questionable IP addresses and sites, prohibited destinations, or countries. +_Note_: Alternatively, customers can choose to also route the on-premise networks’ server return traffic through Cloudflare via policy-based routing and Magic Transit Egress functionality. This adds an additional layer of security and control for the egress traffic with Magic Firewall filtering. For example, it can block traffic destined to questionable IP addresses and sites, prohibited destinations, or countries. 
## Related resources -* [Magic Transit Reference Architecture](/reference-architecture/architectures/magic-transit/) -* [Cloudflare Magic Transit](/magic-transit/) -* [Cloudflare Network Interconnect](/network-interconnect/) -* [Cloudflare DDoS Protection](/ddos-protection/) -* [Cloudflare Magic Firewall](/magic-firewall/) -* [Cloudflare Magic IPsec Device Compatibility Matrix](/magic-wan/reference/device-compatibility/) -* [Cloudflare Magic Transit Leased IP](/magic-transit/cloudflare-ips/) +- [Magic Transit Reference Architecture](/reference-architecture/architectures/magic-transit/) +- [Cloudflare Magic Transit](/magic-transit/) +- [Cloudflare Network Interconnect](/network-interconnect/) +- [Cloudflare DDoS Protection](/ddos-protection/) +- [Cloudflare Magic Firewall](/magic-firewall/) +- [Cloudflare Magic IPsec Device Compatibility Matrix](/magic-wan/reference/device-compatibility/) +- [Cloudflare Magic Transit Leased IP](/magic-transit/cloudflare-ips/) diff --git a/src/content/docs/reference-architecture/diagrams/network/protecting-sp-networks-from-ddos.mdx b/src/content/docs/reference-architecture/diagrams/network/protecting-sp-networks-from-ddos.mdx index 0acf624113db58..f3cfd1e9a8515e 100644 --- a/src/content/docs/reference-architecture/diagrams/network/protecting-sp-networks-from-ddos.mdx +++ b/src/content/docs/reference-architecture/diagrams/network/protecting-sp-networks-from-ddos.mdx @@ -1,11 +1,13 @@ --- title: Protecting ISP and telecommunications networks from DDoS attacks pcx_content_type: reference-architecture-diagram +products: + - Magic Transit + - Network Interconnect sidebar: order: 1 -head: - - tag: title - content: Protecting ISP and telecommunications networks from DDoS attacks + label: Protecting ISP and telecommunications networks from DDoS attacks +updated: 2024-07-19 --- ## Introduction 
diff --git a/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx index e7844c6f5d4f76..c6f38350d466d1 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx @@ -1,13 +1,14 @@ --- title: Access to private apps without having to deploy client agents pcx_content_type: reference-architecture-diagram +products: + - Access + - Browser Isolation + - Gateway sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Access to private apps without having - to deploy client agents" - + label: Access to private apps without having to deploy client agents +updated: 2024-04-03 --- ## Introduction @@ -16,9 +17,9 @@ Using Cloudflare to access private resources - such as applications, servers, an Typically, to provide access to internal resources, you use Cloudflare Zero Trust Network Access [ZTNA](https://www.cloudflare.com/learning/access-management/what-is-ztna/) which supports two methods for how the user device accesses a private resource. -* A CNAME in public DNS, that resolves to a hostname representing the Cloudflare tunnel which proxies the request to the internal application. +- A CNAME in public DNS, that resolves to a hostname representing the Cloudflare tunnel which proxies the request to the internal application. -* An IP address exposed by Cloudflare tunnel, that again, proxies traffic direct to that IP address. +- An IP address exposed by Cloudflare tunnel, that again, proxies traffic direct to that IP address. ## Accessing private applications 
@@ -38,4 +39,4 @@ Follow this [tutorial](/cloudflare-one/tutorials/clientless-access-private-dns/) ## Related resources -* [Tutorial: Access a web application via its private hostname without WARP](/cloudflare-one/tutorials/clientless-access-private-dns/) +- [Tutorial: Access a web application via its private hostname without WARP](/cloudflare-one/tutorials/clientless-access-private-dns/) diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx index 707769872ea03d..a654887886cef2 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx @@ -3,10 +3,8 @@ title: Securing data at rest pcx_content_type: reference-architecture-diagram sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Securing data at rest" - + label: Securing data at rest +updated: 2024-05-01 --- ## Introduction 
@@ -21,13 +19,14 @@ Cloudflare's API-driven [Cloud Access Security Broker](/cloudflare-one/applicati [DLP profiles](/cloudflare-one/applications/scan-apps/casb-dlp/) are used to discover if files stored in your SaaS application contain sensitive data. Matches are then compared with access controls and findings are generated, such as findings to alert you to a spreadsheet that contains credit card information that is accessible by anyone on the Internet. -When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) service, which inspects all the traffic going to and from a SaaS application, customers can achieve comprehensive visibility into both data in transit and data at rest for SaaS applications. +When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) service, which inspects all the traffic going to and from a SaaS application, customers can achieve comprehensive visibility into both data in transit and data at rest for SaaS applications. ![Figure 1: Overall solution of user access controls to, and the discovery of, sensitive data.](~/assets/images/reference-architecture/securing-data-at-rest/securing-data-at-rest-fig1.svg "Figure 1: Overall solution of user access controls to, and the discovery of, sensitive data.") ## Securing user access to data at rest 1. Cloudflare authenticates users attempting to access SaaS applications, whether they are initiating the request from managed or unmanaged endpoints. + 1. For managed endpoints, we recommend deploying our [device agent](/cloudflare-one/connections/connect-devices/warp/) to maximize visibility and control of all traffic between the end user’s device and the resources being requested. 2. For unmanaged endpoints, we have [client-less solutions](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/) which all you to still have visibility over and inspection into the data accessed by users. 
@@ -45,5 +44,5 @@ When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudfl ## Related resources -* [Securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/) -* [Securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/) +- [Securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/) +- [Securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/) diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index d2f8a1e3150dc6..1bc39e748bea2a 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
@@ -3,19 +3,17 @@ title: Securing data in transit pcx_content_type: reference-architecture-diagram sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Securing data in transit" - + label: Securing data in transit +updated: 2024-05-01 --- ## Introduction -Data in transit typically means when it's traveling over the network. Because the Internet is made up of many thousands of networks, it is important to ensure your data is secure as it moves from device to server and back. These days, most common activities that generate data in transit are related to: +Data in transit typically means when it's traveling over the network. Because the Internet is made up of many thousands of networks, it is important to ensure your data is secure as it moves from device to server and back. These days, most common activities that generate data in transit are related to: -* Browsing online and uploading/download data to/from cloud applications -* Sending texts, pictures and emails -* Applications exposing and consuming data via APIs +- Browsing online and uploading/download data to/from cloud applications +- Sending texts, pictures and emails +- Applications exposing and consuming data via APIs Data in transit is often considered vulnerable to interception or tampering during transmission, so it is important to secure it through encryption techniques such as [QUIC](https://cloudflare-quic.com/), Transport Layer Security (TLS) or Secure Sockets Layer (SSL). This helps to ensure that the data remains confidential and protected from unauthorized access during its journey. There are other methods of inspecting data as it passes network boundaries to make decisions on if that data should continue to travel or not, Data Loss Prevention (DLP) technologies can be used to inspect the contents of network traffic and block sensitive data from going to a risky destination. This document outlines the methods Cloudflare has available to protect data in transit. 
@@ -23,8 +21,8 @@ Data in transit is often considered vulnerable to interception or tampering duri Cloudflare is one of the leading providers of cloud network security services. There are two main use cases Cloudflare is used to secure network traffic. -* Providing secure connectivity to public websites and APIs using SSL/TLS -* Creating secure tunnels to private networks and applications which are hosted either in the cloud or on-premises +- Providing secure connectivity to public websites and APIs using SSL/TLS +- Creating secure tunnels to private networks and applications which are hosted either in the cloud or on-premises Cloudflare's [SSL services](/ssl/) are used by millions of websites and are easily implemented by making changes to DNS entries, so that all connections to public websites and APIs are terminated on Cloudflare's edge network. Connectivity from Cloudflare to the destination website or API can also be secured using the same SSL technologies. To ensure the strongest security, Cloudflare uses [post quantum cryptography](https://blog.cloudflare.com/post-quantum-to-origins). @@ -62,5 +60,5 @@ The following diagram shows a common flow for how Cloudflare inspects a request ## Related resources -* [Securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/) -* [Securing data at rest](/reference-architecture/diagrams/security/securing-data-at-rest/) +- [Securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/) +- [Securing data at rest](/reference-architecture/diagrams/security/securing-data-at-rest/) diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx index ff0784103117f5..dc0067d8343067 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx 
@@ -3,10 +3,8 @@ title: Securing data in use pcx_content_type: reference-architecture-diagram sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Securing data in use" - + label: Securing data in use +updated: 2024-05-01 --- ## Introduction 
@@ -25,9 +23,9 @@ Even more, organizations can enforce specific data in use access controls, like Common policies used with RBI: -* Content category - [Social Networks](/cloudflare-one/policies/gateway/domain-categories/) (e.g. Facebook): Given the large volumes of data that popular social media platforms collect, these apps are an attractive target and yet another attack vector for malicious entities. RBI allows for limiting what data, especially if that data matches a DLP profile, from being pasted into these applications. -* Application - [Artificial Intelligence](/cloudflare-one/policies/gateway/application-app-types/) (e.g. ChatGPT): Generative AI tools can boost employee productivity, but understanding who is using them and for what is imperative at this stage of the generative AI evolution. Again, DLP profiles here can be applied to prevent the copy and pasting of sensitive data into public AI tools. -* Application - [SaaS](/cloudflare-one/policies/gateway/application-app-types/) (e.g. Salesforce, Zendesk, etc): These applications can often contain highly confidential data. RBI can be used to really lock down access for risky users that require some access, such as contractors or partners. Controls such as preventing printing, or even preventing any keyboard input at all, can result in third party users only looking at a read only view of the application, as if RBI is a pane of glass between the user and the data. +- Content category - [Social Networks](/cloudflare-one/policies/gateway/domain-categories/) (e.g. Facebook): Given the large volumes of data that popular social media platforms collect, these apps are an attractive target and yet another attack vector for malicious entities. RBI allows for limiting what data, especially if that data matches a DLP profile, from being pasted into these applications. +- Application - [Artificial Intelligence](/cloudflare-one/policies/gateway/application-app-types/) (e.g. 
ChatGPT): Generative AI tools can boost employee productivity, but understanding who is using them and for what is imperative at this stage of the generative AI evolution. Again, DLP profiles here can be applied to prevent the copy and pasting of sensitive data into public AI tools. +- Application - [SaaS](/cloudflare-one/policies/gateway/application-app-types/) (e.g. Salesforce, Zendesk, etc): These applications can often contain highly confidential data. RBI can be used to really lock down access for risky users that require some access, such as contractors or partners. Controls such as preventing printing, or even preventing any keyboard input at all, can result in third party users only looking at a read only view of the application, as if RBI is a pane of glass between the user and the data. The following diagram visualizes a typical interaction between a user, RBI and a website such as ChatGPT. @@ -41,5 +39,5 @@ The following diagram visualizes a typical interaction between a user, RBI and a ## Related resources -* [Securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/) -* [Securing data at rest](/reference-architecture/diagrams/security/securing-data-at-rest/) +- [Securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/) +- [Securing data at rest](/reference-architecture/diagrams/security/securing-data-at-rest/) diff --git a/src/content/docs/reference-architecture/diagrams/serverless/a-b-testing-using-workers.mdx b/src/content/docs/reference-architecture/diagrams/serverless/a-b-testing-using-workers.mdx index b3e5be4a86e627..503fb21b445cca 100644 --- a/src/content/docs/reference-architecture/diagrams/serverless/a-b-testing-using-workers.mdx +++ b/src/content/docs/reference-architecture/diagrams/serverless/a-b-testing-using-workers.mdx 
@@ -6,9 +6,8 @@ products: - KV sidebar: order: 1 -head: - - tag: title - content: A/B-testing using Workers + label: A/B-testing using Workers +updated: 2024-04-29 --- ## Introduction diff --git a/src/content/docs/reference-architecture/diagrams/serverless/fullstack-application.mdx b/src/content/docs/reference-architecture/diagrams/serverless/fullstack-application.mdx index 66efd7a7678602..f0e066bd2fa525 100644 --- a/src/content/docs/reference-architecture/diagrams/serverless/fullstack-application.mdx +++ b/src/content/docs/reference-architecture/diagrams/serverless/fullstack-application.mdx @@ -18,10 +18,8 @@ products: - DDoS protection sidebar: order: 1 -head: - - tag: title - content: Fullstack applications - + label: Fullstack Applications +updated: 2024-04-29 --- ## Introduction diff --git a/src/content/docs/reference-architecture/diagrams/serverless/serverless-etl.mdx b/src/content/docs/reference-architecture/diagrams/serverless/serverless-etl.mdx index 25fc662dc10b35..046be646da037d 100644 --- a/src/content/docs/reference-architecture/diagrams/serverless/serverless-etl.mdx +++ b/src/content/docs/reference-architecture/diagrams/serverless/serverless-etl.mdx @@ -7,9 +7,8 @@ products: - R2 sidebar: order: 1 -head: - - tag: title - content: Serverless ETL pipelines + label: Serverless ETL pipelines +updated: 2024-04-12 --- ## Introduction diff --git a/src/content/docs/reference-architecture/diagrams/serverless/serverless-global-apis.mdx b/src/content/docs/reference-architecture/diagrams/serverless/serverless-global-apis.mdx index 1a42d45618a143..14251cccba3881 100644 --- a/src/content/docs/reference-architecture/diagrams/serverless/serverless-global-apis.mdx +++ b/src/content/docs/reference-architecture/diagrams/serverless/serverless-global-apis.mdx 
@@ -8,9 +8,8 @@ products: - Hyperdrive sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Serverless global APIs" + label: Serverless global APIs +updated: 2024-04-29 --- ## Introduction diff --git a/src/content/docs/reference-architecture/diagrams/serverless/serverless-image-content-management.mdx b/src/content/docs/reference-architecture/diagrams/serverless/serverless-image-content-management.mdx index 5bf991613a95bd..e8c802fc5111c4 100644 --- a/src/content/docs/reference-architecture/diagrams/serverless/serverless-image-content-management.mdx +++ b/src/content/docs/reference-architecture/diagrams/serverless/serverless-image-content-management.mdx @@ -11,10 +11,8 @@ products: - Bots sidebar: order: 1 -head: - - tag: title - content: "Reference Architecture Diagram: Serverless image content management" - + label: Serverless image content management +updated: 2024-03-18 --- ## Introduction @@ -27,8 +25,6 @@ The servicing of images to requesting clients is secured by link signature, resi ### Products included in the recipe - - | Product | Function | | ---------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | | [DDoS](https://www.cloudflare.com/application-services/products/bot-management/) | Volumetric attack protection | 
@@ -41,8 +37,6 @@ The servicing of images to requesting clients is secured by link signature, resi | [R2](https://www.cloudflare.com/developer-platform/r2/) | S3-type object-storage platform | | [KV](/kv/) | Image metadata storage | - - ## Getting started This reference architecture diagram reveals how to harness the power of the Cloudflare platform to construct a fully serverless image and content management system. This implementation leverages various components of the Cloudflare stack, including edge compute with Cloudflare Workers, KV, and R2 object storage; application performance optimization and caching; application security features such as rate limiting and DDoS mitigation; and artificial intelligence with Workers AI. diff --git a/src/content/docs/reference-architecture/diagrams/storage/egress-free-storage-multi-cloud.mdx b/src/content/docs/reference-architecture/diagrams/storage/egress-free-storage-multi-cloud.mdx index 56ebeb41e7e445..0a3a4de4dcff56 100644 --- a/src/content/docs/reference-architecture/diagrams/storage/egress-free-storage-multi-cloud.mdx +++ b/src/content/docs/reference-architecture/diagrams/storage/egress-free-storage-multi-cloud.mdx @@ -6,7 +6,8 @@ products: - R2 sidebar: order: 1 - + label: Egress-free object storage in multi-cloud setups +updated: 2024-04-11 --- ## Introduction @@ -28,7 +29,7 @@ Egress fees are charges incurred when data is transferred out of a cloud provide ## Related resources -* [R2: Get started](/r2/get-started) -* [R2: S3 API](/r2/api/s3/) -* [R2: Workers API](/r2/api/workers/) -* [R2: Configure aws4fetch for R2](/r2/examples/aws/aws4fetch/) +- [R2: Get started](/r2/get-started) +- [R2: S3 API](/r2/api/s3/) +- [R2: Workers API](/r2/api/workers/) +- [R2: Configure aws4fetch for R2](/r2/examples/aws/aws4fetch/) 
diff --git a/src/content/docs/reference-architecture/diagrams/storage/on-demand-object-storage-migration.mdx b/src/content/docs/reference-architecture/diagrams/storage/on-demand-object-storage-migration.mdx index 8528b160a3963e..015fea8d5d4328 100644 --- a/src/content/docs/reference-architecture/diagrams/storage/on-demand-object-storage-migration.mdx +++ b/src/content/docs/reference-architecture/diagrams/storage/on-demand-object-storage-migration.mdx @@ -5,9 +5,8 @@ products: - R2 sidebar: order: 1 -head: - - tag: title - content: On-demand Object Storage Data Migration + label: On-demand Object Storage Data Migration +updated: 2024-09-16 --- ## Introduction @@ -34,8 +33,7 @@ Here's how Sippy works: it will first attempt to retrieve an object from R2 stor After objects are copied, subsequent requests will be served from R2 and you’ll begin saving on egress fees immediately. - ## Related Resources -* [Sippy Documentation](/r2/data-migration/sippy/) -* [Super Slurper Documentation](/r2/data-migration/super-slurper/) +- [Sippy Documentation](/r2/data-migration/sippy/) +- [Super Slurper Documentation](/r2/data-migration/super-slurper/) From ed2e96631cea24a2ca8a8117e25fca5212dcabb5 Mon Sep 17 00:00:00 2001 From: jsoCloudflare <150061260+jsoCloudflare@users.noreply.github.com> Date: Mon, 23 Sep 2024 20:10:58 -0700 Subject: [PATCH 28/54] Update login.mdx (#17038) * Update login.mdx Added capabilities of Sign in with Google * Update src/content/docs/fundamentals/setup/account/login.mdx Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> * Update src/content/docs/fundamentals/setup/account/login.mdx --------- Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- src/content/docs/fundamentals/setup/account/login.mdx | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/src/content/docs/fundamentals/setup/account/login.mdx b/src/content/docs/fundamentals/setup/account/login.mdx index 96a99bcca0af60..2dd429029f83a3 100644 --- a/src/content/docs/fundamentals/setup/account/login.mdx +++ b/src/content/docs/fundamentals/setup/account/login.mdx @@ -47,3 +47,9 @@ If you have chosen to hide your email when creating a Cloudflare account with Ap Changing your Cloudflare account email address will unlink the login credentials with the Apple ID from your Cloudflare account. Attempting to log in using the same Apple ID after the email is changed will create a new Cloudflare account. If you created your Cloudflare account using Apple Relay and decide to change your Apple ID or email address, you will be unable to retrieve the Cloudflare account and all login options are permanently lost. + +### Sign in with Google + +- A Cloudflare account has already been created with your Google account's email: At this time, this option cannot be used, but we are working on the capability to link and de-link social login providers to your Cloudflare account. + +- If you select **Sign in with Google** with an email that does not already have a Cloudflare account associated with it, Cloudflare will create a new account and allow you to sign in using **Sign in with Google** moving forward. From 9e6d3fa54369eea5b2305a022ae8e932113632d1 Mon Sep 17 00:00:00 2001 From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Tue, 24 Sep 2024 09:13:22 +0100 Subject: [PATCH 29/54] Removes Terraform (#17045) --- src/content/docs/speed/optimization/content/speed-brain.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/speed/optimization/content/speed-brain.mdx b/src/content/docs/speed/optimization/content/speed-brain.mdx index a4dda4f3393f77..65c76e5ced1caf 100644 --- a/src/content/docs/speed/optimization/content/speed-brain.mdx +++ b/src/content/docs/speed/optimization/content/speed-brain.mdx 
@@ -71,7 +71,7 @@ While you can use Speed Brain without RUM enabled, you will not have visibility ## Enable and disable Speed Brain -Speed Brain is available in Cloudflare's **Speed** tab of the dashboard and also in the API and Terraform. +Speed Brain is available in Cloudflare's **Speed** tab of the dashboard and also in the API. From 1afa1d84e583dba87646cf9165e6aa06234b6f92 Mon Sep 17 00:00:00 2001 From: "Chris Draper (Cloudflare PM)" <115131024+cdraper-cloudflare@users.noreply.github.com> Date: Tue, 24 Sep 2024 04:54:30 -0400 Subject: [PATCH 30/54] MNM documentation update for Birthday Week 2024! Let's Go! (#17044) * MNM documentation update for Birthday Week 2024! Let's Go! * Apply suggestions from code review Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Apply suggestions from code review * Update src/content/docs/magic-network-monitoring/index.mdx --------- Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- .../docs/magic-network-monitoring/faq.mdx | 25 ++++++++------- .../magic-network-monitoring/get-started.mdx | 9 ++---- .../docs/magic-network-monitoring/index.mdx | 31 ++++++++++++++----- .../magic-network-monitoring-free.mdx | 8 ++--- .../tutorials/ddos-testing-guide.mdx | 2 +- .../tutorials/encrypt-network-flow-data.mdx | 14 +++++++++ .../tutorials/graphql-analytics.mdx | 2 +- 7 files changed, 59 insertions(+), 32 deletions(-) create mode 100644 src/content/docs/magic-network-monitoring/tutorials/encrypt-network-flow-data.mdx diff --git a/src/content/docs/magic-network-monitoring/faq.mdx b/src/content/docs/magic-network-monitoring/faq.mdx index b34266f81fc279..a177283cf58d2f 100644 --- a/src/content/docs/magic-network-monitoring/faq.mdx +++ b/src/content/docs/magic-network-monitoring/faq.mdx 
@@ -4,9 +4,21 @@ title: FAQ structured_data: true sidebar: order: 11 - --- +## Can I send NetFlow/sFlow data to Cloudflare in a secure, encrypted way? + +Yes. Both enterprise and free customers can send encrypted network flow data to Cloudflare. + +Enterprise customers with Magic Transit or Magic WAN are able to send encrypted network flow data via an IPsec tunnel to Cloudflare's network. You can achieve this by: + +1. Configuring your [NetFlow](/magic-network-monitoring/routers/netflow-ipfix-config/) or [sFlow](/magic-network-monitoring/routers/sflow-config/) data to be sent to Cloudflare's network for parsing. +2. Directing that network flow data to be sent over [Magic Transit IPsec tunnels](/magic-transit/how-to/configure-tunnels/) or [Magic WAN IPsec tunnels](/magic-wan/configuration/manually/how-to/configure-tunnels/) to Cloudflare's network. + +Cloudflare's network will then identify this traffic via the destination IP address/port, and direct the network flow traffic to Magic Network Monitoring for parsing. + +Free customers can route their network flow traffic through a device that is running the WARP client. Then, network flow traffic can be forwarded from the WARP enabled device to Cloudflare's network flow endpoints. You can learn more about this in the [Encrypt network flow data tutorial](/magic-network-monitoring/tutorials/encrypt-network-flow-data). + ## I have Auto-Advertisement enabled and it was triggered by an attack. Do I have to turn Magic Transit off manually? Once Auto-Advertisement is activated for an IP prefix that is under attack, the IP prefix will continue to be advertised by Cloudflare even if the attack ends. You will then need to manually disable advertisement for that IP prefix. Refer to [Configure dynamic advertisement](/byoip/concepts/dynamic-advertisement/best-practices/#configure-dynamic-advertisement) to learn how to withdraw your prefixes, and stop using Magic Transit. 
@@ -41,14 +53,3 @@ It is recommended that you set your router's public IP address and network flow Currently, all data received from a customer's router goes to our servers in the US. If you enable data sovereignty in Europe, you cannot currently use Magic Network Monitoring. GraphQL analytics is retained for 90 days for enterprise customers. For non-enterprise customers, data retention is seven days. Cloudflare also retains data for six hours in the US, for threshold crossing detection. - -## Can I send NetFlow/sFlow data to Cloudflare in a secure, encrypted way? - -Yes. Enterprise customers with Magic Transit or Magic WAN are able to send encrypted network flow data via an IPsec tunnel to Cloudflare's network. You can achieve this by: - -1. Configuring your [NetFlow](/magic-network-monitoring/routers/netflow-ipfix-config/) or [sFlow](/magic-network-monitoring/routers/sflow-config/) data to be sent to Cloudflare’s network for parsing. -2. Directing that network flow data to be sent over a [Magic Transit IPsec tunnels](/magic-transit/how-to/configure-tunnels/) or [Magic WAN IPsec tunnels](/magic-wan/configuration/manually/how-to/configure-tunnels/) to Cloudflare's network. - -Cloudflare's network will then identify this traffic via the destination IP address/port, and direct the network flow traffic to Magic Network Monitoring for parsing. - -This feature is not available to Magic Network Monitoring free customers. \ No newline at end of file diff --git a/src/content/docs/magic-network-monitoring/get-started.mdx b/src/content/docs/magic-network-monitoring/get-started.mdx index a8578eaad8fea4..be9ea7653dc541 100644 --- a/src/content/docs/magic-network-monitoring/get-started.mdx +++ b/src/content/docs/magic-network-monitoring/get-started.mdx 
@@ -3,16 +3,13 @@ title: Get started pcx_content_type: get-started sidebar: order: 2 - --- -import { GlossaryTooltip } from "~/components" - -To begin using Magic Network Monitoring, complete the list of tasks below. If you are an Enterprise customer, Cloudflare can significantly accelerate the timeline during active-attack scenarios. +import { GlossaryTooltip } from "~/components"; -If you are an Enterprise customer and would like to use Magic Network Monitoring and Magic Transit On Demand together, begin by [configuring Magic Transit](/magic-transit/get-started/). +To begin using Magic Network Monitoring, complete the list of tasks below. -There is also a [free version](/magic-network-monitoring/magic-network-monitoring-free/) of Magic Network Monitoring in a closed beta right now. Refer to it to learn about the functionalities and limits of this version. +If you are an Enterprise customer, Cloudflare can significantly accelerate the onboarding timeline during active-attack scenarios. Enterprise customers that would like to use Magic Network Monitoring and Magic Transit On Demand together can begin by [configuring Magic Transit](/magic-transit/get-started/). ## 1. Verify NetFlow or sFlow capabilities diff --git a/src/content/docs/magic-network-monitoring/index.mdx b/src/content/docs/magic-network-monitoring/index.mdx index 4f4bcf3313b3aa..22e178f90e801c 100644 --- a/src/content/docs/magic-network-monitoring/index.mdx +++ b/src/content/docs/magic-network-monitoring/index.mdx 
@@ -6,14 +6,21 @@ sidebar: head: - tag: title content: Cloudflare Magic Network Monitoring - --- -import { CardGrid, Description, Feature, GlossaryTooltip, LinkTitleCard, Plan, RelatedProduct } from "~/components" +import { + CardGrid, + Description, + Feature, + GlossaryTooltip, + LinkTitleCard, + Plan, + RelatedProduct, +} from "~/components"; -Detect and receive notifications about attacks based on traffic flows. +Improve your network visibility and detect DDoS attacks based on traffic flows. 
@@ -21,9 +28,11 @@ Detect and receive notifications about attacks based on traffic flows. Magic Network Monitoring provides visibility into your network traffic by analyzing network flow data sent from a customer’s routers. Magic Network Monitoring supports NetFlow v5, NetFlow v9, IPFIX, and sFlow. -Enterprise customers can use Magic Network Monitoring with [Magic Transit on-demand](/magic-transit/on-demand/) to monitor their network, identify volumetric DDoS attacks, and activate Magic Transit on-demand to mitigate those attacks. +Magic Network Monitoring is generally available to everyone with a Cloudflare account by default. You can log in to your Cloudflare dashboard, select your account, then go to **Analytics & Logs** > **Magic Monitoring** to get started. -Magic Network Monitoring is automatically enabled for all Magic Transit and Magic WAN enterprise customers. Any enterprise customers without Magic Transit or Magic WAN that are interested in testing Magic Network Monitoring can receive access to the Magic Network Monitoring [free version](/magic-network-monitoring/magic-network-monitoring-free/) by submitting a request to their Cloudflare account team. +Everyone can use the [free version](/magic-network-monitoring/magic-network-monitoring-free/) of Magic Network Monitoring in a home network, network lab, or business to get end to end visibility across their network traffic. Potential enterprise customers are encouraged to use the free version to run a proof of concept. + +Enterprise customers can use Magic Network Monitoring with [Magic Transit on-demand](/magic-transit/on-demand/) to monitor their network, identify volumetric DDoS attacks, and activate Magic Transit on-demand to mitigate those attacks. Learn how to [get started](/magic-network-monitoring/get-started/). 
@@ -56,24 +65,32 @@ Set up notifications to learn about an attack. Mitigates L7, L4, and L3 DDoS attacks with Magic Network Monitoring with Magic Transit on-demand. + Provides HTTP DDoS attack protection for zones onboarded to Cloudflare in addition to L3 and L4 DDoS attack protection. + Connects your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience. + ## More resources - -Connect with the Magic Network Monitoring community on Discord to ask questions, and share feedback. + + Connect with the Magic Network Monitoring community on Discord to ask + questions, and share feedback. diff --git a/src/content/docs/magic-network-monitoring/magic-network-monitoring-free.mdx b/src/content/docs/magic-network-monitoring/magic-network-monitoring-free.mdx index 2f5255cef6e2d5..3f02d445c707c8 100644 --- a/src/content/docs/magic-network-monitoring/magic-network-monitoring-free.mdx +++ b/src/content/docs/magic-network-monitoring/magic-network-monitoring-free.mdx 
@@ -3,18 +3,16 @@ title: Free version pcx_content_type: reference sidebar: order: 8 - badge: - text: Beta head: - tag: title content: Magic Network Monitoring free version --- -The free version of Magic Network Monitoring (MNM) is currently in a closed beta. All customers with a Cloudflare account can request early access to the free version of MNM by [filling out this form](https://docs.google.com/forms/d/1umsmwHmXgMesP2t4wH94uVExHaT60tb5RTeawqR_9Cg/edit). +The free version of Magic Network Monitoring (MNM) is generally available to everyone with a Cloudflare account by default. -If you would like your request for early access to MNM to be prioritized, please join [Cloudflare’s Discord server](https://discord.com/invite/cloudflaredev) and ask about early access in the MNM Discord channel. We prioritize Discord community members because Discord creates a great environment for engaging with users, helping with configuration, answering questions, and collecting valuable product feedback. +All free customers are encouraged to join [Cloudflare's Discord server](https://discord.com/invite/cloudflaredev) to discuss the use cases, configuration, and troubleshooting of Magic Network Monitoring. Free customers are always welcome to provide product feedback and discuss feature requests. The product and engineering team that works on Magic Network Monitoring regularly engages with the Discord community. -You can find the channel by joining the Cloudflare Developers Discord server. Then scroll down in the side bar navigation to the **Products** category and select **magic-network-monitoring**. +You can find the channel by joining the Cloudflare Developers Discord server. Then scroll down in the side bar navigation to the **Cloudflare One** category and select **magic-network-monitoring**. ## Access the free version of MNM 
diff --git a/src/content/docs/magic-network-monitoring/tutorials/ddos-testing-guide.mdx b/src/content/docs/magic-network-monitoring/tutorials/ddos-testing-guide.mdx index f96c4300caf072..189965794a360f 100644 --- a/src/content/docs/magic-network-monitoring/tutorials/ddos-testing-guide.mdx +++ b/src/content/docs/magic-network-monitoring/tutorials/ddos-testing-guide.mdx @@ -3,7 +3,7 @@ title: DDoS testing guide pcx_content_type: tutorial updated: 2024-06-18 sidebar: - order: 2 + order: 3 head: - tag: title content: Magic Network Monitoring DDoS testing guide diff --git a/src/content/docs/magic-network-monitoring/tutorials/encrypt-network-flow-data.mdx b/src/content/docs/magic-network-monitoring/tutorials/encrypt-network-flow-data.mdx new file mode 100644 index 00000000000000..869a2b8f969a5b --- /dev/null +++ b/src/content/docs/magic-network-monitoring/tutorials/encrypt-network-flow-data.mdx @@ -0,0 +1,14 @@ +--- +title: Encrypt network flow data +pcx_content_type: tutorial +updated: 2024-09-23 +sidebar: + order: 1 +head: + - tag: title + content: Magic Network Monitoring encrypt network flow data +--- + +Customers can encrypt the network flow data sent from their router to Cloudflare by routing their network flow traffic through a device running the WARP client. Then, encrypted network flow traffic can be forwarded from the WARP enabled device to Cloudflare's network flow endpoints. + +To learn more about the WARP client, and to install the WARP client on Linux, macOS, or Windows, you can visit the [WARP client documentation](/cloudflare-one/connections/connect-devices/warp/). diff --git a/src/content/docs/magic-network-monitoring/tutorials/graphql-analytics.mdx b/src/content/docs/magic-network-monitoring/tutorials/graphql-analytics.mdx index e9cfb51d44c6a4..9bfa5f0ba90456 100644 --- a/src/content/docs/magic-network-monitoring/tutorials/graphql-analytics.mdx +++ b/src/content/docs/magic-network-monitoring/tutorials/graphql-analytics.mdx 
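Review bot: The new encrypt-network-flow-data page says flow data is encrypted by routing it through a device running the WARP client, but it does not say which hop is protected: only traffic leaving the WARP-enabled device travels inside the WARP tunnel, so the router-to-device leg is presumably still cleartext unless the collector runs on the router itself or on a trusted segment, and the page should say so rather than leave readers assuming end-to-end encryption. It also does not say whether Cloudflare's network flow endpoint has to be included in the WARP device's tunnel configuration, which is the step a reader copying this setup is most likely to get wrong. Suggest adding after the first paragraph: `Only the hop from the WARP-enabled device to Cloudflare is encrypted. Keep the router and the WARP device on the same host or a trusted network segment, and confirm that the Magic Network Monitoring flow endpoint is routed through the WARP tunnel rather than excluded from it.`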
@@ -5,7 +5,7 @@ updated: 2023-01-04 languages: - GraphQL sidebar: - order: 1 + order: 2 head: - tag: title content: GraphQL Analytics From 2705bca9ae2ab1481c393459166ccbb0167e0a8e Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 24 Sep 2024 10:33:40 +0100 Subject: [PATCH 31/54] [Support] Custom Pages: Add note (#17047) --- ...uring-custom-pages-error-and-challenge.mdx | 130 +++++++++--------- 1 file changed, 63 insertions(+), 67 deletions(-) diff --git a/src/content/docs/support/more-dashboard-apps/cloudflare-custom-pages/configuring-custom-pages-error-and-challenge.mdx b/src/content/docs/support/more-dashboard-apps/cloudflare-custom-pages/configuring-custom-pages-error-and-challenge.mdx index 9c231b594ebde5..a36c3f920c4e7f 100644 --- a/src/content/docs/support/more-dashboard-apps/cloudflare-custom-pages/configuring-custom-pages-error-and-challenge.mdx +++ b/src/content/docs/support/more-dashboard-apps/cloudflare-custom-pages/configuring-custom-pages-error-and-challenge.mdx 
@@ -2,29 +2,26 @@ pcx_content_type: troubleshooting source: https://support.cloudflare.com/hc/en-us/articles/200172706-Configuring-Custom-Pages-Error-and-Challenge- title: Configuring Custom Pages (Error and Challenge) - --- -## Overview - -Cloudflare uses a wide range of [error codes](/support/troubleshooting/cloudflare-errors/) to identify issues in handling request traffic. By default, these error pages mention Cloudflare; however, custom error pages help you provide a consistent brand experience for your users.  +Cloudflare uses a wide range of [error codes](/support/troubleshooting/cloudflare-errors/) to identify issues in handling request traffic. By default, these error pages mention Cloudflare; however, custom error pages help you provide a consistent brand experience for your users. If you are on the Pro, Business, or Enterprise plan you can customize and brand these pages for your whole account or for specific domains. You can design custom error pages to appear during a security challenge or when an error occurs. -:::note +:::note[Notes] + +- Responses with 500, 501, 503, and 505 HTTP status codes do not trigger custom error pages to avoid breaking specific API endpoints and other web applications. +- Your custom error pages are not used if requests do not contain `accept-encoding` headers. In these cases, Cloudflare will show the standard error pages to website visitors. -500, 501, 503, and 505 responses do not trigger custom error pages to -avoid breaking specific API endpoints and other web applications. ::: Alternatively, Enterprise customers can customize 5XX error pages at their origin via **Enable Origin Error Pages** in the **Custom Pages** app in the dashboard. :::note - -Enable Origin Error Pages excludes errors 520 to 527. +Enable Origin Error Pages excludes errors 520 to 527. ::: -*** +--- ## Step 1: Create a custom page 
@@ -34,93 +31,92 @@ You can use the following custom error template to start building your page: ```html - - - ::[REPLACE WITH CUSTOM ERROR TOKEN NAME]:: - + + + ::[REPLACE WITH CUSTOM ERROR TOKEN NAME]:: + ``` :::caution[Warnings] +- Your custom error page should include a page-specific custom error token if applicable and cannot exceed 1.43 MB. Also, it must include HTML `` and `` tags. +- Make sure that the `referrer` meta tag is not present in your custom error page's HTML code since it will disrupt [Cloudflare challenges](/waf/reference/cloudflare-challenges/): `` -* Your custom error page should include a page-specific custom error token if applicable and cannot exceed 1.43 MB. Also, it must include HTML `` and `` tags. -* Make sure that the `referrer` meta tag is not present in your custom error page's HTML code since it will disrupt [Cloudflare challenges](/waf/reference/cloudflare-challenges/): `` - ::: +::: When published, any additional scripts, images, or stylesheets increase the size of your custom error page source by approximately 50%. ### Custom Page example -Here is sample code for a 5XX custom error page without styling:  +Here is sample code for a 5XX custom error page without styling: ```html - + - - - 5XX Level Errors page - - -

5XX Level Errors

-

::CLOUDFLARE_ERROR_500S_BOX::

- + + + 5XX Level Errors page + + +

5XX Level Errors

+

::CLOUDFLARE_ERROR_500S_BOX::

+ ``` -*** +--- ## Step 2: Select your custom error tokens -When designing your custom error page, you must include one page-specific custom error token.  Each custom error token provides diagnostic information that appears on the error page.  +When designing your custom error page, you must include one page-specific custom error token.  Each custom error token provides diagnostic information that appears on the error page. -To display a custom page for each error, create a separate page per error. For example, to create a custom error page for both **IP/Country Block** and **Interactive Challenge**, you must design and publish two separate pages.  +To display a custom page for each error, create a separate page per error. For example, to create a custom error page for both **IP/Country Block** and **Interactive Challenge**, you must design and publish two separate pages. The following tables list each custom error token grouped by the applicable custom error page. -| **Token** | **Available to** | -| -------------- | ---------------- | -| ::CLIENT\_IP:: | All pages | -| ::RAY\_ID:: | All pages | +| Token | Available to | +| --------------- | ------------ | +| `::CLIENT_IP::` | All pages | +| `::RAY_ID::` | All pages | :::caution - -Only one page-specific custom error token can be used per page. +Only one page-specific custom error token can be used per page. ::: -| **Token** | **Available to** | -| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -| ::GEO:: | IP/Country Block | -| ::CAPTCHA\_BOX:: | Interactive Challenge
Country Challenge (Managed Challenge)
Managed Challenge / I'm Under Attack Mode (Interstitial Page) | -| ::IM\_UNDER\_ATTACK\_BOX:: | JS Challenge | -| ::CLOUDFLARE\_ERROR\_500S\_BOX:: | 5XX Errors | -| ::CLOUDFLARE\_ERROR\_1000S\_BOX:: | 1XXX Errors | +| Token | Available to | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| `::GEO::` | IP/Country Block | +| `::CAPTCHA_BOX::` | Interactive Challenge
Country Challenge (Managed Challenge)
Managed Challenge / I'm Under Attack Mode (Interstitial Page) | +| `::IM_UNDER_ATTACK_BOX::` | JS Challenge | +| `::CLOUDFLARE_ERROR_500S_BOX::` | 5XX Errors | +| `::CLOUDFLARE_ERROR_1000S_BOX::` | 1XXX Errors | -*** +--- ## Step 3: Style your custom page -Each custom error token has a default look and feel. However, you can use CSS to stylize each custom error tag using each tag's class ID. If you are familiar with CSS styling, you can customize the look and feel of the error page using each tag’s class ID. Please keep in mind that all the external resources like images, CSS, and scripts will be inlined during the process. As such, all external resources need to be available (i.e. return a 200 OK) otherwise an error will be thrown. +Each custom error token has a default look and feel. However, you can use CSS to stylize each custom error tag using each tag's class ID. If you are familiar with CSS styling, you can customize the look and feel of the error page using each tag's class ID. Please keep in mind that all the external resources like images, CSS, and scripts will be inlined during the process. As such, all external resources need to be available (that is, they must return 200 OK) otherwise an error will be thrown. -*** +--- ## Step 4: Preview and Publish your custom page After customizing your custom error page, there are two options for adding the page to Cloudflare: -* Account level: the custom error page will apply to every domain associated with your account. -* Domain level: the custom error page will apply to only one domain associated with your account. +- Account level: the custom error page will apply to every domain associated with your account. +- Domain level: the custom error page will apply to only one domain associated with your account. 
:::note If Cloudflare cannot load your site or you have blocked the United States (US) via [IP Access rules](/waf/tools/ip-access-rules/) or WAF custom rules, publishing and previewing the error page will not work. -A common error might look like the following: `Error fetching page: Fetch failed, https://example.com/ipcountryblock.html returned 403 (Code: 1202)`. Make sure that you are serving the custom error page with an `HTTP 200` status code, and that no WAF rule is blocking or challenging your custom error page. +A common error might look like the following: `Error fetching page: Fetch failed, https://example.com/ipcountryblock.html returned 403 (Code: 1202)`. Make sure that you are serving the custom error page with an `HTTP 200` status code, and that no WAF rule is blocking or challenging your custom error page. + ::: :::note - -When publishing the custom error page, the system will ignore query strings. This means that if the custom error page URL contains a query string the address published will remove `?` and anything after that (ie. `https://domain.com/5xx.html?removeimages` -> `https://domain.com/5xx.html`). +When publishing the custom error page, the system will ignore query strings. This means that if the custom error page URL contains a query string the address published will remove `?` and anything after that (for example, `https://domain.com/5xx.html?removeimages` -> `https://domain.com/5xx.html`). ::: ### Account-level custom error page 
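Review bot: Step 3 says external images, CSS and scripts are inlined, but not when or with what consequence; the "Update custom error page after publishing" section further down the file says changes require a re-publish, so a script referenced from a third-party host is fetched once at publish time and frozen into the page, and upstream updates or revocations will never reach it. Suggest adding to Step 3: `External resources are fetched and inlined once, when the page is previewed or published; a later change to a referenced script or stylesheet is not picked up until you re-publish. Host these assets yourself so that the copy Cloudflare serves is one you control.` Separately, the warning box says a page-specific token is needed `if applicable` while Step 2 says `you must include one page-specific custom error token`; one of the two should be adjusted so they agree.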
@@ -149,11 +145,11 @@ To publish a domain level custom error page: ### Update custom error page after publishing -After successfully publishing the custom error page in the **Custom Pages** app, you can remove the page from your origin server.  +After successfully publishing the custom error page in the **Custom Pages** app, you can remove the page from your origin server. If in the future, you need to update your custom error page, you must re-publish the page at your origin and in the Cloudflare dashboard, even if the page URL remains unchanged. -*** +--- ## Troubleshoot common custom pages issues @@ -167,14 +163,14 @@ If you block requests due to a [rate limiting rule](/waf/rate-limiting-rules/) a If you block countries or IP addresses with a firewall rule (now deprecated), affected visitors will get your **1000 Class Errors page**. -### 1xxx errors +### 1XXX errors **1XXX Errors** do not customize the following HTTP errors via the Custom Pages app: -* 1001 - Unable to resolve -* 1003 - Bad Host header -* 1018 - Unable to resolve because of ownership lookup failure -* 1023 - Unable to resolve because of feature lookup failure +- 1001 - Unable to resolve +- 1003 - Bad Host header +- 1018 - Unable to resolve because of ownership lookup failure +- 1023 - Unable to resolve because of feature lookup failure ### Custom error page size 
@@ -182,16 +178,16 @@ Your custom error page cannot be blank and cannot exceed 1.43 MB. To avoid excee ### General troubleshooting advice -* If you encounter errors while attempting to preview or publish your custom error page, use an [HTML validator](https://validator.w3.org/) to ensure that your code resolves properly.  -* Make sure that you are serving the custom error page with an HTTP 200 status code. +- If you encounter errors while attempting to preview or publish your custom error page, use an [HTML validator](https://validator.w3.org/) to ensure that your code resolves properly. +- Make sure that you are serving the custom error page with an HTTP 200 status code. -*** +--- ## Related resources -* [WAF custom rules](/waf/custom-rules/) -* [Cloudflare challenges](/waf/reference/cloudflare-challenges/) -* [Troubleshooting Cloudflare errors](/support/troubleshooting/cloudflare-errors/) -* [IP Access rules](/waf/tools/ip-access-rules/) -* [Rate limiting rules](/waf/rate-limiting-rules/) -* [Firewall rules](/firewall/cf-firewall-rules/) (deprecated) +- [WAF custom rules](/waf/custom-rules/) +- [Cloudflare challenges](/waf/reference/cloudflare-challenges/) +- [Troubleshooting Cloudflare errors](/support/troubleshooting/cloudflare-errors/) +- [IP Access rules](/waf/tools/ip-access-rules/) +- [Rate limiting rules](/waf/rate-limiting-rules/) +- [Firewall rules](/firewall/cf-firewall-rules/) (deprecated) From 404d396c2ffb497129ca2649cd9e87fab0667f67 Mon Sep 17 00:00:00 2001 
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 24 Sep 2024 12:10:22 +0100 Subject: [PATCH 32/54] [Key Transparency] Add tile (#17048) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --------- Co-authored-by: Denise Pena Co-authored-by: Thibault Meunier Co-authored-by: Mari <7750294+mgalicer@users.noreply.github.com> Co-authored-by: Denise Peña <75506267+dcpena@users.noreply.github.com> Co-authored-by: Jun Lee --- .../api/auditor-information.mdx | 29 +++++++ .../docs/key-transparency/api/epochs.mdx | 54 ++++++++++++ .../docs/key-transparency/api/index.mdx | 12 +++ .../docs/key-transparency/api/namespaces.mdx | 86 +++++++++++++++++++ src/content/docs/key-transparency/index.mdx | 36 ++++++++ .../monitor-the-auditor/index.mdx | 72 ++++++++++++++++ src/content/products/key-transparency.yaml | 21 +++++ src/icons/key-transparency.svg | 8 ++ 8 files changed, 318 insertions(+) create mode 100644 src/content/docs/key-transparency/api/auditor-information.mdx create mode 100644 src/content/docs/key-transparency/api/epochs.mdx create mode 100644 src/content/docs/key-transparency/api/index.mdx create mode 100644 src/content/docs/key-transparency/api/namespaces.mdx create mode 100644 src/content/docs/key-transparency/index.mdx create mode 100644 src/content/docs/key-transparency/monitor-the-auditor/index.mdx create mode 100644 src/content/products/key-transparency.yaml create mode 100644 src/icons/key-transparency.svg diff --git a/src/content/docs/key-transparency/api/auditor-information.mdx b/src/content/docs/key-transparency/api/auditor-information.mdx new file mode 100644 index 00000000000000..7f75d18dd5499f --- /dev/null +++ b/src/content/docs/key-transparency/api/auditor-information.mdx 
@@ -0,0 +1,29 @@
+---
+pcx_content_type: overview
+title: Auditor
+sidebar:
+ order: 1
+---
+
+The Auditor is designed to sign epoch information, which includes the time at which the request is received by the Auditor, the epoch number, and the epoch digest. The Auditor serializes this information in binary using protobuf or bincode and checks whether the requested inclusion is valid, as in not satisfies [publication constraints](/key-transparency/api/epochs/#constraints).
+
+If the Log is setup to provide [AKD](https://github.com/facebook/akd) audit proof, the Auditor verifies them asynchronously.
+
+## Get Auditor information
+
+`keys` contain Auditor public keys which allow for key rotation later.
+
+```sh
+curl 'https://plexi.key-transparency.cloudflare.com/info'
+{
+ "keys": [
+ {
+ "public_key": "d1036a33a8731e82a29dc68210988b32b60b7c1bd22d2341f2e339f4db3a2f4a",
+ "not_before": 1712311441501
+ }
+ ],
+ "logs": [
+ "508607faff7cb16be841e901eca41a6239461f239e7e610c9ea2576f334bc144"
+ ]
+}
+```
diff --git a/src/content/docs/key-transparency/api/epochs.mdx b/src/content/docs/key-transparency/api/epochs.mdx
new file mode 100644
index 00000000000000..aede0f399528ae
--- /dev/null
+++ b/src/content/docs/key-transparency/api/epochs.mdx
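Review bot: The sentence `checks whether the requested inclusion is valid, as in not satisfies [publication constraints]` is garbled and, read literally, says the opposite of what the Epochs page describes; it should read `checks whether the requested epoch is valid, that is, whether it satisfies the [publication constraints](/key-transparency/api/epochs/#constraints)`. The choice between protobuf and bincode is fixed per namespace by `signature_version` on the Namespaces page, and a verifier has to know that before it can re-serialize an epoch and check the signature, so link it from this paragraph. `/info` returns keys carrying only `public_key` and `not_before`, while the publish response on the Epochs page returns a `key_id` (74 in the example) with nothing here to match it against, so from the documented responses alone a client cannot tell which key signed an epoch; if keys are identified by position or by a hash of the public key, say so. It would also help to state the unit of `not_before` (the example value looks like milliseconds since the Unix epoch) and that a verifier is presumably expected to check it against the epoch `timestamp` once keys rotate.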
@@ -0,0 +1,54 @@
+---
+pcx_content_type: overview
+title: Epochs
+sidebar:
+ order: 3
+---
+
+## Get an epoch
+
+```sh
+curl 'https://plexi.key-transparency.cloudflare.com/namespaces/{namespace}/audits/1'
+{
+ "namespace": "your.new.log.com",
+ "timestamp": 1717084639921,
+ "epoch": 1,
+ "digest": "1111111111111111111111111111111111111111111111111111111111111111",
+ "signature": "f6a51443bb6703813b330959d9d97471bc06464142165e59733fa102a18b052782a5307d59c31b8b13c1af7dfff6f6e7bf44e880d44e26e96c50a72f72a30c07"
+}
+```
+
+## Publish a new epoch
+
+Refer to the example below to publish a new epoch by requesting its signature.
+
+This API is authenticated via [mTLS](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/), so that only a Log owner can publish new epochs.
+
+```sh
+curl 'https://plexi.key-transparency.cloudflare.com/namespaces/{namespace}/audits' \
+ --header 'Content-Type: application/json' \
+ --data '{"epoch": 1, "digest": "1111111111111111111111111111111111111111111111111111111111111111"}'
+{
+ "namespace": "your.new.log.com",
+ "timestamp": 1717084639921,
+ "epoch": 1,
+ "digest": "1111111111111111111111111111111111111111111111111111111111111111",
+ "signature": "f6a51443bb6703813b330959d9d97471bc06464142165e59733fa102a18b052782a5307d59c31b8b13c1af7dfff6f6e7bf44e880d44e26e96c50a72f72a30c07",
+ "key_id": 74,
+}
+```
+
+### Constraints
+
+- If `root` is defined for the namespace, the first epoch must match it (number and digest).
+- Epochs must be increasing. Second epoch is 2, third is 3, etc.
+- Epochs must have a unique digest or it will be rejected.
+- Epochs cannot be republished.
+- Digest must be a 32 byte string hex encoded (length 64).
+
+If a namespace is disabled, you receive the following error:
+
+```txt
+HTTP 400 Bad Request
+Namespace is disabled and read-only.
+```
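Review bot: The "Publish a new epoch" example is described as mTLS-authenticated, but the curl invocation presents no client certificate, so copied as-is it will be rejected at the TLS handshake or by the API; add the credentials to the example, e.g. `curl --cert <client-cert.pem> --key <client-key.pem> 'https://plexi.key-transparency.cloudflare.com/namespaces/{namespace}/audits' \`, and say where a Log owner obtains that certificate. The response body has a trailing comma after `"key_id": 74,`, which is not valid JSON. Under Constraints, `Epochs must be increasing` next to `Second epoch is 2, third is 3` reads as strictly consecutive rather than merely increasing; state which one the Auditor enforces, since a Log that skips a number needs to know whether the request is rejected. Nothing on the page tells the reader to verify the returned `signature` against the key published at `/info` before treating an epoch as audited; a one-line pointer would close that gap.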
diff --git a/src/content/docs/key-transparency/api/index.mdx b/src/content/docs/key-transparency/api/index.mdx
new file mode 100644
index 00000000000000..e2f4ef456c940b
--- /dev/null
+++ b/src/content/docs/key-transparency/api/index.mdx
@@ -0,0 +1,12 @@
+---
+title: API
+pcx_content_type: navigation
+sidebar:
+ order: 1
+ group:
+ hideIndex: true
+---
+
+import { DirectoryListing } from "~/components"
+
+
\ No newline at end of file
diff --git a/src/content/docs/key-transparency/api/namespaces.mdx b/src/content/docs/key-transparency/api/namespaces.mdx
new file mode 100644
index 00000000000000..713d55186f52f3
--- /dev/null
+++ b/src/content/docs/key-transparency/api/namespaces.mdx
@@ -0,0 +1,86 @@
+---
+pcx_content_type: overview
+title: Namespaces
+sidebar:
+ order: 2
+---
+
+The Cloudflare Key Transparency API is organized in namespaces, each one representing a Log monitored by Cloudflare Auditor. If you want to register a namespace, contact us.
+
+## Create a namespace
+
+The following fields are required when making a `POST` request:
+
+- `name`
+- `public`
+- `root`
+- `signature_version`:
+ - 0x0001 for [Protobuf serialisation](https://github.com/cloudflare/plexi/blob/main/plexi_core/src/proto/specs/types.proto) Ed25519 signature from the Auditor
+ - 0x0002 for [bincode serialisation](https://github.com/bincode-org/bincode/blob/trunk/docs/spec.md) E25519 serialisation by the Auditor
+
+The `log_directory` field is optional. If set, Cloudflare will use it to fetch audit proofs and validate them.
+
+This API is authenticated via [mTLS](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/).
+
+```sh
+curl 'https://plexi.key-transparency.cloudflare.com/namespaces' \
+ --header 'Content-Type: application/json' \
+ --data '{
+ "name": "your.new.log.com",
+ "root": "1/1111111111111111111111111111111111111111111111111111111111111111",
+ "log_directory": "https://your.new.log.com/path/to/proofs",
+ "signature_version": 1
+ }'
+{
+ "name": "your.new.log.com",
+ "log_directory": "https://your.new.log.com/path/to/proofs",
+ "root": "1/1111111111111111111111111111111111111111111111111111111111111111",
+ "status": "Initialization",
+ "reports_uri": "/namespaces/your.new.log.com/reports",
+ "audits_uri": "/namespaces/your.new.log.com/audits",
+ "signature_version": 1
+}
+```
+
+After publishing the first epoch, `status` will show `Online`. Possible statuses include:
+- `Online`
+- `Initialization`
+- `Disabled`
+
+## List all namespaces
+
+Refer to the example below to get information about all public namespaces.
+
+```sh
+curl 'https://plexi.key-transparency.cloudflare.com/namespaces'
+{
+ "namespaces": [
+ { "name": "your.new.log.com", "root": "1/abc", "reports_uri": "/namespaces/your.new.log.com/reports", "audits_uri": "/namespaces/your.new.log.com/audits", "log_directory": "https://your.new.log.com/path/to/proofs", "status": "online" },
+ { "name": "my.new.log.com", "reports_uri": "/namespaces/meta-bt-2024/reports", "audits_uri": "/namespaces/meta-bt-2024/audits", "status": "initialization" }
+ ]
+}
+```
+
+## Disable a namespace
+
+If a log state has been corrupted, lost, or needs to be sharded to be maintainable, the Auditor allows the Log operator to mark a namespace as `Disabled`.
+
+This API is authenticated via [mTLS](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/).
+
+
+```sh
+curl -X PATCH 'https://plexi.key-transparency.cloudflare.com/namespaces/{namespace}' \
+ -H 'Content-Type: application/json' \
+ -d '{
+ "status": "Disabled"
+ }'
+{
+ "name": "your.new.log.com",
+ "log_directory": "https://your.new.log.com/path/to/proofs",
+ "root": "1/1111111111111111111111111111111111111111111111111111111111111111",
+ "status": "Disabled",
+ "reports_uri": "/namespaces/your.new.log.com/reports",
+ "audits_uri": "/namespaces/your.new.log.com/audits",
+ "signature_version": 1
+}
+```
\ No newline at end of file
diff --git a/src/content/docs/key-transparency/index.mdx b/src/content/docs/key-transparency/index.mdx
new file mode 100644
index 00000000000000..c60e75a28e0772
--- /dev/null
+++ b/src/content/docs/key-transparency/index.mdx
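Review bot: Several values in this page contradict each other and will trip readers who copy them: `signature_version` is documented as `0x0001`/`0x0002` while both examples send `1`; the second bullet reads `E25519 serialisation by the Auditor` where the first says `Ed25519 signature`; the list response uses lowercase `"online"`/`"initialization"` while the create and disable responses use `Online`/`Initialization`; the `my.new.log.com` entry points its `reports_uri`/`audits_uri` at `/namespaces/meta-bt-2024/`; and `"root": "1/abc"` cannot satisfy the 64-hex-character digest rule stated on the Epochs page. `public` is listed as a required field but never appears in the request body, so its type and effect (presumably whether the namespace shows up in the unauthenticated list — confirm) should be shown. Both mTLS-authenticated curl examples also omit the client certificate; add `--cert`/`--key` so the examples are runnable and the trust boundary is visible.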
@@ -0,0 +1,36 @@ +--- +title: Overview +pcx_content_type: overview +sidebar: + order: 1 +head: + - tag: title + content: Key Transparency Auditor + +--- + +import { CardGrid, Description, Feature, LinkTitleCard, RelatedProduct } from "~/components" + + + +Secure the distribution of public keys in your end-to-end encrypted (E2EE) messaging systems + + + +Cloudflare's Key Transparency Auditor aims to secure the distribution of public keys for end-to-end encrypted (E2EE) messaging systems like [WhatsApp](https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/). It achieves this by building a verifiable append-only data structure called a Log, similar to [Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency). + +Cloudflare acts as an auditor of Key Transparency Logs to ensure the transparency of end-to-end encrypted messaging public keys. Cloudflare provides an API for anyone to monitor the verification work we perform, and verify the state of its associated Logs locally. + +## Related products + + + +Certificate Transparency (CT) Monitoring is an opt-in feature in public beta that aims to improve security by allowing you to double-check any SSL/TLS certificates issued for your domain. + + + + + +Privacy Gateway is a managed service deployed on Cloudflare's global network that implements part of the [Oblivious HTTP (OHTTP) IETF](https://www.ietf.org/archive/id/draft-thomson-http-oblivious-01.html) standard. The goal of Privacy Gateway and Oblivious HTTP is to hide the client's IP address when interacting with an application backend. + + diff --git a/src/content/docs/key-transparency/monitor-the-auditor/index.mdx b/src/content/docs/key-transparency/monitor-the-auditor/index.mdx new file mode 100644 index 00000000000000..6ccfdf1ce5d5ab --- /dev/null +++ b/src/content/docs/key-transparency/monitor-the-auditor/index.mdx 
@@ -0,0 +1,72 @@
+---
+pcx_content_type: overview
+title: Monitor the Auditor
+sidebar:
+ order: 2
+---
+
+Cloudflare's Key Transparency Auditor validates Log audit proofs and provides a signature for them. The Log can then distribute these signatures to its end-users, and provides users with confidence that keys have not been tampered with.
+
+In order to verify our work, you can use [Plexi](https://github.com/cloudflare/plexi), a CLI tool that allows anyone to perform proof verification locally via a public [API](/key-transparency/api/).
+
+## Features
+
+- Verify authenticity of a signature, to confirm it has been signed by a given public key
+- Verify the validity of [facebook/akd](https://github.com/facebook/akd) proofs
+- List Logs an Auditor monitors
+
+## Installation
+
+| Environment | CLI Command |
+| :------------------------------------------------------------ | :-------------------- |
+| [Cargo](https://www.rust-lang.org/tools/install) (Rust 1.76+) | `cargo install plexi` |
+
+## Usage
+
+Use the `--help` option for more details about the commands and their options.
+
+```bash
+plexi [OPTIONS]
+```
+
+### Configure your auditor remote
+
+`plexi` does not come with a default remote auditor, and you will need to choose your own.
+
+You can do so either by passing `--remote-url=` or setting the `PLEXI_REMOTE_URL` environment variable.
+
+A common remote is provided below:
+
+| Name | Remote |
+| :--------- | :---------------------------------------------- |
+| Cloudflare | `https://plexi.key-transparency.cloudflare.com` |
+
+If you have deployed your own auditor, you can add a remote by filing a [GitHub issue](https://github.com/cloudflare/plexi/issues).
+
+### List monitored Logs
+
+An auditor monitors multiple Logs at once. To discover which Logs an auditor is monitoring, run the following:
+
+```shell
+plexi ls --remote-url 'https://plexi.key-transparency.cloudflare.com'
+whatsapp.key-transparency.v1
+```
+
+### Audit a signature
+
+The Key Transparency Auditor vouches for Log validity by ensuring epoch uniqueness and verifying the associated proof.
+
+`plexi audit` provides information about a given epoch and its validity. It can perform a local audit to confirm the auditor behaviour.
+
+For instance, to verify WhatsApp Log auditted by Cloudflare Auditor, run the following:
+
+```shell
+> plexi audit --remote-url 'https://plexi.key-transparency.cloudflare.com' --namespace 'whatsapp.key-transparency.v1' --long
+Namespace: whatsapp.key-transparency.v1
+Ciphersuite: ed25519(protobuf)
+Timestamp: 2024-09-19T09:59:44Z
+Epoch height: 476847
+Epoch digest: 9d217c91dc629d16a3b1379e8fd7c949c27b1b6038259e3918bd0da3cd6c34d1
+Signature: e4c83e3091ba8764752120bd7a726a28759d25a01f39d07131d6ba66a913d58d8f0f48f63bc7e037cc5ddd81dc76acc847dbf8d02b2f55251e6f2b1f00191902
+Verification: success
+```
diff --git a/src/content/products/key-transparency.yaml b/src/content/products/key-transparency.yaml
new file mode 100644
index 00000000000000..4bd1a6ad33b55b
--- /dev/null
+++ b/src/content/products/key-transparency.yaml
@@ -0,0 +1,21 @@
+name: Key Transparency Auditor
+
+product:
+ title: Key Transparency Auditor
+ url: /key-transparency/
+ group: Application security
+
+meta:
+ title: Key Transparency Auditor
+ description:
+ Key Transparency Auditor docs
+ author: "@cloudflare"
+
+externals:
+ - title: Cloudflare homepage
+ url: https://cloudflare.com
+
+algolia:
+ index: TEST - Re-dev docs
+ apikey: 4edb0a6cef3338ff4bcfbc6b3d2db56b
+ product: security-center
diff --git a/src/icons/key-transparency.svg b/src/icons/key-transparency.svg
new file mode 100644
index 00000000000000..63dfbeec970f30
--- /dev/null
+++ b/src/icons/key-transparency.svg
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
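Review bot: The Features list says a signature is checked against "a given public key", but nothing on the page says where `plexi audit` obtains the Auditor's key or how to pin it: the example takes only `--remote-url` and `--namespace`, so if the key is fetched from the same remote, `Verification: success` shows only that the response is self-consistent over TLS to that host, not that it was signed by the key an operator expects. Add a sentence under "Audit a signature" stating whether the key ships with the tool, comes from a separate endpoint, or must be supplied on the command line, and how to compare it out of band — this cannot be confirmed from the page alone. Minor: `auditted` should be `audited`, and the sample output will drift as the Log grows, so a note that the epoch and signature shown are illustrative would stop readers treating a mismatch as a failure.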
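Review bot: The `algolia` block looks copied from another product config rather than written for this one: `index: TEST - Re-dev docs` names a test index and `product: security-center` does not match the `Key Transparency Auditor` product defined above, so site search for these pages would be scoped to the wrong place. The `apikey` is committed to the repository; Algolia search keys are normally public search-only keys, but confirm that this is the search-only key for the intended production index rather than a write-capable one before merging, and record that in a comment, e.g. `# search-only key, safe to publish`.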
From 8e154e99acb59966200015149ac59be1484c185f Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Tue, 24 Sep 2024 12:24:02 +0100 Subject: [PATCH 33/54] [DNS] Add DNS analytics update (#17025) * Add deprecating info on the previous analytics API and properties * Remove references to advanced NSs being required for GraphQL * Move content from graphql-analytics.mdx into new page and create redirect * Update features list with time limits for new Analytics * Update mentions to DNS in the Analytics tile * Remove legacy refs, add placeholders for all sections, and describe overview * Add dimensions list, describe query stats, and re-org h4s into bullets * Finish describing all panels and add avilability and limits * Remove outdated info on limits from API section * Add note about processing time vs response time * Remove redundant expression * Re-apply availability and plan limits to index.json * Change link text - small change just to run actions again * Revert last small change --- public/_redirects | 1 + .../zone-analytics.mdx | 15 ++++- .../docs/analytics/types-of-analytics.mdx | 4 +- .../docs/dns/additional-options/analytics.mdx | 61 ++++++++++++++++--- .../dns/foundation-dns/graphql-analytics.mdx | 29 --------- src/content/docs/dns/foundation-dns/index.mdx | 1 - src/content/docs/dns/foundation-dns/setup.mdx | 2 - .../reference/analytics-api-properties.mdx | 10 ++- src/content/plans/index.json | 28 ++++----- 9 files changed, 88 insertions(+), 63 deletions(-) delete mode 100644 src/content/docs/dns/foundation-dns/graphql-analytics.mdx diff --git a/public/_redirects b/public/_redirects index 2ca453ce37cd6a..b5d24ef97e1db8 100644 --- a/public/_redirects +++ b/public/_redirects 
@@ -313,6 +313,7 @@ /dns/additional-options/cname-flattening/ /dns/cname-flattening/ 301 /dns/additional-options/dnssec/ /dns/dnssec/ 301 /dns/faq/ /dns/troubleshooting/ 301 +/dns/foundation-dns/graphql-analytics/ /dns/additional-options/analytics/ 301 /dns/manage-dns-records/how-to/dns-load-balancing/ /dns/manage-dns-records/how-to/round-robin-dns/ 301 /dns/manage-dns-records/how-to/create-root-domain/ /dns/manage-dns-records/how-to/create-zone-apex/ 301 /dns/reference/troubleshooting/ /dns/reference/recommended-third-party-tools/ 301 diff --git a/src/content/docs/analytics/account-and-zone-analytics/zone-analytics.mdx b/src/content/docs/analytics/account-and-zone-analytics/zone-analytics.mdx index ca71f4f0a0fbed..9b64ddb711e2c8 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/zone-analytics.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/zone-analytics.mdx @@ -7,6 +7,9 @@ sidebar: --- +import { Badge } from "~/components"; + + The Cloudflare zone analytics is a major component of the overall Cloudflare Analytics product line.  Specifically, this app gives you access to a wide range of metrics, collected at the website or domain level. :::note @@ -14,7 +17,7 @@ The Cloudflare zone analytics is a major component of the overall Cloudflare Ana Read [Cloudflare Analytics](/analytics/faq/about-analytics/) for general information about all of Cloudflare's analytics offerings. You can also understand the characteristics of the data that Cloudflare -captures and processes. +captures and processes. ::: *** @@ -55,7 +58,7 @@ These metrics include legitimate user requests as well as crawlers and threats. :::note Privacy-first Web Traffic Analytics are available on the Pro, Business, -and Enterprise plans. +and Enterprise plans. ::: Analytics are based on Cloudflare’s edge logs, with no need for third party scripts or trackers. The Traffic tab features the following metrics: 
@@ -86,7 +89,13 @@ The metrics aggregated under this tab span multiple Cloudflare services.  The p * **Origin Performance (Argo)** (add-on service) - Displays metrics related to response time between the Cloudflare edge network and origin servers for the last 48 hours.  For additional details, refer to [Argo Analytics](/argo-smart-routing/analytics/). * **Overview** - Displays a set of pie charts for: **Client HTTP Version Used**, **Bandwidth Saved**, and **Content Type Breakdown**. If available, the expandable **Details** link display a table with numerical data. -### DNS +### DNS + +:::note[New DNS analytics] +The **Analytics** > **DNS** tab will be deprecated soon. + +To access the new analytics dashboard, go to **DNS** > **Analytics**. Refer to [Analytics and logs](/dns/additional-options/analytics/) for details. +::: The DNS tab presents statistics for DNS queries.  Note that metrics are available as long as Cloudflare is the site’s authoritative DNS server, even if the site is not proxied by Cloudflare. Therefore, DNS metrics are not offered for sites with a [CNAME Setup](/dns/zone-setups/partial-setup/). diff --git a/src/content/docs/analytics/types-of-analytics.mdx b/src/content/docs/analytics/types-of-analytics.mdx index 80272300dd5ca3..723065f45febe0 100644 --- a/src/content/docs/analytics/types-of-analytics.mdx +++ b/src/content/docs/analytics/types-of-analytics.mdx @@ -6,6 +6,8 @@ sidebar: --- +import { Badge } from "~/components"; + Cloudflare Analytics is a comprehensive product that encompasses all metadata generated by the Cloudflare network. You can access these insights through the Cloudflare dashboard. Depending on where in the dashboard you are, it will show you different aspects from the collected metadata. ## Account-level analytics 
@@ -40,7 +42,7 @@ Data available under the **Analytics & Logs** section includes: * **Security** - Total Threats, Top Crawlers/Bots, Rate Limiting, Total Threats Stopped. * **Performance** - Origin Performance, Bandwidth Saved. * **Edge Reachability** - [Last mile insights](/network-error-logging/) for Enterprise customers. -* **DNS** - DNS Queries by Response Code, Record Type, and Cloudflare Data Center. [Available metrics](/analytics/account-and-zone-analytics/zone-analytics/#dns) vary according to the zone plan. +* **DNS** - DNS Queries by Response Code, Record Type, and Cloudflare Data Center. [Available metrics](/analytics/account-and-zone-analytics/zone-analytics/#dns-) vary according to the zone plan. For information on the new DNS analytics refer to [Analytics and logs](/dns/additional-options/analytics/). * **Workers** - [Detailed information](/workers/observability/metrics-and-analytics/) related to your Workers per zone, and Workers KV per account. * **Logs** - [Detailed logs](/logs/) of the metadata generated by Cloudflare products for Enterprise customers. * **Instant logs** - [Live stream of traffic](/logs/instant-logs/) for your domain. Enterprise customers can access this live stream from the Cloudflare dashboard or from a command-line interface (CLI). diff --git a/src/content/docs/dns/additional-options/analytics.mdx b/src/content/docs/dns/additional-options/analytics.mdx index 1f9218e3e2f692..b4e189adf50111 100644 --- a/src/content/docs/dns/additional-options/analytics.mdx +++ b/src/content/docs/dns/additional-options/analytics.mdx 
@@ -6,24 +6,67 @@ sidebar: --- +import { FeatureTable } from "~/components" + When you use Cloudflare DNS, you can access data about DNS queries through a variety of sources. +--- + ## Analytics -DNS analytics allow you to evaluate aggregate data about DNS queries to your zone. +DNS analytics allow you to evaluate data about DNS queries to your zone. + +You can [use the dashboard](#view-on-the-dashboard) to get insights quickly based on a [predefined set of dimensions](#available-dimensions), or [use the API](#explore-with-the-api) to have access to all fields available in the GraphQL DNS analytics schemas. + +### Availability and limits + + + +### View on the dashboard + +For a quick summary, view your DNS analytics on the dashboard: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. +2. Go to **DNS** > **Analytics**. + +The DNS analytics dashboard contains [four main panels](#dns-analytics-panels). The filters and time frame that you specify at the top of the page apply to all of them. -:::note +#### Available dimensions -If you have [Foundation DNS](/dns/foundation-dns/) and advanced nameservers are enabled, analytics for your zone are available in **DNS** > **Analytics**. Refer to [GraphQL DNS analytics](/dns/foundation-dns/graphql-analytics/) for details. -::: +- Query name +- Query type (same as DNS record type) +- Response code +- Data center +- Source IP +- Destination IP +- Protocol +- IP version -For a quick summary, view your DNS analytics in the dashboard: +#### DNS analytics panels -1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. -2. Select your zone. -3. Go to **Analytics** > **DNS**. +- **Query overview**: the number of queries per hour and their distribution over time. This information is segmented by each of the [available dimensions](#available-dimensions) and the graph displays the top five values. 
You can select the dimensions through the different tabs above the graph and quickly filter for or exclude a certain value from the results by hovering over it and selecting **Filter** or **Exclude**. -For more detailed metrics, you can use the [DNS analytics operation](/api/operations/dns-analytics-table) along with the available [Analytics API properties](/dns/reference/analytics-api-properties/). +- **Query statistics**: an overview of query metrics based on your filters and selected time frame. Namely, **Total queries**, **Average queries per second**, and **Average processing time**. The average processing time is displayed in milliseconds and includes upstream queries in the case of [flattened CNAME records](/dns/cname-flattening/). + + :::note + Processing time is different from response time. Response time would have to include information that is not available to Cloudflare, such as how long the query takes from the client to the resolver and from the resolver to Cloudflare (as your authoritative DNS provider). + ::: + +- **DNS queries by data center**: a map indicating which Cloudflare data centers have handled DNS queries to your zone in the selected time period. You can also find a list of the ten top results and quickly filter for or exclude a certain data center from the results by hovering over it and selecting **Filter** or **Exclude**. + +- **Queries by source**: a breakdown of the top five, ten, or fifteen results - based on your selection - and grouped by the [available dimensions](#available-dimensions). + + +### Explore with the API + +For more detailed metrics, use the [GraphQL API](/analytics/graphql-api/). Refer to the GraphQL Analytics API documentation for guidance on how to [get started](/analytics/graphql-api/getting-started/). + +The DNS analytics has two [schemas](/analytics/graphql-api/getting-started/querying-basics/): + +* `dnsAnalyticsAdaptive`: Retrieve information about individual DNS queries. 
+* `dnsAnalyticsAdaptiveGroups`: Get reports on aggregate information only. + +--- ## Logs diff --git a/src/content/docs/dns/foundation-dns/graphql-analytics.mdx b/src/content/docs/dns/foundation-dns/graphql-analytics.mdx deleted file mode 100644 index 5b6f3239378321..00000000000000 --- a/src/content/docs/dns/foundation-dns/graphql-analytics.mdx +++ /dev/null @@ -1,29 +0,0 @@ ---- -pcx_content_type: concept -title: GraphQL DNS analytics -sidebar: - order: 4 - ---- - -With advanced nameservers, analytics accessible by [GraphQL](/analytics/graphql-api/) become available. - -Once you [enable advanced nameservers](/dns/foundation-dns/setup/), [update your registrar or parent zone](/dns/nameservers/update-nameservers/), and wait for the time-to-live (TTL) of the previous nameservers to expire, you will be able to use the GraphQL DNS analytics on your zone. - -## View on the dashboard - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. -2. Go to **DNS** > **Analytics**. - -## Explore with the API - -Refer to the GraphQL Analytics API documentation for guidance on how to [get started](/analytics/graphql-api/getting-started/). - -The DNS analytics has two [schemas](/analytics/graphql-api/getting-started/querying-basics/): - -* `dnsAnalyticsAdaptive`: Retrieve information about individual DNS queries. -* `dnsAnalyticsAdaptiveGroups`: Get reports on aggregate information only. - -## Time limits - -You can configure a maximum time frame over which analytics can be queried of up to 31 days. diff --git a/src/content/docs/dns/foundation-dns/index.mdx b/src/content/docs/dns/foundation-dns/index.mdx index 0cee74f0ebc471..3542b1eda45dfe 100644 --- a/src/content/docs/dns/foundation-dns/index.mdx +++ b/src/content/docs/dns/foundation-dns/index.mdx 
@@ -15,7 +15,6 @@ With Foundation DNS, you get access to increased reliability, security, and insi * Reduced exposure to incidents or software regression * More consistent nameserver assignment * DNSSEC keys unique to your account -* [GraphQL DNS analytics](/dns/foundation-dns/graphql-analytics/) ## Availability diff --git a/src/content/docs/dns/foundation-dns/setup.mdx b/src/content/docs/dns/foundation-dns/setup.mdx index 018fb0a7c5f84b..95703d70ee5b16 100644 --- a/src/content/docs/dns/foundation-dns/setup.mdx +++ b/src/content/docs/dns/foundation-dns/setup.mdx @@ -10,8 +10,6 @@ import { TabItem, Tabs } from "~/components"; Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) are an opt-in configuration. -Having advanced namservers configured is a requirement for you to have access to the new [GraphQL DNS analytics](/dns/foundation-dns/graphql-analytics/). - ## Enable on a zone To enable advanced nameservers on an existing zone: diff --git a/src/content/docs/dns/reference/analytics-api-properties.mdx b/src/content/docs/dns/reference/analytics-api-properties.mdx index 5159620e6402eb..6184e997dae0d9 100644 --- a/src/content/docs/dns/reference/analytics-api-properties.mdx +++ b/src/content/docs/dns/reference/analytics-api-properties.mdx @@ -3,6 +3,9 @@ pcx_content_type: reference title: Analytics API properties sidebar: order: 1 + badge: + variant: caution + text: Legacy head: [] description: API properties that you can use in API requests for Cloudflare DNS analytics. 
@@ -10,11 +13,12 @@ description: API properties that you can use in API requests for Cloudflare DNS import { Details, Render } from "~/components" -This page describes API properties that you can use in [API requests for DNS analytics](/api/operations/dns-analytics-table). +This page describes API properties that you can use in requests to the [DNS analytics API](/api/operations/dns-analytics-table). -:::note +:::caution[Warning] +The [DNS analytics API](/api/operations/dns-analytics-table), along with the following [API properties](/dns/reference/analytics-api-properties/), will be deprecated soon. -If you have [Foundation DNS](/dns/foundation-dns/) and advanced nameservers are enabled, analytics for your zone are accessible by [GraphQL](/analytics/graphql-api/). Refer to [GraphQL DNS analytics](/dns/foundation-dns/graphql-analytics/) for details. +To access the new analytics dashboard, go to **DNS** > **Analytics**. Refer to [Analytics and logs](/dns/additional-options/analytics/) for details. ::: ## Metrics diff --git a/src/content/plans/index.json b/src/content/plans/index.json index 6b0dfcd32a3e8b..72c05d5690fa1e 100644 --- a/src/content/plans/index.json +++ b/src/content/plans/index.json @@ -549,14 +549,6 @@ "pro": "No", "biz": "No", "ent": "Included with [Foundation DNS](/dns/foundation-dns/)" - }, - "graphql_analytics": { - "title": "GraphQL DNS analytics", - "summary": "Advanced nameservers analytics are accessible by GraphQL", - "free": "No", - "pro": "No", - "biz": "No", - "ent": "Yes" } } }, @@ -598,7 +590,7 @@ }, "dns_analytics": { "title": "DNS analytics", - "link": "/analytics/account-and-zone-analytics/zone-analytics/", + "link": "/dns/additional-options/analytics/", "properties": { "availability": { "title": "Availability", 
@@ -608,13 +600,19 @@ "biz": "Yes", "ent": "Yes" }, + "maximum_duration": { + "title": "Maximum time interval", + "free": "2 days", + "pro": "31 days", + "biz": "31 days", + "ent": "31 days" + }, "historical_data": { - "title": "Historical time", - "free": "6 hours", - "pro": "24 hours", - "pro_plus": "36 hours", - "biz": "7 days", - "ent": "30 days" + "title": "Historical data", + "free": "8 days", + "pro": "31 days", + "biz": "31 days", + "ent": "31 days" } } }, From e199a746e352098b04b70c97eaed6a6d08389ad3 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Tue, 24 Sep 2024 14:02:55 +0100 Subject: [PATCH 34/54] [1.1.1.1] Refer safer browsing partnership (#17031) * Make page on ISPs more visible from main setup page * Add blog placeholder link to network-operators.mdx * Review blog placeholder hyperlink text for clarity * Apply suggestion from code review Co-authored-by: angelampcosta <92738954+angelampcosta@users.noreply.github.com> * Add specific URL slug to blog link --------- Co-authored-by: angelampcosta <92738954+angelampcosta@users.noreply.github.com> --- src/content/docs/1.1.1.1/infrastructure/network-operators.mdx | 4 +++- src/content/docs/1.1.1.1/setup/index.mdx | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx b/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx index 152d3e5d28c8c6..53ae91d8beef60 100644 --- a/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx +++ b/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx 
@@ -5,7 +5,9 @@ slug: 1.1.1.1/infrastructure/network-operators --- -Network operators, including Internet Service Providers (ISPs), device manufacturers, public Wi-Fi networks, municipal broadband providers, and security scanning services can use [1.1.1.1](/1.1.1.1/setup/) and [1.1.1.1 for Families](/1.1.1.1/setup/#1111-for-families) in place of operating their own recursive DNS infrastructure. +Network operators, including Internet Service Providers (ISPs), device manufacturers, public Wi-Fi networks, municipal broadband providers, and security scanning services can use [1.1.1.1](/1.1.1.1/setup/) in place of operating their own recursive DNS infrastructure. + +Cloudflare also partners with ISPs and network equipment providers to make [1.1.1.1 for Families](/1.1.1.1/setup/#1111-for-families) available within their offerings. Refer to our [blog post](https://blog.cloudflare.com/safer-resolver/) for details. Using 1.1.1.1 can improve performance for end-users due to Cloudflare's extensive [global network](https://www.cloudflare.com/network/), as well as provide higher overall cache hit rates due to our regional caches. diff --git a/src/content/docs/1.1.1.1/setup/index.mdx b/src/content/docs/1.1.1.1/setup/index.mdx index 4c8e2137871131..cd0590d5144bfe 100644 --- a/src/content/docs/1.1.1.1/setup/index.mdx +++ b/src/content/docs/1.1.1.1/setup/index.mdx 
@@ -13,7 +13,9 @@ slug: 1.1.1.1/setup import { Details, DirectoryListing, Render } from "~/components" -By default, the [DNS server](https://www.cloudflare.com/learning/dns/what-is-dns/) your devices use is provided by your Internet provider. To start using 1.1.1.1 for your DNS queries, you will need to change the DNS settings in your device or router. +By default, the [DNS server](https://www.cloudflare.com/learning/dns/what-is-dns/) your devices use is provided by your Internet service provider (ISP). Some [ISPs and network equipment providers](/1.1.1.1/infrastructure/network-operators/) partner with Cloudflare to add safer browsing to their offerings. + +If your providers are not currently using Cloudflare, you can change the DNS settings on your device or router as detailed in the following instructions.
From 776107ab7e07af6031de45fa572f340ebca10924 Mon Sep 17 00:00:00 2001 From: Thibault Date: Tue, 24 Sep 2024 15:21:47 +0200 Subject: [PATCH 35/54] [Key Transparency auditor] Add plexi@0.1.0 long output (#17052) Update the code associated to plexi audit long output --- .../monitor-the-auditor/index.mdx | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/src/content/docs/key-transparency/monitor-the-auditor/index.mdx b/src/content/docs/key-transparency/monitor-the-auditor/index.mdx index 6ccfdf1ce5d5ab..55e36a49bd338e 100644 --- a/src/content/docs/key-transparency/monitor-the-auditor/index.mdx +++ b/src/content/docs/key-transparency/monitor-the-auditor/index.mdx @@ -62,11 +62,14 @@ For instance, to verify WhatsApp Log auditted by Cloudflare Auditor, run the fol ```shell > plexi audit --remote-url 'https://plexi.key-transparency.cloudflare.com' --namespace 'whatsapp.key-transparency.v1' --long -Namespace: whatsapp.key-transparency.v1 -Ciphersuite: ed25519(protobuf) -Timestamp: 2024-09-19T09:59:44Z -Epoch height: 476847 -Epoch digest: 9d217c91dc629d16a3b1379e8fd7c949c27b1b6038259e3918bd0da3cd6c34d1 -Signature: e4c83e3091ba8764752120bd7a726a28759d25a01f39d07131d6ba66a913d58d8f0f48f63bc7e037cc5ddd81dc76acc847dbf8d02b2f55251e6f2b1f00191902 -Verification: success +Namespace + Name : whatsapp.key-transparency.v1 + Ciphersuite : ed25519(protobuf) + +Signature (2024-09-23T16:53:45Z) + Epoch height : 489193 + Epoch digest : cbe5097ae832a3ae51ad866104ffd4aa1f7479e873fd18df9cb96a02fc91ebfe + Signature : fe94973e19da826487b637c019d3ce52f0c08093ada00b4fe6563e2f8117b4345121342bc33aae249be47979dfe704478e2c18aed86e674df9f934b718949c08 + Signature verification: success + Proof verification : success ``` From cbc1aef17996980f56739e9a2aaeb849feab5b33 Mon Sep 17 00:00:00 2001 
From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Date: Tue, 24 Sep 2024 14:38:16 +0100 Subject: [PATCH 36/54] [MT] Tunnel-in-tunnel charts (#17053) * added tunnel-in-tunnel imgs * refined img --- .../images/magic-transit/mtu-mss/ipsec-mss.png | Bin 0 -> 85631 bytes .../images/magic-transit/mtu-mss/tcp-mss.png | Bin 0 -> 82502 bytes .../partials/magic-transit/mtu-mss/mt-dsr.mdx | 6 +++++- 3 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 src/assets/images/magic-transit/mtu-mss/ipsec-mss.png create mode 100644 src/assets/images/magic-transit/mtu-mss/tcp-mss.png 
diff --git a/src/assets/images/magic-transit/mtu-mss/ipsec-mss.png b/src/assets/images/magic-transit/mtu-mss/ipsec-mss.png new file mode 100644 index 0000000000000000000000000000000000000000..315bae52a7523de3479776c07ac3f4c156587c51 GIT binary patch literal 85631 zcmeEugbR!Hkl8PeTAl)I|APq{_2na|kHFSqC z47_{v-Yeek?>~6&ejeq_oOAYBd+oJ8E6?~nRFWpRNO2JYfe^^bNIr%@@DUIQmJTj9 z_$Fnu9ejXXcrK#}g+NGeqW@vYK4#biUt&NXOW%hS_E9Z?4_K!66z@SGB_Vjn&(1?I zl&;81-h1MLu{vp;pS0)xb!(b~usH~a-<6m)(U(J}`%{xz>?;;J9P@{1))#cgx9B2@ zr=R%w7}ToN(8bUy@-5P}I#Dt^Xw7?nQKI`y!KvuCD$~|#L2|W|k$#lH3imMvf*_cl z$;oBAZ$lKBtlMCp{1)jcmIM{OzBIg5y|JQw>2yVKbHQydzJ{G1(D%>qN-DVU&j)aj z;?IwB_A`qgSm^JO68_(5G&lZZ%TJm3PaJ-!#((1QpE&%IgrEQaCl3FK!++xNpOO3} z1OFMxUwrrv75_uU|4{KiRQwMW$>Nib=a{zAucL11S9F?+>HSuVrtKFm7Gtc+OAPdb&Yme`EUk;NW11VS8}( zfu6_V{LRxxsOZ~I1z$?q9qlgNd`m4~VmI4XP4q1y`Phg`)Xine8d^Ky!BL%Dw;n}B zSUy7cDeQ7M+dQnZqH}Gd8j%D$NQU>gA!BWWva_-bau#Z*$vs!ctM2ZvPmc5CYOYR< z+mGX0N9P`UlqaKxb{oGha79{%S%!~Uj&^&>|E5-dVi>E5%x!@yITq=BLVQB|DdAb? zd)iM?fkINupWXzjbmckC^xvARHm-}pkQ4Iiq`f(Z-X?jd?6ZDc2B;5(x>fOHJWP)d!W<<4*m&)osQEP~?IjqEbL4^J)1| zgV>~~Z5L{xC3@eT4QZb2>Q@wpXt*LzU`eL!cH@GKynzBW#Ossa4vUzpoga>D0}p-tU4)?my{QYc{Uuc z4l0X@RFU4)V75oPi5W&~Z!Emv8Oes(^jgPl4bjdYu1-|%q#bk#R%8#)IjvpbGmd)< ztMJT{T2HS&sh-An9V1pua`lm%>~sIT;JUvf%D15cD-tH@MWhJZu1#0eRjoO8v*%V% zni2|TwQauDx1k-R0N zbfL4zb$>P1Rjg`>RIhv*UQB!Xqp?6zd@`8F_kH?piEwy5>U^+5a?bK7+V>*QvJ|4Lfer{xPeb7%&}8E) z{SEt0DW#4p!(`Ei!}ZiNb6Sx(_dogO_|r=VYww~AMm$!(mMGCi7GdHLw(vU!3_KRK z?PX_5exp6TuoK;gIp1KKFzDtJ*Z8(NdH;y-V3N?QDU3R9^Sd6*XF_78Qd{Mcbhhh5g3?42FvL^l+7+{Q?J8FhU41YlV?hg2rd2aoGe zLhnYBEaTw%Q*XD+4igqks~aW_-gCM$AB+&zc2O*dXf0O5*W}1}dOBr(uZR5t*sdmR z*R_gk?s|+-kz##tuXOdvS5XVsk)|%6gZaB$D;|ks^ICAp-_1ELa7P3h zMRQ(Y7;PK%-Wfh9beaVb3b;&?mx?Ua7M)5Np3{CJJL>#1&PtU#1;yk=H4L8jc(99k$ zi&%MTP8yaWGo^_S6Whzi=EjMg?M6Pv9W|mIDrVd%`lyv3WoO%r_H-PCrkoLv= zhp;9Krap}5M9xe`0($(8lyq`UZM)X1Xv5n#7rGyrlt4C+q#HhN)Dep8fWM=7xSLK@ zq@dObXn+pLRmrlUZrLe@aY*|KkHsM#-4CNX)nP1}6TIfFQ5A1flS86>6_%h=>(pC| 
z0`_X5kE1C2DHZpfH4UZ_>jp@!nP}0|Dx1WogMpQC2h7Q93kT$KJO_#GHXcdOlw7I1 z59e4vQE}!)m&c2Cx49+&PHpxVrxWRjzR%Xh>nDIQPjUGd?G6ha>Bkvf>3-J_qW?MJRV2ULk)Ns6x|7?mEXKjM^Q9 za;Oxl?Cg9Yyzif|9R9M`&7K;#66^==O7BKXjk~ow!o?cVZkoo;MqBASu6K+>JC_BGy7)5~-2J$|A$QOtT8#?{v=*5 zwo4+r4@Y)n$fb?&`-?6cl{?}+iHmp~Cnk1*GpUQ27f&&x6B!+$k4@cfq#q7%y-)JG zt3-Z|CucjBbM@p8=Ka?6pzLS&cWU8fL?e;%u!8H+Bmoirvm z^(VN5dB%w8EtW=F$79Gs2jrE;Zw(5>Z5-Gim!g1gL!GUhypDw-a6Ut!cd7E!#=dsp zO4NjMk=?zM<1l(@K}5;3Pd-XmrJrHk)5`J}%(k_55Zh6RcgSTY9fA66mSTWXk>7uOp9%ARIlrB4l8rt zkudTkGw^}rUXqdJpO=4j{f$>sGtR9XYY_E(a!#%9EJV$$0)aeSx*moQ!dq!C43s2gKNAyH?YE1S; zelyG~%4GRtAVhyi$itquO@Mc2?}wjWuVv8F6Jfkd|%{5{A7(3e1$9a{Q| z;2!hWwLKME8sHD|^{)MW1^7!(4~UU^Er3^RA<;4gm)5SoaptU)fg+@s4HruK&a%wX zBuKYP>i5Ye-x#n~d|c>@2oi@AE9aIY$FuZ5VMIU__@60l2wLu&wTwdlI0x2t!TGeD zJ-f|sgzjX{6WvDf*JyeO#DnqcNP_@n>_f!3=QR%ZTYsMee|@A9FxgW9^Je@^y+zl= z$m~{)&YZ@7!;hnXE>Tc~GHTZnW!xNyLlfYFIujp2@DtEitR25-8QtlBCuAG^qim8` z-P%`mW3}2>n&wOZZCr%$e68ZtV&p^X zD2EnXPr5TyV55n=$C*-%Y?RcCd)7DM(N4BVbts4bW%#aC#oh|t33A;xPm$ydIAR+q zLfAP@=HmO`**sIKSw;~fMfr9dqokQl;Sbyj;5=toWCkQ!!Pi#gn%(Z3_q=*BD!2|N z^Ay*G$j^{~3B)yqXb>m;?)Zj=8|BNs{3VIATR?=~f>0HxQetp}Fgvx~{>04q1qZs| zWNwk)cn=}N2O@;E=xm`R2o$?d`n;gL@ryHx&yK5d%>)Z#7@-2CfeB+T99f!tir-ry zo!to-&|AsQ?ZP)OTq zr>S8IqxGx4t%ylISdZ?fgnL|PDO!97wl7fE&6+ohyj&K~VT`k@dSjieHt@AB)yJbV z)8)NIUzl{fLKcVbuG*ArW8~3nq0Pq$l{rjf?`Ck zNK|QmOqluFd1ft(v4BDN!6)o(7N^bMu?4$t_s9aB{XKZl^glNUjDY$-J1^MH(IeZg zcLvA3k^nQLR$E8t`jSHY*cZhSxdh!@J+j$TG1YewXNh65#PkX~8YMdy8fe06yL>Xb zV%vi)!KY2)e%)}x>tjOTyWr%&u}yFe(A_tqBkzshpD`Ps1Aq@9bNfmrn`wx!sL)H(8{`YCZrn31bmKwYa`k+_ zm)EojoC2xUmX#7ZkN8D2DCjbt(S&uah!Zv2Zs^*{{+zsg+_ zmrL1My>#-u{%s@2;WH&c*E1V?9L{}S{}7}BH>$o2aS{wX%l62o+y`g8?F}n;Z}#L!Z93}yS~t9dnBV!&?szSG`F?md0NE8xM@~1*A~)V zbliXHt7S|5qLidqfevoyoYdaj?P}ktSk*G-xxb~swNqm>`1ZH5GIj!MjJ;eS;Yt2! 
zbKm*Wg91ELPryMlZiXknI1Ymy*pnM5q9OAUpi%&vX>H&+las17BoTnY*}}D za3N9)dMDYwWe7t}4bRa5_};-r@XHr-TV&N}<1li)MLfZCw|i^Y`Gm!Qh~)m1Gpz2Q zOwU)oYR%VU?t01T4E&&V9HvV`hZ%Hm(uZl+nH3@_HYITQiT`wHI>1@)NQ{HnWPS8z zyeQQ>)Vk-IYn=2{SyjW%JG<}gMQxIs!gsoM_;ue+xX7D^_l?OCH2uRX4LhLq^iBt# zh_k1B{hWt(a;?^jGzzNlj5SQZyi2mz42`F>zAEU}b&1xq? z=~;c23rLT1*#{@JiHS154T+DnHH7`KK#<8m6gy)10Nyb0_*~-rogzxF{x~g97=njy z2r;tpVR5Ib@pRJVAoG;c_H?b;1%aFn$n0Vkvpj8WTyoVS`iDw3w1G7s_eyZN&8WuJ z!z{W7H*GBR5y$cBEZuK=N@t?`ZmOc5OOeSiv8r)LUH+n@y{p}CyY-2&4}+{^Z^gjC z5fAD=M6?K8BM5slXLl**3gkPT3AyX( zr>l#2z>9>RLId6iJir!|_GCvcx36T=dmKwCTmcXioz1DpM4yQ7aHo1}wgjx{H=s%Z zACujH51#|lxru0~t@W(jacJ3!(DBH6%g&^DeOatWR^=KUjfe2em!%l8Q!^b%aiDR^ zZ*5DjWCW0eZ#Jw)N^%394lK@TGnudUTleJnAaBOzBga3iKs^aSx#k5$4yQzR#Lnym zsK4w*hu6PX1`#JfnlDIOl5aKTLZ(vo81WV!_qt4>lVv2Flx_VZY zX6;Q12en6do^c-b9iULh$dOq+j_if`Dfc&Yk1!H1V4blTzm}vS2|8jg&-vsr6gHq# z!zdfCjMemCT!?Ydb0S<+P!xZ7#*Y5HL)@Mgu;W77Rjci?n>I5#9PRNsn1V-CBf%uU zne^+Z`1Nx_2!o7=(s3RFizH7!xHA~g(E3|G{<{QWg zrHwuX+Wq8=2lDIcZd?RJ{G1|NrSyEX%Xz2*ypC-A5<^t~CN|9e!vq#2^kLP>+l~_Dn+95Mq$Su=Eks$jM=l-T z^=z+SMKp$mPCSp=I7AX+i&jxKFl*Q`6&#WC7FG6ChCnv+5H9Jif-HR> zAFb!e{P~p4n>wKTT3wB0dzL7#LsG>fxTD43w43^Jjac2CXtVRwSLMXp^HWHIyp#?V zFd$7u!HO#x?uN$Gv-xkXhF9yC{5jpXUS^2b>)I{(`Y7$kQP>U*jj2`P%IqfMOqX92 zpj3}AASrnswvGD11MNC{j(@VS)1mab2yaIoL$&zC;2cxsxxIFrh62>llu(u0T*emoyTzp2R zRon-yIBd3V?P85mQnfQqIC>I)AlF|*)tdUfl%Vk$b;qk6Mc(VPo|E!uCb*38sU77f z&33Sc9><-{6QJ*$zXI`E3l!GN$bUlHf8kbCFGCC_1Xph%-#&S#B2G!&JrRA??~yWa z9-=Q_rOjl&suC7A`3kouez_r9<$M$EcMBWNSC>TELu#_6?8+0uk`@MM1h-z6Xd_@# z`__oPuh$Bk=nl`jA5bs29~5l4v^<#Uxz18pcVmW)jdMW&PkOK5?U(c-_pu+c13Hb) zO{Ik*72%>DrN5tzKKk~&`U0e>l4UqxRp?gnx6%N~lO0_QeR`80S$Q5s#C1!e4oxl- z?#1`!%8Z@ns8kHFcmh8M`?!d@Ch(fDeNSW<*|Lf%7b~%7awD*vAE~?X=k!E<7?5~N zpkqa1D+OuZpM!*zjn?SG@Zi?~!VFn+zaE6XZ+`EVj*;+?Wdfg9>P_OzWxL>N?SaAs zD=e1*|MrXF-q>Anwy}#)&2_lvibsL`84w1~3LOJ*(M0=vHDcio zqHJWZ;F7>@<*pe~dzR|+nVZ(fa}7B6`&`^BV3jv(8Ay`#{S-Dz!yEwsW*;=B+YgEw zC^4V(Iy6@?ky*b)^MB5Vi;>uby8tOkf0nQ=fs>mmrom)=%pe=D&9b!q 
zRNCWZQxdnAlhf!cj2&v&`Eb1*pFdgpnDRRngvQU_cB|?_E8V3@ z#_(i%2wldF*M&#*1BcobyHr-Rp%JuLj;q;wPx<5zQhhLXpdQ7#1KE*(S`J#rOgxDG zXL6vQ#bi%>eA+MAiZ@htWS>gUB@bB7LAnASQB+1v~@#GKr7v>z792^^>n7yTp> zl*}MQ)gIIR!0k2kMKI65rmgr%=IVNpU!bsZMvYoVwc=wrk4l+Qg|Met7a;+GECNE6 za)=}?di-;)%lVTA3R?G=ET5epa=6T3t>EX-IgGL6I_3WKkHtfBf`E$S+XKbp+`Aa& zzem?D8Ws6`^Z{L-4N3K;8;1T%AA7;%yy#%ly!YW;zPnVmk!4~!1`{I|g0Xm{Bm;i* z(kDd8JFaocf8q~qg@CrrIf%?f)p6InMF!S_XfE4a836WRLLmSg6hro*RJcnm$_LHZ z=BWK%%mtzLNSUd-9;|=R=k?_QFx%lh01;_WK^^O;@F$E{0)V;CiN@5pcZ=zec)(8t z<^1I_uXU4K{Q}tC^Im^Uz#M=!%{kX}f!aY=Rmi_cB{6MpRQW5gkwTu?^YFn| z^GKkFu%TIlB+1Jta|(bo@V5s>C0x(X_E&lh*8j(Fy8$4Az0U68+&3J$yBpVFi1#wk zc*!UqJ4S6rPP;&vtp`s!Fw!!CuaKa_JMHfJ#7mqzCZc|ZLzeXpv4+I|wKOkf^wJKk zZ1oYJlqIJQi=7+PzM9)mlTGz+Dtg##taa?T+E&mheTUJ#tG2xh45Fka5F>$FtC#3) z#8n-p?!F0is-^{c^art!h74ecMa_z(9(~6y&Mu^WnrV%adnKStMei@ErBqwgO zbqRt2=%$y$+9-{h{>`;6+3-h#$^-3sw}U^XH5^iC4WJy?bJiviTj?GLVaQFB61k9C z)RyYKk-=Go>tdP%**!$2cCwAeA~=*2NW1HnYotpa(4rOzu&cAtUcbX8NRv%mT%6I$ zaDn}|CJb{kGj^J5SFd)yf0S;tK2gnSKEMD-Ev9_itq2&we#_yyRp_woG@D5nl2{xm3yKt;vpdp9z+l#)LlJHss_eOCgT58IX!%0NwH9~*Y7Y#3_ zPR!mUtZw9o?Gj1IiM*XC+PHM>JU+<-mA{$JZECZtqjV=c`HTr{5}@ePthUc2?%0y{ z7L4b$=CmOxC@Fcgzb-POe&1Wdi63}CM4n23*rt?}=BUc30ESoryZ{F1cLVybv&wCO z)!_#_2noW4_xi}d^8`fmsF}l1Z-F*mL%BffU8>nsl%MK=svgss?PeIOaa=L#48Mut zEg*-&|3P=_MZ@H>8I_w-AzTSvqDfT17NHV{W~jK-W>QgM#!{O=r2ZaWk~swhQC(eK z9y{e16=AUIe9f}957aysPo_BuHrcewW%?2X=$&TltAX{-$Z`PB_gZtb(t3BLIia#$ zT^63|)6h;KDchL!#WXV}|4l$9bUb3lLSQ5`y1Mw|*S3f|8_$bIG;3A0+bM(QwJI19 z4LmcqsD^BH3Q`733gljy>+tH`{|>WCvcEpH$`zAd^b8S9u_WNqRBs*eh?&W-3tyH} z4AxX5Af|D*V7jJr11cHtC~PS#vyJ17Pa2Awr&h3h;IcK-`uLHZ%|o~VbU{W_GnTl6 zgLT2|d}3T21^tKga{pdX`aG&6=d($`C+EzV_E=e7K3dmv+iFFf6Jwm*n5uV0(yRzZ zFkL#<)jOEish19Eb|cgqH;XX?Z8B{yUhc0|7aklg9u=c+Z@_g)7EzfY*0#Wu&{@eDKKH(g(`@zRYH_ zrokB9^mMJSAE8mKe{b4w0}_gDtyZW#dN*eFaDswpTYDO+$5?h0Qdk7vsL!vd8GC<3 zVl|zcnwmNd1)Ykc{Ja|%C0?9#zq`v9toKPiY2@(|=MDvIK)g5nro3BHk=pG6{|8ey zs5e#+&-st2;mzK_0C_z@n^8#9!WfMvW2X|P3^iPoSrZS*$DIi~Z&~+AsEaFRwqUlJ 
zrBkc;!?Z9#Jr*89@+0!_iRoH2MstEkcaG^V7CX zm49j(E_fOgd~uBVzInD^_uWQqlfDFV2er)yLf$dyDHhU1Yq-yx$1pOht4BW+ArO;x z5<<>B$zqKgbqZ)Skh0LJT-6rx(Y>~&@hf~I^3^=wmXUhNvs_VXT%*TJz8o8`zmm{; zXOplmrd&~S{Kf8}+j*T=)rSl5$g!y7wWlG^_Lhe{4oZx>Ne#EvR8@`3Ma+>=&g|0W zs&oXxu*zpk&`F0uMGv_8c=PTHGujTltJITki)Jw(w5mT5y|@JJ>gnh)q z&EBHASvV{0erNDupwd>j(>z16Ds+sm0I#ON=Q;N4h&E-;`$C1$T$e4S#4VlA$?7`z!zQs^9-^k^>}EJpZ-ft1X+;eiq)b!qhcd!5BYSAVpd%pKTJcPyasc zhL@bV`I6VgPc=cN?9%TnUBd_TgGPtbkp0Fdeai1FA4-i|l}~n-1-0dOq{EAL4~5@Z z#s``5w{!VsAncKARg~}oYuyEoCHI2-bPQ_G_Vn^e`H*hC&p2Qi_kK!DTX~vX?sFa- zn+&@OZt@#fH3)#Y7{Gfe@+=`0u?X+=HGj%34Z~3RUHnWzIW6drnKXr(9 zi<|AT?bLVjvKJwhduIF(Fa;N82eXwa+uvi*Sd(lMB4U~;BM|lkC5tCLl~;5QYE}v( zxJ+N*tbL&kX?z}RgFN1WA6VyMP`Z0$Hpg6LRYPOfmWDUaV3y*__;8t`bVz&I$6%Te zfldDbq7b#CM>U>_$Ev}@D;XmIkuFon0bB+_CxRxoegYl1MY{nT z;)g>p88c+Jt2PcRw+~j^>NnIXGYQg2Z6<~DUL}}vNlKp@$>q_imNxHb(<5theOmS^ zxRdKj1|mJe*)@0oLqmZ=avOi)mV5qA?@DS^sylT^AqWm3UeKSe+}9`0WU0Z;N_pRn zZfgkZdmJ?Tc!UT6|IuVg*zQU&MX?Qto7=urS)+89@+awZY=__Is4{te>PuNM3(d^5 z(rSbS*S!pS4g8)C{WOdlzeshr2X9zTRCL9^+u2o0ajgjc_jqh403#9IpLn{Fc6J^`;plB?HGP)MYpQH(>RhWi~) zII)%Ig5x0Kz>%g4>9)r&5~6c`Wk0EW&~KFEfl$8L+shk{KLyAOD8BE>+I1kS6jodK z1!j)qWivtKY8;;gzi;Mu7_N86JJk-)YJRI-AWO1zL;Ftf$CpDEg3eY;2VaK<7z(-<0KU>1h;O8t zyl#VAHHUtHK#DJ7Ycb;)b%AdB%9}2AO5Z9Mbv#bidzcWf#h?&BUdo}swHf2 zLfB=Drt5_Y69;-9JyN6y-;$Qb-P2yT+*Q#lk9cd^(GuUMSL2Xlm-jNtZ0l+dN3yc_ z?UK2TYQ-0mJQ_Pdj*7WRiY=R3?-h6^f;w&H-+Q+Kj!!I*)kxo|m zB%HcQNO)*byP0%tr8wBMHlWh@JRaqvFfxeO=U;e{lXQhpc9%+wWi5XAytecwAwl53 z9_7wu=m}_2y=kC)<4~V~945m^)W3h>{f~=>X2#cTgX?|-KPO=p!9k5eNeBAT9+>#@ zHWjt1kOUTmyXw2A7vN?OTe*zV5(O7}{tF@R8#rC0P zXhwErKko7^uKb9K6a(>x?f6>`BRDqCE$_rLs(pxae+|7zeveVp>@$n%sSbKybK1DL z(=kHK29?N?67Q6!ccKNK#xk3LAU>vCOM&~`%?6fpFzkTx2tOy@tt{&M4k99ia3wZl zW8)jn1D}b4ux+^AGN`SGi}a?e6pFT5{78TU>sx-ZSh85L>82}k7e1o!&eh4SpO6t9 zPuNZ4lRcnc1-`u3Hx?QuP|)#i9h@d1hb1w*7Wm<33Xx*HxH7#7UFhK$!{Am(TO&=f zCK*%uM((g>ll|FUc>k-R{Z{L>ZUA#Z_a3_SV~7clGuDk;aOcl5KXmmaf5Bm1`<5nK zfG8lzdwtppnwyumGGdax;-eKinj6byx=)anhA6ZaO|q7JL8z7bHDlzX`ok_I78)d5 
z3MRu>mFcV1pH?X$GNDf^Ueg(>Rm@V&DZ>WwY!z$p}O_7<0*d=a-aY!ko!NA8dGXViM%6U^A*o$*QP zDeS>jJeI@wi;!7zhXKUqdQ)0R@3OdD^4+BGRP7H%4Vx%Na=sLR)58oN-(y1A%Nv*1PDrT2isnrX`_fCJ}TKdk2NhT*1F_tsRl=8YfA zc}2Wq96htz?5+mroAPSgUN5Di$j6-^#|nXjOAm{QJrKu%=x?sJ zJPWpt}OS#+8E4X=^0S*q8cw zFB6owsP#T-VA*upChT+(t5W0S9e>rcTs!6PoCGc&IyC}7&8xk(ULs^LU(RZ~%60?l ze|2ML$Z%iOroOKMTMpQVhF@MXv+1)ihwJ{fro>OXuXEBSM0oTDda0UI9c~fCnhntq zT!&pZUH9LUVrPDMKB4E$Rm=tRp#(|a14l}>-I_T!(;#10kX*7u=l{JJvYwHbdB1j& z!&R$jE1UiJIaR{j$E@dDNax7WSZqs#Q=~620|bpNbP4J0Mc@^ZwQ(+d;|C1mK-*~> zKq?QwRJq%sJn=rb|5Nz>Rk-`& zac?{yrK&Br*{nc^U!{&hlJMx)sv;In3WxqROACu*!ripycycZiGF6M+x}JUf$*Rf+ zvF(UXDw)=its|}VUT7%EhP7iYXu2myEW-+V4C8=5ZkJepuyLp{-n{w>P9_s+n0yhk zi%yLJA0n9JT>w$v(%|f@mQf!I-#NC1+yS$jarx&1aMlqTR??J179!QNdEr{deWcEndGJ#xK)vKV7P(c0S?#GyK1V&(QKLncVp5= zWQ%s@-|5*nEXVNMrD@E=*2=j8oMtYxOjiIv6JJ%GdVtV`h(A9%s2^=evnCUK!)4}I zDYQ7(4cdTFHreo0464M)(P-i>sO1l-Z1LSX0Grph8!EQ#QfBvr)%3Wnt^^_~1`L6V z-S{oyqJywsMly$&m+(iigTXfpROEEJfnE{~5#TSnCr4riCNgN;97z^%10v}t@ zvg*UT5&yi*PTYAjGRAa=Lf6Tc1X9#+RUG%ip7Q}WuTYdPO_XF#3l}7$zf9d_M#(F# za4eN9+ZXs|M5!mdxkfqU=|-KM6j4ZN+s9$}GgN(?cyKFI@Nr%+=`!n=N1B?W8+PXA zIUqXWsI(C|;5!9MhT}jsT4E?Y?e4BymhR(>z$L(0IuX8(Oh>Z6TPX;hTZSnK0ydfn ze^N@tiussIt=h9Qpv2H1RXlXK^eb?-4MAEU-owU8*;j zLe}QSar#5%FM_W}?JKS@5Z6gO0MkK2{kbPn(}UGi_tdzD`ZX&AgMH*odSaeA;P$h3 zfLA?_-Y9V|UY6sRJ}9#o%57)|i9)X2j+lGo?yH){Qtx8xgk%?MY9>F}%^HD}OsQ4u zY2|CQVZqw~$*K;r0@bRKhry!3Z}e5YdRDBWu(NxLBSha}X9=@X!_@f(^g|o_f47n5 zqn+mB43O$|uv$S42t(DXAJv}|cM#ad3nY@J%gz3(nvHaC4-*4|{hBms>kG(`mWwsW z&D`^rMElZx{(CcQghiKwXiR|$+<4=g*8AP#uJT_26of9|+Ff3jG2qQ-rd}cl`+*k@ zvQCn`wo`1WpPz@A{*dtIa;hN+^YWM#Uf>Q)mnn_YJA* zSqq0adv&QBqy3_v!%K!AWL4PB*%7NCe_CBI7NgbZSOyBJSmL|JcQn`*iwtK4&0URh zJ_KJUFn3q)CO4mc!hCzWp%b^aC7?ll8S3*Q9~I1n(M)yKqLmgsr_6bZTm8j~x9$-V zxGmO9sal`Y1im-%XAX0ADG7$8W-5YmGh<3PYS|8^_GT-q+lP>P85(O-YtZTsOf!t< zTY446x$P?J4B-&XWO+;hkmTgCNhgl!x8P5@3foQKPMIa|*>V&?qsPyY_OeR=;#FK> zn;%IN61*@rT5mWg*jWRuhWOqoFfeFe7SM6E2-@_^rYVBR-CEHY(yVQb*&WN!5$JSJ zd?B;3l|BlS^1eI8&1QgoPuQED 
zkzmoRf@-qS+1CiXC*9`ZeqNUQOFBF|3aAeMXJ37&%pS}XB&M|AMzN~zTd!2>+=82nZh+Tn1EB|QggdZv zI-s%P*YJ}0S-=wa4U{7?9(23Y4ReVgW`GdsfDQwDr_pm52FyqyOSI4MSZO?c#DC>W zHM`yZWNj-)AYm=UtEqfBK&b>5W>#^HApOV1BZdeKT?yqJdy%lZA9WWYGT2ooGIL*< z5Hw;ak+3iXx_B0P#Rhfh05Pcy7x7rGrMs4N7xFk#1r+-w#_79{?+h*rK+=>YY{~Ul zNodtL{p(jk@t=F?eli6#H7t#l zsD1=O{h(%f1xwt@Oq>bvT@hr{Z;JDmZah^4Ig+!(>lQl9#a#sYZg6!7>h)EQ^{2Ha z`Fu}?3S@{Ah5v>Xpig1oP~|Q+ZZ&+*m#urRO_68Z2?ZYp3baSr$asRLOgvIQgD6Qng5c(mV zM)jXNdCb3!$6)#F&7A5+>7-S+oV=TE; z%0U=>oMqY{@yoH}&R>;j%jZmg9PDF1(5`&;y%az|DF4zqh}Tolzq9nUT**K&nI3pK zfO;%(gP0rC>d**>^--JST8CEln76k&Swnj?jn{J$4j!JN9UNMryU&_FH5tlw2|%gn zzetk(i<&uf9shBHQ{jeyi#WQc!lf%ll@a*&xL$K9%_NDOg|VZ2%AW)&#yD74Vh$pL zBqaDjdGjg3%p$6M=JLOgCFdnrn|SH90`{zjiPa@v5yv;~QeAxh34>}%I3VA$v)h`~zL@?|!MUfhRoJt2foata)#G8sa`{p5f zSARAKfY!Fp>tzBOFxoJ$7swQBLGSPF788+}fp1YhxZe zpq$2>nVC88hSEA$n&3rK>+rmTF8#dcYMCr{tSC%H5=0(hZKdRKQsy;FK4{^boF(8vXWFmSQ_ zYyZ3=Gp_1bSXcyZ`rf4wzwo3!D-8M#y!LJc#`tabV7?tmM__XCfj<1V8a% z3i|ktU3{Q!1tf$U?u+h|r;2=&U(^pxK~=jAbwk33tO|LsvGLS%;)7kA8`tOb=2-B` z`o1gSqzTA>y2G=--_RSfp`f4$YzpF=1XYmUVHQKwdWc+j>X3`@Cl2rvGb3IW_bHwa$SxhdxII#+GrsYakVe>S zV!0BJlx;D-@x`7+tdO(K^lWY}OZs-GIifES?47>zzg1I)gF=|YoVF$2R9up^`D++L z;8vM`FrUaZP&bzK7T7_+4=C>s(Dpix=v*5L4aasC_I?N?YDLIKga*C>ez#%+3cS){ z`hTl2?fjD`Pj)9qHvOE7Te(8fHOT;K*jtn1H@-c&yjr)Vy*Ypmwauda^}JWsaz|hZ?F?8&&F86bpvRMP+|M+5`}mld_Hw&(8}CMC;$l6={RUZ~A`bjs=McpQ%X zxF<9KTe3VZ(C4u*>wuXrLw}Fqjc zdPb;i0eB`;K+lN#6chn57c%u!{&1X{K*29eHllCuO@E57=>rO#1=gZsBZw`ZIKA83+i@w9o(#;Hz0{ z?BNcA@}NR6$n*_Gfs7#zg@$IMhx_#GqjV|q9fwl6gYUMd4e0PctspnoqDh#5K;&>P z0)rI;(EODEm=N)=f0t^PS6afzGl6JuiBInntJ6hiM@Ed`uG)Iw??;?$o2;2I6&VGoZ8{jgXNp%ve9KQ?*= z0-wm#mrs6kzjJAS-1a)V?e<(}cu$?TG(hgvgCC3i>1e@`wX-YXP*qct;|7JO!i@&( z5Rl23xYpKR{24TI0ABKyJvya~d|)1wM8S4F4_1w44C@Fc)s?)@g*ts?7ok z+;GiTwaQYAH+gN~FrcqwXlOXSZKg&%pdXBAP%qN8rc!?J;K6iVz3Tx50G%d%ao~=C zaX-`@aZxszBYVT{pCt9)Yal!3CQBQ7s_>%m{d<}4MC?#Gd3jJ!(Ki9Q-Ig(Aslck1 z?>n~l*4vVVW`-ewC6qOJ}q>&H>1Vlm_6-fz^ZUqTx 
zh8|J@LAsR`0TG7oZs|q^h8U2}p$8a-`K{6O+~=Il39$UUELm31K>*B_pp9kkfkadrv z8%b$O_XoOWg3}VOK2?qailm7pEPu{## z?iryN*z*WN9-@zH!+M}cp^@n)grVz)hEwvNaYX2?cL6?3lMeMKLe@O)rR3ADqb%d^AE7_=ZlfQrXBd?T>z=vAGQKt zd-gg6@}(Kj;{W}vK|S#1e^)wxe&heAAXEHr%{avG`cPx8x+f_kx!lWWvwluDWCVo? zA5_$ngW0IolMpgX@V^VjsC}T(iH!(fKVfu3<;M2~hO(P>7@Q-5r#y?kvU?#o87+AO z;z#y>mN+NFA{!LC8o-z3Sm)gGIOSN-sQ3~!|Nj(;F=_DQu)$;65i7$=Y5X1s$b|5% zc}e?!7lT>V_|}fAaVYWHCc|+9|A)fsHm6j6?#TPI{w-OZ>?6bM31$|TAk63g7PHJ( z0o>xakmJfK{!c^ljnhjGv(pqvQ1l3U139L``clrK+$S7&GQYWE9<7A9p;5hWTo~gc z?H4A+LnZ?|w@VgAnyx{l34;aj>w)y8|JvFAo{2f^zoB3L&*wwh!-=4UzT4kY-mH>( zBrADF^qSgAMOW#aO?cxzW_@YnfE6VhNrB%dlue<*|F_3OhewKFA2^BD>79UYV6^^Y z2FD~dEInbhd=(hvJoDz5I`i#7BtLZzW*|C7alf|ztoy!)sY^8E>yl73wGpMq^1GQ% z$`4P!Mo@MSUSs<>dN)QHiwiX_r0om?w7h*@kr+ROoB>_SEOh0EP7!3yDiSG(PJqobe_^G;Pf%L`R zh%-%xK3jqbH~ij#SrA`42lTJn$*+j`I5&GSP_^so{MWGelPa7Kr_elp@*S{P6xl#T z?mUM2XC!XqO~AkOM5Ubdp4a?dazY>+4w<0IP`nm~Hgd zH|V7O4qi>kXM&z3$$F7DKdoD{-ytf&cy+chkdwbysVP}jbrK%r0JuT^jH4<3f~Xfp zoa&k|yJ@eYsP|fk;hu;7E28o#&N*Gh0Id7-!llRQ1F1ug@>1sQp8acS^4Ps`PKPZpi z`j~lh;YRmb5L^aWEHrF^l%F7asf=aJXjuQg1s@?aj&Tq81>bzB;e|BM;`OBDLKbs( zfSrq*_n&6~e~C#af&wz+#bd5T_ug`aY+8~_i(VELkZ#2%5A_~_k|PC=iINK~f207u zku~H00`=IMBEsVn-iZK39ffkl>8+UiufLk{7y!X~#plQT=7}M!MbeP*(R*VdQ%CF} zNjXg%fAx9+gSsnq{xWn1V8L#}FT(#^@}wDr(DJuor00`;lyisE*=zwT!DiJIQ_jUf z^V2Ej;MC77CVg7$X{Z(j0OS6wlK|>=GgSz2W_ok8I3IxK50$LU{`o-g7kP8q+GvRi zf+cHaU|BNjPSNB6dU*xoM;*Ek6#;fUFS)D$W~;yE6_b#?9=P{==!};p0PTS+?B7?6 z_OI6OEPr6x9{2o=ls?@mrH+l#EV6|=dtMI?M8R(|FX9KA4&JclEU7JF;xooI`E(2R zANhk2$nVwhoW|uyaaD3wT{oV@FdAt4Pp8}Lc?%!QIirG{)EB+LTPOd6$+4d)?$qif zWx*Q? 
zvSMBi9FuWHG2Q$ULPfHtV!Wb zMG?>y{aS)R2Wl<_hOUvb_Pld@hT!GyEg2~!tAm|Wdn}QaKtS0`i!vKnfyf451QqS+ z@M=qvYWQWbvc@lHp3aCM=!O*bOIG&xko!a~cGZdt9dN?C zvY78?(>3CS8T4XeUZqMb_qoTcywdY(4S3LOF`Ley{FW~L!^l44nzyVmGX4ogRB0;k z;A^@R%ZKKZ@cz=5+Fs{H&Q_q>P0k%3gBDW--ilT!(>;Fr?*fvkk5fdDHaNAO=OSRSxCPL)0_e#f-qt9eDS`#Z6KQ`O1!$?g6YlQ~CU zw{vyv+0E3uXs_2Ful@LE;*xiv?eSQ89i3ztQWQhUNkV2N-Fa!%fL&cOHfq3RcOxd+ z2}{6K?K^u~1nr6Dz@@n)+6;WW8ysG0oW^G-_!;_r$VP!Rkuo7trOr3O?TU#~!Mg>t z2&A0?-!d`+UYUz9@Y)CxfG^_@RYVEyxBW?#l_!;v7eneMKf$ZgMbLC6!+3OZ8~`5Y z?F&?8S*QV zKBvz1E8o1n5=xNPtpP;}@5fR5vou5&@$$F*yV)_?4KHffjj6y|IX`vwK47^aHg&mG zq(BgD%(Stys+w=`DrCN_Q2F&l&79xq@>E`Q5m zWPBYOJ=3(o5^ddi!AL4y%Jy8=9Z$b=5SFDb-few}PLW+e#xoI#I@}>%d^77-k0blF)`tf^CuDdxnmZT`z=e zR&3=vE1k}pbEkO*pIltr30gr9l%q8`_Hi*gcXQLE@LWpnyi8$3tLM@8@xiAJu_FWP ziciEaGuJ#keC?Y%-o%4GGE;{&Dflu9s3-NnvSRs^?58n`Gqzh%cE-l89XdvONd_OE z2>+B{fu#}Q-VURgAEZEgf3(nD50Gfs*26id+>wd}0+*v7;7wo7^o+Rwp=Y?!gVfDb zwj&G_i+)skhUSM!WUrBPq#^OE>>^IMd&}JiWJG7OD--OjiyITKRuNFk=F%OBi;Ml` zuR;QXBJ+%GVyIC}PpSS+aDIeC4tPS0^62~Jf{0B26uQRilb6YB?MbjJSpp_|t?R%(c^Nm}&nfDu&-gg|O5Ko2 zL{Xjyr?u86lWj~^ral7pn`z)~m%|^t`R+Sa35egfp}!^yz^{!!SN!mTic1@yeV;B~ z$q8>(%olyUaw$vGjfBj8e^?yJj(lIM$3`m*vwao!|A zh;JY45wAkz-{4$!{Z7Z^E-uKg%Q-o2UDzd~4vY7_DXGQx&@%fIN*k?}PW+yx=aZYE z4SXSBJqYf}!F4MYSY~tGpJnaxz%DxD)lh&SluUfx_mK-ip@eiZa=&-vnHJwDz-*O+ zR=?`gDJkM+?Ax@8YM0)HdioX-Nay`g zQb6yjg+?(~9WvTdA5%Bl;o^RXMH%hRQw4!7j(1hX>NvFn2}oYWx( zuF>P_V_c0e9kDBN3IJt2&s-vK{kb9CuiLVVJj_}GDVZ;rX%*R12$-ov{@^tf&%~&n z8F;d7n5cXYzu<(c-+RT__k7?LGIKW^CBpW^u%E(Kly>caj4{5AgUCYe+MiJl5gR_t z0gH3RT~x##%p0=SyLT(p)HM3_-n{Yu<5o3y?M9&x;Xxe=T8{Hff< zl5>77@@+!Mvr)=h1(+WgUb@kd-sLWa#QwMp8jrW_SA;)iK1$jB#Ii@U8hmmr(h%=s zcci|uTyQQGWxrDJIWvPzY*l1@7V6Ux$44O#`ThHC1}O8cHz(*#%A6h5f=yed8y=PN z3m_K$_<(!R%9+1*#+$j%tnDAgGSzh=VcXhtpHA$2AVfh=3r^=t?-(NcXd{Z20<%Qa4j zFJiXlR|OD(LK|T|ROTSJBviTl*14N;zv$hyl0@~}5atJy`it5q6#rvUWVLhDZSfeH z>Xww~Al65=Yf=7KL<(4 z6;bZP=7u{aX8pD|bQI_`A835NT^p+J-jYIBL~(pL=E=3p7F##H>^yhOqFK>E1*Y*u zs`aNJy#q!V=NTbA`n($9Xm4K$@Xp+rKm1EV6-4G69w+ 
z`9YV@qICs8L~~z?--@J_8_L7EtOHjpN1=^XC#Gn@BYA-5yRYwKD2Pc`PnD+iYA~v* zU6=xn3p;z6IgiPfK$yTWT0fTeBTy3y?l*^D8zN@?ab0QpBAwTO+l@p}%tQRP`4;%` zKdX})mfC>(8KLkouXy;;= z5(Y~a`jvt0*V$INql#$j8UlziCofvR^(Dw$mH-oB_~pmovxCW&1LxVWs3Pj-2!qXg zBQ-gS5J*G$^y@>_hzmB!J5MLg`!?SVn?zLhU+q>qP-!xKUsN1pPpuw8 zBi-Y^hD{7#rAvGk&u(hb%U;uVq2xt{p&9yY=vM;<-Y^$$meZ2bQ}_7F%*rm9=7~Hh zx)+O_ROasB8fN#wGRAk0kVbY2)upLX>JpUHek|0GBW zfmFpmorMYoNI)12(9fOFa5VKF4!W*b_Y7!}zUmM;my@V)-EVTo-2tQ4#@14{FlEao z-g4M);0n{3!WMU9%cWK36A;mpRV!5P(gcHdk!UOQT;lk=H*k?9^6aZ{ecT-hj);?# zbfKUgk!F+M&ig9T_0HeFs@;QJ^(=43KW8uRRGJmxM9RFJV=bwR8?xe%Nm^9Pg{6MP~kt7JQRM zt>qI!za}npVXIO&C}l0W+q31~78Y$P50fr^6!@IE`4r)L|&~#_)%Yu(~*ojYYTo20SbU*2hh3A_sS;EWR1LL zSw2bfbY5yFoD@oEp&!Nf+j-*JnZJ{(##XvpT0qa$m7xSeW-10Nto+v59_4PJ)C?EC zykK^c@)UKSm5CqRXX+d75yPE4K%*bs(n8XN_4y5Sk^8*Ht&C+Dj_M5gFMIWb_A|SK z+e`DCTK-{n95YhcoC$|a%Ao-uTM98Tbi;D*qgMa@*L|F^Ah3$44+VVTU{ms1$7g#@ zgm+WQ`q@k>4`}GOnnT0ZA{Y*)9y&PhU(J`F#&tWs&Z`q)jM2kY-gn-0uSoMP36*5M ztNhb(No+wCtBb+B=(rzmDAn$L#uVUurZIFbYE2;Pfi>Eqr&7m2f|An{x;s~} z5__c>x8auAbt}G{{2yq3lBLt5)ftTWg|uCDh2UxX5P|ggZ^LWC$Bf1pOTOg{eh}^A zpDveZwUX-;-Jbe~y%;z>|H!FZ5h~A;B}TDV51u?k8cqj(_Kvz|ZK+HYz>Gn4NmRoIpW* z08bPc(OYfZI5ar-`|Dm91Tp~DPv~U1m#)6+qoy_C3=PX)kIY_4kcV0AZ(q%=wGQYz z>n`zIw|ctBkG{WpBI*!YNoFOc!3P$w@Sjib7n~=AxE|scc*$*xouVt zy#@A6B4x-GCAZ~(c?NSz%@C`zePvU4j>*mEBKr`aGV0>cx0AyZI)PuK%92zWji2&{T}wx-d5ihIrsZZo#Dc~@CAs&09e+8==+Ax zy{w;1b)GcY9f_C^{^Nf zkelK?z8)+qqKM&JI(%|sqyW}ppB3H7XO0CCZYc%Ed?t-rgMcNnKAjmExbEL7f`|rf zSkQ4PzcK$F9gi3t;;pN|UEd8t27r!%OS-4pt*uk`>71GdnDYlK6V>vTEcHiMuF+7~ zYa;1+K;c1@-<5Bx0w5tv+P9`jtRIO`?No*8p>7)Cw`a$n?iIOXWC@Ln0bhwJ2us81; z$#tJWNhBI01Y`t%z{AP`AdZmegvnKod{zN@FTi&FN`rHVbQoYw&1dB=#fI*r-zG^o z%43{g&Bpq}m%dq<&TB_V00~0VPv|~6VdS~WyKv{)m&-IwbM%{PI{;<6uo;$t8B<9A z%hEA_vbyscRHuREg-s?Z-!!4WpJz;rA3vHU-a zjZ7?&DR3-XY4q&K!RNVk0T=Q+->5+^e+V)J%*tlRyNl{ZMm*AN0$EUWdOF`*Q5;6Z*8u4f=gkg8QZ32fsFrrcPp&j8SI%J)A|eOybl4Wfg@A*590%R zlFg5eu9|ku4g-yCn@)MzllBi4#7tKNFAJ^Z`h42n;yr4`XPwFi|1$k8TBDlpVBq-< 
z(4d*Aj7&!d92A#*@kS2da~t^_P85BfWPEpOy#U)Pl4s*-e<4ckyePs|csU{+vhQx(C+g~<@I2_criti z7Ekg+S+mC=fzj{Ma1RlrI9pAT&8?wy`XgeR&ZEhE*Wcc97Q%~wbse6 zdxqvLn?AkhQ(;n2l|qd_BV;E%y8F^-MQZ5#~)IdWO_NuZi25#01aL?;fSA1!7B&_vO!TYaY+w8aKO>sNiKfwGf&;5ksL zy=^IAX1%|OX|a@EZjuyb4*g&sCB}o1Q+S%8(LW4PzN2Xe+SOyf#{VZ%oGZ`RGBL1G z?=@{)KsWlHmdm6Xy{~Hm)H=!8ScvvPN}(`d)11|QnB~kR@+Sw#7`>54fj}M9iI;by zQZP8XfqJ0Zr3b4~56bLIc*45561Xe4H|e;tfsdfLa$V$y$+OhSJj{~S#A~QCHOYpI zvQc9eb!04X3$Uq!$cJo@Nf@1Au25cn-;~|9CoH%q9$wS!j;#e|rvPY^7O43$cTe0J z)w!naf3crc{9fi|_BneC4SPr(=6LgE2g^K`zra0ThBHouwBws9D?i)yG*;bX{suO= zpv7#3FAt^ae9kN#?x+>Z4i+h%kF3uL-xk%&bM4xG4@^D)?=Dz&NOf*F$pVpF2 z7^~lGXLyCi~a6AV-nYWA0#foe-WhfANIdXK)b4|^YU)iyaIgPd2EaZUB_N4I{hLDh6F_44Y;Va zb=GF|YalXI835)4;3(>SdA{IJb{E=qdrfZVi+=&$Ujzd9O7b?Nv%NKwHvH11kVnU% zDO$In5!@8Z%RIugvw{LtDpaLCNWlw+a&q@cej1ay5gD9S@J>KAB=FVQ0#K1)3=1>U z*W|yph)P?&|3FeVKuCYD;)MN=LZSN`bWCp*QB#Sm-!df`*+WjUuN$XP$i1{=4QCai zZ{v_pf}Mx7%Yv1Y&`|D)V9Q$(+TDpmJ*8%s4XsDAlkw*Rq2;NTpce9x^D)*Jn)-$S z@sg>#ohktai?rK|n^nlII%738=2#94YMjBwgYP2gK2w}^7ddV-1Jr~RD-WH|KhC(7 zT8BFg5cdIZ=OtKR6}B7{TstKX3_o?m2ARtSow-ClYP(GqAEF`t3q#-1F7`RIghr8;_u&)tzi7A$$uDmfr*UbR+#JsiNus_bx zfZ{!2^!kKR^+V0jp20vj-40iE1GV8E>8f*6jkbZ%nnO`}S-lpoLe;~!&pN-lyb`9h zTN&44#|vAy_A5$X@U>=*A>KTE4DTJk`_c6GvOO3yEEZa~Vznzny$&CIxs@7rH~Y7< zaL>iO!c3}HhYe$l4!AimLy!`+99krgZ25#SroD6~C;mbFJ3FXMU5I5nkpYYwt-;~p zXV|SyZ>&oxMi7j8dBMWU+l~y@_V1ujWbg(%Z<6Km-n|4(^U_FbhsTrNj?Oq%O1=E|}q zY$TM-fDK=b(r*U}vCH&4Ae@I&MDR#?{_w49uwZBK1v36HlK~*)Jn6@E`tBRII3UWc zd=l|$O;C^$Ug`wcRwD1&j^uF%`-|7z;}Z%DBOdc6+b*rSNuYZ1*PeOZqag#+&uLr?77DB!j#o?#*9Qf}8HP2<)PtMD=7akq2N2WK84_!7h zr{eck9ROkmkluRrn?n}E?YF~Giumg9j!Fd)Q$gM?x+VPqMFyia8-T?qO|OrdJg#A! 
zG_w853ZQAfaAzFab@jBriRKY)XBS2H$#Txg1uIe9(UVor1BH2?6Bo36M>*`o7Fl9# z+l*cJsl%zWuEyF?v&paDcl6$;2J|NK-5?>V1WuLogyxcY+rW}vZ%*PufcWQU;@+Ei zQ+{(Pc!`&WQWer6hLk>Y?2g)Ni)^Y7GuZFh=RqVAO>B{(5IF8J+GX8~?8euZY2YNb z6N5^Vmh;3iRjD8&0J8IE`}hYRE=V*=j=Pn*w&|Z}UCkDwc*XU~3O=^2_V7b9xX(pc zk#aeg-in`J;d~=kXtptpI5#n~2nfQ3FrVO8XQJ%B5f7Fv1+f~ppJOz)Qf0J%;4PI} zmN~9K#x(@dnQDs|HaZ-?$xpmybmpRQdBsgSUpy_UxY(BUS zfzg2gL*v&e(o{}gfY=`dwq34{U`&*H@}886Ssjj?;cW8sO}sX8+>w2s(=i4@t3iC@ zW6k}`w`l4Johh#MJ@+JmTTc(t&9e4fDGH5CRMe=j-(^U6mahJ09o3Ep!|ML@-XG<$ zunxfo;R;q3JHT2ct0o7xvvlW(S)LqMAn~2SNJ^3S7ef!a4!%$70|kUS<07SXOG$#=sJbJ0^Sgd;+SF0(d)QEp(JLu zAvX00km$gYKlC}gcfADZ^8UsJgDvfd3V#SWdz%!m)e9z|pmYvY7hL|1;f+xvys~ts zK+ROHZ8t?$O!YH#=tCda(E{fpVI3*i=?P`4NU_X29`idnB_+e(vR%5wF&tYRxXv z=7nfUcPL78B*mMx5-+XnCG=lE-WjE!I^HUBv^)AD-*1Oow>+Q^dG#;{2$Ya{BGFz_ z_}$$f0aLdn6?tl3afHGXF^P0RzJntx%MS}86{B8k0y@!{P$X>&ix?prfQbnTUyftC zc%x3&3`dT8Tqgr0`M>s+8&tH%RTMu4q{fGn!D!9X)8mPYQogtDw<&ps?>El4GKn+4 z+DTePoj~62EG)LB$wMGG_Wma0Dq>P! zLJkE}!qk1j=B*$7<}R1CBwztV&D}4Q5au_JbCWV(;<-h(>yt*-q}5)Y3K0cxa_j#o zlY%ZH0*AFU00N)uHCK*w0V(S6!p4&~R+bO7`yGKTM_tdeQ1}?H4DT)nk&KPS{ZY5h zd}p+ZjHaumPmlM)v7983)jf|b%6DVMVd4rz=JLy+!cTB9KJ{IQnVRF**#yP+CpGTp zRCdzK7`iW%LjbSJ>~!Ct49UyYCL~*45e(5{?na{HLHv6MItny5Bp=^%<%!KLI|qo` z?(1E%>S~Q(A!!@GCguB1PTc3Ld`$PXPTP2gr9E*2G24qq>i@%<(c?@9__O_o!N60K7xIB?%p!4FB_rbNF$!bn> zi#gRio@TGSR2`jMr1-}{EjkOW!>f+04yO&U@K| zRG;3U8w$Ug#M$5ZYh7GJRA{v>);sU|L4TOwo%%f{%j;7R$g6Uz4Oo%HtSG*~aE&p+ zl)>nFR_187?n;;lW+c)MC{6@7XC%G!P|5Thcqe!UlUP5o zi??@f1bfUF5MbK-giPXx{iIr($O%30xTchfgv@)NK($O zVIT2`62IKfE+X!VA>yIW=Cp=NdfxDHXxSaTnq3p|tRId80lll^)!^7MG%Xbra2!e} zaYHkq=dK#j@|+GAv9qWe~lB^s@p&ETf{2>GqDwL#82CAZE8Qaa6>F# zIDE_jV0piV=tJ~_@47lH5~!aF=s8i-G$=60X@bu%dx2Ho&J&?kzl&Q`ApV~FYwPp6 z#@Wncmnyyh&-`e2Abv8lc(QHOkzo*NTO>4E7*K3Qjt`7(eGXJg;P~(75MKj*CjT7xfR6|2;t8ZKUI_&Gg3t2?Pg899&KnrCZ=%J3CmG~c zux9N!ow)lqY>1P$3M+x%xG4a79-`PI=J42q|E5Ukl`v>=Y3kr{8<8)EqVF;hBzLQ3 zO#fYB=DV2Slz2;Gc5<_2EEfs)({&G_jW-Dw8+{r9!$rxgLF+VJ-23He=)%e{lt9cX 
zs^jXYJMh#5*|vH|fGiQ#IN*ALFCR@t7D%ErT^!wz}ba(K0d%z6!8 zi9selkE6?y9>X_SuyDaHWr3m;ZC^KVz5tc(V5PQxn9y~$ghnDDYEzTA_>$}H-Dr@F zr1biA_69g!+*rO-0OUureth7uYgY0FST%v24Rc<~(|Gw9o<=YpLNnqq*Cy57vvUQ^ zo-1BBa%Gg)P50yWo7w~SY34pYWuaQn1XC!-$IR5hd63wbHi%t6EWJWtjB$$qAO|^( zH`(!40ib+d{dJ`J1q+^TYA=@0%Qw4h9q$em%OR$U%S2{(C%=+}C|>k8nM)~M9mc4m zfnt)tmG6^L3|FRHz+q0(7KhqHxkM&_Pwf6p5QR|K0;v8xY^YKMtjdq!lli)%`rZwN zg@r{<5kVFLQIvON9)LmWlfhuTzE+Q~67xICK#)pt-p)$N`H*c48P4n(vf3< z=oUjk5+yitapEb3CT#*R?BIGU)Cae)6gyBEu8)-8c4gS8*m>xv9;WQQywr(rZRV1d z47^%{`4yOdi3}uPI-8HTq^KQ=aSz^o*I#U40dPj3fnCkR#e!u)0nrtTPlCWGuY_>4LHvUKuNIH?RDgdGZkP1CAn7pj^gm(}(1?Vj z!`0$7Ukg~prXFx$= z;)6a;ME{*7!AjxJ9E@GD=Jz&;fXIiT^;L-sW`0a?=7m@pcS#&N<-0?ZPD^GGgWxbYofqob!GRiERbJaLcU zHs&bX_;gOHNzs8l*3< zmw~W|qI$g`kTJoWUP(x*0!r!TFO`un4nU&|ijkEQZv>7J?zkc@B@+^VC?_KQKzJqd zn@L8Z$;&vkG>&n{G^ccn7n}j=L5IHX0rVh6?V~&jl%_@TYMgkgKF%^1Eo@1H^uT5++KEsO0loRY1M*Nh{`FG$-!$ zY{Z!+GEAlOO@WX%D1tH%4G^yT%@59CuP(xr$!pYF@3iD)rfgY~(C%KkAvfafTR(_`4ScW*`GdY(N*`9%QPNVTHPEh!F%KzhT3 zF{rF3=~g003iv$~;EyuB-;0IKDlntHJicA+y<%^+ zMzj0j z_};s%u*UKAtQKmaJ5o2cEqV>*}WNTiHv*Q^Z_TgPtT>L6D zy(O4YIhs*dX}v_jU@tztsCnhYx(MM9 zU^DChWDoDV-lcnQiFlRve%$CPoU_Cl9I3bIhWwbjC=~@HdBOPO4&)X8R)#WtFc}W} zwq5$SMlG~SbcHo9oEjfK0W<@kCL1UUfz&g6^|nX0TL+Bg-fId?6?CEqK1K$(!%Ffx zvDs=MNhyp|I%J9d1&fH3d*4G|_}{ZKdOjNme@_Z3-mkz1VClSW6aptNQ20omAk28G z_4x}+j9xUZ$8U}_u097&B<2wFdLcLND*8C6pfC-JB(*}H0*9!^HJIJYj{+cad!8M7 zPzOUvHZkkXtW1A_$I<8)YqTXu081Uzn*3d%z?;gddxf(-FKu3K8bzSQjb;2G1Z))x zg*v3c+;A#TZ(EpOO63glI0> z``n@Om1McF8M3K16&KH=e`Z&$;WPJYzLCn4biJzS9(#KE?Ncw>_h#KacQdnH_mRPx z+3%$iK1eY{$3#+MYF?~bm;J(`mcD)G=Q#0P8Jw8H!A5Qrg*RTbIj+0*>gRZ*zS(y! 
z6ymqH2`ccyuKg(QmGz2Y^4Z-J$gzO#4g;2-Q|@B zsuzqc3Tw73s$4DKpBT4j9gSm;wcbK&2mMV3q{*h78XYkvekS~{RNLgnD2KodpnyNE z3#=o-7wCQpOkGos)h(7?8nu}A{T7~XgAW0cUCG3Qf+0b|0>LabPq^Lmz>z79JK4z$ zmhZp*vY+M#$LHJ&y!{7c--&;9@gy+a=a|FeN!V-v)n?@6E$(3@>TZ)S0ft`pgWEfJSC#9R3`W$G!u=FH9xISGcK~C_fM!8iwXln&j1w+8&6$tsVQM z7Ojsn{8`9wdD^&k(%(p5;>KoIl1MKC<_yP3AV^;lXFqx*kv3&4ZlC+4@T_ih0Pgx( z3YEHrwv;184ZFf@2hJR#7gnuJGe$qyArD8hUr|Rl%31T}K+!5C1g!NtO^lSw7g*VB z^8*3pwmDdcQD}X~eY>I1^H~kD!8qR%c^HP-dmcXSpZ1xbwnt`3i9BjEN1-- zCK^{6F&H_pLOq~6RAcBf)o8R~(#4Uk7zlgQ^DHrsi}yO0&%vp_x^o93>yWkOy!Id} zas6!dO2YYjP#lU_w`AF{gn-1xQcb=fWmlx+RsVpS&9wxzlLxy;hq#2IzT^7r?H}I; zE32-M{9F;ij`nK@Q_=R_H%7{E@t=1^bq$|#=hj(%3xK05JSK%u1hG?6dkrW8t``NjQ%%% zf@8I^9U>xjtrLOzSj@}H;vU0+uz?}WHF(GaJ^ zm%5^|c;=6WKxJ9$DsFu@W%NL?!1k?(H)7hj*>{S~s*TM?FQeOT9~mC6a;;QdcKMBRXnIkTy0MNGzRk0Smx~q!Z9zrK_D=&J5Qxt1dsQ2Y8l8GH z+lsk0al4M5_3^TKzd6!;P>VZ>2DiCgKr!0rQt@!0H{QXe@w9SW*<$m-?=?@Q)6s3};w0R>YWW0Y0Cuwyz#nj+^n~-=q4)$2fko@d; zYU_-qf{w)hda6~d?3JI;4T`>?_Rb$6{JuO zZoV4$jkM9q+Z@+?1gl~`WI3+NJjW?ka`M1*EL{*jHWsm|R(Wc}idd5zXP&li+kbTQhC z^ScVaxgN$X6LroN7U^0W$ro5 z!qNDORn_2N5@=lj@s3QRtib&SirslmssdE>7W;Viv3+aDK&%j}lB{W4ej@De8dW}z z8stVJqqVYdgCZk4`Y_Gp`)6sDYJzgBpoDPqPhA;oqB@~Lm78W?brB3TT(PEnlRZkD ziP8Q!{_!|+*J0B16-Py8LHLo+>|1dw`k2@7Jeu%h-BL7*wJm|5ukh42##i`eT3Ihe zx1P_e4NcY1|2C9WY3$j!nb*H^Uzfz$_82pFD8>|uBJkv)@)dmrFOF^`)5$%r5%q~x zx2!j7b4T+Pht_09%6C)SF;W+C(>U=O>-_Rl_H9pOgQnSn2X^^;8AH#dh3a%(Y|^KO zO%H_|QIGdiZPsI03sPe)U7%5^d1ZN|3BX7Q(Z7g6Kk!QSl~}RQ=>T{%o{+ZnsAwcs^}yilxI#p9*GzSiu;8_viQE zlX*ZIEDxP?$0%vUr>*n~d86bFs!04va5g)LtePg9fkw9qo$MlbkS>T544!GS2;EoO z>nj2$pk1|o#7A;xQM|s}ovHWqQhdXPX{J6tU||R#mdZT20It(e_%0KxD;`%ZKwTNf3-5S>HWjY zjdr199rwS;^V_FzS()-uzzuMj3WzG3itn)UMl!R3RMv<~Cl1by`+3d{_0yo{{4ANh9{IX2;bo!uCuE5sk4vEO=DnnH zPq{^E-UQB2e_}!0S1z-DCEtptm$J56&+EGMFK0OhSC9$AcxgG6z8c;JwQbCHb9AH7 zNv($AOKgQMKh{2cD1hO-9Eoo%SG;lc!!Kh?1D_ImKS+QQwPJWrR}{-%qKKQ$t-*Qo z&t=@$^ET;4>eKm4SEc*zJ=ERwVY+i%tx2JbyqI4vgmY-op-GD7cvUty-2H>}z3MJD)IjnT=9K1W1Sm$HNJ-pjoBoz%z 
zK?ilGXCBMl1jc0Egw1UnV$)+d@1|Z*izK@FI_83L^#-=D=a~9t1D4{AwsX8XA8HH9 z5UX=?Mq*Q_-d_m*3Ru)^>oL85*l9xPHwqPl@a6a>I*087+4L&Feh2ANSGP+#rKwhO@xrg~wR4qEMP0HWD1n-8PE6a_Xf82$ka=vhzh{ z(D3Hlc$VE`_R|a#XPr0o@^Ql^0TA}1kxq@z1v!S}p+;{Ue1&{xr!1fi=AN76Qyz%Gf8Q3%vx4%}l8`YEWe?`6n=SU*oUmQG+z9-r5U~t)DWTV>>4~jc@(n@nVC` zn{!er(7X!$*5kcQkVq0Xbrg)5sX8sp%(zZi)Sj6N@Fe`T!K20}_dNbM#bi?=XHZcC zO}$YOa^o$C{+S#pf&QlGd){)MWB6*d&Kx-UCxx2(v#A@(iyWXwlERST%(?d#f6Ugl z=OK3^|Fu)G(oFG2RbUJoQ4a5c)tfy7gx5^G-pkgPbMC<;uqB&hd~s+KcqCT1Fye^E zQ^9qp9TlwvTt@$oske@6^8NnDhY08tQ2|i_0Tmb^p)^PcNGZ+ely2!9LlhKLKnZ8k65($Lf7I}{(=6o!L zkD6E93OMHW-pak3_N)<`+v_tO|u=w4>Ym9w2WE@s~lr}aX=;!Xr2}~?KMvW{18KvhK4)hlxmgWFT*L!a{C53NMy4JAu)?@^}m*op~+*X>MIYaN+ zc%WyXl?8Q(Is_K0JD!g)#O`fbVc1K({IL|EwW@EqxfB8Rv#wJah&r!eeu)!K%<0Y% z?#QRTKdMXM!Fp*kabY3f17(KZd(YEa%6_b(52!!L{^yZ`EF_U3d=C_G^$Nl>S=p-3 za1S(7ml^Zia9rbfqv(RozWOQu^G^6!b4(^F2-dTM&mC`Mz-Pd=DxQu+@KxWce=j?@zyhR-=bgaNqyqTxDpOmyuce%_7a^v z2_iYf#r$zfkvIjsST@ZmDSzDA@t^r5$mnCx!GBFo-6q@A_-$rqn^tA~Y^$1akFKYE zO19}?z&2E#d*FOguIe9M1<>M_Lxnrl27mbGm}n=D1*{BMHt_eut1PBwJ`J7ri38}s zcAn7YdoA2I6WaN_r)Crzcfv4cBu30PDQ?VYPI*}KYpt$K-I0*PDf&q z(a$&!iDrI?#>S0b7&v-h0l?|v6LnJ9Q$t3@f2|Fp#AR&=7idiY+WW`Nb4bB>+-d+e zV?Vdb%T>99uP(YPi<>s$h}k-06HAT^d1ObZ*{%IdE;7yDi%%oU&RgskB?UFUT*%?d zchdQOCBpo;Z}L%}Jn}rnQ}24b6O~3`r?5+_cdT!;YZErrjvN-*a`ip$<(GA|vb!tehSFa8Y2HlnDlU}H^U_=)eL{y~z1L9SKE+ZV{^ zK_=?!e@wz=4J8zw-w{bGM@JuEHj}PDId9wmMcss6*U0{Ezg9nVI?lU``RY%)^!1|8 zTnvB=CVapaG>_K6pzOeZ>as!giuuszj_cWG3s(TGOZcQchsZ}3OO>+ox>A1s@H#!i zzLjs?v1ZYs1nv>-Rkz7uR(wQ?;7Hq_mAkNSG>qa=tV2AW!Sb)q#=bUJXv|(7KYw|7A3cUegbSzf}&27m1lyblD(d+c@VwkLwyBdguFpn%4d?#S5g>UkhFBb-H`DDvcg`{`R7sO4@ z5E_Nz(re5bs*f4c<9wWG*C&b6ocfQOY5K4=uw`OxeKuF9 z-i_Q-)>JDazWNMFVuy?TbhkiZWhP<~MA#1;>Yxk4Loh382mdrc1kI4RSLpPQm4I}& zwf~Y>QN+-8Z?FCNC=6ySu}SZB9E94O>gNcRoZ{%sAZDoM?6 z$^ZU3Bs5H*d_|TxV8(uFeVv$b@|doAs!Bh)N=kY0Ti6K(qNR18BKHEvsR;Sw)Hk`# zapmhqGayn?_0ET_=-%DYi4J92v*o4l6xkH35Xnr*uAk5GydPS)!8n<3C85IL)hT?u zOl3;-!zp<2O`_!4b8#FNypkl`20AbWuXfkA1(fX$ZUPAXf#E-xeyOK0{6NL`qXt#q 
zR(Q;K-fiH-T{2CSry<0l8Ab7LZv+@QE#xIsV4P-MAByu&&f&+QwF*yCMf}Qaj-Mu4 z1|gdjazL*IsxS_{HLr(p{0|(uY8r3l@)m+XWl-bkSx0)_j$#H_ZS*5(`{_I~*LcNB zzx&P#6XPTD&CDRP$HvWcazx3|f(e{HX(vSVXl}zRieR<$D=-y9_aGefBIT;Vs8$=0 zT}&&P)8->cq<6WA9{qgM?Z0C$fqzF)0t!Ym+Ivv@NVkcz;lhC zZ74bcfxo2bej!7R4%E*u}R-T=YVa9GJS>Ih4MCK-_=d z@62Mj+LlH!5l_AomWpdv47!+oB#0Jw)OzUPiv~tteg|^D5a@qr_f?8%pPSyC13n$) zQR{Gg{WCW$di%AVApTFW|D5%Ng;BlJ2Y0!xp%NXYYVK>>lc`mR2=?j1y7lW_GR;Y9 z#)|MM!>&pP=0-v^$X>gU)>$1h{kiQGplNPlsBGUad8MrcATRRq7`q-pd* z@d<=T6VyogZ&$tfv4KQ30BPr)Pdj&_{dlfQB_zj~XL#$~=%6ETS&9Vqz6|2~5_{@+ zq4x>e;pLC5T#TiGC4Tq?De#JEr6OSr6(g$;%Bp6?mc%GR4-3je_pS5}vp;hRc*PNc zo(*9hc@~;d>9K{JB~pXj z`tTcKb?u`rPQIR1DSzJ`DM2?oW5NNo#im@(o?!iw_X9Gipbe8_2`e=12c$$YMD1-R z4mqOlyC_~j_cT6~y)i&axJadB?fNq0li6YG?Qmy$tfw!g60NhS1dZjY+Q|P*4vI+e zAL@5{QFrf}Pf9Ndl9x!bCOr9w2sm-nZpYJ+M3}AO+1s!@pKcZW061gp@7pW4`ce~R zkh*EUn0tHXTj$*oHdtk%w_xe*S$O)H={~ee*LPEQ28jc%)Pd|d=U*p(rYBW|$3aMr z_=y|M@bbP&IYeBzVPG3(Wzu<^>V>yf0Gy;oFFrK(jL2uA zq#${x5xFy~2H~rrW=C>e)j*G4D#iaR%`|yFVTkJUmDAxaNJE*ev`4gAhWaN9)Y&k` z319ru1#8u^n(A%4;SQ$mAE+8U%$@XPD!9c2r|Nh9+sQRxB7kt2_8gll>b`hB*W2yN zsUUiQESRYlL}Moa6)(U6jVFzgsU^0FLI`i{pK6>E_98$%gYo0F6(O)~1!mk9B7rwi zMg@)PBDwLM?0u=@%yEyvTf_eIPYY5`$uX7eYZZkTIYgkrA&eq~9MA-eJvNB9AYtRE0&`kMB&JVB4c^{OfTI z`IMb{|IIZFoE7~HkwVEF_squpE6S6uDo1ByLwM64Uhx?7I$KpK=canpyBkBXjo+N( zEmFl%z#~-kH2Im`@c3!1r!Hmbeh~BJKw%UhN{COWaH<70uhljrd|WTp_xCk4q#tNc zox9QUo=np#I#y!<`yMNYq_Fs>OuzUOE3yuKwa@sy>TGUXQpHaok9moEOptAjJk{=C z=+H6FiueuOyb*ha#_stOiT6{7l;zQaIwg^>NRrtY_(U;V#h84sYL0_79H9k>KPc_| zU$1u6n{{35^b(>GM+|4wdb+y>vij#C%{JBiHSp}OcJTHpO=bDo?$$(#XmcT}q0e%> zT)gh~$O;Tc88I(YCR8%SS*NN>Eo;h!By}tYs>MApzkk?F?>(XLSFoB%BwwmX2 z15i@(O6d`&u{X-1k&cS>Q&qmf?Xg7_kP+PWr=C+_KtrrIy6M&k{SOu7o1m$tCpAv+ ziO$YCqHaWDZ|Um;(V;x<>=I2S6dj1Cpk&*rIxK!@m3{ex+F{b{In%8c1qPnf zPL0LwI*_6>Vbj8c6CQ=TE2F?IiusIqMdM5DMl~{6MFh(4X<~%&$e_%$&Y!`&I=D5K zEgiUrFdEq=``e2)v*GILdNH_z=`USxDer<{)Bh7x%5LwzpBlGOuFp>ADJ|iCLq5zT zmUtxdd^4?Fb5bcn@MAb@pqSdx3t%^Zll1#%hE;)X?KdrUS`S2Le%~#OAFZ2t_Qz6H 
z_9;XsvtL!jmFsTYo>+-fOrvT1Yg%70F#)qujFJ)pyXH-VB9=9cypmDCEs|c}5c2Q8 zw#)};kRljH3sb4_)XlyZ8cx-n?*)Gtg*tOtxo9E^XnNA=q=+b_Je1``{K`bMt`}lq zXS9U}e7N4I{Ib0dxA^Z^h{ijz@H(3-Eu~R_4g?rP(Zp4boe~q(zYGC$fg@*qS+usN zLLOhx6~z%0r8RT&LB9fZ_qX~7pGQ~`y@Ufx^Ml?4{s2++BNCOX)r@__(9iBul`hSD zYG_U5-xcZJ5WO+U>>z6YYWYLdKR2Y7D@m(%hiR zahpmIm=Vt^9Ntpk_z0yz!x{)ZZ0+`AN;ZIoCD}WOj_P3HMb(rsSFoB*G*g#={tXiD zCKHJ%YdI`uX!Fzap(mlb4EN@69#Nf?eGHZD+Bd4yE7#jIZDzGktp94^P7E}AiUQ=5 zi`-y9*Ed9L6ksQd%vMy{Scyqg@8BS~XW(>5S|&U1i))rTXZcLN>n;0c zT+`7BuU%gT-vCI;7S{c;Y*XXBordx>uW8KzT@u`siw6{~Y?ll!+n=zd{V>i=J;U`L> z$C-C%eZq+1FLQWigD=S%7OQqW5Py&wW`Rsgx&{^{u@$QBZNt%~2FcAHAwk8{)7Y)S9 z$i%YaKE}JJ5VI^1N15BNvV6+hGgA;XgiqZp%Ct$X6mM)PJWYf4od*+vl=aT?nW}d1 zo`YPJht-VGXaf3DU;Bz3FayK&@rwCsc`Sz1O!2q@qL@Di7Ea~{!LtdV17?Ekdu+xP zEQXt1ADDjLWsfajE%=qSm$*tvoa2PgI#d*?D&3ImElCXr@Rex6XQg!Om4*7Kd)?oT zaM-OihtzT+@)h~+ZFqvDR+a7Q7D(~h0F9*PwC^YMAe z<$P7^{=O7tygzQks=HYJ7T_4Cjj*Bga_Mp~e=);)S#7RQ(F9ojqDUEr90_xSbng z2akNH-zaJa$paH5(n|6Gr9OLKqHjd$lr>OT`0OZ9Mu-`R#N&!W@2ajV`QMS)#+*N% zC_}JB6)#+7x?LakeAvMEGt}7Q>oQ{TH)Nh_ag&qqkT4>_xf0c@Z$3TH;FDch z=m6;yt~+mJi`K?|t)y<<{z1`q*9_2m$`i-PTNjQs{L8}ZEHJpX;qym$*zw`X{?z-X z8PC>7$1%T-J@Y~F&RmKrfmt)p0jR{<_$WV%J$T|Nqok{H&!YOt5K+YvhG^Z9MVxv(jXVW>T=t} zUah}oBhZ}mQhV4N2DBm!7#ta>>C^Kp{IQ)^w#wNh|FVY#bHy zd4&PqMJr^$PBkLrG5LJ+qSbhbDr!fH!E^yK)`*b z6oXps%Po%f1O)fQTr+giLu$5M7LfznLqO`hzUj*uy3L&@0*dXm9iEehCGC9!?J6C{ z%Xchyd(}cTl?Ey^Fr=STGyR20pH%wi!vyKDE95hthQ+hw9T&Bw^K3AdH`1RkXh}Q! 
zmKj2-rkEL?iTV}tbfv6gRSMs+h59SsPd*oc22~-&Sx@77GtP8+sXBElXSM{9D$i-4 zuJz}cme*YSST0GX5{g6s6R1|C=-K^l#e~?j9 z49c4t5`AJx`@?!1{P!zn&L+vVcv-QkFA9$DJ!y2!!UTu4lDUF|k|E7~-zuJ0vaAxF zWK(rJH(-LbJ@l8?e#CG>#W>p884#h-c0zI;nzp1B^c54FcHJ&QEEry$hs|_IEm)K5 z_0_yRO*Y$*YK~Y8DW)Fzvm?v)r6g4~oMpmA5I*>@%W@p>HL8*>391Fk#QO0(O~>95 zGdb#zOrNN}5yxMs@}Zg3cf!vZb>guWd9iTnVu@*BuX z+$&gJ3(E&LK1qcqP`_%;d2d9LVTn ziM;ZX2&DMy_fSD&V)a^eirWEg*Kb}#{nT2!3dRD_l6g$Mz{WzJp~d*(U5q;2&FKQV zkRyEq<9_GIu0i_`o~DVuSiZsWvev)YjM$|hPi;`~0H_sx>o`l!j7y%LY{Jy-djCE= zzoW-RRIUDN)>K(N;70^|hoN=lzT;CyZ3*9B_FbP@jX6Fz&x{+!)^DfVd;kW2s`Ao*{E!39eDl4cP3@_Oj(fAa zANdMJmtSX{(@yGFzeK8`ZRi%ijBwezUXmdL{7>hv%TiDk_Fj53bV-wWwoFH)UEWXZ zb^QFQmaR*X`%bH^Q2`8ya9E-E$+0@p54qcZhv1~edB2UWP`L@g7 z^!o#D#JrfcWjAI zv64&{Ogo5jdTvsSxGyn&2E!3K?Yvd^#GrwuL0Y0>4IOGXJX=SLd`1EtwLJbXBxmA1 zOR5am3QZA-qwtGo3zpP}-mghQ84rssOqEW+kf{4|go=fg&`J(%E=Gv>qTn-|6E zH`%rIBvNO|&t7kcY{O?GNkP+xT4o&;o`hm{5X6|igCc>R zyQn^bMz0RREqpA8tjh?BvK7ar0SVNr+&n|)NC{JF$`!rCliI(LPvV(0wX0^49Cn|b z)9`IF5lDT=N#WJ%jUUVu$V6vd61T^NfxQbHWWLDNEREkA!icD$bNOvg%&e|+F&go_ zFUR;$!hSf9Ny~d%hub{;UERgr$IxE0J|I>+_J*m+qiFgLa%N~4w$*( z9j$eos@S_OK@bV0jQEarYK9+y`L#!PoHlMiftt&g`Ac)Ti~8PX8yh!k`#q(d3R2X? 
zeA5LF?}*4XqU(tyF;7d4H$oMZ#V@8V1vLGahkFqHO0okwaB9%yqyPWMH6>_vs?3O2 zO+d?~JOCnwhcws=Tp^&~QPp8M!0QB1510Znu{!JeT7@{EfSRTq8)m;co-BOIT6TM`_FnjNaUO>k zFk!K5cYI!BtNx;Pr0np=khqD&$Y% ztJs~2lAhU0@#Vdf)JpPu_(HBqiEyGcx_{_d|Du7URj=pqB%o-&jrvyj}04m;8CW`m3wpY-s3{gS*R_mo(8$$tsTqYT%E)uy3 zIw0k^lVT}qBylTWWcPpWjdO<+0Ou>w_I?xf_xO3|HGS0RtQEnBwh<M9y{96 z$fF!Ffr;(GXj00Jv|)GLhy&DJaNe<#?@P`<@>kM*tvDy7`Kx~!+i52qno6&${ak4% z@A2Qkgv=>vHb?Yk4TyP;;#)fwFRBjY%2OTwa7H~!O?Y$UnaT%(2!pT7UM08Or#JXy zk@l5G- z>yS+uXuP1)+uNzHT8RA$++kNX;>W<2_`I7CVNXAS_BWw;>9G@E@XZ4%1QavhhAYQ8UTa zk*BU(!2_}ShJN%>#jnK8J&ex78(&hG)AZk>8FZekU1+tW?BnR2vja99cx%8tz3k?a z?tysNKE*}~5_22~|888;z~on3@BjTAmTX&V9}86-VgM0P$n?ZivB)c*g#_WxZXH}d zJKW#JtgWgvrTB)7M^W4>%K}S_IEhH$@k@O?ptT48{0GI*Z9l}^7gBNSw=bG(e*OY5 zy`62Y4brFP^?1Mtg}GUc*poj{ohQGo>$hwIm@&!I0wLGJ!+P(}Oz9gfn+^GNx5_RB z3}()%X@+>8l?grq0Pgd$KLFY)Kd7XCfb9nWEF~;$)JUR8PHIn+N!qe>d%vj`FXj%w z1)hoIB^%c5*&;bw=_sz8Z1MygmG$rrXwR*y^x& zvG0Iw8CgD(8rn3RxfruyC}r?F@xd10Pp>Iul=7XNv0lXGeJHnmzii%hEkwbM?BbQU z_0g!+D#j6ipQi~;U5+kcVP9Ul|J!-ESd+MqD2-L72%o*25zJPudlc^UxXFx{>)6so zpCb2U^#q9j8m5*Ro-WA~(c|LX_Y2#+2RBP4sX&Y(|LtE`3tKt&-J9NTUshH0kQ_5# z5_q+ma^HrYd{Ffz1GI}x#u@OfX0N-fM+0S`@j&)?~VN@b-*3`akfEpl-}HmHp~6`G%A;bw}ndco9r_vHI{6E>3f+hX(sj#<@Ze>R z1270i{|^UaR(Su2kk1tS%{T-KG2pisSyGAztfSIoQ*JF|I^BTDP0tREf3GSN>mVt2 z;H%O4>%9>*{q*CN`JRu1#Ran;08yC~Yqj4AQ0)4M*o|!bGk`HxW9R3H%bZ1&Zgc=fc{jA~ zpYc)rT984&NS#uu%W_nETkdJnf>bA{zI=JJ{Pm8mK$pL-sS6`7G-7u}Hw0`RhP;$8 zo6E&tzmORpOAJb5{V&zA$M(h2ljQC)lA6LwSpmY*gC_DFz#crC2Gzmn%cf zSdNU?OR7~Q^ME9MxYBr6>#>dC-)b+53ZG0KC;j%7WKA?tu5vSrtE|4!;~RGcpdtQHjOA{pn3G4Fq0=zu{XqX431@vZ>Y?Xg~)%W9@l^Z5? 
z63}PGMJE=fc<~==p(6S}0DTWiiz1O0nKXXt%TfQ(`Q=NJm zbkiiMK@)yGLdQ7y&e&7}h{v~mC7lX_HmXwMeo*d53m~BYHvQ&v37tLQEL@`*yal)x zhnPiVbdxRf3)DSv{&xHAY)xCjBO@OC6I+Y)vxRuA@zQbSLjC2&;yUYKT;DFu#Kjkh zQOV$7B{DP+#N09e`I3w8<{NxAvBMDwvBLzJ%2P&pqAyB`0@;4X&0m_|lld}z&8ujn z7xfskD`{M5d;m10REpzi24;xHxFox8j_8`1of!I5!j;xX!XIwwxcg0y7gyz?MS$7C zr7pRyPpx|CFtuk^lT{8z7lfDqRF?a;bL$%E7y#k=n8x`H3D8W%UKx9m>}#9leo!CH zewL@F%;eviAXN5i#Q*d)0K``kfmDmRF67^+lh8v4*F)06TBKtAe%p7F<$r%)d_S?r z1IH}hXjir0XQ_l~j2We1=GHg16Yw)xa5gwE`SNIEAsqASIfH>6@at<9{~1$SYUz)< z$W7#oMNQoPX&naiQ&Qg^+2cWs>W45K+vP8FnjAOVA6Et)lZ|R^|XdZUHl$L%kcD~b^ zT++pqM7gzUVnG+=dftTyRrY+Z1~beNCx}shJt6f#P%xYXl$~89sK0bQLeSzFE=b=H!*OeNHD9WNt(+^RC@CLd{a6m(V2s;L<+;{NyF3XD7>>{g1V_R6kkXjH_N66-AYdrbgqsCMv)Z-6b!>hm# zgU(2UwC=oSFu#WJ?H~{m#aOQp8AU*ncpn4R0jiD zubYIPS&`Oe-7%pr-G|lx+!G!c_FA%IjV7uS|#C{Ki*a za`TDJIDY5^fSNQY3IVL0g$l%pS&<;cZyFL_gSD5YccDtV+BnrKazwOn9$A!GU^87K zMv7i<7D>*jZ*0tPf6sXnL0?Q>?DIKu6})Z^CO##pp3hZ$su?V-04v$~)bbd=Nd)RI zpSU>4;J^qa3g&v%T4l=<@Y*LSZt&LS>h!rU62s}E_~jNU@vxO5y-IeQlop{^F;CY0 zir9s~$1>z$c|FarH60n~n+n|PiUyV<{qCQk*97tx6n~7M_O|Kd#{C6g3ugmpR((gD z=BA}@_q13^`~)%RbkKQ?otVgo@a$&a0V#-sF&rgRQ<{ zUk6qk75NuF0D+k0Oi6+q&Vi})gQo^4=sDDxYE8AD`L2tqPzREpW-mnX1)a81M-gV$ zi3Pkb1Xg=uSjT6hFA}C%!9Wt_HU)IO-g`j9Wf13bF=6!N&Sug%TDh_t=(zQLM%(us z+g)MIxmlIHTHNDk*f=8GkHwpz{Hjyf8AJ4Ym6~zu4Yjz_$s9A)ezs`)@ISMpm26wj zPl%00I`9s5il_&N$PxF+U5VhL%qlF3I8N6qdc$E)eSLX{jHv=%Z;Kbk!K_BmJuOy`z@j z*;j1qm^th!u(NhoB2J=|3#)oTpmEn|H-L20U68Ziwl7z-D_z#cza(xyyU-*KF#6Xy1Q4!Y&}uc+X0?-F42a#2uc->) zYO2zkXT*Hqd#B+;YK(0R-D-1En{}OH`ImUWpjrnzT@r!w`BW2BTE0fENAK~+*A)_# zqYkZT71IYrlp|#M2vDurh{t)y(nNH=gyA9m#gSW*ZRS~Dr4lah)Uh669k~%_AW`$P zyUJlwN}AIVTa3Y>M~@6o6f|~{)?jcUIfq>`*I{J`?akVzAuJ*=^QY=vpjV4s_y~$W z*L8SWoGf5$&U7Y;W+Rj?NHYOu4WQit>W zO|_u-IlNYp-g1zP=GS)4+@s*2kn>GjZ)mje+qr;aJ%_>PaAfT=Ul8<$qUUwn$cZ#N zDcpREZi2_w*g$O(G8z2GTG#Wn&vuK@#->R`=YVe=zM>(lgP}^z*gDmxPbnWkwO)&y zi0n-dGei$$A{WBL1feI2lcRgZV$F8V=<<3P!Iw;P0#IWRa9dSHOKqbZ41B6MlSSLO zV6*ie3Y#}*XYeu0ku5@i&%J<_#tw>W1DBkJ>R}w<-$cNDDdJ&UyL(qxPQ*$%296q; 
z4b}lOpTc}XggMM)9yJfmM) zCn!424Xz6Kg|Krvvr=(#bHHb*C-|eaIKX3>Jr%k8)5YxxLT2$~^cK3$VHA3>>*}!c z5nhobVb4-L@s+ZHlrHG~`KtEhE<>zD5`oDCn3#xeiK^#sRJKp`v8W&V=%7c&rKw4W z8u~xx`1IXgCeswg3uTPRrWh@gI0W*kU~J+6-^t`!4$6D87`GRHG(jQv_>yE-Zxuk> zsw{V*0GOGwX>zaRl%sW#?{QMr{Nv&D& zg$2#4limT{xvF(ry*=Ipi^Hl**nm^Wv>RDw-3TsQ+c|nDOME!1G&HOoiJ5zPI_i1e z5ryD>-$D6&rBwXNqD1b7Xi!_=`MXR_CR#X(`9i!rpOgd?yA^F8+eJP_u8_#mKtBR)QP-rOIO*YZgMl5Q)E-;u7WXk6}!mAjE@Khq$*UMVGk zpHt!4%6JB$ZING}NcSHCIyq|wy^Pj9N10O1IZs~M=2q-~1oUx%O!Oh31r7U{ zTn}597Z2$(d)4Af?b^5vEpq&>q+nj7|H%I6B@SrHcfe@bO*XL%mI2t%bx2fI?5JGR zuQ#}j!n4I$AXM{D(t$axomVCI>7u;;q5#Wjf+VhVmqcJ4sfpbqj!)C<8-~n5{Z{|z zQlK;$w!(!Ho<)kU)=fx}FDckoG4PPJ%XxDgU^n`4Y)hqpGtxUM9ejN^2IWz9RWgsW zxl}HPCm69>b3}GbedmJ$4c}lH94EGpSm3Xr1IqPX4UJ?ZQXT_-_>R;=j-{8c1n2c8vWLA@<=Vai*%- zCA)t<4-Vp_s&l5crIJxwlO>{|5f~7t_#$y7-GNHPYk{KI8V>mC*A11UjSSw(J3#x} zpr3ZhLIay0HLhY}c{YfH-c}fn#)cs?RNv~37Mn2Gz-W#J%IrpqE4SsfPg$*jW~Eg? z@629zz-q0CA)F3Vfa3hBS_`)?*J!x5rh?C2j|Qhoi4`;CDktmp|NL^M)68_W;2_Hz zf5aX@^;~5-S}B!SGA^`S+#0&7BA7iS?U#;*0frG<<RSNCMqA~k57)+@n>;^=+$}NFe)4_O zUq2nJHHt6V7u?lxq9-QR1;E*vhS2oYx2+FBpl4&gzqg7n>|niyaGrXXtnp6-3V*-@ z$$uOPU2E9Js^Ll{a_>7)W3m(kd^ZbR3o%c78x(lAnK2Yj3x2-#qo0b@nd^GDB!g>Z??7ZafnF@h%& z9BF~1Oq@;p>s6h1Ebuv*O^3;<9{oP!^xqdvh)pUH;5vvveW_UXwb9PQ9+mv5L}dn8 z0$){fcBF1!nETVM9Dw%}JkuWJqpjBy8eO+7QdB_`OBs@X~Zj~2NLQ$LL4 zI{Fjs|cdAeS8>w3Cdb%K1=4d#9!jSx7Q zasRvMA^KN!{$D1-=0p%P3spt#84n`$fq}q-MY#_3P1pBQTTAhZ$Nt0kegT8*$7=d~ z*?IzozGdrz)#RhA9q_jy?tCc?kYC011H zNcY@2$rSYIJG6?&zb012pI~kKgpc~FgJ&Q)F6Tj-&Rnht$HgF^=Pw%Cqy}PD3`%ra zgpS=48)5Io1wg|Rw@AF$<-(t)vHGoW0fZ=*y+fenV5^&n6hu;fwk#tAPzc;|#-WeM zVLuHeo??6ULslu}_N|_Pow`0-ehg<$**~uP(05*PGV4i^*^aJxSJlY)v(;7{$Ug0we}Lwm+6qnQ1!2Q^_vzVAJ=EXCm1GV zhwYe$T!OX)L7yIL-Mh$cL=wFma`_Dc1)=_40~GJd{mzf<3y@DkRdxlH$g|XuVn$`6 zg1M;MC3}6nMKi-?#p$m8%O`)5-_ZxTQ%w+o(yD7WDMnUdhq^7oumO*4o2wwn@c+D2 zf-Du=k|ma87`77T&%jy{>*YcX^zAq-oQ0q|Vi@r0~;_ zVe`*0V4h8>25jK^=dbsr-RVJ+;~J=>(c0XgQL>HC-WWmP!Bn^YX=LE9gwN~wAfT~q z^dfgwr+kRo-CQ&(w(xNLaCe=pMM&5>{5U>mWVZO&X!HJPrIE0AFtnY)jCk`p0B=a4 
zk|Kv`KDhcIImF)xtQ!#fwEgra1zq`D_xA7Ez*`th7Vo@OMlIb7PFY1PRye>qCp_#c z!yb{5pDqTu3v89gkca!0Z~*+jgnOep?KRh~gS2*Bi&$26iuK z9RN2~<{#Ys_vybsW;*G1h)#0S{J0fM3pj(>h$Ibw@t$r4i5R*s!A&50U^(iqE>WpX z_7-_O5x@EZ*pGbQJ$??GRLe0~Un&Arv6qC4`iiSZ$R$`KG%lULNZtSzkFwacIS(QQNwN`? zSgdd4D*9}4$HHmKylPqHjxJ2eZ&JIR!LGjPxb|=t*O2Hl?TrcNrcC{XPZ<8qHlGwa+VdyCVZ9PJQpMJZ22OJ+L{$l$+M5_ zjVh;%oHz(EevFvS`o1YZJy>g#1jLzXSN`+DfZtV>ojA6y9GMj}2Z*GJgxaZev!b)X z_B*uQ0ly!N!t>gL;Zs1~CLb3)oxX1--6ud5BP9&%{#Zz5LEd)_SxtwHF^Sm?F>U^2 zfVpvV5KwcUSdBk76$WyEQGCgz@{VT_7B86+jB!dHC|jzU0g?PmBGcn5fCT`4p6crV z6W30et|5*>_x;c;ZwDuI)zO8XQ>C$2_Z#Wja=1!pviJb|A|+67%VvEu=X<9xNv61y zzj?McCoo$YI>eMk3|hNt8tpo$#vBhxkABrFKXZ;SduF6VI!Y1Z;GyR{ zMRw3s$fV|&^;?G%0jI3LCVk-lNnV;fp`I+P+Cv|pCe34z(Rsm?S|oB9lJ~-Rw7^A| zRngH3=bg_b;VA>Vy*KRO`OPkB-s>*Jpo7ArQ9Q4k|FU(9@Tn{$_xK^OCP-B>Jj{rs zBjkQ>{PAcEHFWvjgWC-QP1|s$nckH)J5F8<&axU_vw0Sq6ip`pp0qUc6QyXl>5#ZM zYX$5N4*TWpD0R>(F5JIIXgwJB!&%HkqfqdeL-d{f*a6U<^d_G{pI#OIlxU7vdK%JB1 z4|9EfIZYduyMb5L+Y`K3^|i!l%FYQW8eDs?VU!~IIvGhTpZ3?+j@k$Z@iUhb0e5>r zHA2}}n%w`{zbkqIB|De+G5~0E6Cf%kdeNt10)+?94#3>zixe2Qt=VK}2DFof5pX3x zY>r*brte>+UXtqy<{vp2venLJH`_UW1MyWRn?l+&X#)2Sl^PIhmnD_dNCX8qU1xf2CRyc97@)?BKgV z0s42NY_UZQKRw#%C#Wf zX^_AFe6G3yp^!V(nDCPp#8@&IWIU*LA`7)lQ2u~qD722`K(j)F9zg4B_h@4Hp`!}a z{Z}VfppUvA;A#jr?&m)W``=?U=wU^!206+=oe5=NrzwF#KuL#h__nv|GS^;kz%^kUFGMM^v&n4%)-`F`&3q-G5ywA2Gw730M} z`Z-}$lDFDODar{9k5hkC_UA^nWh{-66`{1GW0#8fvklkWEFh@%GcnQ^yTkk@hhbU`gQje^ZZy)d7tm z=2JFQ{QLCqi-0>HMJKPulY4Y6Tvyl{w#{S*^9iyjc+B>MXS1XeEkuyxTWHj zzl#K^3f!lqb?8eGo1scVI!@Pd?Gu3-UjcO)jW^|hL$``vT=mg7>~`{^_ND^-LC~6l zL&;WErtukVpztS|7sZ+IV?mEMXuvB>yQ|5x8ZYS{Puszayg}-E^g!{lb%uJxN|n_j z*0#5yP>P@8HLvfyQ_rtPZkz!B%k&L#$3*abf~wsBc3MFztesm~D>DsiVCXh&!KTWBMXCKQrvP}?jev?&26F5=zc3x_-3063FVEF#37Zy2XX+s9k^*J)xZV7@uP|qe08w?P0zeh6 zUX-XC5(%T@OQI5eg#Z6|d+VsEx;74UP(cN;00|MWNClJz2@ym(hwhLDX^<2|K~iZD zh7=eY=^8;wl#Y=`knWlRh8gZ2@O}Nh@7{ISx@+Bg_a88E&Y5#|Jn?&;=eONrZp&}_ zu&n9~wGrLvAlQ)*N}@lE9qxUCPuu`c+e7Y{;5hgVN!+gM7&{z`78lx{fYlwwifRqf 
z{fx=cck1W=%qC@8Si|)QhdZinU3nv)8z5#?3ICPjA3k#3EQ!O59m@+IKGNWiMipyh z-bfbu%gh<0FI|*p)(<; zR-RiVETA~}oV-by)7+h5=W4mJe9!VGLd0vgGFTewz-=k|QjQ|O8Z#|{(HH&rGKtSl z=27?aBw}Lx+}QY|`Tf$hs~xkzZbKJ?BvEJa2jiRb(Zx zq(SJslOis6JiW=E058Y$QT*+g`S6mCO-jbj5YqhbRdOAx^_999oKC*W*KSY+(oyzZ zBb3eri@;@MiYch*fFh64oeEDZa;5n;`qS9+0p2-r3daNNSGNLI`DfBbH{=Jo3QJHL zZlk^S6Op`f(H#0>*+&d{2~nf+S|Gp{)x=$7uC=#{qr6IC@zGLr9ZHYe-A1rWV z;LniZS8fu>t;pqkfAsTr$NOUo_8;^6on6a23YM<|$CJBIoGa1axJ0w>A=pl_bWO9t z%R|MCmeBE&B5Xpd@hRxxMfgCKVMNnIqgT|G1#0WrS1a;IwDV;|j>omVWK_g_RWc_> zg}9FO;iif3l^j=9knI6B3b&38kuXb)TWPLY!@ju^IFew?*`_>59~c29`)YY*Pa?uM z2|89kLh_UV68Wu4^>dM3zjM<{g6Q414*nG8C^|u{7?5>;^rh@K@O@?IH#`hAkT1en z2?Y4OnXk}vJWpzzdVir1s4!sNoP2OuDsiOe0zo;gQk zbw|^?P4O{|kmQ;>LE@S^*5Mk5z73m3;fhW6$nS$O!XVmJq5NA{APfOB>x@99`iV&V z3I<4)wtWw7$l!s_A;TNbp60&5e8}Z-!$Jd{%p0$5my9z4^wz10%69Eu?+4mN~!NT(1Yn- zc@|>>pB}Z+LK+5saxD|tb;_$*u{sT5NOoBN{L#jP>q<_pqB4|G)tzY}A(FEjcq>qw zrV6Nm3Cf;+UC?(PrYPd;7%_bM6&ji*72~gByDim^U(>>`|3q(7Ee>PM)$TG<*==fs zv$Ui>)68KEJ@vo{j*k-yt~8%@5V+;Ux6OnN=nDgq`ho=AUzgwPV3B^&43fYP|9 zVt^T)Ho(WEAb!r_zDK;vtK?#WC8#v^ZMM^miN!JxLCtf+2uLw@B)it5 z%s(H9;K6iBJ_i$j^Wc?bu!m7&`XI-=FGw+lFkk#*qo!JrGboacAKYd$koGG4o>m{`NeR zt?%kcx!#bpBnDNf+Lr2C1&Pcl3LszrKLvp_m4UFzh^t+B14Djd7<|n1>h+fj9cc1* z0(FK~ebMYc`t@RF*e?_$_SYRugf72Ss5w-lB!cYd&nU{Og??+n z);7&!PCp#3a!^gDQS8~+qfh1w8!*q^bEky4^B13czXKgMSyLbR$3 z>}T^m&Tto?%5%;QLk?#~LFxmrU0LsYGv9lkYb6U{%FW#6ASBSQiM*+*augYDt_j(k zk*p}w^cf+r&{y`*_VS7Ea(8oKV59Yf-`e*X^B>AB`{m^UlOUvlP*v8T0rAkkU|b z0i*A3aZO^0x@NbaERKh14ESq6fOi@tuI|CYLt*Y(z~5hT6qbo(8WJ%rM>1+u6o9&L zBHl-~w)h&YWS#mppcCH`d8C8thI@UE0C0V42ds&oW(h<0Sm}3n_ECk^?w)x7uz)~R zs;x4IfwiQtb`UTeou|;ywJEx&d~LU;__T=D6tU0|=S0=3*#kfu->Ovd!QT%Yq}RQHBFIiSlw80)QO zo^2rVQ|ZHHQ?53*($nB+%pQR9+_d{4N>YI7i^>#KDlI-ltj3H>7wHV~Xm*BHr^Pt3 zwiztQCohA^r_KAwuAsKU_58l+!;N2^)N#s@v+e%BuT%jTSuYOYsccNd=kUR9D`D)wu z1ATRyBM;7J1T|MHc}j4MZ0(w9=$O4`9=)&@ehBD)R%mA7r1F3Sgwbpn(jk$E6zL|wq$ZjR9V*T;_YS7OhW_DocDuhhR# zuvyT=r;nr-Pr}sB6EX!73Lp66)$gV+PUiQFMr5YXNu}m 
zzmj~?W*5Bp_O+ABYhX(-yH)x&ue8b&$*Nri(of6*N`)Wb=vSb^TCq=*rfvEtwZH?? z5eNU8qY|EB*p6S!;7JZn^AZ1GCjSgvJB}){YpILuw*B;eDiCv!K{(+A?NCmVc$Icn zHum^xJ7$fOF!K1E1hwIEtlmUX z;-jy`S*wGEn7jsyPm<7M|H##)kNi3(K+%~cfj5^!)sIx>!GlHSN+)$wT0P@;&jNW@ zAXM3Uv{~5&q5?dSS^LGltP0D1#`S8^oPHe^+Kd^s!H-~jH#ZN1^<2fRK}zDOy(gk0 z6&Z%%`n5`3H7?6_PQ8@JtQ(Nm4hYfm`qEM3)5~?pXP+i#U+V1A2HHP_7D!9Ryzn2a zkH~H68pVjmX-x7I>04%d%}7aavvu7YD<49w5Pe=o#BwXzs$VWJIl69%EC}N0=O`|u ztuZd6NGcQtJD=@!wLFLE*n86)v&Xz7I#Fk4SyqRpryf>^?;Wv7 zeb4)|HRD>mKfqS#b(|ql^0SF@ZHw8fb|BtF(h1l!;5_NOs;jCoF61kl_P0B5E{_(& zrAJ+2oDV_r;?)t9UHMQaTdDT^-X-=23`OBETF7{XQ&@Rh(f6{0L9NwndTxl=S`~|& z74g0D`kK*=lve>YubtrR4L`JpcrtY*8;gup2I&GL{8v|wcIiDD??BJXWX+98f)E?) zO8@D1@g(KI? zI}<8kOIYU7bvp!sSkX`whtuU-sertRATWKIt)J)Gb-9?c5V2p)Al^g$>!ZTzO>bpT zl1*uNK2Ih?h8wROYLY97F>cSG%ZsA8-b@dmrnT|) zU~h8#n9ix``SK>a!0hYHCYnzZh-Q6eDWiA*>Nm%&Y7@*glaW%Rp=4K=&S#{`e^&)G z?5coQ=?$Dc@jbVJt%}ZW1M4jpT6LYHjyxRMkiw0q*!valoZ7%b8K$B;%GgI;N&;b? zWmV@NU(e#>crVZW#k3#(Uyyx*JOp^i^VXvy-Y5S4e4P>bWj;vXg72Qh(-s{Puj0b7 z32gHN`nB!pO74tQUGHa(4k@m`n2Z9r3UyqDAwa1 zs|#^xySEl$W8(7nfp2826uE$>?@(>P-Oi&**1JnnzP*slCqaB=R>x+6GY^z^LLlue zxA1c0<}lvNn3+6!=d$8^yKn1;)J3iBr5M-W z>xEn5TrGV7aINglv6Z(nzjVgwj#Uc-uv7<-@z^E%tG{9sK3~I=duJIK7f1+%MUui&F>e- zGSOUMehp^q@yQzXEPqbs{*w{}?u9{vcy8b%pm=^B@XWk{Czh?g>>4rf{syuaNpH+S z&A|>}lOWT@9+|ZI64}vLrP_&GojHSdHf5CmIN#tkXr?!Li@Ox|TO;oArgr&x3C=EG z(gcBg0HWMv9@z3Nd{AroF(x@lgxnsZ>n{LK$T~^=K0X=zX-_;wj)%(qE^d87g&2J9 z=rsW_u{hrS0jTA5ksg_pk-hJE)3yx&rG+Rp{S8M!em}-16xp^VHt!fL7kGE8gRZYs zjZB|A@O_wCYc)4+d=e9Ac?be0h=ZhNliV%%tgZ>~ES~2@EI98tE1Q|@#@kEU0ER@T zXy`j9xS1>9Z*4*P2B;ED-Wq!{gsOd8H~+ZA$3@)%CzsdYT+%|c4U(~xmhd?;73Q!~ z)K__R;Takq-*-9BTXokrn|nb<6vSzd;~5J!Q<&z6!TiP zOQtMX3HXy@`zJt6>b)|cj>5-zi?->}CSawjuIaCiCy;@gVLnT2SC*G3bIjs5%=%P; zH<~ZdQ5&Y;OWmP-xozp~UAh@T)H-UyY0w$Yu4e;c1RxB`U5<0D#|I{o5u(YO-bHAP z>YzLBN4PjaGDtEQDG{;{I-=ftL!i8i!Fbkj;tP1BZzfBL+M#|VZMMaA0*p!6|Ktw; zF@3l(L{EcK_yAM$GT<))RuLq+CcM>q=&%U3OP9qXas{9*_Z5qZfi9|>FG(}0chY)b 
z>}bx}W;t0qs6G9Cv6o~E5K{mvt{Y5*`Q{~h=iGyI8BQn~+jKe1E;D0tIeY>oa7wV9 znb$c!d29D<6#4VsNgr&)~noFYjFYyVRLEq4MXG5x#uCK0eHdj3Jp*GpP9qzojm!5+nt6 zQ8>iJ)u)Dw3&qTL17g#c86bg7XqLXgnyJ-b0ZLD-en) Rt{GIzQsW$<;3goilTX zZRTr(BfFO0UhPg&xRbKnt4Kgkjc$-|p$&A{(Tz}R$E#)Uzw1QFu;joa#; zhGPa?ApM2>fMK{Qz~rH;ljB;FZ$a=RwK6Z^%F$>0LsM%X)4Nb-Lx9?B0?M>-I*{iE zxXY{#jX*5}j;uxYg}+OJ@DNy_G#vR^ zwyFZ>Aw8qO7Xu*VNKx?&5CnpwfT7wQKCq8)rUK3`4{4QE}MY@$h z3#qU*{#m7tn)NPxl8j1FxC=JI*`RpU>(hnLAupbRV?Me7Q6&Q4IHqPvFRm z%IkO^1(+jftdELzU7M~N!8*|XI$(UCm%MUO2YGQE#l45^GS(my>CHqgNN718D!^ZY zUl^dCi1M$vhHT*H8b^Evrvk9W%6=wz(5a0Sb$RxPjHGzBkCb))%Sa|>uK{S1lD95R zmZPjGukMiRALc(ass|RlG^A*er691dYfT=~R4aaxE?73Jnw7Y5q&QbeD1}~VwwYyIi z`th5M6hM@^MaTA34)sYq2Nd28dL1-IaXt6>N-|ewqyK9av4!O-FuvoKbQZF6gFUnV zI8aH}zj*#}8e$KDjFVGRF2@&Qf0sm@}!A zU6z2wb1>ZN2e?yf@{OE?2goFCH@k9>7^1WMSux>;fCclF(@Xh|J5+hVN`Qtj$>Cua z2xRJSN2mG;(xA1L!+C~oK*6jj@fi!Nqau%dkN31}pp?4vflgrJ?2a@7zhcLX*r#fv zEtu3ge|0z;j$yW@$JW*;O)Czg6 z;wKRWhG0I>MOW!JDp~c{K|U^Qbx|MUQ_1;`nFlBmB>uQfW_rX~p+d zfH@IRtkz5a`iSQM8T7%Gq@OXvcRa|-sGBD~M*!+6nKh@2;2FgVAP`hwt8pv8AJrlI zT<4 z^T2$166p_LQ^s53CSk?z&N~&nJk$*V84g?W*tB;7@SzN>M@%exRTogKXlD2H+=J<; zG!1;7l|zin*!BeDr^{W{CiPN;4m)*@&bTAG6M5qo^`9LHIB|7Anat3^2OmCrY3d%! 
zet(Kp|Jm&HZ&nxf zvi?mJ(4|MHQ$oPVh;@F^Mlw-HDfTYeLBX7%%~QCT{}tZ;2JPbs{o(Oz2C@HJ{sahr zE>{^@6UicTmD8O~3#p53^E_H@qxSCWp4$^T3g4XzE00LOOT3~HCA2<_&|i3NSU>Fd z>e_WBBz2v``pNUAI{!ysM_MiCyq?b3kY>mBs;0%r1U{dRat6FEb*jFXfig)oWx1d# z@FM?2dO{Ze<4ix+E?R4R#Pb=ROw68D>UI9{6X5?`{`6ml{h!Z&|AVUidmR2nbdCUg; z=bVQN{5#=%f4UERCZ_aX7WAK^+Ry)0OXrjy7=vZ?t0eS0*uUCb2qvXP*ZveQ)vm!Z z@szXg6c?MVK=R!`t>qsJD2O!YGf2~^{ed56;=6#=n$PUXD>??4v1dh!m%eDIHDK{( z2D=}n4P*8GoGmt~cHC1+L~wJCAZ~nV2x#q+yLCD>UA1_R=D7LE{b3-yhxa%=ZMsf$C(iKi@$TPUejgFL~?DNN`C%71#eL z;Bf!*DgH7HI)A&pJqp;DC;AlsRjPe1J{9bLn?Rc5i3|Z>jQ6b1-6tZKLm z#R_DC0o+;$j!QR^xb$X%Pl+wa)K>Q}cferPi zjbFb0=*P)xV%uL$fzpkXq$$3j$m-$6bQqVpLf^~u-NV!SJng=-9WfPPC-WZ8*RgsP zHVK_DQBi055gY(Zd(A}gxS|a}xFj#NEyNGlF}aVm(-SIyKy3=QqIc1DietbkqF)#5b$>@f2*iPu)U)dky@ zAoHmkV8sjY|5>79TD_2?xAZ>zs}CDxcylWIKgRpv*jFCItESz?_rmKGMz zh^15QpHWDhXYZ$EmWx{BitRL)fK`k8#*Ufmr+x8KW@f$?;-OlY#s>7+e`x)aPU(mw z+R2_NqKWDNRm}Cocf(mXa}HWphCkP;{pvv--lQd+y0rF$f{#1LVEG{Lz+%|z;*Qj! z>gBt77P3f*8oz`>dOgKPmQk~pi6YsJ-9G^$U)LRuC{Px;Z3L@cdjWIfBV=>PT}=@8 z1C!~5l;F?M;QyIDJB{lPr02Dtuvt8lx6aI5Y&*(3TIG;YpjTV5-D?j9C9T^GbUbRr zx@Z_*x8qV?0Ad@i4Mi0PPly+={>UJMPjH1AS7%{DCg0S%9S?;&4IE@vRWND~+P(D; zZ}RU-*TDJrFIKU<&hCaMU8LooB19dY#FZJi{$edBHxcTK9~v-N64bb>JEQ zG$PUo7|1;^m%K{&Ql)@iT@nu>OH;@{EN3ALqy$AcCZM3URP)|*P`FdF*q=SGHvXh7 z9oK&_qVQ>z#UdSBBTcT`vt_3j$Tap~N%`^F%2hB|0#i5&)+-j9D7Cw8WF*0CCj)Q5 zMpA7912YFIaWhW8INZFJ&^DG>wVNN+kaqUzPE(@xa8`Thr|)0&DCp9qK<^^H~S# zKr-g91jIkMUujw+*6vFkQT4LNi!Z*>#WI{h8IQM&MrEJ^84V30i{&HJMW=4PELdXL zPi@>MKDU=!&kjj{5efH|$W2UdJfLZ(rv(;F3M#APaiOUHW0LyyBGYsidUv4u z`1H|~_YJ9H`v6lUoSAS_5Z9ue9!WE~V5j)~6S0cr^_s4-lyENhg3Osq=@uBA^|R4k z1PX?5Of#Y4u~O?`vAQhrD@V>d&AJB>+NGu0&O})gd$>9@Kcu%U_*QTox7>16KLeK& zSc)=y_SAX&Op%b@%-VtL_x&Qt8?f3ne`G=I=G%@#*j-zV?|BbnM7nX-ynEGW0gU$7 zvOMV@rRUs1lk`3>0)Fov1~a8B=(4LquhthmUNIt|vy}}%mxmIqoqfV#2l0l#2qgMy zeYt)}uhdjJ4oz|D8PEP{=EfJ1M4On=>lc`^h#UB6z7&atF_Io=__h1Wy%YtTwvLqo zWb`Q^JRI$`*tRk1Cjg85O}yfUU` zbDe2$Uk=LhiI#ccyh2jrkA|d-1xGXV7wingQ9S$djrV&H_lb3Ky 
z(#j)OE->sDg-n^Z(A%UpWZ>PptEC}!Ur*@@V2yzvV{9i6j{mEq&Ml^YdRLEA z^7I~0yxz@oe42WvdwJp~M5{zY;YJpHHHq9)B2?@>*3f2UDkgpl{nN8N@%m|3fE28L zx~f)t_&CaWP_j%t^gtif`mjgwPP5%X9t> z@2T2OEc9-Sl+@fX19kb*X_tM=$q;glg>vLwFO0}EdY`Rso@Mhlif#~3<2e%O5zx5I z`V6M$Ch}EWf1KiiRJB+NYVp$d>h6yuMb*|y5x@|D#8xE9$FsSUTIn=;7~Q0$yyfWq zo0VoUo>4Bohx#4>AgE3To%#CxWtx@dH*NO;NNV+5*8~b^4Np2ltYHD2J?D~lkC$N+ zqq@672#g%14)W3$zi3H6Tv8uyuecRVvKT~EZJmUB;a7E8DUzt2E%X=M%tDWJ39a$< zMZjULD$8Ai7>=Roa=X?%zvKQqq9+$13QGK`BP+UJ)URMO!!8)Ip(1f^lXx6?PZVoPx`K2mt6EA zU~X#6(3RNNt?3RJS+_6JF^CdZnhuWwX*GW0|KNh4EVYP7w6t`4wkiWxK${xP|y#^`;{T~z8;GrO%9LqTe+F-tB#V)ufxVUJCx ziuhV%h2@q;yRz8VRVKZ`Xu#aYOb{cdyZ5CVdZ1KJ8hAnGei<2*(dZ7^W#z7?mGe@vDx#dRk4M|kygpg|x&S^7P2B>hDg$xjQ>gRz<= zfsqQ-EUF0oG?eQ709~L*%@a%z%|%sD=x#?KfeU+pcZRhRY#&6%U4)zg`o?-#Xk=F@kux#fu4=kK>UFG76ftjc!uIUD$0rsN@68mfCiP?)*%{{%VIMZ@CxcAw77nOhA&=@BH z*@}6`mNoO~Rm|kV!y=H$^~dhtdNm0M$i=GrAgJO-tTNHU*#It_Uq}YQs*vl-v&4D$ z?>%&0&nr=}>3rSlhpQqPNG`o5_)~mP3uF9AzjmFnr2k$N4S`NIrf# zdxDdkj1&0V5lvLa_H3h>OwqZk9{>bUCQy+3BmLD1%~;{9)saG?hO>DtduJ!CmFh@% zEUp79O9q~pW=nYXYj+~g_tGp@8XPf|Rdz+*%mlvJ9pberqzY-L=kD3eZF)1*%ZtS< zvMgzoOSfgC2)_y>u=?iQdVf^MlA6AqIWr`%Xx

uhKX}o45Z~ci15oO2TNc}ny3VkN%$<;$(U3IPP2)4X{a+VJ3l*i7EjYd1;8{7| zjaW=|s`96bpzym;dP^V8$Sh4=*qa;XnuLjJ1C)z}r}emUQL5)~6*;~kVadRo`b=Qk(1nu8;ysx^BTY2cMFE(5+TZiVUQ-fkb z^5r0WkOIQ&@V1cZhM;dxkpakya&!PLv8L2aLl+W{s+54eX7I-l9(tGW;bqL$I+t5Q z{cc=Tk?&T-bMuQ2AOb2a=QVhq26P4((bUgRT)L=oNxkhER9O7Gg(z5_3uB7j-t~O^ z2HpL=4dXS1H*P---55z=*^9al9okrLgI+ja@u1&fSs2>W>snSg8tyCXYhXU2U*q)q zpsiQHao!T2gfr^$>-15zlIT-`vqnu_mT+RWMqW5p8BJ}b=L;j6+}0S}M9Whhl^VeU zotqAxfCtC^maVZ;F?x6dK~_hXky0eL3QFIPm`4Fw$+LML4v?7GUX^k%N$9BJjWBf@ zKgj(Mrz2IfJxq|k_v7f@kvICwH)O=Pohv9DPmTCT%W(3af<)S1a6JR05zEYaUQ64$ z;z?Z`Lt^oZi%Lt*ol7Gw|eK3rz08n;h8m$L-oZ{Aw}C%i_CrqQr#sxiP8pMhfB0-_eFMH&BVT!%7Z&;V zLx>;k|JvWj-#PvVp7{6R|7S4Q|9=-2s|4PE8z_h&ZOOo?BThs7QZ)YLQvP%EsTzG# zfa2PCW2$lDP6E*`CN8WLc7ow7{~_|DuJPi184H_>H5;on_EdGKgp(9`G z5s?a`F;lj@P7_I=*@yvY_@D6*OPR6kr;6J=fwu-Ky8xqK?8DTI2De7qn;)Z+rsl=5 zMcoRlxMh8qsP{EbRSU^UML|Zygli~3nzH@}w1J3QaMm?Fz;ixqr8E)XiEF5TTnT*D zL^M2~p-23XS>o!o9}eGhRsm7oTgj}7R^tcu9gJcFak(`iqE%ehL-)R)4TO$W_e6Jk ztdQVM*nM3rtVl*VYl9ki#7s3_<_mjjH$hg7isb+5(@5?rgIAQk3z9dl*RQjBF!QIu zxqXN&f20VH>L{LG)`QXscY#jMYqigz_eJHA-6gI#+=-0Q-e(l zWC@z{OFh2e%l~w{ybcB*%Bcxw=FA{K8^v&tFKCrp#Yj?In6v1?ZOwicsw_YcsQZo% zR)7R(G#v7TrFZuUbN1d2^>UbhqY%ha@N-o9AM7}lfxBJz=6ism3`gF4au1+e-GI*Q zXI4`P^OuKK136vN->YOE;CA&EvLeYXHs4z6O42$+grDLyT4pQz^$9RjXuIY59%4VO z!mUC8J<^oLB(6AeB&Dz$Xt3$s%A=|>dN(=%5yh2#O!D`i$D>fm>x;Ap^R?Dbid^(v ze7+WjO!4YL)2DcTO=?7rYP?8RLmE{8@*Lh9zP{D_@TN@HDwCn@sohME#6$8b8RYs% z1A?R62ku1oNUBhDye56W(WwAyx~(;^1*e%EnH^FdOj<*E7JJ)yDkGlwBSS{@KXv;> zt-2*0Y2zKnT9iLv7Ib_I8p&s(Nu$53F>J;RF@xPL6 zz`!U$Xnxb>Z%xlx_lemPKGWr)X%o%S?dI7VMUWQcy`!cvOp$L%&}H69$MORmb*{j; z#AADoefukX(>d zJ&)q*;3LBD0birh0f8O|%>3d{^1U9Djl>s?p@y|wdT)o%>3_zVI2P^Za6aYa&YFSd zn1EdO2O}psBp@I zlF(~MAHLgE7+2h#msGSY9(ABfQ3o^$IcTJ(flq;1DX3Y@r4yukuTw>xd49_A6(OY zn~~;?kU+QOF`{kmm?})0T&I?=AYu<}>l!36z8r12v3#V07`)9d<|>ntPvx z;a8WGW|GUjHLg$JCbJ7!W#F!sdg$Q`Ye>cQ+{plMCS3QsBd5i}+q?BcNQXUia$&lv zhy_Nu;fb0hYlk_*-uPT$mQ5jxn{Dm7WC0%#t@iXrw$8RM8fknX^52(!>K+}4UJ{(g 
zb;#qsM2E{`TwsrnJT?tDUhcpY%eB7OF1H}`Yt|is>jJi9{zvs4|Mz>eeQ9pUaCa*8 z#gU&K>6`+On88h|`^&5{XYvpd=MfTVydd9&krWQ>za9p6-}qZp+#CIy7D9L*MhD9j z=PKB^L^CUa&A~Z9g$5#snfL{})V#0NF_LR;paYMzw=}kTUM3#eZWt)y7@nl%12CNH zFs*HB_p{r&eu&J?Ov8=#$xDqQ@)V}3qE)Ve&`QT0YS%%dorH@%*Ra^NQ_tAlr|pri z&y#%^B2f?Ms4QNOG|Y;(*?aP=(TZophm$;JNpQ#|Ph?PVsoO@Rdr1|EXxvUUOoa(G z81lwJ#9a=1rx z&=tL*?-KKps{^}56$`xvyIE8Z^*Dx=Faa_7{z$bKwS^CrBSraR*lxV-$~#bhd_(w? zV0WX>r8R?570HhbzV593=uC3KDIy5-pPiSZ13_-6CMJ)Aa4rm=uL#;7EP-6*=a(bH zm>?Cpo`Oa!T;Vf;8-GslM$+;z2nyZ$x1$``=ZjAQ#)4odJUpAW;?ZcdUiikCp&tdS4a3Kfp}w3hg!?1gk+Q{7=;x=>>kmTPCcN@4-fwY;aL7XMwN^Cmk6M*? zP$KqPG_YNuTH$-Du>mHGFJ`~t(wC0ApdbbEw5b_2+VLBA+w7o+jKjCy$&Gq)E=m?3 z1)&OGL&LO@wl;{Pvb<2+2^GM1^pYtLS)jf(Lw~gQ4&hYZ@*5Rcs87}_>*h?x_S)+g ziGllI_wE~pubRr!!s{O0W^5W>2mP=$A!-rz`-|a0ON=X*SW%YM>$N_{wbMQY;>G+5 zF6jQ8C1Hf|WUP=Qi9?qQY#DYikj)H;WG?swRUBBU)@$KDE{80xA22T z5%so3;Rc7%E2J*hTOX{2k=39d+={>Cvk{ObT@wKvQ>ZE*;hsdQVPP>AOY^|Q*| zvGdFq?=L`mk(4Nw*gLRGAwv>dfhOMrJGr_So?E#&5u{sp5N)n#5xLhwtnih4(u6_12p;b7@yX`TFf57a;jc?V7^JrXbn<%a#P+T9 z{GS#44G#GjNzMAaDK#VIN1tvtFV-8t+g|Frc@@#9!b=`?eXS~Vzu*!v-z|*RB`|ck z`d?imbK`+gZ6Y&WRF$Vj&pFu#9$2fK^oTX+t->E*GK8l zCLg7)%)jQpbSpNe3l_w@G#$5>T+=qG5|nehq8_C8#Ave03%0sU{~Qt~GDb|}f@Y}D z(mWNr;it!AZw0;M&mk@m4=o?hGj%!3Uk~E0Jpu;s$uRFc9c;E|-8&3hL!t3^9}|!D zb%K)_{b%3}7mWMRF-=MF3pnh$udgYSQ(HwhAGI)JMcWx{VCw@Cil`Zrz;{+L(Sjv< z4)pitDolK9m<}|+v~ygXyz+Wr)v5XZ*NJYUAlsTgEIC?Pg2V+=KeiO^(tHJ~du1|Y zyI7kiSD~3vQ53ra4Kbc}JrFLODdiuMzZOwY<8)KKCHDtk1r#kyp-ieuJLwbA$oh1d z=~OL0W#Nuy&h?^c_nq2KHY^<^Pu9Ay0Dse8ShxG)z}`eyucbaD(rXGKvy7}Dhd?Y& zb!!l4o}bu_$U6L;jW{@%JgSMl&P$;gbBi$u>J0z3`ry5gdRkEMbp0*CAXq_j_s&zo z@jSI=^irYuO=M;Ka)P3+#)<)jeDiMoW|)0`7~{)IOOb6`o$<|8w^0%bBz4}~=86W~ zZqd2~kqi3C*c=dkLZceCCTNGSZ-;}gar@zJ>%`)Ns7uQqgO+nEst>At+Hxl=cKX** zCbfA^>1!{qmD&&PYK-0()kQlw2wzc#RwCDZ@(PRkyy;z*g^9LrpeL3Wg(n6(xUi^d z^p?-)pgrb|cf-Bk4~pY~7@lu3_N_oy%nLQtzii8AOXjFYAa5)~F{3*a?=@-G58k4- z$6?r|WqTZy1+klWDqmzS3q8+C&KV)5{}hnhjkW4`G$ZR)7zf5oL$@L&9Gk$3Q- z{NLtx$Kl^J5B!IBfEAweILl@s7_{|0(c}?Ze5Tl$U%l 
z(74VNuZrViI0x#FxSb9)2@Kuo4z$6o_)#1`M`(VvlQ}WOw4B$D1%DvE1)Ru)V%7po zzx}n7&mew}|8|34TCI^P{uf4~Qm3EAgLmj{im8`hT-`|3h4XtBV~! z?B8Ge@c-q&9{=?1G@j}-)K>Lp&}pDuNT2kS!%jrudmggDcx(~?*6L+z4ww+r@pBt; zVkbQf=Ryuy zF-~(`DaVtxnCf$O_Q?AE8wFT>1UemmDagx{yMNHII@gytri7_qe4+?sCzzk1K1K@G z+p%4q$Bzvmxp_Ql9nFQFRvZZT9VL7>`nAN1c%`DY&gaeH&w+$6{5fc~77VR`PyUZ& zVO9JWhBu!pD(>nDWKW)L#=nOQTsiI!Gh>Wx7JjODQeG6%#(!aWvrDw12(>jdcRv}O zivI+1O$NVwLO=4jt>)Hy9ZdP;9V_EvhR@xAZNtkL6Mo#|#Z<>L;&=YAxBcp@(|nhv zFpvfiKM#5O1N8)9tk)`fXaa3`Jp7s$@V&VC{O%^1Mzy}afN zyF8CY3MAy@xm6H~oMD4b>>@5X_*)W7W-Cl|LQb6g@Ep`|p`h!j6TbWy*gx4yW0{%W1+B{|O z-+n1BpBn)e{c+}_@n%cjxU0LdECVM{(qF`|F23M zdHi#+J8kZjJajs=pho<1F*8OADM3gW+FCiO&RDUIS0xaLd~c#P zNV0=C>$)Gx&K{az*u8}-JY==pj-K4Y*K7Eh^#nUMd`9TZu)eNVCe4Q zPlm`JPhIzxmBm~~yY3t1lOfN{y)fZjnGt(e*^^?v+YNEj!6T`a^4 zV-G1B_@K`($;W`D6TP`w8B<=ne&3|BZurb)aD?B@V21hWU-of}*%xCHW~An^`|gNV zPcHm5#K`cg9isoBV!xc^pgNv*YnqKr;?{uHXD2sH+xlENo5|zFrx_pQ@LWMy=Q&J3 zot;j!B9$RK>DcRlSiBq3)d4dlbp||dM_?O5t+cgbLbuiKr%J1x*OU3lf@NOkblA}E zH(dz)gi?<>_X5Pik3M>*{rD)TtUa&4a7KWONiljDh19ZM_bkq@JxV*C)IDeLtI3a! zGJ<~fj38HAL=5A*9`nvM&+j#7Mf6LJjemr|JbV*`J<_=zKNo1p9xJSNQq=N9Pki9< zd_B7z>x;4ZBv&jSg(oU`|PDy{PphrsP$te|)|> z&H&f&z-075(Z^+@WXcdz(%%4!9c^B%{a%Ci@sbR+eQ-?;6Gi&UE=h%Lt_lgxd}Wwt06h%W>ahiI5cG_R z@u#lWl9FZmW09Mv7KFF2C!#?k@pq!47msi-b}XebdbqzkjcYco+zvK6p2!L3d}MP810#j` z*YOzMYjt}Ywb#o<140Q)MCVas%87SU=9_V*`DOD0^9Y>VY*V9@EdJ!?qYN(6bD}k7 zZT>;bGe^Cj!U&PLZ8z1&vZ`&Tiahj(nvstvl#hj4kEsb*r+(TGhE1?ch@pghO0pK6 zBm5%JZoO)w3;IjGcNf^d?I{s1I1T6bv+^2-ak6hJ? 
z%MqAt%Uid8EQAu0CWX?oKia3i`&F}e$JnzJLl&i;#MtVu`TmZ{!4x9)Q!v!NG?D+B z98)FBTL05ALx-cfdF_0S@3p7cmkMYa?VVyzSPZSWIZrZJ_zC9WG1apvv^>>&iaWMtP8`v+Bu)CH35tX;nf<1iu%|v(tO=zB}k9ct+qSzjkQK>jhC*yQgmhv zx!0Ci5}aHs^HeUMZn7bRyEAdzSM6bI<-}MOG^{Cc932}PJnH7gD9tAgwEROK*|m?~ z=-y^=4~dxHs`(yY?GXQtKPed2nz#=}xXWi%KLg+n?; z5qble7lekrt@_*7%??TJS*_RHrL@pp zXcxw&7Sj)#wg|me{mSyPp~7Wih<277jN{3J>a=|C`O{|O*h?|_Kf8uuSo;LwT^lXe zRjgJe`nK8X=%n7mX?{0Uc0I@UhD2qSN%vs-WV`}5}i+NX8Z zOxOK?a^32AwVMrFl2YRH81MCcCMs`>bN?(epZfLfZ*|+ix67if>(3wg$Mf27?$=Wh z1!w2iZb@0Y1X$K&>U4bmH;cda+a=4*FYf2}=RV#KjF8WZ?#ug?KC$SltTi@kFU$&NPRvwpspU(>O1LDjzNGd4c>ervt= zz26_dLZ&?n&PBH%4pGAJh5^b$plWY=zfnKH59AqF?p* zEpTHfVJDK{pY>rwz5F?K8=oziAK|wKEqyPh9v`7I40)_K5qovts mX$C4#MvD}1APk)%<>mBf_LnnO0#9WFIo#9L&t;ucLK6VpQ1SQx literal 0 HcmV?d00001 
diff --git a/src/assets/images/magic-transit/mtu-mss/tcp-mss.png b/src/assets/images/magic-transit/mtu-mss/tcp-mss.png new file mode 100644 index 0000000000000000000000000000000000000000..ced1b5da04d11e02b4f4586a1082df530c0df0a1 GIT binary patch literal 82502 zcmeFZXH-*L_b(jvh>8dzAOR@?M-dPRi1c1ndY9fsdhaDD9YRwn(xrE#cY@N3^j@WR zkQyKm?vCd{irL77c$v*rW0&@%xA&*P99k7(M09UjG;OaM z%XIYX6Nji#v2)12V3WC&Up=0lBKT#KvD?tJs_e8e?a+HU?NE!ff^NFZ?&)3ui2M6$ zdKq@>@BgF!ExpNx{gM6FzaKID_?H_PUVuRVa^qia{KJ8NmEj*&0RQ=y8~<|S9}fJh z4F9m=U(@(k8U9sm{3GW^4ee?7y$%JBbG?dd8Ox$W&ZJflWIk2z=I~UvzWS28LCigN zV0duYN{ z)s6PcU9an1?PTIP7<&13>kXmJcewC0xe|MOdqa?`eJRxWYK7#^UheIKe9=2EQ-+?6 z6=-15)HER$bY(c&?O=t3M%?THqw$N?S7RR~Lhq9xiN!N~Xj>^5YM)3@n5FEz98-eW z(PrLEKS%vY;A$Vtln&jce4-;gAQ68YwZlB4?2aHdO5FO4SyR*J-(wT=%OrA_T)JMI z9g&PF|BPG+{Gj9)HSM;VM54?(h{)J1EG)cORf6pO^d)GsrE*{UvOu;zyN`G=m=Wd( zJ*~^=PxCaFa-TgK(-T_zTr>HsnAAip&S7aA?pBIR@53Nq=AQLUGD<5y%!Vx38-yg}ufy5Nrcyo=uC zQ79#mWsGKtWDit=_A>Nv+=1xexvx5d>=bEFE-3MIzpw&GuERtQsv}}DFtI7pVe)`g#31X;8 zMFCn~`$;r}BRGx2j8?YwiEP`8u55!pmz9~6f=UcqL%2!A{E3!_I6s^otdb%*?xdf8 z-W)AtI)22^f*A(X%VKmjRc^+8v+yEi=rDNy;lkNwaq(*pfa6C{xlJ4#lJ)9_hKBK- z2E?pkSDS*8wxYKUu1J?}sPSyQ+eIG(bZq}7omZe47&EBt@o(c)%~w;EDF?ru|L!mG zP?4qee&$WXAMwvGR)@-A`)f2BwT@;boc=^+T7c2*c`?Ml5NX+8?q>QPT<-lO(*sb$ z-UV*iiYEk&T`5V&nHKA-(sQ4CGgmWyVi`L(@+M&H+!KC5?+he9qy?fKf}MEH7upcV zO98|*QOaqL=~)Vwwq?}loum3em+bWinRnB*-D63Z)DEe$8Ndv`o(R|g{)uFBYI2fs zfdI3LpFLcUK^xEf=dDKzac$bpYF#+E(0glHR|$#9?UGfvdiz%N%r0Fk%c;hOG;CT1A}j&3JoZfsyc z(ejZQuY}q6w&2-kh0+#-exdZquC&Lyb9&S2yh77ux}JNjhT9o0KZbDA70S+O#jiw# z54rrgyeciE%x-Jm5uA)wnH&xPjLV`smbExezXWh=G}#Imnm{VPXwx%e6!-8zrkatM z8MbA~CddS1{la|Z9F+46aK*vl;o%~yL&kW7SjMFw4X8|SfgZeZp}Me;S*=)?vTD}d z0_*wVLAQ2~>%vLvTU%R~)030rSoe;EgRrat6lo@dbrTdR@!xk}{@?NO56l|f{IDzq z1p55%M+|TNpSaOW;PXrdQ9?K1Zq_e0TulwnY%-ks0^gl+KDOpN^9>y`Y4bB< zbDGX@RX@mVNV&}9#&R{_7{F|#8LG!!f0FKfx4GOY4Rk$TaHQtDca&%qnJ|Qu7^iel0aSPVv>Ldt@;`2L3RV{ z8?K6Dq1zY&xT^pH;$IN9DC-Dq&Tu9=o=L>Nib@N;{v-B2l8lJuX>U>y;)S9lF1r%m 
zhhut=6k>x61~O?)7E)u(AWb}yK+IFM_K6Y=&41h%as3C>Q?ogg!i>HB%qt<(Yi!_} zU7AaM?Q+O#?i$%htYxj<1j5{NvxOFfuG@y6UGrAfXtmws!t6y)&W+3`Mi-5;%|$N> z+roxs)&C&Fns7ok=nAZsSeL)l!in%XUZzcH%W|vQk4{p$DDMDbqYSI+$Um=>x%Ack zaKytr#vKYoL&YPNvA%^p0Vw56dpKUL^W#6jVlUa+7ClDqJTT5!2Xo13VFAjf2`ONv z5F*)c+{)Kr_6$$m@-}N|JHR39SoUe_e9sV+trNnk%>C<_$81-KfZ2Wk9OE5zwgNk%EEC?dB@)TDzqs-$J{*g=i4%U{CbPYc zq7gBio4~TPEmuFFd6P;;l+`*@Hkod><%by-)GGr}b7x)9`On6h#es3>w^FUAXbU-B z=W2PsBE6_RJW*D6(g28mxdnUiZvb*^I#%`Ext))$-(u!wUwE)&10oEqNcDcZL&6klHsut9!%}N zTr#zb44ekDPM>Ficdvm<+7SgzmG%`u5T&elV`B>29z^b(zHW1?-XvQw-1{>gZ_VhGU^C*|AhG0ngjmt~D%%`Aa96#oT z^z5Znuf8YNJ)cmAgZr#!DAH*p!17NoL-Sg|fJa#Dt11Q)muJkGERNs8V)}3~+m*=q zJ%LRe3A7n#N8dCWn-wToE1Hs|FesP#oY+u#2xCryhXB-=qV<_%b#V9ih6nFe3?(@> zfEHya{TV3=v%gJWMMBf|R{C9w6T-80JYx8LWeuHXN|yC`=S+9rJ)@_I{6c`T>)Kgc zjX9KT_lIMK0c`-tpF5Y;=F+;=uDd$eZm}F8@!WIELXSW5CSA?SHTBjPnc&5~#xrX9 z)6aB!^Jbx;b0#%X&V}Lstw_W4G&r`RX7?oHgA{kd*SYX;Z%Q_+!{M~vjYb}cA)}$J zAu$XejoP$WL!w?0w$a0#^k9`}wJ&>Slgl0JJtj0hM2MkF*o$}9wHO2z4Y}I*Yp{91 zYwN{jjsM4~h46JKc{+3J-Gkj~H*o|92Q1?H0ZS-PY(4Y+a-I8OcZkxEw(=!T4UMdo z7yDxaCG)4VeaN!LU8e1nkg4JZ21%_Dok6u7crOZ}8mxnv&?kz}5Y+5$ym}dagycd{ zXG4DOXjG{_x_k1mPKXkaZDIxIb?{g{)ZnSxrK*Id9Xmst>sFwUpjqU=^f++>)v0$0 zwJd|<%Wu-BOHmWD&pe=G+t@OXWxE3LBfkDg3fvhsbYK0^_ZL?rt^J}FLT%;{nbqrJ z)IA}P4-)G2e2revIRSe6uSf;Y)y{Uq^5@}{Xw&+#FkLCe7jg$fatRdoHswY8iDzCUuPTUTG@mot77z}ZHMwL3f9=jXk*>{Wc7{e&W}RX0qq2pt+Ldd!7Z;^3x4(`JslZID zEJMt}Cw!bFSRr{M0xi$wRQPP^KtwF@)!iLkx&FrhGW z$bUVS0z`6!O*632S%PUmL(F4?X@@cTv=Rf+L~Aqlwhsus=SvlLwDO-3(vg`nN+L>< zF+_tl(C9f5wFlRJ4rE(eywK-Mr^E)+e6I*4I|n1Qsh`cd52PN{9q$C20}r=NHed(k zR6!sp<66`)UarIAhaew(X95HGQ)ppmMJ>++(*?L@o40{)$Fml4d!JRTVp|`9C|;@_ z5N}J$OkG-QIKF&|$ETvAFq}U8LZAkSc14?=DW?81FDDZnrvWubM$|=6l5yl>LC>5! 
zG&ub>+p~8_+5vH-n@qRlWCAmX+)a-kJRm23EMAy#b5ZA7mLWg%Cn>fjCEvZaR#oU> z+Pe3>^B{dxu<|7_bwz2w8K_bSl|g|G9{*ew^erG<9VvpA-sBmQ)i+!} zV4Cq4;Z?1P(r+Y~pT13aP{CpJ-M`fs_F>0J3cz5L*wX<(>j~aD{Us1?2Y{HPqU9i_ ze7R~NXsbH>3RhT@C2ktZ@3m2$lSOQxJ&ELcGUn#$^3Tj5P{ku)ZdQu(x{yVe=X&HL zXvOBQGjS-1ejf-d*HC221R#3lNVfIGZh5AI$Da4PPQFR6Pw=0t=f{~?1DS80gVshS zlzFVaIEgwv7B28YeLh*L+My=q?s01`$f+0&om1L!*`6V~E##rK$0I?eXLhOb)D7W* z7Ur7~Cix@k-7O#&#*AtHLmclR5W|9t(r+;K{-A<{8I*e-6{`^ww!x}&Rb;+BF?$<# zx5BwPJNwc>tobAkU>XSk(xmdf0OEQ}!Pj`neUZf5iWR06lmVmc&+rGhrO2$sTSba2 zp7T=oM50(*0Zmq=pcb4as;ER%c(rw81^Q7k-MbJO!Q+E6b<>_Z!){6-wFwNh(I zFg8J2Xo7?gRj>r`NI&4Je%z5A@T$%p|B$Qvm=swwhL9+X4tLhKDX_)cNl(w%mI|vVgWBcUqy}H8VSbxQ1i@`1bNhF_4L?mLA?9A7n`IR ztpxMdNpqPNYhw-+x2^4mR>(!P!(^H!P5_uMVhbxTPIU&bw&R_+(te1us7m*$(4g)X zHF7=znQaINbSlIPJ=A#`$DPGOuOY~BV`H&v`%+A+x>Q9uEJ4N2^JF~ge~^ZU%cj{T z3p1~=?>#sCE*=7jfi6y!0L&h6x6?cCugP~NVymn#Zy4`uT(Xkz+Y7TP4l0_xILsZ& zBRAv-r_{521c22;Yixvs&fdWp=hT<^^T!r8jK@iEx95V0ltwbG%ex|$o_5m1ugu7$ z+5<=z9H6Klvo4#VqK$}CWZEP-&bdHs#03k6MxRM;As+`#X24Sk&6Nm@3SP=w?#(v~ zl-N1w`9x(IXFM?id~I6%;Iko*Kc~EF8Wtue;ck!PAH;`rf=AdPE!^5NEhnq+p(1F| zNw=QF)_EYf1fdJIGuh=_{BerlKQM3km_!J_@Jjpu-OCDEv1<_eMlB%&b(mW%r|#s# zP$FE2PDk7wXOtVJhMINd6(uXgVBxEr_#WF9b9##6;Gt|?%8^0tCoSBAmpl?+>Ex}c zl#t6)CA~lPwgQpwgA$Ki3L+Gvk}rF2)2_&c$Hg8iyGLYWdAH$cwkryBX5?)FRta*| zZ!R1jgaT_Q-_F!a`Q;uWsN0OI#6%l78?8mtB8|x18}`>DjiXIL2Pn=N`TE6B`X{)$H6+qyL|KUrd8JA?smTr zcA86V6gC`Z;M~J{4*$jUORj~5XfH*{kmndCq^be>_k&_f@KeQ32{np4FVm>`fL><^ zun|_5?QnP7i6w646`jbcod!~g9~r@93|-YLosBQapr_qINvil_n4y3w%5cx*YD%YO z>|>RJ3#d@=K;=>9cFA@uTyVXXI5N@lgH(m*LK5L_;ys%Vskzy@20EMVi%VX^vxM}O z!3@|G-&q=rz6|;iW&4jXs%{ znk*Z0L9L8z<&w~qAdbA~&Sq`A_JvxeM>oX5olV?tHhf%HETgilw5Q1TMwnWTni8OruWT{MOxI%Bf<#pUn%LZ?ySUfti%E=D~k6}lV1C^-MJ=-7z}`z zxp5G-dkihylx&i#-NnR&l4G05(%n;`?n~O3dSrtl^EELT*)^2fYKYP&z?kT~9j#iV z<^<2N%5uL4WpPz@Xx*DlN2bRYB|Z~EAy?t{gH1Gr3=$6*T29WI=fWC_m!*i8c{wd% z9`FfL18tsc=Egx(E>V&Ew-@fHLq_?QaUhjks5a=KZmmHpv8SnBON`dpd)T@x;cm@W z*8aG?6^s)5C^~rq%#X4A$QXVDb#VFC!rGFN7FJVevpWN)cXrwizO2~ErR{fh-po3g 
zUEK)ezvPnoCU98?ZBeM97yyBCKXQmE~fCEB$+e%4bF!1 zL;I@q9Fz$qD7H}a$2&LVifS84QL%SLMNzo#0zfZw&ZC5t6vR~wf6j`kifTon*w!7S zU6ZHo)xY1SBPP})VZ6ERaGllftez#<>s1bJc@@sqb*)<>BH|f;;+(2~eE3fErUvKT zo0rKKz1#^C6B9pnw%}!DyNFFE=at0IJPy5|lb$_;I|#yeD+iYoeF@ebFF)Uqi?{Sgp>nqz;CbT`ha|FCl2XV8n?r(`}i+vtLovqH%F*kBhX&w>)yuG`8QTqJkf z`BrLxETe2Q4OhiRKmi{f;wa#18-tC+RFC}Y1wFohQ*_Kmot<;<#PRH<2ad*wlJ&vA zW^ydKRuuTyEg&O85ma6(v8vBP9y5J3ewbxA$EN%W3sONG|6ud^FtKRreADneXW6uw zHYlnTw@vEuAn;Z5S#~mu`nMC4>##kKu&~cJs1))d*}RMG*b-IXR4<=nm5{*h@4><^ z16Uf%P8*N+oTj{~niX+a>^m6Anr9+3sn#K=S%xyKX~CN5S5tp%1yknhS&pMD`Qb(u z5DxpP;;G8U=JE-mH&{*$QjVr@uP$QSG3_#sS?E@Pq?N=6jm50iMx!jO2=@DT&h2u% zY0a)yV4rWw58k_tooHa36$np21TS^w+$($?(r7*9ZUCeCbsk=rX{EP4d?9!jBiW{Y zq889(*qoPTPckIGxtzM<{3%$wVg&LgEa5&f{PVs4@l#%Iqsf<)ZM(DkA6-v>sQUs_ zx14k|<{4mqC#-nW5JcINY-^j#E-4WJX*@V@P$Xt%wFyNz_sLU-q;=eFJK(FVj4*u! zGoq))a#+G_z>`Uyt{Z!lZO?)f{qn#MQam`lH(7g`b>>`BT*URf4uzmOj&93bv8}Q2 zlBXd*S4`n!2K5v$GEyu8{u;&+PC#75*cP86q=;*HKib%zI)!Ab3gWeMr0$x9YWFys2jIbV7vfO6R146lvv zjc)FBbZ<^&TLCgXKO08GSU<2FD?V5A+?ecMtSQto9DO&m=#YY19Ct}+NEf1TJE6(c zZwJ&YoVrNs!QAP#D-0#Vbu+WpM4;z@_SS5oQU*;V)J(xWxOX&?X!BJ(FS7}v+l0 zv~ty%2Zv-tbfez1m^o8tazHso=Q~D=&B_tG5N6-2eY@l2*9w=Ht@f5}o`w<$IjAxC zm5k{cEuKFLz46p9s`Pu?s?b3v_iE1^t7^yVg9G}7xJPg;-1o*0jUO&^Ui2Oyoa17m zA%2j6*|yOjk_aqIC|4%Dwx*=kT>Wcclh=>+jeHyl)Vo82O~D!tb@H^HP@ifh(73+n zB8LnE!^f(@PcO{98%B8b5v!aw z!QT!G^UT5RC~B$pTPeJPS(lULN}$Cq8y2SP?AB+qE@{Q~4`!z;ne$CRMyOe-8@@IJ z^MubHkHW3iCo!w@`S4q1W;&Xh{3CQpS>dPV$nwvCXGx*9SIae*q+@pk#5k=`D?`>4 zciMPuF?A6iCg82%zwi$3^+b32>+?61+ybbDXDJk)y1-=LJ7^jX#L6bG(c~UYSnc(5 zjkV=7FKeL^?Td&p3)faPDQ<$$q z@KHZuaSmr&ac8{^Mu-8v+eh_AE1z6<27Z*Bo{}0_NLx?GK!)KdyLH#N(vwAhX01gVYoywGCC?3Na-;Uc^QRXDekJDJVw71)Y}*-1*Y5@N z&hG|Q8|buH*f=L9FCxQ2xp&kt#TFkzIiTPXCDu+&+_&q>#%T$y^qM3pKBqmN^s-#9 z)G>2&)6%{m;A(@`>^qb=Ul7gUKp0Ee+h(6-x0G!rho%%?O7K^?b^G|UmEuae(7?=z zvSov=d0T02HMZv{wT2gL>=Dde#>PF{jEpOpLzOVixuIsO*FW>|$#jF-E}i<#zV(yW zd9*<5@9i}?B-u>uskNjv|4#x-CW!FEJ*tX=)n`2`yfoE1$6b0p#XT?D1bshZf~(@{ 
zpKppGV%xHRYnBnbIeYYuzDhSEF;UhINgwL4X8c#E?6rGsuTf!8*yT~*rDkno{$0t| zoXX|i5Xu@BjS9MaqiM%6p;&9a`5dEK&*`)6z81a9^DO)!dt?&dri*m66xf}t?e*U4 z)%6EjbiJRI8!^RnpD2r}DnR@M0zhQcK3Q|xvsVSvUHc=JqO@8WOvfbQdHR6s6N@qq z=`0UaZN0RL^J1!OZ;evEHVHtiRRSM5)!MM%F>;P$B!`DYeTF%M^9$TG*uJU5w zqjTiU=3=Mnru3NU78f&WjI@YBN3Gim(MoUqL`My|u_eUp&-NtTH%6*_YmNV+_LLB6 z>xwZO$ot%&D~GQFSnw&K`UR8w3dr)YId8h1nOaV7t3etzlZfDf{r$?5g}Dn^&lL+O zrM$qUB`k@bGaS{B{)z@>r%axI2Cm%3AGHh*4p`eFs5BoeBFIV0@OdAS+acl8 zlzOMoOZfQVmIIsn)|xBgdrjuX{jj{k@I8c!7yWTUsS7$#3~uZALr~pUsKe9gDanbu z|0DJ6Rrv0Etl-~t^D#j4WTVk6p~to$C#vu$_}DBO(l%Qx7c_@FI9Sx9u7z`WwIT6g zJlTEWd&-EA#z}|oapSwcax=d+OS4wSd?W4I9&g zrW2=j+?B);I5UqZNniBQOSsRcJ4=|5GI_6R4k~YUHXlf-&E;p;R{n9J%6nN%WUv1C zO$)QUb8@mOd+%qgeNZs{x`vs@AaWoET~2aNj~Gm%1xj$fEw<-AwX6s~DpKk@LfV7_DU{ScbMJG_kpwoJN%CK=t+?7Xk1CyfITEU@ zn4|Y4U3?r7=F$^?4@oKL)WqmG{0z_E?_l3Y zV$?%WD^0T}>@=`>lU_k9DAg|iMQ$wi@+?(AhrW15Pe1RKq&8mKHwF4b0zQBKxFN4s z#`8DHz&m)~R9Zl1Kh7H>g3%s>RnSfhjaKiX!TuhU`aF2h*}(O4o&3f615NDFWq`n` zx6SwF)%hunY3tUlGQ*4n9&1f)yAvK!aPu%M_$a$->j~D58JG+Jq2c*{Y`t;LhAISgFVk{&;H@pS{KScA94Z7>nPMT6plRQ`QT=G4hF0dRnRY-hd z2v$vzE;a<*m6o@PSQ&Fzqvdf|+7^xEqLhvA}eE!b2R$TlSo<#w+W4Q2>61A`iDqtf$Vvz3e_{MOSIU zFwuul9H`1UmbJ--3JEP0ysp|_-Ah{C4W+K&ztOtQZPO$Ce z$bj8#g;@fu{?aptj2ry5pHSRZYb6wMqf(GPCz_qz(r#<1z@4pZ+rIJ_7RUSF0g2ZO zG9OnoND-U-dNJ`De)0MBW!JNk`4Lm;MY7SgO$QmuXOG@Qq>z*y$KNlbKR3_iy@BC@ zusV>(7#OTnn`P4Eo2VGyHEKRKeHEMFQr=R@rOO~YckV77*e*9?WWR0?7wD!51yY=L z-MR>pTFe+AcUgdsm8EHbLfya`yGfsn1nXCz!=Q&)JOv380Qd^)I*j~3z1{B^QxwMi z*3GSY;hRr@EIF13LvyNMg|kxfe1d>h)A>^%tH9k7cV%I*`#oFyR&6aoZbR610yvqs zjMO?4Zj&EWuiVjabZzn9WeH>*yoLO4BntlK>`^BR;&}IfdYjiVihc-sJdU-bH6ju= zpRE2;x`q84b&X!@llxv+ch5wDS#Zh9$Hym+w#mL%FSKK6azFiVmm5%mr%&Oe+_&Q~ z_5QzT1f|k20=>rBSgN&CuVPoM_A-bZ2r76M`CJkOuJtYmy&6HRImv0!_oUS%igjFV z#JjPZxNFZv@bt%P_XdK(3I{As<1DDL3Z_1~K=v7siKncM(&w;TpA5Ql$B!E`u1^$N z1!CA=l#~#Ngv3x1svpvHV66u2Mw-5UyaKZr6Hl2rdE2rfi*>i(2z~b;^G4cSP6*cb zhXH^!7Z{U-l0-_v_IjDDcZigD``GKXt&*bCCPLBUGJp>k5x11oEn46 
zApAh4+bo)l2i=YbL&)}R?FA~5-D^;XVb~N%J_UI9I!FC;s*s5)%s~yyMun>Y3;PaW zz>s#Mro#V9FhI3{G>B(Eh!m*U4R~QKy#EnU6X>`0bhOP^;jiaesC|xgQy~^G`nRz{ zVBej6Y5)t}#H`Cl4n0?wIrxE=QNPK}#mPX7QiD>7fI+`<;)&c$7nQ)oCr~OC`uqDm zA#wbV0{~2l{m93GD+&q@*^-`@i-coE!LDX^nN*(g7i`xcFi8RE_pG7`Y-|hN)N3PR zhDH|XOjt{gNxd?T2mAHuGk>%Zs@a6Rc9jzEW@UP-y{F$2qD*_g2P+=?2tFVI$u52O za0!4g#!O>-kPEcIFk0xY@fUK&VR5AY30AxXfqba$wP1Jx0f-+X)RyU60EdZ+%ilHE3Q@)E4t9}bPB}iBYNS2Y*5!KGJEkH`|HUwaOEPn|D z;uokt4A02(^cohYAEjd~1I=i{|6egWHMb{W)@>3Nj74!jD_{~?_NRMvChLOv-_G@-;4gg9sV$5 z{~yQJFnpiKW$wx?A?@8`tJ~BizrJD(zD5cF6=jVYLBn}UzIGc=4#Q0g!qpyZkMNfb z?^7czu^JM>bZAkOuK4#3X*y%oNQL2d|67f|3|s-hUTd(e%>P(6XSb*<4}*_#qPn}- zA87H-y6ndVeg4=LE44l2>}A-J=moS6ndLFs4ZZ~^zrLSF1B2o6Sx|*m*O*7%y~&)O zbj<)ZL2hQlZw3DqM^nuJF*MzbqzTEipeypK_H2Ng2-5|6hLaI>8^CVQ=@i9dw5eYP zZCJr3%OOluTRO|3jg#Z#c8lrD20$I>Hi7CR3>9yw(DvgOKW`4(jL7bQafkv}ws@3KaBHv;yem;gWc&K~nMstHT(;47jhi_sHr`elnw-@b|6_ zFxfqgz1J9#;7Oxr`-4#x!in!|PE-Rkom16)^Ur;sc}c+h0Vwf2(bl3QU*GXjEKjUg zGvsE(KR*Gf0Aa2P5={e(D1y1VI^b#5Y-x0gfw3rNLGu-y=Lg~B6!D=M6Zzln#hGQ@ zmGp;TFdjtv_n?C?8W^qtCgSLG1M>D^ks&AYA1qCG69bb(LnMos{-H&f5DB^Q4 z^lUnp?N8Je@(1PjoDQe@U$g)G2=wGnfGum^=~pFtW=vO4me>fTS7TXkObu2LGEqek zF1AV06=`94H2<=xDXXigF9EZ^SZBRZ6mC|tVN^GJZTqX=53*k){FdUc{Bl`YAS}m;pu4I>!ps6Z`9O4iFy%LXyMZ_@K!&GW^n8q+j zSl9sIgYY{Yls?RrbQbIV6Mq_DFZ}iB5eR2xTTtwjeyb5i*A#97GF4E>GuS%Jq{bSH z20hl5+<*Z^>(G$|j62rv2*U@Z+NxOx(L8sPnfhwl0=u=m7d90j2)1waB|ON&jL{Sc z1W2FvolVVFn=avV&Xc{u;(E;WbcR1}AK7&OYE5gVl}l0;`qjU$$@B2T2=9*D<65Uy zWcR^(u=bpG*5>G^Yt%Xb9%JU~>i*m6Ibx|%zXI*rDP3ABt)><-V|7E;hqBwFq^QV% z@3bjgf4;i{Quq_SCI}gK4yS`?3oLkmwHBA{X&gz3qjwFiWNgGt8O3mi!H<<7`RM^C zTiRW|vcT>{MEB2j9tT=$&!+&2u1(&Z6CmH~c+RhUudxt~vE^aBUp``7t zq6ZW&(ZL3H6kFF!uM4uX`z07tA)y3wLvyCy)$B)1OOoJH?&(3HGI-8B7~ zY5>1|qt10nYw9JdzttWu(W0p4am-VVL7*hbtX28+{?peAxFUEJc;QdAtG{}^uCfNU z|ItODW#1!^VAyYblP*xwI653pwkPiH1> z*zRmSJ2n8(u4OH>SrorZQ+m%{Xi=d_s2rnr9#c|qPDP5|bz_}<8r0tIaKNA@V zFFTB&2%wH8V+i>AlD$(1KH}1OYTr5^db#0d>XVj#w=FC}qTt-EC7yX1p*o95tRXx& 
z-gSl7TdfBZW;>U`NJwX=IQxz$sS~C+V!t@o^(Ii+iB37p9LP9oqNXJskTv)I))k0r zX{m%&j^W-ytKD8JsY_hU$m7xtaSICzGkzu`&+|p<2)c0YG!9g#-g#Q{1p)uBCj7X?|Ano37k&-&C2L1`?}_sz%*a)Ko20rgiWmul!X1 zakamTc!ArO#X}0XmDmL?xsLy1^NRXWw;KD#)9R`Fj`&7T<5Z!^8YE)BF%ym+l_T_Q z-F{JmO25zdcdIq5`kC)hS3KVsk*&R~v z)fz&w-L1ns<-Cuo*i4A%T<){dVb)6rUK6W|SUv7`Q(^qP`1qc%`90?$E$}rHGr-0md|A1NhNw6PuMMnakYJTB)y@w*0HKvV{a1J^bZ*@7wOF@)z)xJ>e{1Gt!p44K*h_b!K=MQTAEoudCckA{%T5s$RE^siLIKE zwRMExk@16XT2!^9zIJ@QYQ{8%cq$WR0CT&|E4RtWF`x`!L3~4*i87Rzhtf9MnVivj zF!WrTKEi*sYBeFIpA53ysabWd6%e}>okvLa3XCrT~f`&;yH*ZI6$qY+S(bOB9k12*^#|_!`^k$@7gU;F+eM z9mmljvuX)ztRn`Ic*-g+wNc*!@$`+GXvByaSfAbfU?ny3B@mBKAEYPqgN;qeMn<0H`95@+ zwv!69O78yn?L$Z+G;_m@1*u`0q*}!&DQIe)UG$zD1o`kgk{h>%eS^5{_71r#-Jx4% zpDklJ8=3avm48s6fX-x9mcDHOj^UAO9!Q5(@VEIH8?mZsOynhe|!u$`mrSSBL`=M z=g2`pB20nVLw;+6r}kq+{$c(2%z-+h_w@z;M5qx9a<845`Y5KV)Y|Qy=&>dmI}oco z-Ao%4WFIfx5X%&J5=+CBxe~dJJHaLu@QCpnY&NGzJSq>UOfH@0=bIbXN!m<3%WI}Q zYRgx3VfoO<2SuH)$vGiqD!%0DUIj@2-VH?81LNJk=1XWD$DeiJz#2zp*PD3O?RXl2 zwnH3QAdq`pDY#>hQQ#d#e@lfrV>d6b$(=Fchwe=adG?c&b|KvjMM%D-3UYxIK0Z5S z;J)8U&o`ZX13}87Juc|I9IYO+qFUz-yo$N|E3qbA=SbfbFp5v2k1GIUl^41=tlr4W zPov)uaOo0$$s)F0x^jyknuu^;+}|@<8{Tyb1iUf-R_GngHICI3sCOU{DdRz}$*>q5 zniF4u2DNYQ znK+97Zn6Na^YR$_XT^J`F=mH9f2`Eu|dGe@7s zso7N&J=n!0tOM%>SnF=fobORz+Ra$S&|54W7q}P-&kBw0*3Dg5GgPyU)7zi)ia^P> zyl4R1)$f$M&nN;rw@UdI=pId{RGI6!CPr;e-KQX4nR2LF8EPDOpR5BNQl+~;c1QK8 zE1JQpkvnw{to1tFhHo3GJm{$mo$l3`ui)EtAFI0xT1y7t77W77$1C4$PQo)>XY~~g zko*zo%mXi;e_YQi4I1#UmhVKs<9Lfo-8V<=!S@c|+31h>`})wXsXjsE)@vXDz$twC z?urBYkn&8Pql4%+OWjs!ZA7CFs5b~AQ?TJBM0AlgC?fGF zG7^4JR`_$;p^w?0W8dZ63o)a9rlWUDJj1do7hin1a?$wh;zB4Zi%ws=`s59Blhr%Y zF;5wE`YJ;`X90L0+g27vGbNFiQdO6iR$(Pw<2jO~XG~8V?er=-FNb90+lO}_x>atK zFFBZcC^$)szFHp8?xV1O;H>&3XQI_JzP9=P7QviCPY+{voh^_z0Cc7OB~uM z8u7_>>$fip?V#+)%5w^JK+?uF1Ovg&Sooah!H-Pc z2g+8(L1B5x^2u=ufIsHXN&W`g5Eh4aeI#Y1hYaW8D`rd*-On2dfG9aN{VA`O(;!e~ zx-1@==#s3hc=!m}ZK=p2wUCrWSbLT$OjcGZ^7rJ41%_t$T~vI3tbjwI=3ys|ZZ zXp*4de6FZ5r=6@lYRTGVHZl5PiYYKLi}E_i87SI=aE*HfeU%A~eymgq1v(`<_a+8y 
zjymE?561%uui_6Q^`Z!!+O^rB2h^d0326U%m~IzaKmY>cjePUv@7H@k(Q)mNr%)*= zO*cBEk>9k7h{)W@<(>$%bCw>CoY{?$<2ae<^H$R=+IdepvSF34(%{8z$qqPf>(yuD zB6xFbZ-dxyo9YyMXYD$jQ48^mK{NlV&Av2hs+EaVDmWaA?mwX6(JA ziKy}dCy~Gapw^GuG%j;qF1fstIArD~9+GOYXwT!(@kI^ihPh3GfQK`KtAb53$!Q#L zw1U%wo0wdmn~FME7Qh4Bi+Rm|x}|8Z0G_dUhh1eQsfr+G`mv5x`*d%OjGM?& zvfs#{t1)XXZay`G4u&{v`|j#D=Fz7!a3iN2jw*TW;7qMrOi5{>dubz&m-+z(W1|s7WhI3g^yoLJamZ>*t+AGE$$dt* zGRnXDUSk=(DUK6WTGm@2%2pN%YFQQv7kO^u4y;xf&Ud=>amp9GUfRtPY6C@1IqfD? zsctfURot##47VV7v}Cf}0w4;W_~;8WQ|06-_+3RQ_bk$MoUvr zD$v;H`22u64Cs9T^}ZWbvEIObHA18PI54pWiP3!0a>#uhX6Z+t26S#3LFP0^$#hNo)APYhA#r*?B*h-gtFo~5HnMgp>*Yn|^7e`irAK*43w;5^=jW~_+RryE=aKua`(6A-S>gfr(I{f@B{EuA9ETJ*_h)$7h+W$js3Azn8|%~M zYpYznRyA!e%|Hb-dTb7^%Xc>N#~1N@;CstqM6iVcBUQx*h4u~F{nY=)~-`32ukJC z=$v2AP649&Lopjh{jIKAr_HpAiV9-#j?*{Mfype&=EfTPJWLVW>jy`wYT2$!QBtqQ zBDfcVuDH!^tgdYz`_b-sk@&oUT%Lz7q8$zBEqUYaRg&~;peKp9=a_>OH_Ls0E1yns z|6Iy^sCk&0`C9iro`h2np1847$UN#lWjGR`iS;D0pc=?ne@WLc->16&*ZR zc$#d{MQk1J)tufTb_fK}f|@tDMmG)qeiHDC!2n)&q`5{K3x}GH&--0;zk8RK1?1?qxN3JTuuT}0f*rVePQgE*oJ zIPET85?Tlm+HDj(fe{@?R9lJE*tajSp&i0s7sL`>VP7|XxR|9(3v{uofvplG5$%y3 zpf-tJ#VZ(Q{nh+wVFyJun?{743|=Ed@INRid5)u^R{z>wrG&5Y}riu_D%2|vhzGK^S~(3&%HPCN#n(8o(m&@Mika1fX*T@SHBqW z5Y{EYffkUJWf;0|EL|+sGbLm=Z-9B?_l`!6=uRVGlg%H8p?C(szPqGLWiCPTk`@1; z?l~-lged@TTLkwcX_`(7Ub%BRcrD3SK!egq4C~Y(2)aiqYqEYGL`LKizIyaP{?^+L zW!ABjMnypQe_y}**|LB7k^<5L_Vl1t{26^TD~2f0nJ-YI`m`d8wXw~|`}ZmKe~$rL zBLt*?x&F631n8dR-&emFa46f}u(EusG;0I#$H%fE6J@4VbI#q&Ri9Yod6qxLaoYhE zI}SRmA>#*uNJa*n*0l-QE-34rG!gy@xWn)So5q^va=iN#0OoMA*~~>_y{W0<#*HWQ`GG$H!n;VFKn!0Hz@i)chd zv!G#nr95(;01C+dhq=n%>jwIyC6*JV)EChWBtduc+SccSGPZ zxvPs3j@pFl)+VcRvp-bQF`+Fs%`yIZl^}wD|3%)UpUHm&G2-8dAmEVJAo!ZJAxGu0Oj|G z=(HdasNZj^aun6?cl|Cr)h0*O0KAkI3E%LMzptk@ZydE;zT;0kIg%>Q+jgJ{pT!7>50J9bT0_;5a`vPBKq(_*Z z{9H+}*>UuEgs0&3zsUN}u%@=>eH;#=ph#0dB1k_9f=cgI5wHUSq97nedhaa+q)HVL zPEb?W*kLuCK1&WX|=Yay;_YkqP9=7{~A5z@LUTlq5u-vWk4)EvhSt=USvCJ&L<>ljc)&vZWV=M48i;tv! 
zpk46#a|1qxco>7|BGG1^NZjnWF+nU zHgn9DX($u8jOph8C!X_u6Yb@?JlbYbglh{X0pz24HCgpuDq!mWUhm>B7X+Rg)e$aG zW>z_SdKyl|I{_-ChAubNT`zR~LVkS#8#q4NjZK&5^JtAfQ$N$zoyaR@8P=_R#B_P{ z-yBRG6nG5J$O5wA{T~p{53K?oRctY1_aN875~rB_w~gw%;|H#Y2d_hmI^Qk4pvkU# zdY1yqAI}={;FkJ<$Y>9}sz*yOa8Ki@79F4hcX5AZ03e7mKc-OV#(_TT10p7Ld8J!LY<3xpc{cuhp-D$e95sWjq7 zd)!LK3%4SA=mW6%>-y;DDU#m3iFzN|m;@AG~>> z=Y+T#cLp7gqasJ&}yvEeAO1B?oGfL4JvUi3o@48~vS*@(P+PX7zODdk3k!*H`47DoP*Q z5@ro-)%A+YPhnv|VMuLNj?9C}qLGC6`%TM9Hd9>{d)=fntI%XWQ%7P80V7EX&f;LO zwAKdDa9{mzsU?Q1S$v~H6g~4D5f9@f_-}pt{bu;x=I}S3H^7D%?MW9D z8mIVd*M8Yb4TubZ)=X(T7H*2;l#{T*~d)-%n6# zp1@dx0j8AH0t}rhS489?s*E7gOayCLsQy`YJnR3Rl%$!larZRY_baiWjfvd+ASq0s z>9SDK6?}hK;Q+1wh1Vc}&LoYi==m%S$m;g|y+?+Z9AK?enqvT0vosf^Kb2!g3xrFc zoett|+|pvF_!+fzrLKFo*+*V%MZZXAid!m?|mPQ&+E zO+xi$6E{S)2%Lk>;jA`btBv_`f0sJwyS%9d_r4mryR!^|sB(f=u^Ip*gXWKl;E4an z^*>$(L>ep^NPtL+dB~vhdAedn1D(IX%76Jos>iKVFf^bQAW;#L{nEjl?Ezo|jUKz6 z|J^O<65B1HjCUnrO?DFfkj-7<`E}op)$qS~mZTjbJp5kgz@aoq*d8RG9@f-(Z%uiw zMV*H-Iy79~<>-$(wF>0@5O1zRlN$#5gx!~REk%Ftknxu3YNW7rP1q1f1)+Bo!pSn2 z%lSK*P=ZF!Qoa)VIi~*prC6z)n%UY(3F$s09fuMFX@9)0!!-ty*~>Dku5?3Jo!|fc zYeqFqep4myjjg@Gv++6*7GAIiG#`b_{(F%^duL5G7zOPdaBu{BV**zs`RoOV*u8|m zE(esm6Gb9{9A>;mw-rj~0P>9=dH)A4AcOv~PcNGy3NK)b-g+)~>>V~_bJKoeXZ)V0 zxwL+%QQR8~$)Ni`%Y;B!er*~@@=B=q+IzKE2yUlTpY(^(aj@>@BO^Zw-GbhU>r9}8 zP>@ofzn2n+m<^Ptjd|tfP2Kjqg8{k^xx^(73T4Z#WV^PFA)6QXO~K?brNIC9F2{Lc z#*x%dUlO9i><~QtADMS!O=V{Z#iJJ_YiLF=pqmgobqhJPi+Szwi_TbkxkGIl=+#i|v(j|EY5-A0w@sF2&eF93b(oYiqDa%${$Huw0 zy>fitc)~vl3!BUmh6F+ClvvF7#8SWX6GOI9k-dItRIw(sug-q5Y$F9m;WgtP@mxsM zWGUoWlFs}!m{~Oz=`i`?z(oHsQ}Fsb)sAX*ZM}&xC2@-5fsaEM7O;_qtX2AuLE!TN zFxaC+_~kXsVt8J|yyW1VhP$L<_Ma<5HBH0sh@70k^|=V|d@oGSVquRXF*K`oRemW` zFucy*E3Hr3B}-l5c*`W%;%SKRF^hM%#$c-~_gDix-sEd5G(tW4a9t53jF5#@kL`x7 zcWX;?Z;hT+9;SMwa=_80s&Z)5P%$1$8!~8U+CvTrd`J>cA7!uQX!R&+m)C?49+dwD zPGWI@-GA<^Oa1YSO^=Q+(1M37-bblW^M8I>!jL0rcwl;vV^WF$y0B}KgY|wr#KNp# zp{G~TJHI{+eVvxTGXZtplAfnU`;>aSzqF~Lv~6s>(33od@}qS4Fea%u>Z4GJ>Ah@| 
zSu%f1cM3&KZv{&e$n$6%4EcCPCE;|fnaT|<-&%LybaizsA4-f3$+QO zaGpkNi+^a17`sTVg%;zp68$E7QI^e#Ds&Q^e~N=qLLu)1vIq}%819^!8%&=hHzV?q}T?*dsj6f_XuN)Mk+YYg8(Clm5msLc4eqn$++1;a9`T3Sa zKSUw2951o4!<>hF03)$Zblcc)rb(dV&}WDEivTap=YIqKiRQxEuNO;(jQ_i1hT=^F z#DQI0*M}HgY$%9;H)M+J(qKO?zl58#H>@qiA$@Gx_8r;{6ld7+TYY2W^9Q+lS*3=A zIYE;cJa6YV%2EzJh@71`aX#6pO*Gw&ep|Mgg3r2e1b4+**_BR;Mm5@#8}|qjYgP`* zoRyyycf0i#i0FH4f~ltZ9tO90+SsIpcKj?1+tpakzJG+M->)n>>wGXNyg8~b3GpT| za3K?*gW%ydf2i&vAQmAr-h}-+FQ+gwYJjev6ggS8ABK$im!Y; z-RdTdO2tXZ*vBf=>R|-ZYV*bx^^F@z6B8THTx;!heP4}Zd)GyCOEw7#cR+vnI|T}- zg2zy1C$ud2pB79L-BC^iTL zL~d%%rDXSf5z+ba-=6eY?kx=R_Omm?Jx!dRmCJ-VnYSc7gk(De2|->hk_59{5*Fzt zK5Y5j9IG#+c|w8w?O!?b-ocMQRY}rE)m3?G;n$+2ncEl;h7p<0zrP6!yJKhGG?A7N z`-ePyPWW!%-sheyGp_Vi{@IjVPXwm;G1Cr)* z& zl7rmZP(ORoZ69}OyZd#+e3xA>?hbV=bunn+*~2(!OJv-5G3quT9C-cV8Dh)alAE=5 zZ?rQXA2EIJSfhtivt(ci6{Ao)-x6lS!G3&jKf>?m7`-I_fvjj+m(duuC-1uO1E!yT zVpPA{G~W=aklgaEEz7v?n|e14gOt~cgtfj2L?o=>VH@#<_fVOH!&pg5-Xe18gR4M;WLeQo>O2o_cMWu+m{@mFf>X z#rj$QPgv`;Ldxm5=6aWOjSpB2IIQFncxISOza|XHyNDWP%-J0**&jK zXMH~~nuIEJaTpEJDJ)l*`brTZQPf{)Op`*eZac0(frhu+tYb>6F%m_^3p~+vKRmVq z1~-va9Nr@HyVbB!W#X)a+>o^8P`t&I;mS(x-3I9bYZE_p7$&ieN7yn%i*+nZnS3=c zGcTxYp>Gf5L#cn}8z^xt#_Xw*Uk>DAb!{f@cG7Y#*1cBt87exuYZ{gA1z8NNVO;or zyJ|z-_Js3gh!BO$;E28#gw)HWya#b_N)P{sPH(0MFl#Jt0H8S-AAlFfVep~>J7||%wFOw> z5Jso;!NfqhNi9Qm^v(BjKlU(ZhTh5TimQw8y&v}28ex?^CqcK@cm21=mbnkz!J5lK zN%g?jt}Km&pH^}i@w~h%8vl6R(IFVx-AxPnNZAwd8C`q)wiA0U_xL57V_&uUPHml* zrlM|@@z!S=o8O~0ZR`2m1j1OzXskq0KrW4d3E^m|S9eMwf+O`p@O-_yn#wel>!JBR$up3m zfaaH{FQ4O7Ke27EIwR{;%1vi2#;yMAx?Y>>F=il}%ZszjlJct-=43QawWdRl z2>0=wTV`JPENC05M>W_Zy{izVD4r}hu5(8Qdu4Xxvsc3(qhSkJr98}^JZqgYN} z_HAjjV+V&rv$>97`C%I)iNs{pW>K2YKF42CH|LKR>x!o7X|7NGXke-lKa|hROE1KV zO_(}vb3`1n6tA}7GQyhK%EynzX$Xdm#Vy!b(&|;Qh{-rRuI6NkWBJUC^uqCjIjr>s z?77+)o669cEWZ+khN~>YiPd2NzigXHyRH38qKJlufGoPPx>6ufBx3hGFk29pzd>~< z{VP$T=w^o$vNo{Ecid2GP@>2jSAs7cki67-Pyd?A9AhKRMi8FIUh$?s1&zv8YDk6@ zsZptRb$0LEtI4p0tCcuC0&~b63XwgcWT@@wK8iWHSd+(rG&AVtfLlaFo+=&HB{$e{ 
zRv6{Ik@@DyD-Kl>UmZ)EnN-lx6y7v8s&RIqw?|g7b;T+(4w7?(nhSl^Y&nds>4TBY z5iAC|S@sd;`swBs2M3n?u%o7zzfe4X^_-Q|yw9!6tKH1*25ygZB!e2l7nNsIt>*-X=XM*$s9~OrV zyE7c3lS31sdKCTQ*)No1RFi^=UE5US$57?t&v|wVu>3JH5=RGsc-#+qRku>yr1D(} zIdSmh;jgxT?Y-Nh^u;`nZ%euv$nmq=|6cY|e+8q*1s}$rUmx;Zx^l(oD6nJW`YIjE z%k&k> zT%QUkRK=ci!CrTW$=YH7y>&Fbc=sXi%Xa94`?ZQcP~j@Ww&{gl8bXPM7mjMZ=NdZ@ zyeTpQEbmM0F#japp5nIp^M|!3U7CEk{kA9nWSyi7=+PaDUIPIG_?<-4{ z+9g!_G&^gJO6Cn2F_!nZF79oHO9ylH7-_Y5EJ9^C5v$>+&Zk$Ef6{D)_POI{!9TBH zY@Cg(%9TK_SU0JTGZi^oZZr6nBrJJEW;H6@XMOfU6Y;ft=9)l?`xnN+ZpY63rQLeJ zx<-7paPx8W1Q2vabN|?qt7(w{QS_!>@F~0JvQ}*@SEjzYC+#^SN>FT?d@$>_q*081 zo`2?)xlLQra45zfW)$gJ-2x*hUAJa^=4a95=Lex-`AOf|TdI0uYpTR$cM=1E4v~oE zJrB1BE|<3asnIHKUm`!yG`z#=zXWDeCK6Xz4t_{CQ?Du*Mh;|}<6dsXz*@12?7MGe!^_mW zmwv$R7(Ge(Mrhx=|5Zh*Omdu8-FmH;EZx_3`#cCVP+ZW-E$kBA-L^fm5nt5eG2@&W z(U)$C_$ZrlY2V|{w$>iJ{c%(^3_}-Qq27&EGQymz zRnOmK2uHJ9Yx|WX%qr6{TELt+#uGujvO{HF^F$eO#^?kBhiJGe)L zFy-Uu84Pr)2O5u>g5evJN;Nf4DNTKq83_@0tTc9$F!pILt!68PEqq-*Dk%oB%j{|- zeoEm|t~jBL1y>`F>8p+zxf$1+sGPr7JC%sa!Q&0;%O73lUw;T?Rjq3&3EKU=utWyo zOZ$Tt9-9o0udBn?VopIQe(lv8h70;`bUY`XunMRAobqt>C3s+?6;qJEV|oAosYIE| z@~0h&v&}b~{IJ!|XCh9KT+9i^rz>&F{)wFPOTf|Y51^!))(c*p_Q7<7^)_GF9gG{& zR`9iLpV#8fVJccb&$flBmnH5dq*oZ7%)RZ9Vy^~i#&h49e%k3-!m{kcM8%1d2h{OA zyr|1@*a`V3$0s@8Yz%7OAU@e4Y+fMTO>G98ZfnoCz3U1%}8LJ=c)VG-2)xOgDp9gxPW(Znu4L(7Ey22 z(`8g}G?2E=a#+;sgQv2BU?l%8@{l<38_qM+V@u9rfZB%|0MnS zWOGL6aOd3`nb16mMpPmf`TmY9lAArl;qKLUv6KgiHzx(nw^njVEal*Ih<@-$=oo4+ zlY-PaUwKr!1f!EPTjf??Pw_BAERm(QU7GoUTh@@aLI-8L&n9q1@uo#T$B#IF%o|#uw#I=M7AP7QDfS zM&FJ)hRINwXatIlgLs&onBDyP>*8->b*8HjQLx|fPkX7Q0)NV>@86Hc*29)O#0<{> zj;rg$y8SZ8y1`DCBxwGTll}};hn%L9Y_dLt?I@qIgg`bxasPNb@_nabv83fZh$d~J zB&rOp!M;eC&>8sP&2feAPtvw4iwcWt8iZjV5*-PZ)k|KDuHW$+h1DwX-lJQ@*@wH0 z%~DEkq!c#edY&Vd#-p31%~yc%D72oHAMTVbaTS`Hef&I3?x`MM;P2ZwZF)E#M{X&Cl^Z#*y90Pt zXR9c{eY1Z%mc9AKu@#`;@BpFLCwbN6%eYPl4#~`}m`_zG_Og?>=BMjNJD&#}*0F|H zT>QFDCbho2>dsY^`BS3^5ny^k7QW_?c8GLZ8nBN_^t=2$?~t&pHlLCHIO_bYoA(Lf 
zr`PSW*9Q>;HwAU$SEHz3o%A;Z6#EV7hdzn{j34)<^rt27h7d}s`7GTSXE*8$ub&^E zH*C&T@>v%ycOM>Ai9Y0ISiFA*e?5>FUVaihv2((@izGT)lTHjZFW76w z@%Wf&7G3-%M_mIxUss|lm;FTVdfx7+2T{}45y|sr{zqK!fWBVSW>k>^i6eRf$$s|i zho#uNSe@H@L8FBO_WI3EWMTm>(c#~AW}`L zVrzGt7<0OuulLUqS~Ik{K?U1Lb?FGK=rGql`@*T?rq1I1!iY*E!vuUO9*ZTMY#kU`YTsvqj_t%z^7xs};7gaQH zsr$dx?ZdM246BzssuDt)_&6ADa_IUVMb*sb-Yo5K!g-3KRYQdSWKL?~W>r{Iv5m~X~EtL0X$ z=vKNf#>kkeFZP2ostAawY<_bcfAy6cO8w80G~mo@_b(#_uDi-AdnDq)C-+ zl`)tK0XPuzyxOe!aKcC)v4t<^%@9Q-Tt^Y(1nBsK@0SqzOVkze#F7Y$J>-;?b(Ek( zg;gBi4Xq-^lBu9E=M`fl$BBH9iTlAL23m8BmhLr*`wPQ6IAG#OYQ8tjH>(^5i6Zyj z1-wZkc{zX)#2Q7_uZN0wUo1adq2$iln%Uo>!1J_0y{K*5_Dj`_ZZsEG;bl$zB!8Ov zseC}p$?xi)o^#y&JlLi1QSanT}J5u*Eie)B8;7a`>3eAJ>)0(!Q?~Z zD&Ng)Znx76`*%U{!P&8=dbx5Jxaf{oUaQkCu6V;YO9|Po z+@~Pli378Z{`WPJM+9PjRPuNK`6y1&yFB5}=dW>HINeWdw#+*Bj^0#^m2(9inRGz6 z$xvZUsJC=y=v$I*_0Ez`vmiIu&5n(FuVdQ1e}nVm$J0!Vk6m@l2mLkQT~;b_Il|^5 zkQ!QA1_m=DiR)?D4X^O+l9GZFR(VmK<^h!cb;j1b`rppv^LhBC15hve&XY)$TNgc7 z5Z_tWy0+-h@TtKtF1n_5t@VZSMMSgcFovNMGRQ3V)ihha3KxUv7-GIkez`k6R3fQ( z7HT)ubg|WOSzSF?*xpBIzp`*F=`kT=^0O$7%7>W2_G4x`4my*6{1WvrM+`Sj-HJt=Ng`~eqm89v!B4J)CQDNK_A{K zMy-zy1&dTVh-h}3t~J(gMW5mMmwC>3p6B==SPQaL*ku2%ie1(+c&D>v2GgjBpZ2R; zxR2|UPOlPR$zk^Bz*7Fiji=H2lH`;BrT?d z>Rt)OsP^Q2yj8+;%LDSh5E_vTzA2fXge%3IJP`EtQBqY7ZCrP|@uV!_-bl`QuUn?#^Y{+%Z@Ow!Hx{oz2D?^s zD!k7}avPjg&U)6ycQu&bRZHP#QlGpJhrX1H<)RQ+pRKp7-U6xR1?9|vH`Ul8D;qo-Vw1-XqR;TYU@U394nd!xGJAA1ikvzam{#WGp%fTbJ+FQv$xcG? 
z@$Q9SA$zz`)sg(n<*JrZsu$;)>;*aEt*rsZ} z{RJkCqO9MnMWq7#2Vu%DxF+m)pGjqSG6A}J`y%8G`U_RA@woHLU@f=rbKm-%EL0pC4@e9D(_H&l}!J+6g#s z?3tJ^)EREm_e8*cDF1VZVtK>V4nA$+QojTuexjdOB6OhMx_A=3|DfWJh!V~2K?5Fg zkaz7`wf#4Xa$CZVy<`RcSurxvN%~7k$eg9@Q~9eobm@6yZxqA0s7&*wR3`f1n(7}4 zL@p-U0n_R(2G}XRXnZL z&J+Uc!V=IfxV32BxPVBKr4QG;JYKe9{bl;` zG2&?e4TP_fJX8QH%M9^<3dGDASt(9;b`H%!5QfC4cr>OuvCP;GFt%!BEW|1{Fv~oi z=2!lSUp<$J+E~W%aLv76I{UN zq*GG&lfg08-01L$H7EFD2PHpH3;JWzF}d6nknclLm<+>H__3R;pT7MtV36rMW^OAq z?v8Y!e4g@C&f%5wSr=3YT2abv0X}n+M^plGZ=96}yhaV-S)X1R_6=$n--`9x%WjqQv36q5P?Iu`u_0r`Ed2lf;sm+ZM~; z0%8-iY+Y_a8IK7GIXqSlvkw=3xW#&FMLzW+xi3ClHd(*dTdYKhjZD)GIvU73dH$3f zHQ;-@InIbI+n+?w?5~#=2}V5aGwG=%w+bK<$BJX1@E`9ryX5sz$r%b{kKRlqy zsDW>pD~^c3OP|JgXEL_iqY>I0+?{`^@bVvEPV;-oHS9#LExX z&^ludl@H0opZL{3gxl9y)Oj_}eQ8U$|Dga{bFygwtVwBGCMm5t+ot)o8r@m-jxA&KBimbC$cZ5$uB46R2Z45 zad+^m!0sn?+v+z%3cZzdV9;I$eNO7QOG>Nj@iw?mV_Yr8O~{AXV?Xok(9ds}{RU7H z$?U~;Hz66PRPsa09GBm9OHOedDK95uK6$^oadoDF?tGjj?%C82z51$JsctLs3NbU1qufbLVp>J4||2kVg?nfG4Q$$V3Sw#_Z^RsnuwZ`?F+4| zNvPt)_oKoZdZ{SevS`KGWc=U>=*Q2>ZndHU$#n)A1co630#1Nq@QMny@#~pUpK^cX zu!JPGodK3Jx-)ihAG10pLzUiSzYv8B0 zKQcCiuFQ0m@o?z79yT<2B0vtgs~kMCEfRcJ#4i0Ch=nh~8RYwXT<7Uw{^7|+S>PXt zL_!%DC6}OIcRp!?uNtV;Zre$6&6#{`6eeLO+zKsFaKe#46SJn4-)h*gdZs&Tb%ygA z8vhsqGU}58aY&v}I(ytVPliESW7B!=2OC4}Dvf>=kX2LH5e0^sSB9?RvX@kPTQHF$ zMV@l|78uoEZd+0M9Nv;o)x$M0T|CW-^f+)tAW8~V^0f_x^TBE3Pf{Fo+ElL^3Ea&L zXC9v1%VEQh))WyFV`@$YeQ(cEH%E_2u31q+G=}mVr&9mVK1VvWS{=v=Th|)Zx7DAd zM}yyd6mAETg+dan=-a#&e%sd*CVk##My5Y9Fj*Owd|r$AcGG3`HWQooLu1<7n|GL~ z{@5t$6z6Tm*1>W*vnHDNy6KN>i44gj&G6qE{Pfv_B%zzXCzx}SF(1kPp2hvN>loTW zFd1goKn6MfD4tAbo^nm6j0>*AniZrt-{7k$b=4@{1r1n-OaoCZWE$geA3jOT7GW|O~ z(YUXjs6J>I5}(&+oNp+2&J73;BTh2VTy|Snu9AuPf_sWstx-Q-Y2sWmnro= ziY+PHd7m91-OE+XH_J?In&W*96Fs*JjPJR%X%~KyQhdRbZT(%NFtzM6qJbrMP3I=h zql5ef>MvSud!H9UxS-}wSq>rLS{Ay^iH}#Bocb-c&eM$ah`h_>r#8OSSKZJ9y>B0nEsuw|Lgtdhijt8Lh4{xgdl-LsSF^+k$PxxiJF@z0euU+AiSR^X2 zUu5@=Ihd-9HTM`0vf*>wm9RrpZ7?9P_Ji(A>M)`uk=wku4H;P{=M4r~8=SswTZS!+d1yxGJZ9f1Ze>RhCS->X#So5EVF 
z+`{OO#B8HAD(BPrGIl9Cl25=8IDRIkCoak$^6?d;@M|lW5jOQ}y?YDCvQB7%cn;Mf|(~&e;yy*e&+45Uw(TdG8;kC zcN$$>%8?IO&iokvtm*Y6u!iz@>gT6}Zq&`vowbyra-N8Vx!bnwrR|T#loQeil$qbC zI4<()J_mj#p*ZQ>elaqI!<996$`H{UmXpgrPZ7hV<%yi+W+UUIiE8-(G9^Y zQk`Zj;MzV}%U5j`fZLs6N~90TEARSD7oywYxh?(%dQ`qzQnSzgXb^RO!>GrIQ!3q? zRm!Qry093z>Rl*n`cY?8Cpliqf9^}Q61LIAea2JZtlOU6=Jy|_efdJFO>I|MjfCp) z7GnaeO~BW3Mp={lQ@L#&wJhjd=i$pBgXGDrGsPxjc4Hg(@FsGCq_4GUk7e1!)}OE! zUY11^u;yIj81-)^j>d$BNCD&Z(3Xm#0|*wf*m*{z1is9UaN1#usCbNMMGD>(r!Eby z=(~iEXL^)!2l^!ET}ROyOtE7dDB@wcPwTr0%}wuM29D^fv~tr-N}ySG8Z z4bz4V!%us7^@?Y(kl$g$WFIpWlF>S}s_5tXXjSC`Sh-BFpcu#>5;f+;6#hegKjy-R zMz%s+RzRMzi!+3|=^o-n1}fg@9}?1=j!GggbkT=AQbgJw+X;|TUG*eu0SR{oTP9XtU(j^$P)w$ zs6=*9$y$vj6EL69Y~*#Mw-J#zQgw&Ikyg`tUVx?5RC@Ea;h5wuNwzPEDIqHN^u z*sN!W&_5#zqjekKsF&3oXK$oPw_o}vL`p-cowfaW%_jLJN~051OLutb;MS1fz^W$M3?DHmt z!lP7)`lZZ9E98LdBjEXg_eQD)j~tRZE06X`EJGhNq0bLJ#ej)&QLrH$|ECdv3-*92 zaRuHirD)FO3{u!1O&t?BqBhP`JG#$N*}!t*CwSoSrTNSIqVU_~>nAqyWAgLKK!-fy(S9aZ?`CY~<6r zom$tfO4p;l^04->lsX`E_f`x0-e6{dX| zjY5TgC3Mfqh9b7Mcq=`Ju3ksh0Le(Eg|y)1ntGKeCDresKZ6yhgg zT(C&pYX|(_nNJhU$<;5$(4xOVK!8Bx2anGwbv)E%GMzt54$=OaQxg;1q?li3G{zOl z*URR9$JeLqzQshw`XHxjZ;N}xac*EW{HZb=F`S~X`%Qcoj8rB)FN8jbD)*D-9HUdU z15yEW)%hj*e#le~ovK|)v&mMCqDt+040-^O;%IDvpXAAvnZ%TpSK}Me45BsccJkgr z(nb<`h>PhiV)g9-)vt~8-Q)c+Y+Ft8nt4O;YQ0MP7k*C?ug@6yc@}d;*%iy$_LLIF zN}%#H_EH{(_fK7Rc)dzSEE*}kG2Sjtt2>9kz)?>Bf6e^q5X5yB|)@rkYgRGI~%^kd!MT(7@MY?fnTMW_2g$7Tl zuv0K<=O^oW#MXw>M|@J=3QKS@!T$dB+dqPZR+u||AkR|Q*Z0N>BD z>8ouiWTg~D8(N|#^5aSr`XemYL153zP3KgS*tzCR~2$$Zlgi6 z)!pZM<%O~D#x^8y1JTH#ZHR@sgN85?G*KPbgWt`e z@98=&|J`-wIXwayXmrXRkQ3 z`&nKDzx-ai>#WE(?2C@~Lv@tF!t?a4??%+A;fh*S7c=N(=&B~m4D#tMRz8W9T=y91 zN`9=+yVJC>^6_Sp-3x)0^k9g8E9mph7|?Kri@|wLDW#XWbqx(-d1HQXg~c`mq#8;; zYYWR-YQz-f4E*vmM)}Nffv54GSRX{GOycc9l1|EETw$55Yec^-U4ZZjDV!=lN9_@D zMV529Jq+`u+QP5;+-*3dyQc<<)axHfmTI%v*Ayss4Y=KO_#Id})nYRcBLw-ERr6}4w!I_H1)aKk`Ba&OMg6t_UE6Y0A^8GyH~pK~9!K(la@lXTsZDI{#^7 zq|yjmzR&#m?6C0OX;~SVS$R@O_G^_?4nAG=EkgFpE0wb*W_fiP^vX@JJ)Zo`3H#$W 
z9S?F~5C1gha?X;<`j8Cnsw>nEo9WkY3?`b@4W%7K;cm~#ikdM!Id#` zEi&qlI94@vB6!|%>FS`^g)>U6l(>AY_#@l6Ve%DGL)(|B^o%r!UH3m zYK@bf1uacVwKwVl>+u2dxlCx2V*(ql`#Qyk!2Jz1RtUOt-{+_Oqm$>;PTy_O^cD3M zAH}JKwZp2T0kZ>n@JA*M!k7Nboriitq^hI{u`~P=v>Z5 zXbnAul$|SC$XqQ@-jZ*!;>rJ?r4Uq*uX)(<(iX+CnlkJHUpDnwkOZ=A`?x!KCG^?pw3u zULzP>R2Z6rjbU&cyy?$qpw{9X_;9kLUxX9u4O=hKqXzSN-@*b8CK=d))dKKo8N+!6 zDl$~Y4IX`76zDTZDQv|vYAT5!3SrtV9{P;I*7^FrYpIuSGVZpU_ZHqcElg{6_K7M@ zD&)4k&$8#)HY<5+ccg&%c$6eq!XnwfX7SI#JoA{AQLoPyI_t10rv`BcSvs&s@o;%o zpv~tw@G^YC>mm6+xFT7)>p4TfBHctqPD}dVa1&FUVQSAy6+#xUf?O5?`>}eP7ZDwZ zg3hZ4oGndK>g`GvapyEo_)RVPg-QmR?zaWTa$}4qX{{tr z(@pn3hto#!n##m=>MH~F1vA#?R?-vfO%1pI_C^hkbg4yFvB{n_`4CYp8mhNtgL^+< zd)MSqrTv_<-Y67|Qb=!FOEnGo$t3Z&!|V-61?nCYJ063=+hm}u z#O0nqe(i6ZA!s992wR%yHOHws#fF(JH+_>?SH{-WD+-*#AK6mu~S;lsGZizHh>kGH21Lf0g?D>0q$Xv!%GN9C!d$;18FN|b|@jCC9fj#Y&6UU}nC+HNPF zljRXOTZdL~ui`4AmEGZ8wP;C^iZS z1qZJzR&kTF-;l$u|Df@2Y21LDq?crKXf)dzD2d812I35pZ5kg5})CZ7I$_;L`MO8d-@g9nktbCi4Hy2r^X6f{Pog8K8uxL6pAj;ZPy8wyc86f8X}Cj=^@kex_79-Q8rs3d<&I zS^PFrkkv?Wis00m_@1otY0s|-c&|-@XfR(jNIGUK_eXRW!a${#vGb#!p|w|ICSGIn zw{ng(4@VZas$sESGjgoivwQwKQFgVMZmAUg(;?=1?R14`T_zjgZIdyRa6Pn}R+oFD zK}~1ehHcBE9!Ikcbo)U6!&}{Qspmi6|F9NdyXpbKR(KA7`UHPMf$yh;#Di`!$fD)K zlL}_cKlTd$5d0eVY{?<*kp%|R^>a#7*cu57c$|C>jl~(ca++Ho^mE?vRdi@W@c$lWMgbA`qo`5v_d74v#^xaY!a#`D4N@lYIcBrkjYlp~Zs3O^tKYUYJo) z!7{1CLCRL7F8NRL(BaT)cUB&sP&RH^w4jQmgh%s4SNF3*gv^FEXG4Wjl1umuLAeP% zYA`plSUxb6>gVCg7FG%FJ~s3Bnt2PGHHAC4IJ+SOKN#tZ7rZakV^tu7yS=4^|?+;Et-SikK=$|xc9F5*!f z_o+ERw4d^@ufXVzu|l-D0Z7(eV|v2W>4}+_-OTM%p90=zl5{dV=DpDa?rA1skui44 zL@RU3lIhnTepvVv2NCL9q#DKY8hNrTxs_rS7gLJB(cm2p`)DxxeTpa+;^wC8`w<^` z*zt(_sE)2%W7=Lle?5Gc_(-976_LC(;6t?4yuM2Qp+|S1Zi2)a#t{eR@3fGMA1cxh ztKvsfhgeQy#{$|WLxnC8;+KNY`xkwymNJf95z%HD5|##|0vfCBC+{V@ZS*$;o$I-+ zV^=jweUA244eF)={Zaz9(3-vz*i$_C5+jJ2RTp8Ki&}C!=^$UJ6W!kNj#bfiOzE`> zgfIWT>2YvVDLbRvkT_!YT#2Ph9qvg*GB4-qB8J` z4LYe}oz|WGVw@$wkB|^kR7oj7OeSqAKQa#{eBRDwye^cKKjwMJn{LCbPISP4S+0{{ z*32YRcV1~}jZ43DSI(2vB=<3uh)a_z3fS6`aRPmaB>@a&5p*P=U??Ao_L*Rw{xa5n 
zyzS@k8()Oh0?m^R9}x+i%;!1U`CgxGyKWBUv4x-KiaZ%ay`eJwiEGinED-*BzEM}g zR-=lBHN`;9Ja}=e*!$iNekgO4&3*WLJ1T}e!YAfQYD+CrpQ)2G?7|adV5#ar0_N+I zIQiasu}8gPjCb^fYo`Yj2TxH!%6~N|;(e&hrm@b}8k`FS6%5RyPk29&fl606wC>x~ zp5bxwa9s0l&JrT4ezw{Kx-Z%H?8ecwy393eZQy0W^&8YRSC93AwSupo)&3Cbw9t7q z6imag5LahhYrSI3MVIl5@hmQP*Qgv6wDnW2n_aj>t)UWm$C)cKFI_8)K18cXNHwRk zXry0s@$Gq2^jML;`!!iJ2Dh^{_LG!1Xwg2~A4|V%vp%DvZKCuTx;*MmB#yl5sJ6xv zvSwt9Pyb66CRBjxRK}}kcp34#PCw3=OTtXAdC$+s}vj;vfz ze;`i@VGLzCDTSB0zIGoP`Al(#gg8LZfHFPF&IYx}cI01^wX>YzjHsu3{VlY3(Ek)w z@Y!qa*MsI5Wg;`}`m~Q0lq&_4XbVQP8>FzGpU6%dt7z$e$?O3i#m}bu6TA9w-%nHr#?VxPQaU4|^NV^&n>DNk8sp21z96qKR^9j~%0AxpDX_L1yAhiApq%VzI z{Jnhssc|?WO&C$xTfThfa*V`_mY3oZOi(MRiS+-+)LX|j{eJJ`LtlUnCa54V(gZ!LYWJ-6NJUKdy%vdl8AQeB+{0^))U;PC8+X z==h#f``bZ0HdV+w|6Y>4cyGw@6emR;#xuW3V(fBLhUwtQpb2Ye^t09m(N*!6%@TX; zs!@t3ol-@c=qG@NZK04XPgD`9!CnAza z?6Tmww?6iSU1V(UL3?635$k7qGg}FZIg$PW)3GpKzrSNt()Czv)oEe0nY^JpK~?;A z-m{NO>5IJPj4cJNBCDNUjLAp-N$a&~UZtfbj1_E0{`X3|)~dJS%Eax0x`Nnm)$xb+ ze>-D8^7NeI%vYaWRG!)eQH}$h*(k+agwj||Xg+!YA(Z@jQUm*zgqP)>F()4cy^uTH zwF(z<7v54fXm6*0_`>Mb=0ZVjhqmzlhb?bx%uyG=!u_Taq7)RK=ehB6i9ejZ@#U2+ zHR-r(5gEQY<{=4wsbu%Sm!4>Y3rfXZqnfCl_OVszvGHxL$FHM4A;#j&ormn~(gHA%*`G4?& zHbjkOHWbj=D~95;EP(H*v!4=QDlunmj48RakEXOd_(L>jlicA!o@>%zG}UNcs0IND z@_>%Up4#8oB-(n3)aE2WNDk!fZI{Uf{DgUM29c=)R=ybhZ;r=OcS6HwoNUDT3zYBJ zDwgESXjnBl-@9Bnoo7)K!b=P2Y@VO4*VI>K;O86U(LqfNgnp5#0T?^4 z-nE|@9j_yOZfk+l!OfhSR}n9uQpX)dx(t^Tcn1gw>O+Qn>QqYQ=VBiEt{ziC#S8JG zi-WXAvCRC7%KQn1lL_kS`+VFDTOVinLVqqv8(0ww(>2;tqA5i-{zZPD^M@z zd(z=N=Qvja8;Y#R2TRkHt>qhcORS~-;I3g7HZby{w=%b|BiGz;A;HaVNyc`{TWTef zxxa}5S9o9mSWB|#mXF@VJfHT4s2(NQh@Em4ZlHMaU&cYcB2~-3^#qsnyA?&Ic)5Nz z>ap}0h?jjAdC=MO!bt$^I|VHh0&8d48+CqwrZ8^i6Ddx%?_|LS0vFL*3vUu_k+# z9&ssHP`DH;ZKiDGU%?aegAfWEWJboU7&Wj-ZU3FOxcdU*LMEFz9|E$D|oV=&CR(?z)cu5V@2432{RA)5`mm zC+boQ{zEG=D9ZiCOEQ@15Edi*9b~dV^E3Ii1u&(Fhp746hxycrKmtU@QGHasedt&9 zviTmU*QcpUrP}(w<`x2V?*1VBALArLA`?&83y>u|nXE4|$Pu6z5I|TB1mP*8INxY^ z+Ia6_Kks=OO1t0Rn(h?3WJ+T?_uj%1R_Sb+61;Mf`-k~o<(#erm-1R` 
zIx*C$p4zSG;}hwm{h$hk?2Jb1ZgVoZ4C-|TqHPP# zHE4}g(bVa#Z9e({ig%6VCemej+%3C1Pw9oXAEC`;_w{VfeX+Tyah5~OkWEU)E`^G| zWw?~rS%jK*?t>84jP@H6$uKT))Zz8-C{d6Bef1%rQvlP9h~B`*>4LoIDI{Xy8gfA6 z=6ic%;TmtH*~O-nD{oPD`6E6(vv!1cGppHb@BzHpEe(`O^Su}V3lQg&{oGu2&MAI~ z-1dL95+4(B9W$#)C1}J^%az|U@hWcoV zHX`cspU7O2GJ~peQ9EH6?p$JMIY(8{mQw#c;>(&dhstO;BS8WrYLH-g(6EAZkBte6 zA7=susy(pqxSoX(}PqOEFe$2npo3yQ{{G;{j+8eK8254@kaA8k7Fq>R)UAZQ{{q-~_&UPNu;aFjD*Pl@2n<{W%~; z(fAdSGi0n~ejQVG72FWesGO0TAsv+7W=EZS>T~sGimMdQjK2veWc>^byhvkT9R79P z*hv+opnQuj;(gbjvV(2h3(6v zK22OY%52pVhq`y2>IS-WKXm5*?ok@Zo%?V#*|eVc14t?3?SnBYiw3lQ=pblzE2#d- z8EYDgwQU@44(zq;;t9tbwd%VV5Ihg92Nx;>UqWW@6#V~ z9VVwNBJ>|GaTLLY6r@Awo_M@7?-QtP>00&gpY%qJT&O=NXZ0i)N*;8mNhW%@Y)pKg zn&rZ%dM5}v$Svb-=3{axl~5*NH`nFZ{Ol=wd=4-e(T_#{DA&3QOWP|C`L$mlrm2t2 zNM^etixDCb2D>%lNcl|D)xTOuI*6RMm*$Lc+jw*cr68z5G>Wi7d^=%FT_u+Mbxnm< zpB=>2M@3*Y`_WoeE^JV{D}nSt;rw)VoHVn`GKx z7g5KY_Nos4SBvre19bSm#XAdV*2@3^ETks36sYxV+q7nHtaoT%4?nr#4xjbfkpc1K z9y^m6D2zP9*EtMNZI`(7UjBDusJ$;Ye+z^tFu{SiLXXHV`#g+4_(s(6JXCVKNJkfs z^|MQHME8RxMI`-2NMy0W^02KDZ#`k53X1< zIt+KSh{dE{1_Ix-Z<`M$*8Cq{2$Ln}qx-oGH3EmFNGc>a%F&at#yM}K0ap}yYG&n+}XD7_`z-pYPU7I<^g>HfFbo_S9E z7G1QJRLJgCwGO`1$ZfT}=$nOT4L5G#33F=i-ZM*XK^~pEv=D-}I#o?COb>r-|9CY5 zb)+#!-1gpP`|xr=SnFaF@>fsgi9bQED^?VeUet?Acvi7NouXtCS;atIPSWD}|E*RY zE@J`qhJ5F!r=%O*HToYsTTi^ppK(U%3f-0A-7h0~GqU0K$l2}`OsG2zCzo0JPlcNZ z#yR7-MBscVQ*TsYObF!p;#;y=1YW8=zE8&|X$)bTNr{o71viE`P^ALz)>jQ^mCJ$J z-Ykcs1BJt17Q<>{vNHFDkV8FqsNJVTAjYq@E@ETHOq33t=$+`kGymfIg+N08&4wiT zWSy()wkMIFfsZj`fqQvIMzbNh$z83)FMi5Y#MF`*!ol)S&Wm=P33FcSx@}wriW356 z*fFZk6Fh5cp8Qwmv7p>mAMJ*)%fXx{3yz%>*|!zwMc!l_>KNE^nW{QgjG$n6-V1); z?;h+|>>RQGAo}d(#P%JGswVmt-coCsirLu5_HMODIr+ zpdvDuM_0Ih(uRTwR~PxtW!H?P=C57M7;0|$XuEO`=#3!end<~vrOxI+`xl?RcV?IJ@7YoTjCc| z*IzM-m<$oPPcLF6XW(~BWN#IEW!XLNfvnHi;{uBV2($3bgULyDzmnEezdJJW=Oz?E zEh$I%pPxp9X6mKQ_M-Q#Q^@-G(mUB_?4sV=Eq+->R8*=AZ*&UA7$hS30w~CpO4pxg zZ((t_tA_%>`wr@CUDHkc~MKuF0-!la}`Nco6r6oPl=&Xem{Yh`YS4 z;Pg66I=vkJu2PK1s#g9rXzVNnVNi 
zPJVYzTRNZnrQO)1;$WSa(bWjo3ZI{l=JwZ3K{^HW;Cj4pvwb8WL;J2;h6D{<1{$>is*`>)@iv1KE`SFTEVK%NIP?Uui6fdxg4HLa9WVp$t@ zbnEm2#fi_6YU6)vtiwmlbr|ZK&NqkFIkMH>^T(J=7UWlo)?;qp2$;ll7ZOioy-%oz zx{LXJILp%btA0Wt&;Fru8OOsf7t4WMW4;roLeg{=P)dFrV6W}BeXdKZ=-_Kr#G5R5 z!zrkyC440=&3psbGPRlkzjl8`Py=j~Cu>a~PeF_rGCQiIYcab3y<(lGD#f2=2Kf&X zBf_2RM)FxKpk$&4xJ&byyHYHTrFSkV&fG?1gp|C)MqOz^l!XD;%#PM$^)Z|8USmPM z<;JBGv89AChG2e>Dv>c27>p6TSC6{?3!UF3EG`pP6}b=Zr)XzLA!%P}U0vS6c&qIj z%;IrxJ6ny_C8z9;Jf*Yo3yT}_l@Ce|qatU!L}p}bTmWj&@tk=C=KP*QZn?%LW7*DI z{&SHLViga_g5&l_KZ>CYa}**WLdahT^~mbi{;h!*weRE&V%r&Mx3rsjB!Hv9{Y9PC z%~+A5Jyx&~o}$#5Ek!Ob>KAHdkp0q}5Fe08Oe-&+A`aW!>f--hU zNC3wP0tBIsIZ-}9mX{|3qD<1k%$cIe#~CuNbX<8g~!rw^RAXO-qZjc)@T`^ ze0H9M1KVJRK=`47qT z>r;Qxz~9#|I~Rj~3n&iz-0fn0?kp=Y3{@S=;ATmvOuZ~Z$k#t%vBp0T!-E+1sOT-Y zAR9PlI4M7cjz;_a8ui~d1@(Rm2*hzXdd;(JOV;vtJQ z9HjN9VVC0(l9#Rp@sk5eex>DD)p`3?MUwv(=jz?AiscRW4`|UVqkzNjVnn@^=0s8c z&Y_nd_W`Z%K$f(jMV2|Wuzw@1!qLz^6q{_ps;aJk)%uW>MVc{YqWnG$kj5D&=RUUV zUloUP#$r6R99Dl83B1kOKC|BH%Vi3iZZu#c~M8w=SQm$Ek=R` z^rAl7kDI#B| zi(w+4!UvtUqMx3~%%UNJnA_v_^NspN?;$oRl$nvdylq(+iK;jG}?l@)o z_%GL1-;?lK^S9iOnSGL~uee%W#5xY;YNTpS#$$#kvV45FIB24QKyo6XXV%}JdZEtMKtg2A|UKj#;YGc2j z5J=Vky+lV4xRPqNB;RKhfRZFhBWviqcvDn(tJZ)^YHQhz6rAiw>3!=4ufO%2q%pJ` z9U-8%I1^MQC)SDuEimd8ADmwYITi|eyISrZrVb~=`Ko@}^{yR|Un%9Ku~#WDEx!e% znCrp4%;+<6f(EkL-eo~9Q#Cw=_fDiVGmmpHfAIo;NSq)^{KT(L;2ojzDC zk$L_sNk#_e=^MOv_|HV(Q@sLsP7bPnLW(qlM#e&k7LbVA0aY!j*7I8&eTKGrYn{fl zluaa$N#>`-g|cT$GiyASK!jCB*=*|H2Wv zVa>AaL#~kK-ynZ0BL&7O;#?C`mSpQj^7eokedMcj6urCS6XXvoUO95AU>Nj9>5=E9o1f#O)99h0yJbI<8^uwZE*z@tkxtY~XXM5KodrH;Dw7U& z>WBmar33?%(7>{ScQKyOQ6QSBeC46d1bE4&_I`o4we}lXC=%;NQE_9OR0)I&iur z&wT5($djLjlkIN7_91@~}usvH+idq`%pBpWd+M z$iJiWst!26&yKlC2ma+H*{L5q26ni9lsn}Ut1{0jxnG)^iDv#9}(+dRpri|O#)+^z4n z#}#vOC}j(2owE%-Oew=6V(O1@ePh;q-N+Af>k zS6yia%o(d(Kf3oe4Hhb-P6?6w@h?sme`Q{yvV{EriDE18LDnZNq}a2%?M7Z%B{rmz zokKR~pbFH~t_N2>;=kJpD~%mWQK2UV41hxR!ZiSsLZfLCZoZT0YNZhl&9)J!v$jO( zxQG<uw!S#me~3zouZx5P+6Y_yN55pIPKR9Dv__|F7Y{)%EZgq 
zl&`;wE5RFy0!*Qs&$afYr=7~U1KsPiZD3&g+StgIb5$g*DCSmZIVy)IF{n zdk5xmC1Yu-BA1kBs(yx^VZx}>q%H#gv0}AcOK-F1@zF|dYo%3@sJEr=ESqZ0$h=y~ zgA&cLm;z@1q@#N*oY5lLC(+Wld+iA){?=o&_Z!ZqyqlAa$M5?(chq6&Ka&+_#N7Y% zUAKRwI7R!58nbJ4$*W_1&@V{g9}u0F8xS0v5b6VFSIY{SQZYxdo#=I|GCxads{C*b zvFgdFx>Vw0mOhVH1qHPmbV;5@D%A;q=MKyCRm}xR_EV&Sj(99`b)Pd-CH&cpR^-aS z#}c?uYsR$(0x{N`cJ5Gm%a&s!C!1gp#3;chq2%MbjLsaIK211h{No zJb|H{VK0{P*9wWPbk{Wb@m1QtD*0Pl^Pf%-UmbCT%)!j0N_*D^_Rm^V;(zhHnQ`U% zp-RJ7n!JoZ`El#r&EP9W!}g+nZx-h3bne8B%XH(sw>CZ>vn08Bp{iS5;OStWHUHCP zr!xRsOCrlQecQRb@LtE=@3oYIbU%AwN91?Co_WLNy7ct)J}8=+0y_lwKr<2aY9$)W z(CmS;s~^zy#LYvGH~h7r;M&!Hj`>%sANIBbv8Yx;lGm~-ge73|)oW^ULAths?g@*r zg6(DkzI5U9!kwmue|8y`7HW~D(8USLGDWoUb_$at#Epi|bm?*_A|o$jb-Vq&5~ ze6DBHVsy39iT(QeE5fSb`G#O+HqYk8&ZKysI-WZie5#pp#x3)Le`Yt9Yc}9S6LxH zoK|j5V4t9e`H(Wbg3+c(>h+z;{~oy1V!av=_idz73ra3ci2*sxT6OdO@!@{!4*mpX zB>;b{9-v;I@dD>JU3rhHOZ})O#R5w+qnkn*Z>81uPQvo@B+p4X#jV^7 z0vO27ED;$9bzbT!GjERzrhw7aRpJKqKSs-6;WPN`#$?)J=0Ff|UhJ3`0z)RBSDhQx z=5+)kmg4e&ddk(lsN5F6w~b|2ZS8pm=5uX-#)*4)W(_T{Of)j6C$c-Zcvs+##ae!_Qg6HZe+SD26LhP-eg zdyyxOE5zZbvsb7#@P01*byyrB6N_i||2Vb&YW1tD9b>Ww%X^6n=))0k)Cctan-xbF z5O{%aZLvH6qjs>Yjd1ibh$GN*nC&NO}AQh zWa(Z8gPHJzDF6EX1rvg1(VP;Dfxab2c(jnc^D!(|>1ymG1#y*MXJ*rAB}w4z@H4HkSH-W_jOgN zlY1g3p!d%f&I{@;Tf9*<6qVYweGBy8ug@^X98ull*tSYh)-%8%<_5k;ti^1oLJ`KJCa_YFZ& zz-HO;ZVPPr3WdDXZH^iEBu~H$e7Q#d%GUCSgMx?RrVbg&tlc^I;~k{Wg<&|uY;ds>v)8A-S8g^5dSN+ z8AS%!=3%E-qq>>Xmkr>2uQ}2#l>!n|}Y^Lwt{?K~^pJ@jm-I^^sO(FS-zoEyASBasH z;+@(??yp`M@dg14kLL8XeC|NmH(;2akUj_*72#L(Le8+E%4fdjA>KQ%);3%atEYN; z|A$3qV&M|h@L=es-7~%Jn@{3~H)om(P$+IDm8}qkV>)rByA~=#FR|$Tz0XQW@mkEm ze&*mK6MA%ZcfV!chlf4I%{6z(pBOA$6f5GQ&fG`i4b$cpod?uGq#qJdYv063Ily_R z)-M-04h!PC8Ol}lqTG{Qj>ko-=F*q+vNG5A_#`n$R$ka`VaICEHdZpYG`^>@n||8bh$A>o4_sVMMU~y!&HE=T zO|^!azJvYgCdD;TyWt+(IQgxOp|TybG+%Nq)@R0q`peopOH>Y;)D*es zzi`PCJBj}7>NYp-W#xlt`zf2kh9PGR98?{b=`E+QFFJD`y8LzQ7CPI0n@t@nAq8e9 z{uYRk?Mav4xt%j(SQl4-dx^#G$DX-*Li;AK_KW-&7+m7+dD6WXs#PkLqL|p#$?TeT 
zR!*YK)KVY!T_XeI0tyJNgMK`RwWJ;gNdy{-dCU*aczw(Eq~A-fK=FX0UNXzt2S(uc zs=*l0l2n@8ipxsSE+!<6VY6RoV`W_vav_@Bza0bAT1@WI-)TdH%KEZ14eN(!O{|3|l~ zs4`xZG7`Jre;28X4dqgY%6K%<*gW5Wx981NRlGlJetTIl{#!s`h=GWhn7cRYO;8bi z=F$0C@cO+X6ubCnOFBmgd=1aso~Kb?K4yH_RAV%%26V==A?|vP!54VduU>Y#3c(f| z;4Uz*ILV(0z8q+!9|$Mry$aHI$8KkCw5GczNxD1eq&Kc}lHV$ocBq0n0@I8`QYo8* zp$p%NN6xFqw8)}|40?#R>xSm%-IHt6u&~^)y|-ih4z=Yab#*dTyz;e6QE7_<_p+SR zEAT83lAc23?f+*d61lttoFex6I_~6xq}s9ToEGp5L^ocBKVAWf(-aT8@q}t6mk~yQ z!Fu%f(R~$?3ZtJ661J^0XDuHC&<9-`qwk5K(0ke! zoEpfn68E6I2eRt)tmD&$#*Uwxo~-7(Vs;(;dbcpPj;`lam&!RcAGWZ&A!yA2dilNi zMvU&uy7O3`>sIPrs6(Y|UuMPMH-S8pgxPQAe@nD}-%neZpeTqh2XS?`t{l@|lXl#y zm4-EBcf3i1{c%o@y)(1B|LCCGx1z|arkfNN)5p2OGUQs2rsqvSr>+Z5G8UNYMHfSpM%Mo6Io95 zH-xrynl`o3n|z96sP64;N>)1Ym$1LM&xKw=R{oy*p+xuDDV_z%qPN%}kY zDhcC21^HQ;1rNn*v(lV|*Gxp0#3|(dCi}Yr{fg6b4749$Muq$cTHW~Vo9=sh2DIg$ z-deME@wFCz983MWp&~g#(ce+gli@;7CWVOHzP9YeUds3sCr*s@8MmGZ=#}6sa9mif9--YUe(c{++^~fMYZBxt_wkU2MkF71@ zwhJ|@TTU)>s;z0izG_^WI>`~#C^+g@0h3Q#ogj{K$|G;pE~)m^eF_N)aVR2WuoIWE z^5SL<>tx(}zdX3oQd8eF$Z5EF77`8^V#)1~Jk)L3UG=qQq<0e@ZNu1VZEWCLetKU* zr-dd+^YHhRhB^HU%-jLoR0qsuJjv4vWHxPuv~MVgE}fm7(s4`hzmg_o@3{J>jRz?E zL`wIcUiWfbzRGnj-HGp9x+})H!p{Fe42Q{T2IAeAV_|jRpnp>c4A`n_>WogHtQzJh zgAY99I;F5lfsigrn1gIhOhn%H%tWX>Qu$aqk-7QcVZ4BTEv0l#q&Ba(g);y(xRYS_}beEe4T$Tl=vx zxMYj`?4K5PcSgwWqkrTJBeU!^k7H&^YWl~pRrCOpL5y7F23np%q(vvDiCN9#U?#LC zHLte@#U;Li67|TtFAi16nGN*!Vf0_V{+Lz{>z(&Pyh^xjsQM^~&1>B-j_OXBY=6eI z;%6?CPd=EFUbo!7V5&k7>#@>F6yr?!RIhWeX5#^mD&2>!T$R{6IWA-zd~}UK=T}Ac zjU)@0x3<02@ozTN{BrO572C|v8zBw3OOhAnIfXx1C!oRw2|{NfpW4#gz5+b~t>gdQ z#~{ClPrHU<@V3~&KE?UPjsy(ys(j=&(n-N2f@AVA^h4qMnmn&w{gdu@3S?&)nl~LP z%188hn|^C)$jehPywC{vC0Q@~a+W6RK#|ueBR!bvtyO(xIO8M%?Q^(2Uw#-we<)sv z&hTC9GEVXTW^{T=Lm)qkJnKhH>t>tyeFQy5ZHJQVN6p_4a28@^-JZ<~rf=h7Z7-*l za1v^DQc^zO5>yet?Qs$**}36=6WMtkWfxa@T*qb?`kWPem>ft8JKYINa~Q*CxZ^Rc)mwMtbp! 
zi~X$6k(?UOAK;Neez4{Mt)gKFRrpNq!zw`{ZvcyEIoZ?-s?~P$6<1C@Elu^KDTg9gddULigL((6r zsrwikzmi{E5k*_MO(XsumhOO_q5|pZslz_Uo}ZjuwiCcPL-CK-Zt0tdu>N*U>47dl z!4*T$YX{6xH9*-IvSZV+0kh3%s8je4s%K@SquQ9)6MGKyA9_~n;S>!C$h6;8!=9m? zq!pUsX9FZ;UU)m@&Ejb+3k01xniq9###U6 zCUtu0V?1&-&vge&MJ_UqpIlE9b2NIzyz4m{fASa(ji>t{%P3?!m_P4k>kIM{?}*wZ zuR61mZZeKA1x8l}0|z;lvijQ8Q--7GNwh<>Oo0Nl+JYT-bnLpMuTA&a;}|o7%s^Bs z?0f|t9E*esX;T1b5?w58+RU~l-s0JdvQz#2^h!MgCO0VrfhU>_BK42`m3w=@Jc`df z6I2fkf`81@sHqSH?W$<+BX9NvU)%mQR%zUbx|8z*4WE{TvV;w4kX^vK73h_5-wQiK z0ln&xXYpU}$+ix?#`3kCzQ8lwP|8Yy00pYa&EQN=f_zlY@#*t8)e% zD?_DU5z6jYX)6O;X@reVp$j(Ozm*mLN=SC_JsuG9x<2Gf(lmheUdNepO^Fd17Iq2o zS+vjY_}n|Y-D$0XaF^F_7YVto={BrTwQ=bZ%d#l0cCGJby2NR7qbDM#tjsy&Y4Q=E zt6}OSqT&u~BhXzzgmL80RKpvJ^egz5Ao5x^23XkZuT;|FqoR%i_jkO4XrZPD)}Bzt z`_}i_=_DR8i1)lIi*5|$_QHZ@B<)pX^?UvZfnVf^zFxon>Ie5)Cas0j2F2`T)=k&D zUm#v`tr-mXA(wBY4RF8uhy8&RMIUJSeQ_(R*Fr8A9>thH7!XyWd~=8HNPNzyWJ^{R z2CAsy=e`_fr=)r&@G4jHJMW@b;_uDeIHgD4q=WvI;6wKo9+sVVZaSyI>(d{IUK9m6 zQ@O(gkRxxbCmO?co8mHB@RQxEFp;m_Zk{$CSZ?V`b8%2aku7*ua;r*JFBLveLxFdw zb7?roptku`{3?lqff;0^RDQ z4r|^1ENHtoEP%>5>Jjy>Q_!^)yC>A^(n=NewUbeWMC0E}BvnKGJy`+BLiCgl86@_3 z3v9yJ@u2S4Q$&xvkfHZfC1$Np8MK!h7y+HkN)c&C(Hj|Wvt?{W{q7$K8=+igh!M&a zoGtc}CthO=-rCKTn^T=e!`@r%NJbFKE761KSZxzbzDc4zFDb% z?%y+kj4-|m8G-11Nq-o%A!h42Li*?Vp`99DPK?(zLtSlX*SZ1GH42T$ALIMFt6A{D*V?eHVn>1z%z@HR5xO>ty&mabNh4cpkQy}GJ5Jq23Wfhrfyk}+Zl3`QT=1WM znsoI51N45JE1OSy@u1^(L$nVy+ zcUZ8K@SB|RKV|LdH?z2|9mKjGZyB{~4}`tdcJ5`RfaLg~LN4Bqv?BFq^F%DXi>!G% zL$x%zH4(&kLaVfMqNRJykhW1h<855?()h7S$-7x{1$eoQ5RQcY^z^)f`q(jA_XTVYIcj{*je+>nx--7|ud|HOn)QNhbvi zdQh#oW9wf3+-;`2b7M3P`pQhmD{MqF?QYHX+AhWl-A%Mc^*!h}cc>BaNg!R4`hUR! 
z{1vDuF_^)!;c$=L-ua7`2kY z>l1m%oWM6{7@#K0H52XZ<6)q4aS5P8;Vo&O;Jf#{>=-Xeb-T;H*Q<9y-YM;{9m-C% zEa_-XJPpw?|4wAmPY?S+k{*=9+G`?hNxcdPC#{3TBKGenGM8+_#{;nV&p=xEQ#sNI z1ImV;;Tdvq{KgIylU}yV!XIy`76(%?j3(c6{$O&p9+{`@DpEK!2j;kcNUnQo?X8oq zYocFnx3ZOb=D#O#cYXje?DDOLrX8OJnX)y~A1w8NN#fL78Pm;C=jgB1(tWS_y~FA^ zFswB_`{&0*wx-BeyLi_5VCmeM6P>3;*^w&2GRFgAfAI;1Vv}nvQ;Y5i75?L-TYy+= z{oioybTbJW>=V2ZesDlqfzfaWjr+h#7#RrZ`|D%*4lK0Ewa`UQQg61pl6xLf0|JlL zU!M)8(!wcRrIPih53AG(M#OwUp-{G)+GTC`GhzXSP7aiu0}mXk7UJgXpn1Z9FC}h4 zUzkD9n=6vhx_7wxAXwbdJp@;w{LS+vE7|Vs{!={Kv?#BPKUe%2Xe$xH?2j># ztjY1)5uE}nX`6B^~%KtW!1sd`6~ z?7dxFZp?4hx^UH|qtn;G0sE&g0=Fply7aW4>4R<0_9R2>?fV(P#(mst?3*`Mn^?5N z&;RTeYk?!kV8h}gB{5YN^W{URGAtCV2Ry176aopQ+ zUtr}=EYCW?1y5vbWUZ$>6}fn{^V7MNC;+Xhx*;aEoD5dovkGgv0C_24>ayhjkWrhX zz?s|U^>wLICHA8d%>~`A-sz>TQfhfQ$C%UOK8EQOqmteW*Qb3&M$a@+_MNNzS|eXT zPts>JNEicvyRRnpUu_x+Ye5(sXXhP3+FIKJ<2ST!xdzKHC48UY%qi+^Y%M@UqnS7_U*}h{g@FwHn}? zjFF11W9yPwA;MB#QWwl`(sTTfrBrs@b4j*)!fA)kxV_({zRI~$`Y?#wdy(_wI{#R4 z5u47PIrZXXyHO^V)R#i!BFCZ>|A}cy|29r(%*9&nVFF}1Q>T274>MJzr*sw~znh;} zfwK&JiV?P?KVGP!5r^K0ua?{(4sRpCx|b{$MXr3|+p4u0&MDj{(Of`-{Tsyy#MXN2 z5gU=M!fJqRvidJq#x*&^1*Mkyi3PMy8r{|2Jm8NMX?_E5&C{r}r7c>5bHbPG=Qr$y zv8+XZFBbOJ`AdkP+}n5flwkuRTn6c=%TO^7@=i`Z-RVVV7@iQhJF#?7arLqoT1U#~98(qL2> zgrk#WCOohw4=a3F9aCtGuxRuzBfl3Wvy5W69O_GybLyqZ6J@;O{j}N_Z?htc5R9fr zD-*4@hfsActqk+Qef0_E%KWRiacrH=cD)MenaX)-HJ?7)jVzjd7I%CriDWQO-!nD- zK_({Uc(!n=|GL#xg3M0Pyf@*pB2b)3FA z3X#)GAVtUN!TtoHq~B=BapYvw$f{&?KfQTjD8{J&=j4=?Va9*{pn~&dvoO1&w~pv5 z#%EPKb;=ysdKR8hMBIGG0U9>QXpXJG#I3vox%I@Mst1SBstEG)j^%!aReEVV58y|p$O$?^=#xw2EQ z$Iia)J#oND0+3g-(Os`GlL;S=6GidJ4o`Ip$- zt2N$Jz9DBQ0s2>$(FthmUGik!&dxM<82+B2|LrVqdqI6%h7BXs?qEMQ3v^a0rK!Do zsUV5!nH9P$Io&s}+kliTqnN$cVftJwGbt_jk|q`lBzeaM54>fXm^>w zG+Io`(ux(U@H(-q@;6wr8pYQ_G6@BytYUNOLZrqASG1h2aZz84J>!$+B`gRUocL>V zK|B^lkNI~_;x$c3s}l4s{C75(KUbKw=mGEq4g{qy4Vr+l$Q+nVfy?A${%4H|0g=NT zieo~NpOkPj2p^A4N#`5Cy>PQZxxZ;m$Vnme4Lm*XN4@(!o7xQ+2Uq$u>=D=VX*TrE 
zZI|g3HP{~7Bn(iadXAn$vSH;9Rx>DwlL0|F@G$p#CyxOcR<1w9Pp5bO%L0!<^@vEl0RK;;qAtRLI$Y7m;cL;eH_PA98-ws0=%@m!R<#w~G z_h`B`YB`CzePrkOvO&^buqq&IUy9}n&b`%s^Y+KJj%V&J-m(+-5H^1gxO6}wKyc-I zeW3{S|MAn7f}>GN?eF^~tWsTKKff|uEcI6p)*?M0$co0rf9H`-_1iTpQ}>kZi~d8G zIc>!rZ;fDIw=9Y)8#_-PjO8Z{+l;5X4pdjNT|lG7Q6_TLEoT94Pu~m%FoV`V$&Dg9 zO)h9~xP1@)6W}wih#gVUq3vTbiY=q)m#?Az*Kz5OVJN@%j(iartJKhoR=&sbl)bpO zM@L76w6BSY;T6}EX?3KV`K=_;*eVoUPmG+WS>NgYDmE&}A5Cwt8Ol(Lzi0UQ!I04x zgLdeL6?hzXXr=ugyR(1n#R@5`^ZLHQ5U&nkgd=tn61!}NneG;_bE#waH}9T2K@V>y?q{W=^#)j{h~>$hpF*E^JG1oN=&KGGnQKgwsA zRE>~)!DL>d;`sTES_bKHaj^V5w&jd+<7NG?2YsKUXPrRoPn8bA+=lMHKr{ubxO^1P ze;+8rpX2m8-k~n1#{j3Vf|EUBvGgwpC(3%|7PH2ZzAIyvb<61^`6Bm-q+ zF(Rm^8pvp_$0G@k9JwL{)^|6^-r%omN5{C#NEVq{y@)n{K=!URQBx7HQXm_B`oFE@ z^-q2bA6BzpNRmCice_BQ?=Eo8I#}-fNNy3inv*Ehe;gizZK}OzQh8^uK$ds2DWy zs-0JxdXkOvL9BG`YBo3P=;Yww;Jm7zLo;b_$gKdqqQ@~)5KJ)h!qwU#dLS1tIh-cq zrEIb*G`PAS^#pZj!H1H^&ZEc_~uPN>=A5ZAeL2qw{`N3`lixn=8*`ip_qYD zb8*b14HXnotlK)`BJDheG{@Eq*@>bD#*~JReRVrn{Qqn3t)rss{zuUzG?51q4vPS$m!!>3b;^BuF581FQ`*W@`bhYZCHy zba!L)`;+{#QTT0VyEXYTWTKBwRV{sLuyD^ zg!xeU4-|Va&!>Qci;kWr&^C7Bd-N3<-mX=mBC0gi^rt&EVeavFPSR~SmSzcY{55Vx zlP$k{(BXZM<=FK?tfIz;EvwVx@#9(pr5ZigXdveWh}6@)Ml3}1?Mv3DT_u?m;a!s=k9(bLC;t>OMlaJNp6HD)c$tV^*p zs&H&%udE|L$AC!xcjv~IHm9A(R(_g z@PY?=XFCch$Vgx(AIdmmOtW=M^M(XY_LYpb8!$eKyF16PTkF!Aji!S1V+dKNT}hRS zJ}IA6$Bo^x$cZAQmJSDhmY6Id=}UU|*R;Aj*7l`O6bFx5{dNdVP^7fReUOHu$PDKC zOHfG`f(yTDt>9;~cjk3Bmpwa6QJLlwGmmIwhSE@pu(#VgE`2g^M$Ko*++{e*=UQ2X z5<%vWr67!gks5^40f}h3@*CqT)Q}Dt+ZY-1+K(}@1ebQw3$Mb5H&4%3PAs{UY!I_l zRH~crN(WKiQkE%ecPy~9p(eMvasku2X(T8NLO^tN#?u7z@KAwJ_n(4ha6eEAl7J72)lJ7U>!h z?#lylx~(6+@MuN5jH;g?bI)=dL!6h*r2`xh03imQF;^vpz9SRwZfx5;ras-*DNWP2 zGGZHXNw@YjCa*?9!LtR8SqF5{YmJg_Cq1rvT8U~H$^DhuCNvS^I-P?=@krKj(@#sU zS{!;rfkuD3;8)J{oV~zKEs-?i!@Fhfu`d{Li4i%w!xFFh94fFpBU`fKS<*?rGA!8_P~vOa2TznOrBa`{|q4HgRf01U*Cm6gLs1goNQBM@RmHFa@UhvU_MU z;<*{CYc`DwGx@~`ISUI5zUp!E_g{4s{Fu8b6Qd9hg|nXeBu|%A`<0B#mJw4AbmaB$ ze?41mCO%B&ye(151VJ0AgA|LB4B{+~;Phi}bR!dy1GRUUr1yI$l74S~;$S7>E*^c_ 
z!$QKFEj!Yt8=`U(+o8vNt$Qv1vrzMEG)|YZKz3kTy6a6``|e=sQ`28=p3a(r>ObaE zuRRAw1$$Ih{5`Qy(^HN|yRKcp zv4kxX$s9e~wK~QDFf!}8O^$hks?=3Am8e0j-2~Nu<1|^E{>OQOkF!Aag5*+WT`>US z{4RU`+*l(7U)5LfI(g{P3tn01gJZ8XoXB+zm3;ww;eSk zR=r7O2eho7QicFQX_}K<{jOX3d+jGPB3jrs>4rho@OwE81uCc2N2g_a?x{}@Dgg^4 zr&ESgC~)Eq&7eH=K`HA)`sG>rX8N&b4H}V;ksj{Ft7k9W{N;Kjpk&1w0||N}Br75~ zfc3KF{O^<|TSQe@yL)1eUou5t&CR{*4_QpWv^#&>0J@LVR9o}Ou`3gljF4+K-gfN; zaQKB>y=X#JKm^sIHXt`{x47C?47kt4E-koV8`Ov?gDd{L1n0ZMGuEJIR6%rjtS`;k zi`R1$A@U__Nn_3k$eEfD^d$P}oB=f#=(tG?Inu+(N2lK-49s>Bp%aKOGsuLh;}PUq zOd(G;rAJXqOj=k*OY1`~6$uHAZ@k@IA)oH8t(BxR1B*QkeD3lc?} zA8$R}t(Ym#dI&ZMtrvNJ>jySxhoZY;UGL$=HB7} z@zkS+;Iz#A>DH-r5G`6$L-Ieu{c?EjS7{%V1fPIC{}W_2b8>k5{eV?$>uZLb$MoX; zi_4#%cPT(NK5JjOfl`a*j{zJw)r1+g_SWAD#wT*9h#U5@QzLj@uAexeda&bOxNpmN z3bvEvp} zZ;eJ(m<%;fYRE00tz-KGaV;8DZfYIsCU6dYte?L2^G!Ig!2h~O1Qq&p z;Ygwj-NIPfbt6b$h#LW2m^zDb!$J3YZ}PWUmkqUO8K5!&0{d~lcyw4Zh<61RD)}GY z3c3Nw>$sX%4gD{|^{2yN{?K)3(1OQvfmhP+fyPtFLX5!e5b^{Zn*1N;`N7so9LSTv z@sH+_kcWbq;CW2A22ibVp3OBl7CMoMkkWbnvjr^V*0JV-E{&^w!0%!?*6L3o&Id;m z;`Ifx)a+e*zLpCNHS?b)s{y+Si5E4e^BcJNT|GjcpwH*G)PJoZ&|siA=h=ToCoiEx zZU}^-VQf`lKZS%ADHJ^DDmb5TEE!nYAdbqAAC=*t5a`Fap|7BC=W!1R!xhg=s~ig~ zVvkDWd|JWntSd0*#7=yvqvI7$0(at2#Q3Ml=?q8xN`Q&#j25urUF6mtLUC^nK!_3G z_Rs$*?TbYmf}T( zf7l0)OKF^DuPpWA5bp{66I7X3o+d%k4qaAcxFb6~fG(^_frw|%edd(^j@sSHx%RB0 z;F&bn3M~+ELj#04D^0hKj`^bH9lRCQr@d6S`_GuJ$sMwNpfVCE4c>+4co{pX{cC^O zP8np+Av_*J>!bwsbHcp|H9+5!oTlyCVvcqKT150w@E@p6Q2NA1*y_-wmjvd28B0gT zm%b0E9ve%4AGH9cm^=s-fzn(pKu<+mnHk~jSP*f{M+2cco>cbK+>U}s^4yq6CRg;| z&q=u#FK;) ztAC4%7qCG51MPh|(mzpELZC1>gwPbV*zZe@l80PBRO-{IL%}Amko(txWTlY?;9&$F zQy7ETP9}_=&P{fLhUqXXBj#tY;|k}=P=M$U#Hp;w`j|Er)Is=Now z-q-PTQn^Xe3qX!#bY%z(7%{-E;}7FFg;UZA#Vrh^bV7p)%UcV{p&|ZwwB| zL#AVqK-HJhJArGa0j-+hjByb!i#w$3!NPy>9}6FhP#l9Qley#`wFQ181fWeNv7#-V zUJSovj?rC@Q4oTuof>uwrk>iHObkv?R#H+L(Ix)R2;!ot#d{Oyt=k~bt*&q}9WvAIyxQwW0(y}Xl|8pBF z9)A{TSp?w#4y_|V1#^$#G~6iPXMzkUO88Fonfl9UCRVgzZOcJCJG}7#6-CW$^$sWs!Lg0))X{%6cWb{Ndt_g^R%t 
z(;@j%*bKR-<1HIip37Y#Q*GWkQvNfLtJ3jWW@``b%vd~Ljsj=!B+umCjmJ6FpkH2! zvPXM*ZL!~f8tje~->L+la;ATYOD(`~jduW5^RtZSHEw93G~u3WKqq&#mZrfYj6{K9 zw~y;1s?f^W(FyKw)qiRYt?&ejXa?$qHT&KH7WmAXHw=Nwla`Bk4hJNxe#&Xvkl&uA z3DRkG(i(HkE3tlkKK)_k%%jILKh7g4sT9goWdzqvMIFCz%!VH46*ZuqI!$8C!81wL zx)YUc)hU7p?p8WQx8Obu+QE__5+69s@AwfYf&JAD_EZlZWh(~GQUIXGitl=&syu5t zi2?y{Fyj>0L_iU*wL}Wp#}vkpU)($7u}Yr{)}PI*fx<_F2(m}*3DqZ?#j%oVFn1*E zRz%QjXrnWl={OjOxT#`Rm$84h{zN<&p>Wg@g-dWCRWD+wrlK#s8sVX z3jx21hdVMCwA+9aTv_U-V8`}bVPLo^q>P>+v-^5BST=>{EnRQ9`6=y41bh0AN(7II z%(?~s+i#yDx$MF=?f6Imu=cIHxb@0ziDahpA~}Q2Jp4}FLeBKuzL}on(0$uluTXah zPzk}b{Hf?t*RdOYt!eF#(ra{9Sp#P}UCgR1eQ2!lqS~kMwwu3SyZVwzOVck=+6dRV zp4;JaG=sYocgD$#s)h~qJ)GO$v{vc%Is*-~@)6VlcOX5vtHmlcaYi9%H2Id4RxnE`>d5O37%R6C z$UF<5dw7h}W?T-X%OS&h8o##r862xV3!;%p0e>I2m|ihBab|e2wydc3EQd6MWU*3k zuft^ByTo;lm9Y7J)d*^C%$}>v1v<go&C_Rn->fnlK#>GNoLY^4NEC4IrHbGg z=Oig%@rgpvmB=r~+|)zad;UBnu%YEZtYv$d5^u+@5^o6si(HA_af7U)7UsJhdl|>& zs7M@~=;tkT3M4C9HnbkC{60{+^t!{v%;4);q*>J~%zXcgF$?T|#FdTDgXB*O4octf z47-%B*J~urky$1CfR@b}q;B7SlwRAKysnB>t%Wwl&{FpJ$9JBdFJd8iJZPU(%HL6% z!3~s55{UOkIVndui6^agmdUJ6-e?%((GTh?v=s2tGIkO$(aK>7nAs%0)E%HNeO%*J zIs&06kpDV@nWvC9QoU-d`8R3 z81j(%VUR10&as7RcE-op)17F|FB>Zu-?x45Y;Pl zjHne&{-NYq8hypkIJpc5&qU1`?YCmfCCTW@oKWB7m+y~XxH&gYX1B8~^Eh1w+p3WT z+`Z_dJ4{P*9;iCJ1NxBaXXe^OBo#wIf@wKY*0a{CBXS2_Y53!K%O$H1TW^s*@9}PG z6m>+p1+Aivl?`l<z@hrF;6z=ro*Ku*wN&q{gN=LA z$A`kYQkRAGQL;<1`|si5VFCRil#P1!Jk|Hc$m7RvQY0C^8CrfoEx>?rDUtGz?KANE z%bcQ`S(AcDuYy`gH{z|^!@Kp2m;}yi12Mw3Mtxfgx-TQtZq3~W786Qo>#D~tDGV)T zzL|);q&_V->%Z;hnE01tphNt^J_u6_QNbMS1SsZpDF13O7^`euJQ#Q$CGf{lhT?3d zLTmh()mBYB@HCj*468$nf7^b&h>@^zm(2H1{MN9p^1wlq5BM{mVN*lFSeDhFRr@ii z%Slt8B>4ALWi(PmoHYrc!&(bt2cwx`GsX_(UZJZhm{4QS_CAq3y#fc~}P6yS&--f@}qSUog&a9zPCGn7E zKfz(X3aa{&m4fcV?0Ggan9;qUPQ7R;-(ov2i$x~+AXFtaLq)`KU58^DW-rMGpCoKr0#T;`ER+vQkY)`XRnO^Iqq=D~ zn-HAQrh_m7JxTa@C=@Vi8#6X6vjtB;l1c=2V(&90-6S?|k5P4WB(&22H^Tao)!J_e 
zS`fv|yl&abWSLB!Ln`bYg0#fB+fY1R&8t46vn-=x;y8)<15BnG!AD#0SDySm-;-!PW(U%R7am!4fZMW;ed~9rNd1V$jr)0Eame72uE8qTM1Yoc`>2^O; zLSo`_n-|4m&r;T`JTm=jyV6qdAnkddbz{~7F^mc_nLOU0a7M(bmd^aka&|C_c{IlA z3x+NS>&t}rG){gGkVwb{IiL)E)7Y)M$S@^Jn!=k>{Hau;ZDr-P5|4=EBV z=eK)H@m41$)7PuT0K3o2vHudApF%Fp5t=xWCl4aADEpDZQqrW}5Zj>KE6-(|p5UmP z$UI1(@TKc25A~zV#mXE*2(oHdZQBbhMe`beOgz)qp+`1enRr@ArRXBJ{uf=9;_Cvx zw4(3yP*I&+@fX)63gL;V_q$P0ndRdjIiI=qkaK;e^?p`(kqj#_hPT5d_3YTx9c(XS z7t0_!$$+rvImoGOupy?8-lG#Mx@^r@Y&{aQ#c&~xTs!h?gP8{-y<>byU$CSwD#dsn zcRe#4S#vjQmIZW`!t{uOXOWtXziOcZv4rknochBDfdk|QIggzSt_kP@*?2uUWg|>g zn?%xy9$1yQP??8jHPeoAo;2TB&aMWQ{}sieKY+=h6|m18p=-uwkUNb4qCN5~kr?oF zlk&=_9#3;O7a+wFne!ZAgOY&xE9AUNwR%cxy(S2HlqjLz&ZN?gBxPsN*+) zf_hM3G$ikKgJ<9^cyTjWi(4-=G&K60{OG9aIu5$mVq#;%u@6}zb!AQi!ys!Fs;6j1 z*)H>u5oe0mZazEh$vIZr**X-hX{gY4&db2?TP_6$=N3Cx`cnH`C=s|wCHMh-+E1zkOgBT~+= z{aVIy<@>V|C)Alm``ewTg3xp0n=!{@!vBNpFrTVsr#pF?zJ?+boAS=eY!v82K^n)K zVh)TJuVePT@W0gZb)MFr?Cw@a(`Nj%X0v25DZY~X?7QGMDqe9xC6L-k}J=s=MKc)O6b>pd7|<8yKai=BF+*pe@>7+RY&mDqYZ*-bm(C`4Rv+0 zpuSi44|!ojUJra($&4i4N=owk?o=8$QDZ4Ko80kq@<;b!tbCn!9K^=K#IF!SUcz!t zTY&tJ`42G1VTJ;tFZm`ru)KWds_1h!DbJJJ5JWh0pEC$e29#D}6!qn*%`O@dl}cLM z=O;P6pt?FFkC<4t@x;E%sW{|?zd3uufM)`M`In5QrfC>l2qJXDrlaBTk2a^#aznQg>bgP+ zttlwYdFK||_gU#);!+d{9I(3{>;b|`!(cgw0ZySy@tp18QZ!T970vDm{@f(KFCU+N zTB6r(Q9SkNw*>VaD9hudj6V`0uPfNW-hfRDwsTc|BrJ;q7kEX^b6w4lWDs$m#tmNK8PjC9goZYLy_;`9 z&R6JZ)=6k6sQPLR&gW zSJ{nfH6lvv6uaHfYK`FRYubG$Ckrmp^==h0=Iv9MA|HMj*TnwrI{*D|o9Mpw>jheT z@syO5KWdcW65^QkEIAmgpjv-h z&}y(?T+ngELF@KP^@*%|Fqr(P24Ud=4~!0xE$IypndUqgFq=E>EcwQ|K6&IX*2YqSEF8^ZLf3J0OP4Yj?^9hL%gN8DTd{gWYND2jRvAOa8FO zw!n)8{zR0Pp8jmJKtsOB6FmLcj{M?qDZh33Qc*&_U;XMk_V{SphVP-Ex5;;pR&gT( zZp^+fuCl`!yN)kz-9mo$gg1NZfk&T5Z3t_pRUbaaEYelwBcIkG+tuA*KNQi>iVJ?w zMrQm#xj^!{=1;Ijh<`X%t;dz%53s(YjR`+dA(9@uSW=4HYmIFD)V!SS;@e+X>W|yG z={rwHw2aLPOJEoC^EsbR8ADPV`JSUGP@PwAO6tqIAeUbz=Q7t*${JXfHX0~Ac$FdS zX`uBpVN~_IQgpG684~BVbi#jVcYW6MYN*X%!8JfP@aGSEV3$_MeaYK)yYU;7AGq5r 
zb#9cl4%r|X%U>_OM`t4s)(%8Ukp^3sF-iM_+m1zv=GctvD$$J0%@t{P_htByRzu@f z-?Z&obPvt6h~3cc-s2z(rVP3$zpad|Zz0c`N-r848C|Zz<1p>oTFg<3RjIU-X8M;( zvql`kCW7~(1*auic~u6AXSN37cZ0jK^h6{?Jd}D??VAKOv+V_{Mw)GZanfvZ(mKc8 z8tV8~8Rt=DryGNcMkBUn`qld!{38c91+ZZ2;ZhHMBf+u^71?c>`yd`Wnn`*fUJa(N=LWG4EZkMTV~gHN~i3fTw`UQ(Gm@^a7XGccn5H@bbR?Tc3Z2cP+}KJUy84L#{nfrgw0*hiPq(FJ^bKsc+l_^WcH<&? zR7%PAsOzk*XAe5RLwLploZjmkxOcF*C6JA*@L%6q+Ur;b3P&#wf~gPjaJ|DbGz6Ry z><&ZJ=k&4nrF}U$ znq_n+g|;TW<)w_WputU%dzBJrB&Pq`G*5DoFqkat)3*@Itt3h64sq|(b8Mwc9_FrP zacJdjaz`Xc;rcZ+0zS=tD^46_N47a;S>LK9-!xPx%AjRxJP@oUt0cKKWs7de8tl@A z_Ze2|l`0iwh)66Q=h-yg;Cu5hF2AdEFvz&v!n8_IARD6|q{1KiC}^O+|1rQuNZ^YH ztM(dlG#wCy`j-AcFR-eA3#@iU#M7^qs9f^r-0W>XKU$VQT`u$RQ}g-}MTtjK_U60P zeS4Jlob%?bjGNGITW8|RpfE`Z97am;N<7Jj-jD9lY1 zv#H-3bNIeCyaOIV6{)t$vTa4IzA)i6W3SLmcfWU1a1kN*lmHo1^$Cb%M9qpE|re4DM%uOx&&3(wVn8`wGo&Nd)Rd_yR zl-JQct@#p;j?Iu~Y6`PwvPpWXn@e&^7PI#kX6DU$8Nys<^BPVgAh8N#XGYAF$G9nB zg0=tc^3Kvx*{Iz^T|=5rN=?#ZD}zb73DqY<-Qy&fLG?gMsdY~xBwRWS*o?N)W+>(x z$te$KZ#BK!YPJ8x&OUAGm7<-6JlHEb7TIn60PX&3)r$CDdY_AfmaJ!<=JvQEjANCx<**#sik?IohW}{6E zQxI1&N-C!A9cX@e&rYe^hWPfN-_1OOE7T$gmV0{qPQSlXg)O*e)ZfC!Hz49$SY(xl z+gE?B54)fe;p>lDe7u4e{=J zTE*4^1WMBu%Qmq46zZ9W`=-T zia3mgKsAF+_(9OYcDd}kX4w7m*}bKm(tt{vlhuI$k9hpB+7timo*P5i9aUaQ>l3X~ zDPC%&+}3VR^W<5Qo}WMIYm>Rj2rd23yAtfHvnW!1lft*p<$}%Oy6|J~f1lYi!0+{; z0E({vg<_9)nzXy}jv?D}NKJ+jg+g`OJP}D6JLbob_T1q;X~HYS%e=>}hM-N~1&`=i zndhjo19hK9`>E2HSqa;ln!k2K*v@?kbeb{2A{Zl{mwQk2ez^^o_I^(N{<%}aB@G&v zZ{R$RU!jy6=!*y=UikBfw=SFSFAP+X8maS1g<1UqXKBziIqa5*S}%vQ26JwNWlP^w zk=UJ@R;1k(*tXaz3@05?H;$O~Sp9j48!m~&|BkA9wY%SnPSR6Nrlpv_b#v z`iD+St*VQ-DyDU}C!0yK<+hgkDk&)7C7$u~Z!|BZ!XUwzi=7TACszQ(v;Sx(`D|9~ zmw?Ok*+IfD`xd7=#V(F=`(8A?`Aa{K@l;v^HrDe}?xqb}yo)_>P}W8YdY%6mUW2AY z^5=AX=LieOqhBu%)B1iLh$j{AX2;H=zQD#ZzrRu~_QW5E3{BC9?~MEMQ?nx!DY+|F zYJQcOf2$YBxN73?{`s>YH;LMd&VlA|^N$`?%BAk&9bu`dsY&#-SJM&3Um22JkQYhv zZZ+Hr(IO&^`4O;Zn;+7Oe!&~F#OZ!RQ!&5NS*g2_zCmBThh~Elh^R<~{@C6E10I$P z9utZLyA5AWv+;?{PDdS^ITg7;N@gW|zVlYuB8HzGuq16rOmOVwty^2IEG>7K+>@!x 
z9wX2vc@3wg-fVsk2(>%D4G39@bzFac|1a5Xmvq)z7!Dy7n&`XB`NTvg&qaaw-kOEL zyaYDqMOSJ|_;`jn3ag&|=-IWzXi{I3@{HW3hSHluQTHp`cQ>oB%dxbxoDUu%Z!RpE zUkYsUy0?``D{IEyu2*=ixE*Jw*Hh%Cmw{4W%Fgly2;J&iR#?RE3c*-Z|NibmQD$p1 zJqW1K_zNA?XO@2)ID%al`dd-w#k8{w@LL{Vt>Q`Eyg^w>6PC*vj|27WpN;en2Dm%Q z-@euUHqR70sDb1-W3-{@ui@4Cal-2hi@s7>`@4x&bFypfb+bjdkKx<1kFps;DcADz zq}0?>VBZu_@2%Td!b8sYQ&JgVgUCa$7H=lM)R?It}cGo7n$ z+oZWiUU>hlO@n;GgeSozDAs+s`(V*nT&jaK>+2p005lC=K4DcWxK;C(hIHV@Mwd#v zF1(R)9{ zo$FCn?j*D(_;?W!M_l}k^MJpQpvZHVsk^`ZK(g3+YmdJR<(Pgd;-;cNJ9(hLmcH|| z=V~78BDoU9^I8IdKbzm}flYg|d+2dtIYPfP^Y(M5G^PWy=B5>hYWwa0NUo5XOuNvf zwrUyoMSe3L122~CCacH`*T1Q2T;+8B#mS?(>0Grndr+$MNaJVn$ktguvcaWTZ=at9 z7NJ>vdxZn{(rk5qiP#OtTqNN?2CKGvZ2yA5G6#B%9rVv~+9?g;et zkT{fT9y4sC#=LZlC=yPz-qps$1tYdFZ^>#BQo#^f1n-v=?t;pnr=!q5uhz-aw$zY?mggPxJLn(7d!+^i;9M<&w{EW-$Fx8T4GZr zfemRrHD-ki+v~VQ5Z8z{ldtvLK6;`NXxySI!WL56jk>8&zRYA$qJ65GB{n)b01C5k zHNbXnW8P^t&d~_Bx5+CgC`eh;I15_+SpSgzJXa~{IMVrS=LEsbvep!nRvFd(sy!7( zL-J(xauhHY5CZL(%Z9{Jj~!BP66lBP99%}0>bQwKh7TjL1c^=Lky(ggfcW10xFb_J z8z=|+Pr*@t{0)TBUp)lN+BxbYP{~@1X`^u_=%`^GhZdbsNf~Rq%SH`KyufQgmEacR zHTt)%3PyA6)NA>`%%HGvcZru;Q11T_c?Eg}p)YTZo@Zmn-mba{y-fH=lrLY`S0uk! 
zB_dxReEl`&jnl?%ClMad%N)KVp_zOKk3a9B(em7>qn@7^c<_{zm0)QG z+!+bu2uAFU#?wG6p*lq260mB9>e(Z#W$4PV?imfLKZ*?!qQzOR=SrThfgUG#W&xN* zNYPtM?M0l%w>R?xfB-MynG+CW1uzN`Oj<~1batl@aW_74sCR~ zj-so0J;@ua+kP$gWnZywgp!x1$ROlgq=4I4#zo6hMgdA?284Xy44VE z??C=b+6MM|nyro54)obp?yc27_bkAZf!E207P{Zh9kuHEJz|c9AB2IXd9Fnms6SQ0 zHGBE>nAC@`auU6`1K3gzC1O5mM#7;WIQk-aGUW6*tWX2GLx790Z zkb^JrFrcf>!Q(5f+asaeFfZ@ob#7<@`4bd$JmcqvsdKS2Tw^w46uFo-LLTVHkm!5q zts78&A&1;e2TLo$n`$YwW5E6Q;o6|VDV`*#X@(jU)r42j&tvC9aYS#Ouz{JP_{v{-+Vw`x_f<)OG(1s7@%UX-#d%%$CFx)b>0qsiGBHUGtTM z`8M2ydg65~jUXqi9v8Du#O($3{nu?ZQ1?~>sw2zpd|(PP<{ z`miVo@UD7%ZX=Oa#|D~jm|^4Ld-O)bUO1Al<%#Rwox}9JLcAu>vfuw8#rkXuzuQ_UQ0%uS(;;d6-S+kU;TX5-Kzpn-AHC+P9&SM&8n2#R^?}u@a^)qk7A8)B}e` z5;~ySf8TT{8?!M%2W6>VxC+&kQ622r>ERBkHVCHn-$U~+iE7;#`C~pMbB{m?d0Pp| z24-5}hsj6Dpu(DW(rGx_~8`N(e%oOd|Ek^{Celxt96zzrg1gH%hvs+wWh)-R9}GBkg3wEu8qYtuKw z508RFPe9_SBdi4Kfs(9sc1{Fgm^&m@aNluz0`I2(Fb!-h-Pk#X0*GLeS!eC0iXrpzn&N+_GOj>kDRmpfP}q zgkc+D+s~nY!(0E;PX6zMu>aGC|0^IQ5fbW+JA#F-eKqSte_&4lakdH|T+uuRbimC!6EHDnN`T^&JXHbgW?Q08uT5lZEl zLAXK+zHxa8(E6NGNo@z6X3Ou;RC>oU&p1Rof&8a1qe z08I`bpOY;h;`=;#vF;z#=-oR`LZv#0Ai0Pa?bzOnx+=I_U(pCn?&@HGjzp)+?V=)q z&rfjznGI0Jk;a^#yCFITDsCI)*~l;YZH0GeMh3C-0ic)Ad)NoUhSrUQ)9rT0o^Ox{ z^#0@>+@y3KyR55S!ghjvOnfw^B=`50iUi&&G&Rd4op_zG35+= z6_I%6>nW1XapD_;;~TRRI;l~aorTiqcCF%qtWxV~yhXWzwVopv&Qtebba${QW!rRY z!@ZV#lriw2L?OCGyk^ZdgeS`N%`|`D_UVujUYwY%{i{~+n6}9EjdGDq^Z_kW#!m(6 zV}dI*jnxbypQk@lo>yqAliC~X?Uk*vo;um`Wkv9=-DE>p(_HfpM;*#g;-;KUc6QCm zgX!g~H8Zk^B|ICk;udOZd3i6Ka@5*c0=nyuDvuS8!R<~?{D_9>L`h1HD4%ZWQ}B$` zQhu`}sQZ!fIypSpJMWW<_rV7(ZOW!o?_A$-4YOUB+&-;UqA*8J_pUPHZnJ`zr7+s0ehHy5{0<9HuzpQioQY}oW}ep^_-OyM*Ep3DV7 z8!f??)Q~_QD~~p*T$b4S5CPx#z4WFoW%+FF%U(=?qJGef*eOK9< z;TCAj%aEM?VK&_frbNkMwgNCgAw91{LQ&C}hf}W9yYWB47T?)2^&>DBUeoKYDh~jo z>?OA|B^k7ntRlZZk9@zAT`adaFdV}XO=)DU&%BC73b`h=H{iKlF0*Uy48Iq=+{50^XN+7&S(RzCy>0E1L}B7WcHWNFzi-LK9UyI#ZZ66n z4CCgJfx>$eh8rL#ROUP5UHl!PJV}w605VnJsv?L3$)a(KNE_Y|V z+xHUv4R!-K5--_>^!1?Sx`|zH%se0BezhzT>6<6%TuD}g>3&+Su#@b0adpx2Wr!-6 
z&x&ETUo%Wkol6y>xv=&J#@naQ7NWyFJ6y6^Jr!m|)+z%evFaB4>r5|e}M8n1nFzLXe Q9tOK7r!1Rw$I$2h0$34f{Qv*} literal 0 HcmV?d00001 diff --git a/src/content/partials/magic-transit/mtu-mss/mt-dsr.mdx b/src/content/partials/magic-transit/mtu-mss/mt-dsr.mdx index f146e1b91d23fd..b61db301ed0617 100644 --- a/src/content/partials/magic-transit/mtu-mss/mt-dsr.mdx +++ b/src/content/partials/magic-transit/mtu-mss/mt-dsr.mdx @@ -6,7 +6,7 @@ Asymmetric routing is a common scenario especially with Magic Transit. Ingress t In an asymmetric scenario, we want to reduce the MSS value of packets sent by Magic Transit users to the Internet in order to reduce the size of packets sent from the Internet towards their network. To accomplish this, the configuration must be done either on the customer's end-hosts or through an MSS clamp on an intermediary device on the egress path of traffic leaving their network. How MSS values affect payload sizes on both routing paths is detailed below. -![A diagram how MSS works with Magic Transit and Direct Server Return.](~/assets/images/magic-transit/mtu-mss/dsr.png) +![A diagram showing how MSS works with Magic Transit and Direct Server Return.](~/assets/images/magic-transit/mtu-mss/dsr.png) _Key takeaway from the chart above: MSS clamping affects TCP packet payload sizes flowing in the opposite direction vs. where the clamp is applied._ 
@@ -14,4 +14,8 @@ _Key takeaway from the chart above: MSS clamping affects TCP packet payload size
 MSS clamping only affects TCP traffic. If, for example, you have a web server on your Magic Transit prefix, then the MSS clamp will take effect on the TCP data from direct server return traffic. However, be aware that you will have to take a different approach for any tunnels inside of your Magic Transit tunnel (tunnel-in-tunnel scenario).
+![A diagram showing where the MSS clamp goes with TCP traffic.](~/assets/images/magic-transit/mtu-mss/tcp-mss.png)
+
 For example, if you have a Magic Transit GRE tunnel set up, and then another IPsec or GRE tunnel running from third-party devices on your premises, MSS clamp will have no impact on the outer packets of the encapsulated traffic. This is because MSS clamping affects only TCP traffic, and IPsec/GRE encapsulated traffic is IP. For this scenario, you will have to lower the MTU of the internal tunnel interface further, both for your ingress and egress traffic.
+
+![A diagram showing where the MSS clamp goes with an IPsec tunnel inside a GRE tunnel.](~/assets/images/magic-transit/mtu-mss/ipsec-mss.png)
From 37ff8b752946fbe85f2db7313efcabad37046539 Mon Sep 17 00:00:00 2001
From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com>
Date: Tue, 24 Sep 2024 07:19:57 -0700
Subject: [PATCH 37/54] [API Shield] Fallthrough Action + SV2 for all (#17034)
* plans page * plans table * fallthrough action * availabilities * Apply suggestions from code review Co-authored-by: Jun Lee
---------
Co-authored-by: Jun Lee
---
 src/content/docs/api-shield/api-gateway.mdx | 2 +-
 src/content/docs/api-shield/changelog.mdx | 2 +-
 .../api-shield/frequently-asked-questions.mdx | 2 +-
 src/content/docs/api-shield/glossary.mdx | 2 +-
 .../management-and-monitoring/index.mdx | 6 ++--
 src/content/docs/api-shield/plans.mdx | 22 +++++++++++++
 .../docs/api-shield/reference/index.mdx | 2 +-
 .../docs/api-shield/security/index.mdx | 2 +-
 .../security/schema-validation/index.mdx | 32 +++++++++++++++++--
 9 files changed, 62 insertions(+), 10 deletions(-)
 create mode 100644 src/content/docs/api-shield/plans.mdx
diff --git a/src/content/docs/api-shield/api-gateway.mdx b/src/content/docs/api-shield/api-gateway.mdx
index 275e9d7dae4a23..603ea3f8d1e005 100644
--- a/src/content/docs/api-shield/api-gateway.mdx
+++ b/src/content/docs/api-shield/api-gateway.mdx
@@ -3,7 +3,7 @@ pcx_content_type: concept
 type: overview
 title: API Gateway
 sidebar:
- order: 4
+ order: 5
 ---
diff --git a/src/content/docs/api-shield/changelog.mdx b/src/content/docs/api-shield/changelog.mdx
index 009ba9f1f144ea..d7ccea3f8bf3eb 100644
--- a/src/content/docs/api-shield/changelog.mdx
+++ b/src/content/docs/api-shield/changelog.mdx
@@ -4,7 +4,7 @@ title: Changelog
 changelog_file_name:
 - api-shield
 sidebar:
- order: 9
+ order: 10
 ---
diff --git a/src/content/docs/api-shield/frequently-asked-questions.mdx b/src/content/docs/api-shield/frequently-asked-questions.mdx
index 891c36f5ac49cb..a51c69cb34a5ba 100644
--- a/src/content/docs/api-shield/frequently-asked-questions.mdx
+++ b/src/content/docs/api-shield/frequently-asked-questions.mdx
@@ -3,7 +3,7 @@ pcx_content_type: faq
 title: FAQ
 structured_data: true
 sidebar:
- order: 7
+ order: 8
 ---
diff --git a/src/content/docs/api-shield/glossary.mdx b/src/content/docs/api-shield/glossary.mdx
index 0f07ca3de00082..7fca4a84d514b2 100644
--- a/src/content/docs/api-shield/glossary.mdx
+++ b/src/content/docs/api-shield/glossary.mdx
@@ -2,7 +2,7 @@
 title: Glossary
 pcx_content_type: glossary
 sidebar:
- order: 8
+ order: 9
 ---
diff --git a/src/content/docs/api-shield/management-and-monitoring/index.mdx b/src/content/docs/api-shield/management-and-monitoring/index.mdx
index e2158c632e0c05..79a7123bd579f3 100644
--- a/src/content/docs/api-shield/management-and-monitoring/index.mdx
+++ b/src/content/docs/api-shield/management-and-monitoring/index.mdx
@@ -3,12 +3,14 @@ pcx_content_type: concept
 type: overview
 title: Management and Monitoring
 sidebar:
- order: 5
+ order: 6
 label: Endpoint Management
 ---
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip, Plan } from "~/components"
+
+
 Monitor the health of your API endpoints by saving, updating, and monitoring performance metrics using API Shield’s Endpoint Management.
diff --git a/src/content/docs/api-shield/plans.mdx b/src/content/docs/api-shield/plans.mdx
new file mode 100644
index 00000000000000..b2da4e32dfdd90
--- /dev/null
+++ b/src/content/docs/api-shield/plans.mdx
@@ -0,0 +1,22 @@
+---
+title: Plans
+pcx_content_type: overview
+type: overview
+sidebar:
+ order: 3
+
+---
+
+Free, Pro, Business, and Enterprise customers without an API Gateway subcription can access [Endpoint Management](/api-shield/management-and-monitoring/) and [Schema Validation](/api-shield/security/schema-validation/), but no other [API Gateway](/api-shield/api-gateway/) features.
+
+To subscribe to API Gateway, upgrade to an Enterprise plan and contact your account team.
+
+Limits to endpoints apply to Endpoint Management and Schema Validation. Refer to the table below for limits based on your zone plan.
+
+| Plan type | Saved endpoints | Uploaded schemas | Total uploaded schema size (MB) | Rule action |
+| --- | --- | --- | --- | --- |
+| **Free** | 100 | 3 | 1 | `Block` only |
+| **Pro** | 200 | 4 | 2 | `Block` only |
+| **Business** | 500 | 5 | 5 | `Block` only |
+| **Enterprise without API Gateway** | 500 | 5 | 5 | `Log` or `Block` |
+| **Enterprise with API Gateway** | 10,000 | 10+ | 10+ | `Log` or `Block` |
\ No newline at end of file
diff --git a/src/content/docs/api-shield/reference/index.mdx b/src/content/docs/api-shield/reference/index.mdx
index 9d018516c283ec..440e14d60c687e 100644
--- a/src/content/docs/api-shield/reference/index.mdx
+++ b/src/content/docs/api-shield/reference/index.mdx
@@ -2,7 +2,7 @@
 pcx_content_type: reference
 title: Reference
 sidebar:
- order: 6
+ order: 7
 group:
 hideIndex: true
diff --git a/src/content/docs/api-shield/security/index.mdx b/src/content/docs/api-shield/security/index.mdx
index f99fd402ff5ce7..7b4b8b47aa9a1e 100644
--- a/src/content/docs/api-shield/security/index.mdx
+++ b/src/content/docs/api-shield/security/index.mdx
@@ -3,7 +3,7 @@ pcx_content_type: navigation
 type: overview
 title: Security
 sidebar:
- order: 3
+ order: 4
 ---
diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx
index 1c34f973e5a2d4..08ab20bee62077 100644
--- a/src/content/docs/api-shield/security/schema-validation/index.mdx
+++ b/src/content/docs/api-shield/security/schema-validation/index.mdx
@@ -6,7 +6,9 @@ sidebar:
 ---
-import { GlossaryDefinition, GlossaryTooltip } from "~/components"
+import { GlossaryDefinition, GlossaryTooltip, Plan } from "~/components"
+
+
@@ -69,6 +71,30 @@ At this time, learned schemas will not overwrite customer-uploaded schemas. If a
 If an endpoint is currently protected by a learned schema, the date of the last applied learned schema will be shown in the current schema field.
 :::
+### Add validation by adding a fallthrough rule
+
+A fallthrough rule acts as a catch-all for requests that do not match endpoints in [Endpoint Management](/api-shield/management-and-monitoring/).
+
+By ensuring that all your endpoints in a schema are added to Endpoint Management, the fallthrough action can protect you against legacy or zombie endpoints that your team may be unaware of.
+
+To set up a fallthrough action:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain.
+2. Go to **Security** > **API Shield**.
+3. Under **Settings**, go to **Fallthrough settings**.
+4. Select **Use Template**.
+5. Choose one or more hostnames from the drop down menu. The fallthrough rule will act on all traffic that does not match an existing endpoint in Endpoint Management to the selected hostnames.
+6. Select **Continue to custom rule**.
+7. Name your rule and select your action.
+8. Select **Save as draft** to deploy later, or **Deploy** to deploy now.
+
+Your current fallthrough rules can be viewed in the custom rules list or in API Shield's settings under **Fallthrough settings**.
+
+:::note
+
+You can use the `cf.api_gateway.fallthrough_triggered` syntax in your own custom rule for a more customized logic check. This detection will evaluate as `true` when a request does not match an endpoint in Endpoint Management, so it is important to check against your API's hostname or root path to ensure that you are not blocking any non-API traffic on your zone.
+:::
+
 ### Change the action of an entire schema
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain.
@@ -159,7 +185,9 @@ Schema Validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis
 Currently, API Shield does not support some features of API schemas, including the following: all responses, external references, non-basic path templating, or unique items.
-There is a limit of 10,000 total operations for enabled schemas.
+There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Gateway](/api-shield/api-gateway/). To raise this limit, contact your account team.
+
+For limits on Free, Pro, Business, or Enterprise customers not subscribed to API Gateway, refer to [Plans](/api-shield/plans/).
 ### Required fields
From d4526442e5b21bbe9d7f3ec908f766d2fda658c3 Mon Sep 17 00:00:00 2001
From: Kian
Date: Tue, 24 Sep 2024 15:29:51 +0100
Subject: [PATCH 38/54] [Docs Site] Add components for type highlighting (#17056)
---
 src/components/MetaInfo.astro | 15 +++++++++
 src/components/Type.astro | 26 ++++++++++++++++
 src/components/index.ts | 2 ++
 .../components/type-highlighting.mdx | 31 +++++++++++++++++++
 4 files changed, 74 insertions(+)
 create mode 100644 src/components/MetaInfo.astro
 create mode 100644 src/components/Type.astro
 create mode 100644 src/content/docs/style-guide/components/type-highlighting.mdx
diff --git a/src/components/MetaInfo.astro b/src/components/MetaInfo.astro
new file mode 100644
index 00000000000000..d302876d77b893
--- /dev/null
+++ b/src/components/MetaInfo.astro
@@ -0,0 +1,15 @@
+---
+import { z } from "astro:schema";
+
+type Props = z.infer;
+
+const props = z
+ .object({
+ text: z.string(),
+ })
+ .strict();
+
+const { text } = props.parse(Astro.props);
+---
+
+{text}
diff --git a/src/components/Type.astro b/src/components/Type.astro
new file mode 100644
index 00000000000000..1f18743c5f0b0a
--- /dev/null
+++ b/src/components/Type.astro
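Review bot: MetaInfo.astro and Type.astro (next hunk) declare the same `z.object({ text: z.string() }).strict()` schema and the same `Props` alias, so any future prop would have to be added in two places; consider hoisting the schema into a shared module that both components import. Neither file says what it is for, and a reader arriving from index.ts rather than the style guide has to guess; a one-line header in each frontmatter, such as `// Inline type label for CLI/function parameters; see style-guide/components/type-highlighting.mdx`, would cover it. The line shown here as `type Props = z.infer;` carries no type argument, which is presumably a rendering loss of `z.infer<typeof props>`; worth confirming against the file. Keeping `.strict()` is the right call, since a misspelled or unexpected prop then fails at parse time instead of being silently dropped.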
@@ -0,0 +1,26 @@
+---
+import { z } from "astro:schema";
+import { Badge } from "@astrojs/starlight/components";
+
+type Props = z.infer;
+
+const props = z
+ .object({
+ text: z.string(),
+ })
+ .strict();
+
+const { text } = props.parse(Astro.props);
+---
+
diff --git a/src/components/index.ts b/src/components/index.ts
index fd6987b1d7ca01..17ac7887f0ee3c 100644
--- a/src/components/index.ts
+++ b/src/components/index.ts
@@ -26,6 +26,7 @@ export { default as LinkTitleCard } from "./LinkTitleCard.astro";
 export { default as ListExamples } from "./ListExamples.astro";
 export { default as ListTutorials } from "./ListTutorials.astro";
 export { default as Markdown } from "./Markdown.astro";
+export { default as MetaInfo } from "./MetaInfo.astro";
 export { default as NetworkMap } from "./NetworkMap.astro";
 export { default as PagesBuildEnvironment } from "./PagesBuildEnvironment.astro";
 export { default as PagesBuildEnvironmentLanguages } from "./PagesBuildEnvironmentLanguages.astro";
@@ -48,6 +49,7 @@ export { default as Stream } from "./Stream.astro";
 export { default as ThreeCardGrid } from "./ThreeCardGrid.astro";
 export { default as TroubleshootingList } from "./TroubleshootingList.astro";
 export { default as TunnelCalculator } from "./TunnelCalculator.astro";
+export { default as Type } from "./Type.astro";
 export { default as WorkersAIModels } from "./WorkersAIModels.astro";
 export { default as WorkersArchitectureDiagram } from "./WorkersArchitectureDiagram.astro";
 export { default as WorkersIsolateDiagram } from "./WorkersIsolateDiagram.astro";
diff --git a/src/content/docs/style-guide/components/type-highlighting.mdx b/src/content/docs/style-guide/components/type-highlighting.mdx
new file mode 100644
index 00000000000000..8626e875b64675
--- /dev/null
+++ b/src/content/docs/style-guide/components/type-highlighting.mdx
@@ -0,0 +1,31 @@
+---
+title: Type highlighting
+description: Components for styling type information for CLI/function parameters.
+---
+
+## Type
+
+```mdx live
+import { Type } from "~/components";
+
+
+```
+
+## MetaInfo
+
+```mdx live
+import { MetaInfo } from "~/components";
+
+
+```
+
+## Combined example
+
+```mdx live
+import { Type, MetaInfo } from "~/components";
+
+- `name`
+ - The name of your service.
+- `local`
+ - If the service should run locally or not.
+```
\ No newline at end of file
From 3a6964202d3040bfc961fd36491b2986ebca83a7 Mon Sep 17 00:00:00 2001
From: jsoCloudflare <150061260+jsoCloudflare@users.noreply.github.com>
Date: Tue, 24 Sep 2024 07:30:43 -0700
Subject: [PATCH 39/54] Update create-token.mdx (#17040)
* Update create-token.mdx First change to create token calling out new type of account owned token. * Apply suggestions from code review
---------
Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com>
---
 .../partials/fundamentals/create-token.mdx | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/content/partials/fundamentals/create-token.mdx b/src/content/partials/fundamentals/create-token.mdx
index f1d31602d5d0e7..734f92d72ed093 100644
--- a/src/content/partials/fundamentals/create-token.mdx
+++ b/src/content/partials/fundamentals/create-token.mdx
@@ -13,31 +13,33 @@ Before you begin, [find your zone and account IDs](/fundamentals/setup/find-acco ::: -1. From the [Cloudflare dashboard](https://dash.cloudflare.com/profile/api-tokens/), go to **My Profile** > **API Tokens**. +1. Determine if you want a user token or an account owned token. If you are developing a new service that you want multiple superadministrators to use and the endpoints that you are calling are compatible with account owned tokens, the option exists to use account tokens that are not connected to a specific user. -2. Select **Create Token**. +2. From the [Cloudflare dashboard](https://dash.cloudflare.com/profile/api-tokens/), go to **My Profile** > **API Tokens** for user tokens. For Account Tokens, go to **Manage Account** > **API Tokens**. -3. Select a template from the available [API token templates](/fundamentals/api/reference/template/) or create a custom token. We use the **Edit zone DNS** template in the following examples. +3. Select **Create Token**. -4. Add or edit the token name to describe why or how the token is used. Templates are prefilled with a token name and permissions. +4. Select a template from the available [API token templates](/fundamentals/api/reference/template/) or create a custom token. The following example uses the **Edit zone DNS** template. + +5. Add or edit the token name to describe why or how the token is used. Templates are prefilled with a token name and permissions. ![Token template overview screen](~/assets/images/fundamentals/api/template-customize.png) -5. Modify the token's permissions. After selecting a permissions group (*Account*, *User*, or *Zone*), choose what level of access to grant the token. Most groups offer `Edit` or `Read` options. `Edit` is full CRUDL (create, read, update, delete, list) access, while `Read` is the read permission and list where appropriate. Refer to the [available token permissions](/fundamentals/api/reference/permissions/) for more information. +6. 
Modify the token's permissions. After selecting a permissions group (*Account*, *User*, or *Zone*), choose what level of access to grant the token. Most groups offer `Edit` or `Read` options. `Edit` is full CRUDL (create, read, update, delete, list) access, while `Read` is the read permission and list where appropriate. Refer to the [available token permissions](/fundamentals/api/reference/permissions/) for more information. -6. Select which resources the token is authorized to access. For example, granting `Zone DNS Read` access to a zone `example.com` will allow the token to read DNS records only for that specific zone. Any other zone will return an error for DNS record reads operations. Any other operation on that zone will also return an error. +7. Select which resources the token is authorized to access. For example, granting `Zone DNS Read` access to a zone `example.com` will allow the token to read DNS records only for that specific zone. Any other zone will return an error for DNS record reads operations. Any other operation on that zone will also return an error. -7. (Optional) Restrict how a token is used in the **Client IP Address Filtering** and **TTL (time to live)** fields. +8. (Optional) Restrict how a token is used in the **Client IP Address Filtering** and **TTL (time to live)** fields. -8. Select **Continue to summary**. +9. Select **Continue to summary**. -9. Review the token summary. Select **Edit token** to make adjustments. You can also edit a token after creation. +10. Review the token summary. Select **Edit token** to make adjustments. You can also edit a token after creation. ![Token summary screen displaying the resources and permissions selected](~/assets/images/fundamentals/api/token-summary.png) -10. Select **Create Token** to generate the token's secret. +11. Select **Create Token** to generate the token's secret. -11. Copy the secret to a secure place. +12. Copy the secret to a secure place. 
From 6d03dc8daad8c6971b802148b6fd285e50d49077 Mon Sep 17 00:00:00 2001 From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Tue, 24 Sep 2024 07:58:58 -0700 Subject: [PATCH 40/54] [Bots] ATO detections + Detection Tags/IDs in Analytics (#17054) * ato detections * Update src/content/docs/bots/concepts/detection-ids.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jun Lee * Apply suggestions from code review --------- Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> Co-authored-by: Jun Lee --- .../docs/bots/concepts/detection-ids.mdx | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/src/content/docs/bots/concepts/detection-ids.mdx b/src/content/docs/bots/concepts/detection-ids.mdx index 27213b222e7dbc..88743d3c5e46c3 100644 --- a/src/content/docs/bots/concepts/detection-ids.mdx +++ b/src/content/docs/bots/concepts/detection-ids.mdx 
@@ -22,6 +22,17 @@ You can use `cf.bot_management.detection_ids` fields in tools such as: - [Transform Rules](/rules/transform/) - [Workers](/workers/) (as `request.cf.botManagement.detectionIds`) +Bot Detection IDs and tags are also available in [Bot Analytics](/bots/bot-analytics/) and [Security Analytics](/waf/analytics/security-analytics/). + +## Detection tags + +Detection tags refer to the category associated with the detection ID at the time that Cloudflare has fingerprinted a bot. For example, if a detection tag is `go`, this means that Cloudflare has observed traffic from that detection ID from a Go programming language bot. + +:::note + +Detection tags are available in Security Analytics, but not in the Security Events. +::: + ## Bot Detection IDs via Logpush You can create or edit their existing Logpush jobs to include the new Bot Detection IDs field which will provide an array of IDs for each request that has heuristics match on it. The `BotDetectionIDs` field is available as part of the HTTP Requests dataset and you can add it to new or existing jobs via the Logpush API or on the Cloudflare dashboard. This is the primary method to discover Detection IDs. 
@@ -73,3 +84,37 @@ and not any(cf.bot_management.detection_ids[*] in {3355446 12577893}) ## Account takeover detections + +### Challenges for account takeover detections + +Cloudflare's [Managed Challenge](/waf/reference/cloudflare-challenges/) can limit brute-force attacks on your login endpoints. + +To access account takeover detections: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain. +2. Go to ***Security** > **WAF**. +3. Under **Custom Rules**, select **Create rule**. +4. Fill out the form using **Bot Detection IDs** along with other necessary information. +5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. + +```js title="Rule example" + +(any(cf.bot_management.detection_ids[*] eq 201326593)) +``` + +### Limit logins with account takeover detections + +Rate limiting rules can limit the number of logins from a particular IP, JA4 Fingerprint, or country. + +To use rate limiting rules with account takeover detections: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain. +2. Go to ***Security** > **WAF**. +3. Under **Rate limiting rules**, select **Create rule**. +4. Fill out the form using the **Custom expression builder** and `cf.bot_management_detection_ids` along with other necessary information. +5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. + +:::note +The rule can be enhanced with Leaked Credential Checks. Refer to the [WAF documentation](/waf/detections/leaked-credentials/) for more information on how to include leaked credentials and account takeover detections in a rate limiting rule. + +::: \ No newline at end of file From 9ba61ee2ced85c44dcf05d36c66e28902ef9bc3b Mon Sep 17 00:00:00 2001 
From: Luke Valenta Date: Tue, 24 Sep 2024 11:05:10 -0400 Subject: [PATCH 41/54] Update auditor-information.mdx (#17060) Fix typo in plexi docs --- src/content/docs/key-transparency/api/auditor-information.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/key-transparency/api/auditor-information.mdx b/src/content/docs/key-transparency/api/auditor-information.mdx index 7f75d18dd5499f..9df2b2275ac1a7 100644 --- a/src/content/docs/key-transparency/api/auditor-information.mdx +++ b/src/content/docs/key-transparency/api/auditor-information.mdx @@ -5,7 +5,7 @@ sidebar: order: 1 --- -The Auditor is designed to sign epoch information, which includes the time at which the request is received by the Auditor, the epoch number, and the epoch digest. The Auditor serializes this information in binary using protobuf or bincode and checks whether the requested inclusion is valid, as in not satisfies [publication constraints](/key-transparency/api/epochs/#constraints). +The Auditor is designed to sign epoch information, which includes the time at which the request is received by the Auditor, the epoch number, and the epoch digest. The Auditor serializes this information in binary using protobuf or bincode and checks whether the requested inclusion is valid, as in it satisfies [publication constraints](/key-transparency/api/epochs/#constraints). If the Log is setup to provide [AKD](https://github.com/facebook/akd) audit proof, the Auditor verifies them asynchronously. From b0c383300b6532d8f7c65982bf9f0db545eadbd1 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Tue, 24 Sep 2024 16:33:00 +0100 Subject: [PATCH 42/54] [DNS] Add info on other record types and fix formatting (#17058) * Indent to improve separation between Tabs and following ol item * Refer URI record type among others and link to blog --- src/content/docs/dns/foundation-dns/setup.mdx | 44 +++++++++---------- .../reference/dns-record-types.mdx | 8 +++- 2 files changed, 28 insertions(+), 24 deletions(-) diff --git a/src/content/docs/dns/foundation-dns/setup.mdx b/src/content/docs/dns/foundation-dns/setup.mdx index 95703d70ee5b16..509142fe01a95f 100644 --- a/src/content/docs/dns/foundation-dns/setup.mdx +++ b/src/content/docs/dns/foundation-dns/setup.mdx 
@@ -16,37 +16,37 @@ To enable advanced nameservers on an existing zone: 1. Opt for advanced nameservers on your zone: - + -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. -2. Go to **DNS** > **Records**. -3. In the **Cloudflare nameservers** card, enable **Advanced nameservers**. -4. After you refresh the page, the card will display the values for your advanced nameservers `NS` records. + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. + 2. Go to **DNS** > **Records**. + 3. In the **Cloudflare nameservers** card, enable **Advanced nameservers**. + 4. After you refresh the page, the card will display the values for your advanced nameservers `NS` records. - + -Use the [Update DNS Settings](/api/operations/dns-settings-for-a-zone-update-dns-settings) endpoint to send a PATCH request like the following: + Use the [Update DNS Settings](/api/operations/dns-settings-for-a-zone-update-dns-settings) endpoint to send a PATCH request like the following: -```bash -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ ---header "Content-Type: application/json" \ ---data '{ - "foundation_dns": true -}' -``` + ```bash + curl --request PATCH \ + "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings" \ + --header "X-Auth-Email: " \ + --header "X-Auth-Key: " \ + --header "Content-Type: application/json" \ + --data '{ + "foundation_dns": true + }' + ``` -The response body will contain your assigned namservers in the `nameservers` object. You will use these nameservers in the next step. + The response body will contain your assigned namservers in the `nameservers` object. You will use these nameservers in the next step. - + 2. Update the authoritative nameservers at your registrar. 
This step depends on whether you are using [Cloudflare Registrar](/registrar/): - If you are using Cloudflare Registrar, [contact Cloudflare Support](/support/contacting-cloudflare-support/) to have your nameservers updated. - If you are using a different registrar or if your zone is delegated to a parent zone, [manually update your nameservers](/dns/nameservers/update-nameservers/#specific-processes). -:::caution + :::caution -Make sure the values for your assigned nameservers are copied exactly. -::: + Make sure the values for your assigned nameservers are copied exactly. + ::: diff --git a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx index 769ba6e0552c78..ceb271853c88a5 100644 --- a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx @@ -26,13 +26,13 @@ These records include the following fields: * Be 63 characters or less * Start with a letter and end with a letter or digit * Only contain letters, digits, or hyphens (underscores allowed but discouraged) -* **IPv4/IPv6 address**: Your origin server address (cannot be a [Cloudflare IP](https://www.cloudflare.com/ips)) +* **IPv4/IPv6 address**: Your origin server address (cannot be a [Cloudflare IP](https://www.cloudflare.com/ips)) :::note Cloudflare uses the [canonical notation](https://www.rfc-editor.org/rfc/rfc5952.html#section-4.2) to store DNS records. This means that an `AAAA` record with content `fe80::0:0:1` is stored and returned as `fe80::1`, for example. - Alternative notations of IPv4 addresses (`1.1` for `1.0.0.1`, for example) are not supported for `A` records. + Alternative notations of IPv4 addresses (`1.1` for `1.0.0.1`, for example) are not supported for `A` records. ::: * **TTL**: Time to live, which controls how long DNS resolvers should cache a response before revalidating it. 
@@ -337,3 +337,7 @@ You only need to add NS records when you are [creating custom or vanity nameserv Most Cloudflare domains do not need to add these records and should instead follow our [DNSSEC setup guide](/dns/dnssec/). + +### Other + +Cloudflare also supports other record types that are less common, such as URI, NAPTR, and certificate-related record types (SSHFP, TLSA, SMIMEA, and CERT). Refer to our [blog post](https://blog.cloudflare.com/additional-record-types-available-with-cloudflare-dns/) for more information. \ No newline at end of file From 3bcaeb99075e9d3963aadac072edf941d36f88db Mon Sep 17 00:00:00 2001 
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 24 Sep 2024 16:46:36 +0100 Subject: [PATCH 43/54] [Docs] Fix links with broken anchors (#17059) --------- Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- src/content/changelogs/r2.yaml | 8 +- .../dynamic-dispatch-tunnel-exceptions.md | 2 +- .../no-cfbotmanagement-default.md | 2 +- .../compatibility-dates/python-workers.md | 2 +- .../cache/troubleshooting/always-online.mdx | 34 +-- .../route-traffic/warp-architecture.mdx | 2 +- .../warp/configure-warp/warp-sessions.mdx | 2 +- .../configure-warp/warp-settings/index.mdx | 2 +- .../private-net/warp-connector.mdx | 2 +- .../faq/teams-troubleshooting.mdx | 2 +- .../managed-rulesets/http/index.mdx | 10 +- src/content/docs/kv/concepts/kv-bindings.mdx | 37 ++- .../docs/kv/reference/environments.mdx | 2 +- .../connect-networks/choose-on-ramp.mdx | 8 +- .../reference/tunnel-health-checks.mdx | 14 +- src/content/docs/magic-wan/on-ramps.mdx | 3 +- .../zero-trust/cloudflare-gateway.mdx | 2 +- .../docs/magic-wan/zero-trust/warp.mdx | 2 +- .../manage-video-library/creator-id.mdx | 253 +++++++++--------- .../direct-creator-uploads.mdx | 81 +++--- .../docs/workers-ai/tutorials/index.mdx | 5 +- .../gradual-deployments.mdx | 2 +- src/content/docs/workers/examples/index.mdx | 2 +- .../docs/workers/observability/errors.mdx | 172 ++++++------ src/content/docs/workers/tutorials/index.mdx | 5 +- src/content/glossary/cloudflare-one.yaml | 2 +- .../product-limitations.mdx | 2 +- 27 files changed, 334 insertions(+), 326 deletions(-) diff --git a/src/content/changelogs/r2.yaml b/src/content/changelogs/r2.yaml index 6b6dfe446cca80..8db20a049ad2fa 100644 --- a/src/content/changelogs/r2.yaml +++ b/src/content/changelogs/r2.yaml @@ -1,5 +1,5 @@ --- -link: "/r2/reference/changelog/" +link: "/r2/platform/changelog/" productName: R2 productLink: "/r2/" productArea: Developer platform 
@@ -16,8 +16,8 @@ entries: - When an `OPTIONS` request against the public entrypoint does not include an `origin` header, an `HTTP 400` instead of an `HTTP 401` is returned. - publish_date: "2024-02-06" description: |- - - The response shape of `GET /buckets/:bucket/sippy` has changed. - - The `/buckets/:bucket/sippy/validate` endpoint is exposed over APIGW to validate Sippy's configuration. + - The response shape of `GET /buckets/:bucket/sippy` has changed. + - The `/buckets/:bucket/sippy/validate` endpoint is exposed over APIGW to validate Sippy's configuration. - The shape of the configuration object when modifying Sippy's configuration has changed. - publish_date: "2024-01-30" description: |- @@ -30,7 +30,7 @@ entries: - Sippy is available for Google Cloud Storage (GCS) beta. - publish_date: "2023-12-11" description: |- - - The `x-id` query param for `S3 ListBuckets` action is now ignored. + - The `x-id` query param for `S3 ListBuckets` action is now ignored. - The `x-id` query param is now ignored for all S3 actions. - publish_date: "2023-10-23" description: |- diff --git a/src/content/compatibility-dates/dynamic-dispatch-tunnel-exceptions.md b/src/content/compatibility-dates/dynamic-dispatch-tunnel-exceptions.md index e0e747cfb8d337..0dd4539961ec51 100644 --- a/src/content/compatibility-dates/dynamic-dispatch-tunnel-exceptions.md +++ b/src/content/compatibility-dates/dynamic-dispatch-tunnel-exceptions.md 
@@ -11,4 +11,4 @@ enable_flag: "dynamic_dispatch_tunnel_exceptions" disable_flag: "dynamic_dispatch_treat_exceptions_as_500" --- -Previously, when using Workers for Platforms' [dynamic dispatch API](/cloudflare-for-platforms/workers-for-platforms/get-started/dynamic-dispatch/) to send an HTTP request to a user Worker, if the user Worker threw an exception, the dynamic dispatch Worker would receive an HTTP `500` error with no body. When the `dynamic_dispatch_tunnel_exceptions` compatibility flag is enabled, the exception will instead propagate back to the dynamic dispatch Worker. The `fetch()` call in the dynamic dispatch Worker will throw the same exception. This matches the similar behavior of [service bindings](/workers/runtime-apis/bindings/service-bindings/#service-bindings) and [Durable Objects](/durable-objects/). \ No newline at end of file +Previously, when using Workers for Platforms' [dynamic dispatch API](/cloudflare-for-platforms/workers-for-platforms/get-started/dynamic-dispatch/) to send an HTTP request to a user Worker, if the user Worker threw an exception, the dynamic dispatch Worker would receive an HTTP `500` error with no body. When the `dynamic_dispatch_tunnel_exceptions` compatibility flag is enabled, the exception will instead propagate back to the dynamic dispatch Worker. The `fetch()` call in the dynamic dispatch Worker will throw the same exception. This matches the similar behavior of [service bindings](/workers/runtime-apis/bindings/service-bindings/) and [Durable Objects](/durable-objects/). \ No newline at end of file diff --git a/src/content/compatibility-dates/no-cfbotmanagement-default.md b/src/content/compatibility-dates/no-cfbotmanagement-default.md index 53a7f3d362d913..0cf40d5817b56c 100644 --- a/src/content/compatibility-dates/no-cfbotmanagement-default.md +++ b/src/content/compatibility-dates/no-cfbotmanagement-default.md 
@@ -14,6 +14,6 @@ disable_flag: "cf_botmanagement_default" This flag streamlines Workers requests by reducing unnecessary properties in the `request.cf` object. -With the flag enabled - either by default after 2023-08-01 or by setting the `no_cf_botmanagement_default` flag - Cloudflare will only include the [Bot Management object](/bots/reference/bot-management-variables/#bot-management-variables) in a Worker's `request.cf` if the account has access to Bot Management. +With the flag enabled - either by default after 2023-08-01 or by setting the `no_cf_botmanagement_default` flag - Cloudflare will only include the [Bot Management object](/bots/reference/bot-management-variables/) in a Worker's `request.cf` if the account has access to Bot Management. With the flag disabled, Cloudflare will include a default Bot Management object, regardless of whether the account is entitled to Bot Management. diff --git a/src/content/compatibility-dates/python-workers.md b/src/content/compatibility-dates/python-workers.md index a3a2a615c39bb9..c523e7229a9f85 100644 --- a/src/content/compatibility-dates/python-workers.md +++ b/src/content/compatibility-dates/python-workers.md 
@@ -10,4 +10,4 @@ enable_date: "2024-01-29" enable_flag: "python_workers" --- -This flag enables first class support for Python. [Python Workers](/workers/languages/python/#python) implement the majority of Python's [standard library](/workers/languages/python/stdlib), support all [bindings](/workers/runtime-apis/bindings), [environment variable](/workers/configuration/environment-variables), and [secrets](/workers/configuration/secrets), and integration with JavaScript objects and functions via a [foreign function interface](/workers/languages/python/ffi). +This flag enables first class support for Python. [Python Workers](/workers/languages/python/) implement the majority of Python's [standard library](/workers/languages/python/stdlib), support all [bindings](/workers/runtime-apis/bindings), [environment variable](/workers/configuration/environment-variables), and [secrets](/workers/configuration/secrets), and integration with JavaScript objects and functions via a [foreign function interface](/workers/languages/python/ffi). diff --git a/src/content/docs/cache/troubleshooting/always-online.mdx b/src/content/docs/cache/troubleshooting/always-online.mdx index 7ab05d315e1dab..7c141b58c8d38a 100644 --- a/src/content/docs/cache/troubleshooting/always-online.mdx +++ b/src/content/docs/cache/troubleshooting/always-online.mdx 
@@ -4,44 +4,46 @@ pcx_content_type: troubleshooting head: - tag: title content: Always Online - Troubleshooting - --- Observe the following best practices when enabling Always Online with Internet Archive integration. -* **Allow requests from the Internet Archive IP addresses.** Origin servers receive requests from the Internet Archive IPs. Make sure you are not blocking requests from the Internet Archive IP range: `207.241.224.0/20` and `208.70.24.0/21`. -* **The Internet Archive does not consider your origin server’s cache-control header.** When the Internet Archive is crawling sites, it will crawl sites regardless of their cache-control, since the Internet Archive does not cache assets, but archives them. -* **Consider potential conflicts with Cloudflare features that transform URIs.** Always Online with Internet Archive integration may cause issues with Cache Rules and other Cloudflare features that transform URIs due to the way the Internet Archive crawls pages to archive. Specifically, some redirects that take place at the edge may cause the Internet Archive's crawler not to archive the target URL. Before enabling Origin Cache Control, review [how Cloudflare caches resources by default](/cache/concepts/default-cache-behavior/) as well as any Cache Rules you have configured so that you can avoid these issues. If you experience problems, disable Always Online. -* **Do not block Known Bots or Verified Bots via a WAF custom rule.** If you block either of these bot lists, the Internet Archive will not be able to crawl. +- **Allow requests from the Internet Archive IP addresses.** Origin servers receive requests from the Internet Archive IPs. Make sure you are not blocking requests from the Internet Archive IP range: `207.241.224.0/20` and `208.70.24.0/21`. 
+- **The Internet Archive does not consider your origin server's cache-control header.** When the Internet Archive is crawling sites, it will crawl sites regardless of their cache-control, since the Internet Archive does not cache assets, but archives them. +- **Consider potential conflicts with Cloudflare features that transform URIs.** Always Online with Internet Archive integration may cause issues with Cache Rules and other Cloudflare features that transform URIs due to the way the Internet Archive crawls pages to archive. Specifically, some redirects that take place at the edge may cause the Internet Archive's crawler not to archive the target URL. Before enabling Origin Cache Control, review [how Cloudflare caches resources by default](/cache/concepts/default-cache-behavior/) as well as any Cache Rules you have configured so that you can avoid these issues. If you experience problems, disable Always Online. +- **Do not block Known Bots or Verified Bots via a WAF custom rule.** If you block either of these bot lists, the Internet Archive will not be able to crawl. Do not use Always Online with: -* API traffic. -* An [IP Access rule](/waf/tools/ip-access-rules/) or a [WAF custom rule](/waf/custom-rules/) that blocks the United States or -* Bypass Cache cache rules. Always Online ignores Bypass Cache cache rules and serves Always Online cached assets. +- API traffic. +- An [IP Access rule](/waf/tools/ip-access-rules/) or a [WAF custom rule](/waf/custom-rules/) that blocks the United States or +- Bypass Cache cache rules. Always Online ignores Bypass Cache cache rules and serves Always Online cached assets. ## Limitations There are limitations with the Always Online functionality: 1. 
Always Online is not immediately active for sites recently added due to: - * DNS record propagation, which can take 24-72 hours - * Always Online has not initially crawled the website + - DNS record propagation, which can take 24-72 hours + - Always Online has not initially crawled the website 2. Cloudflare cannot show private content behind logins or handle form submission (POSTs) if your origin web server is offline. -Always Online does not trigger for HTTP response codes such as [404](/support/troubleshooting/http-status-codes/4xx-client-error/#404-not-foundrfc7231httpstoolsietforghtmlrfc7231), [503](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-503-service-temporarily-unavailable), or [500](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-500-internal-server-error) errors such as database connection errors or internal server errors. +Always Online does not trigger for HTTP response codes such as [404](/support/troubleshooting/http-status-codes/4xx-client-error/#404-not-foundrfc7231-), [503](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-503-service-temporarily-unavailable), or [500](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-500-internal-server-error) errors such as database connection errors or internal server errors. ## Frequently asked questions 1. How can I know if a page has been crawled? - * You can go to the [Internet Archive](https://web.archive.org/) and search for the page URL to see if it has been crawled or not. - * You can also check this via the [Internet Archive Availability API](https://archive.org/help/wayback_api.php). + + - You can go to the [Internet Archive](https://web.archive.org/) and search for the page URL to see if it has been crawled or not. + - You can also check this via the [Internet Archive Availability API](https://archive.org/help/wayback_api.php). 2. 
Why were not pages x, y, and z crawled? - * Since Cloudflare only requests to crawl the most popular pages on the site, it is possible that there will be missing pages. If you really want to archive a page, then you can visit the [Internet Archive](https://web.archive.org/save) save page and ask them to crawl a particular page. + + - Since Cloudflare only requests to crawl the most popular pages on the site, it is possible that there will be missing pages. If you really want to archive a page, then you can visit the [Internet Archive](https://web.archive.org/save) save page and ask them to crawl a particular page. 3. What IP addresses do we need to allowlist to make sure crawling works? - * IP Range: `207.241.224.0/20` and `208.70.24.0/21`. Note that this ip range belongs to Internet Archive and NOT Cloudflare, since it is the Internet Archive that does the crawling. + + - IP Range: `207.241.224.0/20` and `208.70.24.0/21`. Note that this ip range belongs to Internet Archive and NOT Cloudflare, since it is the Internet Archive that does the crawling. 4. What user agent should the origin expect to see? - * Currently the Internet Archive uses: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/605.1.15`. + - Currently the Internet Archive uses: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/605.1.15`. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx index a376764f9e5be2..642ae1ed407ebb 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx 
@@ -174,7 +174,7 @@ S -- No --> U["Virtual interface
(172.16.0.2)"] --> G[Cloudflare Gateway] #### Virtual interface -Virtual interfaces allow the operating system to logically subdivide a physical interface, such as a network interface controller (NIC), into separate interfaces for the purposes of routing IP traffic. WARP's virtual interface is what maintains the WireGuard/MASQUE connection between the device and Cloudflare. By default, its IP address is hardcoded as `172.16.0.2`. You can use [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) to assign unique IPs per device. +Virtual interfaces allow the operating system to logically subdivide a physical interface, such as a network interface controller (NIC), into separate interfaces for the purposes of routing IP traffic. WARP's virtual interface is what maintains the WireGuard/MASQUE connection between the device and Cloudflare. By default, its IP address is hardcoded as `172.16.0.2`. You can use [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip-) to assign unique IPs per device. To view a list of all network interfaces on the operating system: diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx index c8d2f2b1559d59..1d9ada775b2a46 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx 
@@ -7,7 +7,7 @@ sidebar: import { Render, Badge } from "~/components"; -Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your [Access applications](#configure-warp-sessions-in-access) or as part of your [Gateway policies](#configure-warp-sessions-in-gateway). +Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your [Access applications](#configure-warp-sessions-in-access-) or as part of your [Gateway policies](#configure-warp-sessions-in-gateway). diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx index 20fe27df64bfce..f3d24f665a084e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx 
@@ -131,7 +131,7 @@ Configures the protocol used to route IP traffic from the device to Cloudflare G
 **Value**:
 - **WireGuard**: (default) Establishes a [WireGuard](https://www.wireguard.com/) connection to Cloudflare. The WARP client will encrypt traffic using a non-FIPs compliant cipher suite, `TLS_CHACHA20_POLY1305_SHA256`. When switching from MASQUE to WireGuard, users may lose Internet connectivity if their Wi-Fi network blocks the [ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) required for WireGuard to function.
-- **MASQUE** : Establishes an HTTP/3 connection to Cloudflare. To use MASQUE, [Override local interface IP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) must be `Enabled`. The WARP client will encrypt traffic using TLS 1.3 and a [FIPS 140-2](https://csrc.nist.gov/pubs/fips/140-2/upd2/final) compliant cipher suite, `TLS_AES_256_GCM_SHA384`.
+- **MASQUE** : Establishes an HTTP/3 connection to Cloudflare. To use MASQUE, [Override local interface IP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip-) must be `Enabled`. The WARP client will encrypt traffic using TLS 1.3 and a [FIPS 140-2](https://csrc.nist.gov/pubs/fips/140-2/upd2/final) compliant cipher suite, `TLS_AES_256_GCM_SHA384`.
 For more details on WireGuard versus MASQUE, refer to our [blog post](https://blog.cloudflare.com/zero-trust-warp-with-a-masque).
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx
index 71bfdd074dc56b..4f14f851976f4b 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector.mdx
@@ -81,7 +81,7 @@ All WARP Connector and WARP client devices in your Zero Trust organization have
 2. Enable **Proxy**.
 3. Enable **Warp to Warp**. This allows Cloudflare to route traffic to the CGNAT IP space.
 4. Next, go to **Settings** > **WARP Client**.
-5. Enable [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip).
+5. Enable [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip-).
 6. [Check your Split Tunnel configuration](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#3-route-private-network-ips-through-warp) and ensure that the CGNAT IP space (`100.96.0.0/12`) routes through WARP. For example, if you are using **Exclude** mode, delete `100.64.0.0/10` from the list and re-add `100.64.0.0/11` and `100.112.0.0/12`.
diff --git a/src/content/docs/cloudflare-one/faq/teams-troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/teams-troubleshooting.mdx
index f893749e33ac66..9ae984f81dbfdf 100644
--- a/src/content/docs/cloudflare-one/faq/teams-troubleshooting.mdx
+++ b/src/content/docs/cloudflare-one/faq/teams-troubleshooting.mdx
@@ -106,7 +106,7 @@ Certain web browsers (such as Chrome and Microsoft Edge) load and cache root cer
 ## I see `Access api error auth_domain_cannot_be_updated_dash_sso`.
-This error appears if you try to change your [team domain](/cloudflare-one/faq/teams-getting-started-faq/#whats-a-team-domain/team-name) while the [Cloudflare dashboard SSO](/cloudflare-one/applications/configure-apps/dash-sso-apps/) feature is enabled on your account.
+This error appears if you try to change your [team domain](/cloudflare-one/faq/teams-getting-started-faq/#whats-a-team-domainteam-name) while the [Cloudflare dashboard SSO](/cloudflare-one/applications/configure-apps/dash-sso-apps/) feature is enabled on your account.
 Cloudflare dashboard SSO does not currently support team domain changes. Contact your account team for more details.
 ## WARP on Linux shows `DNS connectivity check failed`.
diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/index.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/index.mdx
index c44da38a21ba96..f4666835f1e048 100644
--- a/src/content/docs/ddos-protection/managed-rulesets/http/index.mdx
+++ b/src/content/docs/ddos-protection/managed-rulesets/http/index.mdx
@@ -29,6 +29,7 @@ You can adjust the behavior of the rules in the managed ruleset by modifying the
 - Certain actions or sensitivity levels may not be available to all Cloudflare plans.
 - Currently, you can only define account-level configurations (or overrides) for the HTTP DDoS Attack Protection managed ruleset via API.
+
 :::
 To adjust rule behavior, do one of the following:
@@ -43,18 +44,17 @@ For more information on the available configuration parameters, refer to [Manage
 Cloudflare HTTP DDoS Protection can also initiate mitigation based on the origin health. Floods of requests that cause a high number of zone errors (default sensitivity level is 1,000 errors per second) can initiate mitigation to alleviate the strain on the zone.
-| Rule ID | Description |
-| --- | --- |
+| Rule ID | Description |
+| ---------------------------------- | ----------------------------------------------------- |
 | `dd42da7baabe4e518eaf11c393596a9d` | HTTP requests causing a high number of origin errors. |
 :::note
-
-This rule is available for zones on any plan.
+This rule is available for zones on any plan.
 :::
 The rule is adaptive for zones on the Pro, Business, or Enterprise plan. It performs an additional check for better detection accuracy: the errors-per-second rate must also be at least five times the normal traffic levels.
-All HTTP errors in the 52x range (Internal Server Error) and all errors in the 53x range excluding [530](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#530error) are considered when factoring in the error rate.
+All HTTP errors in the 52x range (Internal Server Error) and all errors in the 53x range excluding [530](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-530) are considered when factoring in the error rate.
 ## Availability
diff --git a/src/content/docs/kv/concepts/kv-bindings.mdx b/src/content/docs/kv/concepts/kv-bindings.mdx
index 11e6f78d02c27b..8d83ffddf2cb88 100644
--- a/src/content/docs/kv/concepts/kv-bindings.mdx
+++ b/src/content/docs/kv/concepts/kv-bindings.mdx
@@ -3,12 +3,11 @@ pcx_content_type: concept
 title: KV bindings
 sidebar:
 order: 7
-
 ---
 KV [bindings](/workers/runtime-apis/bindings/) allow for communication between a Worker and a KV namespace.
-Configure KV bindings in the [wrangler.toml file](/workers/wrangler/configuration/#configure-wranglertoml).
+Configure KV bindings in the [wrangler.toml file](/workers/wrangler/configuration/).
 ## Access KV from Workers
@@ -38,14 +37,14 @@ With this, the deployed Worker will have a `TODO` field in their environment obj
 ```js
 export default {
- async fetch(request, env, ctx) {
- // Get the value for the "to-do:123" key
- // NOTE: Relies on the `TODO` KV binding that maps to the "My Tasks" namespace.
- let value = await env.TODO.get("to-do:123");
-
- // Return the value, as is, for the Response
- return new Response(value);
- },
+ async fetch(request, env, ctx) {
+ // Get the value for the "to-do:123" key
+ // NOTE: Relies on the `TODO` KV binding that maps to the "My Tasks" namespace.
+ let value = await env.TODO.get("to-do:123");
+
+ // Return the value, as is, for the Response
+ return new Response(value);
+ },
 };
 ```
@@ -73,14 +72,14 @@ An example might look like:
 ```js
 export class DurableObject {
- constructor(state, env) {
- this.state = state;
- this.env = env;
- }
-
- async fetch(request) {
- const valueFromKV = await this.env.NAMESPACE.get("someKey");
- return new Response(valueFromKV);
- }
+ constructor(state, env) {
+ this.state = state;
+ this.env = env;
+ }
+
+ async fetch(request) {
+ const valueFromKV = await this.env.NAMESPACE.get("someKey");
+ return new Response(valueFromKV);
+ }
 }
 ```
diff --git a/src/content/docs/kv/reference/environments.mdx b/src/content/docs/kv/reference/environments.mdx
index 906daeb09e5e53..780990cc4aa8a5 100644
--- a/src/content/docs/kv/reference/environments.mdx
+++ b/src/content/docs/kv/reference/environments.mdx
@@ -5,7 +5,7 @@ sidebar:
 order: 3
 ---
-KV namespaces can be used with [environments](/workers/wrangler/environments/#environments). This is useful when you have code in your Worker that refers to a KV binding like `MY_KV`, and you want to have these bindings point to different KV namespaces (for example, one for staging and one for production).
+KV namespaces can be used with [environments](/workers/wrangler/environments/). This is useful when you have code in your Worker that refers to a KV binding like `MY_KV`, and you want to have these bindings point to different KV namespaces (for example, one for staging and one for production).
 The following code in the `wrangler.toml` file shows you how to have two environments that have two different KV namespaces but the same binding name:
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx
index 794ae5fe785436..a88d79f549d745 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx
@@ -3,16 +3,15 @@ title: Choose an on-ramp
 pcx_content_type: learning-unit
 sidebar:
 order: 2
-
 ---
-import { GlossaryDefinition, GlossaryTooltip, Badge } from "~/components"
+import { GlossaryDefinition, GlossaryTooltip, Badge } from "~/components";
 Similar to the network onboarding practices in the [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. In our recommended approach to security, you will source traffic from devices that would otherwise go to the Internet through a default route. Relevant targets for this may be branch offices, network subnets that need a secure path to the Internet, or anywhere that you control the Internet paths for groups of devices.
 ## Available on-ramps
-The primary ways to source multi-device or network traffic to the Cloudflare network are via the [WARP Connector](#warp-connector) as an all-ports traffic proxy, or via upstream DNS for a whole network using [DNS filtering locations](#dns-filtering-locations). Alternatively, Enterprise users can add [Magic WAN](#magic-wan) to their plan and configure Magic WAN Connector or a dedicated third-party device.
+The primary ways to source multi-device or network traffic to the Cloudflare network are via the [WARP Connector](#warp-connector-) as an all-ports traffic proxy, or via upstream DNS for a whole network using [DNS filtering locations](#dns-filtering-locations). Alternatively, Enterprise users can add [Magic WAN](#magic-wan) to their plan and configure Magic WAN Connector or a dedicated third-party device.
 ### WARP Connector
@@ -33,11 +32,10 @@ For more information on setting up DNS locations, refer to [Add locations](/clou
 ### Magic WAN
 :::note
-
 Only available on Enterprise plans.
 :::
-[Magic WAN](/magic-wan/) is Cloudflare's offering most analogous to a traditional SD-WAN. Magic WAN is typically deployed via an IPSec or GRE tunnel terminating on customer devices (such as firewalls or routers), or via our Magic WAN Connector hardware device. You can also be deploy Magic WAN using [Cloudflare Network Interconnect](/network-interconnect/) (CNI) at private peering locations or some public cloud instances (where compatible).
+[Magic WAN](/magic-wan/) is Cloudflare's offering most analogous to a traditional SD-WAN. Magic WAN is typically deployed via an IPsec or GRE tunnel terminating on customer devices (such as firewalls or routers), or via our Magic WAN Connector hardware device. You can also be deploy Magic WAN using [Cloudflare Network Interconnect](/network-interconnect/) (CNI) at private peering locations or some public cloud instances (where compatible).
 Magic WAN on-ramps and off-ramps traffic via your connections after transiting the Cloudflare global network. Gateway can also apply network and HTTP policies to this traffic for secure egress.
diff --git a/src/content/docs/magic-transit/reference/tunnel-health-checks.mdx b/src/content/docs/magic-transit/reference/tunnel-health-checks.mdx
index 6518ad70a95604..37b21fa9f50458 100644
--- a/src/content/docs/magic-transit/reference/tunnel-health-checks.mdx
+++ b/src/content/docs/magic-transit/reference/tunnel-health-checks.mdx
@@ -4,9 +4,17 @@ pcx_content_type: concept
 head: []
 description: Magic Transit uses probes to check for tunnel health. Review information on this page to learn more.
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
- +
diff --git a/src/content/docs/magic-wan/on-ramps.mdx b/src/content/docs/magic-wan/on-ramps.mdx
index 658a37048acc30..98d4c249c98bed 100644
--- a/src/content/docs/magic-wan/on-ramps.mdx
+++ b/src/content/docs/magic-wan/on-ramps.mdx
@@ -3,7 +3,6 @@ title: On-ramps
 pcx_content_type: reference
 sidebar:
 order: 4
-
 ---
 To on-ramp your network traffic to Magic WAN, you can use [Magic WAN Connector](/magic-wan/configuration/connector/), a lightweight software package you can install in corporate network locations to automatically connect, steer, and shape any IP traffic.
@@ -13,7 +12,7 @@ You can also use any device that supports [GRE or IPsec](/magic-wan/configuratio
 Additional compatible on-ramps include:
 - [Cloudflare Network Interconnect (CNI)](/magic-wan/network-interconnect/): Connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience.
-- [Cloudflare Tunnel](/magic-wan/zero-trust/cloudflare-tunnel/#cloudflare-tunnel): Magic WAN can be used together with Cloudflare Tunnel for easy access between your networks and applications.
+- [Cloudflare Tunnel](/magic-wan/zero-trust/cloudflare-tunnel/): Magic WAN can be used together with Cloudflare Tunnel for easy access between your networks and applications.
 - [WARP](/cloudflare-one/connections/connect-devices/warp/): Protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s global network, where Cloudflare Gateway can apply advanced web filtering.
 - [Magic Cloud Networking](/magic-wan/configuration/magic-cloud-networking/): Automatically create on-ramps from your cloud networks to Magic WAN.
 - [Network on-ramp partnerships](https://www.cloudflare.com/network-onramp-partners/): Refer to our [third-party integration tutorials](/magic-wan/configuration/manually/third-party/) for guidance on configuring the most asked for third-party products.
diff --git a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx
index ffe1d633e38a7c..18e33c619059dc 100644
--- a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx
+++ b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx
@@ -45,7 +45,7 @@ This traffic will egress from Cloudflare according to the [egress policies](/clo
 ## Private traffic
-By default, TCP, UDP, and ICMP traffic routed through Magic WAN tunnels and destined to routes behind [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/#cloudflare-tunnel) will be proxied/filtered through Cloudflare Gateway.
+By default, TCP, UDP, and ICMP traffic routed through Magic WAN tunnels and destined to routes behind [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) will be proxied/filtered through Cloudflare Gateway.
 Contact your account team to enable Gateway filtering for traffic destined to routes behind Magic WAN tunnels. If enabled, by default, TCP and UDP traffic sourced from and destined to [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918) space, [WARP](/cloudflare-one/connections/connect-devices/warp/), or [BYO](/byoip/) or [Leased IPs](/magic-transit/cloudflare-ips/) with source port higher than `1023` and destination port lower than `1024` will be proxied/filtered by Cloudflare Gateway.
diff --git a/src/content/docs/magic-wan/zero-trust/warp.mdx b/src/content/docs/magic-wan/zero-trust/warp.mdx
index d45796c2b40720..5feaa6e733a15d 100644
--- a/src/content/docs/magic-wan/zero-trust/warp.mdx
+++ b/src/content/docs/magic-wan/zero-trust/warp.mdx
@@ -57,7 +57,7 @@ You must log out and log back in with at least one WARP device to ensure the con
 ## Test WARP integration
-Before testing, be sure to [configure domain fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/#configure-local-domain-fallback) for the server or service in WARP settings. This is needed because by default Cloudflare Zero Trust excludes common top level domains used for local resolution from being sent to Gateway for processing.
+Before testing, be sure to [configure domain fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/#add-a-domain) for the server or service in WARP settings. This is needed because by default Cloudflare Zero Trust excludes common top level domains used for local resolution from being sent to Gateway for processing.
 If WARP integration has been enabled for the account within the last day, log off and on again in the WARP client before testing.
diff --git a/src/content/docs/stream/manage-video-library/creator-id.mdx b/src/content/docs/stream/manage-video-library/creator-id.mdx
index 02d4ede48d8a03..9bb8b1e10e3a3c 100644
--- a/src/content/docs/stream/manage-video-library/creator-id.mdx
+++ b/src/content/docs/stream/manage-video-library/creator-id.mdx
@@ -1,7 +1,6 @@
 ---
 pcx_content_type: how-to
 title: Manage creators
-
 ---
 You can set the creator field with an internal user ID at the time a tokenized upload URL is requested. When the video is uploaded, the creator property is automatically set to the internal user ID which can be used for analytics data or when searching for videos by a specific creator.
@@ -21,57 +20,55 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/copy" \
 ```json null {35}
 {
- "success": true,
- "errors": [],
- "messages": [],
- "result": {
- "allowedOrigins": [
- "example.com"
- ],
- "created": "2014-01-02T02:20:00Z",
- "duration": 300,
- "input": {
- "height": 1080,
- "width": 1920
- },
- "maxDurationSeconds": 300,
- "meta": {},
- "modified": "2014-01-02T02:20:00Z",
- "uploadExpiry": "2014-01-02T02:20:00Z",
- "playback": {
- "hls": "https://customer-f33zs165nr7gyfy4.cloudflarestream.com/6b9e68b07dfee8cc2d116e4c51d6a957/manifest/video.m3u8",
- "dash": "https://customer-f33zs165nr7gyfy4.cloudflarestream.com/6b9e68b07dfee8cc2d116e4c51d6a957/manifest/video.mpd"
- },
- "preview": "https://customer-f33zs165nr7gyfy4.cloudflarestream.com/6b9e68b07dfee8cc2d116e4c51d6a957/watch",
- "readyToStream": true,
- "requireSignedURLs": true,
- "size": 4190963,
- "status": {
- "state": "ready",
- "pctComplete": "100.000000",
- "errorReasonCode": "",
- "errorReasonText": ""
- },
- "thumbnail": "https://customer-f33zs165nr7gyfy4.cloudflarestream.com/6b9e68b07dfee8cc2d116e4c51d6a957/thumbnails/thumbnail.jpg",
- "thumbnailTimestampPct": 0.529241,
- "creator": "",
- "uid": "6b9e68b07dfee8cc2d116e4c51d6a957",
- "liveInput": "fc0a8dc887b16759bfd9ad922230a014",
- "uploaded": "2014-01-02T02:20:00Z",
- "watermark": {
- "uid": "6b9e68b07dfee8cc2d116e4c51d6a957",
- "size": 29472,
- "height": 600,
- "width": 400,
- "created": "2014-01-02T02:20:00Z",
- "downloadedFrom": "https://company.com/logo.png",
- "name": "Marketing Videos",
- "opacity": 0.75,
- "padding": 0.1,
- "scale": 0.1,
- "position": "center"
- }
- }
+ "success": true,
+ "errors": [],
+ "messages": [],
+ "result": {
+ "allowedOrigins": ["example.com"],
+ "created": "2014-01-02T02:20:00Z",
+ "duration": 300,
+ "input": {
+ "height": 1080,
+ "width": 1920
+ },
+ "maxDurationSeconds": 300,
+ "meta": {},
+ "modified": "2014-01-02T02:20:00Z",
+ "uploadExpiry": "2014-01-02T02:20:00Z",
+ "playback": {
+ "hls": "https://customer-f33zs165nr7gyfy4.cloudflarestream.com/6b9e68b07dfee8cc2d116e4c51d6a957/manifest/video.m3u8",
+ "dash": "https://customer-f33zs165nr7gyfy4.cloudflarestream.com/6b9e68b07dfee8cc2d116e4c51d6a957/manifest/video.mpd"
+ },
+ "preview": "https://customer-f33zs165nr7gyfy4.cloudflarestream.com/6b9e68b07dfee8cc2d116e4c51d6a957/watch",
+ "readyToStream": true,
+ "requireSignedURLs": true,
+ "size": 4190963,
+ "status": {
+ "state": "ready",
+ "pctComplete": "100.000000",
+ "errorReasonCode": "",
+ "errorReasonText": ""
+ },
+ "thumbnail": "https://customer-f33zs165nr7gyfy4.cloudflarestream.com/6b9e68b07dfee8cc2d116e4c51d6a957/thumbnails/thumbnail.jpg",
+ "thumbnailTimestampPct": 0.529241,
+ "creator": "",
+ "uid": "6b9e68b07dfee8cc2d116e4c51d6a957",
+ "liveInput": "fc0a8dc887b16759bfd9ad922230a014",
+ "uploaded": "2014-01-02T02:20:00Z",
+ "watermark": {
+ "uid": "6b9e68b07dfee8cc2d116e4c51d6a957",
+ "size": 29472,
+ "height": 600,
+ "width": 400,
+ "created": "2014-01-02T02:20:00Z",
+ "downloadedFrom": "https://company.com/logo.png",
+ "name": "Marketing Videos",
+ "opacity": 0.75,
+ "padding": 0.1,
+ "scale": 0.1,
+ "position": "center"
+ }
+ }
 }
 ```
@@ -114,27 +111,27 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/direct_u
 ```json null {8}
 {
- "success": true,
- "errors": [],
- "messages": [],
- "result": {
- "uploadURL": "www.example.com/samplepath",
- "uid": "ea95132c15732412d22c1476fa83f27a",
- "creator": "",
- "watermark": {
- "uid": "ea95132c15732412d22c1476fa83f27a",
- "size": 29472,
- "height": 600,
- "width": 400,
- "created": "2014-01-02T02:20:00Z",
- "downloadedFrom": "https://company.com/logo.png",
- "name": "Marketing Videos",
- "opacity": 0.75,
- "padding": 0.1,
- "scale": 0.1,
- "position": "center"
- }
- }
+ "success": true,
+ "errors": [],
+ "messages": [],
+ "result": {
+ "uploadURL": "www.example.com/samplepath",
+ "uid": "ea95132c15732412d22c1476fa83f27a",
+ "creator": "",
+ "watermark": {
+ "uid": "ea95132c15732412d22c1476fa83f27a",
+ "size": 29472,
+ "height": 600,
+ "width": 400,
+ "created": "2014-01-02T02:20:00Z",
+ "downloadedFrom": "https://company.com/logo.png",
+ "name": "Marketing Videos",
+ "opacity": 0.75,
+ "padding": 0.1,
+ "scale": 0.1,
+ "position": "center"
+ }
+ }
 }
 ```
@@ -149,67 +146,65 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/stream?after=20
 ```json null {36}
 {
- "success": true,
- "errors": [],
- "messages": [],
- "result": [
- {
- "allowedOrigins": [
- "example.com"
- ],
- "created": "2014-01-02T02:20:00Z",
- "duration": 300,
- "input": {
- "height": 1080,
- "width": 1920
- },
- "maxDurationSeconds": 300,
- "meta": {},
- "modified": "2014-01-02T02:20:00Z",
- "uploadExpiry": "2014-01-02T02:20:00Z",
- "playback": {
- "hls": "https://customer-.cloudflarestream.com/ea95132c15732412d22c1476fa83f27a/manifest/video.m3u8",
- "dash": "https://customer-.cloudflarestream.com/ea95132c15732412d22c1476fa83f27a/manifest/video.mpd"
- },
- "preview": "https://customer-.cloudflarestream.com/ea95132c15732412d22c1476fa83f27a/watch",
- "readyToStream": true,
- "requireSignedURLs": true,
- "size": 4190963,
- "status": {
- "state": "ready",
- "pctComplete": "100.000000",
- "errorReasonCode": "",
- "errorReasonText": ""
- },
- "thumbnail": "https://customer-.cloudflarestream.com/ea95132c15732412d22c1476fa83f27a/thumbnails/thumbnail.jpg",
- "thumbnailTimestampPct": 0.529241,
- "creator": "some-creator-id",
- "uid": "ea95132c15732412d22c1476fa83f27a",
- "liveInput": "fc0a8dc887b16759bfd9ad922230a014",
- "uploaded": "2014-01-02T02:20:00Z",
- "watermark": {
- "uid": "ea95132c15732412d22c1476fa83f27a",
- "size": 29472,
- "height": 600,
- "width": 400,
- "created": "2014-01-02T02:20:00Z",
- "downloadedFrom": "https://company.com/logo.png",
- "name": "Marketing Videos",
- "opacity": 0.75,
- "padding": 0.1,
- "scale": 0.1,
- "position": "center"
- }
- }
- ],
- "total": "35586",
- "range": "1000"
+ "success": true,
+ "errors": [],
+ "messages": [],
+ "result": [
+ {
+ "allowedOrigins": ["example.com"],
+ "created": "2014-01-02T02:20:00Z",
+ "duration": 300,
+ "input": {
+ "height": 1080,
+ "width": 1920
+ },
+ "maxDurationSeconds": 300,
+ "meta": {},
+ "modified": "2014-01-02T02:20:00Z",
+ "uploadExpiry": "2014-01-02T02:20:00Z",
+ "playback": {
+ "hls": "https://customer-.cloudflarestream.com/ea95132c15732412d22c1476fa83f27a/manifest/video.m3u8",
+ "dash": "https://customer-.cloudflarestream.com/ea95132c15732412d22c1476fa83f27a/manifest/video.mpd"
+ },
+ "preview": "https://customer-.cloudflarestream.com/ea95132c15732412d22c1476fa83f27a/watch",
+ "readyToStream": true,
+ "requireSignedURLs": true,
+ "size": 4190963,
+ "status": {
+ "state": "ready",
+ "pctComplete": "100.000000",
+ "errorReasonCode": "",
+ "errorReasonText": ""
+ },
+ "thumbnail": "https://customer-.cloudflarestream.com/ea95132c15732412d22c1476fa83f27a/thumbnails/thumbnail.jpg",
+ "thumbnailTimestampPct": 0.529241,
+ "creator": "some-creator-id",
+ "uid": "ea95132c15732412d22c1476fa83f27a",
+ "liveInput": "fc0a8dc887b16759bfd9ad922230a014",
+ "uploaded": "2014-01-02T02:20:00Z",
+ "watermark": {
+ "uid": "ea95132c15732412d22c1476fa83f27a",
+ "size": 29472,
+ "height": 600,
+ "width": 400,
+ "created": "2014-01-02T02:20:00Z",
+ "downloadedFrom": "https://company.com/logo.png",
+ "name": "Marketing Videos",
+ "opacity": 0.75,
+ "padding": 0.1,
+ "scale": 0.1,
+ "position": "center"
+ }
+ }
+ ],
+ "total": "35586",
+ "range": "1000"
 }
 ```
 ## tus
-Add the Creator ID via the `Upload-Creator` header. For more information, refer to [Using tus](/stream/uploading-videos/direct-creator-uploads/#advanced-upload-flow-using-tus-for-large-videos).
+Add the Creator ID via the `Upload-Creator` header. For more information, refer to [Resumable and large files (tus)](/stream/uploading-videos/resumable-uploads/#set-creator-property).
 ## Query by Creator ID with GraphQL
diff --git a/src/content/docs/stream/uploading-videos/direct-creator-uploads.mdx b/src/content/docs/stream/uploading-videos/direct-creator-uploads.mdx
index df8460df3cf698..6488392ed50084 100644
--- a/src/content/docs/stream/uploading-videos/direct-creator-uploads.mdx
+++ b/src/content/docs/stream/uploading-videos/direct-creator-uploads.mdx
@@ -17,7 +17,7 @@ In either case, you must specify a maximum duration to reserve for the user's up
 Use this option if your users upload videos under 200 MB, and you do not need to allow resumable uploads.
-1. Generate a unique, one-time upload URL using the [Direct upload API](/api/operations/stream-videos-upload-videos-via-direct-upload-ur-ls).
+1. Generate a unique, one-time upload URL using the [Direct upload API](/api/operations/stream-videos-upload-videos-via-direct-upload-ur-ls).
 ```sh title="Generate upload"
 curl https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/direct_upload \
@@ -31,13 +31,13 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/direct_up
 ```json output {3}
 {
- "result": {
- "uploadURL": "https://upload.videodelivery.net/f65014bc6ff5419ea86e7972a047ba22",
- "uid": "f65014bc6ff5419ea86e7972a047ba22"
- },
- "success": true,
- "errors": [],
- "messages": []
+ "result": {
+ "uploadURL": "https://upload.videodelivery.net/f65014bc6ff5419ea86e7972a047ba22",
+ "uid": "f65014bc6ff5419ea86e7972a047ba22"
+ },
+ "success": true,
+ "errors": [],
+ "messages": []
 }
 ```
@@ -45,7 +45,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/direct_up
 {/* */}
-```bash {3} title="Upload a video to the unique one-time upload URL"
+```bash {3} title="Upload a video to the unique one-time upload URL"
 curl --request POST \
 --form file=@/Users/mickie/Downloads/example_video.mp4 \
 https://upload.videodelivery.net/f65014bc6ff5419ea86e7972a047ba22
@@ -67,23 +67,23 @@ export async function onRequest(context) {
 const endpoint = `https://api.cloudflare.com/client/v4/accounts/${CLOUDFLARE_ACCOUNT_ID}/stream?direct_user=true`;
 const response = await fetch(endpoint, {
- method: 'POST',
+ method: "POST",
 headers: {
- 'Authorization': `bearer ${CLOUDFLARE_API_TOKEN}`,
- 'Tus-Resumable': '1.0.0',
- 'Upload-Length': request.headers.get('Upload-Length'),
- 'Upload-Metadata': request.headers.get('Upload-Metadata'),
+ Authorization: `bearer ${CLOUDFLARE_API_TOKEN}`,
+ "Tus-Resumable": "1.0.0",
+ "Upload-Length": request.headers.get("Upload-Length"),
+ "Upload-Metadata": request.headers.get("Upload-Metadata"),
 },
 });
- const destination = response.headers.get('Location');
+ const destination = response.headers.get("Location");
 return new Response(null, {
 headers: {
- 'Access-Control-Expose-Headers': 'Location',
- 'Access-Control-Allow-Headers': '*',
- 'Access-Control-Allow-Origin': '*',
- 'Location': destination,
+ "Access-Control-Expose-Headers": "Location",
+ "Access-Control-Allow-Headers": "*",
+ "Access-Control-Allow-Origin": "*",
+ Location: destination,
 },
 });
 }
@@ -94,12 +94,17 @@ export async function onRequest(context) {
 ```html {35} title="Upload a video using the uppy tus client"
- +

- +
@@ -109,15 +114,15 @@ export async function onRequest(context) {
 Tus,
 DragDrop,
 ProgressBar,
- } from 'https://releases.transloadit.com/uppy/v3.0.1/uppy.min.mjs';
+ } from "https://releases.transloadit.com/uppy/v3.0.1/uppy.min.mjs";
 const uppy = new Uppy({ debug: true, autoProceed: true });
- const onUploadSuccess = el => (file, response) => {
- const li = document.createElement('li');
- const a = document.createElement('a');
+ const onUploadSuccess = (el) => (file, response) => {
+ const li = document.createElement("li");
+ const a = document.createElement("a");
 a.href = response.uploadURL;
- a.target = '_blank';
+ a.target = "_blank";
 a.appendChild(document.createTextNode(file.name));
 li.appendChild(a);
@@ -125,25 +130,31 @@ export async function onRequest(context) { }; uppy - .use(DragDrop, { target: '#drag-drop-area' }) - .use(Tus, { endpoint: '/api/get-upload-url', chunkSize: 150 * 1024 * 1024 }) - .use(ProgressBar, { target: '.for-ProgressBar', hideAfterFinish: false }) - .on('upload-success', onUploadSuccess('.uploaded-files ol')); - - const uploadBtn = document.querySelector('button.upload-button'); - uploadBtn.addEventListener('click', () => uppy.upload()); + .use(DragDrop, { target: "#drag-drop-area" }) + .use(Tus, { + endpoint: "/api/get-upload-url", + chunkSize: 150 * 1024 * 1024, + }) + .use(ProgressBar, { + target: ".for-ProgressBar", + hideAfterFinish: false, + }) + .on("upload-success", onUploadSuccess(".uploaded-files ol")); + + const uploadBtn = document.querySelector("button.upload-button"); + uploadBtn.addEventListener("click", () => uppy.upload()); ``` -For more details on using tus and example client code, refer to [Resumable uploads with tus](/stream/uploading-videos/upload-video-file/#resumable-uploads-with-tus-for-large-files). +For more details on using tus and example client code, refer to [Resumable and large files (tus)](/stream/uploading-videos/resumable-uploads/). ## Upload-Metadata header syntax You can apply the [same constraints](/api/operations/stream-videos-upload-videos-via-direct-upload-ur-ls) as Direct Creator Upload via basic upload when using tus. To do so, you must pass the `expiry` and `maxDurationSeconds` as part of the `Upload-Metadata` request header as part of the first request (made by the Worker in the example above.) The `Upload-Metadata` values are ignored from subsequent requests that do the actual file upload. -The `Upload-Metadata` header should contain key-value pairs. The keys are text and the values should be encoded in base64. Separate the key and values by a space, *not* an equal sign. To join multiple key-value pairs, include a comma with no additional spaces. 
+The `Upload-Metadata` header should contain key-value pairs. The keys are text and the values should be encoded in base64. Separate the key and values by a space, _not_ an equal sign. To join multiple key-value pairs, include a comma with no additional spaces. In the example below, the `Upload-Metadata` header is instructing Stream to only accept uploads with max video duration of 10 minutes, uploaded prior to the expiry timestamp, and to make this video private: diff --git a/src/content/docs/workers-ai/tutorials/index.mdx b/src/content/docs/workers-ai/tutorials/index.mdx index bc7f7e55681150..50376b9ddb723a 100644 --- a/src/content/docs/workers-ai/tutorials/index.mdx +++ b/src/content/docs/workers-ai/tutorials/index.mdx @@ -4,13 +4,12 @@ title: Tutorials hideChildren: true sidebar: order: 5 - --- -import { GlossaryTooltip, ListTutorials } from "~/components" +import { GlossaryTooltip, ListTutorials } from "~/components"; :::note -[Explore our community-written tutorials contributed through the Developer Spotlight program.](/developer-spotlight/#developer-spotlight-program) +[Explore our community-written tutorials contributed through the Developer Spotlight program.](/developer-spotlight/) ::: View tutorials to help you get started with Workers AI. diff --git a/src/content/docs/workers/configuration/versions-and-deployments/gradual-deployments.mdx b/src/content/docs/workers/configuration/versions-and-deployments/gradual-deployments.mdx index 904e8685239290..2c6238874fdae5 100644 --- a/src/content/docs/workers/configuration/versions-and-deployments/gradual-deployments.mdx +++ b/src/content/docs/workers/configuration/versions-and-deployments/gradual-deployments.mdx 
@@ -157,7 +157,7 @@ curl -s https://$SCRIPT_NAME.$SUBDOMAIN.workers.dev -H 'Cloudflare-Workers-Versi The dictionary can contain multiple key-value pairs. Each key indicates the name of the Worker the override should be applied to. The value indicates the version ID that should be used and must be a [String](https://www.rfc-editor.org/rfc/rfc8941#name-strings). -A version override will only be applied if the specified version is in the current deployment. The versions in the current deployment can be found using the [`wrangler deployments list`](/workers/wrangler/commands/#list#TODO) command or on the [Workers Dashboard](https://dash.cloudflare.com/?to=/:account/workers) under Worker > Deployments > Active Deployment. +A version override will only be applied if the specified version is in the current deployment. The versions in the current deployment can be found using the [`wrangler deployments list`](/workers/wrangler/commands/#list-6) command or on the [Workers Dashboard](https://dash.cloudflare.com/?to=/:account/workers) under Worker > Deployments > Active Deployment. :::note[Verifying that the version override was applied] diff --git a/src/content/docs/workers/examples/index.mdx b/src/content/docs/workers/examples/index.mdx index c0392ea341dfc7..d9d3b9628e6026 100644 --- a/src/content/docs/workers/examples/index.mdx +++ b/src/content/docs/workers/examples/index.mdx @@ -10,7 +10,7 @@ sidebar: import { GlossaryTooltip, ListExamples } from "~/components"; :::note -[Explore our community-written tutorials contributed through the Developer Spotlight program.](/developer-spotlight/#developer-spotlight-program) +[Explore our community-written tutorials contributed through the Developer Spotlight program.](/developer-spotlight/) ::: Explore the following examples for Workers. diff --git a/src/content/docs/workers/observability/errors.mdx b/src/content/docs/workers/observability/errors.mdx index 321e299080bd7e..13ac47b80d3558 100644 
--- a/src/content/docs/workers/observability/errors.mdx +++ b/src/content/docs/workers/observability/errors.mdx @@ -3,10 +3,9 @@ pcx_content_type: concept title: Errors and exceptions head: [] description: Review Workers errors and exceptions. - --- -import { TabItem, Tabs } from "~/components" +import { TabItem, Tabs } from "~/components"; Review Workers errors and exceptions. @@ -31,7 +30,7 @@ Other `11xx` errors generally indicate a problem with the Workers runtime itself ### Loop limit -A Worker cannot call itself or another Worker more than 16 times. In order to prevent infinite loops between Workers, the [`CF-EW-Via`](/fundamentals/reference/http-request-headers/#cf-ew-via) header's value is an integer that indicates how many invocations are left. Every time a Worker is invoked, the integer will decrement by 1. If the count reaches zero, a [`1019`](#error-pages-generated-by-workers) error is returned. +A Worker cannot call itself or another Worker more than 16 times. In order to prevent infinite loops between Workers, the [`CF-EW-Via`](/fundamentals/reference/http-request-headers/#cf-ew-via) header's value is an integer that indicates how many invocations are left. Every time a Worker is invoked, the integer will decrement by 1. If the count reaches zero, a [`1019`](#error-pages-generated-by-workers) error is returned. ### "The script will never generate a response" errors 
@@ -47,17 +46,17 @@ In the example below, the Response relies on a Promise resolution that never hap ```js null {9} export default { - fetch(req) { - let response = new Response("Example response"); - let { promise, resolve } = Promise.withResolvers(); + fetch(req) { + let response = new Response("Example response"); + let { promise, resolve } = Promise.withResolvers(); - // If the promise is not resolved, the Workers runtime will - // recognize this and throw an error. + // If the promise is not resolved, the Workers runtime will + // recognize this and throw an error. - // setTimeout(resolve, 0) + // setTimeout(resolve, 0) - return promise.then(() => response); - }, + return promise.then(() => response); + }, }; ``` @@ -67,21 +66,20 @@ If a WebSocket is missing the proper code to close its server-side connection, t ```js null {10} async function handleRequest(request) { - let webSocketPair = new WebSocketPair(); - let [client, server] = Object.values(webSocketPair); - server.accept(); - - server.addEventListener('close', () => { - // This missing line would keep a WebSocket connection open indefinitely - // and results in "The script will never generate a response" errors - - // server.close(); - }); - - return new Response(null, { - status: 101, - webSocket: client, - }); + let webSocketPair = new WebSocketPair(); + let [client, server] = Object.values(webSocketPair); + server.accept(); + + server.addEventListener("close", () => { + // This missing line would keep a WebSocket connection open indefinitely + // and results in "The script will never generate a response" errors + // server.close(); + }); + + return new Response(null, { + status: 101, + webSocket: client, + }); } ``` 
@@ -99,15 +97,15 @@ The following code will error: ```js export default { - async fetch(request, env, ctx) { - // destructuring ctx makes waitUntil lose its 'this' reference - const { waitUntil } = ctx; - // waitUntil errors, as it has no 'this' - waitUntil(somePromise); - - return fetch(request); - } -} + async fetch(request, env, ctx) { + // destructuring ctx makes waitUntil lose its 'this' reference + const { waitUntil } = ctx; + // waitUntil errors, as it has no 'this' + waitUntil(somePromise); + + return fetch(request); + }, +}; ``` Avoid destructuring or re-bind the function to the original context to avoid the error. @@ -116,20 +114,20 @@ The following code will run properly: ```js export default { - async fetch(request, env, ctx) { - // directly calling the method on ctx avoids the error - ctx.waitUntil(somePromise); - - // alternatively re-binding to ctx via apply, call, or bind avoids the error - const { waitUntil } = ctx; - waitUntil.apply(ctx, [somePromise]); - waitUntil.call(ctx, somePromise); - const reboundWaitUntil = waitUntil.bind(ctx); - reboundWaitUntil(somePromise); - - return fetch(request); - } -} + async fetch(request, env, ctx) { + // directly calling the method on ctx avoids the error + ctx.waitUntil(somePromise); + + // alternatively re-binding to ctx via apply, call, or bind avoids the error + const { waitUntil } = ctx; + waitUntil.apply(ctx, [somePromise]); + waitUntil.call(ctx, somePromise); + const reboundWaitUntil = waitUntil.bind(ctx); + reboundWaitUntil(somePromise); + + return fetch(request); + }, +}; ``` ## Errors on Worker upload 
@@ -150,7 +148,7 @@ These errors occur when a Worker is uploaded or modified. | `10052` | A [binding](/workers/runtime-apis/bindings/) is uploaded without a name. | | `10054` | A environment variable or secret exceeds the [size limit](/workers/platform/limits/#environment-variables). | | `10055` | The number of environment variables or secrets exceeds the [limit/Worker](/workers/platform/limits/#environment-variables). | -| `10056` | [Binding](/workers/runtime-apis/bindings/) not found. | +| `10056` | [Binding](/workers/runtime-apis/bindings/) not found. | | `10068` | The uploaded Worker has no registered [event handlers](/workers/runtime-apis/handlers/). | | `10069` | The uploaded Worker contains [event handlers](/workers/runtime-apis/handlers/) unsupported by the Workers runtime. | @@ -166,7 +164,7 @@ A Worker can be up to 10 MB in size after compression on the Workers Paid plan, To reduce the upload size of a Worker, you should consider removing unnecessary dependencies and/or using Workers KV, a D1 database or R2 to store configuration files, static assets and binary data instead of attempting to bundle them within your Worker code. -Another method to reduce a Worker's filzesize is to split its functionality across multiple Workers and connect them using [Service bindings](/workers/runtime-apis/bindings/service-bindings/#service-bindings). +Another method to reduce a Worker's file size is to split its functionality across multiple Workers and connect them using [Service bindings](/workers/runtime-apis/bindings/service-bindings/). #### Script startup exceeded CPU time limit 
@@ -214,41 +212,41 @@ When using an external logging strategy, remember that outstanding asynchronous ```js export default { - async fetch(request, env, ctx) { - function postLog(data) { - return fetch("https://log-service.example.com/", { - method: "POST", - body: data, - }); - } - - // Without ctx.waitUntil(), the `postLog` function may or may not complete. - ctx.waitUntil(postLog(stack)); - return fetch(request); - } -} + async fetch(request, env, ctx) { + function postLog(data) { + return fetch("https://log-service.example.com/", { + method: "POST", + body: data, + }); + } + + // Without ctx.waitUntil(), the `postLog` function may or may not complete. + ctx.waitUntil(postLog(stack)); + return fetch(request); + }, +}; ```
    ```js addEventListener("fetch", (event) => { - event.respondWith(handleEvent(event)); + event.respondWith(handleEvent(event)); }); async function handleEvent(event) { - // ... + // ... - // Without event.waitUntil(), the `postLog` function may or may not complete. - event.waitUntil(postLog(stack)); - return fetch(event.request); + // Without event.waitUntil(), the `postLog` function may or may not complete. + event.waitUntil(postLog(stack)); + return fetch(event.request); } function postLog(data) { - return fetch("https://log-service.example.com/", { - method: "POST", - body: data, - }); + return fetch("https://log-service.example.com/", { + method: "POST", + body: data, + }); } ``` @@ -262,26 +260,26 @@ By using [`event.passThroughOnException`](/workers/runtime-apis/context/#passthr ```js export default { - async fetch(request, env, ctx) { - ctx.passThroughOnException(); - // an error here will return the origin response, as if the Worker wasn't present - return fetch(request); - } -} + async fetch(request, env, ctx) { + ctx.passThroughOnException(); + // an error here will return the origin response, as if the Worker wasn't present + return fetch(request); + }, +}; ``` ```js addEventListener("fetch", (event) => { - event.passThroughOnException(); - event.respondWith(handleRequest(event.request)); + event.passThroughOnException(); + event.respondWith(handleRequest(event.request)); }); async function handleRequest(request) { - // An error here will return the origin response, as if the Worker wasn’t present. - // ... - return fetch(request); + // An error here will return the origin response, as if the Worker wasn’t present. + // ... + return fetch(request); } ``` 
@@ -289,6 +287,6 @@ async function handleRequest(request) { ## Related resources -* [Log from Workers](/workers/observability/logging/) - Learn how to log your Workers. -* [Logpush](/workers/observability/logging/logpush/) - Learn how to push Workers Trace Event Logs to supported destinations. -* [RPC error handling](/workers/runtime-apis/rpc/error-handling/) - Learn how to handle errors from remote-procedure calls. +- [Log from Workers](/workers/observability/logging/) - Learn how to log your Workers. +- [Logpush](/workers/observability/logging/logpush/) - Learn how to push Workers Trace Event Logs to supported destinations. +- [RPC error handling](/workers/runtime-apis/rpc/error-handling/) - Learn how to handle errors from remote-procedure calls. diff --git a/src/content/docs/workers/tutorials/index.mdx b/src/content/docs/workers/tutorials/index.mdx index 500870958231e5..245c739fe0f97d 100644 --- a/src/content/docs/workers/tutorials/index.mdx +++ b/src/content/docs/workers/tutorials/index.mdx @@ -5,13 +5,12 @@ pcx_content_type: navigation title: Tutorials sidebar: order: 4 - --- -import { GlossaryTooltip, ListTutorials } from "~/components" +import { GlossaryTooltip, ListTutorials } from "~/components"; :::note -[Explore our community-written tutorials contributed through the Developer Spotlight program.](/developer-spotlight/#developer-spotlight-program) +[Explore our community-written tutorials contributed through the Developer Spotlight program.](/developer-spotlight/) ::: View tutorials to help you get started with Workers. diff --git a/src/content/glossary/cloudflare-one.yaml b/src/content/glossary/cloudflare-one.yaml index e9121f40ae4fe9..cc3d3f7508cba5 100644 --- a/src/content/glossary/cloudflare-one.yaml +++ b/src/content/glossary/cloudflare-one.yaml 
@@ -215,7 +215,7 @@ entries: | --------------------------------------- | ---------------- | | `.cloudflareaccess.com` | `your-team-name` | - To learn about the consequences of changing your team name, refer to the [FAQ](/cloudflare-one/faq/teams-getting-started-faq/#whats-a-team-domain/team-name). + To learn about the consequences of changing your team name, refer to the [FAQ](/cloudflare-one/faq/teams-getting-started-faq/#whats-a-team-domainteam-name). - term: Terraform general_definition: |- diff --git a/src/content/partials/version-management/product-limitations.mdx b/src/content/partials/version-management/product-limitations.mdx index 2c91147ea04f6d..7e438a84a3284b 100644 --- a/src/content/partials/version-management/product-limitations.mdx +++ b/src/content/partials/version-management/product-limitations.mdx @@ -66,7 +66,7 @@ Version Management does not currently support or have limited support for the fo
    -- Changes made to [Image Transformations](/images/transform-images/#transform-images) are not cloned when a new zone version is created. +- Changes made to [Image Transformations](/images/transform-images/) are not cloned when a new zone version is created.
    From 5d2077919434e0adc26c7ac244fabccf1493d878 Mon Sep 17 00:00:00 2001 From: Ben Foxall Date: Tue, 24 Sep 2024 16:56:48 +0100 Subject: [PATCH 44/54] [Calls / TURN] Add note about RTCPeerConnection structure (#17007) * Add note about RTCPeerConnection structure * Reword not sure how I managed to make a grammar mistake in something so short! --- src/content/docs/calls/turn/generate-credentials.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/calls/turn/generate-credentials.mdx b/src/content/docs/calls/turn/generate-credentials.mdx index 2a927bd303e8a8..5f902d2f561c73 100644 --- a/src/content/docs/calls/turn/generate-credentials.mdx +++ b/src/content/docs/calls/turn/generate-credentials.mdx @@ -47,7 +47,7 @@ The JSON response below can then be passed on to your front-end application: } ``` -Use `username` and `credential` as follows when instantiating the `RTCPeerConnection`: +Use `username` and `credential` as follows when instantiating the `RTCPeerConnection` (note, `iceServers` is now an array): ```js const myPeerConnection = new RTCPeerConnection({ From 0ac01012ca701c53bf18b754065f8bb0013e942a Mon Sep 17 00:00:00 2001 From: Kian Date: Tue, 24 Sep 2024 17:05:17 +0100 Subject: [PATCH 45/54] [Docs Site] Homepage footer styling overhaul (#17037) * [Docs Site] Homepage footer styling overhaul * Only add basis-1/2 on small viewports * make sure cookie preferences is styled the same * White logos in dark mode --- src/components/homepage/FooterHeroBlock.astro | 30 ++- src/components/overrides/Footer.astro | 234 +++++++++--------- 2 files changed, 140 insertions(+), 124 deletions(-) diff --git a/src/components/homepage/FooterHeroBlock.astro b/src/components/homepage/FooterHeroBlock.astro index 8e9da79abed9aa..41f29f5148b1f1 100644 --- a/src/components/homepage/FooterHeroBlock.astro +++ b/src/components/homepage/FooterHeroBlock.astro 
@@ -4,7 +4,7 @@ import { Icon } from "@astrojs/starlight/components"; const blocks = [ { title: "Community", - text: "The Cloudflare community is a place for Cloudflare users to share ideas, answers, code and compare notes.", + text: "Share ideas, answers, code and compare notes with the Cloudflare community.", links: [ { text: "Discord", @@ -17,8 +17,8 @@ const blocks = [ href: "https://x.com/CloudflareDev", }, { - text: "Community Forum", - icon: "discourse", + text: "Community forum", + icon: "cloudflare", href: "https://community.cloudflare.com/", }, ], @@ -28,18 +28,18 @@ const blocks = [ text: "Cloudflare contributes to the open-source ecosystem in a variety of ways, including:", links: [ { - text: "GitHub Projects", + text: "GitHub projects", icon: "github", href: "https://github.com/cloudflare", }, { - text: "Sponsorship Projects", + text: "Sponsorship projects", icon: "seti:shell", href: "/sponsorships/", }, { - text: "Style Guide", - icon: "open-book", + text: "Style guide", + icon: "document", href: "/style-guide/", }, ], @@ -50,7 +50,7 @@ const blocks = [ links: [ { text: "Read the blog", - icon: "seti:notebook", + icon: "open-book", href: "https://blog.cloudflare.com/", }, ], @@ -59,20 +59,24 @@ const blocks = [ ---
    { blocks.map(({ title, text, links }) => (
    -

    {title}

    + {title}

    {text}