diff --git a/.markdownlint.yml b/.markdownlint.yml new file mode 100644 index 000000000000000..baa3b20da151d30 --- /dev/null +++ b/.markdownlint.yml @@ -0,0 +1,43 @@ +MD001: false +MD002: false +MD003: false +MD004: false +MD005: false +MD006: false +MD007: false +MD010: false +MD011: false +MD012: false +MD013: false +MD014: false +MD018: false +MD019: false +MD020: false +MD021: false +MD022: false +MD023: false +MD024: false +MD025: false +MD026: false +MD027: false +MD028: false +MD029: false +MD030: false +MD031: false +MD032: false +MD033: false +MD034: false +MD035: false +MD036: false +MD037: false +MD038: false +MD039: false +MD040: false +MD041: false +MD042: false +MD043: false +MD044: false +MD045: false +MD046: false +MD047: false +MD048: false diff --git a/products/1.1.1.1/src/content/1.1.1.1-for-families/setup-instructions/dns-over-https.md b/products/1.1.1.1/src/content/1.1.1.1-for-families/setup-instructions/dns-over-https.md index 7c1af19fc77273e..e37e0df3f6cb588 100644 --- a/products/1.1.1.1/src/content/1.1.1.1-for-families/setup-instructions/dns-over-https.md +++ b/products/1.1.1.1/src/content/1.1.1.1-for-families/setup-instructions/dns-over-https.md @@ -6,11 +6,11 @@ order: 5 You can send DNS queries in an encrypted fashion for 1.1.1.1 for Families. If you have DNS over HTTPS compliant client, use the following URLs to use 1.1.1.1 for Families. ## Block Malware -To block all malware use the following URL +To block all malware use the following URL https://security.cloudflare-dns.com/dns-query ## Block Malware and Adult Content -To block all malware and adult content use following URL +To block all malware and adult content use following URL https://family.cloudflare-dns.com/dns-query \ No newline at end of file diff --git a/products/1.1.1.1/src/content/fun-stuff/dns-over-tor.md b/products/1.1.1.1/src/content/fun-stuff/dns-over-tor.md index 878a714c4cce9f8..8bc6ed27e053c45 100644 --- a/products/1.1.1.1/src/content/fun-stuff/dns-over-tor.md 
+++ b/products/1.1.1.1/src/content/fun-stuff/dns-over-tor.md @@ -63,7 +63,7 @@ UDP:53 on localhost as TCP packets using the following `socat` command: As explained in the blog post, our favorite way of using the hidden resolver is using DoH. -1. First, start with downloading `cloudflared` by following the regular guide for +1. First, start with downloading `cloudflared` by following the regular guide for [Running a DNS over HTTPS Client](../../dns-over-https/cloudflared-proxy/). 2. Start a Tor SOCKS proxy and use `socat` to forward port TCP:443 to localhost: diff --git a/products/1.1.1.1/src/content/privacy/public-dns-resolver.md b/products/1.1.1.1/src/content/privacy/public-dns-resolver.md index 03861cde32d62f3..a7398019050698b 100644 --- a/products/1.1.1.1/src/content/privacy/public-dns-resolver.md +++ b/products/1.1.1.1/src/content/privacy/public-dns-resolver.md 
@@ -8,13 +8,13 @@ order: 1 Cloudflare’s Commitment to Privacy: 1.1.1.1 Public DNS Resolver -The 1.1.1.1 public DNS resolver is governed by our [Privacy Policy](https://www.cloudflare.com/privacypolicy/). This document provides additional details on our collection, use, and disclosure of the information collected from the 1.1.1.1 public DNS resolver. +The 1.1.1.1 public DNS resolver is governed by our [Privacy Policy](https://www.cloudflare.com/privacypolicy/). This document provides additional details on our collection, use, and disclosure of the information collected from the 1.1.1.1 public DNS resolver. ----- Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email, and the first thing your phone or computer does is ask its directory: where can I find this? -Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads. +Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads. Given the current state of affairs, Cloudflare created a DNS resolver with your privacy and security in mind. Cloudflare, in partnership with APNIC, runs the 1.1.1.1 public resolver, a recursive DNS service that values user privacy and security. DNS requests sent to our public resolver are sent over a secure channel, significantly decreasing the odds of any unwanted spying or man in the middle attacks. 
@@ -26,10 +26,10 @@ The 1.1.1.1 public DNS resolver was designed for privacy first, and Cloudflare c 4. Cloudflare will retain only the limited transaction and debug log data (“Public Resolver Logs”) set forth below, for the legitimate operation of our Public Resolver and research purposes, and Cloudflare will delete the Public Resolver Logs within 25 hours. 5. Cloudflare will not share the Public Resolver Logs with any third parties except for APNIC pursuant to a Research Cooperative Agreement. APNIC will only have limited access to query the anonymized data in the Public Resolver Logs and conduct research related to the operation of the DNS system. -Frankly, we don’t want to know what any one person is doing on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t. +Frankly, we don’t want to know what any one person is doing on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t. -We wanted to put our money where our mouth was, so we retained one of the top four accounting firms to audit our practices and publish a public report confirming we're doing what we said we would. The report is available [here](https://www.cloudflare.com/compliance/). +We wanted to put our money where our mouth was, so we retained one of the top four accounting firms to audit our practices and publish a public report confirming we're doing what we said we would. The report is available [here](https://www.cloudflare.com/compliance/). ## LIMITED DATA SHARING WITH APNIC @@ -81,7 +81,7 @@ Additionally, recursive resolvers perform outgoing queries to various authoritat The following subrequest data is included in the Public Resolver Logs: -* subrequest.ipv6 (authoritative nameserver) +* subrequest.ipv6 (authoritative nameserver) * subrequest.ipv4 (authoritative nameserver) * subrequest.protocol * subrequest.durationMs 
@@ -93,7 +93,7 @@ The following subrequest data is included in the Public Resolver Logs: * subrequest.recordData * subrequest.error -Except for the limited aggregated data generated using the Public Resolver Logs described below, all of the Public Resolver Logs are deleted within 25 hours of Cloudflare’s receipt of such information. +Except for the limited aggregated data generated using the Public Resolver Logs described below, all of the Public Resolver Logs are deleted within 25 hours of Cloudflare’s receipt of such information. Cloudflare will only store the following aggregated data: 
@@ -109,8 +109,8 @@ Cloudflare may store the aggregated data described above indefinitely in order t ## WHAT ABOUT REQUESTS FOR CONTENT BLOCKING? -Cloudflare does not block or filter any content through the 1.1.1.1 Public DNS Resolver, which is designed for direct, fast DNS resolution, not for blocking or filtering content. Cloudflare does block and filter malware and adult content through 1.1.1.1 for Families, which is designed to help individuals protect their home networks. +Cloudflare does not block or filter any content through the 1.1.1.1 Public DNS Resolver, which is designed for direct, fast DNS resolution, not for blocking or filtering content. Cloudflare does block and filter malware and adult content through 1.1.1.1 for Families, which is designed to help individuals protect their home networks. In general, Cloudflare views government or civil requests to block content at the DNS level as ineffective, inefficient, and overbroad. Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government’s jurisdiction. A government request to block content through a globally available public recursive resolver like the 1.1.1.1 Public DNS Resolver and 1.1.1.1 for Families therefore should be evaluated as a request to block content globally. -Given the broad extraterritorial effect, if Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the 1.1.1.1 Public DNS Resolver or to block access to domains or content through 1.1.1.1 for Families that is outside the scope of the filtering in that product, Cloudflare would pursue its legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so. 
\ No newline at end of file +Given the broad extraterritorial effect, if Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the 1.1.1.1 Public DNS Resolver or to block access to domains or content through 1.1.1.1 for Families that is outside the scope of the filtering in that product, Cloudflare would pursue its legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so. \ No newline at end of file diff --git a/products/access/src/content/advanced-management/revoking-user-sessions.md b/products/access/src/content/advanced-management/revoking-user-sessions.md index 2471ede1ca9924d..e7723cd01023de8 100644 --- a/products/access/src/content/advanced-management/revoking-user-sessions.md +++ b/products/access/src/content/advanced-management/revoking-user-sessions.md @@ -11,7 +11,7 @@ The authentication process involves Cloudflare Access issuing a signed JSON Web ## Per-Application -To immediately terminate all active sessions for a specific application: +To immediately terminate all active sessions for a specific application: 1. On the Teams dashboard, navigate to **Access > Applications** and locate the application for which you would like to revoke active sessions. diff --git a/products/access/src/content/advanced-management/session-management/index.md b/products/access/src/content/advanced-management/session-management/index.md index 5071204907ab25f..12e66f5ffac8498 100644 --- a/products/access/src/content/advanced-management/session-management/index.md +++ b/products/access/src/content/advanced-management/session-management/index.md 
@@ -28,7 +28,7 @@ You can configure the duration of both tokens on the dashboard. When users log i ![Global session](../../static/global-session.png) * If the global session duration is **shorter** than an application’s session length, users will be required to re-authenticate each time the global session time elapses. - + This can be helpful to establish a maximum session duration across all applications. * If the global session duration is **longer** than an application’s session length, a user’s application session will be automatically refreshed until the global session expires. diff --git a/products/access/src/content/advanced-management/session-management/revoking-user-sessions.md b/products/access/src/content/advanced-management/session-management/revoking-user-sessions.md index 14461cd42c04dd3..ae2c35dc5a1efde 100644 --- a/products/access/src/content/advanced-management/session-management/revoking-user-sessions.md +++ b/products/access/src/content/advanced-management/session-management/revoking-user-sessions.md @@ -10,7 +10,7 @@ The authentication process involves Cloudflare Access issuing a signed JSON Web ## Per-Application -To immediately terminate all active sessions for a specific application: +To immediately terminate all active sessions for a specific application: 1. On the Teams dashboard, navigate to **Access > Applications** and locate the application for which you would like to revoke active sessions. diff --git a/products/access/src/content/advanced-management/validating-json.md b/products/access/src/content/advanced-management/validating-json.md index 5404264625f4e29..e52ed7ebaf07052 100644 --- a/products/access/src/content/advanced-management/validating-json.md +++ b/products/access/src/content/advanced-management/validating-json.md 
@@ -6,7 +6,7 @@ order: 3 To fully secure your application, you must ensure that no one can access your origin server directly and bypass the zero trust security checks Cloudflare Access enforces for the hostname. For example, if someone discovers an exposed external IP they can bypass Cloudflare and attack the origin directly. -Cloudflare signs a JSON Web Token (JWT) when users or services authenticate through Cloudflare Access. +Cloudflare signs a JSON Web Token (JWT) when users or services authenticate through Cloudflare Access. Two tokens are generated: @@ -17,7 +17,7 @@ Two tokens are generated: You can use the JWT created by Cloudflare Access to validate requests on your origin. -If you want to learn more about how Access works with JWT, read our [Access with JSON web tokens](../../learning/json-web-tokens) Learning section. +If you want to learn more about how Access works with JWT, read our [Access with JSON web tokens](../../learning/json-web-tokens) Learning section. | Best practices | | | -------------- | ------ | diff --git a/products/access/src/content/api-and-terraform/access-with-terraform.md b/products/access/src/content/api-and-terraform/access-with-terraform.md index f8b0bc40b7ad2a7..257c5cb33e67584 100644 --- a/products/access/src/content/api-and-terraform/access-with-terraform.md +++ b/products/access/src/content/api-and-terraform/access-with-terraform.md @@ -13,7 +13,7 @@ order: 3 ## Create An Application with Terraform 1. Create an application. - + Here is an example configuration: ``` @@ -107,7 +107,7 @@ To do so: 1. Run a `terraform plan`: ``` -$ terraform plan +$ terraform plan Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be diff --git a/products/access/src/content/authentication/configuring-identity-providers/azuread.md b/products/access/src/content/authentication/configuring-identity-providers/azuread.md index a3f5ac80a880562..fd79f1b65bcb4f0 100644 
--- a/products/access/src/content/authentication/configuring-identity-providers/azuread.md +++ b/products/access/src/content/authentication/configuring-identity-providers/azuread.md @@ -18,7 +18,7 @@ Azure AD integrates with the Office365 identity service as well as other SaaS ap ![Azure AD Services](../../static/azure/azuread-1.png) -3. On the **Azure AD** dashboard, click **App registrations** in the **Manage** section of the _Azure Active Directory_ pane. +3. On the **Azure AD** dashboard, click **App registrations** in the **Manage** section of the _Azure Active Directory_ pane. 4. Click **+ New application registration**. ![New Azure AD App Registration](../../static/azure/azuread-2.png) @@ -37,7 +37,7 @@ Azure AD integrates with the Office365 identity service as well as other SaaS ap ![Azure AD Client Secret](../../static/azure/azuread-6.png) -9. Copy the value to the **Application Secret** field in your **Cloudflare** dashboard. +9. Copy the value to the **Application Secret** field in your **Cloudflare** dashboard. 10. In the left hand panel, select **API permissions**, and then click **Add a permission**. diff --git a/products/access/src/content/authentication/configuring-identity-providers/centrify.md b/products/access/src/content/authentication/configuring-identity-providers/centrify.md index 5569d0912fa81a1..47d659fc988a9ca 100644 --- a/products/access/src/content/authentication/configuring-identity-providers/centrify.md +++ b/products/access/src/content/authentication/configuring-identity-providers/centrify.md @@ -46,7 +46,7 @@ These steps help you set up Centrify as your identity provider (IdP). 14. Copy the Client ID, Client Secret, and OpenID Connect Issuer URL. diff --git a/products/access/src/content/configuring-identity-providers/azuread.md b/products/access/src/content/configuring-identity-providers/azuread.md index 924aba206a64add..76a9783974771b1 100644 --- a/products/access/src/content/configuring-identity-providers/azuread.md 
+++ b/products/access/src/content/configuring-identity-providers/azuread.md @@ -18,7 +18,7 @@ Azure AD integrates with the Office365 identity service as well as other SaaS ap ![Azure AD Services](../static/azure/azuread-1.png) -3. On the **Azure AD** dashboard, click **App registrations** in the **Manage** section of the _Azure Active Directory_ pane. +3. On the **Azure AD** dashboard, click **App registrations** in the **Manage** section of the _Azure Active Directory_ pane. 4. Click **+ New application registration**. ![New Azure AD App Registration](../static/azure/azuread-2.png) @@ -37,7 +37,7 @@ Azure AD integrates with the Office365 identity service as well as other SaaS ap ![Azure AD Client Secret](../static/azure/azuread-6.png) -9. Copy the value to the **Application Secret** field in your **Cloudflare** dashboard. +9. Copy the value to the **Application Secret** field in your **Cloudflare** dashboard. 10. In the left hand panel, select **API permissions**, and then click **Add a permission**. diff --git a/products/access/src/content/configuring-identity-providers/centrify.md b/products/access/src/content/configuring-identity-providers/centrify.md index d4dad429c058fcb..9a09682f9834d73 100644 --- a/products/access/src/content/configuring-identity-providers/centrify.md +++ b/products/access/src/content/configuring-identity-providers/centrify.md @@ -46,7 +46,7 @@ These steps help you set up Centrify as your identity provider (IdP). 14. Copy the Client ID, Client Secret, and OpenID Connect Issuer URL. diff --git a/products/access/src/content/configuring-identity-providers/keycloak.md b/products/access/src/content/configuring-identity-providers/keycloak.md index 5ea7a7f723a1fa0..55640e754e9422a 100644 --- a/products/access/src/content/configuring-identity-providers/keycloak.md +++ b/products/access/src/content/configuring-identity-providers/keycloak.md 
@@ -19,7 +19,7 @@ Keycloak is an open source identity and access management solution built by JBos ![SAML Client](../static/keycloak/configure-client.png) Set the Client AD as the Access callback URL. The format will resemble the following URL; replace the `` value with your organization's authentication domain. - + `https://.cloudflareaccess.com/cdn-cgi/access/callback` Next, set the valid redirect URI to the Keycloak domain that you are using. For example, `https:///auth/realms/master/protocol/saml`. @@ -52,7 +52,7 @@ Keycloak is an open source identity and access management solution built by JBos ## Optional: Custom SAML Attributes -Keycloak can be configured to pass on custom SAML attributes for consumption by Access Policy. For example, role-based access policy. +Keycloak can be configured to pass on custom SAML attributes for consumption by Access Policy. For example, role-based access policy. 1. Roles @@ -81,7 +81,7 @@ Keycloak can be configured to pass on custom SAML attributes for consumption by Solution: Disable "Client Signature Required " in Client Settings **Access Test: Response uses a certificate that is not configured.** -Solution: Use the X509 Certificate in the Realm Settings rather than from Client Setting. +Solution: Use the X509 Certificate in the Realm Settings rather than from Client Setting. **Access Test: Successful bu email property is empty** diff --git a/products/access/src/content/faq/index.md b/products/access/src/content/faq/index.md index 659dcda0e2b5bee..dc2733534b98b43 100644 --- a/products/access/src/content/faq/index.md +++ b/products/access/src/content/faq/index.md 
@@ -42,7 +42,7 @@ Answers to common questions about Cloudflare Access. Access policies trigger in order based on their position in the policy table in the UI. The exception is Bypass policies, which Access evaluates first. - For Allow and Deny policies, Access enforces the decision starting at the top of your list and continues down the list. You can modify the order by dragging and dropping individual policies in the UI. + For Allow and Deny policies, Access enforces the decision starting at the top of your list and continues down the list. You can modify the order by dragging and dropping individual policies in the UI. * **Can I use Access to secure applications with a second-level subdomain URL?** diff --git a/products/access/src/content/setting-up-access/access-applications/connecting-saas-apps.md b/products/access/src/content/setting-up-access/access-applications/connecting-saas-apps.md index d14c28224e79435..a0109e40889f54b 100644 --- a/products/access/src/content/setting-up-access/access-applications/connecting-saas-apps.md +++ b/products/access/src/content/setting-up-access/access-applications/connecting-saas-apps.md @@ -5,7 +5,7 @@ order: 1 # Connecting SaaS Applications -Cloudflare Access allows you to integrate your SaaS products by acting as an identity aggregator, or proxy. This way, we ensure that users cannot login to SaaS applications without first meeting the criteria you want to introduce. +Cloudflare Access allows you to integrate your SaaS products by acting as an identity aggregator, or proxy. This way, we ensure that users cannot login to SaaS applications without first meeting the criteria you want to introduce. ## 1. Add and configure your app diff --git a/products/access/src/content/setting-up-access/terraform.md b/products/access/src/content/setting-up-access/terraform.md index e774b35ecd2b372..0243c6b23371de0 100644 --- a/products/access/src/content/setting-up-access/terraform.md 
+++ b/products/access/src/content/setting-up-access/terraform.md @@ -9,7 +9,7 @@ order: 2 ## Create an Application -__NOTE:__ If you haven't installed Terraform, you can do so [here](https://learn.hashicorp.com/terraform/getting-started/install.html). +__NOTE:__ If you haven't installed Terraform, you can do so [here](https://learn.hashicorp.com/terraform/getting-started/install.html). Before we can do anything, we'll need to create an Access application. Here is an example configuration: ``` @@ -102,7 +102,7 @@ resource "cloudflare_access_policy" "cf_policy" { Next, we'll run a `terraform plan`: ``` -$ terraform plan +$ terraform plan Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be diff --git a/products/argo-tunnel/src/content/getting-started/setup.md b/products/argo-tunnel/src/content/getting-started/setup.md index 31f9260d99686bb..0e4f4a0fe5b2e68 100644 --- a/products/argo-tunnel/src/content/getting-started/setup.md +++ b/products/argo-tunnel/src/content/getting-started/setup.md @@ -16,7 +16,7 @@ Follow these steps to set up Cloudflare Argo Tunnel: 1. Authenticate your instance `cloudflared` by logging in to your Cloudflare account with the following command: -```sh +```sh $ cloudflared tunnel login ``` diff --git a/products/argo-tunnel/src/content/reference/common-errors.md b/products/argo-tunnel/src/content/reference/common-errors.md index c8f855081153dbf..cd2396b1d9a92da 100644 --- a/products/argo-tunnel/src/content/reference/common-errors.md +++ b/products/argo-tunnel/src/content/reference/common-errors.md 
@@ -23,7 +23,7 @@ If you are pointing `cloudflared` to a locally-available URL that is different f Find more information on the **no-tls-verify** flag [here](/reference/arguments/#no-tls-verify). ### Invalid TLS certificate -If the TLS certificate used by the webserver is not valid, you may get a 502 Error. +If the TLS certificate used by the webserver is not valid, you may get a 502 Error. If you run: ```bash diff --git a/products/argo-tunnel/src/content/reference/docker.md b/products/argo-tunnel/src/content/reference/docker.md index cdea332b7f38849..3262f8728f21733 100644 --- a/products/argo-tunnel/src/content/reference/docker.md +++ b/products/argo-tunnel/src/content/reference/docker.md 
@@ -27,31 +27,31 @@ one container is preferred. In this example, we'll create a Docker container which exposes a simple Flask application through Argo Tunnels. We'll start our Dockerfile with the following: -```docker -FROM debian -RUN apt-get -yqq update -COPY . /opt/flaskapp -WORKDIR /opt/flaskapp +```docker +FROM debian +RUN apt-get -yqq update +COPY . /opt/flaskapp +WORKDIR /opt/flaskapp ``` This will create a Debian image, update the package repo, and copy our files to a working directory. Now, add the instructions to install Supervisord in your Dockerfile: -```docker -RUN apt-get install -y supervisor -RUN mkdir -p /var/log/supervisor -RUN mkdir -p /etc/supervisor/conf.d/ -COPY supervisord.conf /etc/supervisord.conf +```docker +RUN apt-get install -y supervisor +RUN mkdir -p /var/log/supervisor +RUN mkdir -p /etc/supervisor/conf.d/ +COPY supervisord.conf /etc/supervisord.conf ``` This will also create the appropriate directories for Supervisord, and copy the config file into the correct location. Now, add the following to install `cloudflared` in the Docker image: -```docker -RUN apt-get install -y wget -RUN wget -O- https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz | tar xz -RUN mkdir -p /etc/cloudflared/ -COPY cert.pem /etc/cloudflared/ -COPY config.yaml /etc/cloudflared/ +```docker +RUN apt-get install -y wget +RUN wget -O- https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz | tar xz +RUN mkdir -p /etc/cloudflared/ +COPY cert.pem /etc/cloudflared/ +COPY config.yaml /etc/cloudflared/ ``` Note that you will need a `config.yaml` and a `cert.pem` for `cloudflared` in the directory that you are working in. The instructions on how to install cloudflared and generate a certificate can be found [here](/quickstart/). For more info on how to setup a `cloudflared` config, see the [configuration 
@@ -60,20 +60,20 @@ page](/reference/config/). Now, we'll install Python and it's dependencies for our example app. This step may be different for you depending on the application you want to expose securely with Argo Tunnel. -```docker -RUN apt-get -yqq install python3 python3-pip -RUN pip3 install flask +```docker +RUN apt-get -yqq install python3 python3-pip +RUN pip3 install flask ``` And the entrypoint into our container will be starting Supervisord: -```docker -CMD ["/usr/bin/supervisord"] +```docker +CMD ["/usr/bin/supervisord"] ``` For the purposes of this example, create a Python file `server.py` : -```python +```python from flask import Flask app = Flask(__name__) 
@@ -89,61 +89,61 @@ if __name__ == '__main__': app.run() ``` Supervisord uses a config file, `supervisord.conf`, to configure options for each service it manages. Create `supervisord.conf` and add the following: -``` -[supervisord] +``` +[supervisord] nodaemon = true -[program: cloudflared] -command=/opt/flaskapp/cloudflared -autostart=true +[program: cloudflared] +command=/opt/flaskapp/cloudflared +autostart=true autorestart=true -startretries=3 -stdout_logfile=/dev/stdout +startretries=3 +stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0 -[program: flask] -command=/usr/bin/python3.5 /opt/flaskapp/server.py -autostart=true +[program: flask] +command=/usr/bin/python3.5 /opt/flaskapp/server.py +autostart=true autorestart=true -startretries=3 -stdout_logfile=/dev/stdout -stdout_logfile_maxbytes=0 +startretries=3 +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 ``` This defines 2 services (`cloudflared` and Flask) and configures some options for them like autorestarting and logging to `stdout`. And that's it! This is what the full Dockerfile should look like: -```docker +```docker FROM debian RUN apt-get -yqq update C -OPY . /opt/flaskapp +OPY . 
/opt/flaskapp WORKDIR /opt/flaskapp # Supervisord -RUN apt-get install -y supervisor -RUN mkdir -p /var/log/supervisor -RUN mkdir -p /etc/supervisor/conf.d/ +RUN apt-get install -y supervisor +RUN mkdir -p /var/log/supervisor +RUN mkdir -p /etc/supervisor/conf.d/ COPY supervisord.conf /etc/supervisord.conf # Cloudflared -RUN apt-get install -y wget -RUN wget -O- https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz | tar xz -RUN mkdir -p /etc/cloudflared/ -COPY cert.pem /etc/cloudflared/ +RUN apt-get install -y wget +RUN wget -O- https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz | tar xz +RUN mkdir -p /etc/cloudflared/ +COPY cert.pem /etc/cloudflared/ COPY config.yaml /etc/cloudflared/ # Python and Flask -RUN apt-get -yqq install python3 python3-pip +RUN apt-get -yqq install python3 python3-pip RUN pip3 install flask # Main -CMD ["/usr/bin/supervisord"] +CMD ["/usr/bin/supervisord"] ``` You should be able to build and run the container, and have `cloudflared` create a tunnel from inside diff --git a/products/firewall/src/content/cf-firewall-rules/index.md b/products/firewall/src/content/cf-firewall-rules/index.md index 8e210e317afce56..1e603fb731f1971 100644 --- a/products/firewall/src/content/cf-firewall-rules/index.md +++ b/products/firewall/src/content/cf-firewall-rules/index.md 
@@ -47,7 +47,7 @@ Power users, particularly those who develop large numbers of firewall rules, can ## Entitlements -Cloudflare Firewall Rules is available to all customers. Keep in mind that the number of firewall rules you can have active on your account is based on your type of plan, as is support for the _Log_ action and support for regular expressions. +Cloudflare Firewall Rules is available to all customers. Keep in mind that the number of firewall rules you can have active on your account is based on your type of plan, as is support for the _Log_ action and support for regular expressions. This table outlines the Firewall Rules features and entitlements available with each customer plan: diff --git a/products/gateway/src/content/connecting-to-gateway/Installing the Cloudflare Certificate.md b/products/gateway/src/content/connecting-to-gateway/Installing the Cloudflare Certificate.md index 3b443963412aea0..c8623bdfe8c1ea9 100644 --- a/products/gateway/src/content/connecting-to-gateway/Installing the Cloudflare Certificate.md +++ b/products/gateway/src/content/connecting-to-gateway/Installing the Cloudflare Certificate.md @@ -33,7 +33,7 @@ Installing a certificate in Keychain in macOS requires consideration of which us | Local Items | Cached iCloud passwords | | System | All users on the system | -Installing the certificate in Login will result in only the logged in user trusting the Cloudflare certificate. Installing in System affects all users who use that machine. +Installing the certificate in Login will result in only the logged in user trusting the Cloudflare certificate. Installing in System affects all users who use that machine. 1. Download the Cloudflare certificate [at this location](../static/Cloudflare_CA.crt) diff --git a/products/gateway/src/content/connecting-to-gateway/Troubleshooting.md b/products/gateway/src/content/connecting-to-gateway/Troubleshooting.md index fa6ae51bfb3a9d3..f35242ec2d0e143 100644 
--- a/products/gateway/src/content/connecting-to-gateway/Troubleshooting.md +++ b/products/gateway/src/content/connecting-to-gateway/Troubleshooting.md @@ -12,11 +12,11 @@ To install the Cloudflare root certificate, follow the steps [found here](/conne ### Even though I installed the Cloudflare certificate on my system, mobile applications warn of an invalid certificate. -The mobile application may leverage certificate pinning. This is a security mechanism used to prevent man-in-the-middle (MITM) attacks on the internet by hardcoding information about the certificate that the application expects to receive. If the wrong certificate is received, even if it's trusted by the system, the application will refuse to connect. +The mobile application may leverage certificate pinning. This is a security mechanism used to prevent man-in-the-middle (MITM) attacks on the internet by hardcoding information about the certificate that the application expects to receive. If the wrong certificate is received, even if it's trusted by the system, the application will refuse to connect. Cloudflare Gateway dynamically generates a certificate for all encrypted connections in order to inspect the content of HTTP traffic. This certificate will not match the expected certificate by applications that use certificate pinning. -To allow these applications to function normally, administrators can configure bypass rules to exempt traffic to hosts associated with the application from being intercepted and inspected. +To allow these applications to function normally, administrators can configure bypass rules to exempt traffic to hosts associated with the application from being intercepted and inspected. ### I browsed to a website and received a Cloudflare Gateway error page, not a block page. 
@@ -47,7 +47,7 @@ For example in the event of a certificate common name mismatch. When the connection from Cloudflare Gateway to an upstream server is insecure (e.g, uses an insecure cipher such as rc4, rc4-md5, 3des, etc.) -We do support upstream connections that require a connection over TLS that is prior to TLS 1.3. We will support the ability for an administrator to configure whether to trust insecure connections in the very near future. +We do support upstream connections that require a connection over TLS that is prior to TLS 1.3. We will support the ability for an administrator to configure whether to trust insecure connections in the very near future. #### I created a bypass rule or disabled TLS interception completely and inspection seems to still be occuring. 
@@ -64,13 +64,13 @@ Value: cloudflareclient.com Action: bypass ``` -This allows the WARP client to connect to Cloudflare and determine if the Cloudflare certificate is not present and trusted on the local device; and if not, then the client will alert the user. +This allows the WARP client to connect to Cloudflare and determine if the Cloudflare certificate is not present and trusted on the local device; and if not, then the client will alert the user. -### I'm using a common application and it seems unable to connect when I inspect HTTP traffic or presents an untrusted certificate error. +### I'm using a common application and it seems unable to connect when I inspect HTTP traffic or presents an untrusted certificate error. -The application may use certificate pinning. This is a process used by applications to verify that the TLS certificate presented from the origin server matches a known, specified list of certificates hardcoded in the application. This is a countermeasure to man-in-the-middle attacks where an attacker presents a trusted, but false, certificate on behalf of the origin in oder to decrypt the traffic. Unfortunately, this is exactly what TLS interception in a Secure Web Gateway does although for the purposes of securing a user's web traffic. +The application may use certificate pinning. This is a process used by applications to verify that the TLS certificate presented from the origin server matches a known, specified list of certificates hardcoded in the application. This is a countermeasure to man-in-the-middle attacks where an attacker presents a trusted, but false, certificate on behalf of the origin in oder to decrypt the traffic. Unfortunately, this is exactly what TLS interception in a Secure Web Gateway does although for the purposes of securing a user's web traffic. 
-In order to accomodate applications that take advantage of certificate pinning, a bypass for the hostnames associated with the application must be configured in the Gateway L7 firewall. In the future, Gateway will provide the ability for organizations to simply select the name or type of application in order to configure rules. +In order to accomodate applications that take advantage of certificate pinning, a bypass for the hostnames associated with the application must be configured in the Gateway L7 firewall. In the future, Gateway will provide the ability for organizations to simply select the name or type of application in order to configure rules. Some common applications that make use of certificate pinning include: diff --git a/products/gateway/src/content/connecting-to-gateway/install-cloudflare-cert.md b/products/gateway/src/content/connecting-to-gateway/install-cloudflare-cert.md index f4a6549407220fe..463a044d4a539a8 100644 --- a/products/gateway/src/content/connecting-to-gateway/install-cloudflare-cert.md +++ b/products/gateway/src/content/connecting-to-gateway/install-cloudflare-cert.md @@ -36,7 +36,7 @@ You will need to install the root certificate in the Keychain Access application | Local Items | Cached iCloud passwords | | System | All users on the system | -Installing the certificate in the Login keychain will result in only the logged in user trusting the Cloudflare certificate. Installing it in the System keychain affects all users who have access to that machine. +Installing the certificate in the Login keychain will result in only the logged in user trusting the Cloudflare certificate. Installing it in the System keychain affects all users who have access to that machine. To install the certificate in Keychain Access: 
@@ -77,15 +77,15 @@ The root certificate is now installed and ready to be used. ![ios profile](../static/ios_cert_profile.jpg) -4. Tap **Install**. If the iOS device is passcode-protected, you will be prompted to enter the passcode. +4. Tap **Install**. If the iOS device is passcode-protected, you will be prompted to enter the passcode. 5. Next, a certificate warning will appear. Tap **Install**. If a second prompt is displayed, tap **Install** again. - + 6. Next, the **Profile Installed** screen will appear. Tap **Done**. - The certificate is now installed. However, before it can be used, it must be trusted by the device. + The certificate is now installed. However, before it can be used, it must be trusted by the device. 7. On the device, go to **Settings** > **General** > **About** > **Certificate Trust Settings**. @@ -93,7 +93,7 @@ The root certificate is now installed and ready to be used. ![ios cert trust](../static/ios_cert_trust1.jpg) -8. Tap the slide button next to the Cloudflare certificate you just installed. +8. Tap the slide button next to the Cloudflare certificate you just installed. 9. A confirmation dialogue will appear. Tap **Continue**. @@ -169,7 +169,7 @@ The root certificate is now installed and ready to be used. 8. Verify your identity through the fingerprint, or by inserting the pin code. -9. Select the certificate you want to install. +9. Select the certificate you want to install. ![android choose cert](../static/android_choose_certificate.png) diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/linux.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/linux.md index 68833013f6aa6f0..9307af9965a6078 100644 --- a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/linux.md +++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/linux.md 
@@ -32,11 +32,11 @@ Remove any IP addresses that may already be listed. 3. Replace the nameserver lines with: * **172.64.36.1** * **172.64.36.2** -4. Press the **ESC** key on your keyboard to save and exit vim. +4. Press the **ESC** key on your keyboard to save and exit vim. 5. Type `:wq`. ### IPv6 1. In the command line, type: `sudo vim /etc/resolv.conf` 2. Add the IPv6 address from that we listed based on your location configuration. -3. Press the **ESC** key on your keyboard to save and exit vim. +3. Press the **ESC** key on your keyboard to save and exit vim. 4. Type `:wq`. diff --git a/products/gateway/src/content/faq/free-program.md b/products/gateway/src/content/faq/free-program.md index cb07be6d64b161c..adf8e4cc8b663b0 100644 --- a/products/gateway/src/content/faq/free-program.md +++ b/products/gateway/src/content/faq/free-program.md 
@@ -13,9 +13,9 @@ If you are already a Cloudflare for Teams customer, we have removed the caps on ### Program details The program includes the following features: -* Up to 3 locations -* Unlimited security and content filters -* The ability to assign multiple policies to one location +* Up to 3 locations +* Unlimited security and content filters +* The ability to assign multiple policies to one location * The ability to update IPs for locations -As September 2nd draws closer, users will be prompted to select a paid plan. Pricing for these plans can be found [here](https://www.cloudflare.com/teams-pricing/). Teams that exceed the limit of the Teams Free plan will not be immediately downgraded; however, they will not be able to expand protection to additional users or locations from their current deployment. \ No newline at end of file +As September 2nd draws closer, users will be prompted to select a paid plan. Pricing for these plans can be found [here](https://www.cloudflare.com/teams-pricing/). Teams that exceed the limit of the Teams Free plan will not be immediately downgraded; however, they will not be able to expand protection to additional users or locations from their current deployment. \ No newline at end of file diff --git a/products/gateway/src/content/faq/index.md b/products/gateway/src/content/faq/index.md index cb698717bfaa6ce..f52af2cb4e5f9f4 100644 --- a/products/gateway/src/content/faq/index.md +++ b/products/gateway/src/content/faq/index.md 
@@ -5,13 +5,13 @@ order: 12 # Troubleshooting and FAQ ## I have a dynamic IP address assigned to me by my ISP. How can I still use Gateway? -There are two ways to connect to Cloudflare Gateway: with the Cloudflare WARP client and without the client. +There are two ways to connect to Cloudflare Gateway: with the Cloudflare WARP client and without the client. -You can filter DNS traffic without using the client by registering the source IP of your network and configuring Gateway as your upstream DNS resolver; however, if your IP address changes then Gateway will not know which policy to apply to your queries. This can be solved by using the DoH subdomain associated with the location for which you've configured a policy. When queries reach Gateway over DoH, only the DoH subdomain is used to determine which organization and policy to apply to the query--the source IP of the query is not considered. There are a several of DoH clients available for a variety of operating systems, and we recommend using cloudflared to send queries to Gateway via DoH if not using the Cloudflare WARP client. Simply install cloudflared and configure the DoH subdomain for a chosen location as the upstream resolver in cloudflared. +You can filter DNS traffic without using the client by registering the source IP of your network and configuring Gateway as your upstream DNS resolver; however, if your IP address changes then Gateway will not know which policy to apply to your queries. This can be solved by using the DoH subdomain associated with the location for which you've configured a policy. When queries reach Gateway over DoH, only the DoH subdomain is used to determine which organization and policy to apply to the query--the source IP of the query is not considered. There are a several of DoH clients available for a variety of operating systems, and we recommend using cloudflared to send queries to Gateway via DoH if not using the Cloudflare WARP client. 
Simply install cloudflared and configure the DoH subdomain for a chosen location as the upstream resolver in cloudflared. [Install and configure cloudflared](https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy) -Connecting to Gateway with the Cloudflare WARP client creates a secure connection to the Cloudflare edge and also affords you the ability to send queries to Gateway over DoH. Using the Cloudflare WARP client allows you to apply security for your users wherever they are regardless of location or source IP address. +Connecting to Gateway with the Cloudflare WARP client creates a secure connection to the Cloudflare edge and also affords you the ability to send queries to Gateway over DoH. Using the Cloudflare WARP client allows you to apply security for your users wherever they are regardless of location or source IP address. [Learn more about the Cloudflare WARP client](https://developers.cloudflare.com/warpclient/) diff --git a/products/gateway/src/content/getting-started/configuring-block-page.md b/products/gateway/src/content/getting-started/configuring-block-page.md index 80d3be9f34cbf73..d91bee91eb54800 100644 --- a/products/gateway/src/content/getting-started/configuring-block-page.md +++ b/products/gateway/src/content/getting-started/configuring-block-page.md @@ -27,7 +27,7 @@ To enable a block page using Gateway's policy engine, you will have to follow a 2. Find the policy for which you would like to set up a block page. 3. Click **Edit**. 4. Scroll down to find the **Block page** card. -5. Toggle the **Enable** switch. +5. Toggle the **Enable** switch. ![Enable block page](../static/enable-block-page.png) 
@@ -37,13 +37,13 @@ Enabling block page alone will not work for HTTPS connections. When your users t ![HTTPS browser error](../static/https-browser-error.png) -To fix the browser error, you need to download and add a certificate to your system. +To fix the browser error, you need to download and add a certificate to your system. ## 2. Download certificate 1. Navigate to the **Settings** tab on your [Teams dashboard](https://dash.teams.cloudflare.com). 1. Click on **Account**. 1. Scroll down to find the **Certificates** card. -1. Click on **Download**. +1. Click on **Download**. ![Download certificate](../static/update-certificates-page.png) @@ -69,7 +69,7 @@ You will now need to add the certificate to your system to ensure your web brows If your system asks for admin permission, enter your password or use your fingerprint ID to confirm the changes. ### Firefox -If you are not using Firefox, you can skip this section. +If you are not using Firefox, you can skip this section. Follow the instructions below to finish configuring the block page: diff --git a/products/gateway/src/content/getting-started/configuring-dns-policy.md b/products/gateway/src/content/getting-started/configuring-dns-policy.md index 5d0c011e4a989a3..0cd4efb67faa7d9 100644 --- a/products/gateway/src/content/getting-started/configuring-dns-policy.md +++ b/products/gateway/src/content/getting-started/configuring-dns-policy.md @@ -11,7 +11,7 @@ order: 2 ![Gateway first policy](../static/dash-first-policy.png) -3. Add a **policy name**. +3. Add a **policy name**. ![Gateway policy name](../static/add-policy-name.png) 
@@ -20,9 +20,9 @@ order: 2 5. Navigate to **Security Threats** to choose which security categories you want to block. Click on **Block all** if you want to select all categories. -6. Navigate to **Content Categories** to choose which content categories you want to block. +6. Navigate to **Content Categories** to choose which content categories you want to block. -7. Navigate to **Custom** to allow, block, or override domains. The ability to override lists of URLs and IP addresses will be released in the future. +7. Navigate to **Custom** to allow, block, or override domains. The ability to override lists of URLs and IP addresses will be released in the future. * Click on **Add a destination**. diff --git a/products/gateway/src/content/getting-started/onboarding-gateway.md b/products/gateway/src/content/getting-started/onboarding-gateway.md index dcf376563558381..f29ef95d0e257fe 100644 --- a/products/gateway/src/content/getting-started/onboarding-gateway.md +++ b/products/gateway/src/content/getting-started/onboarding-gateway.md @@ -33,7 +33,7 @@ To start using Gateway, set up your first **location** and your DNS resolvers. 9. Click **Finish setup**. - This will take you to the [Teams dashboard](https://dash.teams.cloudflare.com), where you can start customizing your location, or you can add your first [DNS](https://developers.cloudflare.com/gateway/getting-started/configuring-dns-policy) or [HTTP policy](https://developers.cloudflare.com/gateway/getting-started/configuring-http-policy). + This will take you to the [Teams dashboard](https://dash.teams.cloudflare.com), where you can start customizing your location, or you can add your first [DNS](https://developers.cloudflare.com/gateway/getting-started/configuring-dns-policy) or [HTTP policy](https://developers.cloudflare.com/gateway/getting-started/configuring-http-policy). 
diff --git a/products/gateway/src/content/getting-started/troubleshooting-policies.md b/products/gateway/src/content/getting-started/troubleshooting-policies.md index a8efdfc7663dc1d..50ec82e293715b2 100644 --- a/products/gateway/src/content/getting-started/troubleshooting-policies.md +++ b/products/gateway/src/content/getting-started/troubleshooting-policies.md @@ -30,7 +30,7 @@ Navigate to the **Locations** page to visualize your location. ### Your source IPv4 address is taken ![Source IP taken](../static/source-ip-taken.png) -If you are seeing this, you may be connected to a network where someone else in the same network signed up for Cloudflare Gateway before you did. +If you are seeing this, you may be connected to a network where someone else in the same network signed up for Cloudflare Gateway before you did. If your network supports IPv6, you can still use Cloudflare Gateway's DNS filtering by sending DNS queries over IPv6. You can also use the DNS over HTTPS hostname to send queries using a DNS over HTTPS client. 
@@ -42,12 +42,12 @@ If your network supports IPv6, you can still use Cloudflare Gateway's DNS filter You may not see analytics on the Overview page for the following reasons: ##### 1. You are not sending DNS queries to Gateway -Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your location by going to your locations page and then expanding the location:  +Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your location by going to your locations page and then expanding the location: ![Location With Destinations](../static/expanded-location-with-destinations.png) ##### 2. You are using other DNS resolvers -If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Please make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses. +If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Please make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses. ##### 3. The source IPv4 address for your location is incorrect If you are using IPv4, check the source IPv4 address that you entered for the location matches with the network's source IPv4 address. @@ -91,7 +91,7 @@ If it takes longer than 60 seconds and you are still seeing that you can success ##### Safari -Use the instructions in the Mac section to flush the DNS cache for Safari. +Use the instructions in the Mac section to flush the DNS cache for Safari. ##### Google Chrome diff --git a/products/gateway/src/content/glossary/index.md b/products/gateway/src/content/glossary/index.md index aff552431f567d9..21048ae835213a8 100644 --- a/products/gateway/src/content/glossary/index.md 
+++ b/products/gateway/src/content/glossary/index.md @@ -14,7 +14,7 @@ Cloudflare Access replaces corporate VPNs with Cloudflare’s network. Instead o Cloudflare Gateway is a modern next generation firewall between your user, device or network and the public Internet. Once you setup Cloudflare Gateway, Gateway's DNS filtering service will inspect all Internet bound DNS queries, log them and apply corresponding policies. ## [Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/) -A secure outbound connection which runs in your infrastructure to connect the applications and machines to Cloudflare. +A secure outbound connection which runs in your infrastructure to connect the applications and machines to Cloudflare. ## [Cloudflare Workers](https://developers.cloudflare.com/workers/) Cloudflare Workers provides a serverless execution environment that allows you to create entirely new applications or augment existing ones without configuring or maintaining infrastructure. @@ -41,7 +41,7 @@ The resource being protected by Cloudflare Access. An application can be a subdo |---|---| -## Auth Domain +## Auth Domain The unique subdomain assigned to your Cloudflare account; for example, https://example.cloudflareaccess.com | Related products: | [Access](https://developers.cloudflare.com/access/) | 
@@ -49,35 +49,35 @@ The unique subdomain assigned to your Cloudflare account; for example, https://e ## Authenticated Origin Pulls -Authenticated Origin Pulls let origin web servers validate that a web request came from Cloudflare. Cloudflare uses TLS client certificate authentication, a feature supported by most web servers, to present a Cloudflare certificate when establishing a connection between Cloudflare and the origin web server. +Authenticated Origin Pulls let origin web servers validate that a web request came from Cloudflare. Cloudflare uses TLS client certificate authentication, a feature supported by most web servers, to present a Cloudflare certificate when establishing a connection between Cloudflare and the origin web server. -| Related products: | [Cloudflare SSL](https://developers.cloudflare.com/ssl/) | +| Related products: | [Cloudflare SSL](https://developers.cloudflare.com/ssl/) | |---|---| ## cloudflared -`cloudflared` is the software that powers Argo Tunnel. `cloudflared` runs alongside origin servers to connect to Cloudflare's network, as well as client devices for non-HTTP traffic from user endpoints. +`cloudflared` is the software that powers Argo Tunnel. `cloudflared` runs alongside origin servers to connect to Cloudflare's network, as well as client devices for non-HTTP traffic from user endpoints. -| Related products: | [Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/) | +| Related products: | [Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/) | |---|---| ## daemon A program that performs tasks without active management or maintenance. -| Related products: | [Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/) | +| Related products: | [Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/) | |---|---| ## DoH *DNS over HTTPS* -With DoH, DNS queries and responses are encrypted, and they are sent via the HTTP or HTTP/2 protocols. 
Like [DoT](#DoT), DoH ensures that attackers can't forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – e.g. normal user-driven interactions with websites and web apps – from a network administrator's perspective. +With DoH, DNS queries and responses are encrypted, and they are sent via the HTTP or HTTP/2 protocols. Like [DoT](#DoT), DoH ensures that attackers can't forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – e.g. normal user-driven interactions with websites and web apps – from a network administrator's perspective. | Related products: | [Gateway](https://developers.cloudflare.com/gateway/) | |---|---| ## DNS filtering -DNS filtering is the process of using the Domain Name System to block malicious websites and filter out harmful or inappropriate content. This ensures that company data remains secure and allows companies to have control over what their employees can access on company-managed networks. DNS filtering is often part of a larger access control strategy. +DNS filtering is the process of using the Domain Name System to block malicious websites and filter out harmful or inappropriate content. This ensures that company data remains secure and allows companies to have control over what their employees can access on company-managed networks. DNS filtering is often part of a larger access control strategy. | Related products: | [Gateway](https://developers.cloudflare.com/gateway/) | |---|---| 
@@ -92,18 +92,18 @@ Each device connected to the Internet has a unique IP address which other machin ## DoT *DNS over TLS* -DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as "SSL.") DoT adds TLS encryption on top of the user datagram protocol (UDP), which is used for DNS queries. Additionally, it ensures that DNS requests and responses are not tampered with or forged via on-path attacks. +DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as "SSL.") DoT adds TLS encryption on top of the user datagram protocol (UDP), which is used for DNS queries. Additionally, it ensures that DNS requests and responses are not tampered with or forged via on-path attacks. | Related products: | [Gateway](https://developers.cloudflare.com/gateway/) | |---|---| ## hostname -The name given to a server or node on a network. In most cases, the public DNS name of a server. +The name given to a server or node on a network. In most cases, the public DNS name of a server. ## IdP *identity provider* -An identity provider (IdP or IDP) stores and manages users' digital identities. Think of an IdP as being like a guest list, but for digital and cloud-hosted applications instead of an event. An IdP may check user identities via username-password combinations and other factors, or it may simply provide a list of user identities that another service provider (like an SSO) checks. +An identity provider (IdP or IDP) stores and manages users' digital identities. Think of an IdP as being like a guest list, but for digital and cloud-hosted applications instead of an event. 
An IdP may check user identities via username-password combinations and other factors, or it may simply provide a list of user identities that another service provider (like an SSO) checks. | Related products: | [Access](https://developers.cloudflare.com/access/) | |---|---| 
@@ -111,30 +111,30 @@ An identity provider (IdP or IDP) stores and manages users' digital identities. ## JWT *JSON web token* -An open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. +An open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. | Related products: | [Access](https://developers.cloudflare.com/access/) | |---|---| ## location -Locations are physical entities like offices, homes, retail stores, movie theatres or a data center. +Locations are physical entities like offices, homes, retail stores, movie theatres or a data center. | Related products: | [Gateway](https://developers.cloudflare.com/gateway/) | |---|---| ## mTLS -*mutual TLS* +*mutual TLS* -The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. +The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. ## Next-generation firewall -A next-generation firewall (NGFW) is more powerful than a traditional firewall. NGFWs have the capabilities of traditional firewalls, but they also have a host of added features to address a greater variety of organizational needs. NGFWs can run either in the cloud or on-premises. 
+A next-generation firewall (NGFW) is more powerful than a traditional firewall. NGFWs have the capabilities of traditional firewalls, but they also have a host of added features to address a greater variety of organizational needs. NGFWs can run either in the cloud or on-premises. | Related products: | [Gateway](https://developers.cloudflare.com/gateway/) | |---|---| ## OAuth -OAuth is a technical standard for authorizing users. It is a protocol for passing authorization from one service to another without sharing the actual user credentials, such as a username and password. With OAuth, a user can sign in on one platform and then be authorized to perform actions and view data on another platform. +OAuth is a technical standard for authorizing users. It is a protocol for passing authorization from one service to another without sharing the actual user credentials, such as a username and password. With OAuth, a user can sign in on one platform and then be authorized to perform actions and view data on another platform. | Related products: | [Access](https://developers.cloudflare.com/access/) | |---|---| @@ -147,7 +147,7 @@ A simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to v |---|---| ## Origin certificate -Cloudflare Origin Certificates are free SSL certificates issued by Cloudflare for installation on your origin server to facilitate end-to-end encryption for your visitors using HTTPS. +Cloudflare Origin Certificates are free SSL certificates issued by Cloudflare for installation on your origin server to facilitate end-to-end encryption for your visitors using HTTPS. | Related products: | [Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/) | |---|---| 
@@ -160,9 +160,9 @@ Cloudflare Origin Certificates are free SSL certificates issued by Cloudflare fo |---|---|---| ## RDP -*Remote Desktop Protocol* +*Remote Desktop Protocol* -A protocol, or technical standard, for using a desktop computer remotely. RDP was initially released by Microsoft and is available for most Windows operating systems, but it can be used with Mac operating systems too. +A protocol, or technical standard, for using a desktop computer remotely. RDP was initially released by Microsoft and is available for most Windows operating systems, but it can be used with Mac operating systems too. ## SafeSearch @@ -174,13 +174,13 @@ A feature of search engines that can help you filter explicit or offensive conte ## SAML *Security Assertion Markup Language* -A standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on ([SSO](#SSO)) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications. +A standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on ([SSO](#SSO)) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications. | Related products: | [Access](https://developers.cloudflare.com/access/) | |---|---| ## SASE -*Secure Access Service Edge* +*Secure Access Service Edge* A cloud-based security model which bundles software-defined networking with network security functions and delivers them from a single service provider. SASE packages software-defined wide area networking (SD-WAN) capabilities with other network security functions (like secure web gateways, Zero Trust network access, firewall-as-a-service, and cloud access security brokers) and is delivered from and managed on a single cloud platform. 
@@ -188,13 +188,13 @@ A cloud-based security model which bundles software-defined networking with netw |---|---| ## seat -A unique user who authenticates to connect to an application protected by Cloudflare Access, or to use a Gateway service. +A unique user who authenticates to connect to an application protected by Cloudflare Access, or to use a Gateway service. | Related products: | [Gateway](https://developers.cloudflare.com/gateway/) | [Access](https://developers.cloudflare.com/access/) | |---|---|---| ## service token -Service tokens consist of an ID and Secret generated by Cloudflare Access that can be used by an automated system or application to reach an application protected by Cloudflare Access. Service tokens allow systems to authenticate without identity provider credentials in an automated way. +Service tokens consist of an ID and Secret generated by Cloudflare Access that can be used by an automated system or application to reach an application protected by Cloudflare Access. Service tokens allow systems to authenticate without identity provider credentials in an automated way. | Related products: | [Access](https://developers.cloudflare.com/access/) | |---|---| @@ -226,7 +226,7 @@ Secure Shell (SSH) protocol allows users to connect to infrastructure to perform |---|---| ## SSO -A technology which combines several different application login screens into one. With SSO, a user only has to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications. +A technology which combines several different application login screens into one. With SSO, a user only has to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications. | Related products: | [Access](https://developers.cloudflare.com/access/) | |---|---| 
@@ -250,7 +250,7 @@ WARP is a mobile app designed for everyone. It uses Cloudflare's global network |---|---| ## Zero Trust Security -An IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. No single specific technology is associated with zero trust architecture; it is a holistic approach to network security that incorporates several different principles and technologies. +An IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. No single specific technology is associated with zero trust architecture; it is a holistic approach to network security that incorporates several different principles and technologies. | Related products: | [Access](https://developers.cloudflare.com/access/) | |---|---| diff --git a/products/gateway/src/content/locations/setup-instructions/android/manual.md b/products/gateway/src/content/locations/setup-instructions/android/manual.md index 5a2d5e8216fa90e..d6fc12b927023c2 100644 --- a/products/gateway/src/content/locations/setup-instructions/android/manual.md +++ b/products/gateway/src/content/locations/setup-instructions/android/manual.md 
@@ -10,7 +10,7 @@ Note that if you were using 1.1.1.1 for Families in the mobile app, you will at ## Install the 1.1.1.1 mobile app -Install the 1.1.1.1 mobile app by visiting the [play store](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone) on your Android device. +Install the 1.1.1.1 mobile app by visiting the [play store](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone) on your Android device. If you already have the app on your phone, make sure you have the latest version of the app and then skip to the next step. @@ -30,7 +30,7 @@ Click on 'DNS Settings'. This will take you to the screen where you can configur ![Click on DNS Settings](../../../static/android-click-on-dns-settings.png) ## Enter unique id from Gateway -When you are on this screen on your phone, you will need to enter the unique subdomain of the location you created for your mobile phone. +When you are on this screen on your phone, you will need to enter the unique subdomain of the location you created for your mobile phone. 1. Visit your teams dashboard to fetch the unique id from your location. ![Go to teams dash](../../../static/go-to-teams-dashboard.png) @@ -50,4 +50,4 @@ When you are on this screen on your phone, you will need to enter the unique sub 6. Enter the subdomain inside the field. ![Enter unique id](../../../static/android-enter-unique-id.png) -If 1.1.1.1 DNS, WARP or WARP+ was already enabled, the 1.1.1.1 app should be using Gateway now. \ No newline at end of file +If 1.1.1.1 DNS, WARP or WARP+ was already enabled, the 1.1.1.1 app should be using Gateway now. \ No newline at end of file diff --git a/products/gateway/src/content/locations/setup-instructions/android/mdm.md b/products/gateway/src/content/locations/setup-instructions/android/mdm.md index 83c7e78e530aadb..dd7045fec60fd7d 100644 --- a/products/gateway/src/content/locations/setup-instructions/android/mdm.md 
+++ b/products/gateway/src/content/locations/setup-instructions/android/mdm.md @@ -6,15 +6,15 @@ order: 2 You can deploy Gateway to your corporate Android devices in bulk. Use an MDM solution to deploy your Gateway configuration to all corporate devices. If you want to learn how to use Gateway on your personal Android device please use the setup instructions from [this page](../manual/) instead. ## Unique Gateway Id -When you are on this screen on your phone, you will need to enter the unique subdomain of the location you created for your mobile phone. +When you are on this screen on your phone, you will need to enter the unique subdomain of the location you created for your mobile phone. 1. Visit your teams dashboard to fetch the unique id from your location. ![Go to teams dash](../../../static/go-to-teams-dashboard.png) @@ -53,4 +53,4 @@ You can read more about using mdm on Android [here](https://developer.android.co After you save the file, use your preferred MDM tool to deploy the configuration change to your fleet of corporate mobile devices. -If 1.1.1.1 DNS, WARP or WARP+ was already enabled, the 1.1.1.1 app should be using Gateway now. \ No newline at end of file +If 1.1.1.1 DNS, WARP or WARP+ was already enabled, the 1.1.1.1 app should be using Gateway now. \ No newline at end of file diff --git a/products/gateway/src/content/locations/setup-instructions/iOS/manual.md b/products/gateway/src/content/locations/setup-instructions/iOS/manual.md index d436764171adf97..9503a1b0f4df6ad 100644 --- a/products/gateway/src/content/locations/setup-instructions/iOS/manual.md +++ b/products/gateway/src/content/locations/setup-instructions/iOS/manual.md 
@@ -10,7 +10,7 @@ Note that if you were using 1.1.1.1 for Families in the mobile app, you will at ## Install the 1.1.1.1 mobile app -Install the 1.1.1.1 mobile app by visiting the [app store](https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627) on your iOS device. +Install the 1.1.1.1 mobile app by visiting the [app store](https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627) on your iOS device. If you already have the app on your phone, make sure you have the latest version of the app and then skip to the next step. @@ -33,7 +33,7 @@ Click on 'DNS Settings'. This will take you to the screen where you can configur ![Click on DNS Settings](../../../static/click-on-dns-settings.PNG) ## Enter unique id from Gateway -When you are on this screen on your phone, you will need to enter the unique subdomain of the location you created for your mobile phone. +When you are on this screen on your phone, you will need to enter the unique subdomain of the location you created for your mobile phone. 1. Visit your teams dashboard to fetch the unique id from your location. ![Go to teams dash](../../../static/go-to-teams-dashboard.png) @@ -50,4 +50,4 @@ When you are on this screen on your phone, you will need to enter the unique sub 5. Enter the subdomain inside the field **GATEWAY UNIQUE ID** ![Enter unique id](../../../static/enter-unique-id.PNG) -If 1.1.1.1 DNS, WARP or WARP+ was already enabled, the 1.1.1.1 app should be using Gateway now. \ No newline at end of file +If 1.1.1.1 DNS, WARP or WARP+ was already enabled, the 1.1.1.1 app should be using Gateway now. \ No newline at end of file diff --git a/products/gateway/src/content/locations/troubleshooting-locations.md b/products/gateway/src/content/locations/troubleshooting-locations.md index cc67af959b425a8..078b6a7f1fd21fd 100644 --- a/products/gateway/src/content/locations/troubleshooting-locations.md +++ b/products/gateway/src/content/locations/troubleshooting-locations.md 
@@ -6,7 +6,7 @@ order: 3 ### Your source IPv4 address is taken ![Source IP taken](../static/source-ip-taken.png) -You may see this if you are connected to a network where someone else in the same network signed up for Cloudflare Gateway before you did. +You may see this if you are connected to a network where someone else in the same network signed up for Cloudflare Gateway before you did. If your network supports IPv6, you can still use Cloudflare Gateway's DNS filtering by sending DNS queries over IPv6. You can also use the DNS over HTTPS hostname to send queries using a DNS over HTTPS client. 
@@ -18,12 +18,12 @@ If you think someone else is wrongfully using this IPv4 address, please [let us You may not see analytics on the Overview page for the following reasons: ##### 1. You are not sending DNS queries to Gateway -Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your location by going to your locations page and then expanding the location:  +Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your location by going to your locations page and then expanding the location: ![Location With Destinations](../static/expanded-location-with-destinations.png) ##### 2. You are using other DNS resolvers -If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Please make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses. +If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Please make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses. ##### 3. The source IPv4 address for your location is incorrect If you are using IPv4, check the source IPv4 address that you entered for the location matches with the network's source IPv4 address. diff --git a/products/gateway/src/content/policies/adding-a-domain-to-the-allow-list.md b/products/gateway/src/content/policies/adding-a-domain-to-the-allow-list.md index cd6ab908684e8f5..2efec6f1375ab98 100644 --- a/products/gateway/src/content/policies/adding-a-domain-to-the-allow-list.md +++ b/products/gateway/src/content/policies/adding-a-domain-to-the-allow-list.md 
@@ -5,7 +5,7 @@ order: 4 # Adding a domain to the allow list ## Why add a domain to the Allow list -Sometimes you may want to allow a domain when that domain belongs to a category you are blocking. +Sometimes you may want to allow a domain when that domain belongs to a category you are blocking. For example: if you are blocking the category `Sports` and want to allow the domain `arsenal.com` (which belongs to the category), add the domain to the list of allowed domains. diff --git a/products/gateway/src/content/policies/blocking-all-subdomains.md b/products/gateway/src/content/policies/blocking-all-subdomains.md index 5251dbaa0b2c444..f75f4f53edb3675 100644 --- a/products/gateway/src/content/policies/blocking-all-subdomains.md +++ b/products/gateway/src/content/policies/blocking-all-subdomains.md @@ -4,6 +4,6 @@ order: 5 # Blocking All Subdomains -When you manually block a domain, you automatically block all of its subdomains. For example, if you are blocking `example.com`, our policy engine will also block a.example.com, a.b.example.com. +When you manually block a domain, you automatically block all of its subdomains. For example, if you are blocking `example.com`, our policy engine will also block a.example.com, a.b.example.com. If you only want to block a subdomain `a.example.com`, then instead of adding `example.com` to the list, you will add `a.example.com`. Note that once you add `a.example.com` to the block list, Cloudflare Gateway will also block all subdomains of `a.example.com`. \ No newline at end of file diff --git a/products/gateway/src/content/policies/blocking-domains-by-category.md b/products/gateway/src/content/policies/blocking-domains-by-category.md index ec38d5b5df2845c..971ae6d36660450 100644 --- a/products/gateway/src/content/policies/blocking-domains-by-category.md +++ b/products/gateway/src/content/policies/blocking-domains-by-category.md 
@@ -4,7 +4,7 @@ order: 3 # Blocking Domains by Category -You can block domains by selecting a category or multiple categories. When the requested domain mathces the category you are blocking, Gateway will block that domain. +You can block domains by selecting a category or multiple categories. When the requested domain mathces the category you are blocking, Gateway will block that domain. ![Block security threats](../static/block-security-threats-by-category.png) diff --git a/products/gateway/src/content/policies/configure-block-page.md b/products/gateway/src/content/policies/configure-block-page.md index 9a2cc9e869880cc..61c4704909b37b2 100644 --- a/products/gateway/src/content/policies/configure-block-page.md +++ b/products/gateway/src/content/policies/configure-block-page.md @@ -13,9 +13,9 @@ order: 3 When you try to visit a blocked website, by default you will see a browser error like the page you see below: ![No block page](../static/no-block-page.png) -You will see this page because Gateway is not returning the IP address for the blocked domain. As a result, your browser cannot take you to that website. +You will see this page because Gateway is not returning the IP address for the blocked domain. As a result, your browser cannot take you to that website. -However, this may be confusing for some people as they may think that their Internet is not working. +However, this may be confusing for some people as they may think that their Internet is not working. You can remove this confusion by show Cloudflare Gateway's block page to explain to the end user why a website is blocked. 
@@ -51,7 +51,7 @@ From the drop down menu for **When using this certificate** select ***Always Tru Now close the menu and if your system asks for admin permission enter your password or use your fingerprint ID to confirm the changes. ## Firefox -If you are not using Firefox, you can skip to the next section. +If you are not using Firefox, you can skip to the next section. Follow the instructions below to finish configuring the block page: diff --git a/products/gateway/src/content/policies/troubleshooting-policies.md b/products/gateway/src/content/policies/troubleshooting-policies.md index cec84792d7a1607..d5ba099e4535740 100644 --- a/products/gateway/src/content/policies/troubleshooting-policies.md +++ b/products/gateway/src/content/policies/troubleshooting-policies.md @@ -38,7 +38,7 @@ If it takes longer than 60 seconds and you are still seeing that you can success ###### Safari -Use the instructions in the Mac section to flush the DNS cache for Safari. +Use the instructions in the Mac section to flush the DNS cache for Safari. ###### Google Chrome diff --git a/products/gateway/src/content/privacy/index.md b/products/gateway/src/content/privacy/index.md index 3687c13ab18d4c3..be770212f248f63 100644 --- a/products/gateway/src/content/privacy/index.md +++ b/products/gateway/src/content/privacy/index.md 
@@ -11,54 +11,54 @@ DNS logs corresponding to DNS filtering: up to six months HTTP logs corresponding to HTTP traffic filtering: up to 30 days -Teams Free users will have the visibility into the last 24 hours of DNS activity logs. Teams Standard and Enterprise users have 30 days of visibility into both DNS and HTTP activity logs. +Teams Free users will have the visibility into the last 24 hours of DNS activity logs. Teams Standard and Enterprise users have 30 days of visibility into both DNS and HTTP activity logs. ## What fields are logged for HTTP sessions if using the L7 firewall? -### Request ID +### Request ID The ID of the HTTP request -### Timestamp +### Timestamp The timestamp of the HTTP request   -### Account ID +### Account ID The Cloudflare Account Tag -### User ID +### User ID UUID of user in User Registry--this is generated by the WARP client on the device that created the request -### Device ID +### Device ID UUID of device in Device Registry (the ID of the device that made the request)--this is generated by the WARP client on the device that created the request -### Rule ID +### Rule ID UUID of matching Gateway rule -### Action +### Action The Gateway action taken based on the first rule that matched. For example: Allowed, Blocked, Bypass, etc. ### HTTP Host The hostname in the HTTP header for the HTTP request -### HTTP Method +### HTTP Method The HTTP method used for the request (e.g., GET, POST, etc.) 
-### HTTP Version +### HTTP Version The HTTP version of the origin that Gateway connected to on behalf of the user   -### URL +### URL The full URL of the HTTP request   -### Referer +### Referer The Referer request header contains the address of the page making the request   -### User Agent +### User Agent The user agent header sent in the request by the originating device -### Uploaded Filenames  +### Uploaded Filenames List of file name strings if a file upload occurred -### Downloaded Filenames  +### Downloaded Filenames List of file name strings if a file download occurred   -### Blocked Filename +### Blocked Filename The name of the blocked file diff --git a/products/gateway/src/content/reference/policy.md b/products/gateway/src/content/reference/policy.md index 8ad8aa91281024a..0abc5e6a008455e 100644 --- a/products/gateway/src/content/reference/policy.md +++ b/products/gateway/src/content/reference/policy.md @@ -6,7 +6,7 @@ order: 2 Internet-bound traffic from a client is evaluated in the following way: -If the WARP client is configured to send DNS requests over DoH to Gateway, the DNS queries are evaluated against content and security policies configured for the organization. If the domain is allowed, the client receives the DNS resolution and initiates an HTTP connection. +If the WARP client is configured to send DNS requests over DoH to Gateway, the DNS queries are evaluated against content and security policies configured for the organization. If the domain is allowed, the client receives the DNS resolution and initiates an HTTP connection. Cloudflare Gateway currently filters HTTP traffic over port 80 and 443. If the HTTP connection is within a TLS connection, the TLS connection will be terminated at Cloudflare Gateway so the HTTP traffic can be inspected (unless an administrator configures a bypass rule). If the HTTP connection does not violate any policies configured by an administrator, the traffic is allowed through to the origin server. 
@@ -15,12 +15,12 @@ Cloudflare Gateway currently filters HTTP traffic over port 80 and 443. If the H ### What is a Policy? -A policy is a set of rules you can set up for one specific location or for multiple locations. Through Cloudflare Gateway's policy engine, you can filter domains by categories, manually block domains by specifying them in a list, and override domains to allow them even if those domains are getting blocked by a category. +A policy is a set of rules you can set up for one specific location or for multiple locations. Through Cloudflare Gateway's policy engine, you can filter domains by categories, manually block domains by specifying them in a list, and override domains to allow them even if those domains are getting blocked by a category. -When setting up a policy, you can also enable features such as SafeSearch or YouTube Restricted Mode. +When setting up a policy, you can also enable features such as SafeSearch or YouTube Restricted Mode. ### Blocking a Subdomain -When you manually block a domain, you automatically block all of its subdomains. For example, if you are blocking `example.com`, our policy engine will also block `a.example.com`, `a.b.example.com`. +When you manually block a domain, you automatically block all of its subdomains. For example, if you are blocking `example.com`, our policy engine will also block `a.example.com`, `a.b.example.com`. If you only want to block a subdomain `a.example.com`, then instead of adding `example.com` to the list, you will add `a.example.com`. Note that once you add `a.example.com` to the block list, Cloudflare Gateway will also block all subdomains of `a.example.com`. 
@@ -53,25 +53,25 @@ Cloudflare Gateway allows users to match against the following HTTP traffic crit * Uploaded and Downloaded File Extension * Uploaded and Downloaded Mime Type -Like with DNS filtering, Cloudflare also maintains URLs associated with content categories and security threats. Organizations can choose to match against some or all of these categories to complement filtering at the DNS layer. +Like with DNS filtering, Cloudflare also maintains URLs associated with content categories and security threats. Organizations can choose to match against some or all of these categories to complement filtering at the DNS layer. ### How can a match be configured? -Depending on the criteria selected, administrators can choose to match in a variety of ways: +Depending on the criteria selected, administrators can choose to match in a variety of ways: -| Operator | Meaning +| Operator | Meaning |:---------------------:|:---------------------------:| -| is | exact match, equals | -| is not | all except exact match | -| in | in any of defined entries | +| is | exact match, equals | +| is not | all except exact match | +| in | in any of defined entries | | not in | not in defined entries | -| matches regex | regex evaluates to true | +| matches regex | regex evaluates to true | | does not match regex | all except when regex evals to true | ### What actions can be taken when a match is made? -All rules support **allow** and **block** actions. However, administrators may wish to bypass certain sites from inspection. Cloudflare Gateway uses the hostname in the HTTP CONNECT header to identify the destination of the request. Administrators who wish to bypass a site must match against the host in order to prevent HTTP inspection from occuring on both encrypted and plaintext traffic. The **bypass** action is only available when matching against the **host** criteria. +All rules support **allow** and **block** actions. 
However, administrators may wish to bypass certain sites from inspection. Cloudflare Gateway uses the hostname in the HTTP CONNECT header to identify the destination of the request. Administrators who wish to bypass a site must match against the host in order to prevent HTTP inspection from occuring on both encrypted and plaintext traffic. The **bypass** action is only available when matching against the **host** criteria. ### How can I bypass the L7 firewall for a website? @@ -81,7 +81,7 @@ Bypassing the L7 firewall results in no HTTP traffic inspection and logging is d ### In what order are rules evaluated? -The L7 firewall evaluates rules starting with the rule containing the lowest precedence (e.g., rule number one). Rules with a higher value precedence are evaluated after those with a lower value. +The L7 firewall evaluates rules starting with the rule containing the lowest precedence (e.g., rule number one). Rules with a higher value precedence are evaluated after those with a lower value. ### What file extensions can I match against? diff --git a/products/gateway/src/content/reporting/activity-log.md b/products/gateway/src/content/reporting/activity-log.md index ac927049ff2b4fb..f18760a801c39de 100644 --- a/products/gateway/src/content/reporting/activity-log.md +++ b/products/gateway/src/content/reporting/activity-log.md @@ -10,7 +10,7 @@ The Activity log allows you to see individual DNS queries made from your locatio ![Gateway activity log](../static/teams-dash-activity-log.png) -When you click on the row, you can see information related to the identity that is making the DNS request and attributes relevant to the DNS queries. +When you click on the row, you can see information related to the identity that is making the DNS request and attributes relevant to the DNS queries. ![Gateway activity log expanded](../static/teams-dash-activity-log-expanded.png) 
@@ -25,7 +25,7 @@ The DNS query type. [This page](https://en.wikipedia.org/wiki/List_of_DNS_record #### Action What Action Gateway applied. For example: Allowed, Blocked etc. -#### Source IP +#### Source IP The public source IP of the DNS request. #### Time @@ -65,14 +65,14 @@ The timestamp of the HTTP request #### URL The full URL of the HTTP request -#### Device +#### Device The ID of the device that made the request. This is generated by the WARP client on the device that created the request. #### Referer The Referer request header contains the address of the page making the request. #### User Agent -The user agent header sent in the request by the originating device. +The user agent header sent in the request by the originating device. #### File Name File name string if a file transfer occurred or was attempted. @@ -81,4 +81,4 @@ File name string if a file transfer occurred or was attempted. The HTTP version of the origin that Gateway connected to on behalf of the user. #### Policy Details -The policy corresponding to the decision Gateway made based on the traffic critera of the request. +The policy corresponding to the decision Gateway made based on the traffic critera of the request. diff --git a/products/logs/src/content/analytics-integrations/graylog/index.md b/products/logs/src/content/analytics-integrations/graylog/index.md index 4ec45bc679edcfa..3625a9ec3846b1e 100644 --- a/products/logs/src/content/analytics-integrations/graylog/index.md +++ b/products/logs/src/content/analytics-integrations/graylog/index.md 
@@ -28,7 +28,7 @@ Cloudflare logs are HTTP/HTTPS request logs in JSON format and are gathered from ## Task 1 - Preparation -Before getting Cloudflare logs into Graylog:  +Before getting Cloudflare logs into Graylog: 1. Configure Cloudflare [Logpush](https://developers.cloudflare.com/logs/logpush/) to push logs with all desired fields to an AWS S3 bucket of your choice. 2. Download the latest Graylog Integration for Cloudflare from the Graylog website: [https://go.graylog.com/cloudflare](https://go.graylog.com/cloudflare). diff --git a/products/mobile-sdk/src/content/cordova/index.md b/products/mobile-sdk/src/content/cordova/index.md index 33880d79936be9b..d70a64fec1878e8 100644 --- a/products/mobile-sdk/src/content/cordova/index.md +++ b/products/mobile-sdk/src/content/cordova/index.md @@ -17,7 +17,7 @@ To integrate the plugin, run the following command in your project directory: ## Initializing Neumob ## -Initialization is the process of modifying your application in order to communicate with Neumob. You will need to register your iOS and/or Android application and obtain an ``appID`` from the Neumob portal. +Initialization is the process of modifying your application in order to communicate with Neumob. You will need to register your iOS and/or Android application and obtain an ``appID`` from the Neumob portal. **Initialize** Neumob after the plugins are finished loading. To initialize Neumob use the following API in either your **onDeviceReady** event or whenever your app plugins are loaded. 
@@ -28,7 +28,7 @@ Initialization is the process of modifying your application in order to communic - - **callback** - The callback is a optional function that can be used to verify initialization. It should accept 2 parameters: - ``initialized`` is a boolean indicating Neumob is enabled and ready to accelerate your network requests. - ``accelerated`` is a boolean indicating whether Neumob is currently accelerating your requests. You may configure whether or not Neumob is accelerated by adjusting the % accelerated slider through the portal (click the **settings** button for the app version on your app details page). If you plan to A / B test accelerated vs unaccelerated Neumob sessions, we recommend using the ``accelerated`` API in the ``completionHandler``. Please note that ``accelerated`` is **sticky**- meaning a user who is **accelerated** will remain accelerated until the % accelerated slider value is changed. The ``accelerated`` boolean value can be used to populate a property or dimension within your mobile analytics platform. - + Here's an example of how you might verify Neumob initialization and check whether a session is accelerated.
@@ -49,7 +49,7 @@ Initialization is the process of modifying your application in order to communic >
{`}`} else {`{`}
>
> #### // Neumob is OFF. Change log settings for more details. #### - > + > > >
> >
{`}`}
> >
@@ -71,19 +71,19 @@ The logging levels available in order of verbosity are as follows 2. ``Neumob.LOG_WARNING`` - Only print warning and error messages 3. ``Neumob.LOG_ERROR`` - Only print error messages 4. ``Neumob.LOG_NONE`` - Turn off all Neumob log messages - + ## Considerations ## - + 5. The Cordova SDK uses allows you to accelerate only certain domains by implementing a blacklist or whitelist in the portal for your SDK Version and App Version. If you use 3rd party APIs like Google Analytics, we recommend adding those hosts to the blacklist. - + iOS ~~~ ### 1. If you are building a bitcode NOT enabled application, you will need to replace the Neumob.framework dependency in **platform/ios/NeumobSDK**. You can find a bitcode not enabled framework on the portal by navigating to any iOS application you've created and downloading the SDK with the format x.x.x.1 where 1 indicates bitcode disabled and 2 indicated bitcode enabled. *** 1. The Cordova iOS SDK has a native dependency which causes the Xcode debugger to stop on SIGPIPEs. These SIGPIPEs will not negatively affect your application and you can ignore them by adding a breakpoint with the debugger command ``process handle SIGPIPE -n false -s false`` - - + + 1. The Cordova iOS SDK does not currently support ``WKWebView``. \ No newline at end of file diff --git a/products/mobile-sdk/src/content/integrations/analytics.md b/products/mobile-sdk/src/content/integrations/analytics.md index ac4efbaeff785ba..21325900ce01ee7 100644 --- a/products/mobile-sdk/src/content/integrations/analytics.md +++ b/products/mobile-sdk/src/content/integrations/analytics.md @@ -16,7 +16,7 @@ iOS – Objective C. [mixpanel registerSuperProperties:@{@”Neumob Accelerated”: @accelerated}]; -iOS – Swift. +iOS – Swift. Mixpanel.mainInstance().registerSuperProperties([“Neumob Accelerated”: accelerated]) 
@@ -33,7 +33,7 @@ iOS – Objective C. [Localytics setValue:@accelerated forCustomDimension:0]; -iOS – Swift. +iOS – Swift. Localytics.setValue(accelerated, forCustomDimension: 0) diff --git a/products/mobile-sdk/src/content/old-faq/index.md b/products/mobile-sdk/src/content/old-faq/index.md index 2cd2448d1cf93e6..df848a6304b6079 100644 --- a/products/mobile-sdk/src/content/old-faq/index.md +++ b/products/mobile-sdk/src/content/old-faq/index.md @@ -14,11 +14,11 @@ These are normal. Neumob uses real-time measurements from mobile operators and t ## My company uses a CDN, firewall, WAF, or other filter for incoming requests. Can we still integrate Neumob SDK into our app? ## 1. Neumob SDK can integrate into your existing setup. To aid with the integration, we have the following features available: - + ### Neumob Headers ### -With Neumob SDK version 3.2.4+ (iOS) and 3.2.7+ (Android), the Neumob SDK adds a custom header to all requests sent through the Neumob Acceleration Network. The custom header is called "X-Neumob" with a base-64 encoded hash of the app client key, which can be generated using the following *nix/MacOS command sequence: echo -n {clientkey} | shasum -a 1 | xxd -r -p | base64. +With Neumob SDK version 3.2.4+ (iOS) and 3.2.7+ (Android), the Neumob SDK adds a custom header to all requests sent through the Neumob Acceleration Network. The custom header is called "X-Neumob" with a base-64 encoded hash of the app client key, which can be generated using the following *nix/MacOS command sequence: echo -n {clientkey} | shasum -a 1 | xxd -r -p | base64. **Requests with the "X-Neumob" header should be allowed through existing filters.** 
@@ -35,19 +35,19 @@ It is *strongly* encouraged to filter based on HTTP header as listed above rathe ## Does Neumob support monitoring of network traffic through a web proxy like Charles Proxy? ## 1. The Neumob SDK uses a UDP-based custom protocol to provide acceleration over the "mobile" mile. Charles Proxy supports http/https over TCP, so traffic that is being accelerated through the Neumob SDK will not be visible within Charles Proxy. - + ## Is there any way for my origin to know the client IP address that a request was made from? ## 1. As data transmitted through the Neumob SDK is sent via our proxy servers, the source IP address shown when the request arrives at the origin server will be that of a Neumob proxy server. However, within the request the Neumob SDK adds a header, called "X-Forwarded-For", to the request that can be used to determine the client's original IP address. - + X-Forwarded-For: 1.1.1.1 ## Your website says that the service takes 2 days to learn, customize, and then accelerate our network calls. Does it also require a certain volume of calls? ## 1. The Neumob Global Acceleration Network relies on machine learning to learn your app domains, types of content, and routing. This process can take up to 2 days depending on traffic volumes. If Neumob hasn't learned the route, it may choose to bypass the Neumob Protocol and go directly to origin. - + In cases where Neumob pulls from your existing CDN instead of directly from your origin, this is especially necessary because we have to learn the best CDN location to pull from each of our pops. 
@@ -60,9 +60,9 @@ If you are using other libraries with native binaries, you may encounter the abo 1. Decompile your APK (apktool) or extract the contents (change .apk -> .zip). 2. The resulting directory will contain a lib/ folder containing native binaries for different architectures. 3. Neumob includes a native binary called libcproxy built for arm64-v8a, armeabi, armeabi-v7a, and x86. - -3.1) If the lib/ folder for your APK includes more folders than the above (often mips, mips64, x86_64), then the Neumob SDK will not initialize on those machines but the app will continue to run fine. If you are using a 3rd-party library with an x86_64 native binary and testing on a Mac simulator (x86_64), please send a message to support@neumob.com. + +3.1) If the lib/ folder for your APK includes more folders than the above (often mips, mips64, x86_64), then the Neumob SDK will not initialize on those machines but the app will continue to run fine. If you are using a 3rd-party library with an x86_64 native binary and testing on a Mac simulator (x86_64), please send a message to support@neumob.com. 3.2) If you are encountering the issue and Neumob is building for additional architectures (often armeabi-v7a and x86), you can modify the Neumob jar file for compatibility with ``zip -d neumob-android-X.X.X.jar lib/arch_to_remove/libcproxy.so lib/arch_to_remove/`` diff --git a/products/mobile-sdk/src/content/server/index.md b/products/mobile-sdk/src/content/server/index.md index 28e91716e3ad0d4..cce78a5a969c721 100644 --- a/products/mobile-sdk/src/content/server/index.md +++ b/products/mobile-sdk/src/content/server/index.md 
@@ -13,7 +13,7 @@ Typically the only change required on the server-side to enable the Neumob servi ### Neumob Headers ### -With Neumob SDK version 3.2.4+ (iOS) and 3.2.7+ (Android), the Neumob SDK adds a custom header to all requests sent through the Neumob Acceleration Network. The custom header is called "X-Neumob" with a base-64 encoded hash of the app client key. +With Neumob SDK version 3.2.4+ (iOS) and 3.2.7+ (Android), the Neumob SDK adds a custom header to all requests sent through the Neumob Acceleration Network. The custom header is called "X-Neumob" with a base-64 encoded hash of the app client key. **Requests with the "X-Neumob" header should be allowed through existing filters.** 
@@ -25,29 +25,29 @@ An example Neumob custom header can be found below. **PLEASE NOTE THAT OUR IP ADDRESS LIST CHANGES OFTEN!** -It is *strongly* encouraged to filter based on HTTP header as listed above rather than IP address, but it is understood that sometimes this is not possible, -so Neumob makes available a real-time list of IP blocks and addresses used at every Point of Presence (PoP) within the Neumob Global Network. +It is *strongly* encouraged to filter based on HTTP header as listed above rather than IP address, but it is understood that sometimes this is not possible, +so Neumob makes available a real-time list of IP blocks and addresses used at every Point of Presence (PoP) within the Neumob Global Network. These can be found by navigating to the following web address, which requires a portal account: `https://portal.neumob.com/v2s/ip-addresses `_ ## Monitoring with Neumob ## -The Neumob SDK uses a UDP-based custom protocol to provide acceleration over the "mobile" mile. -As a result, any monitor that tracks http/https over TCP will not see accelerated traffic between the device and Neumob's proxy service. +The Neumob SDK uses a UDP-based custom protocol to provide acceleration over the "mobile" mile. +As a result, any monitor that tracks http/https over TCP will not see accelerated traffic between the device and Neumob's proxy service. An example of one is Charles Proxy, but also packet analyzers like Wireshark will not be able to parse Neumob packets above the IP layer. -Neumob does, however, provide metrics and charting capabilities of its own, including by site, country, app version, network carrier, etc. +Neumob does, however, provide metrics and charting capabilities of its own, including by site, country, app version, network carrier, etc. 1. simple guide is here: `Portal Brochure `_ - + ## Other Notes ## ### NeumobBot ### -Neumob uses real-time measurements from our servers to find the best path to fetch content. 
+Neumob uses real-time measurements from our servers to find the best path to fetch content. These measurements will be visible to your existing monitors. -1. distributed network of agents with User-Agent = NeumobBot are used to conduct these measurements, so they can be ignored. +1. distributed network of agents with User-Agent = NeumobBot are used to conduct these measurements, so they can be ignored. The rate of NeumobBot UDP requests is once per pop, per domain, per hour. This rate does not increase with traffic. - + ### Client IP Address ### diff --git a/products/randomness-beacon/src/content/about/Drand.md b/products/randomness-beacon/src/content/about/Drand.md index 1515e4476648a88..1c954cba6289bb9 100644 --- a/products/randomness-beacon/src/content/about/Drand.md +++ b/products/randomness-beacon/src/content/about/Drand.md 
@@ -5,6 +5,6 @@ order: 0 # What is drand? -The drand project aims to address the current lack of services providing distributed public randomness. Distributed to increase the reasilience and trustworthiness. drand provides a standalone randomness-as-a-service network that is application agnostic. For example, similar to NTP networks serving timing information accross the globe. drand follows the [KISS principle](https://en.wikipedia.org/wiki/KISS_principle), relying on well-researched cryptographic building blocks and open-source software design principles and libraries, such as protobuf and gRPC, to ensure high performance and interoperability. drand also attempts to use sane security defaults, such as having TLS enabled by default. +The drand project aims to address the current lack of services providing distributed public randomness. Distributed to increase the reasilience and trustworthiness. drand provides a standalone randomness-as-a-service network that is application agnostic. For example, similar to NTP networks serving timing information accross the globe. drand follows the [KISS principle](https://en.wikipedia.org/wiki/KISS_principle), relying on well-researched cryptographic building blocks and open-source software design principles and libraries, such as protobuf and gRPC, to ensure high performance and interoperability. drand also attempts to use sane security defaults, such as having TLS enabled by default. Beyond that, drand adds new features important for its practical deployment, such as being able to securely add and remove members of the network through [resharing](https://ieeexplore.ieee.org/document/1183515) while keeping the same shared public key necessary for randomness verification. \ No newline at end of file diff --git a/products/randomness-beacon/src/content/about/Future.md b/products/randomness-beacon/src/content/about/Future.md index 7c62417a324f354..fc0c90dafd27755 100644 --- a/products/randomness-beacon/src/content/about/Future.md 
+++ b/products/randomness-beacon/src/content/about/Future.md @@ -5,7 +5,7 @@ order: 2 # What do you see as the future of this project? -As of spring 2020, the drand network is production-ready, and we believe that it can now be considered foundational Internet infrastructure, much like DNS or BGP. +As of spring 2020, the drand network is production-ready, and we believe that it can now be considered foundational Internet infrastructure, much like DNS or BGP. While the project has reached a mature state, we believe there are several ways for drand to continue to evolve. diff --git a/products/ssl/src/content/client-certificates/configure-your-mobile-app-or-iot-device.md b/products/ssl/src/content/client-certificates/configure-your-mobile-app-or-iot-device.md index 70f7bae55bff11a..2a87ef15ddbee0c 100644 --- a/products/ssl/src/content/client-certificates/configure-your-mobile-app-or-iot-device.md +++ b/products/ssl/src/content/client-certificates/configure-your-mobile-app-or-iot-device.md @@ -303,7 +303,7 @@ from datetime import datetime def readSensor(): - # Takes a reading from a temperature sensor and store it to temp_measurement + # Takes a reading from a temperature sensor and store it to temp_measurement dateTimeObj = datetime.now() timestampStr = dateTimeObj.strftime(‘%Y-%m-%dT%H:%M:%SZ’) @@ -317,13 +317,13 @@ def main(): temperature = readSensor() payload = json.dumps(temperature) - + url = 'https://shield.upinatoms.com/temps' json_headers = {'Content-Type': 'application/json'} cert_file = ('/etc/ssl/certs/sensor.pem', '/etc/ssl/private/sensor-key.pem') - + r = requests.post(url, headers = json_headers, data = payload, cert = cert_file) - + print("Request body: ", r.request.body) print("Response status code: %d" % r.status_code) ``` diff --git a/products/ssl/src/content/keyless-ssl/configuration.md b/products/ssl/src/content/keyless-ssl/configuration.md index 45de0613dc8e342..f12679c1366a409 100644 --- a/products/ssl/src/content/keyless-ssl/configuration.md 
+++ b/products/ssl/src/content/keyless-ssl/configuration.md @@ -42,7 +42,7 @@ Note: You will need to create a public DNS record for your key server. If you ar Before your key server(s) can be configured, you must next upload the corresponding SSL certificates to Cloudflare’s edge. During TLS termination, Cloudflare will present these certificates to connecting browsers and then (for non-resumed sessions) communicate with the specified key server to complete the handshake. -It is recommended that you upload certificates to Cloudflare with only SANs that you wish to use with Cloudflare Keyless SSL. All hostnames you wish to use with Keyless SSL must be “orange clouded” (proxied) on Cloudflare. +It is recommended that you upload certificates to Cloudflare with only SANs that you wish to use with Cloudflare Keyless SSL. All hostnames you wish to use with Keyless SSL must be “orange clouded” (proxied) on Cloudflare. For each certificate you wish to use with Keyless SSL: diff --git a/products/ssl/src/content/keyless-ssl/hardware-security-modules/azure-dedicated-hsm.md b/products/ssl/src/content/keyless-ssl/hardware-security-modules/azure-dedicated-hsm.md index d805885929cb941..29c8cf982b56569 100644 --- a/products/ssl/src/content/keyless-ssl/hardware-security-modules/azure-dedicated-hsm.md +++ b/products/ssl/src/content/keyless-ssl/hardware-security-modules/azure-dedicated-hsm.md @@ -20,7 +20,7 @@ The first step we’ll take is creating an HSM partition, which can be thought o vm$ ssh tenantadmin@hsm [local_host] lunash:>hsm login - Please enter the HSM Administrators' password: + Please enter the HSM Administrators' password: > ******** @@ -32,7 +32,7 @@ Command Result : 0 (Success) [local_host] lunash:>partition create -partition KeylessSSL - Type 'proceed' to create the partition, or + Type 'proceed' to create the partition, or 'quit' to quit now. > proceed 'partition create' successful. 
@@ -62,11 +62,11 @@ lunacm (64-bit) v7.2.0-220. Copyright (c) 2018 SafeNet. All rights reserved. Available HSMs: - Slot Id -> 0 - Label -> - Serial Number -> XXXXXXXXXXXXX - Model -> LunaSA 7.2.0 - Firmware Version -> 7.0.3 + Slot Id -> 0 + Label -> + Serial Number -> XXXXXXXXXXXXX + Model -> LunaSA 7.2.0 + Firmware Version -> 7.0.3 Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode Slot Description -> Net Token Slot @@ -86,7 +86,7 @@ lunacm:>partition init -label KeylessSSL -domain cloudflare Type 'proceed' to continue, or 'quit' to quit now ->proceed -Command Result : No Error +Command Result : No Error ``` -------- @@ -99,7 +99,7 @@ Before running the commands below, check with your information security and/or c # cmu generatekeypair -keyType=RSA -modulusBits=2048 -publicExponent=65537 -sign=1 -verify=1 -labelpublic=myrsakey -labelprivate=myrsakey -keygenmech=1 Please enter password for token in slot 0 : ******** - + # cmu list Please enter password for token in slot 0 : ******** @@ -120,7 +120,7 @@ Using "CKM_SHA256_RSA_PKCS" Mechanism ## 3. Obtain and upload a signed certificate from your Certificate Authority (CA) -Provide the CSR created in the previous step to your organization’s preferred CA, demonstrate control of your domain as requested, and then download the signed SSL certificates. Follow the instructions provided in [Uploading “Keyless” SSL Certificates](/keyless-ssl/configuration/#uploading-keyless-ssl-certificates). +Provide the CSR created in the previous step to your organization’s preferred CA, demonstrate control of your domain as requested, and then download the signed SSL certificates. Follow the instructions provided in [Uploading “Keyless” SSL Certificates](/keyless-ssl/configuration/#uploading-keyless-ssl-certificates). -------- 
diff --git a/products/ssl/src/content/keyless-ssl/hardware-security-modules/ibm-cloud-hsm.md b/products/ssl/src/content/keyless-ssl/hardware-security-modules/ibm-cloud-hsm.md index 8334c9bd26eaf3a..cda1a0d22d65381 100644 --- a/products/ssl/src/content/keyless-ssl/hardware-security-modules/ibm-cloud-hsm.md +++ b/products/ssl/src/content/keyless-ssl/hardware-security-modules/ibm-cloud-hsm.md @@ -19,14 +19,14 @@ The first step we’ll take is creating an HSM partition, which can be thought o vm$ ssh admin@hsm [cloudflare-hsm.softlayer.com] lunash:>partition create -partition KeylessSSL - - + + Type 'proceed' to create the partition, or 'quit' to quit now. > proceed 'partition create' successful. - - + + Command Result : 0 (Success) ``` @@ -34,11 +34,11 @@ Next, the partition needs to be assigned to the client, i.e., your key server. ```bash [cloudflare-hsm.softlayer.com] lunash:>client assignpartition -client cloudflare-vm.softlayer.com -partition KeylessSSL - - + + 'client assignPartition' successful. - - + + Command Result : 0 (Success) ``` @@ -47,18 +47,18 @@ After the partition has been assigned, run `lunacm` from your virtual server and ```txt vm$ lunacm LunaCM v7.1.0-379. Copyright (c) 2006-2017 SafeNet. - + Available HSMs: - + Slot Id -> 0 - Label -> + Label -> Serial Number -> XXXXXXXXXXXXX Model -> LunaSA 7.0.0 Firmware Version -> 7.0.1 Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode Slot Description -> Net Token Slot - - + + Current Slot Id: 0 lunacm:>partition init -label KeylessSSL -domain cloudflare @@ -74,7 +74,7 @@ lunacm:>partition init -label KeylessSSL -domain cloudflare Type 'proceed' to continue, or 'quit' to quit now ->proceed -Command Result : No Error +Command Result : No Error ``` -------- 
@@ -86,10 +86,10 @@ Before running the commands below, check with your information security and/or c ```txt vm$ cmu generatekeypair -keyType=RSA -modulusBits=2048 -publicExponent=65537 -sign=1 -verify=1 -labelpublic=myrsakey -labelprivate=myrsakey -keygenmech=1 Please enter password for token in slot 0 : ******** - + # cmu generatekeypair -keyType=ECDSA -curvetype=3 -sign=1 -verify=1 -labelpublic=myecdsakey -labelprivate=myecdsakey Please enter password for token in slot 0 : ******** - + # cmu list Please enter password for token in slot 0 : ******** handle=61 label=myecdsakey @@ -104,7 +104,7 @@ Using the keys created in the previous step, generate CSRs that can be sent to a # cmu requestCertificate -c="US" -o="Example, Inc." -cn="ibm-cloudhsm.example.com" -s="California" -l="San Francisco" -publichandle=45 -privatehandle=48 -outputfile="rsa.csr" -sha256withrsa Please enter password for token in slot 0 : ******** Using "CKM_SHA256_RSA_PKCS" Mechanism - + # cmu requestCertificate -c="US" -o="Example, Inc." -cn="ibm-cloudhsm.example.com" -s="California" -l="San Francisco" -publichandle=60 -privatehandle=61 -outputfile="ecdsa.csr" -sha256withecdsa Please enter password for token in slot 0 : ******** Using "CKM_ECDSA_SHA256" Mechanism 
@@ -114,7 +114,7 @@ Using "CKM_ECDSA_SHA256" Mechanism ## 3. Obtain and upload signed certificates from your Certificate Authority (CA) -Provide the CSRs created in the previous step to your organization’s preferred CA, demonstrate control of your domain as requested, and then download the signed SSL certificates. Follow the instructions provided in [Uploading “Keyless” SSL Certificates](/keyless-ssl/configuration/#uploading-keyless-ssl-certificates). +Provide the CSRs created in the previous step to your organization’s preferred CA, demonstrate control of your domain as requested, and then download the signed SSL certificates. Follow the instructions provided in [Uploading “Keyless” SSL Certificates](/keyless-ssl/configuration/#uploading-keyless-ssl-certificates). -------- diff --git a/products/ssl/src/content/keyless-ssl/hardware-security-modules/ncipher-thales-nshield-connect.md b/products/ssl/src/content/keyless-ssl/hardware-security-modules/ncipher-thales-nshield-connect.md index f948d5fceea49ea..0445c6a65d31926 100644 --- a/products/ssl/src/content/keyless-ssl/hardware-security-modules/ncipher-thales-nshield-connect.md +++ b/products/ssl/src/content/keyless-ssl/hardware-security-modules/ncipher-thales-nshield-connect.md @@ -17,7 +17,7 @@ We ask `pkcs11-tool` (provided by the `opensc` package) to display the objects s ```txt $ pkcs11-tool --module /opt/nfast/toolkits/pkcs11/libcknfast.so -O Using slot 0 with a present token (0x1d622495) -Private Key Object; RSA +Private Key Object; RSA label: rsa-privkey ID: 105013281578de42ea45f5bfac46d302fb006687 Usage: decrypt, sign, unwrap diff --git a/products/ssl/src/content/keyless-ssl/scaling-and-benchmarking.md b/products/ssl/src/content/keyless-ssl/scaling-and-benchmarking.md index ce3449ebd3ef7aa..81f39cf8e6b8c14 100644 --- a/products/ssl/src/content/keyless-ssl/scaling-and-benchmarking.md +++ b/products/ssl/src/content/keyless-ssl/scaling-and-benchmarking.md 
@@ -6,7 +6,7 @@ order: 3 Cloudflare’s Keyless SSL technology was designed to scale to accommodate any sized workload using vertical and horizontal scaling, and pre-computation techniques wherever possible, e.g., ECDSA. The goals of the architectural design of the key server are to minimize latency while maximizing signing operations per second. -Each key server uses a worker pool model, with incoming client connections handled by its own pair of reader/writer goroutines and cryptographic work done in separate worker goroutines pulled from a a global pool. +Each key server uses a worker pool model, with incoming client connections handled by its own pair of reader/writer goroutines and cryptographic work done in separate worker goroutines pulled from a a global pool. Where needed, multiple key servers can be deployed and balanced between using your preferred ingress load balancing configuration; for full HA, you should make sure to deploy sufficient key servers to handle twice the expected workload. diff --git a/products/ssl/src/content/keyless-ssl/troubleshooting.md b/products/ssl/src/content/keyless-ssl/troubleshooting.md index a561ddaa30a1e01..4bf99c031a0c21a 100644 --- a/products/ssl/src/content/keyless-ssl/troubleshooting.md +++ b/products/ssl/src/content/keyless-ssl/troubleshooting.md @@ -18,7 +18,7 @@ $ sudo -u keyless gokeyless --loglevel 0 ## Browsers are seeing a TLS connection failure after trying to connect 1. Make sure your key server is accessible from outside your network (tcp/2407) -2. Provide a packet capture: +2. Provide a packet capture: `$ sudo tcpdump -nni -s 0 -w keyless-$(date +%s).pcap port 2407` ## Clients are connecting, but immediately aborting diff --git a/products/ssl/src/content/ssl-for-saas/certificate-signing-requests.md b/products/ssl/src/content/ssl-for-saas/certificate-signing-requests.md index e0a40c0c96469ba..a0b55a1b082baca 100644 --- a/products/ssl/src/content/ssl-for-saas/certificate-signing-requests.md 
+++ b/products/ssl/src/content/ssl-for-saas/certificate-signing-requests.md @@ -21,7 +21,7 @@ All fields except for organizational_unit and key_type are required. If you do n ```bash $ request_body=$(< <(cat </custom_hostnames/fallback_origin"\ --H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}"\ --H "Content-Type: application/json"\ +"https://api.cloudflare.com/client/v4/zones//custom_hostnames/fallback_origin"\ +-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}"\ +-H "Content-Type: application/json"\ -d '{"origin":"proxy-fallback.saasprovider.com"}' ``` diff --git a/products/ssl/src/content/ssl-for-saas/hostname-verification-backoff-schedule.md b/products/ssl/src/content/ssl-for-saas/hostname-verification-backoff-schedule.md index 6f05c9d9feea364..6a3415e0d2934fe 100644 --- a/products/ssl/src/content/ssl-for-saas/hostname-verification-backoff-schedule.md +++ b/products/ssl/src/content/ssl-for-saas/hostname-verification-backoff-schedule.md @@ -9,7 +9,7 @@ Attempts to verify a Custom Hostname are distributed over 7 days (a total of 75 * For the first 10 attempts: ```txt -now() + min((floor(60 * pow(1.05, retry_attempt)) * INTERVAL '1 second'), INTERVAL '4 hours') +now() + min((floor(60 * pow(1.05, retry_attempt)) * INTERVAL '1 second'), INTERVAL '4 hours') ``` * For the remaining 65 attempts: diff --git a/products/ssl/src/content/ssl-for-saas/hostname-verification.md b/products/ssl/src/content/ssl-for-saas/hostname-verification.md index 8e2b565f3f4198b..f62a6bad858cab3 100644 --- a/products/ssl/src/content/ssl-for-saas/hostname-verification.md +++ b/products/ssl/src/content/ssl-for-saas/hostname-verification.md 
@@ -33,7 +33,7 @@ To prevent unresolvable CNAME loops, only 10 consecutive CNAMES are followed to For verification, the account that owns the custom hostname must also own all A and AAAA records for the apex. To verify ownership, the IP returned for the hostname must reside in the IP prefix allocated to the account. -The few seconds Cloudflare requires to iterate over the CNAME can cause a slight downtime. This is likely acceptable for CNAME verification of Custom Hostnames for staging or development sites. However, Cloudflare recommends verification of Custom Hostnames via TXT record or HTTP token for live production traffic. When TXT or HTTP verification completes and the Custom Hostname shows __Active__ in the Cloudflare __SSL/TLS__ app under the __Custom Hostnames__ tab, inform your customer to CNAME traffic to Cloudflare. +The few seconds Cloudflare requires to iterate over the CNAME can cause a slight downtime. This is likely acceptable for CNAME verification of Custom Hostnames for staging or development sites. However, Cloudflare recommends verification of Custom Hostnames via TXT record or HTTP token for live production traffic. When TXT or HTTP verification completes and the Custom Hostname shows __Active__ in the Cloudflare __SSL/TLS__ app under the __Custom Hostnames__ tab, inform your customer to CNAME traffic to Cloudflare. ### TXT diff --git a/products/ssl/src/content/ssl-for-saas/status-codes/custom-csrs.md b/products/ssl/src/content/ssl-for-saas/status-codes/custom-csrs.md index c7a43b7162e4909..ceb25ef0244fc93 100644 --- a/products/ssl/src/content/ssl-for-saas/status-codes/custom-csrs.md +++ b/products/ssl/src/content/ssl-for-saas/status-codes/custom-csrs.md 
@@ -32,7 +32,7 @@ HTTP Status Code|API Error Code|Error Message 400|1412|Invalid subject alternative name(s) (SAN). SANs have to be smaller than 256 characters in length, cannot be IP addresses, cannot contain any special characters such as ~`!@#$%^&*()=+{}[]|\\;:'\",<>/? and cannot begin or end with a ‘-’ character. Please check your input and try again. 400|1413|Subject Alternative Names (SANs) with non-ASCII characters are not supported. Please check your input and try again. 400|1414|Reserved top domain subject alternative names (SAN), such as 'test', 'example', 'invalid' or 'localhost', is not supported. Please check your input and try again. -400|1415|Unable to parse subject alternative name(s) (SAN) - :reason. Please check your input and try again. Reasons: publicsuffix: cannot derive eTLD+1 for domain %q; publicsuffix: invalid public suffix %q for domain %q; +400|1415|Unable to parse subject alternative name(s) (SAN) - :reason. Please check your input and try again. Reasons: publicsuffix: cannot derive eTLD+1 for domain %q; publicsuffix: invalid public suffix %q for domain %q; 400|1416|Subject Alternative Names (SANs) ending in example.com, example.net, or example.org are prohibited. Please check your input and try again. 400|1417|Invalid key type. Only 'rsa2048' or 'p256v1' is accepted. Please check your input and try again. 400|1418|The custom CSR ID is invalid. Please check your input and try again. diff --git a/products/ssl/src/content/ssl-for-saas/troubleshooting.md b/products/ssl/src/content/ssl-for-saas/troubleshooting.md index 77999f9aa86f78e..c6a49edbac93b3e 100644 --- a/products/ssl/src/content/ssl-for-saas/troubleshooting.md +++ b/products/ssl/src/content/ssl-for-saas/troubleshooting.md 
@@ -56,7 +56,7 @@ You can send a `PATCH` request to request an immediate validation check on any c ```bash $ curl -sXPATCH https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_hostnames/7f09bb24-9ee0-49b3-98bb-11cccd664edb\ -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}"\ - -H 'Content-Type: application/json' -d '{"ssl":{"method":"cname", "type":"dv"}}' + -H 'Content-Type: application/json' -d '{"ssl":{"method":"cname", "type":"dv"}}' { "result": { @@ -96,7 +96,7 @@ There are two main causes of error 1016: 1. Custom Hostname ownership verification is not complete. To check, run an API call to [search for a certificate by hostname](https://developers.cloudflare.com/ssl/ssl-for-saas/api-calls/) and check the verification error field: `"verification_errors": ["custom hostname does not CNAME to this zone."],` 2. Fallback Origin is not correctly set. -[Check via API if the fallback Origin is correctly set](https://developers.cloudflare.com/ssl/ssl-for-saas/api-calls/) +[Check via API if the fallback Origin is correctly set](https://developers.cloudflare.com/ssl/ssl-for-saas/api-calls/) Check that the fallback origin DNS record exists in the DNS ([see step 2 of Getting Started](https://developers.cloudflare.com/ssl/ssl-for-saas/getting-started/)). -------- diff --git a/products/ssl/src/content/ssl-for-saas/uploading-certificates.md b/products/ssl/src/content/ssl-for-saas/uploading-certificates.md index 9f3a0b17c6a2a48..a486df3f8a5b2ce 100644 --- a/products/ssl/src/content/ssl-for-saas/uploading-certificates.md +++ b/products/ssl/src/content/ssl-for-saas/uploading-certificates.md 
@@ -49,7 +49,7 @@ $ echo $MYCERT $ request_body=$(< <(cat <float default: 0.05 - Whitespace between the adjacent edges (determined by position) of the video and the watermark. 0.0 means no padding, and 1.0 means padded full video width or length. - + - Stream will make sure that the watermark will be at about the same position across videos with different dimensions. - `scale` float default: 0.15 diff --git a/products/stream/src/content/uploading-videos/direct-creator-uploads.md b/products/stream/src/content/uploading-videos/direct-creator-uploads.md index 51186cf21c5767f..6415d7c0442759a 100644 --- a/products/stream/src/content/uploading-videos/direct-creator-uploads.md +++ b/products/stream/src/content/uploading-videos/direct-creator-uploads.md @@ -22,10 +22,10 @@ body of the `POST` request: - - `maxDurationSeconds` integer required + - `maxDurationSeconds` integer required - Enforces the maximum duration in seconds for a video the user uploads. For direct uploads, Stream requires videos are at least 1 second in length, and restricts to a maximum of 6 hours. Therefore, this field must be greater than 1 and less than 21,600. - - `expiry` string (date) default: now + 6 hours + - `expiry` string (date) default: now + 6 hours - Optional string field that enforces the time after which the unique one-time upload URL is invalid. The time value must be formatted in RFC3339 layout and will be interpretted against UTC time zone. If an expiry is set, it must be no less than two minutes in the future, and not more than 6 hours in the future. If an expiry is not set, the upload URL will expire 30 minutes after it's creation. 
@@ -34,13 +34,13 @@ Additionally, you can control securiy features through these fields: - - `requireSignedURLs` boolean default: false + - `requireSignedURLs` boolean default: false - Limits the permission to view the video to only [signed URLs](/viewing-videos/securing-your-stream). - `allowedOrigins` array of strings default: _empty_ - Limit the domains this video can be embedded on. Learn more about [allowed origins](/viewing-videos/securing-your-stream). - - `thumbnailTimestampPct` float default: 0 + - `thumbnailTimestampPct` float default: 0 - Sets the timestamp location of [thumbnail](/viewing-videos/displaying-thumbnails) image to a percentage location of the video from 0 to 1. - `watermark` string default: _none_ diff --git a/products/stream/src/content/uploading-videos/using-webhooks.md b/products/stream/src/content/uploading-videos/using-webhooks.md index 9dd121ed1f10f19..b0a88e743cb5a95 100644 --- a/products/stream/src/content/uploading-videos/using-webhooks.md +++ b/products/stream/src/content/uploading-videos/using-webhooks.md @@ -104,7 +104,7 @@ Compare the signature in the request header to the expected signature. Preferabl If the signatures match, you can trust that the webhook was sent by Cloudflare. -## Limitations +## Limitations - Webhooks will only be sent after the processing of a video is complete, and the body will indicate whether the processing of the video succeeded or failed. diff --git a/products/stream/src/content/uploading-videos/ways-to-upload.md b/products/stream/src/content/uploading-videos/ways-to-upload.md index 64295b7b1d53234..ec51dc139c8602b 100644 --- a/products/stream/src/content/uploading-videos/ways-to-upload.md +++ b/products/stream/src/content/uploading-videos/ways-to-upload.md 
@@ -9,11 +9,11 @@ Stream provides four ways to upload videos to cover a diverse set of use cases. -| Upload method | When to use | +| Upload method | When to use | |------------------|-------------| | [Stream Dashboard](https://dash.cloudflare.com?to=/:account/stream) | Quick, one time uploads where automation is not required | | [Copy via link](/uploading-videos/upload-via-link) | The video library is stored in a cloud storage bucket | -| [Direct creator uploads](/uploading-videos/direct-creator-uploads) | The end user is uploading videos but does not have access to your API tokens, for example if you have your users uploading content to your website or mobile app | +| [Direct creator uploads](/uploading-videos/direct-creator-uploads) | The end user is uploading videos but does not have access to your API tokens, for example if you have your users uploading content to your website or mobile app | | [Upload video file](/uploading-videos/upload-video-file) | When the video file is stored on a computer with access to your API tokens | \ No newline at end of file diff --git a/products/stream/src/content/viewing-videos/using-own-player.md b/products/stream/src/content/viewing-videos/using-own-player.md index c9b081e041b0913..002adfb634639e4 100644 --- a/products/stream/src/content/viewing-videos/using-own-player.md +++ b/products/stream/src/content/viewing-videos/using-own-player.md 
@@ -66,5 +66,5 @@ In this case, a customer is expressing their preference to have their content di ## Limitations -- [Analytics](/getting-analytics/) are not collected by third-party players, information such as minutes viewed and number of views will not be available on the Stream dashboard. +- [Analytics](/getting-analytics/) are not collected by third-party players, information such as minutes viewed and number of views will not be available on the Stream dashboard. - Automatic error reporting is not available to third-party players. Please reach out to Cloudflare Support if you experience playback issues with Stream manifest files. diff --git a/products/time-services/src/content/ntp/usage.md b/products/time-services/src/content/ntp/usage.md index f2553166879a992..c642d2acbc1e4cf 100644 --- a/products/time-services/src/content/ntp/usage.md +++ b/products/time-services/src/content/ntp/usage.md @@ -10,7 +10,7 @@ Cloudflare offers a free public time service that allows you to use our anycast We do not implement leap smearing: NTP includes a Leap Indicator field [spec](https://tools.ietf.org/html/rfc5905#section-7.3) and the kernel will apply the leap second correction at the appropriate time. This is the behavior servers in pool.ntp.org share. Using servers that smear time along with servers that do not may lead to unpredictable and anomalous results. -Here is an example of how to configure your Mac to synchronize time from time.cloudflare.com: +Here is an example of how to configure your Mac to synchronize time from time.cloudflare.com: 1. Go to System Preferences 2. Go to Date & Time 
@@ -20,9 +20,9 @@ Here is an example of how to configure your Mac to synchronize time from time.cl ![MacOS](../static/mactime.png) -... and you're all set! +... and you're all set! -Here is an example of how to configure your Windows computer to synchronize time from time.cloudflare.com: +Here is an example of how to configure your Windows computer to synchronize time from time.cloudflare.com: 1. Go to Control Panel 2. Go to Clock and Region @@ -34,6 +34,6 @@ Here is an example of how to configure your Windows computer to synchronize time ![Windows](../static/window.png) -You should receive the following message, letting you know that you have successfully synchronized your time. +You should receive the following message, letting you know that you have successfully synchronized your time. ![](../static/windowtime2.png) diff --git a/products/time-services/src/content/nts/index.md b/products/time-services/src/content/nts/index.md index c46ffb654fe119e..531d9fdc7f6fbcc 100644 --- a/products/time-services/src/content/nts/index.md +++ b/products/time-services/src/content/nts/index.md 
@@ -4,6 +4,6 @@ order: 2 # Network Time Security -Network Time Security (NTS) provides cryptographic security for the client-server mode of the Network Time Protocol (NTP). This enables users to obtain time in an authenticated manner. +Network Time Security (NTS) provides cryptographic security for the client-server mode of the Network Time Protocol (NTP). This enables users to obtain time in an authenticated manner. The NTS protocol is divided into two-phases. The first phase is the NTS key exchange that establishes the necessary key material between the NTP client and the server. This phase uses the Transport Layer Security (TLS) handshake and relies on the same public key infrastructure as the web. Once the keys are exchanged, the TLS channel is closed and the protocol enters the second phase. In this phase the results of that TLS handshake are used to authenticate NTP time synchronization packets via extension fields. For more information, read [RFC 8915](https://tools.ietf.org/html/rfc8915). diff --git a/products/workers/src/content/learning/using-durable-objects.md b/products/workers/src/content/learning/using-durable-objects.md index 7c074d3f431e82d..7b12c6480814f9e 100644 --- a/products/workers/src/content/learning/using-durable-objects.md +++ b/products/workers/src/content/learning/using-durable-objects.md @@ -102,7 +102,7 @@ export class DurableObjectExample { let currentValue = await txn.get(key); if (currentValue != ifMatch && ifMatch != '*') { txn.rollback(); - return; + return; } changedValue = true; await txn.put(key, newValue); @@ -134,7 +134,7 @@ export class Counter { constructor(state, env) { this.storage = state.storage; } - + async initialize() { let stored = await this.storage.get("value"); // after initialization, future reads don't need to access storage!
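Review bot: the Stream upload-method table file still ends without a trailing newline after this hunk (the `\ No newline at end of file` marker is preserved on the `Upload video file` row); since this commit is a whitespace cleanup, adding the final newline here would keep the next edit to that table from producing a spurious last-line diff. Minor wording in the same hunk: `Quick, one time uploads` reads better as `Quick, one-time uploads`.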
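Review bot: in the `viewing-videos/using-own-player.md` Limitations hunk, the Analytics bullet is a comma splice: `are not collected by third-party players, information such as minutes viewed ...`. Since the line is being touched anyway, consider `are not collected by third-party players, so information such as minutes viewed and number of views will not be available on the Stream dashboard.`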
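Review bot: in the first `time-services/src/content/ntp/usage.md` hunk, the context line `NTP includes a Leap Indicator field [spec](https://tools.ietf.org/html/rfc5905#section-7.3)` uses the bare link text `spec`, which renders as an unlabelled word in the sentence; `Leap Indicator field (see [RFC 5905, section 7.3](https://tools.ietf.org/html/rfc5905#section-7.3))` would tell readers what they are clicking. The trailing-whitespace removal on the `Here is an example of how to configure your Mac` line is fine.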
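Review bot: in the `time-services/src/content/nts/index.md` hunk, the unchanged context line `The NTS protocol is divided into two-phases.` has a stray hyphen; it should read `two phases`. The file is already being touched for whitespace, so it is worth folding the fix into this commit rather than leaving it for a follow-up.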
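Review bot: in the first `workers/src/content/learning/using-durable-objects.md` hunk, the compare-and-swap guard `if (currentValue != ifMatch && ifMatch != '*')` uses loose inequality; for a documentation sample readers will copy, `!==` is the idiomatic choice and avoids `null`/`undefined` coercing to equal when `txn.get(key)` returns no value, unless that coercion is intended, in which case a comment on the line should say so. The whitespace-only change to `return;` is fine.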
