Merged
43 changes: 43 additions & 0 deletions .markdownlint.yml
@@ -0,0 +1,43 @@
MD001: false
MD002: false
MD003: false
MD004: false
MD005: false
MD006: false
MD007: false
MD010: false
MD011: false
MD012: false
MD013: false
MD014: false
MD018: false
MD019: false
MD020: false
MD021: false
MD022: false
MD023: false
MD024: false
MD025: false
MD026: false
MD027: false
MD028: false
MD029: false
MD030: false
MD031: false
MD032: false
MD033: false
MD034: false
MD035: false
MD036: false
MD037: false
MD038: false
MD039: false
MD040: false
MD041: false
MD042: false
MD043: false
MD044: false
MD045: false
MD046: false
MD047: false
MD048: false
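Review bot: every rule from MD001 to MD048 except MD008, MD009 and MD015 to MD017 is explicitly set to `false`, so the net effect is that only MD009 (no-trailing-spaces) stays enforced, which matches the whitespace-only edits elsewhere in this PR, but nothing in the file says so. Consider stating the intent in a leading comment, e.g. `# Only MD009 (no-trailing-spaces) is enforced`, and expressing it as `default: false` followed by `MD009: true` instead of a 43-line deny list, so that rule IDs added in a future markdownlint release do not silently become enabled.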
@@ -6,11 +6,11 @@ order: 5
You can send DNS queries in an encrypted fashion for 1.1.1.1 for Families. If you have DNS over HTTPS compliant client, use the following URLs to use 1.1.1.1 for Families.

## Block Malware
To block all malware use the following URL
To block all malware use the following URL

https://security.cloudflare-dns.com/dns-query

## Block Malware and Adult Content
To block all malware and adult content use following URL
To block all malware and adult content use following URL

https://family.cloudflare-dns.com/dns-query
2 changes: 1 addition & 1 deletion products/1.1.1.1/src/content/fun-stuff/dns-over-tor.md
@@ -63,7 +63,7 @@ UDP:53 on localhost as TCP packets using the following `socat` command:

As explained in the blog post, our favorite way of using the hidden resolver is using DoH.

1. First, start with downloading `cloudflared` by following the regular guide for
1. First, start with downloading `cloudflared` by following the regular guide for
[Running a DNS over HTTPS Client](../../dns-over-https/cloudflared-proxy/).

2. Start a Tor SOCKS proxy and use `socat` to forward port TCP:443 to localhost:
16 changes: 8 additions & 8 deletions products/1.1.1.1/src/content/privacy/public-dns-resolver.md
@@ -8,13 +8,13 @@ order: 1

Cloudflare’s Commitment to Privacy: 1.1.1.1 Public DNS Resolver

The 1.1.1.1 public DNS resolver is governed by our [Privacy Policy](https://www.cloudflare.com/privacypolicy/). This document provides additional details on our collection, use, and disclosure of the information collected from the 1.1.1.1 public DNS resolver.
The 1.1.1.1 public DNS resolver is governed by our [Privacy Policy](https://www.cloudflare.com/privacypolicy/). This document provides additional details on our collection, use, and disclosure of the information collected from the 1.1.1.1 public DNS resolver.

-----

Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email, and the first thing your phone or computer does is ask its directory: where can I find this?

Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.
Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.

Given the current state of affairs, Cloudflare created a DNS resolver with your privacy and security in mind. Cloudflare, in partnership with APNIC, runs the 1.1.1.1 public resolver, a recursive DNS service that values user privacy and security. DNS requests sent to our public resolver are sent over a secure channel, significantly decreasing the odds of any unwanted spying or man in the middle attacks.

@@ -26,10 +26,10 @@ The 1.1.1.1 public DNS resolver was designed for privacy first, and Cloudflare c
4. Cloudflare will retain only the limited transaction and debug log data (“Public Resolver Logs”) set forth below, for the legitimate operation of our Public Resolver and research purposes, and Cloudflare will delete the Public Resolver Logs within 25 hours.
5. Cloudflare will not share the Public Resolver Logs with any third parties except for APNIC pursuant to a Research Cooperative Agreement. APNIC will only have limited access to query the anonymized data in the Public Resolver Logs and conduct research related to the operation of the DNS system.

Frankly, we don’t want to know what any one person is doing on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.
Frankly, we don’t want to know what any one person is doing on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.


We wanted to put our money where our mouth was, so we retained one of the top four accounting firms to audit our practices and publish a public report confirming we're doing what we said we would. The report is available [here](https://www.cloudflare.com/compliance/).
We wanted to put our money where our mouth was, so we retained one of the top four accounting firms to audit our practices and publish a public report confirming we're doing what we said we would. The report is available [here](https://www.cloudflare.com/compliance/).

## LIMITED DATA SHARING WITH APNIC

@@ -81,7 +81,7 @@ Additionally, recursive resolvers perform outgoing queries to various authoritat

The following subrequest data is included in the Public Resolver Logs:

* subrequest.ipv6 (authoritative nameserver)
* subrequest.ipv6 (authoritative nameserver)
* subrequest.ipv4 (authoritative nameserver)
* subrequest.protocol
* subrequest.durationMs
@@ -93,7 +93,7 @@ The following subrequest data is included in the Public Resolver Logs:
* subrequest.recordData
* subrequest.error

Except for the limited aggregated data generated using the Public Resolver Logs described below, all of the Public Resolver Logs are deleted within 25 hours of Cloudflare’s receipt of such information.
Except for the limited aggregated data generated using the Public Resolver Logs described below, all of the Public Resolver Logs are deleted within 25 hours of Cloudflare’s receipt of such information.

Cloudflare will only store the following aggregated data:

@@ -109,8 +109,8 @@ Cloudflare may store the aggregated data described above indefinitely in order t

## WHAT ABOUT REQUESTS FOR CONTENT BLOCKING?

Cloudflare does not block or filter any content through the 1.1.1.1 Public DNS Resolver, which is designed for direct, fast DNS resolution, not for blocking or filtering content. Cloudflare does block and filter malware and adult content through 1.1.1.1 for Families, which is designed to help individuals protect their home networks.
Cloudflare does not block or filter any content through the 1.1.1.1 Public DNS Resolver, which is designed for direct, fast DNS resolution, not for blocking or filtering content. Cloudflare does block and filter malware and adult content through 1.1.1.1 for Families, which is designed to help individuals protect their home networks.

In general, Cloudflare views government or civil requests to block content at the DNS level as ineffective, inefficient, and overbroad. Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government’s jurisdiction. A government request to block content through a globally available public recursive resolver like the 1.1.1.1 Public DNS Resolver and 1.1.1.1 for Families therefore should be evaluated as a request to block content globally.

Given the broad extraterritorial effect, if Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the 1.1.1.1 Public DNS Resolver or to block access to domains or content through 1.1.1.1 for Families that is outside the scope of the filtering in that product, Cloudflare would pursue its legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so.
Given the broad extraterritorial effect, if Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the 1.1.1.1 Public DNS Resolver or to block access to domains or content through 1.1.1.1 for Families that is outside the scope of the filtering in that product, Cloudflare would pursue its legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so.
@@ -11,7 +11,7 @@ The authentication process involves Cloudflare Access issuing a signed JSON Web

## Per-Application

To immediately terminate all active sessions for a specific application:
To immediately terminate all active sessions for a specific application:

1. On the Teams dashboard, navigate to **Access > Applications** and locate the application for which you would like to revoke active sessions.

@@ -28,7 +28,7 @@ You can configure the duration of both tokens on the dashboard. When users log i
![Global session](../../static/global-session.png)

* If the global session duration is **shorter** than an application’s session length, users will be required to re-authenticate each time the global session time elapses.

This can be helpful to establish a maximum session duration across all applications.

* If the global session duration is **longer** than an application’s session length, a user’s application session will be automatically refreshed until the global session expires.
@@ -10,7 +10,7 @@ The authentication process involves Cloudflare Access issuing a signed JSON Web

## Per-Application

To immediately terminate all active sessions for a specific application:
To immediately terminate all active sessions for a specific application:

1. On the Teams dashboard, navigate to **Access > Applications** and locate the application for which you would like to revoke active sessions.

@@ -6,7 +6,7 @@ order: 3

To fully secure your application, you must ensure that no one can access your origin server directly and bypass the zero trust security checks Cloudflare Access enforces for the hostname. For example, if someone discovers an exposed external IP they can bypass Cloudflare and attack the origin directly.

Cloudflare signs a JSON Web Token (JWT) when users or services authenticate through Cloudflare Access.
Cloudflare signs a JSON Web Token (JWT) when users or services authenticate through Cloudflare Access.

Two tokens are generated:

@@ -17,7 +17,7 @@ Two tokens are generated:

You can use the JWT created by Cloudflare Access to validate requests on your origin.

If you want to learn more about how Access works with JWT, read our [Access with JSON web tokens](../../learning/json-web-tokens) Learning section.
If you want to learn more about how Access works with JWT, read our [Access with JSON web tokens](../../learning/json-web-tokens) Learning section.

| Best practices | |
| -------------- | ------ |
@@ -13,7 +13,7 @@ order: 3
## Create An Application with Terraform

1. Create an application.

Here is an example configuration:

```
@@ -107,7 +107,7 @@ To do so:

1. Run a `terraform plan`:
```
$ terraform plan
$ terraform plan

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
@@ -18,7 +18,7 @@ Azure AD integrates with the Office365 identity service as well as other SaaS ap

![Azure AD Services](../../static/azure/azuread-1.png)

3. On the **Azure AD** dashboard, click **App registrations** in the **Manage** section of the _Azure Active Directory_ pane.
3. On the **Azure AD** dashboard, click **App registrations** in the **Manage** section of the _Azure Active Directory_ pane.
4. Click **+ New application registration**.

![New Azure AD App Registration](../../static/azure/azuread-2.png)
@@ -37,7 +37,7 @@ Azure AD integrates with the Office365 identity service as well as other SaaS ap

![Azure AD Client Secret](../../static/azure/azuread-6.png)

9. Copy the value to the **Application Secret** field in your **Cloudflare** dashboard.
9. Copy the value to the **Application Secret** field in your **Cloudflare** dashboard.

10. In the left hand panel, select **API permissions**, and then click **Add a permission**.

@@ -46,7 +46,7 @@ These steps help you set up Centrify as your identity provider (IdP).
14. Copy the Client ID, Client Secret, and OpenID Connect Issuer URL.

<Aside>

Do not use the forward slash from the <strong>Settings</strong> tab.
</Aside>

@@ -18,7 +18,7 @@ Azure AD integrates with the Office365 identity service as well as other SaaS ap

![Azure AD Services](../static/azure/azuread-1.png)

3. On the **Azure AD** dashboard, click **App registrations** in the **Manage** section of the _Azure Active Directory_ pane.
3. On the **Azure AD** dashboard, click **App registrations** in the **Manage** section of the _Azure Active Directory_ pane.
4. Click **+ New application registration**.

![New Azure AD App Registration](../static/azure/azuread-2.png)
@@ -37,7 +37,7 @@ Azure AD integrates with the Office365 identity service as well as other SaaS ap

![Azure AD Client Secret](../static/azure/azuread-6.png)

9. Copy the value to the **Application Secret** field in your **Cloudflare** dashboard.
9. Copy the value to the **Application Secret** field in your **Cloudflare** dashboard.

10. In the left hand panel, select **API permissions**, and then click **Add a permission**.

@@ -46,7 +46,7 @@ These steps help you set up Centrify as your identity provider (IdP).
14. Copy the Client ID, Client Secret, and OpenID Connect Issuer URL.

<Aside>

Do not use the forward slash from the <strong>Settings</strong> tab.
</Aside>

@@ -19,7 +19,7 @@ Keycloak is an open source identity and access management solution built by JBos
![SAML Client](../static/keycloak/configure-client.png)

Set the Client AD as the Access callback URL. The format will resemble the following URL; replace the `<auth_domain>` value with your organization's authentication domain.

`https://<auth_domain>.cloudflareaccess.com/cdn-cgi/access/callback`

Next, set the valid redirect URI to the Keycloak domain that you are using. For example, `https://<keycloak_domain>/auth/realms/master/protocol/saml`.
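Review bot: "Set the Client AD as the Access callback URL" in the context above looks like a typo for "Client ID", which is the Keycloak SAML client setting the following sentence describes; since this file is already being touched for whitespace, it is worth confirming and correcting here.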
@@ -52,7 +52,7 @@ Keycloak is an open source identity and access management solution built by JBos

## Optional: Custom SAML Attributes

Keycloak can be configured to pass on custom SAML attributes for consumption by Access Policy. For example, role-based access policy.
Keycloak can be configured to pass on custom SAML attributes for consumption by Access Policy. For example, role-based access policy.

1. Roles

@@ -81,7 +81,7 @@ Keycloak can be configured to pass on custom SAML attributes for consumption by
Solution: Disable "Client Signature Required " in Client Settings

**Access Test: Response uses a certificate that is not configured.**
Solution: Use the X509 Certificate in the Realm Settings rather than from Client Setting.
Solution: Use the X509 Certificate in the Realm Settings rather than from Client Setting.

**Access Test: Successful bu email property is empty**

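Review bot: two small defects sit in the unchanged context of this hunk and could be fixed in the same pass: `**Access Test: Successful bu email property is empty**` reads "bu" for "but", and `Disable "Client Signature Required "` carries a stray space before the closing quote, which a reader copying the setting name may reproduce.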
2 changes: 1 addition & 1 deletion products/access/src/content/faq/index.md
@@ -42,7 +42,7 @@ Answers to common questions about Cloudflare Access.

Access policies trigger in order based on their position in the policy table in the UI. The exception is Bypass policies, which Access evaluates first.

For Allow and Deny policies, Access enforces the decision starting at the top of your list and continues down the list. You can modify the order by dragging and dropping individual policies in the UI.
For Allow and Deny policies, Access enforces the decision starting at the top of your list and continues down the list. You can modify the order by dragging and dropping individual policies in the UI.

* **Can I use Access to secure applications with a second-level subdomain URL?**

@@ -5,7 +5,7 @@ order: 1

# Connecting SaaS Applications

Cloudflare Access allows you to integrate your SaaS products by acting as an identity aggregator, or proxy. This way, we ensure that users cannot login to SaaS applications without first meeting the criteria you want to introduce.
Cloudflare Access allows you to integrate your SaaS products by acting as an identity aggregator, or proxy. This way, we ensure that users cannot login to SaaS applications without first meeting the criteria you want to introduce.

## 1. Add and configure your app

4 changes: 2 additions & 2 deletions products/access/src/content/setting-up-access/terraform.md
@@ -9,7 +9,7 @@ order: 2

## Create an Application

__NOTE:__ If you haven't installed Terraform, you can do so [here](https://learn.hashicorp.com/terraform/getting-started/install.html).
__NOTE:__ If you haven't installed Terraform, you can do so [here](https://learn.hashicorp.com/terraform/getting-started/install.html).

Before we can do anything, we'll need to create an Access application. Here is an example configuration:
```
@@ -102,7 +102,7 @@ resource "cloudflare_access_policy" "cf_policy" {

Next, we'll run a `terraform plan`:
```
$ terraform plan
$ terraform plan

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
@@ -16,7 +16,7 @@ Follow these steps to set up Cloudflare Argo Tunnel:

1. Authenticate your instance `cloudflared` by logging in to your Cloudflare account with the following command:

```sh
```sh
$ cloudflared tunnel login
```

@@ -23,7 +23,7 @@ If you are pointing `cloudflared` to a locally-available URL that is different f
Find more information on the **no-tls-verify** flag [here](/reference/arguments/#no-tls-verify).

### <a name="invalid-tls"></a> Invalid TLS certificate
If the TLS certificate used by the webserver is not valid, you may get a 502 Error.
If the TLS certificate used by the webserver is not valid, you may get a 502 Error.
If you run:

```bash