
[Cloudflare One] Document TLS inspection requirement for authorization proxy endpoints #31125

Open

grstnhbr wants to merge 2 commits into cloudflare:production from grstnhbr:proxy-endpoint-tls-requirement


Conversation

@grstnhbr
Contributor

Summary

  • Adds a new "TLS inspection required" limitation under authorization endpoint limitations, documenting that TLS decryption is always performed to read the auth cookie - even if TLS decryption is turned off at the account level.
  • Clarifies the certificate installation step (3a) to explain that the Cloudflare certificate is mandatory for authorization endpoints to function, not just for HTTP policy enforcement.

Context: a customer discovered during testing that TLS decryption happens by default on authorization proxy endpoints despite being disabled at the account level. This is expected behavior - the auth cookie can only be read from decrypted requests - but it was not documented.

…n proxy endpoints

Authorization proxy endpoints always perform TLS decryption to read the
auth cookie, regardless of account-level TLS settings. Add this as a
documented limitation and clarify the certificate install step.
@cloudflare-docs-bot

cloudflare-docs-bot Bot commented May 29, 2026

Review

💡 3 suggestions found in commit ce10b99.

Suggestions (3)

  • cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx, line 317: Passive voice. The line uses passive voice: "TLS inspection is always performed to read the authorization cookie". Fix: rewrite in active voice, for example: "Gateway always performs TLS inspection to read the authorization cookie".
  • cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx, line 503: Passive voice. The line uses passive voice: "TLS decryption is always performed for traffic routed through an authorization endpoint". Fix: rewrite in active voice, for example: "Gateway always performs TLS decryption for traffic routed through an authorization endpoint".
  • cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx, line 503: Passive voice. The line uses passive voice: "even if TLS decryption is turned off at the account level". Fix: rewrite in active voice, for example: "even if you turn off TLS decryption at the account level".
Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

  • /review: Runs a review now. Incremental if a prior review exists, full if not.
  • /full-review: Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.

@grstnhbr
Contributor Author

/bonk review this PR

@mvvmm
Contributor

mvvmm commented May 29, 2026

/bonk review

@ask-bonk
Contributor

ask-bonk Bot left a comment


One minor style suggestion. The new TLS inspection limitation section is accurate and well-structured.

### 3a. Install Cloudflare certificate

To use Gateway HTTP policies with proxy endpoints, you must [install a Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your devices. This allows Gateway to inspect HTTPS traffic and apply policies such as blocking specific domains or displaying the Gateway block page.
You must [install a Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your devices. For [authorization endpoints](#authorization-endpoint), Gateway always performs TLS inspection to read the authorization cookie, so the certificate is required for the endpoint to function. For [source IP endpoints](#source-ip-endpoint), the certificate is required to apply Gateway HTTP policies such as blocking specific domains or displaying the Gateway block page.
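Review bot: the rewritten 3a line says Gateway always performs TLS inspection for authorization endpoints, but it does not say that this holds even when TLS decryption is turned off at the account level, which the PR summary gives as the behaviour that surprised the customer during testing. Consider adding that clause here, for example "Gateway always performs TLS inspection to read the authorization cookie, even if you turn off TLS decryption at the account level", or linking from this step to the new "TLS inspection required" limitation, so a reader who has disabled decryption and is following step 3a understands why the certificate is still mandatory for the endpoint to work.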

Use active voice instead of passive ('is required'):

Suggested change
You must [install a Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your devices. For [authorization endpoints](#authorization-endpoint), Gateway always performs TLS inspection to read the authorization cookie, so the certificate is required for the endpoint to function. For [source IP endpoints](#source-ip-endpoint), the certificate is required to apply Gateway HTTP policies such as blocking specific domains or displaying the Gateway block page.
You must [install a Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your devices. For [authorization endpoints](#authorization-endpoint), Gateway always performs TLS inspection to read the authorization cookie, so the endpoint will not function without the certificate. For [source IP endpoints](#source-ip-endpoint), you must install the certificate to apply Gateway HTTP policies such as blocking specific domains or displaying the Gateway block page.
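Review bot: the suggested rewrite states the installation requirement twice: "You must [install a Cloudflare certificate]..." opens the paragraph and "you must install the certificate" returns in the third sentence. A variant that stays in active voice without the repetition: "For [source IP endpoints](#source-ip-endpoint), the certificate lets Gateway apply HTTP policies such as blocking specific domains or displaying the Gateway block page."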

@ask-bonk
Contributor

ask-bonk Bot commented May 29, 2026

Review submitted for PR #31125.

Verdict: 1 inline suggestion posted. The new content is technically accurate; the only remaining issue is minor passive voice on line 317.

Issue flagged:

  • LOW: src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx, line 317
    Two instances of passive voice ("is required") remain after the automated bot review. I suggested an active-voice rewording that preserves the meaning while aligning with the style guide.


4 participants