From cf425ac46860891efd3f1ff070515e571b4fa054 Mon Sep 17 00:00:00 2001
From: Maximo Guk <62088388+Maximo-Guk@users.noreply.github.com>
Date: Thu, 24 Oct 2024 19:51:03 -0300
Subject: [PATCH 001/273] Update changelog and bun version in docs (#17784)
---
 src/content/changelogs/pages.yaml | 2 +-
 src/content/pages-build-environment/v2.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/content/changelogs/pages.yaml b/src/content/changelogs/pages.yaml
index 2b6558e7649fd08..a8adde3f76f7179 100644
--- a/src/content/changelogs/pages.yaml
+++ b/src/content/changelogs/pages.yaml
@@ -8,7 +8,7 @@ entries:
 - publish_date: "2024-10-24"
 title: Updating Bun version to 1.1.33 in V2 build system
 description: |-
- * Bun version is being updated from `1.0.1` to `1.1.33` in Pages V2 build system. This is a minor version change, please see details at [Bun](https://bun.sh/blog/bun-v1.1).
+ * Bun version is being updated from `1.0.1` to `1.1.33` in Pages V2 build system. This is a minor version change, please see details at [Bun](https://bun.sh/blog/bun-v1.1.33).
 * If you wish to use a previous Bun version, you can [override default version](/pages/configuration/build-image/#overriding-default-versions).
 - publish_date: "2023-09-13"
 title: Support for D1's new storage subsystem and build error message improvements
diff --git a/src/content/pages-build-environment/v2.yaml b/src/content/pages-build-environment/v2.yaml
index 90875f9fc7798ae..9cfeebf6303f943 100644
--- a/src/content/pages-build-environment/v2.yaml
+++ b/src/content/pages-build-environment/v2.yaml
@@ -59,7 +59,7 @@ tools:
 supported: "Any version"
 environment_variable: "YARN_VERSION"
 - name: Bun
- default: "1.0.1"
+ default: "1.1.33"
 supported: "Any version"
 environment_variable: "BUN_VERSION"
 build_environment:
From 80822c6633f295d2837512526de238fbb3083383 Mon Sep 17 00:00:00 2001
From: Anni Wang <54481763+aninibread@users.noreply.github.com> Date: Thu, 24 Oct 2024 22:06:25 -0400 Subject: [PATCH 002/273] Anni/wcicd new features (#17762) * Adding docs for Workers CI/CD in Closed Beta * Deleting redundant CI/CD related pages. Deleted content has been moved to the new CI/CD docs. * Update src/content/docs/workers/ci-cd/build-system/build-configuration.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/workers/ci-cd/build-system/build-configuration.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/workers/ci-cd/build-system/build-configuration.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/workers/ci-cd/build-system/build-configuration.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/workers/ci-cd/index.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/workers/ci-cd/index.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Added link reference for Wrangler environments. * Added Build Limits to Overview Page. 
* added more to troubleshooting page * Update src/content/docs/workers/ci-cd/build-system/troubleshoot.mdx Co-authored-by: Brendan Irvine-Broque * Update src/content/docs/workers/ci-cd/build-system/troubleshoot.mdx Co-authored-by: Brendan Irvine-Broque * Update src/content/docs/workers/ci-cd/build-system/build-configuration.mdx Co-authored-by: Brendan Irvine-Broque * Remove wordy description in Builds index.mdx * remaning section to builds from build system * Referencing Builds instead of Build System * Adding reference for Wrangler Environments * Change reference of Workers build system to Workers Builds * Few tweaks * New change in release now includes non-'Main' branch support. * Improve instructions for monorepo and wrangler env support. * adding back some tweaks * Updating build image page and header * Update src/content/docs/workers/ci-cd/builds/build-configuration.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/workers/ci-cd/builds/index.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * small tweaks + note in change log * small tweaks * Update src/content/docs/workers/ci-cd/index.mdx Co-authored-by: Brendan Irvine-Broque * Update src/content/docs/workers/ci-cd/builds/index.mdx Co-authored-by: Brendan Irvine-Broque * Update src/content/docs/workers/ci-cd/builds/troubleshoot.mdx Co-authored-by: Brendan Irvine-Broque * Update src/content/docs/workers/ci-cd/builds/troubleshoot.mdx Co-authored-by: Brendan Irvine-Broque * adding suggested changes * Update src/content/docs/workers/ci-cd/builds/index.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/ci-cd/builds/index.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/ci-cd/builds/build-configuration.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/ci-cd/external-cicd.mdx Co-authored-by: ToriLindsay * Update 
src/content/docs/workers/ci-cd/builds/build-configuration.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/ci-cd/builds/build-image.mdx Co-authored-by: ToriLindsay * why cicd changes * redirect and link updates * add pre-installed packages section * add images, diagrams, and examples * Build setting details and changes * adding in default version update message * adding troubleshooting view * nevi edits to anni's builds PR (#16962) * nevi edits to anni's builds PR * 9-20 changes * trigger builds * Update src/content/docs/workers/ci-cd/builds/build-configuration.mdx Co-authored-by: Brendan Irvine-Broque * added git integration + individual external ci/cd pages + small tweaks * Update src/content/docs/workers/ci-cd/builds/configuration.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Link fixes * Added a which ci/cd should i choose section. Added fix to git integration * Update src/content/docs/workers/ci-cd/builds/build-image.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * versions updates and added git troubleshooting * small edit * edit on getting started * removing enterprise from pricing plan * fix index * added change log for workers builds * spelling mistake * Update src/content/docs/pages/configuration/git-integration.mdx Co-authored-by: ToriLindsay * Update src/content/docs/pages/configuration/git-integration.mdx Co-authored-by: ToriLindsay * Update src/content/docs/pages/configuration/git-integration.mdx Co-authored-by: ToriLindsay * Update src/content/docs/pages/configuration/git-integration.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/ci-cd/builds/advanced-setups.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/ci-cd/index.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/ci-cd/index.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/ci-cd/index.mdx Co-authored-by: ToriLindsay * 
Update src/content/docs/workers/configuration/versions-and-deployments/index.mdx Co-authored-by: ToriLindsay * Update src/content/docs/workers/wrangler/deprecations.mdx Co-authored-by: ToriLindsay * existing Worker distinction * small fix * reverting github actions workflow change * change page setup * Added build caching and build watch paths for Workers and updated the same pages for Pages * fix merge conflict marker * Revert "change page setup" This reverts commit 9523cad7f9033eca8852f945b270dfc06920720c. * fix github actions merge conflict --------- Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> Co-authored-by: Brendan Irvine-Broque Co-authored-by: kodster28 Co-authored-by: ToriLindsay Co-authored-by: Nevi Shah <76798024+nevikashah@users.noreply.github.com> Co-authored-by: Daniel --- .../pages/configuration/build-caching.mdx | 12 ++-- .../pages/configuration/build-watch-paths.mdx | 34 ++++----- .../workers/ci-cd/builds/advanced-setups.mdx | 2 +- .../workers/ci-cd/builds/build-caching.mdx | 69 +++++++++++++++++++ .../ci-cd/builds/build-watch-paths.mdx | 61 ++++++++++++++++ .../ci-cd/builds/limits-and-pricing.mdx | 2 +- .../workers/ci-cd/builds/troubleshoot.mdx | 2 +- 7 files changed, 154 insertions(+), 28 deletions(-) create mode 100644 src/content/docs/workers/ci-cd/builds/build-caching.mdx create mode 100644 src/content/docs/workers/ci-cd/builds/build-watch-paths.mdx diff --git a/src/content/docs/pages/configuration/build-caching.mdx b/src/content/docs/pages/configuration/build-caching.mdx index e99d31819f6ea5d..10cbbaf633ecb7f 100644 --- a/src/content/docs/pages/configuration/build-caching.mdx +++ b/src/content/docs/pages/configuration/build-caching.mdx 
@@ -18,7 +18,7 @@ To enable build caching in the Cloudflare dashboard:
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
 2. In Account Home, select **Workers & Pages**.
 3. In **Overview**, select your Pages project.
-4. Go to **Settings** > **Builds & deployments** > **Build cache** and select **Enable build cache**.
+4. Go to **Settings** > **Build** > **Build cache** and select **Enable**.
 ### Clear cache
@@ -27,8 +27,8 @@ The build cache can be cleared for a project if needed, such as when debugging b
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
 2. In Account Home, select **Workers & Pages**.
 3. In **Overview**, select your Pages project.
-4. Go to **Settings** > **Builds & deployments** > **Build cache**.
-5. Select **Clear cache** to clear the build cache.
+4. Go to **Settings** > **Build** > **Build cache**.
+5. Select **Clear Cache** to clear the build cache.
 ## How build caching works
@@ -58,11 +58,7 @@ Caching the build output from frameworks can speed up subsequent build times. Th
 ## Limits
-During this beta period, the following limits are imposed:
+The following limits are imposed for build caching:
 - **Retention**: Cache is purged seven days after its last read date. Unread cache artifacts are purged seven days after creation.
 - **Storage**: Every project is allocated 10 GB. If the project cache exceeds this limit, the project will automatically start deleting artifacts that were read least recently.
-
-## Feedback
-
-If there are package managers or frameworks you want to see supported, let us know in the Pages channel of the [Cloudflare Developer Discord](https://discord.com/invite/cloudflaredev).
diff --git a/src/content/docs/pages/configuration/build-watch-paths.mdx b/src/content/docs/pages/configuration/build-watch-paths.mdx
index 6471ca5110713fe..39de1b7f43f61e0 100644
--- a/src/content/docs/pages/configuration/build-watch-paths.mdx
+++ b/src/content/docs/pages/configuration/build-watch-paths.mdx 
@@ -1,38 +1,38 @@ --- pcx_content_type: concept title: Build watch paths - --- When you connect a git repository to Pages, by default a change to any file in the repository will trigger a Pages build. You can configure Pages to include or exclude specific paths to specify if Pages should skip a build for a given path. This can be especially helpful if you are using a monorepo project structure and want to limit the amount of builds being kicked off. ## Configure paths -To configure which paths are included and excluded, go to your Pages project > Settings > Builds & deployments > Build watch paths. Pages will default to setting your project’s includes paths to everything (\[\*]) and excludes paths to nothing (`[]`). +To configure which paths are included and excluded: + +1. In **Overview**, select your Pages project. +2. Go to **Settings** > **Build** > **Build watch paths**. Pages will default to setting your project’s includes paths to everything (\[\*]) and excludes paths to nothing (`[]`). The configuration fields can be filled in two ways: -* **Static filepaths**: Enter the precise name of the file you are looking to include or exclude (for example, `docs/README.md`). -* **Wildcard syntax:** Use wildcards to match multiple path directories. You can specify wildcards at the start or end of your rule. +- **Static filepaths**: Enter the precise name of the file you are looking to include or exclude (for example, `docs/README.md`). +- **Wildcard syntax:** Use wildcards to match multiple path directories. You can specify wildcards at the start or end of your rule. :::note[Wildcard syntax] - A wildcard (`*`) is a character that is used within rules. It can be placed alone to match anything or placed at the start or end of a rule to allow for better control over branch configuration. 
A wildcard will match zero or more characters.For example, if you wanted to match all branches that started with `fix/` then you would create the rule `fix/*` to match strings like `fix/1`, `fix/bugs`or `fix/`. - ::: For each path in a push event, build watch paths will be evaluated as follows: -* Paths satisfying excludes conditions are ignored first -* Any remaining paths are checked against includes conditions -* If any matching path is found, a build is triggered. Otherwise the build is skipped +- Paths satisfying excludes conditions are ignored first +- Any remaining paths are checked against includes conditions +- If any matching path is found, a build is triggered. Otherwise the build is skipped Pages will bypass the path matching for a push event and default to building the project if: -* A push event contains 0 file changes, in case a user pushes a empty push event to trigger a build -* A push event contains 3000+ file changes or 20+ commits +- A push event contains 0 file changes, in case a user pushes a empty push event to trigger a build +- A push event contains 3000+ file changes or 20+ commits ## Examples @@ -40,19 +40,19 @@ Pages will bypass the path matching for a push event and default to building the If you want to trigger a build from all changes within a set of directories, such as all changes in the folders `project-a/` and `packages/` -* Include paths: `project-a/*, packages/*` -* Exclude paths: \`\` +- Include paths: `project-a/*, packages/*` +- Exclude paths: \`\` ### Example 2 If you want to trigger a build for any changes, but want to exclude changes to a certain directory, such as all changes in a docs/ directory -* Include paths: `*` -* Exclude paths: `docs/*` +- Include paths: `*` +- Exclude paths: `docs/*` ### Example 3 If you want to trigger a build for a specific file or specific filetype, for example all files ending in `.md`. -* Include paths: `*.md` -* Exclude paths: \`\` +- Include paths: `*.md` +- Exclude paths: \`\` 
diff --git a/src/content/docs/workers/ci-cd/builds/advanced-setups.mdx b/src/content/docs/workers/ci-cd/builds/advanced-setups.mdx
index 7dd4cd7ec2377f1..d8a8b56e9932830 100644
--- a/src/content/docs/workers/ci-cd/builds/advanced-setups.mdx
+++ b/src/content/docs/workers/ci-cd/builds/advanced-setups.mdx
@@ -3,7 +3,7 @@ pcx_content_type: reference
 title: Advanced Setups
 description: Learn how to use Workers Builds with more advanced setups
 sidebar:
- order: 5
+ order: 7
 ---
 ## Monorepos
diff --git a/src/content/docs/workers/ci-cd/builds/build-caching.mdx b/src/content/docs/workers/ci-cd/builds/build-caching.mdx
new file mode 100644
index 000000000000000..e856bc87509654c
--- /dev/null
+++ b/src/content/docs/workers/ci-cd/builds/build-caching.mdx
@@ -0,0 +1,69 @@
+---
+pcx_content_type: concept
+title: Build caching
+description: Improve build times by caching build outputs and dependencies
+sidebar:
+ order: 5
+---
+
+Improve Workers Builds build times by turning on build caching to restore dependencies and build output between builds. The first build to occur after enabling build caching on your Pages project will save to cache. Every subsequent build will restore from cache unless configured otherwise.
+
+## Configuration
+
+### Enable build caching
+
+To enable build caching in the Cloudflare dashboard:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. In Account Home, select **Workers & Pages**.
+3. In **Overview**, select your Workers project.
+4. Go to **Settings** > **Build** > **Build cache** and select **Enable**.
+
+### Clear cache
+
+The build cache can be cleared for a project when needed, such as when debugging build issues. To clear the build cache:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. In Account Home, select **Workers & Pages**.
+3. In **Overview**, select your Workers project.
+4. Go to **Settings** > **Build** > **Build cache**.
+5. Select **Clear Cache** to clear the build cache.
+
+## How build caching works
+
+When enabled, build caching will automatically detect which package manager and framework the project is using from its `package.json` and cache data accordingly for the build.
+
+The following shows which package managers and frameworks are supported for dependency and build output caching respectively.
+
+### Package managers
+
+Workers build cache will cache the global cache directories of the following package managers:
+
+- [yarn](https://yarnpkg.com/)
+- [npm](https://www.npmjs.com/)
+- [pnpm](https://pnpm.io/)
+- [node.js](https://nodejs.org/)
+
+### Frameworks
+
+The following frameworks support build output caching:
+
+| Framework | Directories cached |
+| ---------- | --------------------------------------------- |
+| Astro | `node_modules/.astro` |
+| Docusaurus | `node_modules/.cache`, `.docusaurus`, `build` |
+| Eleventy | `.cache` |
+| Gatsby | `.cache`, `public` |
+| Next.js | `.next/cache` |
+| Nuxt | `node_modules/.cache/nuxt` |
+
+:::note
+[Static assets](/workers/static-assets/) and [frameworks](/workers/frameworks/) are now supported in Cloudflare Workers.
+:::
+
+## Limits
+
+The following limits are imposed for build caching:
+
+- **Retention**: Cache is purged 7 days after its last read date. Unread cache artifacts are purged 7 days after creation.
+- **Storage**: Every project is allocated 10 GB. If the project cache exceeds this limit, the project will automatically start deleting artifacts that were read least recently.
diff --git a/src/content/docs/workers/ci-cd/builds/build-watch-paths.mdx b/src/content/docs/workers/ci-cd/builds/build-watch-paths.mdx
new file mode 100644
index 000000000000000..90200ff65bbbb0d
--- /dev/null
+++ b/src/content/docs/workers/ci-cd/builds/build-watch-paths.mdx
@@ -0,0 +1,61 @@
+---
+pcx_content_type: concept
+title: Build watch paths
+description: Reduce compute for your monorepo by specifying paths for Workers Builds to skip
+sidebar:
+ order: 6
+---
+
+When you connect a git repository to Workers, by default a change to any file in the repository will trigger a build. You can configure Workers to include or exclude specific paths to specify if Workers should skip a build for a given path. This can be especially helpful if you are using a monorepo project structure and want to limit the amount of builds being kicked off.
+
+## Configure paths
+
+To configure which paths are included and excluded:
+
+1. In **Overview**, select your Workers project.
+2. Go to **Settings** > **Build** > **Build watch paths**. Workers will default to setting your project’s includes paths to everything (\[\*]) and excludes paths to nothing (`[]`).
+
+The configuration fields can be filled in two ways:
+
+- **Static filepaths**: Enter the precise name of the file you are looking to include or exclude (for example, `docs/README.md`).
+- **Wildcard syntax:** Use wildcards to match multiple path directories. You can specify wildcards at the start or end of your rule.
+
+:::note[Wildcard syntax]
+
+A wildcard (`*`) is a character that is used within rules. It can be placed alone to match anything or placed at the start or end of a rule to allow for better control over branch configuration. A wildcard will match zero or more characters.For example, if you wanted to match all branches that started with `fix/` then you would create the rule `fix/*` to match strings like `fix/1`, `fix/bugs`or `fix/`.
+
+:::
+
+For each path in a push event, build watch paths will be evaluated as follows:
+
+- Paths satisfying excludes conditions are ignored first
+- Any remaining paths are checked against includes conditions
+- If any matching path is found, a build is triggered.
Otherwise the build is skipped
+
+Workers will bypass the path matching for a push event and default to building the project if:
+
+- A push event contains 0 file changes, in case a user pushes a empty push event to trigger a build
+- A push event contains 3000+ file changes or 20+ commits
+
+## Examples
+
+### Example 1
+
+If you want to trigger a build from all changes within a set of directories, such as all changes in the folders `project-a/` and `packages/`
+
+- Include paths: `project-a/*, packages/*`
+- Exclude paths: \`\`
+
+### Example 2
+
+If you want to trigger a build for any changes, but want to exclude changes to a certain directory, such as all changes in a docs/ directory
+
+- Include paths: `*`
+- Exclude paths: `docs/*`
+
+### Example 3
+
+If you want to trigger a build for a specific file or specific filetype, for example all files ending in `.md`.
+
+- Include paths: `*.md`
+- Exclude paths: \`\`
diff --git a/src/content/docs/workers/ci-cd/builds/limits-and-pricing.mdx b/src/content/docs/workers/ci-cd/builds/limits-and-pricing.mdx
index 1bee50c720280ec..dd743b8326f3779 100644
--- a/src/content/docs/workers/ci-cd/builds/limits-and-pricing.mdx
+++ b/src/content/docs/workers/ci-cd/builds/limits-and-pricing.mdx
@@ -3,7 +3,7 @@ pcx_content_type: concept
 title: Limits & Pricing
 description: Limits & pricing for Workers Builds
 sidebar:
- order: 6
+ order: 8
 ---
 ## Limits
diff --git a/src/content/docs/workers/ci-cd/builds/troubleshoot.mdx b/src/content/docs/workers/ci-cd/builds/troubleshoot.mdx
index 9f2095f8568dfd0..1a367c2d24ffb0a 100644
--- a/src/content/docs/workers/ci-cd/builds/troubleshoot.mdx
+++ b/src/content/docs/workers/ci-cd/builds/troubleshoot.mdx
@@ -3,7 +3,7 @@ pcx_content_type: troubleshooting
 title: Troubleshooting
 description: Learn about troubleshooting and known issues in Workers Builds.
 sidebar:
- order: 7
+ order: 9
 ---
 Workers Builds provides build logs for every build started. You can view build logs by navigating to your **Worker project** > **Deployments** > **View Build History** > **View Build**.
From b613b032a91e92879e37a97fc5bbe4d8e7dc5ce6 Mon Sep 17 00:00:00 2001
From: Brendan Irvine-Broque
Date: Thu, 24 Oct 2024 23:26:23 -0700
Subject: [PATCH 003/273] Simplify limits to remove Bundled and Unbound references (#17574)
* Simplify limits to remove Bundled and Unbound references So that people don't get mixed up, our docs are confusing right now https://x.com/MicheleRivaCode/status/1846489096547713274
* Added bundled and unbound section
---------
Co-authored-by: ToriLindsay
---
 src/content/docs/workers/platform/limits.mdx | 46 ++++++++++++++------
 1 file changed, 32 insertions(+), 14 deletions(-)
diff --git a/src/content/docs/workers/platform/limits.mdx b/src/content/docs/workers/platform/limits.mdx
index 6e974ae76d6c81d..ddeddb828e22ad7 100644
--- a/src/content/docs/workers/platform/limits.mdx
+++ b/src/content/docs/workers/platform/limits.mdx
@@ -11,9 +11,9 @@ import { Render } from "~/components"; ## Account plan limits -| Feature | Workers Free | Workers Paid ([Bundled](/workers/platform/pricing/#example-pricing-bundled-usage-model), [Unbound](/workers/platform/pricing/#example-pricing-unbound-usage-model)) and [Standard](/workers/platform/pricing/#example-pricing-standard-usage-model) | +| Feature | Workers Free | Workers Paid | | -------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [Subrequests](#subrequests) | 50/request | 50/request ([Bundled](/workers/platform/pricing/#example-pricing-bundled-usage-model)),
1000/request ([Unbound](/workers/platform/pricing/#example-pricing-unbound-usage-model), [Standard](/workers/platform/pricing/#example-pricing-standard-usage-model)) | +| [Subrequests](#subrequests) | 50/request | 1000/request | | [Simultaneous outgoing
connections/request](#simultaneous-open-connections) | 6 | 6 | | [Environment variables](#environment-variables) | 64/Worker | 128/Worker | | [Environment variable
size](#environment-variables) | 5 KB | 5 KB | @@ -56,12 +56,12 @@ Cloudflare does not enforce response limits, but cache limits for [Cloudflare's ## Worker limits -| Feature | Free | [Bundled usage model](/workers/platform/pricing/#example-pricing-bundled-usage-model) | [Unbound](/workers/platform/pricing/#example-pricing-unbound-usage-model) and [Standard](/workers/platform/pricing/#example-pricing-standard-usage-model) usage model | -| ------------------------ | ------------------------------------------ | ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Request](#request) | 100,000 requests/day
1000 requests/min | none | none | -| [Worker memory](#memory) | 128 MB | 128 MB | 128 MB | -| [CPU time](#cpu-time) | 10 ms | 50 ms HTTP request
50 ms [Cron Trigger](/workers/configuration/cron-triggers/) | 30 s HTTP request
15 min [Cron Trigger](/workers/configuration/cron-triggers/) | -| [Duration](#duration) | None | none | 15 min [Cron Trigger](/workers/configuration/cron-triggers/)
15 min [Durable Object Alarm](/durable-objects/api/alarms/)
15 min [Queue Consumer](/queues/configuration/javascript-apis/#consumer) | +| Feature | Workers Free | Workers Paid | +| ------------------------ | ------------------------------------------ | ---------------- | +| [Request](#request) | 100,000 requests/day
1000 requests/min | No limit | +| [Worker memory](#memory) | 128 MB | 128 MB | +| [CPU time](#cpu-time) | 10 ms | 30 s HTTP request
15 min [Cron Trigger](/workers/configuration/cron-triggers/) | +| [Duration](#duration) | No limit | No limit for Workers.
15 min duration limit for [Cron Triggers](/workers/configuration/cron-triggers/), [Durable Object Alarms](/durable-objects/api/alarms/) and [Queue Consumers](/queues/configuration/javascript-apis/#consumer) | ### Duration @@ -91,12 +91,12 @@ Scheduled Workers ([Cron Triggers](/workers/configuration/cron-triggers/)) have ## Cache API limits -| Feature | Workers Free | [Bundled](/workers/platform/pricing/#example-pricing-bundled-usage-model) | [Unbound](/workers/platform/pricing/#example-pricing-unbound-usage-model) and [Standard](/workers/platform/pricing/#example-pricing-standard-usage-model) | -| ---------------------------------------- | ------------ | ------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Maximum object size](#cache-api-limits) | 512 MB | 512 MB | 512 MB | -| [Calls/request](#cache-api-limits) | 50 | 50 | 1,000 | +| Feature | Workers Free | Workers Paid +| ---------------------------------------- | ------------ | ------------ | +| [Maximum object size](#cache-api-limits) | 512 MB | 512 MB | +| [Calls/request](#cache-api-limits) | 50 | 1,000 | -- 50 total `put()`, `match()`, or `delete()` calls per-request, using the same quota as `fetch()`. +Calls/request means the number of calls to `put()`, `match()`, or `delete()` Cache API method per-request, using the same quota as subrequests (`fetch()`). :::note 
@@ -176,7 +176,7 @@ If you make a subrequest from your Worker to a target Worker that runs on a [Cus ### How many subrequests can I make? -The limit for subrequests a Worker can make is 50 per request on the Bundled usage model or 1,000 per request on the Unbound usage model. Each subrequest in a redirect chain counts against this limit. This means that the number of subrequests a Worker makes could be greater than the number of `fetch(request)` calls in the Worker. +You can make 50 subrequests per request on Workers Free, and 1,000 subrequests per request on Workers Paid. Each subrequest in a redirect chain counts against this limit. This means that the number of subrequests a Worker makes could be greater than the number of `fetch(request)` calls in the Worker. For subrequests to internal services like Workers KV and Durable Objects, the subrequest limit is 1,000 per request, regardless of the [usage model](/workers/platform/pricing/#workers) configured for the Worker. 
@@ -304,6 +304,24 @@ You can emit a maximum of 128 KB of data (across `console.log()` statements, exc Refer to the [Workers Trace Event Logpush documentation](/workers/observability/logs/logpush/#limits) for information on the maximum size of fields sent to logpush destinations. +--- + +## Unbound and Bundled plan limits + +:::note +Unbound and Bundled plans have been deprecated and are no longer available for new accounts. +::: + +If your Worker is on an Unbound plan, your limits are exactly the same as the Workers Paid plan. + +If your Worker is on a Bundled plan, your limits are the same as the Workers Paid plan except for the following differences: +* Your limit for [subrequests](/workers/platform/limits/#subrequests) is 50/request +* Your limit for [CPU time](/workers/platform/limits/#cpu-time) is 50ms for HTTP requests and 50ms for [Cron Triggers](/workers/configuration/cron-triggers/) +* You have no [Duration](/workers/platform/limits/#duration) limits for [Cron Triggers](/workers/configuration/cron-triggers/), [Durable Object alarms](/durable-objects/api/alarms/), or [Queue consumers](/queues/configuration/javascript-apis/#consumer) +* Your Cache API limits for calls/requests is 50 + +--- + ## Related resources Review other developer platform resource limits. From a3d19319955d49b462124d4cc9e102050322830b Mon Sep 17 00:00:00 2001 From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Fri, 25 Oct 2024 09:31:36 +0100 Subject: [PATCH 004/273] Adds change log for Logs (#17760) --- src/content/changelogs/logs.yaml | 18 ++++++++++++++++++ src/content/docs/logs/changelog.mdx | 14 ++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 src/content/changelogs/logs.yaml create mode 100644 src/content/docs/logs/changelog.mdx diff --git a/src/content/changelogs/logs.yaml b/src/content/changelogs/logs.yaml new file mode 100644 index 000000000000000..bebf40608eefc5c --- /dev/null +++ b/src/content/changelogs/logs.yaml 
@@ -0,0 +1,18 @@ +--- +link: "/logs/changelog/" +productName: Logs +productLink: "/logs/" +productArea: Core platform +productAreaLink: /fundamentals/reference/changelog/platform/ +entries: + - publish_date: "2024-10-08" + description: |- + - Cloudflare has introduced new fields two Gateway-related datasets in Cloudflare Logs: + + - **Gateway HTTP**: `ApplicationIDs`, `ApplicationNames`, `CategoryIDs`, `CategoryNames`, `DestinationIPContinentCode`, `DestinationIPCountryCode`, `ProxyEndpoint`, `SourceIPContinentCode`, `SourceIPCountryCode`, `VirtualNetworkID`, and `VirtualNetworkName`. + + - **Gateway Network**: `ApplicationIDs`, `ApplicationNames`, `DestinationIPContinentCode`, `DestinationIPCountryCode`, `ProxyEndpoint`, `SourceIPContinentCode`, `SourceIPCountryCode`, `TransportProtocol`, `VirtualNetworkID`, and `VirtualNetworkName`. + + + + diff --git a/src/content/docs/logs/changelog.mdx b/src/content/docs/logs/changelog.mdx new file mode 100644 index 000000000000000..3c538098dcdb122 --- /dev/null +++ b/src/content/docs/logs/changelog.mdx @@ -0,0 +1,14 @@ +--- +pcx_content_type: changelog +title: Changelog +changelog_file_name: + - logs +sidebar: + order: 140 +--- + +import { ProductChangelog } from "~/components"; + +{/* */} + + \ No newline at end of file From 52775e077af4908a80b88ea012341e3db36b80af Mon Sep 17 00:00:00 2001 
From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Fri, 25 Oct 2024 10:31:47 +0100 Subject: [PATCH 005/273] [Speed] Updates deprecation notice (#17763) * Updates deprecation notice * Changes after review. * Update src/content/docs/speed/optimization/content/compression.mdx Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> * Removes note. * Update src/content/changelogs/api-deprecations.yaml --------- Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- src/content/changelogs/api-deprecations.yaml | 2 +- src/content/docs/rules/compression-rules/settings.mdx | 6 +----- src/content/docs/speed/optimization/content/compression.mdx | 2 +- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/src/content/changelogs/api-deprecations.yaml b/src/content/changelogs/api-deprecations.yaml index a73cb0d5c7a8873..d85d6fa4fd08f6a 100644 --- a/src/content/changelogs/api-deprecations.yaml +++ b/src/content/changelogs/api-deprecations.yaml @@ -216,7 +216,7 @@ entries: description: |- Deprecation date: August 15, 2024 - The Brotli setting and its API endpoints are deprecated. After the end of life date, Brotli compression will be enabled by default for all zones. + The Brotli setting and its API endpoints are deprecated. Brotli compression is available for all non-Enterprise zones, and it will be extended to Enterprise zones in the coming year. Deprecated APIs: diff --git a/src/content/docs/rules/compression-rules/settings.mdx b/src/content/docs/rules/compression-rules/settings.mdx index 0ea721d3a9c9ec9..8f578637bb57de6 100644 --- a/src/content/docs/rules/compression-rules/settings.mdx +++ b/src/content/docs/rules/compression-rules/settings.mdx 
@@ -41,7 +41,7 @@ Allowed values are the following: If you specify only _Gzip_, _Brotli_, or _Zstandard_ and no algorithm matches, the response will have no compression. To configure a fallback compression mechanism, add _Auto_ to the list. :::note -The compression applied by the _Default_ option takes into account global configuration settings such as [Enable Brotli compression](/speed/optimization/content/compression/). +The compression applied by the _Default_ option takes into account any configured compression rules that match incoming requests. ::: --- @@ -75,8 +75,4 @@ If you include `none`, `default`, or `auto` in the list, it must be the last val When you specify only the `gzip`, `brotli`, or `zstd` algorithms, if no algorithm matches then the response will have no compression. To configure a fallback compression mechanism, add `auto` to the list. -:::note -The compression applied by the `default` algorithm takes into account global configuration settings such as [Enable Brotli compression](/speed/optimization/content/compression/). -::: - For API examples, refer to the [Examples gallery](/rules/compression-rules/examples/). diff --git a/src/content/docs/speed/optimization/content/compression.mdx b/src/content/docs/speed/optimization/content/compression.mdx index 857687f164658b2..f9b6e847438a6c9 100644 --- a/src/content/docs/speed/optimization/content/compression.mdx +++ b/src/content/docs/speed/optimization/content/compression.mdx 
@@ -94,7 +94,7 @@ application/geo+json Cloudflare's global network can deliver content to website visitors using Gzip compression, Brotli compression, Zstandard compression, or no compression, depending on: - The values visitors provide in the `accept-encoding` request header. -- The value of the [Brotli setting](/speed/optimization/content/compression/) at the zone level. +- Your [Cloudflare plan](#between-visitors-and-cloudflare). - Any configured [compression rule](/rules/compression-rules/) that matches incoming requests. For responses with error status codes, Cloudflare will only compress responses if their error status code is `403` or `404`. For successful response status codes, Cloudflare will only compress responses if their status code is `200`. Responses with other status codes will not be compressed. From 5bf4cc112b9155015bcf3ae2c44cdab024e19dd8 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 25 Oct 2024 12:11:03 +0100 Subject: [PATCH 006/273] [LP] Update custom rules page (#17790) --- .../firewall/custom-rules.mdx | 19 ++++++------------- src/content/docs/waf/custom-rules/index.mdx | 7 ++----- .../docs/waf/custom-rules/skip/options.mdx | 6 ++---- .../partials/waf/custom-rules-intro.mdx | 10 ++++++++++ 4 files changed, 20 insertions(+), 22 deletions(-) create mode 100644 src/content/partials/waf/custom-rules-intro.mdx diff --git a/src/content/docs/learning-paths/application-security/firewall/custom-rules.mdx b/src/content/docs/learning-paths/application-security/firewall/custom-rules.mdx index e1a912916a0ea23..13b2d9ef89bf045 100644 --- a/src/content/docs/learning-paths/application-security/firewall/custom-rules.mdx +++ b/src/content/docs/learning-paths/application-security/firewall/custom-rules.mdx 
@@ -1,23 +1,16 @@ --- -title: Custom Rules +title: Custom rules pcx_content_type: overview sidebar: order: 3 - --- -Cloudflare Rules allows you to make adjustments to requests and responses, configure Cloudflare settings, and trigger specific actions for matching requests. In addition, you can increase your security posture by including security headers to the browser or augmenting request headers with security intelligence. Cloudflare offers many ways to manipulate your traffic: - -1. [**Transform Rules**](/rules/transform/) enable the modification of the URI path, query string, and HTTP headers for both requests and responses on its global network. This feature provides extensive control over HTTP traffic, allowing users to rewrite URLs, modify request and response headers, and apply common adjustments easily. - -2. [**URL normalization rules**](/rules/normalization/) normalizes all requests before they pass to subsequent global network features that accept a URL input, such as WAF custom rules, Workers, and Access. Rule expressions that filter traffic based on URLs will therefore trigger correctly, regardless of the format of the incoming URL. When URL normalization is disabled, Cloudflare forwards the URL to origin in its original form. - -3. [**Redirect rules**](/rules/url-forwarding/) navigates the user from a source URL to a target URL with a specific HTTP status code. This can be done using [single redirects](/rules/url-forwarding/single-redirects/) (per domain) or [bulk redirects](/rules/url-forwarding/bulk-redirects/) (per account). +import { Render } from "~/components"; -4. [**Origin rules**](/rules/origin-rules/) allows you to customize where the incoming traffic will go and with which parameters. Currently you can perform the following overrides: host header, Server Name Indication, DNS record, and destination port. + -5. 
[**Configuration rules**](/rules/configuration-rules/) allows you to customize certain Cloudflare configuration settings for matching incoming requests. +The [custom rules documentation](/waf/custom-rules/) includes examples for common use cases. -6. [**Compression rules**](/rules/compression-rules/) allows you to customize the default behavior, which includes defining preferred compression algorithms for particular file types. +## Skip rules -7. [**Snippets**](/rules/snippets/) provides a flexible way to customize the behavior of your website or application using short pieces of JavaScript code. Use snippets to customize HTTP response headers, implement JWT validation, define complex redirect functionality, and more. +You can skip one or more Cloudflare security features using a custom rule [configured with the _Skip_ action](/waf/custom-rules/skip/). These rules are also known as skip rules. Refer to [Skip options](/waf/custom-rules/skip/options/) for more information on the features you can skip. diff --git a/src/content/docs/waf/custom-rules/index.mdx b/src/content/docs/waf/custom-rules/index.mdx index e401598e63af741..53fca3183eeaa2c 100644 --- a/src/content/docs/waf/custom-rules/index.mdx +++ b/src/content/docs/waf/custom-rules/index.mdx 
@@ -5,12 +5,9 @@ sidebar: order: 5 --- -Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like _Block_ or _Managed Challenge_ on incoming requests according to rules you define. +import { Render } from "~/components"; -Like other rules evaluated by Cloudflare's [Ruleset Engine](/ruleset-engine/), custom rules have the following basic parameters: - -- An [expression](/ruleset-engine/rules-language/expressions/) that specifies the criteria you are matching traffic on using the [Rules language](/ruleset-engine/rules-language/). -- An [action](/ruleset-engine/rules-language/actions/) that specifies what to perform when there is a match for the rule. + Custom rules are evaluated in order, and some actions like _Block_ will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/). diff --git a/src/content/docs/waf/custom-rules/skip/options.mdx b/src/content/docs/waf/custom-rules/skip/options.mdx index 87925809a379482..97de64c7cd9d0a6 100644 --- a/src/content/docs/waf/custom-rules/skip/options.mdx +++ b/src/content/docs/waf/custom-rules/skip/options.mdx @@ -1,11 +1,9 @@ --- -title: Skip options +title: Available skip options pcx_content_type: reference sidebar: order: 4 -head: - - tag: title - content: Available skip options + label: Skip options --- The available skip options in custom rules are the following: diff --git a/src/content/partials/waf/custom-rules-intro.mdx b/src/content/partials/waf/custom-rules-intro.mdx new file mode 100644 index 000000000000000..8b989f5bca6366e --- /dev/null +++ b/src/content/partials/waf/custom-rules-intro.mdx 
@@ -0,0 +1,10 @@ +--- +{} +--- + +Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like _Block_ or _Managed Challenge_ on incoming requests according to rules you define. + +Like other rules evaluated by Cloudflare's [Ruleset Engine](/ruleset-engine/), custom rules have the following basic parameters: + +- An [expression](/ruleset-engine/rules-language/expressions/) that specifies the criteria you are matching traffic on using the [Rules language](/ruleset-engine/rules-language/). +- An [action](/ruleset-engine/rules-language/actions/) that specifies what to perform when there is a match for the rule. From 7e72822846b1ceea45bcd475b94221f6c030a80f Mon Sep 17 00:00:00 2001 From: Jun Lee Date: Fri, 25 Oct 2024 13:13:09 +0100 Subject: [PATCH 007/273] Putting links into text to improve table formatting. (#17791) --- .../hyperdrive/configuration/connect-to-postgres.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/content/docs/hyperdrive/configuration/connect-to-postgres.mdx b/src/content/docs/hyperdrive/configuration/connect-to-postgres.mdx index b1e3ebb4b2491d1..f1665cf9177119b 100644 --- a/src/content/docs/hyperdrive/configuration/connect-to-postgres.mdx +++ b/src/content/docs/hyperdrive/configuration/connect-to-postgres.mdx 
@@ -48,11 +48,11 @@ Hyperdrive uses Workers [TCP socket support](/workers/runtime-apis/tcp-sockets/# | Driver | Documentation | Minimum Version Required | Notes | | ----------------------------- | ---------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Postgres.js (**recommended**) | [https://github.com/porsager/postgres](https://github.com/porsager/postgres) | `postgres@3.4.4` | Supported in both Workers & Pages. | -| node-postgres - `pg` | [https://node-postgres.com/](https://node-postgres.com/) | `pg@8.13.0` | `8.11.4` introduced a bug with URL parsing and will not work. `8.11.5` fixes this. Requires `compatibility_flags = ["nodejs_compat"]` and `compatibility_date = "2024-09-23"` - refer to [Node.js compatibility](/workers/runtime-apis/nodejs). Requires wrangler `3.78.7` or later. | -| Drizzle | [https://orm.drizzle.team/](https://orm.drizzle.team/) | `0.26.2`^ | | -| Kysely | [https://kysely.dev/](https://kysely.dev/) | `0.26.3`^ | | -| [rust-postgres](https://github.com/sfackler/rust-postgres) | [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/) | `v0.19.8` | Use the [`query_typed`](https://docs.rs/postgres/latest/postgres/struct.Client.html#method.query_typed) method for best performance. | +| Postgres.js (**recommended**) | [Postgres.js documentation](https://github.com/porsager/postgres) | `postgres@3.4.4` | Supported in both Workers & Pages. | +| node-postgres - `pg` | [node-postgres - `pg` documentation](https://node-postgres.com/) | `pg@8.13.0` | `8.11.4` introduced a bug with URL parsing and will not work. `8.11.5` fixes this. 
Requires `compatibility_flags = ["nodejs_compat"]` and `compatibility_date = "2024-09-23"` - refer to [Node.js compatibility](/workers/runtime-apis/nodejs). Requires wrangler `3.78.7` or later. | +| Drizzle | [Drizzle documentation](https://orm.drizzle.team/) | `0.26.2`^ | | +| Kysely | [Kysely documentation](https://kysely.dev/) | `0.26.3`^ | | +| [rust-postgres](https://github.com/sfackler/rust-postgres) | [rust-postgres documentation](https://docs.rs/postgres/latest/postgres/) | `v0.19.8` | Use the [`query_typed`](https://docs.rs/postgres/latest/postgres/struct.Client.html#method.query_typed) method for best performance. | ^ _The marked libraries use `node-postgres` as a dependency._ From 7514d5c5494a689486e1662ffe2e234a1029a698 Mon Sep 17 00:00:00 2001 From: Thomas Gauvin <35609369+thomasgauvin@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:51:54 -0400 Subject: [PATCH 008/273] Update limits for KV (#17772) * Update limits.mdx * Update src/content/docs/kv/platform/limits.mdx * Update src/content/docs/kv/platform/limits.mdx * Update limits_increase.mdx --- src/content/docs/kv/platform/limits.mdx | 1 + src/content/partials/workers/limits_increase.mdx | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/content/docs/kv/platform/limits.mdx b/src/content/docs/kv/platform/limits.mdx index 668e17267944727..38166ad8b87608e 100644 --- a/src/content/docs/kv/platform/limits.mdx +++ b/src/content/docs/kv/platform/limits.mdx @@ -23,6 +23,7 @@ import { Render } from "~/components" | Key size | 512 bytes | 512 bytes | | Key metadata | 1024 bytes | 1024 bytes | | Value size | 25 MiB | 25 MiB | +| Minimum [`cacheTtl`](/kv/api/read-key-value-pairs/#cachettl-parameter) | 60 seconds | 60 seconds | diff --git a/src/content/partials/workers/limits_increase.mdx b/src/content/partials/workers/limits_increase.mdx index 22efe9495603e52..e5fa0351f7a8510 100644 --- a/src/content/partials/workers/limits_increase.mdx 
+++ b/src/content/partials/workers/limits_increase.mdx @@ -6,7 +6,7 @@ :::note[Need a higher limit?] -To request an increase to a limit, complete the [Limit Increase Request Form](https://forms.gle/ukpeZVLWLnKeixDu7). If the limit can be increased, Cloudflare will contact you with next steps. +To request an adjustment to a limit, complete the [Limit Increase Request Form](https://forms.gle/ukpeZVLWLnKeixDu7). If the limit can be increased, Cloudflare will contact you with next steps. ::: From 3a799642c71b71e53c9ad6ea53e5379898d28675 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Fri, 25 Oct 2024 14:20:40 +0100 Subject: [PATCH 009/273] [BYOIP] Introduce service bindings and link to API (#17220) * Bring index.md from previous full-fledged PR * Move index.mdx into its own page and remove reference to guide * Apply suggestions from code review Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --------- Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- src/content/docs/byoip/service-bindings.mdx | 32 +++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 src/content/docs/byoip/service-bindings.mdx diff --git a/src/content/docs/byoip/service-bindings.mdx b/src/content/docs/byoip/service-bindings.mdx new file mode 100644 index 000000000000000..c5af3466f07df93 --- /dev/null +++ b/src/content/docs/byoip/service-bindings.mdx 
@@ -0,0 +1,32 @@ +--- +title: IP address service bindings +pcx_content_type: concept +sidebar: + order: 6 + label: Service bindings +description: In IP address management, service binding refers to the association of IPs to specific Cloudflare services. Review the available options and the API endpoints to set up service bindings. +--- + +Within IP address management, service binding refers to the association of an IP (or a range of IPs) to specific Cloudflare services. + +:::note +Service binding operations are currently only available via API. You can find all endpoints and their specifications in the [Cloudflare API documentation](/api/operations/ip-address-management-service-bindings-list-service-bindings). +::: + +## Scope + +Currently, if you have BYOIP configured with [Magic Transit](/magic-transit/), you can use the [service binding API](/api/operations/ip-address-management-service-bindings-list-service-bindings) endpoints to add CDN or Spectrum capabilities on top of Magic Transit. + +### CDN (Cache) + +When you add the CDN service binding, any HTTP requests received via designated IPs are directed into the CDN pipeline (for [Layer 7 processing](/fundamentals/concepts/how-cloudflare-works/#how-cloudflare-works-as-a-reverse-proxy)) as they reach the Cloudflare network. + +### Spectrum + +Adding [Spectrum](/spectrum/) allows you to benefit from Cloudflare security and performance for Layer 4 traffic. + +## Limitations + +- It is currently not possible to use both Spectrum and CDN together with the Magic Transit service. You must choose one or the other when upgrading your IPs. +- You must keep Magic Transit as a common base service, spanning all addresses in your prefix. +- Once a service binding is created, its propagation across the Cloudflare network will take four to six hours to complete. \ No newline at end of file From ea604b03ac2b828b4d77547fc751e7e46d44cd75 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:53:23 +0100 Subject: [PATCH 010/273] [Docs Site] Bump @cloudflare/vitest-pool-workers from 0.5.20 to 0.5.22 (#17777) Bumps [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers) from 0.5.20 to 0.5.22. - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md) - [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.5.22/packages/vitest-pool-workers) --- updated-dependencies: - dependency-name: "@cloudflare/vitest-pool-workers" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 110 ++++++++++++++++++++++++---------------------- package.json | 2 +- 2 files changed, 58 insertions(+), 54 deletions(-) diff --git a/package-lock.json b/package-lock.json index 336c4643169400f..fd3ad03ba8a7c30 100644 --- a/package-lock.json +++ b/package-lock.json @@ -18,7 +18,7 @@ "@astrojs/starlight-tailwind": "^2.0.3", "@astrojs/tailwind": "^5.1.2", "@cloudflare/puppeteer": "^0.0.14", - "@cloudflare/vitest-pool-workers": "^0.5.20", + "@cloudflare/vitest-pool-workers": "^0.5.22", "@cloudflare/workers-types": "^4.20241022.0", "@codingheads/sticky-header": "^1.0.2", "@stoplight/json-schema-tree": "^4.0.0", 
@@ -1669,18 +1669,18 @@ } }, "node_modules/@cloudflare/vitest-pool-workers": { - "version": "0.5.20", - "resolved": "https://registry.npmjs.org/@cloudflare/vitest-pool-workers/-/vitest-pool-workers-0.5.20.tgz", - "integrity": "sha512-azNr2+lQaoGoUul678tEIX/Ptj38M+AlUqKac1gMAsVGozexr6F5/CuIoz1I355hXumlEE/nqKl9VlhiqArJtQ==", + "version": "0.5.22", + "resolved": "https://registry.npmjs.org/@cloudflare/vitest-pool-workers/-/vitest-pool-workers-0.5.22.tgz", + "integrity": "sha512-Zynt47hQbITDGDVjuI11/NlLuKCByooIVKbCPG0kIu3C4Wr1QcNmzZyhGVxVWKjQDRjXDgbqVN605G+SXy8twg==", "dev": true, "dependencies": { "birpc": "0.2.14", "cjs-module-lexer": "^1.2.3", "devalue": "^4.3.0", "esbuild": "0.17.19", - "miniflare": "3.20241011.0", + "miniflare": "3.20241022.0", "semver": "^7.5.1", - "wrangler": "3.81.0", + "wrangler": "3.83.0", "zod": "^3.22.3" }, "peerDependencies": { @@ -2109,9 +2109,9 @@ } }, "node_modules/@cloudflare/workerd-darwin-64": { - "version": "1.20241011.1", - "resolved": "https://registry.npmjs.org/@cloudflare/workerd-darwin-64/-/workerd-darwin-64-1.20241011.1.tgz", - "integrity": "sha512-gZ2PrMCQ4WdDCB+V6vsB2U2SyYcmgaGMEa3GGjcUfC79L/8so3Vp/bO0eCoLmvttRs39wascZ+JiWL0HpcZUgA==", + "version": "1.20241022.0", + "resolved": "https://registry.npmjs.org/@cloudflare/workerd-darwin-64/-/workerd-darwin-64-1.20241022.0.tgz", + "integrity": "sha512-1NNYun37myMTgCUiPQEJ0cMal4mKZVTpkD0b2tx9hV70xji+frVJcSK8YVLeUm1P+Rw1d/ct8DMgQuCpsz3Fsw==", "cpu": [ "x64" ], 
@@ -2125,9 +2125,9 @@ } }, "node_modules/@cloudflare/workerd-darwin-arm64": { - "version": "1.20241011.1", - "resolved": "https://registry.npmjs.org/@cloudflare/workerd-darwin-arm64/-/workerd-darwin-arm64-1.20241011.1.tgz", - "integrity": "sha512-c26TYtS0e3WZ09nL/a8YaEqveCsTlgDm12ehPMNua9u68sh1KzETMl2G45O934m8UrI3Rhpv2TTecO0S5b9exA==", + "version": "1.20241022.0", + "resolved": "https://registry.npmjs.org/@cloudflare/workerd-darwin-arm64/-/workerd-darwin-arm64-1.20241022.0.tgz", + "integrity": "sha512-FOO/0P0U82EsTLTdweNVgw+4VOk5nghExLPLSppdOziq6IR5HVgP44Kmq5LdsUeHUhwUmfOh9hzaTpkNzUqKvw==", "cpu": [ "arm64" ], @@ -2141,9 +2141,9 @@ } }, "node_modules/@cloudflare/workerd-linux-64": { - "version": "1.20241011.1", - "resolved": "https://registry.npmjs.org/@cloudflare/workerd-linux-64/-/workerd-linux-64-1.20241011.1.tgz", - "integrity": "sha512-pl4xvHNXnm3cYh5GwHadOTQRWt4Ih/gzCOb6RW4n78oNQQydFvpwqYAjbYk32y485feLhdTKXut/MgZAyWnKyQ==", + "version": "1.20241022.0", + "resolved": "https://registry.npmjs.org/@cloudflare/workerd-linux-64/-/workerd-linux-64-1.20241022.0.tgz", + "integrity": "sha512-RsNc19BQJG9yd+ngnjuDeG9ywZG+7t1L4JeglgceyY5ViMNMKVO7Zpbsu69kXslU9h6xyQG+lrmclg3cBpnhYA==", "cpu": [ "x64" ], @@ -2157,9 +2157,9 @@ } }, "node_modules/@cloudflare/workerd-linux-arm64": { - "version": "1.20241011.1", - "resolved": "https://registry.npmjs.org/@cloudflare/workerd-linux-arm64/-/workerd-linux-arm64-1.20241011.1.tgz", - "integrity": "sha512-I4HAF2Qe8xgIjAdE53viT2fDdHXkrb3Be0L3eWeeP5SEkOtQ4cHLqsOV7yhUWOJpHiI1XCDcf+wdfn0PB/EngQ==", + "version": "1.20241022.0", + "resolved": "https://registry.npmjs.org/@cloudflare/workerd-linux-arm64/-/workerd-linux-arm64-1.20241022.0.tgz", + "integrity": "sha512-x5mUXpKxfsosxcFmcq5DaqLs37PejHYVRsNz1cWI59ma7aC4y4Qn6Tf3i0r9MwQTF/MccP4SjVslMU6m4W7IaA==", "cpu": [ "arm64" ], 
@@ -2173,9 +2173,9 @@ } }, "node_modules/@cloudflare/workerd-windows-64": { - "version": "1.20241011.1", - "resolved": "https://registry.npmjs.org/@cloudflare/workerd-windows-64/-/workerd-windows-64-1.20241011.1.tgz", - "integrity": "sha512-oVr1Cb7NkDpukd7v68FdxOH8vaHRSzHkX9uE/IttHd2yPK6mwOS220nIxK9UMcx5CwZmrgphRwtZwSYVk/lREQ==", + "version": "1.20241022.0", + "resolved": "https://registry.npmjs.org/@cloudflare/workerd-windows-64/-/workerd-windows-64-1.20241022.0.tgz", + "integrity": "sha512-eBCClx4szCOgKqOlxxbdNszMqQf3MRG1B9BRIqEM/diDfdR9IrZ8l3FaEm+l9gXgPmS6m1NBn40aWuGBl8UTSw==", "cpu": [ "x64" ], @@ -2189,11 +2189,10 @@ } }, "node_modules/@cloudflare/workers-shared": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/@cloudflare/workers-shared/-/workers-shared-0.6.0.tgz", - "integrity": "sha512-rfUCvb3hx4AsvdUZsxgk9lmgEnQehqV3jdtXLP/Xr0+P56n11T/0nXNMzmn7Nnv+IJFOV6X9NmFhuMz4sBPw7w==", + "version": "0.7.0", + "resolved": "https://registry.npmjs.org/@cloudflare/workers-shared/-/workers-shared-0.7.0.tgz", + "integrity": "sha512-LLQRTqx7lKC7o2eCYMpyc5FXV8d0pUX6r3A+agzhqS9aoR5A6zCPefwQGcvbKx83ozX22ATZcemwxQXn12UofQ==", "dev": true, - "license": "MIT OR Apache-2.0", "dependencies": { "mime": "^3.0.0", "zod": "^3.22.3" @@ -7147,8 +7146,7 @@ "version": "6.1.4", "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz", "integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==", - "dev": true, - "license": "MIT" + "dev": true }, "node_modules/degenerator": { "version": "5.0.1", 
@@ -9791,6 +9789,12 @@ "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", "dev": true }, + "node_modules/itty-time": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/itty-time/-/itty-time-1.0.6.tgz", + "integrity": "sha512-+P8IZaLLBtFv8hCkIjcymZOp4UJ+xW6bSlQsXGqrkmJh7vSiMFSlNne0mCYagEE0N7HDNR5jJBRxwN0oYv61Rw==", + "dev": true + }, "node_modules/jackspeak": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.0.tgz", @@ -11517,9 +11521,9 @@ } }, "node_modules/miniflare": { - "version": "3.20241011.0", - "resolved": "https://registry.npmjs.org/miniflare/-/miniflare-3.20241011.0.tgz", - "integrity": "sha512-Mb3U9+QvKgIUl9LgHwBxEz8WajMRYqO5mMHRtO8yHjNCLGh24I6Ts9z13zRAYGPDd1xBQ1o983fHT9S+tn6r+A==", + "version": "3.20241022.0", + "resolved": "https://registry.npmjs.org/miniflare/-/miniflare-3.20241022.0.tgz", + "integrity": "sha512-x9Fbq1Hmz1f0osIT9Qmj78iX4UpCP2EqlZnA/tzj/3+I49vc3Kq0fNqSSKplcdf6HlCHdL3fOBicmreQF4BUUQ==", "dev": true, "dependencies": { "@cspotcode/source-map-support": "0.8.1", @@ -11530,7 +11534,7 @@ "glob-to-regexp": "^0.4.1", "stoppable": "^1.1.0", "undici": "^5.28.4", - "workerd": "1.20241011.1", + "workerd": "1.20241022.0", "ws": "^8.17.1", "youch": "^3.2.2", "zod": "^3.22.3" @@ -11919,8 +11923,7 @@ "version": "1.1.4", "resolved": "https://registry.npmjs.org/ohash/-/ohash-1.1.4.tgz", "integrity": "sha512-FlDryZAahJmEF3VR3w1KogSEdWX3WhA5GPakFx4J81kEAiHyLMpdLLElS8n8dfNadMgAne/MywcvmogzscVt4g==", - "dev": true, - "license": "MIT" + "dev": true }, "node_modules/once": { "version": "1.4.0", 
@@ -15762,11 +15765,10 @@ }, "node_modules/unenv": { "name": "unenv-nightly", - "version": "2.0.0-20241009-125958-e8ea22f", - "resolved": "https://registry.npmjs.org/unenv-nightly/-/unenv-nightly-2.0.0-20241009-125958-e8ea22f.tgz", - "integrity": "sha512-hRxmKz1iSVRmuFx/vBdPsx7rX4o7Cas9vdjDNeUeWpQTK2LzU3Xy3Jz0zbo7MJX0bpqo/LEFCA+GPwsbl6zKEQ==", + "version": "2.0.0-20241018-011344-e666fcf", + "resolved": "https://registry.npmjs.org/unenv-nightly/-/unenv-nightly-2.0.0-20241018-011344-e666fcf.tgz", + "integrity": "sha512-D00bYn8rzkCBOlLx+k1iHQlc69jvtJRT7Eek4yIGQ6461a2tUBjngGZdRpqsoXAJCz/qBW0NgPting7Zvg+ysg==", "dev": true, - "license": "MIT", "dependencies": { "defu": "^6.1.4", "ohash": "^1.1.4", @@ -16699,9 +16701,9 @@ "license": "Unlicense" }, "node_modules/workerd": { - "version": "1.20241011.1", - "resolved": "https://registry.npmjs.org/workerd/-/workerd-1.20241011.1.tgz", - "integrity": "sha512-ORobT1XDkE+p+36yk6Szyw68bWuGSmuwIlDnAeUOfnYunb/Txt0jg7ydzfwr4UIsof7AH5F1nqZms5PWLu05yw==", + "version": "1.20241022.0", + "resolved": "https://registry.npmjs.org/workerd/-/workerd-1.20241022.0.tgz", + "integrity": "sha512-jyGXsgO9DRcJyx6Ovv7gUyDPc3UYC2i/E0p9GFUg6GUzpldw4Y93y9kOmdfsOnKZ3+lY53veSiUniiBPE6Q2NQ==", "dev": true, "hasInstallScript": true, "bin": { 
@@ -16711,35 +16713,37 @@ "node": ">=16" }, "optionalDependencies": { - "@cloudflare/workerd-darwin-64": "1.20241011.1", - "@cloudflare/workerd-darwin-arm64": "1.20241011.1", - "@cloudflare/workerd-linux-64": "1.20241011.1", - "@cloudflare/workerd-linux-arm64": "1.20241011.1", - "@cloudflare/workerd-windows-64": "1.20241011.1" + "@cloudflare/workerd-darwin-64": "1.20241022.0", + "@cloudflare/workerd-darwin-arm64": "1.20241022.0", + "@cloudflare/workerd-linux-64": "1.20241022.0", + "@cloudflare/workerd-linux-arm64": "1.20241022.0", + "@cloudflare/workerd-windows-64": "1.20241022.0" } }, "node_modules/wrangler": { - "version": "3.81.0", - "resolved": "https://registry.npmjs.org/wrangler/-/wrangler-3.81.0.tgz", - "integrity": "sha512-sa5dhLJAMmYtl/dJWDJ92sdnKj0VUC0DYBfGqbhd5xn7CDdn1oGhICDXtx2E6BNhQ1L+4d9oAcP/oQvOs5gKLA==", + "version": "3.83.0", + "resolved": "https://registry.npmjs.org/wrangler/-/wrangler-3.83.0.tgz", + "integrity": "sha512-qDzdUuTngKqmm2OJUZm7Gk4+Hv37F2nNNAHuhIgItEIhxBdOVDsgKmvpd+f41MFxyuGg3fbGWYANHI+0V2Z5yw==", "dev": true, "dependencies": { "@cloudflare/kv-asset-handler": "0.3.4", - "@cloudflare/workers-shared": "0.6.0", + "@cloudflare/workers-shared": "0.7.0", "@esbuild-plugins/node-globals-polyfill": "^0.2.3", "@esbuild-plugins/node-modules-polyfill": "^0.2.2", "blake3-wasm": "^2.1.5", "chokidar": "^3.5.3", + "date-fns": "^4.1.0", "esbuild": "0.17.19", - "miniflare": "3.20241011.0", + "itty-time": "^1.0.6", + "miniflare": "3.20241022.0", "nanoid": "^3.3.3", "path-to-regexp": "^6.3.0", "resolve": "^1.22.8", "resolve.exports": "^2.0.2", "selfsigned": "^2.0.1", "source-map": "^0.6.1", - "unenv": "npm:unenv-nightly@2.0.0-20241009-125958-e8ea22f", - "workerd": "1.20241011.1", + "unenv": "npm:unenv-nightly@2.0.0-20241018-011344-e666fcf", + "workerd": "1.20241022.0", "xxhash-wasm": "^1.0.1" }, "bin": { 
@@ -16753,7 +16757,7 @@ "fsevents": "~2.3.2" }, "peerDependencies": { - "@cloudflare/workers-types": "^4.20241011.0" + "@cloudflare/workers-types": "^4.20241022.0" }, "peerDependenciesMeta": { "@cloudflare/workers-types": { diff --git a/package.json b/package.json index a83e3144603b2ba..4d21b64f96a85bc 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,7 @@ "@astrojs/starlight-tailwind": "^2.0.3", "@astrojs/tailwind": "^5.1.2", "@cloudflare/puppeteer": "^0.0.14", - "@cloudflare/vitest-pool-workers": "^0.5.20", + "@cloudflare/vitest-pool-workers": "^0.5.22", "@cloudflare/workers-types": "^4.20241022.0", "@codingheads/sticky-header": "^1.0.2", "@stoplight/json-schema-tree": "^4.0.0", From 62a7eff75ec7d05dd9eb7e9835ef6d551cc19d60 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:53:59 +0100 Subject: [PATCH 011/273] [Docs Site] Bump astro from 4.16.6 to 4.16.7 (#17737) Bumps [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) from 4.16.6 to 4.16.7. - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@4.16.7/packages/astro) --- updated-dependencies: - dependency-name: astro dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 27 +++++++++++++-------------- package.json | 2 +- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/package-lock.json b/package-lock.json index fd3ad03ba8a7c30..db52de2fc938a95 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -28,7 +28,7 @@ "@types/react": "^18.3.12", "@types/react-dom": "^18.3.1", "algoliasearch": "^5.10.2", - "astro": "^4.16.6", + "astro": "^4.16.7", "astro-breadcrumbs": "^3.2.0", "astro-icon": "^1.1.1", "astro-live-code": "^0.0.3", @@ -4722,9 +4722,9 @@ "dev": true }, "node_modules/acorn": { - "version": "8.12.1", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.1.tgz", - "integrity": "sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==", + "version": "8.13.0", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.13.0.tgz", + "integrity": "sha512-8zSiw54Oxrdym50NlZ9sUusyO1Z1ZchgRLWRaK6c86XJFClyCgFKetdowBg5bKxyp/u+CDBJG4Mpp0m3HLZl9w==", "dev": true, "bin": { "acorn": "bin/acorn" @@ -5058,9 +5058,9 @@ } }, "node_modules/astro": { - "version": "4.16.6", - "resolved": "https://registry.npmjs.org/astro/-/astro-4.16.6.tgz", - "integrity": "sha512-LMMbjr+4aN26MOyJzTdjM+Y+srpAIkx7IX9IcdF3eHQLGr8PgkioZp+VQExRfioDIyA2HY6ottVg3QccTzJqYA==", + "version": "4.16.7", + "resolved": "https://registry.npmjs.org/astro/-/astro-4.16.7.tgz", + "integrity": "sha512-nON+8MUEkWTFwXbS4zsQIq4t0Fs42eulM4x236AL+qNnWfqNAOOqAnFxO1dxfJ1q+XopIBbbT9Mtev+0zH47PQ==", "dev": true, "dependencies": { "@astrojs/compiler": "^2.10.3", @@ -5074,7 +5074,7 @@ "@rollup/pluginutils": "^5.1.2", "@types/babel__core": "^7.20.5", "@types/cookie": "^0.6.0", - "acorn": "^8.12.1", + "acorn": "^8.13.0", "aria-query": "^5.3.2", "axobject-query": "^4.1.0", "boxen": "8.0.1", @@ -5113,7 +5113,7 @@ "rehype": "^13.0.2", "semver": "^7.6.3", "shiki": "^1.22.0", - "tinyexec": "^0.3.0", + "tinyexec": "^0.3.1", "tsconfck": "^3.1.4", "unist-util-visit": "^5.0.0", "vfile": "^6.0.3", 
@@ -14985,11 +14985,10 @@ "license": "MIT" }, "node_modules/tinyexec": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-0.3.0.tgz", - "integrity": "sha512-tVGE0mVJPGb0chKhqmsoosjsS+qUnJVGJpZgsHYQcGoPlG3B51R3PouqTgEGH2Dc9jjFyOqOpix6ZHNMXp1FZg==", - "dev": true, - "license": "MIT" + "version": "0.3.1", + "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-0.3.1.tgz", + "integrity": "sha512-WiCJLEECkO18gwqIp6+hJg0//p23HXp4S+gGtAKu3mI2F2/sXC4FvHvXvB0zJVVaTPhx1/tOwdbRsa1sOBIKqQ==", + "dev": true }, "node_modules/tinypool": { "version": "1.0.1",
diff --git a/package.json b/package.json
index 4d21b64f96a85bc..1e680b999be6d9f 100644
--- a/package.json
+++ b/package.json
@@ -40,7 +40,7 @@
 "@types/react": "^18.3.12",
 "@types/react-dom": "^18.3.1",
 "algoliasearch": "^5.10.2",
- "astro": "^4.16.6",
+ "astro": "^4.16.7",
 "astro-breadcrumbs": "^3.2.0",
 "astro-icon": "^1.1.1",
 "astro-live-code": "^0.0.3",
From b1bba94f1e4364e5ac822b3201ed4614e57b82e4 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com>
Date: Fri, 25 Oct 2024 16:55:50 +0100
Subject: [PATCH 012/273] [BYOIP] Clarify same prefix individual IPs can have either CDN or Spectrum (#17792)
---
 src/content/docs/byoip/service-bindings.mdx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/content/docs/byoip/service-bindings.mdx b/src/content/docs/byoip/service-bindings.mdx
index c5af3466f07df93..90a4f0674a36769 100644
--- a/src/content/docs/byoip/service-bindings.mdx
+++ b/src/content/docs/byoip/service-bindings.mdx
@@ -17,6 +17,8 @@ Service binding operations are currently only available via API. You can find al
 Currently, if you have BYOIP configured with [Magic Transit](/magic-transit/), you can use the [service binding API](/api/operations/ip-address-management-service-bindings-list-service-bindings) endpoints to add CDN or Spectrum capabilities on top of Magic Transit.
+You can upgrade individual IPs within a Magic Transit prefix to either a CDN IP or a Spectrum IP. For example, if you have `203.0.113.0/24`, you can upgrade `203.0.113.1` to CDN and `203.0.113.2` to Spectrum.
+
 ### CDN (Cache)
 When you add the CDN service binding, any HTTP requests received via designated IPs are directed into the CDN pipeline (for [Layer 7 processing](/fundamentals/concepts/how-cloudflare-works/#how-cloudflare-works-as-a-reverse-proxy)) as they reach the Cloudflare network.
@@ -27,6 +29,5 @@ Adding [Spectrum](/spectrum/) allows you to benefit from Cloudflare security and
 ## Limitations
-- It is currently not possible to use both Spectrum and CDN together with the Magic Transit service. You must choose one or the other when upgrading your IPs.
 - You must keep Magic Transit as a common base service, spanning all addresses in your prefix.
 - Once a service binding is created, its propagation across the Cloudflare network will take four to six hours to complete.
\ No newline at end of file
From 5ae0ef68b18e0a1047cf0e16db8570f595c8d478 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com>
Date: Fri, 25 Oct 2024 17:37:42 +0100
Subject: [PATCH 013/273] [DNS] Step-by-step instructions to DNS records how-to (#17697)
* Add Tabs and fill in Dash and API steps for create-zone-apex
* Create dns-record-steps partial and apply to create-subdomain-record
* Replace repeated text in create-zone-apex by new partial
* Specify product to fix render of api-field-definitions in LP
* Clarify subdomain examples adding www and leverage GlossaryTooltip
* Consistently indicate FQDN as CNAME target and remove mention to hostname
* Reword to be more generic
---
 .../how-to/create-zone-apex.mdx | 9 +++++--
 .../partials/dns/create-subdomain-record.mdx | 14 +++++++---
 src/content/partials/dns/dns-record-steps.mdx | 27 +++++++++++++++++++
 3 files changed, 44 insertions(+), 6 deletions(-)
 create mode 100644 src/content/partials/dns/dns-record-steps.mdx
diff --git a/src/content/docs/dns/manage-dns-records/how-to/create-zone-apex.mdx b/src/content/docs/dns/manage-dns-records/how-to/create-zone-apex.mdx
index baa6399fe72da94..d7d37770b8a6881 100644
--- a/src/content/docs/dns/manage-dns-records/how-to/create-zone-apex.mdx
+++ b/src/content/docs/dns/manage-dns-records/how-to/create-zone-apex.mdx
@@ -6,11 +6,11 @@ sidebar:
 ---
-import { Example } from "~/components"
+import { Example, Render } from "~/components"
 When you add a domain to Cloudflare, you may also need to create a DNS record on your zone apex (`example.com`).
-To do this, create a corresponding [`A`, `AAAA`, or `CNAME` record](/dns/manage-dns-records/how-to/create-dns-records/) using `@` for the **Name**.
+To do this, create an [IP address resolution record](/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution) (`A`, `AAAA`, or `CNAME`) using `@` for the **Name**, as in the following example.
@@ -20,6 +20,11 @@ To do this, create a corresponding [`A`, `AAAA`, or `CNAME` record](/dns/manage-
+
+
 ## Domain redirects
 Once you create a domain, you may want to route that traffic to other places.
diff --git a/src/content/partials/dns/create-subdomain-record.mdx b/src/content/partials/dns/create-subdomain-record.mdx
index f2f0537227b9d2c..b61185f81a4cf05 100644
--- a/src/content/partials/dns/create-subdomain-record.mdx
+++ b/src/content/partials/dns/create-subdomain-record.mdx
@@ -3,20 +3,26 @@
 ---
-import { Example } from "~/components"
+import { Example, Render } from "~/components";
 Most subdomains serve a specific purpose within the overall context of your website. For example, `blog.example.com` might be your blog, `support.example.com` could be your customer help portal, and `store.example.com` would be your e-commerce site.
 ## Subdomain records
-To create a new subdomain, you would first add the subdomain content at your host.
+To create a new subdomain, you would first add the subdomain content at your [host](/fundamentals/setup/manage-domains/#host-your-domain).
-Then, you would create a corresponding [`A`, `AAAA`, or `CNAME` record](/dns/manage-dns-records/how-to/create-dns-records/) for that subdomain (`blog`, `store`).
+Then, you would create a corresponding [IP address resolution record](/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution) (`A`, `AAAA`, or `CNAME`), specifying the subdomain (`blog`, `www`, or `store`, for example) as the record **Name**.
 | Type | Name | IPv4 address | Proxy status |
 | ---- | ----- | ------------ | ------------ |
-| A | `www` | `192.0.2.1` | Proxied |
+| A | `blog` | `192.0.2.1` | Proxied |
+
+
+
\ No newline at end of file
diff --git a/src/content/partials/dns/dns-record-steps.mdx b/src/content/partials/dns/dns-record-steps.mdx
new file mode 100644
index 000000000000000..5b7cf2f4a1cda4e
--- /dev/null
+++ b/src/content/partials/dns/dns-record-steps.mdx
@@ -0,0 +1,27 @@
+---
+params:
+ - name
+ - example
+---
+
+import { Tabs, TabItem, Render, GlossaryTooltip } from "~/components";
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and zone.
+2. Go to **DNS** > **Records** and select **Add record**.
+3. Select `A`, `AAAA`, or `CNAME` as the record **Type**, according to your needs:
+ - To point to an IPv4 address, select `A`, use {props.name} ({props.example}) for the record **Name**, and insert the IPv4 address in the respective field.
+ - To point to an IPv6 address, select `AAAA`, use {props.name} ({props.example}) for the record **Name**, and insert the IPv6 address in the respective field.
+ - To point to a [fully qualified domain name (FQDN)](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) (such as `your-site.host.example.com`), select `CNAME`, use {props.name} ({props.example}) for the record **Name**, and insert the fully qualified domain name in the **Target** field.
+4. Specify the **Proxy status** and **TTL** according to your needs.
+5. Select **Save** to confirm.
+
+Use the [Create DNS Record API endpoint](/api/operations/dns-records-for-a-zone-create-dns-record).
+ - To point to an IPv4 address, select **A Record**, use {props.name} ({props.example}) for the field `name`, and use the IPv4 address for the field `content`.
+ - To point to an IPv6 address, select **AAAA Record**, use {props.name} ({props.example}) for the field `name`, and use the IPv6 address for the field `content`.
+ - To point to a [fully qualified domain name (FQDN)](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) (such as `your-site.host.example.com`), select **CNAME Record**, use {props.name} ({props.example}) for the field `name`, and use the fully qualified domain name for the field `content`.
+
\ No newline at end of file
From 13d76277e4c3163928752dd4026c8f3d0b4929a8 Mon Sep 17 00:00:00 2001
From: emily-shen <69125074+emily-shen@users.noreply.github.com>
Date: Fri, 25 Oct 2024 23:25:27 +0100
Subject: [PATCH 014/273] add info about `.dev.vars.` (#17594)
---
 src/content/partials/workers/secrets-in-dev.mdx | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/content/partials/workers/secrets-in-dev.mdx b/src/content/partials/workers/secrets-in-dev.mdx
index f9f2f53c9e34d8d..9f95cf6c5cee8ad 100644
--- a/src/content/partials/workers/secrets-in-dev.mdx
+++ b/src/content/partials/workers/secrets-in-dev.mdx
@@ -11,3 +11,5 @@ The `.dev.vars` file should be formatted like a `dotenv` file, such as `KEY="VAL
 SECRET_KEY="value"
 API_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
 ```
+
+You can set secrets per environment by creating additional files with the naming convention `.dev.vars.`. Like other environment variables, secrets are [non-inheritable](/workers/wrangler/configuration/#non-inheritable-keys) and must be defined per environment.
From 6ee98a5ab2d4f148e86946eebae4abc92715833a Mon Sep 17 00:00:00 2001
From: Matt Silverlock
Date: Sat, 26 Oct 2024 07:21:05 -0400
Subject: [PATCH 015/273] workflows: fix variable name (#17799)
---
 src/content/docs/workflows/build/trigger-workflows.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/workflows/build/trigger-workflows.mdx b/src/content/docs/workflows/build/trigger-workflows.mdx
index 3dbf0b7790a5f44..df902086155b387 100644
--- a/src/content/docs/workflows/build/trigger-workflows.mdx
+++ b/src/content/docs/workflows/build/trigger-workflows.mdx
@@ -68,7 +68,7 @@ export default {
 // If an ?instanceId= query parameter is provided, fetch the status
 // of an existing Workflow by its ID.
 if (instanceId) {
-let instance = await env.MY_WORKFLOW.get(id);
+let instance = await env.MY_WORKFLOW.get(instanceId);
 return Response.json({
 status: await instance.status(),
 });
From fa2df6ed472cea7563a07df0a555240f7dcd0a5f Mon Sep 17 00:00:00 2001
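Review bot: The corrected call passes the raw `?instanceId=` query value straight to `env.MY_WORKFLOW.get()`, and nothing in the hunk validates it or catches a failed lookup, so a request carrying an unknown or malformed ID would most likely surface as an unhandled error from the handler rather than a deliberate not-found reply. Because this is sample code that readers copy into their own Workers, consider guarding the lookup, for example wrapping the `get()`/`status()` pair in `try { … } catch { return Response.json({ error: "instance not found" }, { status: 404 }); }`. Whether `get()` rejects or resolves to something empty for an unknown ID is not shown on this page, so the exact branch should follow the binding's documented behaviour. The enclosing handler starts and ends outside the hunk.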
From: nenizera
Date: Mon, 28 Oct 2024 04:48:16 -0300
Subject: [PATCH 016/273] Update troubleshooting-other-errors.mdx (#17808)
Origin web server.
---
 .../cloudflare-errors/troubleshooting-other-errors.mdx | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/content/docs/support/troubleshooting/cloudflare-errors/troubleshooting-other-errors.mdx b/src/content/docs/support/troubleshooting/cloudflare-errors/troubleshooting-other-errors.mdx
index c8a800a9c954a01..87505263fa588b6 100644
--- a/src/content/docs/support/troubleshooting/cloudflare-errors/troubleshooting-other-errors.mdx
+++ b/src/content/docs/support/troubleshooting/cloudflare-errors/troubleshooting-other-errors.mdx
@@ -5,7 +5,7 @@ source: null
 ---
-Some other type of errors might be returned to visitors for proxied requests depending on the origin configuration.
+Some other type of errors might be returned to visitors for proxied requests depending on the origin web server configuration.
 :::caution
@@ -30,10 +30,10 @@ These errors are usually due to an issue on the origin web server configuration,
 * A malformed HTTP response header on the origin web server.
-**Resolution**: Make a request directly to your origin server and take a look at the HTTP response headers and see if you can see anything that looks abnormal.
+**Resolution**: Make a request directly to your origin web server and take a look at the HTTP response headers and see if you can see anything that looks abnormal. Make sure that the field values are respecting the following requirements: [RFC 9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.5), [RFC 9113](https://www.rfc-editor.org/rfc/rfc9113.html#section-8.2.1) and [RFC 5234](https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1).
-* A compression issue, for example the origin server is serving gzip encoded compressed content but is not updating the `content-length` header, or the origin is serving broken gzip compressed content.
+* A compression issue, for example the origin web server is serving gzip encoded compressed content but is not updating the `content-length` header, or the origin web server is serving broken gzip compressed content.
-**Resolution**: In this case you can try to disable compression at your origin and rely on Cloudflare to [compress content](/speed/optimization/content/compression/)
+**Resolution**: In this case you can try to disable compression at your origin web server and rely on Cloudflare to [compress content](/speed/optimization/content/compression/) You can also investigate the configuration of your origin server to make sure the compression is working as expected.
From a8c34258ac39bb7ad900994e514652c2c725c9d3 Mon Sep 17 00:00:00 2001
From: Bill Chambers
Date: Mon, 28 Oct 2024 03:01:00 -0700
Subject: [PATCH 017/273] [Docs] Clarify NonStandardQuotes validation rule message (#17795)
---
 .github/styles/cloudflare/NonStandardQuotes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/styles/cloudflare/NonStandardQuotes.yml b/.github/styles/cloudflare/NonStandardQuotes.yml
index 36a76b8006cf0ce..360882d1ede6b8e 100644
--- a/.github/styles/cloudflare/NonStandardQuotes.yml
+++ b/.github/styles/cloudflare/NonStandardQuotes.yml
@@ -5,7 +5,7 @@
 #
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
-message: "Use standard single quotes or double quotes only. Do not use left or right quotes."
+message: "Use standard single quotes or double quotes only. Do not use any of the following quote mark types: ‘ ’ “ ”. In the text, we found this character: %s"
 level: warning
 ignorecase: true
 link: https://developers.cloudflare.com/style-guide/grammar/punctuation-marks-and-symbols/quotation-marks/
From 3f551388f1be683df6fe5b0fd47f8a6520cf06f2 Mon Sep 17 00:00:00 2001
From: Nathan Clevenger
Date: Mon, 28 Oct 2024 05:14:06 -0500
Subject: [PATCH 018/273] [Workflows] Fixed typo (#17803)
Changed `ad` to `and`
---
 src/content/docs/workflows/build/trigger-workflows.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/workflows/build/trigger-workflows.mdx b/src/content/docs/workflows/build/trigger-workflows.mdx
index df902086155b387..8efa29646664f75 100644
--- a/src/content/docs/workflows/build/trigger-workflows.mdx
+++ b/src/content/docs/workflows/build/trigger-workflows.mdx
@@ -151,7 +151,7 @@ Once stopped, the Workflow instance *cannot* be resumed.
 :::caution
-**Known issue**: Restarting a Workflow via the `restart()` method is not currently supported ad will throw an exception (error).
+**Known issue**: Restarting a Workflow via the `restart()` method is not currently supported and will throw an exception (error).
 :::
From cffe157d6d6b7f1cdeaf224a95ed814c4eb8c8a2 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Mon, 28 Oct 2024 10:55:45 +0000
Subject: [PATCH 019/273] [Page Shield] Update page titles (#17813)
---
 .../best-practices/handle-an-alert.mdx | 6 +--
 .../detection/configure-alerts.mdx | 12 ++----
 .../detection/monitor-connections-scripts.mdx | 3 --
 src/content/docs/page-shield/get-started.mdx | 12 +++---
 .../docs/page-shield/how-it-works/index.mdx | 14 +++----
 .../page-shield/policies/create-dashboard.mdx | 18 ++++-----
 .../docs/page-shield/policies/index.mdx | 17 +++-----
 .../docs/page-shield/reference/alerts.mdx | 40 ++++++++++++++-----
 .../docs/page-shield/reference/pci-dss.mdx | 6 +--
 9 files changed, 62 insertions(+), 66 deletions(-)
diff --git a/src/content/docs/page-shield/best-practices/handle-an-alert.mdx b/src/content/docs/page-shield/best-practices/handle-an-alert.mdx
index a6672e342fd6746..034c648a0a80430 100644
--- a/src/content/docs/page-shield/best-practices/handle-an-alert.mdx
+++ b/src/content/docs/page-shield/best-practices/handle-an-alert.mdx
@@ -1,12 +1,10 @@
 ---
-title: Handle an alert
+title: Handle a Page Shield alert
 pcx_content_type: tutorial
 updated: 2023-03-23
 sidebar:
 order: 2
-head:
- - tag: title
- content: Handle a Page Shield alert
+ label: Handle an alert
 ---
 If you receive a Page Shield alert, sometimes you need to perform some manual investigation to confirm the nature of the script. Use the guidance provided in this page as a starting point for your investigation.
diff --git a/src/content/docs/page-shield/detection/configure-alerts.mdx b/src/content/docs/page-shield/detection/configure-alerts.mdx
index f860ca1d69237c7..ae857ba32555e19 100644
--- a/src/content/docs/page-shield/detection/configure-alerts.mdx
+++ b/src/content/docs/page-shield/detection/configure-alerts.mdx
@@ -1,22 +1,18 @@
 ---
-title: Configure alerts
+title: Configure Page Shield alerts
 pcx_content_type: how-to
 sidebar:
 order: 5
-head:
- - tag: title
- content: Configure Page Shield alerts
+ label: Configure alerts
 description: Configure Page Shield alerts to get notified when new scripts are detected on your domain or when Page Shield detects resources that are likely malicious.
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 :::note
-
-Only available to customers on a Business or Enterprise plan.
+Only available to customers on a Business or Enterprise plan.
 :::
diff --git a/src/content/docs/page-shield/detection/monitor-connections-scripts.mdx b/src/content/docs/page-shield/detection/monitor-connections-scripts.mdx
index 408fdbb20219df7..87cb023c4afb494 100644
--- a/src/content/docs/page-shield/detection/monitor-connections-scripts.mdx
+++ b/src/content/docs/page-shield/detection/monitor-connections-scripts.mdx
@@ -3,9 +3,6 @@ title: Monitor resources and cookies
 pcx_content_type: how-to
 sidebar:
 order: 2
-head:
- - tag: title
- content: Monitor resources and cookies
 ---
 Once you [activate Page Shield](/page-shield/get-started/), the **Monitors** dashboard will show which resources (scripts and connections) are running on your domain, as well as the cookies recently detected in HTTP traffic.
diff --git a/src/content/docs/page-shield/get-started.mdx b/src/content/docs/page-shield/get-started.mdx
index d46a92d964d2a19..a208aa8f9fd0610 100644
--- a/src/content/docs/page-shield/get-started.mdx
+++ b/src/content/docs/page-shield/get-started.mdx
@@ -7,10 +7,9 @@ head:
 - tag: title
 content: Get started with Cloudflare Page Shield
 description: Learn how to set up Page Shield.
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 ## Activate Page Shield
@@ -34,7 +33,7 @@ Depending on your plan, you may be able to also review the connections made by s
 :::note
-Only available to customers on a Business or Enterprise plan.
+Only available to customers on a Business or Enterprise plan.
 :::
@@ -44,16 +43,15 @@ Only available to customers on a Business or Enterprise plan.
 ## Define policies
 :::note
-
-Only available to Enterprise customers with a paid add-on.
+Only available to Enterprise customers with a paid add-on.
 :::
 [Policies](/page-shield/policies/) define allowed resources on your websites. Create policies to implement a positive security model [^1].
-1. [Create a policy](/page-shield/policies/create-dashboard/) with the *Log* action.
+1. [Create a policy](/page-shield/policies/create-dashboard/) with the _Log_ action.
 2. After some time, [review the list of policy violations](/page-shield/policies/violations/) to make sure the policy is correct. Update the policy if needed.
-3. Change the policy action to *Allow* to start blocking resources not covered by the policy.
+3. Change the policy action to _Allow_ to start blocking resources not covered by the policy.
 [^1]: A positive security model is one that defines what is allowed and rejects everything else. In contrast, a negative security model defines what will be rejected and accepts the rest.
diff --git a/src/content/docs/page-shield/how-it-works/index.mdx b/src/content/docs/page-shield/how-it-works/index.mdx
index 77835bdfb1f3602..c170aad8bc79b4c 100644
--- a/src/content/docs/page-shield/how-it-works/index.mdx
+++ b/src/content/docs/page-shield/how-it-works/index.mdx
@@ -1,18 +1,16 @@
 ---
-title: How it works
+title: How Page Shield works
 pcx_content_type: concept
 sidebar:
 order: 3
-head:
- - tag: title
- content: How Page Shield works
+ group:
+ label: How it works
 description: Page Shield tracks resources (such as scripts) loaded by your website visitors and provides alerts when it detects new, changed, or malicious resources.
-
 ---
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip } from "~/components";
 Page Shield helps manage resources loaded by your website visitors, including scripts, their connections, and cookies. It can trigger alert notifications when resources change or are considered malicious.
@@ -30,8 +28,8 @@ Enterprise customers with a paid add-on can create [policies](/page-shield/polic
 When you create policies, Page Shield will generate CSP directives from those policies based on their configuration:
-* Log policies will create CSP directives for the `Content-Security-Policy-Report-Only` HTTP header.
-* Allow policies will create CSP directives for the `Content-Security-Policy` HTTP header.
+- Log policies will create CSP directives for the `Content-Security-Policy-Report-Only` HTTP header.
+- Allow policies will create CSP directives for the `Content-Security-Policy` HTTP header.
 For more information, refer to [Policies](/page-shield/policies/).
diff --git a/src/content/docs/page-shield/policies/create-dashboard.mdx b/src/content/docs/page-shield/policies/create-dashboard.mdx
index c1b7072b67c4cab..c0f54455ca9fc77 100644
--- a/src/content/docs/page-shield/policies/create-dashboard.mdx
+++ b/src/content/docs/page-shield/policies/create-dashboard.mdx
@@ -1,13 +1,10 @@
 ---
+title: Create a policy in the dashboard
 pcx_content_type: how-to
-title: Create in the dashboard
 sidebar:
 order: 2
-head:
- - tag: title
- content: Create a policy in the dashboard
+ label: Create in the dashboard
 description: Learn how to create a Page Shield policy in the Cloudflare dashboard.
-
 ---
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and domain.
@@ -21,17 +18,18 @@ description: Learn how to create a Page Shield policy in the Cloudflare dashboar
 5. Under **If incoming requests match**, define the policy scope. You can use the Expression Builder (specifying one or more values for **Field**, **Operator**, and **Value**) or manually enter an expression using the Expression Editor. For more information, refer to [Edit expressions in the dashboard](/ruleset-engine/rules-language/expressions/edit-expressions/).
 6. Under **Allow these directives**, select the desired [CSP directives](/page-shield/policies/csp-directives/) for the policy by enabling one or more checkboxes.
- * To manually enter an allowed source, select **Add source**.
- * To refresh the displayed sources based on Page Shield's detected resources, select **Refresh suggestions**.
+
+ - To manually enter an allowed source, select **Add source**.
+ - To refresh the displayed sources based on Page Shield's detected resources, select **Refresh suggestions**.
 :::note
- Page Shield provides suggestions for **Default**, **Scripts**, and **Connections** directives. For the **Default** directive, suggestions are based on monitored scripts and connections resources.
+ Page Shield provides suggestions for **Default**, **Scripts**, and **Connections** directives. For the **Default** directive, suggestions are based on monitored scripts and connections resources.
 :::
 7. Under **Then take action**, select the desired action:
- * *Allow*: Enforces the CSP directives configured in the policy, blocking any other resources from being loaded on your website, and logging any [policy violations](/page-shield/policies/violations/).
- * *Log*: Logs any policy violations without blocking any resources not covered by the policy.
+ - _Allow_: Enforces the CSP directives configured in the policy, blocking any other resources from being loaded on your website, and logging any [policy violations](/page-shield/policies/violations/).
+ - _Log_: Logs any policy violations without blocking any resources not covered by the policy.
 8. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.
diff --git a/src/content/docs/page-shield/policies/index.mdx b/src/content/docs/page-shield/policies/index.mdx
index 5c58fa92d3cfa3e..68f8ba6c0c542ab 100644
--- a/src/content/docs/page-shield/policies/index.mdx
+++ b/src/content/docs/page-shield/policies/index.mdx
@@ -3,19 +3,14 @@ title: Policies
 pcx_content_type: concept
 sidebar:
 order: 5
-head:
- - tag: title
- content: Policies
 description: Use Page Shield policies to define the resources (scripts) allowed on your applications.
-
 ---
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip } from "~/components";
 :::note
-
-Only available to Enterprise customers with a paid add-on.
+Only available to Enterprise customers with a paid add-on.
 :::
 Policies define the resources allowed on your applications through Content Security Policy (CSP) directives. Policies can log violations and also enforce an allowlist of resources, effectively blocking resources not included in the policies.
@@ -28,8 +23,8 @@ A policy can control both resources monitored by Page Shield, such as scripts an
 A policy can perform one of the following actions:
-* **Log**: Page Shield will log any resources not covered by the policy, without blocking any resources. Use this action to validate a new policy before deploying it. Resources not covered by the policy will be reported as [policy violations](/page-shield/policies/violations/).
-* **Allow**: Page Shield will block any resources not explicitly allowed by the policy. Switch to the *Allow* action after validating a new policy with the *Log* action, so that your policy does not block essential application resources, which would affect your application's end users. Policies with the *Allow* action will log [policy violations](/page-shield/policies/violations/) for any blocked resources.
+- **Log**: Page Shield will log any resources not covered by the policy, without blocking any resources. Use this action to validate a new policy before deploying it. Resources not covered by the policy will be reported as [policy violations](/page-shield/policies/violations/).
+- **Allow**: Page Shield will block any resources not explicitly allowed by the policy. Switch to the _Allow_ action after validating a new policy with the _Log_ action, so that your policy does not block essential application resources, which would affect your application's end users. Policies with the _Allow_ action will log [policy violations](/page-shield/policies/violations/) for any blocked resources.
 For details on the CSP directives Page Shield creates for each type of policy action, refer to [How Page Shield works](/page-shield/how-it-works/#positive-security-model-using-policies). For more information on the CSP directives supported by Page Shield policies, refer to [Supported CSP directives](/page-shield/policies/csp-directives/).
@@ -37,5 +32,5 @@ For details on the CSP directives Page Shield creates for each type of policy ac
 Refer to the following pages for instructions on creating a policy in Page Shield:
-* [Create a policy in the dashboard](/page-shield/policies/create-dashboard/)
-* [Page Shield API: Create a policy](/page-shield/reference/page-shield-api/#create-a-policy)
+- [Create a policy in the dashboard](/page-shield/policies/create-dashboard/)
+- [Page Shield API: Create a policy](/page-shield/reference/page-shield-api/#create-a-policy)
diff --git a/src/content/docs/page-shield/reference/alerts.mdx b/src/content/docs/page-shield/reference/alerts.mdx
index bd0fa78ae97b9a7..4813c9c2e2a9606 100644
--- a/src/content/docs/page-shield/reference/alerts.mdx
+++ b/src/content/docs/page-shield/reference/alerts.mdx
@@ -1,28 +1,46 @@
 ---
-title: Alerts
+title: Page Shield alerts
 pcx_content_type: reference
 sidebar:
 order: 3
-head:
- - tag: title
- content: Page Shield alerts
-
+ label: Alerts
 ---
-import { AvailableNotifications } from "~/components"
+import { AvailableNotifications } from "~/components";
 You can configure alerts for resources detected in your domain. Refer to [Configure Page Shield alerts](/page-shield/detection/configure-alerts/) for instructions.
 ## New resource alerts
-
+
 ## Code change alert
-
+
 ## Malicious resource alerts
-
-
-Malicious resource alerts will only include resources with an *Active* status. Refer to [Script and connection statuses](/page-shield/reference/script-statuses/) for more information.
+
+
+Malicious resource alerts will only include resources with an _Active_ status. Refer to [Script and connection statuses](/page-shield/reference/script-statuses/) for more information.
diff --git a/src/content/docs/page-shield/reference/pci-dss.mdx b/src/content/docs/page-shield/reference/pci-dss.mdx
index d8853ce99dd24f6..dc112f792cc8b1c 100644
--- a/src/content/docs/page-shield/reference/pci-dss.mdx
+++ b/src/content/docs/page-shield/reference/pci-dss.mdx
@@ -1,11 +1,9 @@ --- -title: PCI DSS compliance +title: Page Shield and PCI DSS compliance pcx_content_type: reference sidebar: order: 4 -head: - - tag: title - content: Page Shield and PCI DSS compliance + label: PCI DSS compliance --- You can use Page Shield for PCI DSS v4's client-side security requirements (items 6.4.3 and 11.6.1).
From 29a4ce44d204cdb96d3e35edd6b287ae73d13c53 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Mon, 28 Oct 2024 14:19:36 +0000
Subject: [PATCH 020/273] [Rules] Update Redirect admin area reqs to HTTPS example (#17814) Fix target URL.
---
 .../docs/rules/url-forwarding/examples/redirect-admin-https.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/rules/url-forwarding/examples/redirect-admin-https.mdx b/src/content/docs/rules/url-forwarding/examples/redirect-admin-https.mdx
index 766d126320236d2..8a668fd0d0e02c8 100644
--- a/src/content/docs/rules/url-forwarding/examples/redirect-admin-https.mdx
+++ b/src/content/docs/rules/url-forwarding/examples/redirect-admin-https.mdx
@@ -23,7 +23,7 @@ This example single redirect for zone `example.com` will redirect requests for t **Then**
-- **Target URL**: `https://store.example.com/${1}`
+- **Target URL**: `https://store.example.com/admin${1}`
 - **Status code:** _301_
 - **Preserve query string:** Enabled
From bebc09b4ea0f957d13a76526a6ef6bafaf0a43a9 Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Mon, 28 Oct 2024 10:30:35 -0400
Subject: [PATCH 021/273] abe's feedback (#17793)
---
 .../connect-networks/private-net/warp-connector/index.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
index 424d1780a40c33c..17673ea20fa5f82 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
@@ -28,7 +28,7 @@ import { Render, Details} from "~/components";
-Cloudflare WARP Connector is a piece of software [^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to:
+Cloudflare WARP Connector is a software client[^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 proxy between a private network and Cloudflare, allowing you to:
 - Connect two or more private networks to each other.
 - Connect IoT devices that cannot run external software, such as printers and IP phones.
@@ -37,7 +37,7 @@ Cloudflare WARP Connector is a piece of software [^1] that enables site-to-site, ![Two subnets connected with WARP Connector](~/assets/images/cloudflare-one/connections/connect-apps/warp-connector/overview.png)
-As shown in the diagram, WARP Connector acts as a router for a subnet within the private network to on-ramp and off-ramp traffic through Cloudflare. All devices on the subnet can access any services connected to Cloudflare, and all devices connected to Cloudflare can access any services on the subnet. Each subnet runs a WARP Connector on a designated Linux machine (typically the default gateway router), but other devices on the network do not need to install software.
+As shown in the diagram, WARP Connector acts as a router for a subnet within the private network to on-ramp and off-ramp traffic through Cloudflare. All devices on the subnet can access any services connected to Cloudflare, and all devices connected to Cloudflare can access any services on the subnet. Each subnet runs a WARP Connector on a designated Linux machine (typically the [default gateway router](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet/#3-route-traffic-from-subnet-to-warp-connector)), but other devices on the network do not need to install software.
 To set up WARP Connector, refer to the guide for your use case:
From 2367bfd3980644035c35bc21ccb058580c30d83d Mon Sep 17 00:00:00 2001
From: Taylor Smith
Date: Mon, 28 Oct 2024 09:31:04 -0500
Subject: [PATCH 022/273] Tsmith/stream 20240920 (#17817) * [Stream] Typo * [Stream] Stream doesn't bill R2
---
 src/content/docs/stream/pricing.mdx | 2 +-
 src/content/docs/stream/stream-live/start-stream-live.mdx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/stream/pricing.mdx b/src/content/docs/stream/pricing.mdx
index abd9d82853e8c58..05acead15f08873 100644
--- a/src/content/docs/stream/pricing.mdx
+++ b/src/content/docs/stream/pricing.mdx
@@ -31,7 +31,7 @@ Storage is not consumed by: - Deleted videos - Downloadable files generated for [MP4 Downloads](/stream/viewing-videos/download-videos/)
-Storage consumption is rounded up to the second of video duration. File size does not matter.
+Storage consumption is rounded up to the second of video duration. File size does not matter. Video stored in Stream does not incur additional storage fees from other storage products like R2.
 **If you run out of storage**, you will not be able to upload new videos or start new live streams until you purchase more storage or delete videos.
diff --git a/src/content/docs/stream/stream-live/start-stream-live.mdx b/src/content/docs/stream/stream-live/start-stream-live.mdx
index b48dbec13ca6b34..3aa8068bb04358c 100644
--- a/src/content/docs/stream/stream-live/start-stream-live.mdx
+++ b/src/content/docs/stream/stream-live/start-stream-live.mdx
@@ -85,7 +85,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/live_inputs - The `timeoutSeconds` property specifies how long a live feed can be disconnected before it results in a new video being created.
-The following four properties are nested under the `recoring` object.
+The following four properties are nested under the `recording` object.
 - `mode` string default: `off`
From c8dfdfee7c9e4ee5594c44e9c5c8f10ba79a1e03 Mon Sep 17 00:00:00 2001
From: nenizera
Date: Mon, 28 Oct 2024 11:40:16 -0300
Subject: [PATCH 023/273] [R2] Update index.mdx (#17801)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Hello team, Per the way we use this word in the docs. “datasets”
---
 src/content/docs/r2/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/r2/index.mdx b/src/content/docs/r2/index.mdx
index c644ece9a8b72f2..fbbd70e7d36c26c 100644
--- a/src/content/docs/r2/index.mdx
+++ b/src/content/docs/r2/index.mdx
@@ -28,7 +28,7 @@ You can use R2 for multiple scenarios, including but not limited to: * Cloud storage for web content * Storage for podcast episodes * Data lakes (analytics and big data)
-* Cloud storage output for large batch processes, such as machine learning model artifacts or data sets
+* Cloud storage output for large batch processes, such as machine learning model artifacts or datasets
 Get started Browse the examples
From 9776d2e7221e9278cf62d1ed117779958eb1f806 Mon Sep 17 00:00:00 2001
From: Kathy <153706637+kathayl@users.noreply.github.com>
Date: Mon, 28 Oct 2024 08:04:52 -0700
Subject: [PATCH 024/273] Update index.mdx (#17440) for learning more about plan limits, changed link from Pricing page to Limits page
---
 src/content/docs/ai-gateway/observability/logging/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/ai-gateway/observability/logging/index.mdx b/src/content/docs/ai-gateway/observability/logging/index.mdx
index 543a5f29cffa6d1..31a3707bb236662 100644
--- a/src/content/docs/ai-gateway/observability/logging/index.mdx
+++ b/src/content/docs/ai-gateway/observability/logging/index.mdx
@@ -14,7 +14,7 @@ Your AI Gateway dashboard shows logs of individual requests, including the user You can store up to 10 million logs per gateway. If your limit is reached, new logs will stop being saved. To continue saving logs, you must delete older logs to free up space for new logs.
-To learn more about your plan limits, refer to [Pricing](/ai-gateway/reference/pricing/).
+To learn more about your plan limits, refer to [Limits](/ai-gateway/reference/limits/).
 ## Default configuration
From ccbe38b6da6ba62d080fae5dba03d65b70618228 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 15:22:12 +0000 Subject: [PATCH 025/273] [Docs Site] Bump @types/node from 22.7.8 to 22.8.0 (#17797) Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.7.8 to 22.8.0. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 10 +++++----- package.json | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index db52de2fc938a95..c6678413085b0e2 100644 --- a/package-lock.json +++ b/package-lock.json @@ -24,7 +24,7 @@ "@stoplight/json-schema-tree": "^4.0.0", "@types/dompurify": "^3.0.5", "@types/he": "^1.2.3", - "@types/node": "^22.7.8", + "@types/node": "^22.8.0", "@types/react": "^18.3.12", "@types/react-dom": "^18.3.1", "algoliasearch": "^5.10.2", @@ -4234,12 +4234,12 @@ } }, "node_modules/@types/node": { - "version": "22.7.8", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.7.8.tgz", - "integrity": "sha512-a922jJy31vqR5sk+kAdIENJjHblqcZ4RmERviFsER4WJcEONqxKcjNOlk0q7OUfrF5sddT+vng070cdfMlrPLg==", + "version": "22.8.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.8.0.tgz", + "integrity": "sha512-84rafSBHC/z1i1E3p0cJwKA+CfYDNSXX9WSZBRopjIzLET8oNt6ht2tei4C7izwDeEiLLfdeSVBv1egOH916hg==", "dev": true, "dependencies": { - "undici-types": "~6.19.2" + "undici-types": "~6.19.8" } }, "node_modules/@types/node-forge": { diff --git a/package.json b/package.json index 1e680b999be6d9f..59ffdfc9f58baf7 100644 --- a/package.json +++ b/package.json 
@@ -36,7 +36,7 @@
 "@stoplight/json-schema-tree": "^4.0.0",
 "@types/dompurify": "^3.0.5",
 "@types/he": "^1.2.3",
- "@types/node": "^22.7.8",
+ "@types/node": "^22.8.0",
 "@types/react": "^18.3.12",
 "@types/react-dom": "^18.3.1",
 "algoliasearch": "^5.10.2",
From 047013361357c83b5af538ea8f0c3340bda5f622 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 28 Oct 2024 15:24:57 +0000
Subject: [PATCH 026/273] [Docs Site] Bump instantsearch.js from 4.75.2 to 4.75.3 (#17796) Bumps [instantsearch.js](https://github.com/algolia/instantsearch) from 4.75.2 to 4.75.3. - [Release notes](https://github.com/algolia/instantsearch/releases) - [Commits](https://github.com/algolia/instantsearch/compare/instantsearch.js@4.75.2...instantsearch.js@4.75.3)
---
updated-dependencies: - dependency-name: instantsearch.js dependency-type: direct:development update-type: version-update:semver-patch ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 package-lock.json | 8 ++++----
 package.json | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index c6678413085b0e2..961ea0028f884e6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -41,7 +41,7 @@
 "hastscript": "^9.0.0",
 "he": "^1.2.0",
 "instantsearch.css": "^8.5.1",
- "instantsearch.js": "^4.75.2",
+ "instantsearch.js": "^4.75.3",
 "lz-string": "^1.5.0",
 "marked": "^14.1.3",
 "mermaid": "^11.3.0",
@@ -9262,9 +9262,9 @@
 "license": "MIT"
 },
 "node_modules/instantsearch.js": {
- "version": "4.75.2",
- "resolved": "https://registry.npmjs.org/instantsearch.js/-/instantsearch.js-4.75.2.tgz",
- "integrity": "sha512-+NER2ZxOzDcoM6/ujUpw5XBPXINJ59K7vH+hRCQQhEBBxv1IASzEdMNYKcbXP+nipTOpTPQ5rk6Pt2YWPi+VzA==",
+ "version": "4.75.3",
+ "resolved": "https://registry.npmjs.org/instantsearch.js/-/instantsearch.js-4.75.3.tgz",
+ "integrity": "sha512-WVVWlqR3XDqJjrEt4+kQXudrdxWIhkxzUhwxFnccB/RdsMvVHp+N6bIcVSIMGyRo/rGfGZ5Rki2E++iGwOljtA==",
 "dev": true,
 "dependencies": {
 "@algolia/events": "^4.0.1",
diff --git a/package.json b/package.json
index 59ffdfc9f58baf7..52ead8f9e476bd0 100644
--- a/package.json
+++ b/package.json
@@ -53,7 +53,7 @@
 "hastscript": "^9.0.0",
 "he": "^1.2.0",
 "instantsearch.css": "^8.5.1",
- "instantsearch.js": "^4.75.2",
+ "instantsearch.js": "^4.75.3",
 "lz-string": "^1.5.0",
 "marked": "^14.1.3",
 "mermaid": "^11.3.0",
From bc3c31be8e4ebeed848319ee4216827176d8391f Mon Sep 17 00:00:00 2001
From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com>
Date: Mon, 28 Oct 2024 15:25:30 +0000
Subject: [PATCH 027/273] [Email Security] Remove duplicate titles (#17818)
---
 .../email-security/directories/manage-es-directories.mdx | 2 --
 .../email-security/directories/manage-ms-directories/index.mdx | 2 --
 .../manage-ms-directories/manage-groups-directory.mdx | 2 --
 .../manage-ms-directories/manage-users-directory.mdx | 2 --
 .../email-security/setup/post-delivery-deployment/api/index.mdx | 1 -
 .../insights/email-monitoring/phishing-report.mdx | 2 --
 src/content/docs/cloudflare-one/roles-permissions.mdx | 2 +-
 7 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/src/content/docs/cloudflare-one/email-security/directories/manage-es-directories.mdx b/src/content/docs/cloudflare-one/email-security/directories/manage-es-directories.mdx
index 157e924c6213ef8..f5d70fa61c76ca0 100644
--- a/src/content/docs/cloudflare-one/email-security/directories/manage-es-directories.mdx
+++ b/src/content/docs/cloudflare-one/email-security/directories/manage-es-directories.mdx
@@ -5,8 +5,6 @@ sidebar:
 order: 5
 ---
-# Manage Email Security directories
-
 You can manage your Email Security directory by editing and deleting added users.
 :::note[Registered users]
diff --git a/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/index.mdx b/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/index.mdx
index 1eca78ecdf3acc1..d7d936f368ec454 100644
--- a/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/index.mdx
+++ b/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/index.mdx
@@ -5,8 +5,6 @@ sidebar:
 order: 2
 ---
-# Manage Microsoft directories
-
 To manage a Microsoft directory:
 1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
diff --git a/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/manage-groups-directory.mdx b/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/manage-groups-directory.mdx
index e46b6383afef7d7..ac8f92c27e46cc8 100644
--- a/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/manage-groups-directory.mdx
+++ b/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/manage-groups-directory.mdx
@@ -5,8 +5,6 @@ sidebar:
 order: 3
 ---
-# Manage groups in your directory
-
 Email Security allows you to view and manage your groups directory and their [impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/). When a group is added to the registry, all members are registered by default.
 To manage your group directory, on the **MS directory** page, select **Groups**.
diff --git a/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/manage-users-directory.mdx b/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/manage-users-directory.mdx
index 5b288f30c9b43cf..5ce609a2c14e506 100644
--- a/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/manage-users-directory.mdx
+++ b/src/content/docs/cloudflare-one/email-security/directories/manage-ms-directories/manage-users-directory.mdx
@@ -5,8 +5,6 @@ sidebar:
 order: 4
 ---
-# Manage users in your directory
-
 Email Security allows you to view and manage the [impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/) status of your users directory.
 On the **MS directory** page, select **Users**.
diff --git a/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/api/index.mdx b/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/api/index.mdx
index 3be66e4ebf5b7d1..d1a6da5b27c26b4 100644
--- a/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/api/index.mdx
+++ b/src/content/docs/cloudflare-one/email-security/setup/post-delivery-deployment/api/index.mdx
@@ -17,7 +17,6 @@ When you choose API deployment, you get the following benefits:
 - Easy protection for complex email architectures, without requiring any change to mailflow operations.
 - Agentless deployment for Microsoft 365.
-- The initial email protection measures offered by your current email provider.
 ## Limitations
diff --git a/src/content/docs/cloudflare-one/insights/email-monitoring/phishing-report.mdx b/src/content/docs/cloudflare-one/insights/email-monitoring/phishing-report.mdx
index 3d10c18e46688b6..8becfed6647d5d6 100644
--- a/src/content/docs/cloudflare-one/insights/email-monitoring/phishing-report.mdx
+++ b/src/content/docs/cloudflare-one/insights/email-monitoring/phishing-report.mdx
@@ -5,8 +5,6 @@ sidebar:
 order: 3
 ---
-# Phishing report
-
 Email Security allows you to generate a Phishing Risk Assessment Report (PRA) to provide an overview of your email traffic.
 To generate a phishing risk assessment report:
diff --git a/src/content/docs/cloudflare-one/roles-permissions.mdx b/src/content/docs/cloudflare-one/roles-permissions.mdx
index a14fd6f828f8d3c..ace1c4c58e0e1c4 100644
--- a/src/content/docs/cloudflare-one/roles-permissions.mdx
+++ b/src/content/docs/cloudflare-one/roles-permissions.mdx
@@ -73,4 +73,4 @@ Mail trace allows you to track the path your selected message took from the send
 - **Date**: The date and time when the mail was tracked.
 - **Type**: An email can be inbound (email sent to you from another email), or outbound (emails sent from your email address).
-- **Activity**: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more.
+- **Activity**: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more.
\ No newline at end of file
From 8442870c2572f94da11b1c538847789ea2f46e9d Mon Sep 17 00:00:00 2001
From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com>
Date: Mon, 28 Oct 2024 08:35:28 -0700
Subject: [PATCH 028/273] [API Shield] Update JWT Validation fields (#17728) * update JWTV fields * edits * remove fields * dynamic fields * spacing * feedback updates
---
 .../jwt-validation/transform-rules.mdx | 27 +-------
 .../rules-language/fields/dynamic-fields.mdx | 64 +++++++++++++++++++
 .../partials/api-shield/jwt-claims.mdx | 6 ++
 3 files changed, 71 insertions(+), 26 deletions(-)
 create mode 100644 src/content/partials/api-shield/jwt-claims.mdx
diff --git a/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx b/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
index ba199feaf962e2d..7da05e4ffff6617 100644
--- a/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
+++ b/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
@@ -34,29 +34,4 @@ As an example, to send the header `x-send-jwt-claim-user` request header to the
 4. Enter a rule name and a filter expression, if applicable.
 5. Choose **Set dynamic**.
 6. Set the header name.
-7. Set the value to `lookup_json_string(http.request.jwt.claims[""][0], "claim_name")`, where `` is your token configuration ID found in JWT Validation and `claim_name` is the JWT claim you want to add to the header.
-
-## Available fields
-
-You can create Transform Rules using more claims present in tokens processed by [JWT Validation](/api-shield/security/jwt-validation/).
-
-- `http.request.jwt.claims.aud,`
-- `http.request.jwt.claims.aud.names,`
-- `http.request.jwt.claims.aud.values,`
-- `http.request.jwt.claims.iat.sec,`
-- `http.request.jwt.claims.iat.sec.names,`
-- `http.request.jwt.claims.iat.sec.values,`
-- `http.request.jwt.claims.iss,`
-- `http.request.jwt.claims.iss.names,`
-- `http.request.jwt.claims.iss.values,`
-- `http.request.jwt.claims.jti,`
-- `http.request.jwt.claims.jti.names,`
-- `http.request.jwt.claims.jti.values,`
-- `http.request.jwt.claims.nbf.sec,`
-- `http.request.jwt.claims.nbf.sec.names,`
-- `http.request.jwt.claims.nbf.sec.values,`
-- `http.request.jwt.claims.sub,`
-- `http.request.jwt.claims.sub.names,`
-- `http.request.jwt.claims.sub.values,`
-- `cf.api_gateway.auth_id_present,`
-- `cf.api_gateway.request_violates_schema`
\ No newline at end of file
+7. Set the value to `lookup_json_string(http.request.jwt.claims[""][0], "claim_name")`, where `` is your token configuration ID found in JWT Validation and `claim_name` is the [JWT claim](/ruleset-engine/rules-language/fields/dynamic-fields/#json-web-tokens-validation-claims) you want to add to the header.
\ No newline at end of file
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx
index f6de4da0e8bb858..2c6226261566033 100644
--- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx
@@ -511,3 +511,67 @@ Identifies whether a request comes from a worker or not. When a request comes fr ## Corporate Proxy
+
+## JSON Web Tokens Validation claims
+
+[API Shield](/api-shield/) users can now create [custom rules](/waf/custom-rules/) using claims present in tokens processed by [JSON Web Tokens Validation](/api-shield/security/jwt-validation/).
+
+### `aud` (audience)
+
+`http.request.jwt.claims.aud` `Map>`
+`http.request.jwt.claims.aud.names` `Array`
+`http.request.jwt.claims.aud.values` `Array`
+
+The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value.
+
+
+### `iat` (issued at)
+
+`http.request.jwt.claims.iat.sec` `Map>`
+`http.request.jwt.claims.iat.sec.names` `Array`
+`http.request.jwt.claims.iat.sec.values` `Array`
+
+The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
+
+
+### `iss` (issuer)
+
+`http.request.jwt.claims.iss` `Map>`
+`http.request.jwt.claims.iss.names` `Array`
+`http.request.jwt.claims.iss.values` `Array`
+
+The `iss` (issuer) claim identifies the principal that issued the JWT.
+
+
+### `jti` (JWT ID)
+
+`http.request.jwt.claims.jti` `Map>`
+`http.request.jwt.claims.jti.names` `Array`
+`http.request.jwt.claims.jti.values` `Array`
+
+The `jti` (JWT ID) claim provides a unique identifier for the JWT.
+
+
+### `nbf` (not before)
+
+`http.request.jwt.claims.nbf.sec` `Map>`
+`http.request.jwt.claims.nbf.sec.names` `Array`
+`http.request.jwt.claims.nbf.sec.values` `Array`
+
+The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
+
+
+### `sub` (subject)
+
+`http.request.jwt.claims.sub` `Map>`
+`http.request.jwt.claims.sub.names` `Array`
+`http.request.jwt.claims.sub.values` `Array`
+
+The `sub` (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.
+
+
\ No newline at end of file
diff --git a/src/content/partials/api-shield/jwt-claims.mdx b/src/content/partials/api-shield/jwt-claims.mdx
new file mode 100644
index 000000000000000..42973c501d93d2a
--- /dev/null
+++ b/src/content/partials/api-shield/jwt-claims.mdx
@@ -0,0 +1,6 @@
+---
+{}
+
+---
+
+Refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519 for more information.
From f5acae3775f7a5d3061e426f55d1b6515e4b7e79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com>
Date: Mon, 28 Oct 2024 10:41:58 -0500
Subject: [PATCH 029/273] [Images] Webhooks and saturation parameter (#17742) * Added saturation parameter * Added configure webhooks & added links * Apply suggestions from code review
Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com>
---------
Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com>
---
 .../manage-images/configure-webhooks.mdx | 20 +++++++++++++++++++
 .../transform-images/transform-via-url.mdx | 4 ++++
 .../transform-via-workers.mdx | 4 ++++
 .../upload-images/direct-creator-upload.mdx | 4 +++-
 src/content/partials/images/saturation.mdx | 19 ++++++++++++++++++
 5 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 src/content/docs/images/manage-images/configure-webhooks.mdx
 create mode 100644 src/content/partials/images/saturation.mdx
diff --git a/src/content/docs/images/manage-images/configure-webhooks.mdx b/src/content/docs/images/manage-images/configure-webhooks.mdx
new file mode 100644
index 000000000000000..1a4616260397c87
--- /dev/null
+++ b/src/content/docs/images/manage-images/configure-webhooks.mdx
@@ -0,0 +1,20 @@
+---
+pcx_content_type: how-to
+title: Configure webhooks
+---
+
+You can set up webhooks to receive notifications about your upload workflow. This will send an HTTP POST request to a specified endpoint when an image either successfully uploads or fails to upload.
+
+Currently, webhooks are supported only for [direct creator uploads](/images/upload-images/direct-creator-upload/).
+
+To receive notifications for direct creator uploads:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
+2. Go to **Notifications** > **Destinations**.
+3. From the Webhooks card, select **Create**.
+4. Enter information for your webhook and select **Save and Test**. The new webhook will appear in the **Webhooks** card and can be attached to notifications.
+5. Next, go to **Notifications** > **All Notifications** and select **Add**.
+6. Under the list of products, locate **Images** and select **Select**.
+7. Give your notification a name and optional description.
+8. Under the **Webhooks** field, select the webhook that you recently created.
+9. Select **Save**.
diff --git a/src/content/docs/images/transform-images/transform-via-url.mdx b/src/content/docs/images/transform-images/transform-via-url.mdx
index 9fd35e136aa8d99..9c9d29cd9e5ff03 100644
--- a/src/content/docs/images/transform-images/transform-via-url.mdx
+++ b/src/content/docs/images/transform-images/transform-via-url.mdx
@@ -111,6 +111,10 @@ You must specify at least one option. Options are comma-separated (spaces are no
+### `saturation`
+
+
+
 ### `sharpen`
diff --git a/src/content/docs/images/transform-images/transform-via-workers.mdx b/src/content/docs/images/transform-images/transform-via-workers.mdx
index 1a511e66fb64267..0a15964202b21ce 100644
--- a/src/content/docs/images/transform-images/transform-via-workers.mdx
+++ b/src/content/docs/images/transform-images/transform-via-workers.mdx
@@ -98,6 +98,10 @@ The `fetch()` function accepts parameters in the second argument inside the `{cf
+### `saturation`
+
+
+
 ### `sharpen`
diff --git a/src/content/docs/images/upload-images/direct-creator-upload.mdx b/src/content/docs/images/upload-images/direct-creator-upload.mdx
index fd3dab3564c044f..4f271a7995fb191
--- a/src/content/docs/images/upload-images/direct-creator-upload.mdx
+++ b/src/content/docs/images/upload-images/direct-creator-upload.mdx
@@ -1,6 +1,6 @@
 ---
 pcx_content_type: how-to
-title: Accept direct creator uploads
+title: Direct creator uploads
 sidebar:
 order: 5
@@ -8,6 +8,8 @@ sidebar:
 The Direct Creator Upload feature in Cloudflare Images lets your users upload images with a one-time upload URL without exposing your API key or token to the client. Using a direct creator upload also eliminates the need for an intermediary storage bucket and the storage/egress costs associated with it.
+You can set up [webhooks](/images/manage-images/configure-webhooks/) to receive notifications on your direct creator upload workflow.
+
 ## Request a one-time upload URL
 Make a `POST` request to the `direct_upload` endpoint using the example below as reference.
diff --git a/src/content/partials/images/saturation.mdx b/src/content/partials/images/saturation.mdx
new file mode 100644
index 000000000000000..7d82701e88d65a2
--- /dev/null
+++ b/src/content/partials/images/saturation.mdx
@@ -0,0 +1,19 @@
+---
+{}
+---
+import { Tabs, TabItem } from "~/components"
+
+Increases saturation by a factor. A value of `1.0` equals no change, a value of `0.5` equals half saturation, and a value of `2.0` equals twice as saturated. `0` is ignored. + + + ```js + saturation=0.5 + ``` + + ```js + cf: {image: {saturation: 0.5}} + ``` + + \ No newline at end of file
From 2117cfc29e5ddd17ef8a0b31dcd3140c8b97595d Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Mon, 28 Oct 2024 11:47:57 -0400
Subject: [PATCH 030/273] [ZT] Add DEX log retention period (#17798)
* add DEX log retention period
* update free plan
---
 .../insights/dex/tests/view-results.mdx | 14 ++------------
 .../cloudflare-one/insights/logs/index.mdx | 19 ++++++++++---------
 2 files changed, 12 insertions(+), 21 deletions(-)
diff --git a/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx b/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx
index 3803351db55cb9e..ac48343beadc2ab
--- a/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx
+++ b/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx
@@ -6,7 +6,7 @@ sidebar:
 ---
-You can use the results of a DEX test to monitor availability and performance for a specific application.
+You can use the results of a DEX test to monitor availability and performance for a specific application. DEX will store test results according to our [log retention policy](/cloudflare-one/insights/logs/#log-retention).
 ## Prerequisites
@@ -28,14 +28,4 @@ To view analytics on a per-device level:
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My Team** > **Devices**.
 2. Select the device you want to view, and then select **View details**.
 3. Select the **Tests** tab.
-4. Select a test to view detailed results.
-
-## Data retention
-
-DEX stores test results for the following amount of time:
-
-| Zero Trust plan | Duration |
-| --------------- | -------- |
-| **Free** | 24 hours |
-| **Standard** | 7 days |
-| **Enterprise** | 7 days |
+4. Select a test to view detailed results.
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/insights/logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/index.mdx
index de85827076c03c0..390245ad7e52078
--- a/src/content/docs/cloudflare-one/insights/logs/index.mdx
+++ b/src/content/docs/cloudflare-one/insights/logs/index.mdx
@@ -16,15 +16,16 @@ Review detailed logs for your Zero Trust organization.
 ## Log retention
-Cloudflare Zero Trust logs are stored for a varying period of time based on the service used:
-
-| Zero Trust plan | Admin logs | Access logs | DNS logs | Network logs | HTTP logs |
-| --------------- | ---------- | ----------- | ---------------------------------------------- | ------------ | --------- |
-| **Free** | 24 hours | 24 hours | 24 hours | 24 hours | 24 hours |
-| **Standard** | 30 days | 30 days | 30 days | 30 days | 30 days |
-| **Access** | 30 days | 30 days | 24 hours | 24 hours | 24 hours |
-| **Gateway** | 30 days | 24 hours | 30 days | 30 days | 30 days |
-| **Enterprise** | 180 days | 180 days | 180 days1 | 30 days | 30 days |
+Cloudflare Zero Trust logs are stored for a varying period of time based on the service used and plan type:
+
+| | Free | Standard | Access | Gateway | Enterprise |
+| ----| ------ | ------ | ------ | ------ | -------- |
+| **Admin logs** | 24 hours | 30 days | 30 days | 30 days | 30 days | 180 days |
+| **Access logs** | 24 hours | 30 days | 30 days | 24 hours | 180 days |
+| **DNS logs** | 24 hours | 30 days | 24 hours | 30 days | 180 days1 |
+| **Network logs** | 24 hours | 30 days | 24 hours | 30 days | 30 days |
+| **HTTP logs** | 24 hours | 30 days | 24 hours | 30 days | 30 days |
+| **DEX logs** | 7 days | 7 days | 7 days | 7 days | 7 days |
 1 Enterprise users on per query plans cannot store DNS logs via Cloudflare. You can still export logs via [Logpush](/cloudflare-one/insights/logs/logpush/).
From d4b5607ef79d5067b034e83eb7e4c176b2982099 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Dores?= <147410514+jdorescf@users.noreply.github.com>
Date: Mon, 28 Oct 2024 15:58:58 +0000
Subject: [PATCH 031/273] New Reference Architecture Design Guide - Using a zero trust framework to secure SaaS applications (#17687)
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
Co-authored-by: Simon Thorpe
Co-authored-by: Max Phillips
---
 .../zero-trust-saas-image-01.svg | 178 +++++++++++++
 .../zero-trust-saas-image-02.svg | 100 +++++++
 .../zero-trust-saas-image-03.svg | 167 ++++++++++++
 .../zero-trust-saas-image-04.svg | 130 ++++++++++
 .../zero-trust-saas-image-05.svg | 100 +++++++
 .../zero-trust-saas-image-06.svg | 96 +++++++
 .../zero-trust-saas-image-07.svg | 73 ++++++
 .../zero-trust-saas-image-08.svg | 166 ++++++++++++
 .../zero-trust-saas-image-09.svg | 120 +++++++++
 .../zero-trust-saas-image-10.svg | 104 ++++++++
 .../zero-trust-saas-image-11.svg | 70 +++++
 .../design-guides/zero-trust-for-saas.mdx | 244 ++++++++++++++++++
 12 files changed, 1548 insertions(+)
 create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-01.svg
 create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-02.svg
 create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-03.svg
 create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-04.svg
 create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-05.svg
 create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-06.svg
 create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-07.svg
 create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-08.svg
 create mode 100644 
src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-09.svg create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-10.svg create mode 100644 src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-11.svg create mode 100644 src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-01.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-01.svg new file mode 100644 index 000000000000000..2142e0f7c212e43 --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-01.svg @@ -0,0 +1,178 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-02.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-02.svg new file mode 100644 index 000000000000000..647ec1f4d3a6896 --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-02.svg @@ -0,0 +1,100 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-03.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-03.svg new file mode 100644 index 000000000000000..50ff3f0f2c997e7 --- /dev/null 
+++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-03.svg @@ -0,0 +1,167 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-04.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-04.svg new file mode 100644 index 000000000000000..77deaf0cfd382d5 --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-04.svg @@ -0,0 +1,130 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-05.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-05.svg new file mode 100644 index 000000000000000..e3156663a7ca761 --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-05.svg @@ -0,0 +1,100 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-06.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-06.svg new file mode 100644 index 000000000000000..8fdec91d21b79b3 --- /dev/null 
+++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-06.svg @@ -0,0 +1,96 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-07.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-07.svg new file mode 100644 index 000000000000000..76fa25cb684f61e --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-07.svg @@ -0,0 +1,73 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-08.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-08.svg new file mode 100644 index 000000000000000..ff9aa4ca007cffd --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-08.svg @@ -0,0 +1,166 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-09.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-09.svg new file mode 100644 index 000000000000000..584781558ac0aa9 --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-09.svg 
@@ -0,0 +1,120 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-10.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-10.svg new file mode 100644 index 000000000000000..c121843ab5b8384 --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-10.svg @@ -0,0 +1,104 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-11.svg b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-11.svg new file mode 100644 index 000000000000000..7b93ed81ac1f9e0 --- /dev/null +++ b/src/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-11.svg @@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx new file mode 100644 index 000000000000000..15163e073fde0b7 --- /dev/null +++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx 
@@ -0,0 +1,244 @@ +--- +title: Using a zero trust framework to secure SaaS applications +pcx_content_type: design-guide +products: + - Cloudflare One + - Cloudflare Access + - Cloudflare Gateway + - Data Loss Prevention + - Cloud Access Security Broker + - Remote Browser Isolation + - Cloud Email Security + - Magic WAN +weight: null +sidebar: + order: 1 + label: Zero Trust for SaaS applications +updated: 2024-10-22 +--- + +## Introduction + +SaaS applications have become crucial in today's business landscape, particularly with the rise of hybrid workforces. As organizations adopt flexible working models, the ability of SaaS apps to provide seamless, global access is essential for maintaining productivity and fostering collaboration across distributed teams. + +SaaS applications significantly reduce the burden on IT teams by eliminating the need to manage the underlying infrastructure. By entrusting these responsibilities to the SaaS provider, organizations no longer need to worry about hardware and software lifecycle management or scalability challenges. Furthermore, the subscription-based model of SaaS applications lowers adoption barriers by minimizing upfront costs and ultimately offer a lower Total Cost of Ownership (TCO) compared to legacy applications. + +Along with these advantages, SaaS applications introduce new challenges and security risks. Their Internet accessibility requires greater focus on the security of users and devices to prevent unauthorized access and data leaks. User provisioning (onboarding/offboarding), appropriate access controls and control/visibility into device security is essential to ensure only authorized users on trusted devices access company applications. Moreover, IT teams must monitor SaaS applications for misconfiguration and gain visibility into risky user activity. 
Employees might publicly share files that contain sensitive information or integrate managed SaaS applications with unauthorized third-party apps, all without the IT team's knowledge. + +The ease with which users can sign up for new SaaS services, particularly free and popular ones, often leaves IT teams unaware of all the applications employees use -- a trend known as [shadow IT](https://www.cloudflare.com/en-gb/learning/access-management/what-is-shadow-it/). These unmanaged SaaS applications can be misused by employees, either intentionally or accidentally, potentially leading to data leaks due to the upload of sensitive data into applications that are not under the control of the IT team. + +Trying to use a [traditional castle-and-moat security model](https://www.cloudflare.com/en-gb/learning/access-management/castle-and-moat-network-security/) is unsuitable for SaaS applications, as the services and their data are no longer confined to on-premises data centers within an enterprise network. This outdated approach forces a trade-off between security and performance: + +- One strategy organizations adopt to enhance security involves shielding SaaS applications from the broader Internet by implementing IP allow lists and routing traffic through the organization's data center where traffic can be inspected and filtered according to security policy. However, this method negatively impacts the user experience, leading to increased latency and reduced bandwidth when routing all traffic through a single data center. +- Conversely, if user traffic is sent directly to the Internet, bypassing a local VPN client by using split tunneling, security and visibility are compromised as enterprise network controls are bypassed (and IP allow lists are no longer feasible). 
+ +![Figure 1: Two different routes to a SaaS application, one secure but low performance, the second fast but less security.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-01.svg "Figure 1: Two different routes to a SaaS application, one secure but low performance, the second fast but less security.") + +This is where a [SASE (Secure Access Service Edge) architecture implementing a Zero Trust framework](/reference-architecture/architectures/sase/) becomes essential. By centralizing security in a global cloud network, the trade-off between security and performance is eliminated. User traffic no longer needs to be routed through a single remote data center for security. With Cloudflare user traffic is routed into our services at the nearest data center – out of hundreds – where it will undergo the necessary security controls. These security controls are implemented in a single-pass architecture to avoid adding unnecessary latency and are applied consistently across the entire Cloudflare network. + +![Figure 2: SASE solutions ensure user traffic is secured and filtered close to the user.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-02.svg "Figure 2: SASE solutions ensure user traffic is secured and filtered close to the user.") + +This design guide will focus on how Cloudflare's SASE architecture can more effectively and efficiently secure user access to, and the data within SaaS applications. For a broader understanding of how Cloudflare can be used for an organization's zero trust initiatives, please read our [SASE reference architecture](/reference-architecture/architectures/sase/). + +### Who is this document for and what will you learn? + +This guide is designed for IT and security professionals seeking to safely adopt and deploy SaaS applications within their organization while maintaining a positive user experience. 
It assumes familiarity with concepts such as identity providers (IdPs), user directories, single sign-on (SSO), and data loss prevention (DLP) technologies. + +What you will learn: + +- How to secure access to managed SaaS applications and protect their data +- Key considerations when using cloud email solutions +- How to get visibility of and regain control over unmanaged SaaS applications + +This guide assumes you have an Enterprise contract with Cloudflare that includes: + +- Cloudflare Zero Trust licenses for the number of users you plan to onboard +- Cloudflare Cloud Email Security licenses for the number of users whose cloud inbox emails will be filtered + +:::note[Free and PayGo capabilities] +A lot of the capabilities described in this document [are also available in our free and Pay-as-you-go plans](https://www.cloudflare.com/en-gb/plans/zero-trust-services/). +::: + +Recommended resources for a stronger understanding of Cloudflare: + +- What is Cloudflare? | [Website](https://www.cloudflare.com/what-is-cloudflare/) (five-minute read) or [video](https://www.youtube.com/watch?v=XHvmX3FhTwU) (two minutes) +- Blog: [Zero Trust, SASE, and SSE: Foundational Concepts for Your Next-Generation Network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14-minute read) +- Reference Architecture: [Evolving to a SASE Architecture with Cloudflare](/reference-architecture/architectures/sase/) (three-hour read) + +## Securing managed SaaS applications + +Managed SaaS applications are those procured and approved by IT, forming part of the official suite of tools employees use to perform their tasks. IT typically manages these applications and are responsible for: + +1. **Securing access:** Ensuring only authorized users and devices can access SaaS applications. This includes managing the onboarding and offboarding of users. 
For instance, if an employee leaves the organization, their access is automatically revoked. Typically this involves integrating the SaaS application with the company identity management solution. +2. **Data protection:** Preventing data leaks from within the SaaS application and proactively mitigating risky behaviors by users that may result in data breaches. +3. **Monitor configuration:** Identifying and promptly correcting misconfigurations within the SaaS application to ensure they operate securely and efficiently. +4. **Cloud email security:** IT teams should take special care when dealing with cloud email SaaS solutions. Since email is a primary target for attacks, a specialized approach is required to protect users from phishing and other email-based threats. + +Note a section later in this document will cover how to gain visibility into, and control over, unmanaged applications. For example where your marketing department decides to sign up and start using a new CRM system without engaging IT or security departments. + +### Securing access + +#### Using SaaS IP allow lists + +One simple method for securing access to SaaS applications, is to only allow access from a specific set of IP addresses. This forces users to have to connect to, and have their traffic exit from a specific network and therefore ensure whatever access controls are in place on that network are applied to that traffic. + +Organizations that already use IP allow lists to secure access to SaaS applications can easily migrate to Cloudflare using [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). User traffic egresses from Cloudflare to the Internet and onto the SaaS application, sourced from a set of IP addresses unique to the organization. 
This approach supports various ways in which users access Cloudflare before gaining access to the SaaS application: + +- **Hybrid employees:** Connecting to Cloudflare using our Zero Trust client, [WARP](/cloudflare-one/connections/connect-devices/warp/). +- **Office-based users:** Connecting to a local network which routes Internet bound traffic to Cloudflare through GRE or IPsec [Magic WAN tunnels](/magic-wan/). +- **Contractors and external users:** Accessing SaaS applications through a [remote browser](/learning-paths/zero-trust-web-access/alternative-onramps/clientless-rbi/) hosted in a Cloudflare data center. + +Organizations add the new dedicated egress IPs to the existing SaaS IP allow lists for the Cloudflare sourced traffic to be allowed into the SaaS application. This way, organizations can maintain legacy connectivity methods in parallel with Cloudflare and migrate users gradually. Once all users are migrated to access with Cloudflare, the SaaS IP allow lists can be updated by removing the IPs corresponding to legacy infrastructure. + +There are several advantages to using Cloudflare's dedicated egress IPs when compared with using IPs from on-prem infrastructure: + +- [Dedicated egress IPs can be geolocated](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#ip-geolocation) to one or more Cloudflare data centers in a geography of your choosing, instead of being restricted to the geographic locations of your existing Internet breakout data centers. +- Users will always connect to Cloudflare [through the closest Cloudflare Data Center and Cloudflare will optimize the path towards the SaaS application](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#egress-location). +- Dedicated egress IPs are assigned to user traffic using policies that follow zero trust principles. 
[Egress policies](/cloudflare-one/policies/gateway/egress-policies/) can be defined that will only assign a dedicated egress IP to a user if they belong to the correct IdP group and/or pass [device posture](/cloudflare-one/identity/devices/) checks. Otherwise, traffic will be sourced from Cloudflare's public IP range, which may not be part of the SaaS IP allowlist, preventing access to the SaaS application while still allowing Internet usage. +- Dedicated egress IPs imply that traffic needs to flow through Cloudflare before reaching the SaaS application. This makes it easy to add secure web gateway policies to protect data in the SaaS applications once users have authenticated. + +![Figure 3: Enforce only traffic that has been secured by Cloudflare is accepted by the SaaS application.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-03.svg "Figure 3: Enforce only traffic that has been secured by Cloudflare is accepted by the SaaS application.") + +#### Using Cloudflare as an identity proxy + +With Cloudflare, [Zero Trust Network Access (ZTNA)](https://www.cloudflare.com/en-gb/learning/access-management/what-is-ztna/) can be applied to managed SaaS applications. In this scenario, Cloudflare acts as the [Single Sign-On (SSO)](https://www.cloudflare.com/en-gb/learning/access-management/what-is-sso/) service for an application, proxying user authentication requests to the organization's existing identity providers (IdPs). This allows for additional restrictions to be layered on before granting access, such as requiring [multi-factor authentication](https://www.cloudflare.com/en-gb/learning/access-management/what-is-multi-factor-authentication/), implementing [device posture checks](/cloudflare-one/identity/devices/), or [evaluating the country](/cloudflare-one/policies/access/#selectors) the request is coming from. 
+ +![Figure 4: Cloudflare can act as an identity proxy, providing a consistent authentication experience for all SaaS applications.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-04.svg "Figure 4: Cloudflare can act as an identity proxy, providing a consistent authentication experience for all SaaS applications.") + +Most organizations initially use Cloudflare's [ZTNA service](/cloudflare-one/policies/access/) for self-hosted applications. Extending it to SaaS applications simplifies IT management in several ways, as both self-hosted and SaaS apps will: + +- Use the same access policies +- Leverage the same IdP and device posture integrations +- Consistently audit access requests + +IT teams will also benefit from a consistent and automated process for onboarding and offboarding users from applications. Since all access policies leverage authentication from existing IdPs, changes in a user's status will automatically affect the outcome of access requests for both self hosted applications as well as SaaS. + +Consider a scenario where a user moves to a different group or team within an organization. As soon as the user group information is updated on the IdP, Cloudflare's ZTNA policies will dynamically enforce these changes, ensuring that the user's access to the SaaS applications is immediately adjusted based on their new role. This also helps in SaaS applications' license optimization. For example, if an employee is transferred from the sales team, which uses Salesforce, to a team that does not require access to Salesforce, the ZTNA policies will revoke their access to the application. This automated process helps in reclaiming the license that was previously assigned to the user, ensuring that only those who actually need the application have access to it. + +Finally, SaaS applications are accessible over the Internet, allowing any device to access them if a user authenticates successfully. 
However, with Cloudflare's ZTNA service, IT teams can ensure that only managed devices access a SaaS application by enforcing device posture checks, in addition to identity checks. A common use case is [verifying the presence of an IT-deployed device certificate](/cloudflare-one/identity/devices/warp-client-checks/client-certificate/#client-certificate) before granting application access. + +#### Deployment guidelines + +For SaaS applications that do not support SSO or organizations that are already implementing IP allow lists to secure access to SaaS applications, implementing dedicated egress IPs is the most straightforward approach to enhance access security to SaaS applications, without impacting the user experience. + +Organizations that would like to simplify their onboarding/offboarding of users to applications and standardize ZTNA policies should consider implementing Cloudflare's ZTNA solution for both self-hosted and SaaS applications. In such scenarios, it might still be relevant to consider dedicated egress IPs for a subset of critical SaaS applications. As egress policies operate at the network and transport layers, their enforcement is almost real-time. [For example](/cloudflare-one/tutorials/m365-dedicated-egress-ips/#protect-access-to-microsoft-365-with-dedicated-egress-ips), consider an egress policy for a specific SaaS application that accounts for posture status from an external endpoint management solution. If a device becomes compromised and its posture status becomes non-compliant, the egress policy will no longer match. This results in the user of that device losing access to the SaaS application, as traffic will no longer be sourced from the dedicated egress IP. + +Finally, organizations that have already integrated all their SaaS applications with an IdP for SSO can still consider adding IP allow lists with dedicated egress IPs for a subset of applications for the same reason as detailed before. 
+ +### Data protection for managed SaaS applications + +While extending ZTNA principles to managed SaaS applications ensures that only the right users and devices can access these applications, it is crucial to address the risk of authorized users leaking data once they have access. + +![Figure 5: Cloudflare can also protect data that's downloaded or uploaded to managed SaaS applications.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-05.svg "Figure 5: Cloudflare can also protect data that's downloaded or uploaded to managed SaaS applications.") + +To mitigate these risks, controls should be implemented for both data in transit and data at rest. + +#### Data in transit + +As mentioned before, all traffic can be forced through Cloudflare using the device agent, Magic WAN (MWAN) tunnels, or the remote browser. This allows [secure web gateway](/cloudflare-one/policies/gateway/) policies to manage and protect data as it is uploaded or downloaded from SaaS applications. Common use cases include: + +- Restricting the ability to download [all](/cloudflare-one/policies/gateway/http-policies/common-policies/#block-google-drive-downloads) or a [subset of files](/cloudflare-one/policies/gateway/http-policies/common-policies/#block-file-types) from managed SaaS applications to specific groups of users within the organization. +- Using [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/#data-loss-prevention) profiles to limit the download of data containing sensitive information from managed SaaS applications. + +For more information about securing data in transit, refer to our [reference architecture center](/reference-architecture/diagrams/security/securing-data-in-transit/). + +#### Data at rest + +Cloudflare's [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/scan-apps/) integrates with [popular SaaS applications](/cloudflare-one/applications/scan-apps/casb-integrations/) through APIs. 
Once integrated, Cloudflare continuously scans these applications for security risks. This enables IT teams to detect incidents of authorized users oversharing data, such as sharing a file publicly on the Internet. For Google Workspace, Microsoft 365, Box, and Dropbox, the API CASB can also utilize DLP profiles to detect the sharing of sensitive data. For more information about securing data at rest, refer to our [reference architecture center](/reference-architecture/diagrams/security/securing-data-at-rest/).
+
+In addition to the previous measures, IT teams should also consider introducing [User Entity and Behavior Analytics (UEBA)](https://www.cloudflare.com/en-gb/learning/security/what-is-ueba/) controls. Cloudflare can assign a [risk score](/cloudflare-one/insights/risk-score/) to users when detecting activities and behaviors that could introduce risks to the organization. These risk behaviors include scenarios where users trigger an unusually high number of DLP policy matches. By implementing these measures, organizations can significantly reduce the risk of data leaks from managed SaaS applications, even by authorized users.
+
+![Figure 6: Cloudflare can secure data traveling over its network, as well as using SaaS application APIs to examine data stored at rest.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-06.svg "Figure 6: Cloudflare can secure data traveling over its network, as well as using SaaS application APIs to examine data stored at rest.")
+
+### Monitor configuration
+
+While this design guide has primarily focused on SaaS application users so far, it is important to note that a significant number of SaaS data leaks today are not caused by user behavior but rather by misconfigurations made by IT teams. When these misconfigurations go unchecked, they expose both the SaaS application and the organization to serious security risks.
+
+You can mitigate these risks using Cloudflare's CASB.
The API CASB continuously scans for and identifies misconfigurations, enabling swift remediation. It can detect issues such as exposed credentials, keys that need rotation, users with disabled two-factor authentication (2FA), unauthorized third-party apps with access to the SaaS application, among others.
+
+### Cloud email security
+
+Phishing attacks and campaigns to spread malware to take over devices and access company data usually focus on email as the channel for attack. The vast majority of companies today have migrated their email from on-premises servers to cloud hosted services. While the built-in security of solutions such as Microsoft 365 and Google Workspace are good, they are unable to keep up with the constant evolution of attack methods. Many organizations therefore deploy advanced email security solutions integrated with existing email platforms.
+
+#### Securing access
+
+As described already, implementing ZTNA to secure your email platform offers numerous benefits. One key advantage is ensuring that email access is restricted to trusted, managed devices, even when using a cloud-based email service. This typically involves using Cloudflare to verify the presence of a [client certificate](/cloudflare-one/identity/devices/warp-client-checks/client-certificate/) and confirm that there are no risks detected by an external endpoint management solution, such as [Crowdstrike](/cloudflare-one/identity/devices/service-providers/crowdstrike/) or [SentinelOne](/cloudflare-one/identity/devices/service-providers/sentinelone/).
+
+#### Tenant control
+
+Organizations with stringent requirements about email communications for compliance or regulatory reasons, operational control or accountability, or to reduce the potential for data leaks can block access to email tenants other than the organization's own. This can be achieved by using [Cloudflare Gateway SaaS tenant controls](/cloudflare-one/policies/gateway/http-policies/tenant-control/).
Cloudflare injects custom HTTP headers into the traffic flow, informing Microsoft 365 and Google Workspace of the specific tenant users are allowed to authenticate into and blocking any access attempts to any other tenant.
+
+![Figure 7: Cloudflare can enforce access to only specific cloud email tenants.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-07.svg "Figure 7: Cloudflare can enforce access to only specific cloud email tenants.")
+
+#### Filtering inbound emails
+
+While SaaS email solutions offer native security capabilities, their popularity makes them high-value targets for attackers who seek to exploit vulnerabilities and limitations in their inbound filtering capabilities. To mitigate this risk, IT teams should consider supplementing the native capabilities of cloud email solutions with specialized solutions for inbound email filtering.
+
+[Cloudflare's Email Security](https://www.cloudflare.com/en-gb/zero-trust/products/email-security/) scans for malicious content or attachments in emails and proactively monitors the Internet for attacker infrastructure and attack delivery mechanisms. It identifies programmatically-created and impersonation domains used to host malicious content as part of planned attacks. This data also helps protect against business and vendor email compromises ([BEC](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/)/[VEC](https://www.cloudflare.com/en-gb/learning/email-security/what-is-vendor-email-compromise/)), which are notoriously difficult to detect due to their lack of payloads and resemblance to legitimate email traffic and a gap for legacy email security platforms.
+
+Integrating Cloudflare into the existing email infrastructure is both flexible and straightforward, with deployment options available in [inline](/email-security/deployment/inline/) and [API](/email-security/deployment/api/) modes.
+
+In an inline deployment, Cloudflare's Email Security will evaluate email messages before they reach a user's inboxes (by pointing the email domain MX record to Cloudflare). This allows Cloudflare to [quarantine messages](/email-security/email-configuration/admin-quarantine/) so they never reach the user's inbox or [tag messages with email headers](/email-security/reference/dispositions-and-attributes/#header-structure) to inform the email provider how emails should be handled (for example, [by redirecting bulk emails directly to the spam folder](/email-security/deployment/inline/setup/office-365-area1-mx/use-cases/one-junk-admin-quarantine/)). Cloudflare can also [modify the subject and body of email messages](/email-security/email-configuration/email-policies/text-addons/) to inform a user to be more cautious about a suspicious email and [rewrite links within emails and even isolate those links behind a remote browser](/email-security/email-configuration/email-policies/link-actions/).
+
+In an API deployment, Cloudflare's Email Security will see the email messages only after they have reached the users' inboxes by setting up Journaling/BCC rules in the email provider or through API scan. Then, through integrations with the email provider, Cloudflare can [retract phishing emails](/email-security/email-configuration/retract-settings/) from users' inboxes. Unlike the inline mode, this deployment method does not support quarantining emails or modifying the email messages. However, it is an easy way to add protection in complex email infrastructures with no changes to the existing mail flow operations.
+
+These modes can be used concurrently to enhance email security. The inline mode ensures that Cloudflare's Email Security scans and filters emails before they reach users' inboxes.
For emails that initially pass through without being flagged as threats, Cloudflare [periodically re-evaluates them](/email-security/email-configuration/retract-settings/office365-retraction/#post-delivery-retractions-for-new-threats). If these emails are later identified as part of a phishing campaign, they are automatically retracted with the API. This proactive approach protects organizations against deferred phishing attacks, where attackers send emails with seemingly benign links that are weaponized after delivery to bypass initial detection.
+
+![Figure 8: Cloudflare can protect email services either inline or by API.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-08.svg "Figure 8: Cloudflare can protect email services either inline or by API.")
+
+#### Ensuring availability
+
+Cloudflare also helps ensure the availability of cloud email services. It auto-scales TCP connections and SMTP traffic to handle message spikes, protecting the organization from email DoS attacks. The service automatically pools and queues messages for extended periods and throttles delivery post-spike according to the downstream email service's capacity. This pooling and queuing capability is beneficial during cloud email service outages.
+
+#### Filtering outbound emails with outbound data loss prevention
+
+Organizations using Microsoft 365 can enhance protection against sensitive information leaks through email by integrating a Cloudflare add-in into their environment. This integration enables IT administrators to establish [outbound Data Loss Prevention (DLP) policies](/cloudflare-one/email-security/outbound-dlp/) that leverage the same DLP profiles used with the Secure Web Gateway (SWG) and API Cloud Access Security Broker (CASB).
+
+Moreover, organizations that utilize [Microsoft Purview Sensitivity Labels](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/) for classifying and safeguarding sensitive documents can incorporate these labels into Cloudflare's DLP profiles. This capability allows the creation of targeted policies, such as blocking emails containing Microsoft Office documents marked as 'Highly Confidential' in Microsoft Outlook from being sent to external recipients. These DLP profiles can also be applied across SWG and API CASB.
+
+## Regain control over unmanaged SaaS applications
+
+Unmanaged SaaS applications are those used by employees without IT's approval or knowledge, commonly referred to as [shadow IT](https://www.cloudflare.com/en-gb/learning/access-management/what-is-shadow-it/). This growing challenge is driven by the proliferation of free or low-cost SaaS applications. While these apps can boost employee satisfaction and productivity, they also pose significant risks, such as:
+
+- **Data breaches:** Employees can upload sensitive data to these applications without any security controls. And without Single Sign-On (SSO) or strong password protocols, the risk of data loss or theft is significantly higher.
+- **Compliance violations:** In regulated industries, the use of unauthorized SaaS tools can lead to non-compliance with legal and industry standards, potentially resulting in fines, legal action, and reputational damage.
+- **Increased costs:** IT typically can often secure favorable pricing by managing SaaS subscription across the business. However, when employees independently purchase subscriptions with personal credit cards, it can lead to unchecked shadow IT spending and higher overall costs for the organization.
+
+To mitigate these risks, the first step is to discover which SaaS applications employees are using.
When all traffic from employee devices is routed through Cloudflare, [reports are generated](/cloudflare-one/insights/analytics/access/#shadow-it-discovery) showing the usage of common SaaS applications.
+
+![Figure 9: When all user traffic bound for the Internet goes through Cloudflare, it allows IT to monitor for unapproved SaaS applications.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-09.svg "Figure 9: When all user traffic bound for the Internet goes via Cloudflare, it allows IT to monitor for unapproved SaaS applications.")
+
+With this information, IT teams can analyze and decide how to handle each unmanaged SaaS application:
+
+- **Allow the application:** If the application presents no risk to the organization, it is deemed acceptable for employee use, and no further action is required.
+- **Allow the application with data protection controls:** If the application is acceptable but poses a data leak risk, appropriate data protection measures should be implemented.
+- **Adopt the application as a managed SaaS application:** If the application is beneficial for the organization, it should be brought under IT management.
+- **Block the application:** If the application is deemed unacceptable, it should be blocked using Cloudflare Gateway DNS and/or HTTP policies.
+
+### Data protection for unmanaged SaaS applications
+
+Data protection for unmanaged SaaS applications is similar to that for managed SaaS applications, but the focus shifts from mitigating the downloading of data to preventing the uploading of sensitive information. Policies can be configured using Cloudflare Gateway to address these risks. Common use cases include:
+
+- Restricting the ability to [upload certain file types](/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies/#block-file-types) to SaaS applications, limiting this capability to specific groups of users within the organization.
+- Using Data Loss Prevention (DLP) profiles to block the upload of data containing sensitive information.
+
+In addition to these measures, [remote browser isolation](/cloudflare-one/policies/browser-isolation/#browser-isolation) can be considered for unmanaged SaaS applications. This approach allows users to access certain unmanaged SaaS applications while [restricting their actions within those applications](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings) to prevent misuse.
+
+![Figure 10: DLP policies can be combined with browser isolation, to protect company data.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-10.svg "Figure 10: DLP policies can be combined with browser isolation, to protect company data.")
+
+### Adopting a new SaaS application
+
+Many SaaS applications offer a free version as part of their business model to encourage users to integrate them into their work. This helps demonstrate the application's usefulness and facilitates its adoption at the corporate level ([Cloudflare follows this model as well](https://www.cloudflare.com/en-gb/plans/zero-trust-services/)). When a previously unmanaged SaaS application is officially adopted by the organization, IT teams take over its management to ensure proper support and adherence to best practices. This involves aligning the new SaaS application with all the aspects discussed in the Securing Managed SaaS Applications section.
+
+After fully adopting the new SaaS application, access to the consumer version may be restricted. If the corporate SaaS version has a unique domain, access to other tenant domains or the consumer domain can be blocked using Cloudflare DNS and/or HTTP policies. Some SaaS solutions offer [native tenant control](/cloudflare-one/policies/gateway/http-policies/tenant-control/) through HTTP headers, which can be enforced by injecting these headers for data in transit using Cloudflare Gateway HTTP policies.
+
+## Summary
+
+This design guide described how organizations can enhance their SaaS application security by implementing a Zero Trust framework within a SASE architecture. With Cloudflare, organizations gain access to a comprehensive solution that addresses the challenges posed by both managed and unmanaged SaaS applications. By using techniques like ZTNA, dedicated egress IPs, CASB, and robust email security measures, organizations can ensure secure access, protect sensitive data, and gain control over shadow IT, all while maintaining a positive user experience. These techniques and when to apply them are summarized in the diagram below:
+
+![Figure 11: Techniques for enforcing a zero trust approach in SaaS applications.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-11.svg "Figure 11: Techniques for enforcing a zero trust approach in SaaS applications.")
+
+## Related resources
+
+- [SASE reference architecture](/reference-architecture/architectures/sase/)
+- [Using Cloudflare SASE with Microsoft](/reference-architecture/architectures/cloudflare-sase-with-microsoft/)
From 7feba46d109866e8d024bb2d33655d860aad4869 Mon Sep 17 00:00:00 2001 From: Alejandro Krumkamp Date: Mon, 28 Oct 2024 16:15:56 +0000 Subject: [PATCH 032/273] PCX-14416 - adding reference architecture diagram (#17805) * PCX-14416 - adding reference architecture 'Ingesting BigQuery Data into Workers AI' * PCX-14416 - removing non-standard quotes
--- .../scheduled-based-architecture.svg | 7656 +++++++++++++++++ .../user-based-architecture.svg | 7474 ++++++++++++++++ .../diagrams/ai/bigquery-workers-ai.mdx | 67 + 3 files changed, 15197 insertions(+) create mode 100644 src/assets/images/reference-architecture/bigquery-workers-ai/scheduled-based-architecture.svg create mode 100644 src/assets/images/reference-architecture/bigquery-workers-ai/user-based-architecture.svg create mode 100644 src/content/docs/reference-architecture/diagrams/ai/bigquery-workers-ai.mdx
diff --git a/src/assets/images/reference-architecture/bigquery-workers-ai/scheduled-based-architecture.svg b/src/assets/images/reference-architecture/bigquery-workers-ai/scheduled-based-architecture.svg
new file mode 100644
index 000000000000000..c116be1fdbc8734
--- /dev/null
+++ b/src/assets/images/reference-architecture/bigquery-workers-ai/scheduled-based-architecture.svg
diff --git a/src/assets/images/reference-architecture/bigquery-workers-ai/user-based-architecture.svg b/src/assets/images/reference-architecture/bigquery-workers-ai/user-based-architecture.svg
new file mode 100644
index 000000000000000..c4a66ee039ac810
--- /dev/null
+++ b/src/assets/images/reference-architecture/bigquery-workers-ai/user-based-architecture.svg
diff --git a/src/content/docs/reference-architecture/diagrams/ai/bigquery-workers-ai.mdx b/src/content/docs/reference-architecture/diagrams/ai/bigquery-workers-ai.mdx
new file mode 100644
index 000000000000000..8ab18039f4210e9
--- /dev/null
+++ b/src/content/docs/reference-architecture/diagrams/ai/bigquery-workers-ai.mdx
@@ -0,0 +1,67 @@
+---
+title: "Ingesting BigQuery Data into Workers AI"
+pcx_content_type: reference-architecture-diagram
+tags:
+ - AI
+products:
+ - Workers AI
+ - Workers
+ - R2
+ - Vectorize
+ - D1
+ - Workers KV
+sidebar:
+ order: 1
+ label: Ingesting BigQuery Data into Workers AI
+updated: 2024-10-26
+---
+
+## Introduction
+
+You can connect a Cloudflare Worker to get data from Google BigQuery and pass it to Workers AI, to run AI Models, powered by serverless GPUs. This will allow you to enhance data with AI-generated responses, such as detecting the sentiment score of some text or generating tags for an article. This document describes a simple way to get started if you are looking to give Workers AI a try and see how the [new and different AI models](/workers-ai/models/) would perform with your data hosted in BigQuery.
+
+## User-based approach
+
+This version of the integration is aimed at workflows that require interaction with users to fetch data or generate ad-hoc reports.
+
+![Figure 1: Ingesting Google BigQuery Data into Workers AI (user-based)](~/assets/images/reference-architecture/bigquery-workers-ai/user-based-architecture.svg "Figure 1: Ingesting Google BigQuery Data into Workers AI (user-based)")
+
+1. A user makes a request to a [Worker](https://workers.cloudflare.com/) endpoint. (Which can optionally incorporate [Access](/cloudflare-one/policies/access/) in front of it to authenticate users).
+2. Worker fetches [securely stored](/workers/configuration/secrets/) Google Cloud Platform service account information such as service key and generates a JSON Web Token to issue an authenticated API request to BigQuery.
+3. Worker receives the data from BigQuery and [transforms it into a format](/workers-ai/tutorials/using-bigquery-with-workers-ai/#6-format-results-from-the-query) that will make it easier to iterate when interacting with Workers AI.
+4.
Using its [native integration](/workers-ai/configuration/bindings/) with Workers AI, the Worker forwards the data from BigQuery which is then run against one of Cloudflare's hosted AI models.
+5. The original data retrieved from BigQuery alongside the AI-generated information is returned to the user as a response to the request initiated in step 1.
+
+## Cron-triggered approach
+
+For periodic or longer workflows, you may opt for a batch approach. This diagram also explores more products where you can use the data ingested from BigQuery. It relies on [Cron Triggers](/workers/configuration/cron-triggers/), which are built into the Developer Platform and available for free when using Workers to schedule initialization of workloads.
+
+![Figure 2: Ingesting Google BigQuery Data into Workers AI (cron-triggered)](~/assets/images/reference-architecture/bigquery-workers-ai/scheduled-based-architecture.svg "Figure 2: Ingesting Google BigQuery Data into Workers AI (cron-triggered)")
+
+1. [A Cron Trigger](/workers/configuration/cron-triggers/) invokes the Worker without any user interaction.
+2. Worker fetches [securely stored](/workers/configuration/secrets/) Google Cloud Platform service account information such as service key and generates a JSON Web Token to issue an authenticated API request to BigQuery.
+3. Worker receives the data from BigQuery and [transforms it into a format](/workers-ai/tutorials/using-bigquery-with-workers-ai/#6-format-results-from-the-query) that will make it easier to iterate when interacting with Workers AI.
+4. Using its [native integration](/workers-ai/configuration/bindings/) with Workers AI, the Worker forwards the data from BigQuery to generate some content related to it.
+5. Optionally, you can store the BigQuery data and the AI-generated data in a variety of different Cloudflare services.
+ * Into [D1](/d1/), a SQL database.
+ * If in step four you used Workers AI to generate embeddings, you can store them in [Vectorize](/vectorize/).
To learn more about this type of solution, please consider reviewing the reference architecture diagram on [Retrieval Augmented Generation](/reference-architecture/diagrams/ai/ai-rag/).
+ * To [Workers KV](/kv/) if the output of your data will be stored and consumed in a key/value fashion.
+ * If you prefer to save the data fetched from BigQuery and Workers AI into objects (such as images, files, JSONs), you can use [R2](/r2/), our egress-free object storage to do so.
+6. You can set up an integration so a system or a user gets notified whenever a new result is available or if an error occurs. It's also worth mentioning that Workers by themselves can already provide additional [observability](/workers/observability/).
+ * Sending an email with all the data retrieved and generated in the previous step is possible using [Email Routing](/email-routing/email-workers/send-email-workers/).
+ * Since Workers allows you to issue HTTP requests, you can notify a webhook or API endpoint once the process finishes or if there's an error.
+
+## Related resources
+
+- [Workers AI: Get Started](/workers-ai/get-started/workers-wrangler/)
+- [Workers: Secrets](/workers/configuration/secrets/)
+- [Workers: Cron Triggers](/workers/runtime-apis/handlers/scheduled/)
+- [Email Routing](/email-routing/email-workers/send-email-workers/)
+- [Create a GCP service account](https://cloud.google.com/iam/docs/service-accounts-create#iam-service-accounts-create-console)
+- [Create a GCP service account key](https://cloud.google.com/iam/docs/keys-create-delete#iam-service-account-keys-create-console)
+- [Retrieval Augmented Generation (RAG) Reference Architecture](/reference-architecture/diagrams/ai/ai-rag/)
+- [Vectorize](/vectorize/)
+- [Workers KV](/kv/)
+- [R2](/r2/)
+- [D1](/d1/)
+
From c9012f50ddb9c45fc3be386cfe5e70c7f1797ed3 Mon Sep 17 00:00:00 2001
From: Brendan Irvine-Broque Date: Mon, 28 Oct 2024 12:16:31 -0400 Subject: [PATCH 033/273] Revert "[Workers] Add documentation for cf-tutor tool (#17627)" (#17820) This reverts commit e69d73ce168311edb3853b7b1aed72265ce6dd44.
--- src/content/docs/d1/get-started.mdx | 1 - src/content/docs/r2/get-started.mdx | 22 +++------- .../get-started/workers-wrangler.mdx | 1 - .../docs/workers/get-started/cf-tutor.mdx | 33 --------------- .../docs/workers/get-started/guide.mdx | 13 +++--- src/content/partials/workers/cf-tutor.mdx | 41 ------------------- 6 files changed, 12 insertions(+), 99 deletions(-) delete mode 100644 src/content/docs/workers/get-started/cf-tutor.mdx delete mode 100644 src/content/partials/workers/cf-tutor.mdx
diff --git a/src/content/docs/d1/get-started.mdx b/src/content/docs/d1/get-started.mdx
index 3ff582f08e195a4..2f95990dc57e1d0
--- a/src/content/docs/d1/get-started.mdx
+++ b/src/content/docs/d1/get-started.mdx
@@ -533,5 +533,4 @@ If you have any feature requests or notice any bugs, share your feedback directl
- See supported [Wrangler commands for D1](/workers/wrangler/commands/#d1).
- Learn how to use the [D1 client API](/d1/build-with-d1/d1-client-api/) within your Worker.
-- Learn the basics of using Workers with D1 and CLI development in a guided learning experience with [Cloudflare CLI tutor](/workers/get-started/cf-tutor/).
- Explore [community projects built on D1](/d1/reference/community-projects/).
diff --git a/src/content/docs/r2/get-started.mdx b/src/content/docs/r2/get-started.mdx
index 0ea1f461a7a151f..62dee80f00777a3
--- a/src/content/docs/r2/get-started.mdx
+++ b/src/content/docs/r2/get-started.mdx
@@ -6,20 +6,14 @@ sidebar: head: - tag: title content: Get started guide
+
---
-import { Render } from "~/components";
+import { Render } from "~/components"
Cloudflare R2 Storage allows developers to store large amounts of unstructured data without the costly egress bandwidth fees associated with typical cloud storage services.
-
- -
+
## 1. Install and authenticate Wrangler
@@ -57,10 +51,6 @@ You will receive a confirmation message after a successful upload. Cloudflare provides multiple ways for developers to access their R2 buckets:
-- [Workers Runtime API](/r2/api/workers/workers-api-usage/)
-- [S3 API compatibility](/r2/api/s3/api/)
-- [Public buckets](/r2/buckets/public-buckets/)
-
-## Related resources
-
-- [Cloudflare CLI tutor](/workers/get-started/cf-tutor/) - Learn the basics of using Workers with R2 and CLI development in a guided learning experience.
+* [Workers Runtime API](/r2/api/workers/workers-api-usage/)
+* [S3 API compatibility](/r2/api/s3/api/)
+* [Public buckets](/r2/buckets/public-buckets/)
diff --git a/src/content/docs/workers-ai/get-started/workers-wrangler.mdx b/src/content/docs/workers-ai/get-started/workers-wrangler.mdx
index 5f4c56b1a2176c3..4017a55403c5879
--- a/src/content/docs/workers-ai/get-started/workers-wrangler.mdx
+++ b/src/content/docs/workers-ai/get-started/workers-wrangler.mdx
@@ -135,4 +135,3 @@ By finishing this tutorial, you have created a Worker, connected it to Workers A
- [Cloudflare Developers community on Discord](https://discord.cloudflare.com) - Submit feature requests, report bugs, and share your feedback directly with the Cloudflare team by joining the Cloudflare Discord server.
- [Models](/workers-ai/models/) - Browse the Workers AI models catalog.
-- [Cloudflare CLI tutor](/workers/get-started/cf-tutor/) - Learn the basics of Workers AI and CLI development in a guided learning experience.
diff --git a/src/content/docs/workers/get-started/cf-tutor.mdx b/src/content/docs/workers/get-started/cf-tutor.mdx
deleted file mode 100644
index 31b27edaf774523..000000000000000
--- a/src/content/docs/workers/get-started/cf-tutor.mdx
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: CLI guided learning
-pcx_content_type: get-started
-sidebar:
- order: 2
- badge:
- text: Beta
-head:
- - tag: title
- content: Get started - CLI guided learning
----
-
-import { Badge, Render } from "~/components";
-
-Cloudflare CLI tutor, or `cf-tutor`, is a guided learning experience within your terminal. If you are unfamiliar with Workers, or are new to command line interface (CLI) based development, cf-tutor offers an introduction on how to use Workers with other Cloudflare products through your terminal.
-
-`cf-tutor` is currently a beta application in pre-release. To download the application, you can use the `git clone` in your terminal, or download the application from the releases page on the project repo.
-
-## Prerequisites
-
-
-
-## How to run
-
-
-
-## Next steps
-
-To do more:
-
-- Visit the [Cloudflare dashboard](https://dash.cloudflare.com/) for simpler editing.
-- Learn how to [test and debug](/workers/testing/) your Workers.
-- Read about [Workers limits and pricing](/workers/platform/).
diff --git a/src/content/docs/workers/get-started/guide.mdx b/src/content/docs/workers/get-started/guide.mdx
index 364f812a24fcd40..762c52e31a0ee6b
--- a/src/content/docs/workers/get-started/guide.mdx
+++ b/src/content/docs/workers/get-started/guide.mdx
@@ -48,11 +48,11 @@ cd my-first-worker In your project directory, C3 will have generated the following:
-- `wrangler.toml`: Your [Wrangler](/workers/wrangler/configuration/#sample-wranglertoml-configuration) configuration file.
-- `index.js` (in `/src`): A minimal `'Hello World!'` Worker written in [ES module](/workers/reference/migrate-to-module-workers/) syntax.
-- `package.json`: A minimal Node dependencies configuration file.
-- `package-lock.json`: Refer to [`npm` documentation on `package-lock.json`](https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json).
-- `node_modules`: Refer to [`npm` documentation `node_modules`](https://docs.npmjs.com/cli/v7/configuring-npm/folders#node-modules).
+* `wrangler.toml`: Your [Wrangler](/workers/wrangler/configuration/#sample-wranglertoml-configuration) configuration file.
+* `index.js` (in `/src`): A minimal `'Hello World!'` Worker written in [ES module](/workers/reference/migrate-to-module-workers/) syntax.
+* `package.json`: A minimal Node dependencies configuration file.
+* `package-lock.json`: Refer to [`npm` documentation on `package-lock.json`](https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json).
+* `node_modules`: Refer to [`npm` documentation `node_modules`](https://docs.npmjs.com/cli/v7/configuring-npm/folders#node-modules).
@@ -191,7 +191,7 @@ Preview your Worker at `..workers.dev`.
-If you see [`523` errors](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-523-origin-is-unreachable) when pushing your `*.workers.dev` subdomain for the first time, wait a minute or so and the errors will resolve themselves.
+If you see [`523` errors](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-523-origin-is-unreachable) when pushing your `*.workers.dev` subdomain for the first time, wait a minute or so and the errors will resolve themselves.
@@ -201,7 +201,6 @@ To do more:
- Visit the [Cloudflare dashboard](https://dash.cloudflare.com/) for simpler editing.
- Review our [Examples](/workers/examples/) and [Tutorials](/workers/tutorials/) for inspiration.
-- Learn the basics of developing Cloudflare applications through a CLI with our [Cloudflare CLI tutor tool](/workers/get-started/cf-tutor/).
- Set up [bindings](/workers/runtime-apis/bindings/) to allow your Worker to interact with other resources and unlock new functionality.
- Learn how to [test and debug](/workers/testing/) your Workers.
- Read about [Workers limits and pricing](/workers/platform/).
diff --git a/src/content/partials/workers/cf-tutor.mdx b/src/content/partials/workers/cf-tutor.mdx
deleted file mode 100644
index a105a264a226d9c..000000000000000
--- a/src/content/partials/workers/cf-tutor.mdx
+++ /dev/null
@@ -1,41 +0,0 @@ ---- -{} ---- - -import { TabItem, Tabs } from "~/components"; - - - - - -1. Open a terminal window. -2. In your terminal, navigate to the folder you wish to install cf-tutor. You can change directory by using the `cd` command followed by the folder path. You can either enter the full path such as `cd Documents/Projects/ ` or you can use `cd` multiple times to go folder by folder. To see the files and folders in the directory you are currently in, run `ls`. -3. Run the command `git clone https://github.com/db-cloudflare/cf-tutor.git` to download cf-tutor. -4. Run the command `cd cf-tutor` to enter the application folder. -5. Run the command `npm i` to install all dependendant packages. -6. Once the dependencies have installed, run `npm start ` to run the application - - - - - -The following steps require an SSH key. Vist [GitHub documentation on Connecting with SSH to learn more](https://docs.github.com/en/authentication/connecting-to-github-with-ssh) - -1. Open a terminal window. -2. In your terminal, navigate to the folder you wish to install cf-tutor. You can change directory by using the `cd` command followed by the folder path. You can either enter the full path such as `cd Documents/Projects/ ` or you can use `cd` multiple times to go folder by folder. To see the files and folders in the directory you are currently in, run `ls`. -3. Run the command `git clone git@github.com:db-cloudflare/cf-tutor.git` and enter your SSH key to download cf-tutor. -4. Run the command `cd cf-tutor` to enter the application folder. -5. Run the command `npm i` to install all dependendant packages. -6. Once the dependencies have installed, run `npm start ` to run the application - - - - - -1. Open [cf-tutor releases](https://github.com/db-cloudflare/cf-tutor/releases). -2. Download the cf-tutor.zip file and extract the folder inside it into your desired location. -3. In your terminal, navigate to the cf-tutor folder. 
You can change directory by using the `cd` command followed by the folder path. You can either enter the full path such as `cd Documents/Projects/cf-tutor` or you can use `cd` multiple times to go folder by folder. To see the files and folders in the directory you are currently in, run `ls`. -4. Run the command `npm i` to install all dependendant packages. -5. Once the dependencies have installed, run `npm start ` to run the application. - - From 79719ac3e2edde839eb7040837a6f182ddbe8333 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Dores?= <147410514+jdorescf@users.noreply.github.com> Date: Mon, 28 Oct 2024 16:19:50 +0000 Subject: [PATCH 034/273] Jdorescf patch 2 (#17789) * New Reference Architecture Diagram - DNS filtering solution for Internet Service Providers * Create dummy.txt * Add files via upload * Delete src/assets/images/reference-architecture/gateway-dns-for-isp/dummy.txt * Update src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update gateway-dns-for-isp.mdx Removing https://developers.cloudflare.com from links because they should be relative. * Update src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * PCX Review --------- Co-authored-by: Simon Thorpe Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> Co-authored-by: Jun Lee --- .../gateway-dns-for-isp-image-01.svg | 135 +++++++++++++++++ .../gateway-dns-for-isp-image-02.svg | 118 +++++++++++++++ .../gateway-dns-for-isp-image-03.svg | 138 ++++++++++++++++++ .../diagrams/sase/gateway-dns-for-isp.mdx | 67 +++++++++ 4 files changed, 458 insertions(+) create mode 100644 src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-01.svg create mode 100644 src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg create mode 100644 src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-03.svg create 
mode 100644 src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx diff --git a/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-01.svg b/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-01.svg new file mode 100644 index 000000000000000..aa67de1ca730c0c --- /dev/null +++ b/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-01.svg @@ -0,0 +1,135 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg b/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg new file mode 100644 index 000000000000000..eff67fb2e34c5a7 --- /dev/null +++ b/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg @@ -0,0 +1,118 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-03.svg b/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-03.svg new file mode 100644 index 000000000000000..a002219307a6dbc --- /dev/null +++ b/src/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-03.svg 
@@ -0,0 +1,138 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx new file mode 100644 index 000000000000000..a9c7c3c2603c5ec --- /dev/null +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx 
@@ -0,0 +1,67 @@ +--- +title: DNS filtering solution for Internet service providers +pcx_content_type: reference-architecture-diagram +products: + - Cloudflare Gateway +sidebar: + order: 1 + label: DNS filtering solution for Internet service providers +updated: 2024-10-25 +--- + +## Introduction + +Internet service providers are constantly exploring new revenue opportunities to expand their business, and many are now turning to security as a value-added service alongside their connectivity offerings. Traditionally, integrating security with connectivity posed significant challenges due to the reliance on legacy solutions that required costly on-premises hardware. This makes it difficult to deploy and manage, and introduce post-deployment struggles with scalability and availability. + +Today, these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow service providers to offer enhanced security as a value-added service for residential and mobile subscribers or B2B clients. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), service providers can effectively safeguard their customers from accessing potentially [harmful domains](/cloudflare-one/policies/gateway/domain-categories/#security-categories). + +Moreover, Cloudflare Gateway eliminates concerns around availability, performance, and scalability, as it is built on [Cloudflare's 1.1.1.1 public DNS resolver](/1.1.1.1/), one of the [fastest](https://www.dnsperf.com/#!dns-providers) and most widely used DNS resolvers in the world. + +Furthermore, this solution opens up opportunities for developing additional services beyond security, such as parental controls or tailored filtering profiles for B2B clients. 
+ +## Solution + +Providing DNS security to the service providers' end customers with Cloudflare is straightforward. Service providers simply forward their public DNS requests to their Cloudflare tenant, and Cloudflare will filter DNS queries in accordance with the configured DNS filtering policies. + +![Figure 1: The service provider subscribers send DNS queries to the service provider DNS server, which will forward them to Cloudflare Gateway to apply DNS filtering policies.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-01.svg) + +Cloudflare Gateway, like all Cloudflare services, utilizes [anycast technology](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/), ensuring that all service provider DNS queries are directed to the nearest Cloudflare point of presence. + +To distinguish queries originating from the service provider from those coming from other customers, admins configure a [location](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) in their Cloudflare tenant dashboard. When a DNS location is created, Gateway assigns IPv4/IPv6 addresses and DoT/DoH hostnames for that location. These assigned IP addresses and hostnames are then used by the service provider to send DNS queries for resolution. In turn, the service provider configures the location object with the public IP addresses of their on-premises DNS servers, allowing Cloudflare to accurately associate queries with the corresponding location. + +:::note[On Locations] +If stable and defined source IPv4 addresses cannot be assigned to the on-premises DNS servers, service providers can instead use unique destination location endpoints. 
Each location is assigned a distinct [DoT](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-over-tls) and [DoH](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-over-https) hostname, as well as a unique [destination IPv6 address](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#ipv6-address). Additionally, Cloudflare can provide unique [destination IPv4 addresses upon request](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip). +::: + +DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with 0.0.0.0 for IPv4 queries or :: for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an '[Override](/cloudflare-one/policies/gateway/dns-policies/#override)' action can redirect the DNS query to a block page hosted by the service provider. + +![Figure 2: A DNS policy to prevent users from navigating to malicious domains. The action is to override and redirect the DNS query to a block page hosted by the service provider.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg) + +To achieve more precise control over which domains are allowed or blocked, the service provider can configure additional 'Allowed Domains' and 'Blocked Domains' policies. 
By setting these policies with [lower precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) than the 'Security Risks' policy, the service provider can override the 'Security Risks' policy for specific domains. + +To streamline the management of allowed and blocked domains, [lists](/cloudflare-one/policies/gateway/lists/) can be utilized. These lists are easily updated through the dashboard or via [APIs](/api/operations/zero-trust-lists-update-zero-trust-list), making policy adjustments more efficient. + +![Figure 3: DNS policies are applied according to their order of precedence. In this example, the 'Allow List Policy' and 'Block List Policy' will be considered before the 'Security List' policy.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-03.svg) + +Additionally, all DNS queries forwarded to Cloudflare Gateway are logged and can be exported to external systems using [Logpush](/cloudflare-one/insights/logs/logpush/). + +:::note[Miscategorization of domains] +In cases of a miscategorization of domains, a [categorization change request](/security-center/investigate/change-categorization/#change-categorization-via-the-cloudflare-dashboard) can be raised directly from the Cloudflare dashboard. +::: + +## Additional offerings based on DNS filtering capabilities + +Service providers can enhance their offerings by utilizing Cloudflare Gateway DNS policies to deliver additional value-added services alongside the base DNS security service. By utilizing the same solution, service providers can develop customized content category filtering services. These services can be easily constructed using Cloudflare's built-in [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories) and [application types](/cloudflare-one/policies/gateway/application-app-types/), as well as the service provider's own custom allow and block lists. 
+ +Some potential applications include: +- **Parental Control Services**: This service can block categories such as adult themes, child abuse, violence, and questionable content to ensure a safer online environment for children. +- **Educational Services**: Designed for schools and educational organizations, this service can extend beyond parental controls by blocking additional categories like CIPA, gambling, and entertainment, thereby promoting a focused learning atmosphere. +- **Enterprise Services**: This offering allows businesses to easily restrict access to non-work-related domains, including categories such as entertainment, social networking, gambling, shopping & auctions, society & lifestyle, and sports. + +To differentiate these additional services from the core DNS security offering, the service provider would create additional DNS locations, one for each service. Cloudflare would be able to distinguish DNS queries for these services if the service provider sends them to one of the unique identifiers of a location. Each location has a unique [DoH](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-over-https) and [DoT](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-over-tls) hostname, and a unique [destination IPv6 address](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#ipv6-address). Cloudflare can also provision [dedicated destination IPv4 addresses](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) per location. 
+ +## Related resources + +- [Cloudflare Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/) +- [Cloudflare Blog: Using the power of Cloudflare's global network to detect malicious domains using machine learning](https://blog.cloudflare.com/threat-detection-machine-learning-models/) +- [Protect ISP and telecommunications networks from DDoS attacks](/reference-architecture/diagrams/network/protecting-sp-networks-from-ddos/) From 4810cc299c504f664db9a9972437ccfabc4fd2fb Mon Sep 17 00:00:00 2001 From: daisyfaithauma Date: Mon, 28 Oct 2024 16:46:35 +0000 Subject: [PATCH 035/273] [AIG ]Grok initial documentation (#17764) * Grok initial documentation * Grok edit * Update src/content/docs/ai-gateway/providers/grok.mdx Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> * Update src/content/docs/ai-gateway/providers/grok.mdx Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> * Update src/content/docs/ai-gateway/providers/grok.mdx Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> * Update src/content/docs/ai-gateway/providers/grok.mdx Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> * URL edits --------- Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- .../docs/ai-gateway/providers/grok.mdx | 142 ++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 src/content/docs/ai-gateway/providers/grok.mdx diff --git a/src/content/docs/ai-gateway/providers/grok.mdx b/src/content/docs/ai-gateway/providers/grok.mdx new file mode 100644 index 000000000000000..d8e5b2caa4c9953 --- /dev/null +++ b/src/content/docs/ai-gateway/providers/grok.mdx 
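Review bot: The Override paragraph says the query can be redirected to a block page hosted by the service provider, but nothing tells readers what that means for HTTPS destinations: a browser that is sent to the provider's block page while requesting some other hostname will raise a certificate mismatch unless the block page's certificate covers the blocked name, which it normally cannot. A sentence after that paragraph such as `Note that for HTTPS destinations the redirected browser will see a certificate warning unless subscribers trust the certificate served by the block page; the override renders cleanly only for plain HTTP.` would set expectations. Presumably the same caveat applies to the Cloudflare-hosted block page, and the linked block-page document may already cover it, in which case a pointer to it here is enough.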
@@ -0,0 +1,142 @@ +--- +title: Grok +pcx_content_type: get-started +sidebar: + badge: + text: Beta +--- + +[Grok](https://docs.x.ai/docs#getting-started) is s a general purpose model that can be used for a variety of tasks, including generating and understanding text, code, and function calling. + +## Endpoint + +`https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/grok` + +## URL structure + +When making requests to [Grok](https://docs.x.ai/docs#getting-started), replace `https://api.x.ai/v1` in the URL you are currently using with `https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/grok`. + +## Examples + +### cURL + +```bash title="Request" +curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/grok/v1/chat/completions \ + --header 'content-type: application/json' \ + --header 'Authorization: Bearer {grok_api_token}' \ + --data '{ + "model": "grok-beta", + "messages": [ + { + "role": "user", + "content": "What is Cloudflare?" + } + ] +}' +``` + +If you are using the OpenAI SDK with JavaScript, you can set your endpoint like this: + +```js title="JavaScript" +import OpenAI from "openai"; + +const openai = new OpenAI({ + apiKey: "", + baseURL: + "https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/grok", +}); + +const completion = await openai.chat.completions.create({ + model: "grok-beta", + messages: [ + { + role: "system", + content: + "You are Grok, a chatbot inspired by the Hitchhiker's Guide to the Galaxy.", + }, + { + role: "user", + content: "What is the meaning of life, the universe, and everything?", + }, + ], +}); + +console.log(completion.choices[0].message); +``` + +If you are using the OpenAI SDK with Python, you can set your endpoint like this: + +```python title="Python" +import os +from openai import OpenAI + +XAI_API_KEY = os.getenv("XAI_API_KEY") +client = OpenAI( + api_key=XAI_API_KEY, + base_url="https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/grok", +) + +completion = 
client.chat.completions.create( + model="grok-beta", + messages=[ + {"role": "system", "content": "You are Grok, a chatbot inspired by the Hitchhiker's Guide to the Galaxy."}, + {"role": "user", "content": "What is the meaning of life, the universe, and everything?"}, + ], +) + +print(completion.choices[0].message) +``` + +If you are using the Anthropic SDK with JavaScript, you can set your endpoint like this: + +```js title="JavaScript" +import Anthropic from "@anthropic-ai/sdk"; + +const anthropic = new Anthropic({ + apiKey: "", + baseURL: + "https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/grok", +}); + +const msg = await anthropic.messages.create({ + model: "grok-beta", + max_tokens: 128, + system: + "You are Grok, a chatbot inspired by the Hitchhiker's Guide to the Galaxy.", + messages: [ + { + role: "user", + content: "What is the meaning of life, the universe, and everything?", + }, + ], +}); + +console.log(msg); +``` + +If you are using the Anthropic SDK with Python, you can set your endpoint like this: + +```python title="Python" +import os +from anthropic import Anthropic + +XAI_API_KEY = os.getenv("XAI_API_KEY") +client = Anthropic( + api_key=XAI_API_KEY, + base_url="https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/grok", +) + +message = client.messages.create( + model="grok-beta", + max_tokens=128, + system="You are Grok, a chatbot inspired by the Hitchhiker's Guide to the Galaxy.", + messages=[ + { + "role": "user", + "content": "What is the meaning of life, the universe, and everything?", + }, + ], +) + +print(message.content) +``` From 58997fb57413b8bcf1a9945350af6bf4c080435a Mon Sep 17 00:00:00 2001 
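Review bot: Both JavaScript samples construct the client with `apiKey: ""`, while both Python samples read `XAI_API_KEY` from the environment; an empty-string literal invites readers to paste the token straight into source. Use `apiKey: process.env.XAI_API_KEY,` in both JS samples so all four examples handle the credential the same way. The cURL example names its placeholder `{grok_api_token}` whereas the SDK samples call the same secret `XAI_API_KEY`; one name throughout would avoid readers thinking two different tokens are involved. The intro sentence also has a typo, `is s a general purpose model`, which should read `is a general purpose model`.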
From: Simon Thorpe Date: Mon, 28 Oct 2024 09:54:55 -0700 Subject: [PATCH 036/273] Reference architecture diagram - Bring your own IP space to Cloudflare (#17785) * Initial commit * Update src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> * Update figure1.svg * Apply suggestions from code review Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> * Update bring-your-own-ip-space-to-cloudflare.mdx Changing references to Cloudflare edge as per style guide * Update figure1.svg * Update figure2.svg --------- Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> --- .../figure1.svg | 67 +++++++++++++ .../figure2.svg | 99 +++++++++++++++++++ .../bring-your-own-ip-space-to-cloudflare.mdx | 58 +++++++++++ 3 files 
changed, 224 insertions(+) create mode 100644 src/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure1.svg create mode 100644 src/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure2.svg create mode 100644 src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx diff --git a/src/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure1.svg b/src/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure1.svg new file mode 100644 index 000000000000000..0aeaa57d2638b59 --- /dev/null +++ b/src/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure1.svg @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure2.svg b/src/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure2.svg new file mode 100644 index 000000000000000..a519c8fd56924c8 --- /dev/null +++ b/src/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure2.svg @@ -0,0 +1,99 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx b/src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx new file mode 100644 index 000000000000000..3703d016cbd307c --- /dev/null +++ b/src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx 
@@ -0,0 +1,58 @@ +--- +title: Bring your own IP space to Cloudflare +pcx_content_type: reference-architecture-diagram +products: + - DDoS Protection + - BYOIP +sidebar: + order: 1 + label: BYOIP to Cloudflare +updated: 2024-10-24 +--- + +## Introduction + +Cloudflare brings security and performance to our customers' digital estates. However, one of the characteristics of proxying services is that interactions on the web that go to Cloudflare (DNS queries or requests to SaaS providers, for example) will appear to the world as coming from the Cloudflare IP space. This can create challenges for some enterprises. + +For example, partners or other B2B relationships may use the public IP space owned by a customer for attestation and attribution in various transactions. They may look at the resolved address for a public hostname (for example, `www.example.com`) and expect that IP to match a specific range or address known to be owned by the customer. + +[Bring Your Own IP (BYOIP)](/byoip/) allows enterprises to bring their IP space to Cloudflare, thus gaining the security and performance of the Cloudflare platform while still appearing to the rest of the world via their own public IP space. This reference architecture diagram highlights the different ways customers can bring their IP space to the Cloudflare network and the benefits that are achieved. + +## BYOIP scenario one \- Cloudflare proxy services + +The default behavior when a DNS query is made to a Cloudflare proxied hostname will be to return one of Cloudflare's [default anycast IP addresses](https://www.cloudflare.com/ips/). The traffic is then accelerated, protected, and, if not served by Cloudflare cache, sent to the customer's origin server. + +In the diagram below, instead of the default behavior, traffic will proxy through Cloudflare's application services platform but DNS queries will return an IP address that is owned by the customer while also benefiting from Cloudflare's anycast network. 
+ +There are two different network ranges used in this example: + +- `152.3.15.0/24` \- Customer owned IP range that will be associated with the Cloudflare network. +- `152.3.14.0/24` \- Customer owned IP range that will continue to be associated with their origin network. + +![Figure 1: Cloudflare announces customer IP range and proxies it to the origin server IP.](~/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure1.svg "Figure 1: Cloudflare announces customer IP range and proxies it to the origin server IP.") + +1. In order for Cloudflare to respond to DNS queries with addresses from the customer's space, a Letter of Agency (LOA) must be provided by the customer to Cloudflare, so that the addresses can be provisioned and advertised. This address space (in the example, `152.3.15.0/24`) must be dedicated for Cloudflare's configuration and not used anywhere within the customer environment. +2. The Cloudflare DNS configuration for the origin server `www.abc.com` is configured with the IP address `152.3.14.10/32`. +3. A DNS query for `www.abc.com` is made. +4. Cloudflare returns an address from the customer's space that was previously configured from a BYOIP space provided by the customer. In this case, the response was `152.2.15.200`, which is a part of the `/24` prefix of `152.2.15.0/24`. +5. The eyeball sends a request to `152.2.15.200` which is routed to Cloudflare. +6. Cloudflare proxies the connection, using the SNI (`www.abc.com`) to determine the actual origin IP, `152.3.14.10`. The request is then routed through Cloudflare's proxy services, such as DDoS protection, Web Application Firewall, and Bot Management. +7. Successful requests are sent to origin (if not served by cache) to `152.3.14.10` with a source IP of the Cloudflare network. + +## BYOIP scenario two \- network DDoS protection + +Cloudflare is well known for its DDoS mitigation services protecting public websites and APIs. 
The same technologies can also be used to protect entire networks. Cloudflare's [Magic Transit](/magic-transit/) service offers a cloud-based network DDoS mitigation service for our customers' public IP space. + +![Figure 2: Protection against DDoS attacks can be placed in front of the BYOIP range in front of your Cloudflare tunneled network.](~/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure2.svg "Figure 2: Protection against DDoS attacks can be placed in front of the BYOIP range in front of your Cloudflare tunneled network.") + +1. In order for Cloudflare to attract traffic destined for customer network prefixes, a Letter of Agency (LOA) must be provided by the customer to Cloudflare, so that the network prefixes can be provisioned and advertised. +2. Once provisioned, Cloudflare will advertise the customer prefixes to the Internet, attracting traffic destined for those networks to the Cloudflare network. +3. All traffic destined for those prefixes is routed to Cloudflare. +4. DDoS traffic is mitigated by Cloudflare and legitimate traffic is directed back to customer networks via [tunnels](/magic-wan/), or via [Cloudflare Network Interconnect](/network-interconnect/) (CNI) on ramps to the customer environment. + +More detailed information about Magic Transit capabilities can be found in the [Magic Transit Reference Architecture](/reference-architecture/architectures/magic-transit/). + +## Related resources + +- [Protect hybrid cloud networks with Cloudflare Magic Transit](/reference-architecture/diagrams/network/protect-hybrid-cloud-networks-with-cloudflare-magic-transit/) +- [Protect public networks with Cloudflare](/reference-architecture/diagrams/network/protect-public-networks-with-cloudflare/) From 35b3b01c914d6c92838b1bb69175cc2cdd9bd108 Mon Sep 17 00:00:00 2001 
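Review bot: Steps 4 and 5 of scenario one use `152.2.15.200` and `152.2.15.0/24`, but the range introduced above Figure 1 and in step 1 is `152.3.15.0/24`, so the walkthrough contradicts itself; both occurrences should be `152.3.15.200` and `152.3.15.0/24`. The example prefixes and `www.abc.com` also appear to be real, routable address space and a real registered domain rather than documentation reservations, which in a page readers copy from can send test traffic at someone else's infrastructure; the RFC 5737 blocks (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and `example.com` avoid that. Step 2 writes the origin record as `152.3.14.10/32`, but a DNS A record carries no prefix length, so `152.3.14.10` alone is clearer. Since step 7 states that origin sees a Cloudflare source IP, a short sentence there that origin-side allowlists must therefore admit Cloudflare's published ranges rather than the BYOIP prefix would pre-empt a common misconfiguration.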
From: Brendan Irvine-Broque Date: Mon, 28 Oct 2024 13:10:10 -0400 Subject: [PATCH 037/273] Clarify node.js vs edge runtime in Next.js <> Pages docs (#17196) Provide more guidance for which adapter to use when, and what will/won't work. --- .../nextjs/ssr/supported-features.mdx | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/src/content/docs/pages/framework-guides/nextjs/ssr/supported-features.mdx b/src/content/docs/pages/framework-guides/nextjs/ssr/supported-features.mdx index 8efd76c4b29c3fe..9b5cace8ab89a43 100644 --- a/src/content/docs/pages/framework-guides/nextjs/ssr/supported-features.mdx +++ b/src/content/docs/pages/framework-guides/nextjs/ssr/supported-features.mdx 
@@ -13,11 +13,21 @@ import { Details } from "~/components"
`@cloudflare/next-on-pages` supports all minor and patch version of Next.js 13 and 14. We regularly run manual and automated tests to ensure compatibility.
-### Node.js
+### Node.js API support
-Next.js has [two "runtimes"](https://nextjs.org/docs/app/building-your-application/rendering/edge-and-nodejs-runtimes) — "Edge" and "Node.js". When you run your Next.js app on Cloudflare, you [can use available Node.js APIs](/workers/runtime-apis/nodejs/) — but you currently can only use Next.js' "Edge" runtime.
+Next.js has [two "runtimes"](https://nextjs.org/docs/app/building-your-application/rendering/edge-and-nodejs-runtimes) — "Edge" and "Node.js".
-The Workers runtime [supports a broad set of Node.js APIs](/workers/runtime-apis/nodejs/) — but [the Next.js Edge Runtime code intentionally constrains this](https://github.com/vercel/next.js/blob/canary/packages/next/src/build/webpack/plugins/middleware-plugin.ts#L820). As a result, only the following Node.js APIs work in a Next.js app:
+The `@cloudflare/next-on-pages` adapter supports only the edge "runtime".
+
+The [`@opennextjs/cloudflare` adapter](https://opennext.js.org/cloudflare), which lets you build and deploy Next.js apps to [Cloudflare Workers](/workers/), supports the Node.js "runtime" from Next.js. When you use it, you can use the [full set of Node.js APIs](/workers/runtime-apis/nodejs/) that Cloudflare Workers provide.
+
+`@opennextjs/cloudflare` is pre 1.0, and still in active development. As it approaches 1.0, it will become the clearly better choice for most Next.js apps, since Next.js has been engineered to only support its Node.js "runtime" for many newly introduced features.
+
+Refer to the [OpenNext docs](https://opennext.js.org/cloudflare) and the [Workers vs. Pages compatibility matrix](/workers/static-assets/compatibility-matrix/) for more information to help you decide which to use.
+
+#### Supported Node.js APIs when using `@cloudflare/next-on-pages`
+
+When you use `@cloudflare/next-on-pages`, your Next.js app must use the "edge" runtime from Next.js. The Workers runtime [supports a broad set of Node.js APIs](/workers/runtime-apis/nodejs/) — but [the Next.js Edge Runtime code intentionally constrains this](https://github.com/vercel/next.js/blob/canary/packages/next/src/build/webpack/plugins/middleware-plugin.ts#L820). As a result, only the following Node.js APIs will work in your Next.js app:
* `buffer`
* `events`
@@ -25,6 +35,8 @@ The Workers runtime [supports a broad set of Node.js APIs](/workers/runtime-apis
* `util`
* `async_hooks`
+If you need to use other APIs from Node.js, you should use [`@opennextjs/cloudflare`](https://opennext.js.org/cloudflare) instead.
+
## Supported Features
### Routers
From 7b8561bb30ad91b442fd19d2219680db28c0ec40 Mon Sep 17 00:00:00 2001
From: Simon Thorpe
Date: Mon, 28 Oct 2024 11:55:11 -0700
Subject: [PATCH 038/273] Update by-solution.mdx (#17827)
Adding new items to the list
---
 .../reference-architecture/by-solution.mdx | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/src/content/docs/reference-architecture/by-solution.mdx b/src/content/docs/reference-architecture/by-solution.mdx
index 3f8e2f4fa48c06b..2a1ed9e8b3eb867 100644
--- a/src/content/docs/reference-architecture/by-solution.mdx
+++ b/src/content/docs/reference-architecture/by-solution.mdx
@@ -43,11 +43,13 @@ Architecture documentation related to using Cloudflare for Zero Trust, SSE and S
- [Securing data at rest](/reference-architecture/diagrams/security/securing-data-at-rest/)
- [Securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/)
- [Securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/)
+- [Extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/)
#### Design guides
- [Building zero trust architecture into your startup](/reference-architecture/design-guides/zero-trust-for-startups/)
- [Network-focused migration from VPN concentrators to Zero Trust Network Access](/reference-architecture/design-guides/network-vpn-migration/)
+- [Using a zero trust framework to secure SaaS applications](/reference-architecture/design-guides/zero-trust-for-saas/)
#### Implementation guides
@@ -55,6 +57,13 @@ Architecture documentation related to using Cloudflare for Zero Trust, SSE and S
- [Replace your VPN](/learning-paths/replace-vpn/)
- [Deploy Zero Trust Web Access](/learning-paths/zero-trust-web-access/)
+### Networking
+
+#### Reference architecture diagrams
+
+- [Protect public networks with Cloudflare](/reference-architecture/diagrams/network/protect-public-networks-with-cloudflare/)
+- [Bring your own IP space to Cloudflare](/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare/)
+
### Application Performance
Content related to DNS, caching, load balancing and other Cloudflare services designed to improve application reliability and performance.
@@ -68,6 +77,11 @@ Content related to DNS, caching, load balancing and other Cloudflare services de
Content related to protecting your applications from threats such as DDoS attack, SQL injection, exploiting application vulnerabilities, scraping API data and more.
+#### Reference architecture diagrams
+
+- [Bot management](/reference-architecture/diagrams/bots/bot-management/)
+
+
#### Design guides
- [Secure application delivery](/reference-architecture/design-guides/secure-application-delivery/)
@@ -78,16 +92,26 @@ Architecture content for our developer platform.
#### Reference architecture diagrams
+##### AI
+
- [Automatic captioning for video uploads](/reference-architecture/diagrams/ai/ai-video-caption/)
- [Composable AI architecture](/reference-architecture/diagrams/ai/ai-composable/)
- [Content-based asset creation](/reference-architecture/diagrams/ai/ai-asset-creation/)
- [Multi-vendor AI observability and control](/reference-architecture/diagrams/ai/ai-multivendor-observability-control/)
- [Retrieval Augmented Generation (RAG)](/reference-architecture/diagrams/ai/ai-rag/)
+- [Ingesting BigQuery Data into Workers AI](/reference-architecture/diagrams/ai/bigquery-workers-ai/)
+
+##### Serverless
+
- [Optimizing Image Delivery with Cloudflare Image Resizing and R2](/reference-architecture/diagrams/content-delivery/optimizing-image-delivery-with-cloudflare-image-resizing-and-r2/)
- [A/B-testing using Workers](/reference-architecture/diagrams/serverless/a-b-testing-using-workers/)
- [Fullstack Applications](/reference-architecture/diagrams/serverless/fullstack-application/)
- [Serverless ETL pipelines](/reference-architecture/diagrams/serverless/serverless-etl/)
- [Serverless global APIs](/reference-architecture/diagrams/serverless/serverless-global-apis/)
- [Serverless image content management](/reference-architecture/diagrams/serverless/serverless-image-content-management/)
+
+##### Storage
+
- [Egress-free object storage in multi-cloud setups](/reference-architecture/diagrams/storage/egress-free-storage-multi-cloud/)
- [On-demand Object Storage Data Migration](/reference-architecture/diagrams/storage/on-demand-object-storage-migration/)
+- [Event notifications for storage](/reference-architecture/diagrams/storage/event-notifications-for-storage/)
From 449c1cd823f30bfc70bf77308fd92f4aa28a9b0b Mon Sep 17 00:00:00 2001
From: Taylor <1628134+taylorlee@users.noreply.github.com>
Date: Mon, 28 Oct 2024 12:34:57 -0700
Subject: [PATCH 039/273] Fix durable-object and observability sections of wrangler.toml docs (#17800)
* [Workers] Document Durable Object migrations in configuration and add missing brace in renamed_classes
* [Workers] Fix observabilty and logpush wrangler configuration
* fix type info
* remove duplicate example toml key
* link to logpush info
* [Workers] lift observability in wrangler configuration
It is not a binding. It is a script-setting, which lives somewhere between triggers and versioned settings (including bindings).
---
 .../docs/workers/wrangler/configuration.mdx | 52 ++++++++++---------
 1 file changed, 27 insertions(+), 25 deletions(-)
diff --git a/src/content/docs/workers/wrangler/configuration.mdx b/src/content/docs/workers/wrangler/configuration.mdx
index d5f9a6060e60da7..9e5a14721a763de 100644
--- a/src/content/docs/workers/wrangler/configuration.mdx
+++ b/src/content/docs/workers/wrangler/configuration.mdx
@@ -63,6 +63,10 @@ Top-level keys apply to the Worker as a whole (and therefore all environments).
- Whether Wrangler should keep variables configured in the dashboard on deploy. Refer to [source of truth](#source-of-truth).
+- `migrations`
+
+ - When making changes to your Durable Object classes, you must perform a migration. Refer to [Durable Object migrations](/durable-objects/reference/durable-objects-migrations/).
+
- `send_metrics`
- Whether Wrangler should send usage metrics to Cloudflare for this project.
@@ -161,13 +165,13 @@ At a minimum, the `name`, `main` and `compatibility_date` keys are required to d
- `logpush`
- - Enables Workers Trace Events Logpush for a Worker. Any scripts with this property will automatically get picked up by the Workers Logpush job configured for your account. Defaults to `false`.
+ - Enables Workers Trace Events Logpush for a Worker. Any scripts with this property will automatically get picked up by the Workers Logpush job configured for your account. Defaults to `false`. Refer to [Workers Logpush](/workers/observability/logs/logpush/).
- `limits`
- Configures limits to be imposed on execution at runtime. Refer to [Limits](#limits).
-* `observability` object optional
+* `observability`
- Configures automatic observability settings for telemetry data emitted from your Worker. Refer to [Observability](#observability).
@@ -322,6 +326,26 @@ Example:
crons = ["* * * * *"]
```
+## Observability
+
+The [Observability](/workers/observability/logs/workers-logs) setting allows you to automatically ingest, store, filter, and analyze logging data emitted from Cloudflare Workers directly from your Cloudflare Worker's dashboard.
+
+- `enabled`
+
+ - When set to `true` on a Worker, logs for the Worker are persisted. Defaults to `true` for all new Workers.
+
+- `head_sampling_rate`
+ - A number between 0 and 1, where 0 indicates zero out of one hundred requests are logged, and 1 indicates every request is logged. If `head_sampling_rate` is unspecified, it is configured to a default value of 1 (100%). Read more about [head-based sampling](/workers/observability/logs/workers-logs/#head-based-sampling).
+
+Example:
+
+```toml title="wrangler.toml"
+[observability]
+enabled = true
+head_sampling_rate = 0.1 # 10% of requests are logged
+```
+
+
## Custom builds
You can configure a custom build step that will be run before your Worker is deployed. Refer to [Custom builds](/workers/wrangler/custom-builds/).
@@ -510,7 +534,7 @@ When making changes to your Durable Object classes, you must perform a migration
- The new Durable Objects being defined.
-- `renamed_classes`
+- `renamed_classes`
- The Durable Objects being renamed.
@@ -629,28 +653,6 @@ binding = ""
id = ""
```
-### Observability
-
-The [Observability](/workers/observability/logs/workers-logs) setting allows you to automatically ingest, store, filter, and analyze logging data emitted from Cloudflare Workers directly from your Cloudflare Worker's dashboard.
-
-- `enabled` boolean required
-
- - When set to `true` on a Worker, logs for the Worker are persisted. Defaults to `true` for all new Workers.
-
-- `head_sampling_rate` number optional
- - A number between 0 and 1, where 0 indicates zero out of one hundred requests are logged, and 1 indicates every request is logged. If `head_sampling_rate` is unspecified, it is configured to a default value of 1 (100%). Read more about [head-based sampling](/workers/observability/logs/workers-logs/#head-based-sampling).
-
-Example:
-
-```toml title="wrangler.toml"
-[observability]
-enabled = true
-
-[observability]
-enabled = true
-head_sampling_rate = 0.1 # 10% of requests are logged
-```
-
### Queues
[Queues](/queues/) is Cloudflare's global message queueing service, providing [guaranteed delivery](/queues/reference/delivery-guarantees/) and [message batching](/queues/configuration/batching-retries/). To interact with a queue with Workers, you need a producer Worker to send messages to the queue and a consumer Worker to pull batches of messages out of the Queue. A single Worker can produce to and consume from multiple Queues.
From c96ef9c5d96e0d41a3f5d2eac369123e55b9c06b Mon Sep 17 00:00:00 2001
From: Kenton Varda
Date: Mon, 28 Oct 2024 14:40:54 -0500
Subject: [PATCH 040/273] [Durable Objects] Document transaction API changes with SQLite. (#17698)
* [Durable Objects] Document transaction API changes with SQLite.
* [Durable Objects] Fix broken links to SQLite class creation docs.
These existing links were just broken. Though, arguably they should actually go to `/durable-objects/best-practices/access-durable-objects-storage/#sqlite-storage-backend`, perhaps? For now I just fixed the links.
---
 .../docs/durable-objects/api/storage-api.mdx | 20 +++++++++++++++++--
 .../partials/workers/storage_api_pricing.mdx | 2 +-
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/durable-objects/api/storage-api.mdx b/src/content/docs/durable-objects/api/storage-api.mdx
index c87773f37d091c1..af69c8b20a24617 100644
--- a/src/content/docs/durable-objects/api/storage-api.mdx
+++ b/src/content/docs/durable-objects/api/storage-api.mdx
@@ -191,7 +191,21 @@ The `put()` method returns a `Promise`, but most applications can discard this p
* `txn`
- * Provides access to the `put()`, `get()`, `delete()` and `list()` methods documented above to run in the current transaction context. In order to get transactional behavior within a transaction closure, you must call the methods on the `txn` Object instead of on the top-level `state.storage` Object.

Also supports a `rollback()` function that ensures any changes made during the transaction will be rolled back rather than committed. After `rollback()` is called, any subsequent operations on the `txn` Object will fail with an exception. `rollback()` takes no parameters and returns nothing to the caller.
+ * Provides access to the `put()`, `get()`, `delete()` and `list()` methods documented above to run in the current transaction context. In order to get transactional behavior within a transaction closure, you must call the methods on the `txn` Object instead of on the top-level `ctx.storage` Object.

Also supports a `rollback()` function that ensures any changes made during the transaction will be rolled back rather than committed. After `rollback()` is called, any subsequent operations on the `txn` Object will fail with an exception. `rollback()` takes no parameters and returns nothing to the caller.
+
+ * When using [the SQLite-backed storage engine](/durable-objects/best-practices/access-durable-objects-storage/#sqlite-storage-backend), the `txn` object is obsolete. Any storage operations performed directly on the `ctx.storage` object, including SQL queries using [`ctx.storage.sql.exec()`](#sqlexec), will be considered part of the transaction.
+
+### transactionSync
+
+* `transactionSync(callback)`:
+
+ * Only available when using [the SQLite-backed storage engine](/durable-objects/best-practices/access-durable-objects-storage/#sqlite-storage-backend).
+
+ * Invokes `callback()` wrapped in a transaction, and returns its result.
+
+ * If `callback()` throws an exception, the transaction will be rolled back.
+
+ * The callback must complete synchronously, that is, it should not be declared `async` nor otherwise return a Promise. Only synchronous storage operations can be part of the transaction. This is intended for use with SQL queries using [`ctx.storage.sql.exec()`](#sqlexec), which complete sychronously.
### sync
@@ -233,7 +247,7 @@ The `put()` method returns a `Promise`, but most applications can discard this p
:::note[SQLite in Durable Objects Beta]
-SQL API methods accessed with `ctx.storage.sql` are only allowed on [Durable Object classes with SQLite storage backend](/durable-objects/reference/durable-objects-migrations/#enable-sqlite-storage-backend-on-create-durable-object-class-migration) and will return an error if called on Durable Object classes with a key-value storage backend.
+SQL API methods accessed with `ctx.storage.sql` are only allowed on [Durable Object classes with SQLite storage backend](/durable-objects/reference/durable-objects-migrations/#enable-sqlite-storage-backend-on-new-durable-object-class-migration) and will return an error if called on Durable Object classes with a key-value storage backend.
:::
@@ -282,6 +296,8 @@ A cursor (`SqlStorageCursor`) to iterate over query row results as objects. `Sql
* `rowsWritten`:
* The number of rows written so far as part of this SQL `query`. This may increase as you iterate the cursor. The final value is used for [SQL billing](/durable-objects/platform/pricing/#sqlite-storage-backend).
+Note that `sql.exec()` cannot execute transaction-related statements like `BEGIN TRANSACTION` or `SAVEPOINT`. Instead, use the [`ctx.storage.transaction()`](#transaction) or [`ctx.storage.transactionSync()`](#transactionsync) APIs to start a transaction, and then execute SQL queries in your callback.
+
#### Examples
diff --git a/src/content/partials/workers/storage_api_pricing.mdx b/src/content/partials/workers/storage_api_pricing.mdx
index 2707c3d175109a5..a570785b5e353fe 100644
--- a/src/content/partials/workers/storage_api_pricing.mdx
+++ b/src/content/partials/workers/storage_api_pricing.mdx
@@ -42,7 +42,7 @@ You can introspect rows read and rows written using `cursor.rowsRead` and `curso
:::
-For [Durable Objects classes with SQLite storage backend](/durable-objects/reference/durable-objects-migrations/#enable-sqlite-storage-backend-on-create-durable-object-class-migration) via `ctx.storage.sql` the following pricing is used instead:
+For [Durable Objects classes with SQLite storage backend](/durable-objects/reference/durable-objects-migrations/#enable-sqlite-storage-backend-on-new-durable-object-class-migration) via `ctx.storage.sql` the following pricing is used instead:
| | Workers Paid plan |
| ----------------------------| -------------------------- |
From ab23e9ee93b95066abb96cd23beac0295f852602 Mon Sep 17 00:00:00 2001
From: Michael Hart
Date: Tue, 29 Oct 2024 09:18:24 +1100
Subject: [PATCH 041/273] Include other products that the Cursor AI Assistant uses (#17661)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Include other products that the Cursor AI Assistant uses
It uses Worker AI embeddings models and AI Gateway for caching and analytics
* Update Cursor disclaimer to remove references to OpenAI
Cursor no longer uses OpenAI and relies solely on first-party models provided by Workers AI.
* Oxford it up 🎓
Co-authored-by: Claire W <78226508+crwaters16@users.noreply.github.com>
---------
Co-authored-by: Claire W <78226508+crwaters16@users.noreply.github.com>
---
 src/pages/workers/ai.astro | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/pages/workers/ai.astro b/src/pages/workers/ai.astro
index 0399f83be1e69cc..6e0775e893fdbb8 100644
--- a/src/pages/workers/ai.astro
+++ b/src/pages/workers/ai.astro
@@ -31,10 +31,13 @@ import CursorLight from "~/assets/images/workers/ai/cursor-light.png";

Cursor is an experimental AI assistant, trained to answer questions about Cloudflare's Developer Platform and powered by
- Cloudflare Workers and
- Vectorize. Cursor
- is here to help answer your Cloudflare Workers and Developer Platform
- questions, so ask away!
+ Cloudflare Workers,
+ Workers AI, Vectorize, and AI Gateway.
+ Cursor is here to help answer your Cloudflare Workers and Developer
+ Platform questions, so ask away!