[SSL] Restructure PQC in Cloudflare products: Cloudflare One umbrella, scoping fixes#30537
Draft
lukevalenta wants to merge 1 commit intoproductionfrom
Draft
[SSL] Restructure PQC in Cloudflare products: Cloudflare One umbrella, scoping fixes#30537lukevalenta wants to merge 1 commit intoproductionfrom
lukevalenta wants to merge 1 commit intoproductionfrom
Conversation
Contributor
|
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
|
Contributor
|
Preview URL: https://c3415bc3.preview.developers.cloudflare.com Files with changes (up to 15) |
lukevalenta
force-pushed
the
lvalenta/pqc-products-cf1-section
branch
from
caba47e to
56a88ba
Compare
lukevalenta
changed the title
lukevalenta
force-pushed
the
lvalenta/pqc-products-cf1-section
branch
from
56a88ba to
2ae4d55
Compare
…, scoping fixes - Add a new "Cloudflare One" H2 section with H3 sub-sections for each Cloudflare One product: Cloudflare One Client, Cloudflare Mesh, Agentless via proxy endpoints, Cloudflare Gateway, Cloudflare IPsec, and Cloudflare One Appliance. Each H3 has a Protection / Status table for connections that don't inherit from another (CF1 Client, proxy endpoints, IPsec, Appliance); Mesh inherits from CF1 Client via prose, and Cloudflare Gateway is a prose-only section that lists its possible on-ramps. - Move Cloudflare Tunnel to its own H2 section above the Cloudflare One umbrella, so it's not buried. - The 'Agentless via proxy endpoints' H3 covers Cloudflare Gateway proxy endpoints, where browsers are configured via PAC files or system proxy settings to forward traffic to a Cloudflare-hosted proxy endpoint that terminates TLS at Cloudflare's edge. The naming matches Cloudflare's official 'agentless via Proxy Endpoints' terminology distinguishing this deployment from agent-based (WARP). - Tighten the developer platform list under Visitor to Cloudflare to cover only proxied entrypoints (Workers custom domains, *.workers.dev, Pages, R2 public buckets, Stream, Images, API Shield-protected APIs, Cloudflare API and dashboard, Cloudflare Access self-hosted applications). Add a note that Worker-to-backend connections (D1, KV, Durable Objects, Workers AI, Hyperdrive) are governed by the Cloudflare internal network section, and Worker fetch() to third-party origins by Cloudflare to origin. Note that the Agentless via proxy endpoints on-ramp to Cloudflare Gateway terminates inbound TLS in its own edge stack and is covered separately under Cloudflare One. - Clarify that Gateway's PQ support on the egress leg to third-party origins (the Cloudflare to origin connection) is independent of which on-ramp the client uses.
lukevalenta
force-pushed
the
lvalenta/pqc-products-cf1-section
branch
from
2ae4d55 to
c3415bc
Compare
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reorganizes PQC in Cloudflare products to address inaccuracies in product scoping and improve discoverability of Cloudflare One product PQC status.
## Cloudflare OneH2 section with H3 sub-sections for each Cloudflare One product: Cloudflare One Client, Cloudflare Mesh, Cloudflare Gateway, Agentless via proxy endpoints, Cloudflare IPsec, and Cloudflare One Appliance. Each H3 has a Protection / Status table for connections that don't inherit from another (CF1 Client, proxy endpoints, IPsec, Appliance); Mesh inherits from CF1 Client via prose, and Cloudflare Gateway is a prose-only section that lists its possible on-ramps.Agentless via proxy endpointsH3 covers Cloudflare Gateway proxy endpoints, where browsers are configured via PAC files or system proxy settings to route egress HTTPS traffic through Gateway for inspection and filtering. The naming matches Cloudflare's official "agentless via Proxy Endpoints" terminology distinguishing this deployment from agent-based (WARP).*.workers.dev, Pages, R2 public buckets, Stream, Images, API Shield-protected APIs, Cloudflare API and dashboard, Cloudflare Access self-hosted applications). Add a note that Worker-to-backend connections (D1, KV, Durable Objects, Workers AI, Hyperdrive) are governed by the Cloudflare internal network section, and Workerfetch()to third-party origins by Cloudflare to origin. Note that the Agentless via proxy endpoints on-ramp to Cloudflare Gateway terminates inbound TLS in its own edge stack and is covered separately under Cloudflare One.A separate PR will tighten the PQC and Cloudflare One page.
Documentation checklist