Skip to content

[CF1] CWI TLS decryption note #21789

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 21, 2025
Merged

[CF1] CWI TLS decryption note #21789

merged 4 commits into from
Apr 21, 2025

Conversation

deadlypants1973
Copy link
Contributor

@deadlypants1973 deadlypants1973 commented Apr 17, 2025
edited
Loading

Summary

PCX-15362

Screenshots (optional)

Documentation checklist

  • The documentation style guide has been adhered to.
  • If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.
  • Files which have changed name or location have been allocated redirects.

@deadlypants1973 deadlypants1973 requested review from maxvp, ranbel and a team as code owners April 17, 2025 13:29
@hyperlint-ai Hyperlint AI
Copy link
Contributor

hyperlint-ai bot commented Apr 17, 2025

Howdy and thanks for contributing to our repo. The Cloudflare team reviews new, external PRs within two (2) weeks. If it's been two weeks or longer without any movement, please tag the PR Assignees in a comment.

We review internal PRs within 1 week. If it's something urgent or has been sitting without a comment, start a thread in the Developer Docs space internally.

PR Change Summary

Added a note regarding TLS decryption requirements for Clientless Web Isolation traffic in the documentation.

  • Clarified that TLS decryption is not required for applying HTTP policies to Clientless Web Isolation traffic.
  • Specified that enabling TLS decryption is necessary for adding Data Loss Prevention (DLP) configurations.

Modified Files

  • src/content/docs/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation.mdx
How can I customize these reviews?

Check out the Hyperlint AI Reviewer docs for more information on how to customize the review.

If you just want to ignore it on this PR, you can add the hyperlint-ignore label to the PR. Future changes won't trigger a Hyperlint review.

Note specifically for link checks, we only check the first 30 links in a file and we cache the results for several hours (for instance, if you just added a page, you might experience this). Our recommendation is to add hyperlint-ignore to the PR to ignore the link check for this PR.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 17, 2025
edited
Loading

Preview URL: https://1de8fd46.preview.developers.cloudflare.com
Preview Branch URL: https://kate-fixes-cwi-tls.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link Updated Link
https://developers.cloudflare.com/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/ https://kate-fixes-cwi-tls.preview.developers.cloudflare.com/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/

cdisher
cdisher requested changes Apr 17, 2025
View reviewed changes
Copy link
Contributor

@cdisher cdisher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a note to clarify functionality

...ontent/docs/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation.mdx Outdated
@@ -54,6 +54,12 @@ If [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryptio
| -------- | -------- | ------------ | -------------- |
| Domain | is | `mysite.com` | Do Not Inspect |

:::note

TLS decryption is not required to apply HTTP policies to Clientless Web Isolation traffic. However, enabling TLS decryption is necessary if you want to add [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) configurations.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realized that using DLP wording in my comment on the ticket was probably confusing. I sometimes refer to the isolation settings (e.g. disable copy paste, disable download,etc) as DLP configurations but this does NOT refer to our Data Loss Prevention platform, which actually doesn't yet work with RBI but is something we'd like to do in H2.

HTTP Policies cannot be enforced in Clientless without TLS decryption being turned on.

@deadlypants1973 deadlypants1973 requested a review from cdisher April 17, 2025 16:21
cdisher
cdisher approved these changes Apr 18, 2025
View reviewed changes
Copy link
Contributor

@cdisher cdisher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@deadlypants1973 deadlypants1973 merged commit e482323 into production Apr 21, 2025
12 checks passed
@deadlypants1973 deadlypants1973 deleted the kate/fixes-cwi-tls branch April 21, 2025 10:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cdisher cdisher cdisher approved these changes

@caley-b caley-b caley-b approved these changes

@maxvp maxvp Awaiting requested review from maxvp maxvp is a code owner

@ranbel ranbel Awaiting requested review from ranbel ranbel is a code owner

Assignees

@maxvp maxvp

@ranbel ranbel

Labels
product:cloudflare-one size/xs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@deadlypants1973 @cdisher @caley-b @maxvp @ranbel