
Update SSH for Access for Infrastructure dev docs #17415

Merged
merged 11 commits into from
Oct 22, 2024
Expand Up @@ -56,6 +56,8 @@ Certain protocols require configuring the server to trust connections through Ac

Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.

SSH with Access for Infrastructure also supports `scp` and `rsync` functions. At this time, `sftp` is not supported.

### Connect to different VNET

To connect to targets that are in different VNETS, users will need to [switch their connected virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) in the WARP client.
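Review bot: The added sentence "SSH with Access for Infrastructure also supports `scp` and `rsync` functions. At this time, `sftp` is not supported." needs a caveat for `scp` users: since OpenSSH 9.0 the `scp` client speaks the SFTP protocol by default, so on such clients `scp` may fail against a target where SFTP is unsupported unless the legacy protocol is forced with `scp -O`. Worth testing through Access and documenting here rather than letting readers discover it. Also, "functions" reads oddly for command names; "`scp` and `rsync`" alone is enough.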
Expand Up @@ -25,8 +25,9 @@ import { Tabs, TabItem, Badge, Render } from "~/components";
To connect your devices to Cloudflare:

1. [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices in Gateway with WARP mode.
2. Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your devices.
3. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
2. [Enable proxy mode for WARP](/cloudflare-one/connections/connect-networks/warp/warp-modes/#proxy-mode).
3. Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your devices.
4. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.

## 3. Route private network IPs through WARP
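Review bot: The new step 2 link `/cloudflare-one/connections/connect-networks/warp/warp-modes/#proxy-mode` sits under `connect-networks/`, while every other WARP link in this list (steps 1, 3 and 4) lives under `/cloudflare-one/connections/connect-devices/warp/`; please check that the path is not a typo for the `connect-devices/warp/` tree before merging. Separately, step 1 deploys WARP in "Gateway with WARP mode" and step 2 then says to "Enable proxy mode for WARP"; if proxy mode is an additional setting layered on top of Gateway with WARP mode, say so in step 2, otherwise the two steps read as asking for two different client modes.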

Expand Down Expand Up @@ -62,6 +63,10 @@ To generate a Cloudflare SSH CA and get its public key:
### Modify your SSHD config
<Render file="ssh/modify-sshd" />

:::note
For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600. "
:::

### Restart your SSH server
<Render file="ssh/restart-server" />
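Review bot: The note "the certificate file permissions must be set to 600. "" has a stray trailing double quote that will render on the page. It should also name which file is meant (the key file that the `<Render file="ssh/modify-sshd" />` step tells the reader to point sshd at) and give the command, e.g. `chmod 600 <path>`, because a reader on Amazon Linux 1 otherwise has to guess which file sshd is refusing to read and why.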

4 changes: 2 additions & 2 deletions src/content/partials/cloudflare-one/access/add-target.mdx
Expand Up @@ -11,12 +11,12 @@ To create a new target:

<Tabs>
<TabItem label="Dashboard">
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**.
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Targets**.
2. Select **Add a target**.
3. In **Target hostname**, enter a user-friendly name for the target resource. We recommend using the server hostname, for example `production-server`. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.
<Details header="Format restrictions">
- Case insensitive
- Contain no more than 255 characters
- Contain no more than 253 characters
- Contain only alphanumeric characters, `-`, or `.` (no spaces allowed)
- Start and end with an alphanumeric character
</Details>
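Review bot: The limit drops from 255 to 253 characters with no change to the surrounding text. 253 is the usual DNS hostname limit and fits the alphanumeric/`-`/`.` rules listed, but the paragraph above says target hostnames "are not used in DNS address resolution", so a one-line reason (or a link to the validation rule) would stop readers wondering whether 254 or 255 character names that were accepted before now fail.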
22 changes: 20 additions & 2 deletions src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx
Expand Up @@ -5,7 +5,7 @@

import { Render } from "~/components"

1. Make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers.
1. If you have not yet generated your Cloudflare SSH CA, make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers.

```bash
curl --request POST \
Expand All @@ -14,4 +14,22 @@ import { Render } from "~/components"
--header "X-Auth-Key: <API_KEY>"
```

2. Copy the `public_key` value returned in the response.
2. If you have already created your Cloudflare SSH CA or try the above and receive the error message, "access.api.error.gateway_ca_already_exists," modify the above command to a `GET` request instead.

```bash
curl --request GET \
"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
```

3. If you would like to use an API token instead of a Global API key, the token must have edit permissions for "Access: SSH Auditing" permissions. The `POST` or `GET` request should be modified to use the "Authorization: Bearer" value instead of "X-Auth-Key."

```bash
curl --request POST \
"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
--header "X-Auth-Email: <EMAIL>" \
--header "Authorization: Bearer <API_TOKEN>"
```

4. Copy the `public_key` value returned in the response.
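Review bot: In step 3 the bearer example keeps `--header "X-Auth-Email: <EMAIL>"` next to `--header "Authorization: Bearer <API_TOKEN>"`; the email header is not part of token authentication and should be dropped so readers do not think both are required. The phrase "edit permissions for "Access: SSH Auditing" permissions" repeats "permissions", and in step 2 the error name reads better as a code span, `access.api.error.gateway_ca_already_exists`, with the comma outside it. Since a scoped token is least privilege compared with a Global API key that grants full account access, consider presenting the token form as the primary option in step 1 rather than as an afterthought in step 3, and note that the `GET` fallback from step 2 applies to the token form as well.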