[Privacy Gateway] onboarding guide #18646
Open
+323
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Deploying cloudflare-docs with
|
| Latest commit: |
dad28d4
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ec952220.cloudflare-docs-7ou.pages.dev |
| Branch Preview URL: | https://kate-fixes-pgg.cloudflare-docs-7ou.pages.dev |
![hyperlint-ai[bot]](https://avatars.githubusercontent.com/in/718456?s=60&v=4){kind=small}
| - **Privacy Proxy**: The HTTP CONNECT-based proxy service running on Cloudflare’s edge. This service validates the PAT passed by the client, enforces any double spend prevention necessary for the token. The service handles proxying of the wrapped HTTP request, as well as selection of the egress path and IP. | ||
| - **Origin**: The external (target) website for the end-user request. | ||
|
|
||
| DNS resolution uses [Cloudflare’s public resolver (1.1.1.1)](/1.1.1.1/) infrastructure for name resolution. |
There was a problem hiding this comment.
Suggested change
| DNS resolution uses [Cloudflare’s public resolver (1.1.1.1)](/1.1.1.1/) infrastructure for name resolution. | |
| DNS resolution uses [Cloudflare's public resolver (1.1.1.1)](/1.1.1.1/) infrastructure for name resolution. |
Issues:
- Style Guide - (cloudflare.NonStandardQuotes-warning) Use standard single quotes or double quotes only. Do not use any of the following quote mark types: ‘ ’ “ ”. In the text, we found this character: ’
Fix Explanation:
The non-standard single quote ’ should be replaced with the standard single quote ' to comply with the style guide. This change ensures consistency and adherence to the style guidelines.
deadlypants1973
commented
Dec 12, 2024
| ## System overview | ||
|
|
||
| The Cloudflare Privacy Proxy consists of a generic HTTPS CONNECT (and CONNECT-UDP ) proxy. | ||
| These may be used to ensure that knowledge of sensitive user information leaked in web traffic is not only available to those that need it to function. |
There was a problem hiding this comment.
Suggested change
| These may be used to ensure that knowledge of sensitive user information leaked in web traffic is not only available to those that need it to function. | |
| These proxies ensure sensitive user information in web traffic is only accessible to those requiring it for functionality. |
| The Cloudflare Privacy Proxy consists of a generic HTTPS CONNECT (and CONNECT-UDP ) proxy. | ||
| These may be used to ensure that knowledge of sensitive user information leaked in web traffic is not only available to those that need it to function. | ||
|
|
||
| A high level overview of the system is shown below. Control plane services are shown in orange, whereas dataplane services are shown in blue. |
There was a problem hiding this comment.
Suggested change
| A high level overview of the system is shown below. Control plane services are shown in orange, whereas dataplane services are shown in blue. | |
| A high-level overview of how the the Prixacy Proxy works is shown below. Control plane services are shown in orange. Dataplane services are shown in blue. |
| The following components comprise the Privacy Proxy system: | ||
|
|
||
| - **Client**: The end-user making HTTP requests via the Privacy Proxy from within a web browser and/or other supported client. | ||
| - **Attester**: The client-facing service that authenticates the validity of end-user accounts, validates entitlements, and requests a PAT from the issuer on behalf of the end-user. Not operated by Cloudflare. |
There was a problem hiding this comment.
Suggested change
| - **Attester**: The client-facing service that authenticates the validity of end-user accounts, validates entitlements, and requests a PAT from the issuer on behalf of the end-user. Not operated by Cloudflare. | |
| - **Attester**: The client-facing service that authenticates the validity of end-user accounts, validates entitlements, and requests a Private Access Token (PAT) from the issuer on behalf of the end user. Not operated by Cloudflare. |
|
|
||
| - **Client**: The end-user making HTTP requests via the Privacy Proxy from within a web browser and/or other supported client. | ||
| - **Attester**: The client-facing service that authenticates the validity of end-user accounts, validates entitlements, and requests a PAT from the issuer on behalf of the end-user. Not operated by Cloudflare. | ||
| - **Privacy API**: Cloudflare service that issues PATs to the client for redemption against the Privacy Proxy service. This service mints Private Access Tokens (PATs) using the RSA blind signature protocol. |
There was a problem hiding this comment.
Suggested change
| - **Privacy API**: Cloudflare service that issues PATs to the client for redemption against the Privacy Proxy service. This service mints Private Access Tokens (PATs) using the RSA blind signature protocol. | |
| - **Privacy API**: Cloudflare service that issues PATs to the client for redemption against the Privacy Proxy service. Cloudflare Privacy Proxy mints Private Access Tokens (PATs) using the RSA blind signature protocol. |
| - **Client**: The end-user making HTTP requests via the Privacy Proxy from within a web browser and/or other supported client. | ||
| - **Attester**: The client-facing service that authenticates the validity of end-user accounts, validates entitlements, and requests a PAT from the issuer on behalf of the end-user. Not operated by Cloudflare. | ||
| - **Privacy API**: Cloudflare service that issues PATs to the client for redemption against the Privacy Proxy service. This service mints Private Access Tokens (PATs) using the RSA blind signature protocol. | ||
| - **Privacy Proxy**: The HTTP CONNECT-based proxy service running on Cloudflare’s edge. This service validates the PAT passed by the client, enforces any double spend prevention necessary for the token. The service handles proxying of the wrapped HTTP request, as well as selection of the egress path and IP. |
There was a problem hiding this comment.
Suggested change
| - **Privacy Proxy**: The HTTP CONNECT-based proxy service running on Cloudflare’s edge. This service validates the PAT passed by the client, enforces any double spend prevention necessary for the token. The service handles proxying of the wrapped HTTP request, as well as selection of the egress path and IP. | |
| - **Privacy Proxy**: The HTTP CONNECT-based proxy service running on Cloudflare's edge. Privacy Proxy validates the PAT passed by the client, enforces any double spend prevention necessary for the token. Privacy Proxy handles proxying of the wrapped HTTP request, as well as selection of the egress path and IP. |
@mari the second sentence seems incomplete, is there supposed to be an "and" after "client," and before "enforces"?
|
|
||
| This gets the token configuration for a region. | ||
|
|
||
| - In this case, we want the API to select the region automatically, so we must also include the X-Forwarded-For HTTP request header including the client IP for handling the region lookup. |
There was a problem hiding this comment.
Suggested change
| - In this case, we want the API to select the region automatically, so we must also include the X-Forwarded-For HTTP request header including the client IP for handling the region lookup. | |
| - In this case, you want the API to select the region automatically, so you must also include the `X-Forwarded-For` HTTP request header including the client IP for handling the region lookup. |
| This gets the token configuration for a region. | ||
|
|
||
| - In this case, we want the API to select the region automatically, so we must also include the X-Forwarded-For HTTP request header including the client IP for handling the region lookup. | ||
| - The “ _auto ” region indicates that the Privacy Proxy should use the (client; leftmost) IP address in the X-Forwarded-For HTTP request header shall be used for region selection by the edge service. |
There was a problem hiding this comment.
Suggested change
| - The “ _auto ” region indicates that the Privacy Proxy should use the (client; leftmost) IP address in the X-Forwarded-For HTTP request header shall be used for region selection by the edge service. | |
| - The `_auto` region indicates that the Privacy Proxy should use the (client; leftmost) IP address in the `X-Forwarded-For` HTTP request header shall be used for region selection by the edge service. |
@mari sentence seems wrong after "HTTP request header"
|
|
||
| ::: | ||
|
|
||
| - This request may specify the desired quota management policy in an HTTP header, “Sec-Quota-Policy”, which is an integer value of either 1, 2, or 3 for single-use unlimited bandwidth, single-use limited bandwidth, and multi-use limited bandwidth, respectively. |
There was a problem hiding this comment.
Suggested change
| - This request may specify the desired quota management policy in an HTTP header, “Sec-Quota-Policy”, which is an integer value of either 1, 2, or 3 for single-use unlimited bandwidth, single-use limited bandwidth, and multi-use limited bandwidth, respectively. | |
| - This request may specify the desired quota management policy in an HTTP header, `Sec-Quota-Policy`, which is an integer value of either `1`, `2`, or `3` for single-use unlimited bandwidth, single-use limited bandwidth, and multi-use limited bandwidth, respectively. |
| ``` | ||
|
|
||
| - `requests` field is a list of byte arrays for signing, which are encoded into base 64 strings. Each request is the output of the [corresponding client blind signature operation](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures#section-5.1.1). | ||
| - `key_id` is a 32-byte key ID that identifies the key used to produce the signature (details are at https://tfpauly.github.io/privacy-proxy/draft-privacy-token.html). This is generated as SHA256(`token_key`), this is used by the server to determine which token key the client is using. |
There was a problem hiding this comment.
Suggested change
| - `key_id` is a 32-byte key ID that identifies the key used to produce the signature (details are at https://tfpauly.github.io/privacy-proxy/draft-privacy-token.html). This is generated as SHA256(`token_key`), this is used by the server to determine which token key the client is using. | |
| - `key_id` is a 32-byte key ID that identifies the key used to produce the signature (details are at https://tfpauly.github.io/privacy-proxy/draft-privacy-token.html). This is generated as SHA256(`token_key`), this is used by the server to determine which token key the client is using. |
@mari are both instances of "this" refererring to key_id as the proper noun? If so, I will change "this" to key_id.
|
|
||
| If `key_id` is invalid, the response status code is `404`. | ||
|
|
||
| If one of the strings in the requests field is not correctly encoded base 64 string, the response status code is `400`. |
There was a problem hiding this comment.
Suggested change
| If one of the strings in the requests field is not correctly encoded base 64 string, the response status code is `400`. | |
| If one of the strings in the `requests` field is not correctly encoded base 64 string, the response status code is `400`. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
14563
Summary
adding privacy proxy onboarding guide
Documentation checklist