Introduction
This feature is only available to Cloudflare Enterprise customers.
You can apply Gateway HTTP policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file. The PAC file contains a JavaScript function which instructs a browser to forward traffic to a proxy server instead of directly to the destination server. When end users visit a website, their browser will send the request to a Cloudflare proxy server associated with your account, to be filtered by Gateway.
You must use a PAC file instead of configuring the endpoint directly in the proxy configuration of the browser. This is because modern browsers still do not support HTTPS proxies without PAC files.
Prerequisites
You need to install the Cloudflare Root certificate on the device.
Instructions
The Cloudflare documentation states that you must use a PAC file to configure the browser proxy settings. It also states that this can be done using a Cloudflare Worker. However, it does not provide a complete Worker example. This post shows how to use a Cloudflare Worker to serve PAC files.
- Configure a proxy endpoint by going to Zero Trust > Gateway > Proxy Endpoints > Create endpoint.
- Create the project using Cloudflare Wrangler. Navigate to the directory where you would like to create the project and run `wrangler init proxypac`. Answer the prompts as follows:
  - git (Y/N)
  - package.json (Y)
  - Create Worker at /src/index.ts (Y)

  If you choose to manage it with git, create a `.gitignore` file at the root with `node_modules/` as the content so git does not track the `node_modules` directory.

  Wrangler will have generated a default worker template with the following structure.

  ```
  proxypac/
  |- src/
     |- index.ts
  |- package-lock.json
  |- package.json
  |- tsconfig.json
  |- wrangler.toml
  ```
- Add `account_id` and `workers_dev` to your `wrangler.toml` configuration file as shown below. `account_id` is the ID of the account associated with your zone. `workers_dev` enables the use of the *.workers.dev subdomain to test and deploy the Worker. Refer to Wrangler Configuration documentation.

  ```toml
  name = "proxypac"
  main = "src/index.ts"
  compatibility_date = "2022-11-18"

  account_id = "<your account id>"
  workers_dev = true
  ```
  `src/index.ts` is shown below.

  ```typescript
  // Bindings interface expected by the fetch signature (no bindings are used here).
  export interface Env {}

  // PAC template: the browser evaluates FindProxyForURL for every request.
  const pac = (subdomain: string) => `
  function FindProxyForURL(url,host)
  {
    // No proxy for private (RFC 1918) IP addresses (intranet sites)
    if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0")) {
      return "DIRECT";
    }

    // No proxy for localhost
    if (isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0")) {
      return "DIRECT";
    }

    // Proxy all
    return 'HTTPS ${subdomain}.proxy.cloudflare-gateway.com:443';
  }`

  export default {
    async fetch(
      request: Request,
      env: Env,
      ctx: ExecutionContext
    ): Promise<Response> {
      const url = new URL(request.url)
      // The first path segment, minus any extension, becomes the proxy endpoint
      // subdomain. It is taken from the URL as-is, without validation.
      const subdomain = url.pathname.slice(1).split('.')[0]
      return new Response(pac(subdomain), {
        headers: {
          'content-type': 'application/x-ns-proxy-autoconfig',
        },
      })
    },
  };
  ```
- Save and publish the Worker using `wrangler publish`. The Worker will be available at <yoursubdomain>.workers.dev.
- Add a Custom Domain to the Worker by going to Dashboard > Workers > Your Worker > Triggers > Custom Domains. Add your domain.
- You can now access your proxy PAC file by using `https://proxypac.<yourdomain>/<proxy endpoint>.pac`. E.g. https://proxypac.customdomain/24xmhc2b27.pac.
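
The Worker above copies the first path segment into the PAC script without checking it, so the requested URL decides which proxy host the browser is told to use. The following added example (not part of the original post; `ALLOWED_ENDPOINTS`, `PacResult`, `buildPac` and `resolvePac` are hypothetical names) serves a PAC file only for proxy endpoint subdomains on an explicit allowlist and answers 404 for anything else.

```typescript
// Added example; ALLOWED_ENDPOINTS, PacResult, buildPac and resolvePac are hypothetical names.
// Proxy endpoint subdomains created for this account. "24xmhc2b27" is the sample
// value from the post's example URL; replace it with your own.
const ALLOWED_ENDPOINTS: ReadonlySet<string> = new Set(["24xmhc2b27"]);

interface PacResult {
  status: number;
  headers: Record<string, string>;
  body: string;
}

// Same routing rules as the post's template, built only from a vetted subdomain.
function buildPac(subdomain: string): string {
  return `function FindProxyForURL(url, host) {
  // No proxy for private (RFC 1918) and loopback addresses
  if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
      isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
      isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Proxy everything else through the Gateway endpoint
  return "HTTPS ${subdomain}.proxy.cloudflare-gateway.com:443";
}
`;
}

// Map a request path such as "/24xmhc2b27.pac" to the response to send.
function resolvePac(pathname: string): PacResult {
  const match = /^\/([^/]+)\.pac$/.exec(pathname);
  // Exact allowlist membership: any other value never reaches the template.
  if (!match || !ALLOWED_ENDPOINTS.has(match[1])) {
    return { status: 404, headers: { "content-type": "text/plain" }, body: "Not found\n" };
  }
  return {
    status: 200,
    headers: {
      "content-type": "application/x-ns-proxy-autoconfig",
      "x-content-type-options": "nosniff",
    },
    body: buildPac(match[1]),
  };
}

// Wiring inside the Worker's fetch handler:
//   const r = resolvePac(new URL(request.url).pathname);
//   return new Response(r.body, { status: r.status, headers: r.headers });
```

Unlike the original handler, this version requires the `.pac` suffix and a single path segment.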