diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx index 84e6d70ae3f83d..5cc29e0bc28f10 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx @@ -7,13 +7,15 @@ sidebar: import { Details } from "~/components"; -Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to be deployed and traffic to be proxied over UDP with [TLS version 1.3](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). +Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#http3-traffic). -## Enable HTTP/3 inspection +## Turn on HTTP/3 inspection -To enable HTTP/3 inspection, turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for UDP: +Before you can inspect any HTTPS traffic, you must deploy a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to your devices and turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). To inspect HTTP/3 traffic, you must also turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for UDP. + +To turn on the Gateway proxy for UDP and TLS decryption: 1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. 2. In **Proxy and inspection**, turn on **Allow Secure Web Gateway to proxy traffic**. 
@@ -24,7 +26,7 @@ To enable HTTP/3 inspection, turn on the [Gateway proxy](/cloudflare-one/traffic Gateway can inspect HTTP/3 traffic from Mozilla Firefox and Microsoft Edge by establishing an HTTP/3 proxy connection. Gateway will then terminate the HTTP/3 connection, decrypt and inspect the traffic, and connect to the destination server over HTTP/2. Gateway can also inspect other HTTP applications, such as cURL. -If the UDP proxy is turned on in Cloudflare One, Google Chrome will cancel all HTTP/3 connections and retry them with HTTP/2, allowing you to enforce your HTTP policies. If the UDP proxy is turned off, HTTP/3 traffic from Chrome will bypass inspection. +If both the UDP proxy and TLS decryption are turned on in Cloudflare One, Google Chrome will cancel all HTTP/3 connections and retry them with HTTP/2, allowing you to enforce your HTTP policies. If either the UDP proxy or TLS decryption is turned off, HTTP/3 traffic from Chrome will bypass inspection. ## Exempt HTTP/3 traffic from inspection diff --git a/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx b/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx index 7840705c9bae22..c93a44b9a08b6c 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx 
@@ -37,7 +37,7 @@ By default, TCP connection attempts will timeout after 30 seconds and idle conne The UDP proxy forwards UDP traffic such as VoIP, [internal DNS requests](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/), and thick client applications. -When the UDP proxy is enabled, Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/http-policies/http3/). +For HTTP/3 traffic to be logged and filtered, you need to turn on both TLS decryption and the Gateway proxy for UDP so that Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/http-policies/http3/). ### ICMP
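Review bot: In the first http3.mdx hunk, renaming the heading from "Enable HTTP/3 inspection" to "Turn on HTTP/3 inspection" changes the generated anchor (`#enable-http3-inspection` becomes `#turn-on-http3-inspection`), so any existing links or redirects pointing at the old anchor will break; please check for inbound references and add a redirect if needed. The same hunk also drops the explicit TLS 1.3 requirement that the removed sentence carried ("proxied over UDP with TLS version 1.3"); the replacement only says "turn on TLS decryption", so consider keeping the version detail, for example "turn on TLS decryption (HTTP/3 requires TLS 1.3)", so readers still know why an older TLS configuration will not inspect HTTP/3.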
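Review bot: In the second http3.mdx hunk, the Chrome paragraph now makes inspection conditional on both the UDP proxy and TLS decryption, but the unchanged paragraph just above it ("Gateway can inspect HTTP/3 traffic from Mozilla Firefox and Microsoft Edge by establishing an HTTP/3 proxy connection...") still describes Firefox and Edge without stating the same two prerequisites; please clarify whether that dual requirement applies to all browsers or only to Chrome's fallback-to-HTTP/2 behaviour, so readers do not conclude that Firefox and Edge are inspected with only the UDP proxy on. Since the sentence "HTTP/3 traffic from Chrome will bypass inspection" describes a policy-bypass condition, it would also help to state plainly that in that state no HTTP policies are enforced and no HTTP logs are generated for that traffic, so administrators know what to check when expected events are missing.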
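Review bot: In the proxy.mdx hunk, the new sentence runs three clauses together ("For HTTP/3 traffic to be logged and filtered, you need to turn on both TLS decryption and the Gateway proxy for UDP so that Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection."); splitting it reads more clearly, for example "To log and filter HTTP/3 traffic, turn on both TLS decryption and the Gateway proxy for UDP. Gateway will then force all HTTP/3 traffic to HTTP/2 so that it can be inspected." It would also help to link "TLS decryption" here the same way the http3.mdx page does (`/cloudflare-one/traffic-policies/http-policies/tls-decryption/`), since this paragraph is now the place that introduces the second prerequisite, and to use the same term ("inspection") as the linked HTTP/3 page rather than switching between "logged and filtered" and "inspection" within one paragraph.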