Proxy
You can forward HTTP and network traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, GRE tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server.
The Gateway proxy is required for filtering HTTP and network traffic via the WARP client in Gateway with WARP mode. To proxy HTTP traffic without deploying the WARP client, you can configure PAC files on your devices.
Gateway uses the Happy Eyeballs algorithm ↗ to proxy traffic in the following order:
- The user's browser initiates the TCP handshake by sending Gateway a TCP SYN segment.
- Gateway sends a SYN segment to the origin server.
- If the origin server sends a SYN-ACK segment back, Gateway establishes separate TCP connections between the user and Gateway and between Gateway and the origin server.
- Gateway inspects and filters traffic received from the user.
- If the traffic passes inspection, Gateway proxies traffic bidirectionally between the user and the origin server.
flowchart TD %% Accessibility accTitle: How Gateway proxy works accDescr: Flowchart describing how the Gateway proxy uses the Happy Eyeballs algorithm to establish TCP connections and proxy user traffic. %% Flowchart A[User's device sends TCP SYN to Gateway] --> B[Gateway sends TCP SYN to origin server] B --> C{{Origin server responds with TCP SYN-ACK?}} C -->|Yes| E[TCP handshakes completed] C -->|No| D[Connection fails] E --> F{{Connection allowed?}} F -->|Yes| G[Gateway proxies traffic bidirectionally] F -->|No| H[Connection blocked by firewall policies] %% Styling style D stroke:#D50000 style G stroke:#00C853 style H stroke:#D50000
Gateway supports proxying TCP, UDP, and ICMP traffic.
When the proxy is enabled, Gateway will always forward TCP traffic.
By default, TCP connection attempts will timeout after 30 seconds and idle connections will disconnect after 8 hours.
The UDP proxy forwards UDP traffic such as VoIP, internal DNS requests, and thick client applications.
When the UDP proxy is enabled, Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to HTTP/3 inspection.
The ICMP proxy forwards traffic for diagnostic tools such as ping
and traceroute
.
To use the ICMP proxy with Cloudflare Tunnel, you may need to configure the cloudflared
host to allow ICMP traffic through cloudflared
.
-
Ensure that
ping_group_range
includes the Group ID (GID) of the user runningcloudflared
:a. Find the user that owns the
cloudflared
process:Terminal window ps -aux | grep cloudflaredjohndoe 407 0.8 1.7 1259904 35296 ? Ssl 21:02 0:00 /usr/bin/cloudflared --no-autoupdate tunnel run --token eyJhI...b. Get the Group ID of the
cloudflared
user:Terminal window id -g johndoe10001c. Determine the Group IDs that are allowed to use ICMP:
Terminal window sudo sysctl net.ipv4.ping_group_rangenet.ipv4.ping_group_range= 0 10000d. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update
ping_group_range
:Terminal window echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_rangee. To make the change persist on reboot, update your
systcl
parameters:Terminal window echo "net.ipv4.ping_group_range = 0 10001" | sudo tee -a /etc/sysctl.d/99-cloudflared.conf -
If you are running multiple network interfaces (for example,
eth0
andeth1
), configurecloudflared
to use the external Internet-facing interface:Terminal window cloudflared tunnel run --icmpv4-src <IP of primary interface>
In your environment, modify the ping_group_range
parameter to include the Group ID (GID) of the user running cloudflared
.
By default the cloudflared
Docker container ↗ executes as a user called nonroot
inside of the container. nonroot
is a specific user that exists in the base image ↗ we use, and its Group ID is hardcoded to 65532.
- In Zero Trust ↗, go to Settings > Network.
- In Firewall, turn on Proxy.
- Select TCP.
- (Optional) Depending on your use case, you can select UDP and/or ICMP.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark