{"id":267,"date":"2026-03-04T00:00:00","date_gmt":"2026-03-04T00:00:00","guid":{"rendered":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/03\/04\/gateway-gateway-authorization-proxy-and-hosted-pac-files-open-beta\/"},"modified":"2026-03-04T00:00:00","modified_gmt":"2026-03-04T00:00:00","slug":"gateway-gateway-authorization-proxy-and-hosted-pac-files-open-beta","status":"publish","type":"post","link":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/03\/04\/gateway-gateway-authorization-proxy-and-hosted-pac-files-open-beta\/","title":{"rendered":"Gateway &#8211; Gateway Authorization Proxy and hosted PAC files (open beta)"},"content":{"rendered":"<p>The <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/resolvers-and-proxies\/proxy-endpoints\/#authorization-endpoint\">Gateway Authorization Proxy<\/a> and <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/resolvers-and-proxies\/proxy-endpoints\/#create-a-hosted-pac-file\">PAC file hosting<\/a> are now in open beta for all plan types.<\/p>\n<p>Previously, <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/resolvers-and-proxies\/proxy-endpoints\/#source-ip-endpoint\">proxy endpoints<\/a> relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/access-controls\/policies\/\">Cloudflare Access<\/a> authentication, verifying who a user is before applying Gateway filtering without installing the WARP client.<\/p>\n<p>This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.<\/p>\n<h4>Key capabilities<\/h4>\n<ul>\n<li><strong>Identity-aware proxy traffic<\/strong> \u2014 Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/traffic-policies\/identity-selectors\/\">identity-based policies<\/a> like &#8220;only the Finance team can access this accounting tool.&#8221;<\/li>\n<li><strong>Multiple identity providers<\/strong> \u2014 Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.<\/li>\n<li><strong>Cloudflare-hosted PAC files<\/strong> \u2014 Create and host <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/resolvers-and-proxies\/proxy-endpoints\/#create-a-hosted-pac-file\">PAC files<\/a> directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at <code>https:\/\/pac.cloudflare-gateway.com\/&lt;account-id&gt;\/&lt;slug&gt;<\/code> on Cloudflare&#8217;s global network.<\/li>\n<li><strong>Simplified billing<\/strong> \u2014 Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.<\/li>\n<\/ul>\n<h4>Get started<\/h4>\n<ol>\n<li>In <a href=\"https:\/\/one.dash.cloudflare.com\/\" target=\"_blank\">Cloudflare One<\/a>, go to <strong>Networks<\/strong> &gt; <strong>Resolvers &amp; Proxies<\/strong> &gt; <strong>Proxy endpoints<\/strong>.<\/li>\n<li><a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/resolvers-and-proxies\/proxy-endpoints\/#authorization-endpoint\">Create an authorization proxy endpoint<\/a> and configure Access policies.<\/li>\n<li><a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/resolvers-and-proxies\/proxy-endpoints\/#create-a-hosted-pac-file\">Create a hosted PAC file<\/a> or write your own.<\/li>\n<li><a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/resolvers-and-proxies\/proxy-endpoints\/#3b-configure-browser-to-use-pac-file\">Configure browsers<\/a> to use the PAC file URL.<\/li>\n<li><a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/team-and-resources\/devices\/user-side-certificates\/\">Install the Cloudflare certificate<\/a> for HTTPS inspection.<\/li>\n<\/ol>\n<p>For more details, refer to the <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/resolvers-and-proxies\/proxy-endpoints\/\">proxy endpoints documentation<\/a> and the <a href=\"https:\/\/blog.cloudflare.com\/gateway-authorization-proxy-identity-aware-policies\/\" target=\"_blank\">announcement blog post<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>The Gateway Authorization Proxy and PAC file hosting are now in open beta for all plan types. Previously, proxy endpoints relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with Cloudflare Access authentication, verifying who a user is before applying [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-267","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/comments?post=267"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/267\/revisions"}],"wp:attachment":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/media?parent=267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/categories?post=267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/tags?post=267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}