Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Enable Gateway proxy with PAC files

You can apply Gateway HTTP policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file. The PAC file contains a JavaScript function which instructs a browser to forward traffic to a proxy server instead of directly to the destination server. When end users visit a website, their browser will send the request to a Cloudflare proxy server associated with your account to be filtered by Gateway.

​​ Prerequisites

Install the Cloudflare certificate on your device.

​​ 1. Generate a proxy endpoint

You can generate a proxy endpoint on the Zero Trust dashboard or through the Cloudflare API.

Create a proxy endpoint (dashboard)
  1. In Zero Trust, go to Gateway > Proxy Endpoints.
  2. Select Create endpoint.
  3. Give your endpoint any name.
  4. Enter the public source IP address of your device(s) in CIDR notation. For example,
    • IPv4: (up to /26)
    • IPv6: 2601:645:4500:9c0:a945:f47c:23e9:a35b/128
  5. Select Save endpoint and confirm the endpoint creation.

Your Cloudflare proxy server domain is of the form:

Create a proxy endpoint (API)
  1. Run the following command:

    curl --request POST \
    --url<ACCOUNT_ID>/gateway/proxy_endpoints \
    --header 'X-Auth-Email: <EMAIL>' \
    --header 'X-Auth-Key: <API_KEY>' \
    --data '{"name": "any_name", "ips": ["<PUBLIC_IP>", "<PUBLIC_IP2>", "<PUBLIC_IP3>"]}'

    Replace <PUBLIC_IP> with the source IP address of your device in CIDR notation. For example,

    • IPv4: (up to ‘/25’)
    • IPv6: 2601:645:4500:9c0:a945:f47c:23e9:a35b/128 (up to ‘/109’)

    After running the command, you should see an output similar to

    "result": {
    "id": "d969d7bf-ec28-4291-9af0-86825f472c21",
    "name": "test",
    "created_at": "2022-03-02T10:57:18.094789Z",
    "updated_at": "2022-03-02T10:57:18.094789Z",
    "ips": [
    "subdomain": "3ele0ss56t"
    "success": true,
    "errors": [],
    "messages": []
  2. Note the subdomain value returned by the API. Your Cloudflare proxy server domain is of the form:


    In the example above, the subdomain is 3ele0ss56t and the proxy server domain is

​​ 2. Test your proxy server

  1. In Zero Trust, create an HTTP policy for testing purposes. For example:

    Selector Operator Value Action
    Domain in Block
  2. Verify that nothing is returned by a curl command:

    $ curl -4 -p -x

​​ 3. Create a PAC file

A PAC file is a text file that specifies which traffic should redirect to the proxy server.

Below is the default PAC file. You can customize the file and host it somewhere your browser can access, such as on an internal web server or on Cloudflare Workers.

function FindProxyForURL(url, host) {
// No proxy for private (RFC 1918) IP addresses (intranet sites)
if (
isInNet(dnsResolve(host), "", "") ||
isInNet(dnsResolve(host), "", "") ||
isInNet(dnsResolve(host), "", "")
) {
return "DIRECT";
// No proxy for localhost
if (isInNet(dnsResolve(host), "", "")) {
return "DIRECT";
// Proxy all
return "HTTPS";

​​ 4. Configure your browser

All major browsers support PAC files. You can configure individual browsers, or you can configure system settings that apply to all browsers on the device. Multiple devices can call the same PAC file as long as their source IP addresses were included in the proxy endpoint configuration.

The following example demonstrates the setup procedure for Firefox.

  1. In Firefox, go to Settings and scroll down to Network Settings.

    Going to Network Settings menu in Firefox

  2. Select Settings.

  3. Select Automatic proxy configuration URL.

  4. Enter the URL where your PAC file is hosted, for example

    Enter PAC file URL into Firefox

  5. Select OK. HTTP traffic from Firefox is now being filtered by Gateway.

​​ 5. Test your HTTP policy

You can test any supported HTTP policy, such as the example policy created in Step 2. When you go to in your browser, you should see the Gateway block page.

​​ Limitations

At this time, the agentless HTTP proxy does not support identity-based policies, mTLS authentication, or UDP traffic. To enforce HTTP policies for UDP traffic, you must disable QUIC in your users’ browsers.