cloudflare
diff --git a/‎src/content/docs/privacy-proxy/concepts/authentication.mdx‎
Lines changed: 161 additions & 0 deletions b/‎src/content/docs/privacy-proxy/concepts/authentication.mdx‎
Lines changed: 161 additions & 0 deletions
diff --git a/‎src/content/docs/privacy-proxy/concepts/deployment-models.mdx‎
Lines changed: 116 additions & 0 deletions b/‎src/content/docs/privacy-proxy/concepts/deployment-models.mdx‎
Lines changed: 116 additions & 0 deletions
diff --git a/‎src/content/docs/privacy-proxy/concepts/geolocation.mdx‎
Lines changed: 92 additions & 0 deletions b/‎src/content/docs/privacy-proxy/concepts/geolocation.mdx‎
Lines changed: 92 additions & 0 deletions
@@ -0,0 +1,161 @@
+---
+title: Authentication
+pcx_content_type: concept
+sidebar:
+  order: 3
+---
+
+Privacy Proxy requires clients to authenticate before proxying traffic. This page explains the supported authentication methods and when to use them.
+
+## Authentication methods
+
+Privacy Proxy supports two authentication methods:
+
+| Method | Use case | Privacy level |
+| -------- | ---------- | --------------- |
+| Pre-shared key (PSK) | Proof of concept, testing | Lower |
+| Privacy Pass tokens | Production deployments | Higher |
+
+---
+
+## Pre-shared key (PSK)
+
+Pre-shared keys provide a simple way to authenticate during development and proof-of-concept testing. Cloudflare provides a secret key that clients include in each request.
+
+### How it works
+
+Include the PSK in the `Proxy-Authorization` header:
+
+```http
+CONNECT example.com:443 HTTP/2
+Host: example.com
+Proxy-Authorization: Preshared <YOUR_PSK>
+```
+
+The proxy validates the key and allows the connection if it matches.
+
+### Limitations
+
+PSK authentication has limitations that make it unsuitable for production.
+
+- **Shared secret**: All clients use the same key, so you cannot revoke access for individual users.
+- **No rate limiting per user**: You cannot enforce per-user quotas or limits.
+- **Linkability**: The proxy can link all requests using the same PSK, which reduces user privacy.
+
+Use PSK only for testing. For production deployments, use [Privacy Pass tokens](#privacy-pass-tokens).
+
+---
+
+## Privacy Pass tokens
+
+[Privacy Pass](https://datatracker.ietf.org/wg/privacypass/about/) is a protocol that allows clients to authenticate without revealing their identity. Tokens are cryptographically unlinkable, meaning the proxy cannot correlate different requests from the same user.
+
+### How it works
+
+Privacy Pass uses a three-party architecture:
+
+- **Attester**: Verifies that the Client is a legitimate user (for example, has a valid account) and forwards token requests to the Issuer.
+- **Issuer**: Signs blinded tokens without learning which Client requested them.
+- **Origin (Privacy Proxy)**: Accepts tokens as proof of authorization.
+
+### Token issuance
+
+```
+┌──────────┐    1. Attestation request   ┌──────────┐
+│          │ ──────────────────────────▶ │          │
+│  Client  │                             │ Attester │
+│          │ ◀────────────────────────── │          │
+└──────────┘    2. Attestation OK        └──────────┘
+     │
+     │ 3. Blinded token request
+     ▼
+┌──────────┐    4. Forward request       ┌──────────┐
+│          │ ──────────────────────────▶ │          │
+│ Attester │                             │  Issuer  │
+│          │ ◀────────────────────────── │          │
+└──────────┘    5. Signed blinded token  └──────────┘
+     │
+     │ 6. Return to Client
+     ▼
+┌──────────┐
+│  Client  │  (unblinds and stores token)
+└──────────┘
+```
+
+The Client sends the token request through the Attester to maintain unlinkability. This ensures the Issuer cannot correlate token requests with specific attestation events or Client identities.
+
+### Token redemption
+
+```
+┌──────────┐    1. Present token         ┌──────────┐
+│          │ ──────────────────────────▶ │          │
+│  Client  │                             │  Privacy │
+│          │ ◀────────────────────────── │  Proxy   │
+└──────────┘    2. Connection OK         └──────────┘
+```
+
+The Privacy Proxy validates the token using the Issuer's public key. The proxy learns only that the token is valid, not who it was issued to.
+
+The token issuance process:
+
+1. The client proves their identity to the attester (for example, by signing in with an account).
+2. The attester confirms the client is valid.
+3. The client generates blinded tokens and sends them to the issuer.
+4. The issuer signs the blinded tokens and returns them.
+5. The client unblinds the tokens and stores them.
+
+When making a request:
+
+1. The client includes a token in the `Proxy-Authorization` header.
+2. The proxy verifies the token signature with the issuer's public key.
+3. The proxy allows the connection if the token is valid.
+
+Because tokens are blinded during issuance, the issuer cannot link tokens to specific issuance requests. The proxy sees only that a token is valid, not who it was issued to.
+
+### Token format
+
+Privacy Pass tokens are included in the `Proxy-Authorization` header using the `PrivateToken` scheme:
+
+```http
+CONNECT example.com:443 HTTP/2
+Host: example.com
+Proxy-Authorization: PrivateToken token=<base64-encoded-token>
+```
+
+### Set up Privacy Pass
+
+For production deployments using Privacy Pass:
+
+1. Choose an issuer. Cloudflare can operate a token issuer, or you can integrate with a third-party issuer.
+2. Configure attestation to define how clients prove their identity before receiving tokens.
+3. Distribute issuer configuration. Clients need the issuer's public key and endpoint to request tokens.
+
+[Contact us](https://www.cloudflare.com/lp/privacy-edge/) to configure Privacy Pass for your deployment.
+
+---
+
+## Authentication in double-hop deployments
+
+In [double-hop deployments](/privacy-proxy/concepts/deployment-models/#double-hop), authentication occurs at two levels:
+
+### User to Proxy A
+
+Proxy A (which you operate) authenticates users. Common methods include:
+
+- Account credentials (username/password, SSO)
+- Privacy Pass tokens issued by your infrastructure
+- Client certificates (mTLS)
+
+### Proxy A to Proxy B 
+
+Proxy B authenticates itself to Proxy A using TLS. Depending on your configuration, this can use:
+
+- Standard TLS certificates
+- Raw Public Key (RPK) TLS extension for reduced certificate overhead
+
+---
+
+## Related resources
+
+- [Privacy Pass Working Group](https://datatracker.ietf.org/wg/privacypass/about/) - IETF working group developing the Privacy Pass protocol.
+- [Supporting the latest version of the Privacy Pass protocol](https://blog.cloudflare.com/supporting-the-latest-version-of-the-privacy-pass-protocol/) - Cloudflare blog post on Privacy Pass implementation.
@@ -0,0 +1,116 @@
+---
+title: Deployment models
+pcx_content_type: concept
+sidebar:
+  order: 2
+---
+
+Privacy Proxy supports two deployment architectures: single-hop and double-hop. The right choice depends on your privacy requirements and operational preferences.
+
+## Single-hop
+
+In a single-hop deployment, Cloudflare operates the entire proxy infrastructure. Clients connect directly to Cloudflare's Privacy Proxy, which handles authentication, proxying, and egress.
+
+```
+┌────────┐      ┌─────────────────┐      ┌─────────────┐
+│ Client │ ───▶ │  Privacy Proxy  │ ───▶ │ Destination │
+│        │      │  (Cloudflare)   │      │   Server    │
+└────────┘      └─────────────────┘      └─────────────┘
+```
+
+### How it works
+
+1. The client establishes an HTTP/2 or HTTP/3 connection to the Cloudflare proxy endpoint.
+2. The client authenticates using Privacy Pass tokens or a pre-shared key.
+3. The client sends CONNECT requests to establish tunnels to destination servers.
+4. Cloudflare proxies traffic and selects egress IP addresses based on client geolocation.
+
+### Use cases
+
+Single-hop deployment works well when:
+
+- You want Cloudflare to manage the complete proxy infrastructure.
+- Your privacy model requires hiding client IP addresses from destinations, but not from the proxy operator.
+- You need a straightforward integration with minimal client-side changes.
+
+#### Example: Microsoft Edge Secure Network
+
+[Microsoft Edge Secure Network](https://blog.cloudflare.com/cloudflare-now-powering-microsoft-edge-secure-network/) uses single-hop deployment. The Edge browser connects directly to Cloudflare's Privacy Proxy, which handles authentication via Privacy Pass and proxies traffic to destination servers. Users get protection from network observers and destination servers without needing to configure additional infrastructure.
+
+---
+
+## Double-hop
+
+In a double-hop deployment, you operate the first proxy (Proxy A), and Cloudflare operates the second proxy (Proxy B). This creates stronger privacy separation because no single party sees both user identity and destination.
+
+```
+┌────────┐      ┌─────────────┐      ┌─────────────────┐      ┌─────────────┐
+│ Client │ ───▶ │   Proxy A   │ ───▶ │    Proxy B      │ ───▶ │ Destination │
+│        │      │    (You)    │      │  (Cloudflare)   │      │   Server    │
+└────────┘      └─────────────┘      └─────────────────┘      └─────────────┘
+```
+
+### How it works
+
+1. The client connects to Proxy A, which you operate.
+2. Proxy A authenticates the user and verifies they can use the service.
+3. Proxy A establishes a tunnel to Cloudflare's Proxy B, forwarding the client's CONNECT request.
+4. Proxy B connects to the destination and proxies traffic.
+5. Proxy B selects egress IPs based on geolocation provided by Proxy A.
+
+### Privacy separation
+
+The double-hop architecture ensures:
+
+| Information | Proxy A (you) | Proxy B (Cloudflare) |
+| ------------- | --------------- | ---------------------- |
+| Client IP address | Yes | No |
+| User account | Yes | No |
+| Destination server | Encrypted | Yes |
+| Request content | Encrypted | Encrypted |
+
+Proxy A knows who the user is but cannot see where they are going (the destination is encrypted). Proxy B knows the destination but not who is making the request. Neither party has the complete picture.
+
+### Use cases
+
+Double-hop deployment works well when:
+
+- You need stronger privacy guarantees where no single operator sees both identity and destination.
+- You want to maintain control over user authentication and account management.
+- Regulatory or compliance requirements mandate separation of user data.
+
+#### Example: iCloud Private Relay
+
+[iCloud Private Relay](https://blog.cloudflare.com/icloud-private-relay/) uses double-hop deployment. Apple operates the first-hop proxy, which authenticates users with their Apple ID and encrypts the destination. Cloudflare operates the second-hop proxy, which decrypts the destination and connects to the server. Apple knows who the user is but not where they browse. Cloudflare knows the destinations but not who is browsing.
+
+---
+
+## Comparison
+
+| Aspect | Single-hop | Double-hop |
+| -------- | ------------ | ------------ |
+| Infrastructure | Cloudflare only | You + Cloudflare |
+| Privacy separation | Proxy sees identity + destination | Split across two parties |
+| Operational complexity | Lower | Higher |
+| Authentication | Cloudflare-managed | You manage first-hop auth |
+| Use case | Browser VPNs, simple privacy | Maximum privacy separation |
+
+---
+
+## Choose a deployment model
+
+Consider these questions when selecting a deployment model:
+
+1. Who should manage user authentication?
+
+If you want Cloudflare to handle authentication, use single-hop. If you need control over user accounts, use double-hop.
+
+2. What are your privacy requirements?
+
+If your threat model requires that no single party sees both user identity and browsing activity, use double-hop.
+
+3. What operational capacity do you have?
+
+Double-hop requires you to operate and maintain a proxy. If you prefer a fully managed solution, use single-hop.
+
+[Contact us](https://www.cloudflare.com/lp/privacy-edge/) to discuss which deployment model fits your use case.
@@ -0,0 +1,92 @@
+---
+title: Geolocation
+pcx_content_type: concept
+sidebar:
+  order: 4
+---
+
+Privacy Proxy preserves user geolocation without exposing real IP addresses. This ensures location-based services work correctly while maintaining privacy.
+
+## Why geolocation matters
+
+Many online services use IP addresses to determine user location:
+
+- Search engines return locally relevant results.
+- Content providers enforce regional licensing restrictions.
+- E-commerce sites show local pricing and shipping options.
+- News sites display region-specific content.
+
+Traditional VPNs and proxies often break these services because traffic exits from data centers far from the user's actual location. Privacy Proxy solves this by selecting egress IP addresses that match the user's geographic region.
+
+## How geolocation works
+
+Privacy Proxy uses geohashes to preserve location without revealing precise coordinates.
+
+### Geohash encoding
+
+A [geohash](https://en.wikipedia.org/wiki/Geohash) is a compact representation of latitude and longitude. Geohashes use a hierarchical encoding where longer strings represent more precise locations:
+
+| Geohash length | Approximate area |
+| ---------------- | ------------------ |
+| 1 character | ~5,000 km |
+| 2 characters | ~1,250 km |
+| 3 characters | ~150 km |
+| 4 characters | ~40 km |
+| 5 characters | ~5 km |
+
+Privacy Proxy uses reduced-precision geohashes (typically four to five characters) to locate users to a city or region without pinpointing their exact location.
+
+### Egress IP selection
+
+When a client connects to Privacy Proxy:
+
+1. The client (or first-hop proxy in double-hop deployments) determines the user's approximate location.
+2. The client sends a geohash in the `sec-ch-geohash` header.
+3. Privacy Proxy validates the geohash and selects an egress IP address from a pool registered to that geographic area.
+4. Destination servers see the egress IP and geolocate the user to the correct region.
+
+### Geohash header format
+
+The `sec-ch-geohash` header includes the geohash and country code:
+
+```http
+sec-ch-geohash: xn76c-JP
+```
+
+The format is `<geohash>-<country_code>`. The country code helps resolve edge cases where geohashes span country borders.
+
+## Geolocation accuracy
+
+Cloudflare maintains egress IP pools in hundreds of cities worldwide. When you register egress IPs with geolocation databases, they map to specific locations.
+
+Privacy Proxy achieves:
+
+- **City-level accuracy** by default, so users get locally relevant search results.
+- **Country-level accuracy** as a fallback if city-level is not available.
+
+Users can opt for coarser geolocation (country and timezone only) if they prefer less precise location sharing.
+
+### The pizza test
+
+A simple way to verify geolocation accuracy is to search for "pizza near me" through the proxy. If results show pizza places in the user's actual city rather than a distant data center, geolocation is working correctly.
+
+## IPv6 and geolocation precision
+
+Privacy Proxy achieves better geolocation precision over IPv6. If your origin servers support IPv6 (AAAA DNS records), the proxy prefers IPv6 egress addresses, which are registered with greater geographic precision than IPv4 equivalents.
+
+To maximize geolocation accuracy for your users, ensure your services are reachable over IPv6.
+
+## Geolocation in double-hop deployments
+
+In [double-hop deployments](/privacy-proxy/concepts/deployment-models/#double-hop), Proxy A (which you operate) is responsible for determining and forwarding the geohash:
+
+1. Proxy A geolocates the client's IP address.
+2. Proxy A converts the location to a geohash with appropriate precision.
+3. Proxy A includes the geohash in the forwarded CONNECT request to Proxy B.
+4. Proxy B (Cloudflare) selects an egress IP based on the geohash.
+
+The geohash is cryptographically protected to prevent clients from spoofing their location.
+
+## Related resources
+
+- [Geo-egress: Improving WARP user experience on a larger network](https://blog.cloudflare.com/geoexit-improving-warp-user-experience-larger-network/) - How Cloudflare implements geolocation-aware egress.