Configure Cloudflare Gateway for PTC

Configure Cloudflare Gateway to redirect package traffic to Artifactory for PTC.

Cloudflare Gateway Configuration Guide

Cloudflare Gateway is one of the SASE providers supported by Package Traffic Controller (PTC). Cloudflare Gateway TLS-inspects matching public registry traffic and redirects it to your Artifactory /package-reroute endpoint, so policy checks and logging happen in one governed path. Cloudflare owns the Gateway portal navigation and labels, which can vary by account and release. Use this as a workflow guide and confirm exact options in Cloudflare's documentation.

Complete Artifactory and workstation setup before activating Gateway policies. See Configure Artifactory for PTC and Configure Workstation for PTC. For the correct deployment sequence, see Deployment Sequence.


Prerequisites

Before you configure Cloudflare Gateway for PTC:

  1. Create a Cloudflare One user with a valid email address under Team & Resources > Users (URL path: /one/team-resources/users).
  2. Install the Cloudflare One Client on developer workstations. Download from Cloudflare One Client download.
  3. Install the Cloudflare certificate on each workstation. The certificate name and installation path differ per operating system. Follow Cloudflare's guide for automated certificate deployment.
  4. Configure Artifactory for PTC — complete Configure Artifactory for PTC before activating any Gateway redirect rules.

Step 1 — Enable TLS Inspection

Cloudflare Gateway must decrypt HTTPS traffic to apply redirect rules to package manager requests.

To enable TLS inspection:

Navigate to:

https://dash.cloudflare.com/<ACCOUNT_ID>/one/traffic-policies/traffic-settings

Where:

  • <ACCOUNT_ID>: Your Cloudflare account ID, visible in the Cloudflare dashboard URL.

Enable Inspect HTTPS requests with TLS decryption.

Note

Make sure the required package registry traffic is not bypassed in your firewall policies, as some policies may bypass inspection by default.


Step 2 — Create a Firewall Policy for npm

Create a Cloudflare Gateway firewall policy that intercepts npm registry traffic and redirects it to Artifactory.

To create the npm redirect policy:

Navigate to Traffic policies > Firewall policies > Add a policy and configure the following.

Conditions:

Field          Operator   Value
Traffic type   is         HTTP
HTTP Method    in         GET, HEAD
Host           in         registry.npmjs.org, registry.yarnpkg.com

Important — exclude POST: Do not include POST in the HTTP Method condition. Commands like npm audit send POST requests to the registry. Including POST breaks those commands.

Actions and settings:

Field                 Value
Then                  Redirect
Policy URL redirect   https://<YOUR_ARTIFACTORY_URL>/package-reroute

Enable Send policy context. Details are sent as a query string to Artifactory.


Step 3 — Create a Firewall Policy for PyPI

PyPI requires special handling because pypi.org hosts both the package index and the PyPI web UI. Redirecting every request for pypi.org would break the web UI, so the policy must restrict the redirect to the package index URL paths only.

To create the PyPI redirect policy:

Navigate to Traffic policies > Firewall policies > Add a policy and configure the following. Use either Method 1 (Visual Builder) or Method 2 (Wirefilter). They are equivalent.

Method 1 — Visual Builder

Configure two condition groups connected by Or:

Group 1 — pypi.org package index paths:

Field          Operator        Value
Traffic type   is              HTTP
HTTP Method    in              GET, HEAD
URL Path       matches regex   ^/(pypi|simple)(/.*)?$
Host           is              pypi.org

Or

Group 2 — Python package files:

Field          Operator   Value
Traffic type   is         HTTP
HTTP Method    in         GET, HEAD
Host           is         files.pythonhosted.org

Method 2 — Wirefilter

Switch to the Wirefilter tab and enter:

(
  http.request.method in {"GET" "HEAD"} and
  http.request.uri.path matches "^/(pypi|simple)(/.*)?$" and
  http.request.host == "pypi.org"
)
or
(
  http.request.method in {"GET" "HEAD"} and
  http.request.host == "files.pythonhosted.org"
)
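
The following is an added example, not code from JFrog or Cloudflare: an offline model of the two condition groups that shows which requests the policy would redirect and which it leaves alone (web UI pages, POST requests, look-alike paths). The sample URLs are constructed, and the model assumes Python's re module treats this pattern the same way as Gateway's regex engine.

```python
import re
from urllib.parse import urlsplit

# Offline model of the Step 3 conditions; nothing here talks to Cloudflare.
# Assumption: Python's `re` evaluates this pattern like Gateway's regex engine.
INDEX_PATH = re.compile(r"^/(pypi|simple)(/.*)?$")
REDIRECT_METHODS = {"GET", "HEAD"}


def pypi_policy_matches(method, url):
    """Return True when the request satisfies Group 1 or Group 2."""
    if method not in REDIRECT_METHODS:
        return False
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == "pypi.org":                       # Group 1: index paths only
        return INDEX_PATH.match(parts.path or "/") is not None
    return host == "files.pythonhosted.org"      # Group 2: package files


# Constructed sample requests (method, URL).
SAMPLES = [
    ("GET", "https://pypi.org/simple/requests/"),      # index page
    ("HEAD", "https://pypi.org/simple"),               # index root, no slash
    ("GET", "https://pypi.org/pypi/requests/json"),    # JSON metadata
    ("GET", "https://pypi.org/project/requests/"),     # web UI, must pass
    ("GET", "https://pypi.org/simplex/"),              # look-alike path
    ("POST", "https://pypi.org/simple/requests/"),     # method not in policy
    ("GET", "https://files.pythonhosted.org/packages/aa/bb/example-1.0.tar.gz"),
    ("GET", "https://pythonhosted.org/simple/requests/"),  # different host
]


def evaluate(samples=SAMPLES):
    """Return (method, url, redirected) for every sample request."""
    return [(m, u, pypi_policy_matches(m, u)) for m, u in samples]


if __name__ == "__main__":
    for method, url, hit in evaluate():
        print(f"{'REDIRECT' if hit else 'pass    '} {method:4} {url}")
```
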

Actions and settings (for both methods):

Field                 Value
Then                  Redirect
Policy URL redirect   https://<YOUR_ARTIFACTORY_URL>/package-reroute

Note

Hugging Face: If you redirect Hugging Face traffic through PTC, create a separate firewall policy for huggingface.co that uses GET only — do not include HEAD. Hugging Face requires GET-only routing across all SASE providers, including Cloudflare Gateway. See Docker, Hugging Face, and Other Types for Hugging Face setup details.

Verify End-to-End

After activating the Cloudflare Gateway redirect policies from Steps 2 and 3, make sure the Cloudflare One Client is running on the test workstation.

To verify end-to-end connectivity:

Run a test install with verbose logging:

npm install express --loglevel verbose

In the verbose output, look for GET requests going to your Artifactory hostname instead of registry.npmjs.org. You should see a line like:

npm http fetch GET 200 https://<YOUR_ARTIFACTORY_URL>/artifactory/api/npm/<REPO_KEY>/express 350ms

Where:

  • <YOUR_ARTIFACTORY_URL>: Your JFrog Platform URL (for example, acme.jfrog.io).
  • <REPO_KEY>: The name of your npm remote repository in Artifactory.

If you see your Artifactory hostname in the output, PTC is working. Cloudflare Gateway intercepted the request and rerouted it through Artifactory.
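
To run this check across many workstations instead of reading the output by eye, the following added example (not part of the JFrog guide) classifies each fetch line in saved verbose output as rerouted through Artifactory or sent directly to a public registry. The log lines are constructed, acme.jfrog.io is the guide's example hostname, and npm-remote is a placeholder repository key.

```python
import re
from urllib.parse import urlsplit

# Matches lines in the format shown in the guide:
#   npm http fetch GET 200 https://host/path 350ms
FETCH_LINE = re.compile(
    r"^npm http fetch (?P<method>[A-Z]+) (?P<status>\d{3}) (?P<url>\S+)")
PUBLIC_REGISTRIES = {"registry.npmjs.org", "registry.yarnpkg.com"}  # Step 2 hosts
REDIRECTED_METHODS = {"GET", "HEAD"}                                # Step 2 methods


def audit_fetches(log_text, artifactory_host):
    """Group fetch lines into rerouted / direct / other by destination host."""
    result = {"rerouted": [], "direct": [], "other": []}
    for line in log_text.splitlines():
        m = FETCH_LINE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        if host == artifactory_host.lower():
            bucket = "rerouted"
        elif host in PUBLIC_REGISTRIES:
            bucket = "direct"
        else:
            bucket = "other"
        result[bucket].append((m["method"], int(m["status"]), m["url"]))
    return result


def ptc_working(log_text, artifactory_host):
    """True if fetches reached Artifactory and no GET/HEAD went direct.

    Direct POST requests (for example npm audit) are expected, because the
    Step 2 policy deliberately excludes POST.
    """
    r = audit_fetches(log_text, artifactory_host)
    bypassed = [f for f in r["direct"] if f[0] in REDIRECTED_METHODS]
    return bool(r["rerouted"]) and not bypassed


# Constructed sample output; "npm-remote" is a placeholder repository key.
SAMPLE_LOG = """\
npm verbose cli node npm install express
npm http fetch GET 200 https://acme.jfrog.io/artifactory/api/npm/npm-remote/express 350ms
npm http fetch GET 200 https://acme.jfrog.io/artifactory/api/npm/npm-remote/accepts 41ms (cache miss)
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 120ms
"""

if __name__ == "__main__":
    print("PTC working:", ptc_working(SAMPLE_LOG, "acme.jfrog.io"))
```
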


Troubleshooting

SSL Error During npm Install

The Cloudflare certificate is not trusted. Check:

  1. The Cloudflare certificate is installed on the workstation (see Prerequisites).
  2. The NODE_EXTRA_CA_CERTS environment variable points to the correct certificate file (if you set it manually).
  3. The Cloudflare One Client is connected and TLS decryption is enabled.

Artifactory Hostname Not Appearing in Verbose Output

The request was not rerouted. Check:

  1. The Cloudflare One Client is connected and signed in.
  2. The firewall redirect policy is active and includes the correct registry hostnames.
  3. The policy HTTP Method condition includes GET and HEAD (not POST).
  4. Artifactory has been configured with the Package Reroute Config API for the relevant package type.

The npm Install Was Rerouted But Curation Blocked the Package

This is expected behavior when a JFrog Curation policy violation is detected. Check your Curation policy in Artifactory under Curation > Audit to understand why the package was blocked.


Frequently Asked Questions

This section provides answers to frequently asked questions.

Q: How do I create a firewall policy in Cloudflare Gateway for PTC?

A: Navigate to Traffic policies > Firewall policies > Add a policy, set traffic type to HTTP, add GET and HEAD as HTTP methods, specify the registry hostnames (such as registry.npmjs.org), and set the redirect URL to your Artifactory /package-reroute endpoint. See Step 2 — Create a Firewall Policy for npm for the full procedure.

Q: What happens if I include POST in the HTTP Method condition?

A: Including POST breaks commands like npm audit, which use POST to communicate with the registry. Configure your HTTP Method condition to include only GET and HEAD. See Step 2 — Create a Firewall Policy for npm for details.

Q: What is the difference between the Visual Builder and Wirefilter methods for PyPI?

A: Both methods produce an identical redirect policy. Visual Builder uses dropdown fields to configure condition groups, while Wirefilter accepts a raw filter expression. Use whichever your team prefers. See Step 3 — Create a Firewall Policy for PyPI for both approaches.

Q: What do I need to configure before activating Cloudflare Gateway redirect rules?

A: Complete three steps first: create a Cloudflare One user, install the Cloudflare One Client and certificate on workstations, and configure Artifactory for PTC using the Package Reroute Config API. See Prerequisites and Configure Artifactory for PTC.

Q: Does the Cloudflare Gateway redirect work for all package types supported by PTC?

A: You can create a separate firewall policy for each supported package type. This guide covers npm and PyPI. For Docker, Hugging Face, and other supported ecosystems, see Configuration by Package Type.

