Get started
This guide walks you through connecting to Privacy Proxy and verifying that traffic is proxied correctly.
Privacy Proxy is a managed service. Before you can connect, Cloudflare will provision an endpoint and provide you with:
- Proxy endpoint URL: The hostname for your Privacy Proxy instance (for example,
https://your-proxy.example.com). - Pre-shared key (PSK): A secret key for proof-of-concept authentication.
- Egress IP ranges: The IP addresses that destination servers will see for proxied traffic.
Contact us ↗ to request access and receive your configuration details.
Privacy Proxy accepts connections over HTTP/2 and HTTP/3 using the HTTP CONNECT method. Because Privacy Proxy requires authentication headers, you cannot configure browsers to connect directly. Instead, use one of the following approaches:
For quick tests, use curl with the --proxy and --proxy-header flags to pass authentication directly:
curl -v \ --proxy https://your-proxy.example.com \ --proxy-header "Proxy-Authorization: Preshared <YOUR_PSK>" \ https://example.comChaussette is a local SOCKS5 proxy that handles authentication and forwards requests to Privacy Proxy.
-
Start Chaussette with your PSK and proxy endpoint:
Terminal window MASQUE_PRESHARED_KEY=<YOUR_PSK> chaussette \--listen 127.0.0.1:1987 \--proxy https://your-proxy.example.com:443 -
Configure your browser to use the local SOCKS5 proxy:
Terminal window google-chrome --proxy-server="socks5://127.0.0.1:1987"
To confirm that traffic is routing through Privacy Proxy, check your apparent IP address:
curl -v \ --proxy https://your-proxy.example.com \ --proxy-header "Proxy-Authorization: Preshared <YOUR_PSK>" \ https://cloudflare.com/cdn-cgi/traceThe response includes connection metadata. Look for the ip field, which should show a Cloudflare egress IP address rather than your real IP.
fl=123f456h=cloudflare.comip=162.159.xxx.xxxts=1234567890.123visit_scheme=httpsuag=curl/8.0.0colo=SJChttp=http/2loc=UStls=TLSv1.3The ip value confirms the egress IP address used by the proxy.
Privacy Proxy preserves user geolocation by selecting egress IP addresses based on the client's location. You can specify a geohash to test this behavior:
curl -v \ --proxy https://your-proxy.example.com \ --proxy-header "Proxy-Authorization: Preshared <YOUR_PSK>" \ --proxy-header "sec-ch-geohash: xn76c-JP" \ https://cloudflare.com/cdn-cgi/traceThe sec-ch-geohash header provides a geohash ↗ that the proxy uses to select an appropriate egress IP. The format is <geohash>-<country_code>.
The response should show a loc value corresponding to the geohash region.
- Learn about deployment models to understand single-hop versus double-hop architectures.
- Review authentication methods for production deployments using Privacy Pass.
- Configure observability to monitor proxy traffic with OpenTelemetry.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
