Further Cloudflare Security – Authenticated Origin Pulls

Previously we posted about the importance of ensuring that all traffic to your website is actually going via Cloudflare (if you use Cloudflare in this way).

Quick recap, why is this so important?

Unless you ensure this is the case, a malicious actor could reach your content/website directly via your server IP address, bypassing Cloudflare entirely. Ensuring that only traffic via Cloudflare is accepted secures your web site or app, and it means that other Cloudflare tools (like Cloudflare Access, Workers etc.) work correctly and can be used to enhance your security.

So, Authenticated Origin Pulls

In plain English: Cloudflare presents a client certificate to your web server with every request, and your web server is configured so that a visitor is only allowed to load the web page if that certificate is presented and checks out. Your web server actually enforces this, so if traffic does not come via Cloudflare, it is rejected.

Limitation: you will only be able to configure this if you have full access to your web server (i.e. root access on a VPS, dedicated server etc.). A basic level of server administration knowledge is required.

Setup

There are 3 steps involved. I’ll provide an example below for NGINX; Apache is just as easy.

  1. In your Cloudflare dashboard enable Authenticated Origin Pulls (a quick link to this page in your account is here). Please note, enabling this now is a good idea: it gives Cloudflare the few minutes it needs to start sending its client certificate from all parts of their network. Until you start to enforce it (step 3) there will be no change or downtime on your web site.
  2. Download the certificate Cloudflare provides for this purpose. You can find it here. Save this to your server, a good location is:

    /etc/ssl/certs/cloudflare.crt

    (other locations are probably quite acceptable)
  3. Now update your NGINX configuration to use Authenticated Origin Pulls. Open the configuration file for your domain and add the following:

    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client on;

At this point, the moment you restart NGINX, your web server will ensure that only traffic via Cloudflare will be permitted.
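One thing to check after step 3: ssl_verify_client applies per server block (or is inherited from the enclosing http block), so any other server block listening on 443 in the same NGINX, such as a default_server catch-all, will still answer direct requests unless it carries the directive too. The audit script below is an added example, not part of the original post or of Cloudflare's tooling: it parses an NGINX configuration with a minimal parser and lists the TLS server blocks where ssl_verify_client is not on. SAMPLE_CONF and example.com are constructed.

```python
import re

def parse(text):
    """Tiny nginx config parser -> [(name, args, children)]; assumes no
    '#', ';', '{' or '}' characters inside quoted values."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0
    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            end = pos
            while tokens[end] not in ("{", ";"):
                end += 1
            words, pos = tokens[pos:end], end + 1        # skip ';' or '{'
            kids = block() if tokens[end] == "{" else None
            if kids is not None:
                pos += 1                                  # skip closing '}'
            items.append((words[0], words[1:], kids))
        return items
    return block()

def _get(items, name):
    """Effective value of simple directive `name` (last one wins), or None."""
    vals = [a for n, a, k in items if n == name and k is None]
    return vals[-1] if vals else None

def unprotected_tls_servers(text):
    """server_name of each TLS server block where ssl_verify_client is not
    'on', either set locally or inherited from the enclosing http block."""
    findings = []
    def walk(items, inherited):
        verify = _get(items, "ssl_verify_client") or inherited
        for name, _a, kids in items:
            if kids is not None and name != "server":
                walk(kids, verify)                        # e.g. the http block
            elif kids is not None:
                listens = [a for n, a, k in kids if n == "listen"]
                tls = any("ssl" in a or a[0].rsplit(":", 1)[-1] == "443" for a in listens)
                if tls and (_get(kids, "ssl_verify_client") or verify) != ["on"]:
                    findings.append(" ".join(_get(kids, "server_name") or ["(none)"]))
    walk(parse(text), None)
    return findings

SAMPLE_CONF = """http {   # constructed sample: a forgotten default vhost on 443
    server { listen 443 ssl default_server; server_name _; }
    server { listen 443 ssl; server_name example.com;
             ssl_client_certificate /etc/ssl/certs/cloudflare.crt; ssl_verify_client on; }
    server { listen 80; server_name example.com; }
}"""
```

Run unprotected_tls_servers on the contents of your real configuration (including any files pulled in via include) and fix every name it reports; the plain-HTTP block on port 80 is ignored because it never terminates TLS.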

Test

Test things by visiting your website directly via the IP address. You should see something like:

400 Bad Request

No required SSL certificate was sent

openresty

That’s it! A huge step in securing your server has now been completed. Any issues/questions please let us know in the comments below. Keep safe!

3 Comments

  1. […] PS If you wish to avail yourself of our services for things like this (securing your existing or new website, website hosting that ensures your site is always kept up to date and secure along with regular off-site backups (which we can automatically send to you each time) be sure to get in touch with us to find out more. Edit: For a simpler solution to this problem, but only if you have full server access, it is explained here: https://xyzuluhosting.com/further-cloudflare-security-authenticated-origin-pulls/ […]

  2. Chip August 15, 2022 at 11:07 pm - Reply

    Would this work with OpenLiteSpeed too?

    • Brad Baker August 16, 2022 at 6:50 am - Reply

      It won’t work on OLS yet as this isn’t something OLS supports... as yet.
