Origin servers often need to strongly validate that a request is coming from one of their authorized clients. Using TLS client certificate authentication, Cloudflare will validate that a client presents a client certificate signed by the company’s root CA certificate when establishing a connection between a client and Cloudflare. By validating this certificate on each request, access can be limited to authorized client connections.
For an extra layer of security, the origin can optionally also authenticate that each request is coming from Cloudflare by using our Authenticated Origin Pulls feature, which can be toggled on in the Crypto section of the Cloudflare dashboard. In an Authenticated Origin Pull, Cloudflare presents a client certificate to the origin server during the TLS handshake, allowing the origin server to limit access to connections that carry a Cloudflare certificate. Cloudflare uses the following certificate authority to sign certificates for the Authenticated Origin Pull service: origin-pull-ca.pem
Another option to lock down traffic to Cloudflare is to limit access to connections established from Cloudflare IPs.
With TLS Client Auth, the client handshake with Cloudflare looks like this:
Options on invalid certificate:
On an invalid/missing client certificate, Cloudflare can either:
- Return an HTTP 403 Forbidden status
- Forward the request to the origin and mark the certificate as invalid in the CF-Client-Auth request header
CF-Client-Auth request header:
When TLS Client Auth is enabled, Cloudflare will forward information about the connection to the origin in the CF-Client-Auth request header.
The request header includes two parts: the status of the certificate (valid, invalid, or none, where ‘none’ is sent when the client certificate is missing) and the client certificate’s SKI (Subject Key Identifier).
CF-Client-Auth: status=valid; cert=6192e2d204fb79fbeb8e0492a506fbf0fc57ea52
A certificate may be marked as invalid if the certificate is signed by the incorrect certificate authority or if it is expired.
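As an added example (not Cloudflare's code), the following origin-side logic parses the CF-Client-Auth header described above and enforces an allowlist of client certificate SKIs. The allowlist is a constructed assumption containing the SKI from the sample header; the logic assumes the origin has already confirmed the connection came from Cloudflare (for example via Authenticated Origin Pulls), because the header is only meaningful on such connections.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed allowlist (hypothetical): SKIs of client certificates the origin
# accepts. The entry below is the SKI shown in the page's sample header.
ALLOWED_SKIS = {"6192e2d204fb79fbeb8e0492a506fbf0fc57ea52"}

# Status values Cloudflare sends in the CF-Client-Auth header.
KNOWN_STATUSES = ("valid", "invalid", "none")


@dataclass
class ClientAuth:
    status: str            # valid | invalid | none | missing | malformed
    cert_ski: Optional[str]  # lowercase hex SKI, or None if absent/unparseable


def parse_cf_client_auth(header_value: Optional[str]) -> ClientAuth:
    """Parse 'status=<s>; cert=<ski>' into a ClientAuth record."""
    if header_value is None:
        return ClientAuth("missing", None)
    fields = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    status = fields.get("status", "").lower()
    if status not in KNOWN_STATUSES:
        status = "malformed"
    ski = fields.get("cert")
    # Accept only hex; anything else is treated as no usable identifier.
    if ski is not None and not re.fullmatch(r"[0-9a-fA-F]+", ski):
        ski = None
    return ClientAuth(status, ski.lower() if ski else None)


def authorize(header_value: Optional[str],
              allowed=ALLOWED_SKIS) -> Tuple[int, str]:
    """Return (HTTP status, reason). Only a valid, allowlisted SKI passes."""
    auth = parse_cf_client_auth(header_value)
    if auth.status != "valid" or auth.cert_ski is None:
        return 403, f"client certificate {auth.status}"
    if auth.cert_ski not in allowed:
        return 403, "client certificate not on allowlist"
    return 200, "ok"
```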
You may specify custom JSON to return on a 403 error.
To tell Cloudflare to stop trusting a root CA certificate, delete that certificate from Cloudflare.
Who is TLS Client Auth available for?
TLS Client Auth is available for Enterprise Cloudflare customers.
Want to try it out?
We have TLS Client Auth set up on a test domain, at auth.pizza.
If you curl auth.pizza, you’ll get back a 403 and a custom JSON error, telling you that you are not authorized.
curl https://auth.pizza -H 'Accept: application/json'
However, if you download this certificate, pizza.pem, and curl the domain again using that certificate, you will be authenticated.
curl https://auth.pizza -H 'Accept: application/json' --cert pizza.pem