Authenticated Origin Pulls

Cloudflare Support
()
Follow

An origin pull happens whenever Cloudflare is unable to serve content from our network cache. Cloudflare enables origin pulls that are authenticated through a certificate validation process.

Overview

Cloudflare sits on the network between end-user web browsers and website origin servers.  Traffic goes from the web browser to Cloudflare.  Cloudflare fulfills the request from cache whenever. Otherwise, it goes back to the origin web server in a second connection.  This type of request is called an origin pull.

Browser to Cloudflare

The link between end-user web browsers and Cloudflare benefits from strong security technology -- strong ciphers, SSL with automatically provisioned certificates, and the public CA infrastructure which maps certificates to domain names.  Browsers validate the server certificate to ensure they're communicating with the correct web server.

Cloudflare to Origin Server

Authenticated Origin Pulls let origin web servers strongly validate that a web request is coming from Cloudflare.  We use TLS client certificate authentication, a feature supported by most web servers, and present a Cloudflare certificate when establishing a connection between Cloudflare and the origin server.  By validating this certificate in origin server configuration, access can be limited to Cloudflare connections.

Authenticated Origin Pulls is particularly important when taking advantage of the Cloudflare Web Application Firewall (WAF) security features.  By using Authenticated Origin Pulls with a restricted-to-Cloudflare configuration, websites can be sure all traffic has been processed by a state of the art Web Application Firewall.

 
Once Authenticated Origin Pulls are enforced by your origin server, any HTTPS requests outside of Cloudflare to your origin will fail including those to gray clouded records on Cloudflare.

TLS Handshake

Without Authenticated Origin Pulls, the TLS session between Cloudflare and the origin looks like:

Normal TLS handshake

With Authenticated Origin Pulls, connections look like:

Client authenticated TLS handshake

Installing on Apache and NGINX

 
Currently, the Authenticated Origin Pulls feature is incompatible with Railgun.

Click below to expand instructions for configuring TLS Authenticated Origin Pulls for either NGINX or Apache origin web servers:

Setting up Apache to use TLS Authenticated Origin Pulls
For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app, and update the origin web server SSL configuration. Download origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /path/to/origin-pull-ca.pem

Then add these lines to the SSL configuration for your origin web server:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem
Setting up NGINX to use TLS Authenticated Origin Pulls
For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app, and update the origin web server SSL configuration. Download origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /etc/nginx/certs/cloudflare.crt

Then add these lines to the SSL configuration for your origin web server:

    ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
    ssl_verify_client on;

Origin Pull Certificate

Cloudflare uses the following certificate authority to sign certificates for the Authenticated Origin Pull service:

Was this article helpful?
26 out of 33 found this helpful
Not finding what you need?
Ask the Community   Submit a request

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Popular questions: Why is my site slow, 522 errors, I'm expecting a spike in traffic

Powered by Zendesk