Per-hostname
When you enable Authenticated Origin Pulls per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. You can use client certificates from your Private PKI to authenticate connections from Cloudflare.
First, follow the API instructions to upload a custom certificate to Cloudflare, but use the /origin_tls_client_auth/hostnames/certificates
endpoint.
In the API response, save the certificate id
since it will be required in step 4.
With the certificate installed, set up your origin web server to accept client certificates.
Check the examples below for Apache and NGINX or refer to your origin web server documentation - e.g. HAProxy ↗, Traefik ↗, Caddy ↗.
Apache example
For this example, you would have saved your certificate to /path/to/origin-pull-ca.pem
.
NGINX example
For this example, you would have saved your certificate to /etc/nginx/certs/cloudflare.crt
.
At this point, you may also want to enable logging on your origin so that you can verify the configuration is working.
Then, enable the Authenticated Origin Pulls feature as an option for your Cloudflare zone.
This step sets the TLS Client Auth to require Cloudflare to use a client certificate when connecting to your origin server.
To enable Authenticated Origin Pulls in the dashboard:
- Log in to your Cloudflare account ↗ and go to a specific domain.
- Go to SSL/TLS > Origin Server.
- For Authenticated Origin Pulls, switch the toggle to On.
To enable or disable Authenticated Origin Pulls with the API, send a PATCH
request with tls_client_auth
as the setting name in the URI path, and the value
parameter set to your desired setting ("on"
or "off"
).
Use the Cloudflare API to send a PUT
request to enable Authenticated Origin Pulls for specific hostnames.
If you had set up logging on your origin during step 2, test and confirm that Authenticated Origin Pulls is working.
Once you can confirm everything is working as expected for your specific origin setup, configure your origin to enforce the authentication.
Apache example
NGINX example
After completing the process, you can use curl
to send requests directly to your origin IPs, verifying that the requests fail due to certificate validation being enforced.
You can configure alerts to receive notifications before your AOP certificates expire.
Hostname-level Authenticated Origin Pulls Certificate Expiration Alert
Who is it for?Customers that upload their own certificate to use with hostname-level Authenticated Origin Pull (AOP) to secure connections from Cloudflare to their origin server. AOP certificate expiration notifications are sent 30 days and 14 days before the certificate expiry.
Other options / filtersNone.
Included withAuthenticated Origin Pull.
What should you do if you receive one?Upload a renewed certificate to use for hostname-level AOP.
Refer to Cloudflare Notifications for more information on how to set up an alert.