Allow access for rule `cf.tls_client_auth.cert_verified` doesn’t work

Currently, we have protected which only allows access from our VPN IPs; all other IPs are disallowed.

We made a CF worker to proxy traffic to CF worker is under and it is publicly accessible.

We want to create a rule which would not only allow the VPN access but also allow the CF worker access.

I created a Client Certificates mTLS in and a rule to allow access if `cf.tls_client_auth.cert_verified`.

When I tried to access the with my mTLS, I still got rejected.

Not sure if mTLS can support my use case, but if not, is there anything else we can use to achieve this?

I found the solution.

I have to first add a host to the Client Certificates in SSL/TLS and then create an mTLS rule.

After that I can change the rule to be like

`ALLOW ( in {""} and cf.tls_client_auth.cert_verified)`

It worked.