Allow only CloudFlare CA SSL for origin communication

I want to enable traffic from CloudFlare to my origin to use only CloudFlare CA based communication, and for CloudFlare not to trust any other CA.

Is this possible?

I am not sure if i got it right but setting your SSL Mode to "Full (Strict) and Cloudflare Origin Certificates should fit.

1 Like

Thanks for answering !

It will not help.

Since Cloudflare would also accept an origin that is using other CAs signed certificates. And I want cloudflare to trust just its own CA in the traffic to the origin.

Well then, another approach.

2 Likes

Yup https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/

Just note CF Authenticated Origin Pulls do not work with Cloudflare Railgun if you have/intend to use it.

1 Like

I know about “CF Authenticated Origin Pulls”.
But it is too permissive.

It allows both CF internal CA generated certificate AND any known CA certificate.

I don’t want to trust known CAs.

I want to trust only CloudFlare internal CA generated certificate.

Is there a way to do this?

I don’t think there is anyway. Might want to contact Cloudflare tech support via ticket system and ask.

Why not at origin server firewall level block all non-cloudflare traffic to your origin https://support.cloudflare.com/hc/en-us/articles/201897700-Whitelisting-Cloudflare-IP-addresses ?

1 Like

IP filtering is not strong enough for me.
Thanks - will open a ticket to CloudFlare tech support.

One other possibility with is an optional paid service is using Cloudflare Argo with Argo Tunneling https://www.cloudflare.com/en-au/products/argo-tunnel/

Cloudflare’s lightweight Argo Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center — all without opening any public inbound ports.

After locking down all origin server ports and protocols using your firewall, any request on HTTP/S ports are dropped, including volumetric DDoS attacks. Data breach attempts — such as snooping of data in transit or brute force login attacks — are blocked entirely.

Argo Tunnel lets you quickly secure and encrypt application traffic to any type of infrastructure, freeing you to focus on delivering great applications. Now you can encrypt origin traffic and hide your web server IP addresses so direct attacks can’t happen.

Learn more about the Argo Tunnel story

1 Like

ArgoTunnel is indeed interesting.
However it doesn’t support AWS load balancers that terminate TLS, nor does it support EC2 instances that don’t have internet connection (but the load balancer does).

And I am not sure it includes mutual TLS.

This topic was automatically closed after 30 days. New replies are no longer allowed.