Argo Tunnel and Authenticated Origin Pulls


#1

I have a question: does having an Argo Tunnel in place render Authenticated Origin Pulls for that domain unusable?
Does “cloudflared” present this certificate to the host? (https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem)

Cheers!


#2

Hello rayduxz,

Cloudflared initiates the request to your origin. Since it runs on your machine, we don’t present a client cert because it would require that cloudflared has access to the private key.

Joaquin


#3

Oh, that makes sense, haha.

Is it possible to make “cloudflared” show a custom certificate to the host? So I can only allow connections from it.


#4

Since cloudflared connects to your host, I’d suggest setting up a routing policy to only allow connections from the cloudflared instance to your origin server. It’s common to deploy cloudflared on the same host you’re proxying from and to disallow connections from anywhere but localhost.

Can you elaborate on your use case? What are you proxying and from where?

Joaquin


#5

My case is that there are other hostnames that need to be open to the world, so I wanted to restrict the Argo Tunnel one with a certificate. That’s what I had as a first thought, but as I see “cloudflared” doesn’t support this, a few nginx rules will do. Anyway, some extra security is always welcome.
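
Added example, not part of the original thread or Cloudflare's documentation: one way to write the nginx rules discussed in #4 and #5, keeping other hostnames public while the tunnel hostname accepts connections only from a cloudflared running on the same host. The hostnames, port 8080 and all file paths are assumptions chosen for illustration.

```nginx
# Constructed example: hostnames, ports and paths are placeholders.

# Public hostnames: still reachable from the internet.
server {
    listen 443 ssl default_server;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    root /var/www/public;
}

# Tunnel-only hostname: bound to loopback, so only processes on this
# host can connect. cloudflared is assumed to run on the same machine
# and to be pointed at http://127.0.0.1:8080.
server {
    listen 127.0.0.1:8080;
    server_name tunnel.example.com;

    # Second layer in case the listen address is widened later.
    allow 127.0.0.1;
    deny  all;

    root /var/www/internal;
}

# A request that arrives on the public listener with
# "Host: tunnel.example.com" does not match the block above, because
# that block is not bound to port 443; it falls through to the
# default_server and only ever sees the public content.
```

After `nginx -t` and a reload, `ss -ltn` should list port 8080 on 127.0.0.1 only. Any other local process can still reach that port, so this restricts by network path, not by client identity as a certificate would.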