In the following Cloudflare documentation it mentions the following.
“Although Cloudflare provides you a certificate to easily configure zone-level authenticated origin pulls, this certificate is not exclusive to your account and only guarantees that a request is coming from the Cloudflare network.”
What is the actual exposure surface here and is there a way I can test this scenario?
It seems like the documentation is suggesting another malicious Cloudflare user can somehow bypass the mTLS with a Full (Strict) setup?
If so, how can I simulate it?
I want to try to add extra protections into my Origin Server if there is a legitimate risk here.
You can try unproxying the hostname that you configured with origin pull mTLS. If it’s configured correctly, requests to your origin should fail because no mTLS certificate is presented when the origin asks for it and the request is not coming from the Cloudflare network.
If you use the Cloudflare certificate, then only Cloudflare will be able to connect to your origin, but that means any user could still create a DNS record for a domain in their own account, enable AOP, and point it at your server. They could lower the Cloudflare security settings on this domain, then attack their own domain, which will then go to your origin.
Using this setup is only useful if, for example, you use shared hosting but can’t configure the firewall to block non-Cloudflare IPs. If you already do that then AOP with Cloudflare’s certificate doesn’t offer anything additional.
If you use your own certificate, connections to your origin from Cloudflare via another domain will be rejected by your server during the handshake so it confirms the request is only from Cloudflare and only from a zone you control.
The certificate generation and upload can be confusing for some people so starting with the Cloudflare certificate as a first step can be useful to ensure you can get that far, before moving over to your own cert.