Hi guys,
I thought you might be able to help with this.
Our current setup is like this:
CF_TUNNEL_ENDPOINT [https] → [https] reverse_proxy_caddy (dockerized) [http] → [http] application
- TLS works without issues between CF_ENDPOINT and REVERSE_PROXY on the origin server using CF-signed certificates.
- however, when I try to enable Authenticated Origin Pulls I get this error on the reverse proxy side:
""msg":"http: TLS handshake error from 172.25.0.3:42888: tls: client didn't provide a certificate"}"
It looks like CF doesn't send the certificate via the tunnel?
Is there any way to make this work?
As for why it might be required… well, sometimes there are multiple applications sharing the same Docker network as the reverse proxy, and it's required that only CF is able to pull the content. Or is it unnecessarily complicated?
Thanks a lot
Attachments:
Caddy config file:
# origin certificate and key issued by Cloudflare (Origin CA)
tls /certs/cf_fullchain.pem /certs/cf_private.key {
    # mTLS: every client must present a certificate that chains to the trusted CA
    client_auth {
        mode require_and_verify
        # Cloudflare's Authenticated Origin Pull CA certificate
        trusted_ca_cert_file /certs/authenticated_origin_pull_ca.pem
    }
}
cf_fullchain.pem, cf_private.key - generated by CF
authenticated_origin_pull_ca.pem - downloaded from CF
If the client_auth section is commented out, everything works well.
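Added example, not part of the original post: Caddy is written in Go and its `require_and_verify` mode is crypto/tls's `RequireAndVerifyClientCert`, so the origin side can be reproduced locally with a constructed self-signed certificate (the `testCert` and `Probe` names are mine) to confirm that the config itself is right and that the log line quoted above is exactly what a connecting client that presents no certificate produces, while a client that does present one is accepted.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// testCert builds one throwaway self-signed cert used as trusted CA, origin cert and client cert at once (constructed demo material, not Cloudflare's CA).
func testCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "aop-demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA: true, BasicConstraintsValid: true, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}
// Probe runs one handshake against an origin configured like Caddy's `client_auth { mode require_and_verify }` and returns the origin-side handshake error (nil when the client cert was accepted).
func Probe(sendClientCert bool) error {
	cert, pool := testCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}) // require_and_verify + trusted_ca_cert_file
	if err != nil { return err }
	defer ln.Close()
	go func() { // connecting side, standing in for cloudflared
		ccfg := &tls.Config{RootCAs: pool}
		if sendClientCert {
			ccfg.Certificates = []tls.Certificate{cert}
		}
		if conn, err := tls.Dial("tcp", ln.Addr().String(), ccfg); err == nil {
			conn.Read(make([]byte, 1)) // with TLS 1.3 the origin's verdict only arrives after Dial returns
			conn.Close()
		}
	}()
	c, _ := ln.Accept() // origin side: this Handshake is what Caddy's "TLS handshake error" log reports
	defer c.Close()
	return c.(*tls.Conn).Handshake()
}
```

`Probe(false)` returns the "client didn't provide a certificate" error and `Probe(true)` returns nil, so if the origin logs that error the gap is on the connecting side (no client certificate offered), not in the Caddy config.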