Authenticated Origin Pulls while using the ZeroTrust tunnels?

our current setup is like this:

CF_TUNNEL_ENDPOINT [https] → [https] reverse_proxy_caddy (dockerized) [http] → [http] application

  • TLS works without issues between CF_ENDPOINT and REVERSE_PROXY on the origin server using CF-signed certificates.
  • However, when I try to enable Authenticated Origin Pulls, I get this error on the reverse proxy side:
    "msg":"http: TLS handshake error from tls: client didn't provide a certificate"}

It looks like CF doesn't send the certificate via the tunnel?

Is there any way to make this work?

As for why it might be required… well, sometimes there are multiple applications sharing the same Docker network as the reverse proxy, and it's required that only CF is able to pull the content. Or is it unnecessarily complicated?

Caddy config file:

	tls /certs/cf_fullchain.pem /certs/cf_private.key {
		client_auth {
			# reject any client that presents no certificate, or one not signed by the trusted CA
			mode require_and_verify
			trusted_ca_cert_file /certs/authenticated_origin_pull_ca.pem
		}
	}

  • cf_fullchain.pem, cf_private.key - generated by CF
  • authenticated_origin_pull_ca.pem - downloaded from CF

If the client_auth section is commented out, everything works well.
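The following is an added example, not from the thread and not Cloudflare's or Caddy's own code. It reproduces in Python's stdlib ssl module what the `client_auth { mode require_and_verify }` block above enforces, so the three outcomes an origin can see are told apart: a client that presents no certificate at all (the situation behind the "client didn't provide a certificate" log line), a client whose certificate was issued by an unrelated CA, and a client whose certificate chains to the CA the origin trusts. It assumes the `openssl` command-line tool is installed and mints throw-away test CAs and leaf certificates, which stand in for the CF-issued origin certificate and for authenticated_origin_pull_ca.pem; the CA names, file names and function names are the example's own. It shows only what the origin's verifier accepts or rejects once a peer connects, not what cloudflared sends through the tunnel.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed OpenSSL config so the CA/leaf extensions are explicit and do not
# depend on whatever the system openssl.cnf contains.
OPENSSL_CNF = """\
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
"""

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_ca(d, name):
    """Self-signed test CA; stands in for authenticated_origin_pull_ca.pem."""
    key, crt = os.path.join(d, name + ".key"), os.path.join(d, name + ".crt")
    _openssl("req", "-x509", "-config", os.path.join(d, "openssl.cnf"),
             "-extensions", "v3_ca", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=" + name, "-keyout", key, "-out", crt)
    return key, crt

def make_leaf(d, name, ca_key, ca_crt):
    """Leaf cert issued by the given CA; usable as server or client cert."""
    cnf = os.path.join(d, "openssl.cnf")
    key, csr, crt = (os.path.join(d, name + ext) for ext in (".key", ".csr", ".crt"))
    _openssl("req", "-new", "-config", cnf, "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=" + name, "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-days", "1", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-extfile", cnf, "-extensions", "v3_leaf", "-out", crt)
    return key, crt

def serve_once(srv_key, srv_crt, trusted_ca, listener, outcome):
    """Accept one connection and demand a client cert chaining to trusted_ca,
    which is what Caddy's `mode require_and_verify` does. Appends the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client cert at all -> handshake fails
    ctx.load_verify_locations(trusted_ca)        # cert from another CA -> fails too
    ctx.load_cert_chain(srv_crt, srv_key)
    raw, _ = listener.accept()
    try:
        with ctx.wrap_socket(raw, server_side=True) as tls:
            cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
            tls.sendall(("ok " + cn).encode())
            outcome.append("ok")
    except OSError as e:                          # ssl.SSLError is an OSError
        outcome.append(getattr(e, "reason", None) or type(e).__name__)
    finally:
        raw.close()

def connect(port, trusted_ca, client_key=None, client_crt=None):
    """Client that may or may not present a certificate; returns what it saw."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # test server cert carries no SAN
    ctx.load_verify_locations(trusted_ca)
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)
    try:
        with ctx.wrap_socket(socket.create_connection(("127.0.0.1", port), timeout=10)) as tls:
            data = tls.recv(64)
            return data.decode() if data else "rejected: closed"
    except OSError as e:
        return "rejected: " + (getattr(e, "reason", None) or type(e).__name__)

def run_demo():
    """Run three clients against the mTLS server; returns {case: (server view, client view)}."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "openssl.cnf"), "w") as f:
            f.write(OPENSSL_CNF)
        ca_key, ca_crt = make_ca(d, "origin-pull-ca")      # the CA the origin trusts
        other_key, other_crt = make_ca(d, "unrelated-ca")  # hypothetical rogue CA
        srv_key, srv_crt = make_leaf(d, "server", ca_key, ca_crt)
        good_key, good_crt = make_leaf(d, "good-client", ca_key, ca_crt)
        bad_key, bad_crt = make_leaf(d, "bad-client", other_key, other_crt)
        cases = {"no_cert": (None, None), "wrong_ca": (bad_key, bad_crt),
                 "trusted_ca": (good_key, good_crt)}
        results = {}
        for name, (ck, cc) in cases.items():
            listener = socket.create_server(("127.0.0.1", 0))
            seen = []
            t = threading.Thread(target=serve_once, args=(srv_key, srv_crt, ca_crt, listener, seen))
            t.start()
            client_view = connect(listener.getsockname()[1], ca_crt, ck, cc)
            t.join()
            listener.close()
            results[name] = (seen[0] if seen else "server error", client_view)
        return results
```

Calling `run_demo()` returns the server-side and client-side view for each case: the server records `PEER_DID_NOT_RETURN_A_CERTIFICATE` for the client that sent nothing, `CERTIFICATE_VERIFY_FAILED` for the one signed by the unrelated CA, and `ok` for the one chained to the trusted CA, while the two rejected clients only ever see a TLS alert or a closed connection. A proxy in require_and_verify mode therefore gives the operator a precise origin-side reason, which is the log line to read when deciding whether the peer presented nothing or presented the wrong thing.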

I also have the same issue… it would be great if someone could give a hint.