Authenticated origin pulls with cloudways

I’m trying to set up Authenticated origin pulls. My host cloudways provides the following instruction: How to Configure Cloudflare Origin Certificate | Cloudways Help Center
They write about the importance of Authenticated origin pulls and there is the Step #7 — Enabling Authenticated Origin Pulls, which guides to switch it on in the Cloudflare dashboard.
I followed this guide step by step; the encryption mode is Full (strict) and Authenticated origin pulls is now switched on. Then I tried to test whether Authenticated origin pulls are working correctly, following this recommendation for testing it: security - How to check if Authenticated Origin Pulls is enabled? - Stack Overflow
The result: even with Authenticated origin pulls switched off, I do not get a certificate error as expected. Based on that, I assumed that there must be something wrong. I got in contact with cloudways and asked them if there is something missing (e.g. a server setting) to enable the authenticated origin pulls (I also forwarded the following: Set up authenticated origin pulls · Cloudflare SSL/TLS docs), and furthermore I asked them if following the above mentioned cloudways guide (like I did) prevents bypassing the Cloudflare WAF. The answer was that I “should be protected from bypassing” by following the cloudways guide. In my opinion, this cannot be true and the cloudways guide is confusing and incorrect. Could someone please provide clarity? In case additional server settings are needed: the stack is nginx as a reverse proxy in front of apache - so do they have to change the nginx config or the apache config? Or could it even be set in .htaccess?

May I ask have you allowed only Cloudflare IPs to access your site over considered ports (443 for SSL for example)?

In this kind of a setup, I have to admit I never understand which one is the “real worker” here? Nginx or Apache? :smiley:

Therefore, using Nginx, you should save the Authenticated Origin Pull certificate at your host.
Next, use Full (Strict) SSL and a Cloudflare Origin CA certificate.
Port 443 open and Cloudflare IPs allowed.

Furthermore, your nginx_site.vhost file should look something like the following:

server {
        listen *:80;
        listen [::]:80; # if using IPv6
        
        listen *:443 ssl http2; # http2 if using it at origin?
        listen [::]:443 ssl http2; # http2 if using it at origin?, if using IPv6
        
        ssl_protocols TLSv1.2 TLSv1.3;
        
        # Cloudflare Origin CA certificate
        ssl_certificate /path-to-the-cloudflare-origin-ca-certificate-for-yourdomain/ssl_certificate.crt;
        ssl_certificate_key /path-to-the-cloudflare-origin-ca-certificate-for-yourdomain/ssl_certificate_key.key;

        # Cloudflare Authenticated Origin Pulls:
        # trust only Cloudflare's origin-pull CA and require every TLS client to present a certificate it issued
        ssl_client_certificate /etc/cloudflare-auth-origin-pull-ca-cert.pem;
        ssl_verify_client on;

        # Some other useful settings from ssl-config.mozilla.org
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;
        # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
        ssl_dhparam /etc/dhparam-mozilla.pem;

        # ssl-config.mozilla.org, intermediate configuration
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
}

If the ssl_verify_client parameter is set to on and no cloudflare-auth-origin-pull-ca-cert.pem is present, the error you should get would be HTTP 400 Bad Request.

  • the same error you should get if everything is set correctly (hostname is proxied :orange:) as in the example config above and you disable the Authenticated Origin Pulls option at the Cloudflare dashboard: you should get the expected error 400 Bad Request - No required SSL certificate was sent, too …

Helpful articles:

If needed, you can re-check your nginx vhost config file using this example here:

Thank you for the reply.

I asked cloudways to do so, but I received this answer from cloudways support:

Dear customer, we would like to bring this into your knowledge that at the moment, we cannot bind the ports to specific Cloudflare IPs, but yes, we can add the rules inside the Nginx conf to allow only CF IPs, nothing other.

Applying rules on the shorewall to bind the IPs to the ports isn’t doable since we are offering an option to host multiple sites on the single server.

So, they only change the Nginx conf to allow CF IPs only.

Unfortunately I’m not permitted to change the Nginx config with cloudways - I have to ask them to make possible changes.
The interesting point is that they write about the importance of the Authenticated origin pulls in the linked help doc - to not allow bypassing the CF WAF. As I already wrote - I followed the help doc exactly and set everything correctly from my side.

When I switch off the Authenticated origin pulls in CF, I do not get the expected error, which would mean that they did not change the Nginx conf correctly?!?
Which would mean that the CF WAF is not protected from bypassing at all - or am I wrong?

I have only briefly read that document, but it is missing a critical step in enabling Authenticated Origin Pull.

They spend a lot of time in the article getting a Cloudflare Origin Certificate enabled, and setting the SSL Mode to Full Strict. Which is great, but has nothing to do with Authenticated Origin Pull. AOP and SSL Mode Full are different things, and are not really related. You can use AOP with a certificate from any CA, like Let’s Encrypt.

The missing step is to configure nginx to require all requests to present a Client certificate. The docs here might get you started.

You need to put in place the Cloudflare certificate (found at the link below) and config similar to this:

ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;

Depending on your threat level, the methods using customer supplied certificates are better, but in most situations the Cloudflare issued certificate is likely to be fine.
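The check the thread relies on (a direct request to the origin without a client certificate must come back as nginx's 400 "No required SSL certificate was sent" once ssl_verify_client is on), as an added example that is not from any of the posts above. It assumes curl is installed; the hostname and origin IP in the usage line are hypothetical placeholders.

```shell
#!/usr/bin/env sh
# Added example: verify from the outside that the origin enforces
# Authenticated Origin Pulls. Connects to the server's real IP (skipping
# the Cloudflare proxy) without any client certificate and classifies the
# answer. Placeholders (hypothetical): HOST = proxied hostname, IP = origin.

# classify_aop_response CODE BODY
# "enforced"     : nginx refused the request for lack of a client cert
#                  (400 + "No required SSL certificate was sent")
# "not_enforced" : a plain HTTPS request was served (2xx/3xx), so the WAF
#                  can be skipped by anyone who knows the origin address
# "inconclusive" : anything else (other 400s, 5xx, curl failure = 000)
classify_aop_response() {
    code="$1"
    body="$2"
    case "$code" in
        400)
            case "$body" in
                *"No required SSL certificate was sent"*) echo enforced ;;
                *) echo inconclusive ;;
            esac ;;
        2??|3??) echo not_enforced ;;
        *) echo inconclusive ;;
    esac
}

# probe_origin HOST IP
# --resolve sends the real hostname as SNI/Host while talking to the origin
# IP. -k is needed because a Cloudflare Origin CA certificate is not in the
# public trust store; otherwise curl aborts the handshake before nginx can
# answer with its 400, and the test would be inconclusive rather than a
# statement about client-cert enforcement.
probe_origin() {
    host="$1"
    ip="$2"
    tmp="$(mktemp)"
    code="$(curl -sS -k -o "$tmp" -w '%{http_code}' \
        --resolve "${host}:443:${ip}" "https://${host}/" 2>/dev/null || echo 000)"
    body="$(cat "$tmp")"
    rm -f "$tmp"
    classify_aop_response "$code" "$body"
}

# Usage (hypothetical values): probe_origin example.com 203.0.113.10
```

Run it once with Authenticated Origin Pulls enabled in the dashboard and once with it disabled: a correctly configured origin reports "enforced" both times, because the check lives in nginx, not in Cloudflare.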

