Recently, I tried to implement client-side authentication on my blog server to protect my management access point.
After I finished all the configuration, the setup worked without Cloudflare. But with Cloudflare enabled, my browser did not prompt me to select my cert; instead, it showed this:
When “Authenticated Origin Pulls” is enabled:
400 Bad Request: No required SSL certificate was sent
I don’t know for sure if you can authenticate via a certificate on the client’s side through Cloudflare. Have you looked at JWTs and Cloudflare’s Access?
Cloudflare acts as an SSL termination endpoint to provide DDoS/WAF and CDN services. If we couldn’t see the traffic, it would be difficult for us to do much more than act as a basic dumb firewall.
Mutual TLS is available as an additional option to Enterprise customers today and client based authentication enhancements are being worked on for other plan tiers.
Well, my mistake. I mean, for client-side authentication to work, there should be a TLS handshake between the client and the origin server, right? While Cloudflare stands in the middle between the origin server and clients, it cannot proxy the handshake, resulting in authentication failure.
I’m not an expert in this area; thanks for helping.
An easy way to protect the Management Access Point would be to use Cloudflare’s Access feature. Single-user is free. Note that your server’s firewall needs to block all access except for Cloudflare’s IP addresses.
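The last reply recommends putting the origin behind Cloudflare Access and then having the server's firewall accept nothing that does not come from Cloudflare's proxy ranges, since otherwise anyone who learns the origin IP can bypass Access entirely. The script below is an added example written for this thread, not code from the thread or from Cloudflare. It turns a newline-separated list of IPv4 CIDRs into an nftables ruleset that accepts TCP/443 only from those ranges and drops the rest, and it includes a small pure-POSIX-sh CIDR membership check so you can sanity-check the list before loading it. The ranges in `SAMPLE_RANGES` are constructed documentation-range placeholders; in a real deployment you would substitute the current list Cloudflare publishes at https://www.cloudflare.com/ips-v4 (and build a matching IPv6 set from https://www.cloudflare.com/ips-v6), and re-run it on a schedule because the list changes.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that lets only the listed
# source ranges reach TCP/443 on the origin. Not part of the original thread.

# Constructed placeholder ranges (RFC 5737 documentation space), NOT
# Cloudflare's real proxy ranges. Replace with the published ips-v4 list.
SAMPLE_RANGES="203.0.113.0/24
198.51.100.0/24"

# Convert a dotted-quad IPv4 address to an integer (POSIX sh arithmetic).
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_ranges ADDR RANGES: succeed (exit 0) if ADDR lies inside any CIDR
# in the newline-separated RANGES list, fail (exit 1) otherwise.
ip_in_ranges() {
  ip=$(ip2int "$1")
  printf '%s\n' "$2" | while IFS=/ read -r net bits; do
    [ -z "$net" ] && continue
    bits=${bits:-32}
    # Build the netmask for the prefix length, truncated to 32 bits.
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    if [ $(( ip & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
      echo yes
      exit 0
    fi
  done | grep -q yes
}

# gen_nft_rules RANGES: print an nftables ruleset on stdout. Traffic to
# port 443 is accepted only from the allowlisted set and dropped otherwise;
# everything else keeps the chain's default accept so SSH etc. is untouched
# (tighten that separately for a real host).
gen_nft_rules() {
  # Join the non-empty lines into "a/24, b/24" for the set's elements.
  elements=$(printf '%s\n' "$1" | awk 'NF { printf "%s%s", (n++ ? ", " : ""), $0 }')
  printf 'table inet cf_origin {\n'
  printf '  set cloudflare_v4 {\n'
  printf '    type ipv4_addr\n'
  printf '    flags interval\n'
  printf '    elements = { %s }\n' "$elements"
  printf '  }\n'
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy accept;\n'
  printf '    tcp dport 443 ip saddr @cloudflare_v4 accept\n'
  printf '    tcp dport 443 drop\n'
  printf '  }\n'
  printf '}\n'
}

# Usage: sh origin-allowlist.sh print | sudo nft -f -
if [ "${1:-}" = "print" ]; then
  gen_nft_rules "$SAMPLE_RANGES"
fi
```

Loading the generated ruleset with `nft -f -` replaces the `cf_origin` table atomically, so regenerating it from a fresh copy of the published list is safe to run from cron. Pair this with "Authenticated Origin Pulls" (which the original poster had enabled) so that the origin also verifies the client certificate Cloudflare presents, rather than trusting source IP alone.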