I want to ensure that traffic to my origin goes through my domain name only. I read about the Authenticated Origin Pulls feature, which prevents traffic from going directly to the origin without passing through the Cloudflare WAF.
However, I have an assumption that anyone on Cloudflare can just point their domain name to my origin’s IP address (that is, if they somehow know the IP) because the certificate used between Cloudflare and the origin is the same for everyone (I’m using the Cloudflare Pro plan, which doesn’t allow uploading a custom certificate, which I assume applies to uploading an Authenticated Origin Pulls certificate as well), and those who do this may expose my website to vulnerabilities/attacks.
Is my assumption correct? Should I be concerned? Is there something I can do to really secure my origin?
You can use your own certificate, which you can upload via the API as per these instructions. I’ve never done this but I don’t see any indication that it’s not available to Pro plans.
But you probably don’t need to worry about it. The certificate ensures that the connection is coming from Cloudflare, but if someone puts your IP address with their domain into their account, the request will come in with their domain in the Host header. Assuming your server is set up properly it will return an error because it doesn’t know about that domain name.
The only way to spoof a Host header via Cloudflare is with an Enterprise account, and only with manual validation, so it’s not an issue.
I tried uploading my certificate using the API and it worked!
I can confirm that the connection between Cloudflare and my origin uses mTLS authentication. I tried pointing a domain to my IP on another Cloudflare account and the connection didn’t go through.
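
The two origin-side checks discussed in this thread, sketched as an nginx configuration; this is an added example, not from any of the posters or from Cloudflare's documentation. It requires a client certificate issued by your own CA (the one behind the certificate uploaded through the API) and refuses any hostname the origin does not serve. The hostname, file paths and the choice of nginx are assumptions.

```nginx
# Catch-all for every hostname this origin does not serve.
# A request proxied from someone else's Cloudflare zone arrives with
# their domain as SNI/Host and ends up here, never at the real site.
server {
    listen 443 ssl default_server;
    server_name _;

    # Abort the TLS handshake when the SNI matches no server_name below
    # (nginx 1.19.4 or later); no certificate is needed in this block.
    ssl_reject_handshake on;

    # Fallback if a request still reaches this block: close the
    # connection without sending a response.
    return 444;
}

# The real site. example.com is a placeholder hostname.
server {
    listen 443 ssl;
    server_name www.example.com;

    # Server certificate presented to Cloudflare (assumed paths).
    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # mTLS: accept only client certificates issued by your own CA,
    # i.e. the CA that signed the certificate uploaded via the API.
    # Trusting only this CA, rather than the certificate shared by all
    # Cloudflare customers, is what ties the origin to your zone.
    ssl_client_certificate /etc/nginx/tls/aop-client-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    root /var/www/example;   # assumed document root
}
```

After a reload, a direct request to the origin IP without the client certificate should fail in the real server block, and a request carrying an unknown hostname should be dropped by the catch-all.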