Health check with authenticated origin


this is a follow up of these two posts:

The issue is the following:

  • in our configuration, we use authenticated origin on our domains (which means CF connects to the origin server with client certificates, which we validate and then allow)
  • if I set up an health check, it always fails as no client certificate is used to establish the connection

This issue is at least 2 years old, are there any news on when it will be solved?



@madami We do have a workaround for now.

You can configure a orange clouded cname for the origin in question and use that name in the Healthchecks config instead of the origin IP address. That would make our healthchecks run through the CDN and the authenticated origin pulls will be used for the connection.

Please take care and let us know if you have any other questions.

1 Like


Nice tip, thanks!



1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.

Adding this for the benefit of people coming from search.

Monitors now support authenticated origin pulls by entering the appropriate zone in the “Simulate Zone” field of the UI.

Setting “Simulate Zone” will allow Cloudflare Load Balancing Monitor to emulate the specified zone while probing. It pushes a request from Cloudflare Health Monitors through the Cloudflare stack as if it were a real visitor request to help analyze behavior or validate a configuration.

You could find it under “Advanced health check settings”:


I hope the above explains and helps you configure your Health Check Monitor with Authenticated Origin Pulls.