How can I check if traffic from Cloudflare to server is encrypted

I have generated the origin certificates and uploaded them to the domain root. In addition to this, I enabled the Full (Strict) SSL mode. I read the instructions and followed them. The problem I have here is that I cannot verify if the connection between Cloudflare and the origin server is really encrypted. I have no way to test this. I think security can only be high if I can verify that changes take place correctly.

Is there any possibility to test if the traffic from Cloudflare to the origin server is encrypted?

I followed the instructions to install the Authenticated Origin Pull CA to encrypt the traffic between Cloudflare and my server. If I configure the nginx SSL the same way as shown in the instructions, I only get an nginx 400 error for misconfiguration. This does not work at all. Can anybody help me there?

What is the difference between a Cloudflare Origin CA and an Authenticated Origin Pull?

Setting Crypto to Full (Strict) will force Cloudflare to use encrypted connections to your server. This is the maximum most people will need.

Authenticated Origin Pull is kind of a reverse TLS connection. In addition to Cloudflare needing to verify the identity of your server via TLS, your server will want to verify the identity of Cloudflare by checking the certificate of the requesting server. This is generally not necessary.

To answer your original question, your server logs will show if it’s an HTTPS or just an HTTP connection. But if Cloudflare is set to Full (Strict), I can say with 99.999999% certainty that Cloudflare will use an encrypted connection.


Thank you very much for the answer. This is really helpful!

Why is the Authenticated Origin Pull CA generally not necessary? I am building a freelancer marketplace with the maximum possible security standard. Is this really not needed?

If you want to use it, go ahead. But by the description in your post, it’s misconfigured. Its main purpose is to stop people from bypassing Cloudflare to access your website. I do this by configuring my firewall to block any requests that don’t come through Cloudflare.

I tried to find the log file showing HTTPS requests but failed. Nginx access.log, auth.log, syslog: I checked all of those, but I did not find any entry there.

This sounds correct. I use ufw; how can I allow only Cloudflare there? Currently I allow only HTTPS and SSH there.

Also, what if a hacker simply changes his IP with software so that it is identical to a Cloudflare IP? That's why the Authenticated Origin Pull CA adds another layer of security in my view. Maybe I am wrong with my thought?

You’re going to have to dig around, most likely in general server forums, to get help in configuring ufw and how to get an authentication pull certificate to work. Here’s a list of Cloudflare IP addresses to let through the firewall: https://www.cloudflare.com/ips/

Spoofing IP addresses doesn't help hackers, as Cloudflare's response will only route to the legitimate owner of that IP address. Spoofing IP addresses is only helpful in DoS attacks, as they don't care about the responses.
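As an added example (not from the thread or from Cloudflare), here is a small POSIX shell script that turns a Cloudflare IP list into ufw allow rules for port 443, skipping any line that is not a CIDR so a failed download never becomes a firewall rule. The three ranges are a constructed sample; regenerate them from https://www.cloudflare.com/ips/ before use, and the `comment` keyword assumes ufw 0.35 or newer.

```shell
#!/bin/sh
# Added example: allow only Cloudflare to reach the origin on 443 via ufw.
# Sample ranges below are constructed; fetch the live list from
# https://www.cloudflare.com/ips/ (ips-v4 and ips-v6) and pipe it in instead.

# Read CIDR ranges on stdin, one per line, and print one "ufw allow" command
# per valid range. Lines that are not IPv4/IPv6 CIDRs (e.g. an HTML error page
# returned instead of the list) are skipped so they never become rules.
cf_ufw_rules() {
    while IFS= read -r cidr; do
        case "$cidr" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) family=v4 ;;
            [0-9a-fA-F]*:*/[0-9]*)              family=v6 ;;
            *) continue ;;
        esac
        printf 'ufw allow proto tcp from %s to any port 443 comment "Cloudflare %s"\n' \
            "$cidr" "$family"
    done
}

# Number of rules a list would produce. Zero means the fetch failed; applying
# such a list would close 443 for everyone and produce exactly the 522 error
# described later in this thread, so check this before applying.
cf_rule_count() {
    cf_ufw_rules | wc -l | tr -d ' '
}

SAMPLE_RANGES='173.245.48.0/20
103.21.244.0/22
2400:cb00::/32'

# Full plan: default deny, keep SSH reachable, then the Cloudflare-only 443
# rules. ufw evaluates rules in order, so an earlier "deny 443" would win;
# remove such rules first. Review the output, then pipe it into "sudo sh".
print_plan() {
    echo 'ufw default deny incoming'
    echo 'ufw allow 22/tcp'
    printf '%s\n' "$SAMPLE_RANGES" | cf_ufw_rules
}

print_plan
```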

Maybe I don't understand your answer correctly. What if a hacker simply uses the available CF IPs to spoof and lets the origin server think CF is requesting? In this case CF will be bypassed, so it cannot route anything.

Where do you think the origin server is going to send that response?

Back to CF, but maybe someone will sniff the port.

I have another problem. I set up the firewall the way you suggested to allow only CF IPs. Somehow the site does not open anymore. I get a 522 error.

I got it running now. It was because I previously had some ufw rules which disallowed 443/tcp and 443 completely.

Only open question: can people then sniff the response?

Ufw probably works correctly to where nothing can probe/sniff that port. It will show closed for everyone other than CF.

And your host probably has the router set up correctly to where it verifies the IP isn't spoofed; spoofed IPs are rare since they almost always get dropped.
