How do I Check if the Authenticated Origin Pulls is Working or Not?

Hi,

I would like to know if the Authenticated Origin Pulls are working correctly. How do I go about doing that?

I have tried deactivating it but my site still works fine in incognito mode. I have created and imported an Origin Certificate to my server, which replaced the one SiteGround setup.

Thanks and regards,

Tug

If you disabled it and your site is still loading fine (not from the cache), that would suggest your site is not requiring client authentication, so it’s not really working. You would need to ensure your server is properly configured to actually enforce and require client certificate authentication.

Bottom line, if your server is properly configured and you disable it on Cloudflare, you should get an error message.

We have had the talk before about deactivating the SSL from my host, which I did. My CA is being served by CloudFlare but, as you know, disabling the Authenticated Origin Pulls doesn’t cause any errors. I think I know why and I would like confirmation from you if you could.

I think this is caused by our edge certificate. We had the Universal CA. Since we are using the Origin CA that means we don’t need the Edge CA, right? From all of the information you have already given, I believe I should disable the Universal CA so the Origin CA can work, correct?

As I mentioned in the other thread already, the server certificate is completely unrelated to client certificate authentication. In particular the proxy certificate has nothing to do with it.

All you need to do is require on your server client certificate authentication and configure the right client certificate, which is provided by Cloudflare. https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull really has all on that.

And once more, that has nothing to do with your server certificate or the proxy certificate.

So breaking it down Barney style, the CloudFlare Edge Certificate should always be enabled and the Origin CA is just the middle man protecting the traffic to the origin server if CloudFlare cannot provide the cached version of the request, yes?

More or less yes. I would not say “just” as the proxies will typically have to talk to the origin and this will certainly require the certificate on the origin side (whether that is an Origin certificate or any other publicly recognised certificate).

As you mentioned, only if the request is served from the cache, the origin certificate won’t be involved as there won’t be such a request.

As for your original question, client certificate authentication also plays a role only between the proxies and the origin and here you simply need to enable this on your server, so that it is enforced, as well as toggle the setting on Cloudflare, so that the request actually contains the certificate.

Awesome, thanks for the information and help.

So deactivating the Authenticated Origin Pulls and seeing an error is literally the only way to verify if it’s working or not eh? No other methods as your solution assumes?

You can enhance your server logging and check if the certificate gets sent by Cloudflare, but that only checks that, not how your server responds when there’s no certificate, and that’s what you want to check.


Authenticated Origin Pull, Edge Certificates and Cloudflare Origin Certificates are three separate features. You can use any or none on their own or together.

Origin Pull is a two step configuration.

  1. The setting in the dashboard means Cloudflare will respond to an mTLS prompt from your Origin server.

  2. You also have to configure your Origin server to require client certificates for all incoming connections.

If you never configure the Origin, then the dashboard setting does nothing. In order to use client certificate authentication (authenticated origin pull) the request to your web server must be using HTTPS.

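As an added example (not code from the thread or from Cloudflare's own docs), here is what the second step and the logging check look like on an nginx origin. The hostname, the certificate/key paths and the location of the saved Cloudflare origin-pull CA file are assumptions.

```nginx
# Added example, not from the thread. Assumed names: example.com, the
# certificate/key paths, and /etc/nginx/certs/cloudflare-origin-pull-ca.pem
# (the Authenticated Origin Pull CA you download from Cloudflare's docs).

# Record the client-certificate verification result per request, so you can
# confirm Cloudflare actually sends a certificate ("enhance your logging").
log_format mtls '$remote_addr "$request" $status '
                'verify=$ssl_client_verify dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    server_name example.com;

    # Server certificate: the Cloudflare Origin CA cert (or any cert the
    # proxy trusts). As the thread says, unrelated to client authentication.
    ssl_certificate     /etc/nginx/certs/origin.pem;
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # Step 2 of Authenticated Origin Pull: require a client certificate that
    # chains to Cloudflare's origin-pull CA. Without this, the dashboard
    # toggle does nothing and a direct request is accepted.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;
    # During rollout you can set "ssl_verify_client optional;" instead: requests
    # still pass, but the log shows verify=NONE or verify=SUCCESS, so you can
    # see the certificate arriving before you enforce it.

    access_log /var/log/nginx/mtls.log mtls;

    root /var/www/example;

    location / {
        try_files $uri $uri/ =404;
    }
}

# Check enforcement from a shell, bypassing the proxy (ORIGIN_IP is your
# server's address). With "ssl_verify_client on" and no client certificate
# nginx answers HTTP 400 "No required SSL certificate was sent":
#   curl -sk --resolve example.com:443:ORIGIN_IP https://example.com/
```

A plain 200 from that direct curl means the origin is not enforcing, which is exactly the failure the thread describes: the Cloudflare toggle only supplies the certificate, the origin has to demand it.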

You don’t have to use client certificate authentication, but if you do, you’ll also have to use the proxy certificate, as otherwise the request would still be on HTTP. The only exception would be if you are on an Enterprise plan and have Strict SSL-Only.
