Hey everyone, I’m having an issue with securing my mobile app’s server and I’d be really grateful for any help.
The architecture I have is simple:
Mobile app -> Cloudflare -> my server (Azure Functions)
I’ve configured everything to work correctly, and all requests are proxied through Cloudflare as expected. Now I’d like to make sure that no one will be able to access my server directly, without going through Cloudflare. I’ve configured my server to require all requests to contain a client certificate. Then, after turning on “Authenticated Origin Pulls”, Cloudflare attaches a client certificate to each request.
Here’s the certificate I receive on my backend:
Subject Alternative Names: origin-pull.cloudflare.net
Organization: CloudFlare, Inc.
Organization Unit: Origin Pull
Locality: San Francisco
Valid From: July 21, 2020
Valid To: July 21, 2021
Issuer: origin-pull.cloudflare.net, CloudFlare, Inc.
Serial Number: 50b43da5ce5d75518e65ad0c0863bf7934ea5780
The question now is: how can I make sure that this certificate (which comes with the above request) comes from Cloudflare AND that it’s from “my” Cloudflare, not from a hacker’s Cloudflare proxy (created just to get access to my server)? Is this even possible without Argo Tunnel (I don’t think I can use that easily with Azure Functions)?
PS: I know that I can restrict access to Cloudflare’s IPs only, but that does not prevent a hacker from using their own Cloudflare account to attack me.
Thanks a lot for any tips,
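As an added example (not part of the original post, and not Cloudflare's or Azure's code), here is what the origin side can actually establish about a client certificate like the one above, written in Go with only the standard library: that it chains to a CA you pin, is within its validity period, is permitted for client authentication, and carries the origin-pull.cloudflare.net SAN. The CAs and leaf certificates are generated inside the program as constructed stand-ins; in production you would pin Cloudflare's published origin-pull CA instead. The X-ARR-ClientCert header name is the one Azure App Service uses to forward a client certificate as base64-encoded DER; the function names and the four test cases are my own. The "imposter" case is the point worth noticing: a certificate whose subject, OU, locality and SAN are identical to the one in the post, but which was signed by a different CA, is rejected, because the chain check is what proves anything, not the text fields. Conversely, anything signed by the CA you pin is accepted, which is why the question of who else can obtain certificates from that CA matters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SAN the origin expects on the proxy's client certificate (taken from the post).
const ExpectedSAN = "origin-pull.cloudflare.net"

// Header Azure App Service uses to forward the client certificate (base64 DER).
const ClientCertHeader = "X-ARR-ClientCert"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA: a constructed stand-in for the issuer you pin.
// Calling it twice yields two CAs with the same subject but unrelated keys.
func newCA(notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: ExpectedSAN, Organization: []string{"CloudFlare, Inc."}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueClientCert signs a client-auth leaf with the post's subject fields and the given SAN.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, san string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: san, Organization: []string{"CloudFlare, Inc."},
			OrganizationalUnit: []string{"Origin Pull"}, Locality: []string{"San Francisco"}},
		DNSNames:    []string{san},
		NotBefore:   notBefore,
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	return der
}

// VerifyOriginPull is the origin-side check: the presented certificate must chain to the
// pinned CA (subject text alone proves nothing), be valid at `now`, be permitted for
// client authentication, and carry the expected SAN.
func VerifyOriginPull(clientDER []byte, pinnedCA *x509.Certificate, san string, now time.Time) error {
	cert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return fmt.Errorf("parse client cert: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	for _, name := range cert.DNSNames {
		if name == san {
			return nil
		}
	}
	return fmt.Errorf("client cert lacks expected SAN %q (has %v)", san, cert.DNSNames)
}

// VerifyFromHeader decodes the base64 DER that App Service puts in X-ARR-ClientCert.
func VerifyFromHeader(headerValue string, pinnedCA *x509.Certificate, san string, now time.Time) error {
	der, err := base64.StdEncoding.DecodeString(headerValue)
	if err != nil {
		return fmt.Errorf("decode %s: %w", ClientCertHeader, err)
	}
	return VerifyOriginPull(der, pinnedCA, san, now)
}

// Demo runs four constructed cases against one pinned CA and returns each verdict (nil = accepted).
func Demo() map[string]error {
	now, year := time.Now(), 365*24*time.Hour
	pinned, pinnedKey := newCA(now.Add(-year))
	imposter, imposterKey := newCA(now.Add(-year)) // identical subject, unrelated key
	genuine := base64.StdEncoding.EncodeToString(issueClientCert(pinned, pinnedKey, ExpectedSAN, now.Add(-time.Hour), now.Add(year)))
	return map[string]error{
		"genuine":   VerifyFromHeader(genuine, pinned, ExpectedSAN, now),
		"imposter":  VerifyOriginPull(issueClientCert(imposter, imposterKey, ExpectedSAN, now.Add(-time.Hour), now.Add(year)), pinned, ExpectedSAN, now),
		"expired":   VerifyOriginPull(issueClientCert(pinned, pinnedKey, ExpectedSAN, now.Add(-2*year), now.Add(-year)), pinned, ExpectedSAN, now),
		"wrong-san": VerifyOriginPull(issueClientCert(pinned, pinnedKey, "proxy.example.invalid", now.Add(-time.Hour), now.Add(year)), pinned, ExpectedSAN, now),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-10s %v\n", name, err)
	}
}
```

Run it with `go run .`: only the "genuine" case comes back with a nil error; the imposter fails chain verification even though every printable field matches, the expired leaf fails on validity, and the wrong-SAN leaf chains correctly but is rejected by the name check.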