How to make my backend only accept requests from Cloudflare

Hey everyone, I’m having an issue with securing my mobile app’s server and I’d be really grateful for any help.

The architecture I have is simple:

Mobile app -> Cloudflare -> my server (azure functions)

I’ve configured everything to work correctly, all requests are proxied through Cloudflare as expected. Now I’d like to make sure that no one will be able to access my server directly, without going through Cloudflare. I’ve configured my server to require all requests to contain a client certificate. Then, after turning on “Authenticated Origin Pulls”, Cloudflare is attaching a client certificate to each request:

Here’s the certificate I receive on my backend:
Subject Alternative Names: origin-pull.cloudflare.net
Organization: CloudFlare, Inc.
Organization Unit: Origin Pull
Locality: San Francisco
State: California
Country: US
Valid From: July 21, 2020
Valid To: July 21, 2021
Issuer: origin-pull.cloudflare.net, CloudFlare, Inc.
Serial Number: 50b43da5ce5d75518e65ad0c0863bf7934ea5780

The question now is: how can I make sure that this certificate (which comes with the above request) comes from Cloudflare AND that it’s from “my” Cloudflare, not from a hacker’s Cloudflare proxy (created just to get access to my server)? Is this even possible without Argo Tunnel (I don’t think I can use that easily with Azure Functions)?

PS I know that I can restrict access to Cloudflare’s IPs only, but that does not prevent a hacker from using their own Cloudflare account to attack me.

Thanks a lot for any tips,
Michał

A properly configured server won’t deliver your content if the hostname in the request doesn’t match your site. And Cloudflare won’t let other accounts spoof your hostname.

1 Like

All Cloudflare plans support custom client TLS Authenticated Origin Pull certificates at the zone or custom hostname level, as outlined here: https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull. This means that instead of using the Authenticated Origin Pull certificate issued by Cloudflare’s own CA root, you can generate your own CA root/CA intermediate certificate and use it to sign your own client and server SSL certificates for Authenticated Origin Pull configurations. Unfortunately, all this is currently done only via the Cloudflare API and not via the CF GUI dashboard.

This means you create and use your own unique CA root/CA intermediate and signed client/server certificates that no other Cloudflare customer has access to, thus ensuring that only your Cloudflare edge to origin connection is secured uniquely.

I have tested and done this with my own Centmin Mod LEMP stack Nginx origin server with custom per-hostname Authenticated Origin Pull client TLS certificates. I script it using my own wrapper script at https://github.com/centminmod/cfssl-ca-ssl, which utilises Cloudflare’s cfssl toolkit to generate a custom CA root/intermediate and then uses the CA intermediate to sign custom server, client or peer TLS certificates. The generated client certificates also come with outlined instructions for the Cloudflare API commands used to upload the custom-generated client TLS certificate and key and to enable the per-hostname Authenticated Origin Pull certificate feature.

Just be aware of one thing: there’s no CF API endpoint for listing the uploaded custom client TLS certificates that I have found, so when you first upload one, make sure to record the JSON response and the uploaded certificate ID so you can delete and update the certificate in future.

@cscharff @cloonan would be nice to have a CF API endpoint to list uploaded custom client TLS authenticated origin pull certificates :slight_smile:

3 Likes
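As an added example (not code from the thread or from the cfssl-ca-ssl project), here is the same private-CA workflow done with plain openssl, together with the origin-side check that actually answers the question: the origin accepts only a client certificate that chains to your own CA, so a certificate issued by any other CA (another Cloudflare account’s, or Cloudflare’s shared Origin Pull CA) is rejected even if it carries the same hostname. The CA names and hostname are constructed.

```shell
#!/usr/bin/env bash
# Added example: private CA + client cert for Authenticated Origin Pulls, and the
# origin-side verification that pins the client cert to OUR CA. Requires openssl.
set -euo pipefail

WORK="$(mktemp -d)"

# make_ca NAME CN : create a CA private key and a self-signed CA certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# make_client CA NAME CN : issue a client certificate signed by CA. The resulting
# key + cert pair is what you would upload to Cloudflare for your hostname.
make_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.pem" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 90 \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# origin_accepts CA CLIENT : the check the origin's TLS stack performs on each
# request. The presented client cert must chain to the named CA; exit 0 = accept.
origin_accepts() {
  openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Our own CA and the client cert we upload to our Cloudflare zone.
make_ca     mine  "My Origin Pull CA"                 # constructed name
make_client mine  my-cf-client "my-zone.example.com"  # constructed hostname

# Anyone else (another Cloudflare customer, or Cloudflare's shared CA) can only
# present a cert from a CA they control, modelled here as a second CA. Reusing
# our hostname in the cert does not help them.
make_ca     other "Someone Else's CA"
make_client other other-client "my-zone.example.com"

if origin_accepts mine my-cf-client; then echo "own Cloudflare edge cert: accepted"; fi
if ! origin_accepts mine other-client; then echo "foreign client cert: rejected"; fi
```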

Thank you for this really detailed answer, I’ve managed to do it as you suggested :slight_smile:

1 Like

Glad I could help :smiley:
