HTTPS Health Check with Authenticated Origin Pull - update?

This is a follow-up on the post Health Check with Authenticated Origin Pull by @eliesermorais.

Main question:
Is there an ETA on when the Cloudflare HTTPS Health Checks will be able to use the required SSL to connect with Authenticated Origin Pulls? Is this still in the books?

Basic recommendation:
The documentation is still lacking about Authenticated Origin Pulls breaking HTTPS health checks. At least a warning about this should be put on Dashboard > SSL/TLS > Authenticated Origin Pulls in the ‘Help’ section. This is a tiny improvement that will go a long way for anybody looking to try Authenticated Origin Pulls.

When I first enabled this feature on our servers, everything went dark as our Cloudflare origins went into offline state because the HTTPS Health Checks were not working anymore.

Our workaround:
The workaround we found is setting up our HAProxy servers to optionally verify the CA of Cloudflare. We then set up the HTTPS Health Checks on a GET path /?cf=securitykey and further configured HAProxy to allow CA-unverified SSL connections only to /?cf=securitykey, and to 403 all other CA-unverified SSL connections.
On top of this, one may restrict incoming connections to only the Cloudflare IP ranges.

@Cloudflare it is not all critique :) You are doing a great job increasing the HA for our servers, and helping us cut down on costs with the CDN. The Argo service & Rocket Launcher options are brilliant right off the bat; they shaved a full second from our load time and now our site load times are below 400ms in the US.
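
A sketch of the HAProxy side of the workaround described above, as an added example that is not the poster's actual configuration. The certificate and list file paths, the backend address and the literal `securitykey` value are placeholders.

```haproxy
# Added example. Assumed: all file paths, the backend address, and the
# placeholder health-check key "securitykey".
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # "verify optional" requests a client certificate but lets the handshake
    # complete without one. A certificate that is presented must still chain
    # to ca-file, otherwise the handshake fails.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/cloudflare-origin-pull-ca.pem verify optional

    # Extra layer mentioned in the post: accept Cloudflare source ranges only.
    # The list file is assumed to contain one CIDR per line.
    acl from_cf   src -f /etc/haproxy/cloudflare-ips.lst

    # ssl_c_used is true only when this TLS session used a client certificate
    # (it also holds across session resumption); ssl_c_verify 0 means no
    # verification error was recorded for it.
    acl has_cert  ssl_c_used
    acl cert_ok   ssl_c_verify 0

    # The one request allowed without a client certificate: GET /?cf=<key>.
    # The key sits in the query string, so it shows up in access logs.
    acl hc_get    method GET
    acl hc_path   path /
    acl hc_key    urlp(cf) -m str securitykey

    http-request deny deny_status 403 unless from_cf
    # Conditions are ORs of ANDed terms: (has_cert AND cert_ok) OR
    # (hc_get AND hc_path AND hc_key). Everything else gets a 403.
    http-request deny deny_status 403 unless has_cert cert_ok or hc_get hc_path hc_key

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

The file can be syntax-checked with `haproxy -c -f <file>` before reloading; the referenced certificate and list files must exist for the check to pass.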


Adding this for the benefit of people coming from search.

HTTPS Load Balancing Health Checks with Authenticated Origin Pulls is now supported with “Simulate Zone”

Read more: Health check with authenticated origin - #6 by andronicus_cf