mTLS Client control for specific Origin Servers

Hi,

I have a question regarding access control to Origin Servers using mTLS/Client Authentication certificates.

We have third-party providers who submit data to our origin servers. Currently, they use a Client certificate issued from a 3rd party CA which works fine, but now we would like to migrate this over to Cloudflare.

I created the Client Certificate via Cloudflare using SSL/TLS → Client Certificate. We proxy (Orange-Cloud) the origin server via Cloudflare. We test, and it works perfectly.

The issue now is managing Client Certificates for these third parties. We have numerous origin servers that we want mTLS on, but we don’t want our 3rd-party providers to have the ability to access other endpoints reserved for specific vendors. For instance:

The dashboard in Cloudflare only specifies which hosts I want to enable mTLS for. I specify the domains I want:

But now, this means ciri.com can access aaron.mydomain.com and billy.mydomain.com. Likewise, aaron.com can access ciri.mydomain.com and billy.mydomain.com. Same thing for billy.

We want only aaron.com to access aaron.mydomain.com. Same for billy.com and ciri.com.

Are there any recommendations or actions I can take to restrict which domains our 3rd parties can access using mTLS?

Thank you.

I am looking at the same scenario. Did you find an answer? Can anyone else shed some light on this?

I assumed we could do a check in the firewall rule that a specific CN was used on the client cert and not just that the certificate is valid. I just don’t see how to do that…

That way you could create one rule per origin server with any specific trusted certs added to just that rule. It would stop users of all trusted certs from seeing all protected origin servers.


Is this something you are looking for:

https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull#per-hostname--customer-certificates

I think you could use CF API Shield and CF Firewall rules to control who has access

Expression: (http.host in {orangeclouded.com api.orangeclouded.com} and not cf.tls_client_auth.cert_verified)
Action: Block

That should work too. I scripted custom CA cert signed TLS client certificates via CF API using Cloudflare’s cfssl tool - example at GitHub - centminmod/cfssl-ca-ssl and GitHub - centminmod/cfssl-ca-ssl

Thanks for your responses!

I am currently using this. However, the issue is that there are no controls that restrict the holders of the certificate to access domains I don’t want them to. Even if I create several mTLS Certificates, any certificate holder can access any subdomain. I don’t want this; I want Certificate A to only access websitea.mydomain.com, not all of them.

I don’t believe so. This concerns authenticating requests at my Origin Server from Cloudflare. My issue is not with this part; it is managing mTLS connections from the internet to Cloudflare. As mentioned above, I want Customer A with Certificate A to access domainA.mydomain.com, and not have access to domainB.mydomain.com which is also behind mTLS.
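To make concrete why the firewall expression quoted above lets any verified certificate reach every mTLS-enabled host, and what a per-host restriction needs instead, here is a small model of both policies (an added example, not Cloudflare’s rule engine or anything posted in this thread). It assumes the rule engine can see a per-certificate identifier such as a fingerprint; the hostnames and fingerprints are constructed from the thread’s aaron/billy/ciri example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Hosts with mTLS switched on in the dashboard (constructed, from the thread's example).
MTLS_HOSTS: Set[str] = {"aaron.mydomain.com", "billy.mydomain.com", "ciri.mydomain.com"}

# Per-host allowlist keyed by a client-certificate identifier (constructed fingerprints).
# This mapping is what the thread asks for; the blanket dashboard toggle has no such table.
HOST_ALLOWED_CERTS: Dict[str, Set[str]] = {
    "aaron.mydomain.com": {"fp-aaron"},
    "billy.mydomain.com": {"fp-billy"},
    "ciri.mydomain.com": {"fp-ciri"},
}

@dataclass(frozen=True)
class Request:
    host: str                      # http.host
    cert_verified: bool            # cf.tls_client_auth.cert_verified, as quoted in the thread
    cert_id: Optional[str] = None  # assumed per-certificate identifier (e.g. a fingerprint)

def blanket_rule_blocks(req: Request) -> bool:
    """The quoted expression: block an mTLS host only when no verified cert is presented."""
    return req.host in MTLS_HOSTS and not req.cert_verified

def per_host_rule_blocks(req: Request) -> bool:
    """Block unless the presented, verified certificate is on this host's own allowlist."""
    if req.host not in MTLS_HOSTS:
        return False  # non-mTLS host: the rule does not apply
    if not req.cert_verified or req.cert_id is None:
        return True
    return req.cert_id not in HOST_ALLOWED_CERTS.get(req.host, set())

def cross_vendor_reach(rule: Callable[[Request], bool]) -> Set[tuple]:
    """(cert, host) pairs where a vendor's verified cert reaches a host not assigned to it."""
    reach = set()
    for host, allowed in HOST_ALLOWED_CERTS.items():
        for other_host in HOST_ALLOWED_CERTS:
            if other_host == host:
                continue
            for cert in allowed:
                if not rule(Request(other_host, True, cert)):
                    reach.add((cert, other_host))
    return reach

if __name__ == "__main__":
    print("blanket rule leaks:", sorted(cross_vendor_reach(blanket_rule_blocks)))   # 6 pairs
    print("per-host rule leaks:", sorted(cross_vendor_reach(per_host_rule_blocks)))  # none
```

The blanket rule answers only "was a valid certificate presented?", so every vendor certificate reaches the other vendors' hosts; the per-host rule needs the certificate's identity in the expression, which is the missing piece the thread is asking about.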

Then the best you can have is the Cloudflare Access - Mutual TLS feature under Cloudflare for Teams.

But, access to Mutual TLS feature requires Cloudflare for Teams Enterprise plan.


Cloudflare docs mention this: if you use CF CA issued TLS client certs, then use CF Firewall with mTLS-enabled protection for API Shield. But if you want to use non-CF CA issued TLS client certs for finer-grained control, you would need to upload your own CA and TLS client certs and use CF Access.

see https://developers.cloudflare.com/firewall/cf-firewall-rules/api-shield

Important

API Shield’s Mutual TLS requires Cloudflare-issued certificates. You can use mTLS with any fully managed certificate authority (CA) where Cloudflare issues the client certificates.

If you need to use certificates issued by another CA, use Cloudflare Access to upload your own CA.

so https://developers.cloudflare.com/cloudflare-one/identity/devices/mutual-tls-authentication?

unfortunately, it’s CF Enterprise only

Important

Adding mTLS to your application is only available on the Cloudflare enterprise plan. For more information, please contact your Cloudflare customer success manager.

and only for HTTP/2 not HTTP/3

With a root certificate authority (CA) in place, Access only allows requests from devices with a corresponding client certificate. When a request reaches the application, Access responds with a request for the client to present a certificate. If the device fails to present the certificate, the request is not allowed to proceed. If the client does have a certificate, Access completes a key exchange to verify.

Currently, mTLS does not work with HTTP3 traffic.

edit: in short what @erictung said :slight_smile:


Cloudflare only mentions firewall rules that verify any valid Cloudflare Client Certificate. It has no ability to restrict certain certificates to certain domains. There is only a blanket rule of which hosts you want mTLS for; there is no Certificate per domain rule (at least none that I could find).

We were hoping to move away from this and keep Client Certificate provisioning with Cloudflare only. I’d rather keep the management of security and access with the rest of it, within Cloudflare.

I guess that answers the question. Sadly the prospect of upgrading to that plan is more of a political problem than a technical one :upside_down_face:

So without the ability to utilise Enterprise plan features for mTLS management, I will opt to use the Cloudflare Header Firewall rules as an additional protective layer. Not ideal, but since I have the ability to change headers on the 3rd party services, this is something I can achieve.

Thank you everyone for your help.
