I have a question regarding access control to Origin Servers using mTLS/Client Authentication certificates.
We have third-party providers who submit data to our origin servers. Currently, they use a Client certificate issued from a 3rd party CA which works fine, but now we would like to migrate this over to Cloudflare.
I created the Client Certificate via Cloudflare using SSL/TLS → Client Certificate. We proxy (Orange-Cloud) the origin server via Cloudflare. We test, and it works perfectly.
The issue now is managing Client Certificates for these third parties. We have numerous origin servers that we want mTLS on, but we don’t want our 3rd party providers to have the ability to access other endpoints reserved for specific vendors. For instance:
- 3rd Party Provider (Aaron.com) needs access to aaron.mydomain.com.
- 3rd Party Provider (Billy.com) needs access to billy.mydomain.com.
- 3rd Party Provider (Ciri.com) needs access to cirri.mydomain.com.
The dashboard in Cloudflare only specifies which hosts I want to enable mTLS for. I specify the domains I want:
Are there any recommendations or actions I can take to restrict what domains our 3rd Parties can access using mTLS?
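An added example (not part of the original post) of the per-hostname check that the mTLS toggle alone does not express: a verified client certificate is accepted only on the hostname assigned to its vendor, and everything else is denied. It assumes Cloudflare's ruleset fields `http.host`, `cf.tls_client_auth.cert_presented`, `cf.tls_client_auth.cert_verified` and `cf.tls_client_auth.cert_serial`; the serial values and the host-to-vendor mapping are constructed.

```python
"""Per-hostname client-certificate allowlist (added example).

Models the authorization decision the dashboard's mTLS host list leaves
out: a vendor's certificate may reach only that vendor's hostname. The
Request fields mirror Cloudflare's ruleset fields; serials are constructed.
"""
from dataclasses import dataclass

# Constructed mapping: hostname -> permitted certificate serials (hex).
ALLOWED_SERIALS = {
    "aaron.mydomain.com": {"0a1b2c3d"},  # Aaron.com's certificate
    "billy.mydomain.com": {"1f2e3d4c"},  # Billy.com's certificate
    "cirri.mydomain.com": {"5a6b7c8d"},  # Ciri.com's certificate
}


@dataclass(frozen=True)
class Request:
    host: str             # http.host
    cert_presented: bool  # cf.tls_client_auth.cert_presented
    cert_verified: bool   # cf.tls_client_auth.cert_verified
    cert_serial: str      # cf.tls_client_auth.cert_serial


def authorize(req: Request) -> tuple[bool, str]:
    """Deny by default; allow only a verified certificate bound to this host."""
    host = req.host.lower()
    if host not in ALLOWED_SERIALS:
        return False, "host not under mTLS policy"
    if not req.cert_presented or not req.cert_verified:
        return False, "no verified client certificate"
    serial = req.cert_serial.lower().replace(":", "")
    if serial not in ALLOWED_SERIALS[host]:
        return False, "certificate not bound to this host"
    return True, "ok"


def waf_expression(host: str) -> str:
    """Render the same policy as a block-rule expression for one hostname.

    Intended to pair with a 'block' action in a WAF custom rule (assumed
    deployment); the expression matches requests that must NOT pass.
    """
    serials = " ".join(f'"{s}"' for s in sorted(ALLOWED_SERIALS[host]))
    return (f'(http.host eq "{host}" and not ('
            f'cf.tls_client_auth.cert_verified and '
            f'cf.tls_client_auth.cert_serial in {{{serials}}}))')
```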