mTLS in front of Cloudflare Pages

I have a Cloudflare Pages site hosted at, say, admin.example.com.

I want users to have a valid TLS Client Certificate installed in order to access this site.

I followed the instructions at https://developers.cloudflare.com/ssl/client-certificates/configure-your-mobile-app-or-iot-device/ to generate a certificate and key, and enabled mTLS in the example.com zone for admin.example.com. As per the instructions, I added a WAF rule configured to block requests matching (http.host in {"admin.example.com"} and not cf.tls_client_auth.cert_verified).

However, all requests to admin.example.com are blocked by this rule. When I go to admin.example.com in Chrome, I would expect to see a popup asking me to choose a certificate to authenticate with, but I just get the Cloudflare block page. When I try using curl with the --cert and --key options, I still get blocked. (The output of curl -v doesn't even include "Request CERT", which I think signifies the server requesting a client cert.)

Is there anything else I need to configure to get this to work?

The zone in question is on the free plan if that matters.

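To confirm the observation above (no "Request CERT" in the handshake) independently of curl, here is an added diagnostic, not part of the original post: it looks for a TLS CertificateRequest message in an `openssl s_client -msg` transcript, which is the message a server sends when it actually asks for a client certificate. The host name is a placeholder and the two transcripts are constructed, abridged samples.

```shell
#!/bin/sh
# Added example, not from the original post. Decides from an
# `openssl s_client -msg` transcript on stdin whether the server ever sent a
# CertificateRequest handshake message (type 13). Without that message the
# client never presents a certificate, so a rule requiring
# cf.tls_client_auth.cert_verified blocks every request.

# Exit status 0 when a CertificateRequest line is present, 1 otherwise.
handshake_requests_client_cert() {
    grep -q 'Handshake \[length [0-9a-f]*\], CertificateRequest'
}

# Live probe (needs network and OpenSSL 1.1.1 or newer); host is a placeholder:
#   probe_client_auth admin.example.com
probe_client_auth() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -msg </dev/null 2>&1 \
        | handshake_requests_client_cert
}

# Constructed sample transcripts, trimmed to the relevant handshake lines.
SAMPLE_WITH_REQUEST='<<< TLS 1.3, Handshake [length 005f], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0020], CertificateRequest
<<< TLS 1.3, Handshake [length 0b3a], Certificate'
SAMPLE_WITHOUT_REQUEST='<<< TLS 1.3, Handshake [length 005f], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0b3a], Certificate'

# Offline demonstration on the constructed samples.
for name in SAMPLE_WITH_REQUEST SAMPLE_WITHOUT_REQUEST; do
    eval "transcript=\$$name"
    if printf '%s\n' "$transcript" | handshake_requests_client_cert; then
        echo "$name: server requested a client certificate"
    else
        echo "$name: no CertificateRequest seen; mTLS is not being negotiated"
    fi
done
```

A live run that prints "no CertificateRequest seen" means the edge is not offering client authentication at all, so the problem is on the server configuration side rather than in the browser or curl.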