Passthrough of client certificates

When a DNS entry is created, with proxy on, for a webserver performing client authentication, client certificates are not passed to the web server and authentication fails, resulting in a 403.

When a DNS entry is created, with proxy off, the web server receives the client certificate.

Is it not possible to use the Cloudflare proxy service and simply passthrough the client certificate authentication process to the web server?

We are not looking to upgrade to Enterprise in order to use Cloudflare’s CA services nor are we wanting to position our CA in Cloudflare, either.

However, is it even technically possible for Cloudflare to simply proxy the traffic as a TCP proxy (like our nginx ingress controllers do) and NOT intercept the SSL transaction?

We’ve tried creating a page rule and disabling SSL but that generates a 301 max_redirects.

Unfortunately, Cloudflare does not support the passthrough of client certificates when proxying traffic on non-Enterprise plans. The SSL/TLS termination occurs at Cloudflare’s edge, which strips the client certificate. If you need to maintain client certificate authentication, you must disable the Cloudflare proxy (set DNS to “DNS only” by clicking the orange cloud to turn it grey) so that connections go directly to your server. There is no way to bypass this limitation on non-Enterprise plans. The 301 max_redirects error when disabling SSL in page rules suggests a redirect loop, which is likely a separate configuration issue.
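To make the distinction in this thread concrete, here is an added example (not from the original thread or from Cloudflare) of the two nginx modes the question contrasts: a layer-7 reverse proxy that terminates TLS and therefore must verify the client certificate itself, beside a layer-4 stream passthrough that forwards the raw TLS session so the origin performs the handshake and receives the client certificate directly. Hostnames, paths and origin addresses are placeholders; the two blocks are alternatives and cannot both bind port 443 on the same host.

```nginx
events {}

# Mode 1: TLS terminated at the proxy (what a layer-7 proxy does).
# The proxy completes the handshake, so the origin never sees the client
# certificate; the best the proxy can do is verify it here and forward
# the result as headers. An edge that terminates TLS but does not verify
# client certificates has nothing to pass on at all.
http {
    server {
        listen 443 ssl;
        server_name app.example.com;                     # placeholder

        ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder
        ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder

        # Client certificates are checked against our own CA at the proxy.
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder
        ssl_verify_client on;

        location / {
            proxy_pass http://10.0.0.10:8080;            # placeholder origin
            # The origin only learns the verified identity through headers.
            proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
            proxy_set_header X-Client-Verify  $ssl_client_verify;
        }
    }
}

# Mode 2: TCP passthrough (layer 4), the behaviour the question asks for.
# TLS is NOT terminated here: nginx only peeks at the SNI in the
# ClientHello to pick a backend, then forwards the encrypted stream
# unchanged. The origin does the handshake and sees the client certificate.
stream {
    map $ssl_preread_server_name $backend {
        app.example.com 10.0.0.10:443;                   # placeholder origin
        default         10.0.0.10:443;
    }

    server {
        listen 443;
        ssl_preread on;      # read SNI without decrypting
        proxy_pass $backend;
    }
}
```

Mode 2 requires nginx built with the stream and ssl_preread modules; note that the passthrough proxy cannot inspect or filter the HTTP traffic, which is the trade-off against a terminating edge.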
