Setting up Authenticated Origin Pulls

#1

I am having trouble understand on how to set it up.

Right now i have an ssl from KOMODO uploaded on my server and thus the selected service on cloudflare is FULL(strict).

If i follow this guide located here : https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/

Do i just need to upload this certificate located there and set my cloudflare account to full instead of full strict, then configure something ? and change the option authenticated origin plus to yes?

If yes in what path do i save the certificate?
what configurations do i need to do ?

How can i proceed to activate Authentication origin pulls , im lost on the guides since they are not that noob friendly.

I am using
CentOS7 and nginx.

Thank you.

1 Like

#2

found how to edit.

0 Likes

#3

This sounds like two different uses of certificates.

Authenticated Origin Pulls aren’t something most users here use. It’s to make sure only Cloudflare can get responses from your web server. This has nothing to do with SSL Mode (Full or Strict).

I’d say hold off for now…but when you’re ready, here are the instructions for NGINX:

0 Likes

#4

I can’t hold on since i am getting ddosed due to my ip being exposed on censys.io and from my understanding this should fix the issue.

So all i have to do is put that certificate in /etc/nginx/certs/cloudflare.crt

Then add those 2 lines in my ssl configuration ?

And i can keep using my ssl as FULL STRICT since i have bought and uploaded one from KOMODO.

thanks for your reply. @sdayman

0 Likes

#5

Make sure you restart NGINX after you add the cloudflare cert and add those lines to your NGINX conf file.

You can keep using your Comodo cert in Full (Strict) mode. That’s separate from Authenticated Origin Pulls.

If you have firewall control over your server, it’s more effective to block port 80 and 443 except for Cloudflare IP addresses. If you’re on Digital Ocean or Vultr (maybe others as well), they have good upstream firewalls you can configure.

1 Like

#6

Just FYI, authenticated origin pulls won’t hide your IP from censys/other tools since nginx will still respond on port 443, exposing your origin’s SSL certificate (they just won’t be able to access the backed web app). As @sdayman said, you should set up a provider-level firewall rule (see here for AWS, GCP, or DigitalOcean) to completely prevent these tools from finding your server whatsoever.

1 Like

closed #7

This topic was automatically closed after 30 days. New replies are no longer allowed.

0 Likes