Why is 'Authenticated Origin Pulls' still working when disabled?


I setup Cloudflare in front of an origin server. The origin server is a loadbalancer.org appliance. However, I don’t think that’s relevant for my question below.

I am using the origin-server.pem from Cloudflare as server certificate and it works well. This file contains the server key and certificate.
I am using the origin-pull-ca.pem certificate downloaded from https://support.cloudflare.com/hc/en-us/articles/204899617 and it works well too.

The relevant SSL/TLS settings in the Cloudflare dashboard are:

SSL: Full (strict)
Origin Certificate: I created and use a free server certificate from Cloudflare.
Authenticated Origin Pulls: On

All works well: I can access my origin via Cloudflare. And I cannot access my origin bypassing Cloudflare because the client certificate is not installed on my test client. This is all great and as expected.

Now I set

Authenticated Origin Pulls: Off

without any other change
and everything is still working. I can still access the origin via Cloudflare. Now my question is:

Why are requests from Cloudflare still accepted at the origin when I disabled Authenticated Origin Pulls in the Cloudflare dashboard’s Crypto section?

Kind Regards,


This topic was automatically closed after 14 days. New replies are no longer allowed.