I set up Cloudflare in front of an origin server. The origin server is a loadbalancer.org appliance. However, I don’t think that’s relevant for my question below.
I am using the origin-server.pem from Cloudflare as the server certificate and it works well. This file contains the server key and certificate.
I am using the origin-pull-ca.pem certificate downloaded from https://support.cloudflare.com/hc/en-us/articles/204899617 and it works well too.
The relevant Crypto settings in the Cloudflare dashboard are:
SSL: Full (strict)
Origin Certificate: I created and use a free server certificate from Cloudflare.
Authenticated Origin Pulls: On
All works well: I can access my origin via Cloudflare. And I cannot access my origin bypassing Cloudflare because the client certificate is not installed on my test client. This is all great and as expected.
Now I set
Authenticated Origin Pulls: Off
without any other change
and everything is still working. I can still access the origin via Cloudflare. Now my question is:
Why are requests from Cloudflare still accepted at the origin when I disabled Authenticated Origin Pulls in the Cloudflare dashboard’s Crypto section?