The Cloudflare Access documentation mentions only two ways to secure your origin:
- Argo Tunnel
- Allow only Cloudflare IPs and verify JWTs (in header
Why aren’t Authenticated Origin Pulls a third option? Verifying Cloudflare’s client cert is less troublesome than maintaining a list of Cloudflare IPs and is easy to configure in reverse proxies.
Also, unlike IPs, the client cert can’t be spoofed/man-in-the-middled by the ISP or a TCP reverse proxy. Thus the backend can trust the
Though there are some disadvantages:
- Blocking non-Cloudflare IPs at the firewall or reverse proxy reduces the strain of DDoS attacks directly on the origin (since the attacker can’t reach the costly TLS handshake step). So IP restriction should be done anyway.
- An insider attacker with the ability to bypass Cloudflare and a TLS-terminating reverse proxy could spoof the Cf-Access-Authenticated-User-Email header to the backend, allowing them to escalate their access in the backend app to impersonate any user. So the JWT should be verified in the backend regardless. (But then why does Cloudflare provide this scary header in the first place?)
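An added configuration example (not from the original post and not Cloudflare's own documentation) showing how the two origin controls discussed above combine in an nginx reverse proxy: Authenticated Origin Pulls via client certificate verification, plus an IP allowlist as the second layer. The file paths, server name and backend address are assumptions.

```nginx
# Assumptions: Cloudflare's origin-pull CA certificate has been downloaded
# to /etc/nginx/cloudflare/origin-pull-ca.pem, and the Cloudflare IP ranges
# are kept in /etc/nginx/cloudflare/allow-ips.conf as lines of the form
# "allow 203.0.113.0/24;" (regenerated whenever Cloudflare updates the list).

server {
    listen 443 ssl;
    server_name app.example.com;

    # Origin certificate presented to Cloudflare's edge.
    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # Authenticated Origin Pulls: the TLS handshake only succeeds if the
    # client presents a certificate chaining to Cloudflare's origin-pull CA.
    # Unlike a source IP, this cannot be forged by an intermediate network hop.
    ssl_client_certificate /etc/nginx/cloudflare/origin-pull-ca.pem;
    ssl_verify_client on;

    # IP allowlist as a second layer. Note that nginx evaluates allow/deny
    # after the handshake, so to shed DDoS traffic before the TLS cost is
    # paid, the same ranges should also be enforced in the host firewall.
    include /etc/nginx/cloudflare/allow-ips.conf;
    deny all;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        # Clear the identity header so the application cannot be tempted to
        # trust it; the application must verify the Access JWT itself.
        proxy_set_header Cf-Access-Authenticated-User-Email "";
    }
}
```

With ssl_verify_client on, a connection without a valid Cloudflare client certificate is rejected during the handshake rather than reaching any location block.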