Why not use Authenticated Origin Pulls to secure origins for Cloudflare Access?


The Cloudflare Access documentation mentions only two ways to secure your origin:

  1. Argo Tunnel
  2. Allow only Cloudflare IPs and verify JWTs (in header Cf-Access-Jwt-Assertion or cookie CF_Authorization)

To secure your origin, you must also enable Argo Tunnel or limit connections to your origin to allow only Cloudflare IPs and verify the JWT.

Why aren’t Authenticated Origin Pulls a third option? Verifying Cloudflare’s client cert is less troublesome than maintaining a list of Cloudflare IPs and is easy to configure in reverse proxies.

Also, unlike IPs, the client cert can’t be spoofed/man-in-the-middled by the ISP or a TCP reverse proxy. Thus the backend can trust the Cf-Access-Authenticated-User-Email header.

Though there are some disadvantages:

  1. Blocking non-Cloudflare IPs at the firewall or reverse proxy reduces the strain of DDoS attacks directly on the origin (since the attacker can’t reach the costly TLS handshake step). So IP restriction should be done anyway.
  2. An insider attacker with the ability to bypass Cloudflare and a TLS-terminating reverse proxy could spoof the Cf-Access-Authenticated-User-Email header to the backend, allowing them to escalate their access in the backend app to impersonate any user. So the JWT should be verified in the backend regardless. (But then why does Cloudflare provide this scary header in the first place?)


Maybe I’m wrong, but nothing really stops you from combining Authenticated Origin Pulls, does it? Is this more just a case of documentation?


It is a case of documentation. But in this case the documentation is super important. If the admin messes this up, their server is completely insecure and unprotected by Cloudflare Access. And worse, they think it is protected.
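The combination discussed in this thread, written out as an nginx reverse-proxy configuration. This is an added example, not configuration from any poster or from Cloudflare's documentation. The hostname, file paths and backend address are placeholders, and IP filtering is assumed to happen at the firewall in front of nginx.

```nginx
# Added example. app.example.com, the /etc/nginx/tls/ paths and 127.0.0.1:8080
# are placeholders. Restricting source IPs to Cloudflare is assumed to be done
# at the firewall, so that other clients never reach the TLS handshake.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # Authenticated Origin Pulls: the handshake must present a client
    # certificate that chains to the origin-pull CA stored in this file.
    ssl_client_certificate /etc/nginx/tls/origin-pull-ca.pem;

    # Weak settings: "off" (the nginx default) never asks for a certificate,
    # and "optional" lets requests without one through unless
    # $ssl_client_verify is checked separately.
    # Corrected setting: reject every connection without a valid certificate.
    ssl_verify_client on;

    location / {
        # Never let the identity header reach the backend. Anything that can
        # talk to this proxy, or to the backend behind it, could set it.
        proxy_set_header Cf-Access-Authenticated-User-Email "";

        # Forward the signed token so the backend derives the user from it.
        proxy_set_header Cf-Access-Jwt-Assertion $http_cf_access_jwt_assertion;

        proxy_pass http://127.0.0.1:8080;
    }
}

# If origin-pull-ca.pem is Cloudflare's shared origin-pull CA, a valid client
# certificate only shows that the request came through the Cloudflare network,
# not that it passed this application's Access policy. The backend still has
# to verify the JWT's signature, audience and expiry before trusting the user
# identity it carries.
```

Setting a header to an empty string with `proxy_set_header` makes nginx omit it from the proxied request, so the backend has no email header to trust by mistake.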