This repository was archived by the owner on Aug 30, 2024. It is now read-only.
Feature request: origin CA certificates and authenticated origin pulls support
Description
Cloudflare (and other similar service providers) offers origin certificates and mTLS, which allow origin servers to authenticate incoming requests from Cloudflare and vice versa using TLS certificates. This can provide an additional layer of security and prevent unauthorized access to the origin server.
Why is this feature important?
This feature is important for several reasons:
It can improve the security and privacy of the communication between Cloudflare and the origin server, reducing the attack surface and preventing malicious actors from impersonating Cloudflare or the origin server.
It can simplify the configuration and management of the origin server, as it does not need to rely on IP whitelisting or other methods to identify Cloudflare traffic.
It allows engineers to properly implement solutions like Cloudflare Zero Trust in front of applications hosted on Kraud.
Use cases
Some possible use cases for this feature are:
A web application that handles sensitive data and wants to ensure that only authorized requests from Cloudflare can reach the origin server.
A web application that doesn't implement authentication/authorization and relies on Cloudflare Zero Trust to cover such uses.
Proposed solution
The proposed solution is to add support for authenticated origin pulls and mTLS in this project. This would involve:
Generating and installing an origin certificate.
Configuring the origin server to require and validate the client certificate for incoming requests.
Configuring Cloudflare to require and validate the client certificate for outgoing requests to the origin server.
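The three steps above, carried through end to end as an added example (this is not code from this project or from Cloudflare). The program mints a throwaway origin CA, origin-pull CA and unrelated CA, starts an origin that presents its origin certificate and requires every client certificate to chain to the origin-pull CA, and then plays the upstream proxy three ways: with the trusted client certificate, with none, and with a certificate from a CA the origin does not trust. Every name in it (origin.example, edge-proxy, impostor, the helper functions mint, NewScenario and Fetch) is constructed for the example; in a real deployment the origin certificate and the CA that signs the proxy's client certificates are issued by the provider, and the origin only has to load that CA as its client CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mint makes a throwaway certificate for cn: a self-signed CA when issuer is nil, otherwise an
// end-entity certificate signed by issuer and limited to eku. The CAs minted here are stand-ins
// for the provider-run CAs of a real deployment; failures are bugs in a demo, so they panic.
func mint(cn string, issuer *tls.Certificate, eku x509.ExtKeyUsage) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // the example origin listens on loopback
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Scenario is one origin server plus the certificates each side of the connection needs.
type Scenario struct {
	Server    *httptest.Server
	OriginCA  tls.Certificate // the edge trusts this when checking the origin's certificate
	EdgeCert  tls.Certificate // client certificate the edge presents, issued by the pull CA
	RogueCert tls.Certificate // client certificate from an unrelated CA; the origin must refuse it
}

// NewScenario starts an origin that serves its origin certificate and accepts only clients
// whose certificate chains to the origin-pull CA: the authenticated-origin-pull rule.
func NewScenario() *Scenario {
	originCA, pullCA, rogueCA := mint("origin CA", nil, 0), mint("origin-pull CA", nil, 0), mint("unrelated CA", nil, 0)
	origin := mint("origin.example", &originCA, x509.ExtKeyUsageServerAuth)
	edge := mint("edge-proxy", &pullCA, x509.ExtKeyUsageClientAuth)
	rogue := mint("impostor", &rogueCA, x509.ExtKeyUsageClientAuth)
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(pullCA.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// By the time a handler runs the chain has been verified; the CN is left for logging or policy.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{origin},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no trusted client certificate, no connection
		ClientCAs:    clientCAs,
	}
	srv.StartTLS()
	return &Scenario{srv, originCA, edge, rogue}
}

// Fetch plays the upstream proxy: it verifies the origin's certificate against OriginCA and
// presents whatever client certificates it is given (none, in the unauthenticated case).
func (s *Scenario) Fetch(clientCerts ...tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(s.OriginCA.Leaf)
	cfg := &tls.Config{RootCAs: roots, Certificates: clientCerts, MinVersion: tls.VersionTLS12}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(s.Server.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	sc := NewScenario()
	defer sc.Server.Close()
	fmt.Println(sc.Fetch(sc.EdgeCert))  // hello edge-proxy <nil>
	fmt.Println(sc.Fetch())             // "" plus a TLS error: the origin demanded a certificate
	fmt.Println(sc.Fetch(sc.RogueCert)) // "" plus a TLS error: unknown certificate authority
}
```

The third request is the one worth noticing: a well-formed client certificate from a CA the origin does not trust is rejected exactly like no certificate at all, so what gates access is the trust anchor loaded into ClientCAs, not the mere presence of a certificate. The same three settings map directly onto a reverse proxy's configuration: the origin certificate and key it serves, the client CA bundle it trusts, and client verification set to required rather than optional.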
Complete step-by-step documentation is available from Cloudflare here:
Additional context
This feature request is motivated by the need to enhance the security and privacy of the communication between upstream proxies and the origin server and support security solutions like Cloudflare Zero Trust. It could also enable more flexibility and control over the access and authorization policies based on the certificate attributes. This feature would be beneficial for any web application or service that wants to leverage Cloudflare's features while maintaining a secure connection with the origin server and/or the end user.