
Authenticated Origin Pulls — Complete Guide

DodaTech 8 min read

In this tutorial, you'll learn about Authenticated Origin Pulls. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Authenticated Origin Pulls is a Cloudflare security feature built on mutual TLS (mTLS): your origin server accepts only connections that present a valid Cloudflare client certificate. This prevents attackers from bypassing Cloudflare and connecting directly to your origin IP address, even if they discover it through DNS history or data breaches.

Why Authenticated Origin Pulls Matter

Your origin server's IP address is one of your most sensitive assets. Attackers can discover it through historical DNS records, certificate transparency logs, or compromised third-party services. Once they have the origin IP, they can send requests directly to your server, bypassing all Cloudflare security features -- WAF, DDoS protection, bot management, and SSL/TLS termination. Authenticated Origin Pulls close this gap by requiring a TLS client certificate that only Cloudflare possesses. Without this certificate, connection attempts from any source (including the attacker) are rejected at the TLS handshake level.

Real-World Use Case

A fintech company's origin IP was leaked through a misconfigured SPF record exposed in DNS history. Before they noticed, attackers launched a direct-to-origin attack targeting the login API endpoint, bypassing Cloudflare's WAF and Rate Limiting. After implementing Authenticated Origin Pulls, all direct connections to the origin IP were rejected. Only connections carrying Cloudflare's client certificate succeeded. The attack surface was reduced to a single, Cloudflare-protected entry point.

How Authenticated Origin Pulls Work

flowchart TD
    A[Visitor] -- Request --> B[Cloudflare Edge]
    B -- Request + Cloudflare client cert --> C{Origin Server}
    D[Attacker] -- Direct request, no client cert --> C
    C --> E{Validate Client Cert}
    E -->|Valid Cloudflare Cert| F[Process Request]
    E -->|Invalid or Missing Cert| G[Reject Connection]

    style F fill:#27ae60,color:#fff
    style G fill:#e74c3c,color:#fff
    style D fill:#c0392b,color:#fff

When a client connects to your origin server, TLS 1.2 or 1.3 allows the server to request a client certificate. Cloudflare's edge is configured to present its client certificate automatically. Your origin server is configured to trust only Cloudflare's CA. Any connection without a valid Cloudflare-issued client certificate is terminated before it reaches your application.

Enabling Authenticated Origin Pulls

# Enable Authenticated Origin Pulls for a zone
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/tls_client_auth" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "on"}' | python3 -m json.tool
# Expected output:
# {
#   "result": {
#     "id": "tls_client_auth",
#     "value": "on"
#   },
#   "success": true
# }

Once enabled at the zone level, Cloudflare presents a client certificate for every origin connection. You can also enable this per-hostname using the Cloudflare dashboard under SSL/TLS > Origin Server > Authenticated Origin Pulls. The feature requires Full or Full Strict SSL mode.

Obtaining the Cloudflare CA Certificate

# Download the Cloudflare Origin CA certificate bundle
# (-f makes curl fail on an HTTP error instead of saving an error page as the "CA")
sudo curl -fsS "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem" \
  -o /etc/ssl/certs/cloudflare-ca.pem

# Verify the certificate
openssl x509 -in /etc/ssl/certs/cloudflare-ca.pem -noout -text | grep -E "Subject:|Issuer:|Not Before"
# Expected output:
# Subject: C = US, O = Cloudflare, Inc., OU = Authenticated Origin Pull CA
# Issuer: C = US, O = Cloudflare, Inc., OU = Authenticated Origin Pull CA
# Not Before: Jan  1 00:00:00 2025 GMT

The Cloudflare CA certificate is used by your origin server to validate the client certificate presented by Cloudflare's edge. The certificate bundle includes the root and intermediate CA certificates needed to build the full trust chain.

Configuring Nginx for Authenticated Origin Pulls

# Configure Nginx to require Cloudflare client certificate
sudo tee /etc/nginx/sites-available/example.com << 'EOF'
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/origin.pem;
    ssl_certificate_key /etc/ssl/private/origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls configuration
    ssl_client_certificate /etc/ssl/certs/cloudflare-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Optional: pass verification status to the application
    # (proxy_set_header only takes effect in a location that uses proxy_pass)
    proxy_set_header X-Cloudflare-Client-Cert-Verified $ssl_client_verify;

    root /var/www/example.com;
}
EOF

# Test and reload
sudo nginx -t && sudo systemctl reload nginx
# Expected output:
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful

The ssl_client_certificate directive specifies the Cloudflare CA certificate. ssl_verify_client on makes client certificate verification mandatory. If a connection does not present a valid Cloudflare client certificate, Nginx rejects it at the TLS level before passing any data to the application.

Configuring Apache for Authenticated Origin Pulls

# Configure Apache to require Cloudflare client certificate
sudo tee /etc/apache2/sites-available/example.com-ssl.conf << 'EOF'
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName example.com
        DocumentRoot /var/www/example.com

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/origin.pem
        SSLCertificateKeyFile /etc/ssl/private/origin.key
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

        # Authenticated Origin Pulls configuration
        SSLCACertificateFile /etc/ssl/certs/cloudflare-ca.pem
        SSLVerifyClient require
        SSLVerifyDepth 2

        # Optional header for application
        RequestHeader set X-Cloudflare-Client-Cert-Verified "%{SSL_CLIENT_VERIFY}s"
    </VirtualHost>
</IfModule>
EOF

# Enable and reload (mod_headers is required for the RequestHeader directive)
sudo a2enmod ssl headers && sudo a2ensite example.com-ssl && sudo systemctl reload apache2
# Expected output:
# Module ssl already enabled
# Site example.com-ssl already enabled

Apache configuration is similar to Nginx. SSLVerifyClient require enforces client certificate validation. Without it, or with SSLVerifyClient optional, Apache would at most request but not require the client certificate, and connections without a certificate would still reach your application.

Testing Authenticated Origin Pulls

# Test connection from a source without Cloudflare client cert (should fail)
curl -vI https://example.com --resolve example.com:443:YOUR_ORIGIN_IP 2>&1 | grep -E "SSL|error|verify"
# Expected output:
# curl: (35) error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
# or
# SSL certificate verify failed

# Cloudflare-proxied request (should succeed)
curl -sI https://example.com | head -5
# Expected output:
# HTTP/2 200

Direct requests to the origin IP without a Cloudflare client certificate should fail with a TLS alert. Requests routed through Cloudflare's edge succeed because Cloudflare automatically presents the client certificate. This confirms the protection is working.

Common Errors and Troubleshooting

SSL Connection Refused After Enabling

If you enable Authenticated Origin Pulls but have not configured the origin server to require a client certificate, traffic still flows normally. If you have configured the origin but forgotten to install the Cloudflare CA certificate, all connections fail. Solution: verify the CA certificate is installed in the correct location and the web server configuration references it.
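The enforcement described under How Authenticated Origin Pulls Work, the two probes from the Testing section, and the "forgot to install the CA" failure above can all be re-enacted on one machine without touching Cloudflare. The script below is an added example, not part of this guide and not Cloudflare's code: a throwaway CA stands in for Cloudflare's Origin Pull CA, openssl s_server stands in for the origin configured with ssl_verify_client on, and two curl probes play the edge (presents a client certificate) and a direct-to-origin client (presents none). It assumes openssl and curl are installed and that local port 18443 is free (override with AOP_DEMO_PORT); the function names make_test_pki, check_ca_file, start_origin, probe_origin and demo, and the scratch directory from mktemp, are the example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): a local re-enactment of what the
# origin does under Authenticated Origin Pulls. A throwaway CA stands in for
# Cloudflare's Origin Pull CA, `openssl s_server` stands in for the origin
# (configured like `ssl_verify_client on`), and two curl probes play the edge
# (presents a client certificate) and a direct-to-origin client (presents none).
# Assumes openssl and curl are installed and a local port is free.
set -eu

WORK="${AOP_DEMO_DIR:-$(mktemp -d)}"   # scratch directory, throwaway
PORT="${AOP_DEMO_PORT:-18443}"         # local port for the stand-in origin
ORIGIN_PID=""

# Throwaway PKI: CA, origin certificate, and one client certificate issued by the
# same CA (the role Cloudflare's edge certificate plays). Idempotent.
make_test_pki() {
  [ -f "$WORK/client.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Origin Pull CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  printf 'subjectAltName=DNS:localhost\n' > "$WORK/san.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/server.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=edge-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.pem" >/dev/null 2>&1
}

# Sanity check for an installed CA file (the "forgot to install the CA" case from
# the troubleshooting section): readable, parses as X.509, is a CA, and does not
# expire within the hour. Returns 0 only when all of that holds.
check_ca_file() {
  f="$1"
  [ -r "$f" ] || return 1
  openssl x509 -in "$f" -noout >/dev/null 2>&1 || return 1
  openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$f" -noout -checkend 3600 >/dev/null 2>&1
}

# Stand-in origin: -Verify makes the client certificate mandatory (the s_server
# equivalent of ssl_verify_client on / SSLVerifyClient require) and -CAfile is the
# only trust anchor, like ssl_client_certificate / SSLCACertificateFile.
start_origin() {
  openssl s_server -accept "$PORT" -cert "$WORK/server.pem" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.pem" -Verify 2 -www -quiet >/dev/null 2>&1 &
  ORIGIN_PID=$!
}

stop_origin() {
  [ -n "$ORIGIN_PID" ] && kill "$ORIGIN_PID" 2>/dev/null || true
  [ -n "$ORIGIN_PID" ] && wait "$ORIGIN_PID" 2>/dev/null || true
  ORIGIN_PID=""
}

# Probe the origin over HTTPS. "edge" presents the client certificate, as
# Cloudflare's edge does; anything else connects with no certificate, like a
# direct-to-origin client. Returns curl's exit status (0 only on a completed exchange).
probe_origin() {
  if [ "${1:-}" = "edge" ]; then
    curl -s -o /dev/null --max-time 5 --cacert "$WORK/ca.pem" \
      --cert "$WORK/client.pem" --key "$WORK/client.key" "https://localhost:$PORT/"
  else
    curl -s -o /dev/null --max-time 5 --cacert "$WORK/ca.pem" "https://localhost:$PORT/"
  fi
}

# Full run. Returns 0 only if the origin behaves as the guide describes:
# the edge probe is accepted and the direct probe is rejected.
demo() {
  make_test_pki
  start_origin
  n=0; edge_rc=1
  while [ "$n" -lt 20 ]; do          # the edge probe doubles as the readiness wait
    if probe_origin edge; then edge_rc=0; break; fi
    n=$((n + 1)); sleep 1
  done
  if probe_origin; then direct_rc=0; else direct_rc=$?; fi
  stop_origin
  echo "edge (client cert): curl exit $edge_rc; direct (no cert): curl exit $direct_rc"
  [ "$edge_rc" -eq 0 ] && [ "$direct_rc" -ne 0 ]
}

demo
```

Run it with sh; the single output line shows curl exit 0 for the probe that presented the client certificate and a non-zero exit for the one that did not. Adding -v to the direct probe's curl shows the same "certificate required" TLS alert the Testing section expects against a real origin, and check_ca_file is the test to run against /etc/ssl/certs/cloudflare-ca.pem when all connections fail after enabling the feature.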

Certificate Verification Depth Issues

If your web server uses an insufficient ssl_verify_depth, the certificate chain validation may fail. Solution: set ssl_verify_depth 2 to accommodate the Cloudflare CA chain which typically has one intermediate certificate.

Hostname-Level Authentication Not Working

Authenticated Origin Pulls can be enabled per hostname or per zone. If you enable it at the zone level but a hostname is DNS-only (gray cloud), the feature does not apply because traffic bypasses Cloudflare. Solution: ensure all hostnames you want to protect are proxied through Cloudflare (orange cloud).

Application Cannot Read Client Certificate Status

If your application needs to know whether the request came with a valid client certificate, configure the web server to pass the verification status via a header. Without this, your application cannot distinguish between authenticated and unauthenticated requests if you use optional verification. Trust such a header only when the proxy sets it on every request (nginx proxy_set_header and Apache RequestHeader set both overwrite any client-supplied value) and the application is reachable only through that proxy.

Performance Impact

Client certificate validation adds a small overhead to the TLS handshake. In practice, the impact is negligible -- typically under 5 milliseconds per connection. The security benefit of preventing direct-to-origin attacks far outweighs this minimal latency increase.

Practice Questions

  1. What type of TLS authentication does Cloudflare Authenticated Origin Pulls use?
  2. Which Nginx directives are required to enforce client certificate verification?
  3. What happens when an attacker tries to connect directly to your origin IP after enabling this feature?

FAQ

Does Authenticated Origin Pulls work with all SSL modes?

No. Authenticated Origin Pulls requires Full or Full Strict SSL mode. Cloudflare must establish a TLS connection to the origin to present the client certificate. If you use Flexible or Off mode, Cloudflare connects to the origin over HTTP, and client certificate authentication cannot be performed.

Can I use my own client certificate instead of Cloudflare's?

Authenticated Origin Pulls is designed around Cloudflare's own CA. You must use the Cloudflare-issued client certificate. However, you can combine Authenticated Origin Pulls with your own mTLS requirements by configuring your origin server to require both the Cloudflare CA certificate and your own CA certificate for application-level authentication.

How do I rotate the Cloudflare CA certificate?

Cloudflare manages the CA certificate on their edge. You only need to download the updated CA certificate from Cloudflare's developer docs and replace it on your origin server. Cloudflare provides advance notice before CA certificate changes. Monitor Cloudflare's status page and developer blog for update announcements.

Summary

Authenticated Origin Pulls is a critical security control that prevents direct-to-origin attacks by requiring TLS client certificate authentication at the origin server. It ensures that only Cloudflare-proxied traffic reaches your application. Implementation requires enabling the feature in Cloudflare, downloading the Cloudflare CA certificate, and configuring your origin server (Nginx, Apache, or other) to require and validate the client certificate. After setup, any connection attempt without a valid Cloudflare certificate is rejected at the TLS handshake level.
