Set up Authenticated Origin Pulls with AWS

This guide will walk you through how to set up per-hostname authenticated origin pulls to securely connect to an AWS Application Load Balancer using mutual TLS verification.

You can also find instructions on how to rollback this setup in Cloudflare.

Before you begin

You should already have your AWS account and EC2 configured. Note that this tutorial uses the command-line interface (CLI) to generate a custom certificate, and API calls to configure Cloudflare Authenticated Origin Pulls.

For the most up-to-date documentation on how to set up AWS, refer to the AWS documentation.

1. Generate a custom certificate

Run the following command to generate a 4096-bit RSA private key, using AES-256 encryption. Enter a passphrase when prompted.

openssl genrsa -aes256 -out rootca.key 4096

Create the CA root certificate. When prompted, fill in the information to be included in the certificate. For the Common Name field, use the domain name as the value, not the hostname.

openssl req -x509 -new -nodes -key rootca.key -sha256 -days 1826 -out rootca.crt

Create a Certificate Signing Request (CSR). When prompted, fill in the information to be included in the request. For the Common Name field, use the hostname as the value.

openssl req -new -nodes -out cert.csr -newkey rsa:4096 -keyout cert.key

Sign the certificate using the rootca.key and rootca.crt created in previous steps.

openssl x509 -req -in cert.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -out cert.crt -days 730 -sha256 -extfile ./cert.v3.ext

Make sure the certificate extensions file cert.v3.ext specifies the following:

basicConstraints=CA:FALSE
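The Step 1 commands as one non-interactive script, followed by the check a practitioner wants before uploading anything: that cert.crt actually chains to rootca.crt (which is what the load balancer's trust store will verify) and that the leaf carries CA:FALSE. This is an added example, not Cloudflare's own code; it assumes openssl is in PATH and uses constructed subjects and a constructed passphrase (supplied via -passout/-passin instead of the interactive prompt).

```shell
#!/usr/bin/env bash
# Added example: Step 1 certificate generation plus a chain check.
# Assumptions: openssl in PATH; subjects and passphrase below are constructed.
set -eu

ROOT_SUBJ="/C=US/O=Example Org/CN=example.com"       # domain, not hostname
LEAF_SUBJ="/C=US/O=Example Org/CN=app.example.com"   # the hostname
PASS="${ROOTCA_PASS:-constructed-passphrase}"        # passphrase for rootca.key

gen_chain() {   # $1 = working directory; writes rootca.*, cert.* and cert.v3.ext there
  d="$1"
  # Extensions file required by the signing step: the leaf must not be a CA.
  printf 'basicConstraints=CA:FALSE\n' > "$d/cert.v3.ext"
  # 4096-bit RSA root key, AES-256 encrypted.
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$d/rootca.key" 4096 2>/dev/null
  # Self-signed root certificate, CN = domain.
  openssl req -x509 -new -key "$d/rootca.key" -passin "pass:$PASS" -sha256 -days 1826 \
    -subj "$ROOT_SUBJ" -out "$d/rootca.crt" 2>/dev/null
  # Leaf key and CSR, CN = hostname.
  openssl req -new -nodes -newkey rsa:4096 -keyout "$d/cert.key" -subj "$LEAF_SUBJ" \
    -out "$d/cert.csr" 2>/dev/null
  # Sign the leaf with the root, applying the extensions file.
  openssl x509 -req -in "$d/cert.csr" -CA "$d/rootca.crt" -CAkey "$d/rootca.key" \
    -passin "pass:$PASS" -CAcreateserial -days 730 -sha256 -extfile "$d/cert.v3.ext" \
    -out "$d/cert.crt" 2>/dev/null
}

# Returns 0 only when cert.crt validates against rootca.crt and is marked CA:FALSE.
verify_chain() {   # $1 = working directory
  d="$1"
  openssl verify -CAfile "$d/rootca.crt" "$d/cert.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$d/cert.crt" -noout -text | grep -q 'CA:FALSE' || return 1
}

# Prints the leaf's Common Name so you can confirm it is the hostname.
leaf_cn() {   # $1 = working directory
  openssl x509 -in "$1/cert.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}
```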

2. Configure AWS Application Load Balancer

sudo yum install -y httpd
sudo systemctl start httpd

Create a target group for your Application Load Balancer. Choose Instances as target type. Specify port HTTP/80. After you finish configuring the target group, confirm that the target group is healthy.

Configure a load balancer and a listener. Choose the Internet-facing scheme. Switch the listener to port 443 so that the mTLS option is available, and select the target group created in previous steps.

For Default SSL/TLS server certificate, choose Import certificate > Import to ACM, and add the certificate private key and body.

Under Client certificate handling, select Verify with trust store. Save your settings.

(Optional) Run the following commands to confirm that the Application Load Balancer is asking for the client certificate.

openssl s_client -verify 5 -connect <your-application-load-balancer>:443 -quiet -state

Since you have not yet uploaded the certificate to Cloudflare, the connection should fail (with read:errno=54, for example).

You can also run curl --verbose and confirm that Request CERT (13) is present within the SSL/TLS handshake:

curl --verbose https://<your-application-load-balancer>
...
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
...

3. Configure Cloudflare

1. Upload the certificate you created in Step 1 to Cloudflare. You should use the leaf certificate, not the root CA.

MYCERT="$(cat cert.crt | perl -pe 's/\r?\n/\\n/' | sed -e 's/..$//')"
MYKEY="$(cat cert.key | perl -pe 's/\r?\n/\\n/' | sed -e 's/..$//')"

request_body=$(< <(cat <<EOF
{
  "certificate": "$MYCERT",
  "private_key": "$MYKEY",
  "bundle_method":"ubiquitous"
}
EOF
))

curl -sX POST https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames/certificates \
  --header "Content-Type: application/json" \
  --header "X-Auth-Email: $MYAUTHEMAIL" \
  --header "X-Auth-Key: $MYAUTHKEY" \
  --data "$request_body"

2. Associate the certificate with the hostname that should use it.

curl -s --request PUT \
  --url https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames \
  --header "Content-Type: application/json" \
  --header "X-Auth-Email: $MYAUTHEMAIL" \
  --header "X-Auth-Key: $MYAUTHKEY" \
  --data '{ "config": [ { "enabled": true, "cert_id": "<CERT_ID>", "hostname": "<YOUR_HOSTNAME>" } ] }'

3. Enable the Authenticated Origin Pulls feature on your zone.

curl --request PATCH \
  https://api.cloudflare.com/client/v4/zones/$ZONEID/settings/tls_client_auth \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{ "value": "on" }'

Make sure your encryption mode is set to Full or higher. If you only want to adjust this setting for a specific hostname, use Configuration Rules.
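The three Step 3 API calls as a single script. This is an added example, not Cloudflare's own code. It assumes curl and jq are in PATH, that ZONEID, CF_API_TOKEN (an API token used as a Bearer token for all three calls, in place of the global key) and ORIGIN_HOSTNAME are set, and that cert.crt and cert.key come from Step 1. The PEM-to-JSON helper replaces the perl|sed pipeline above and is the part you can check offline.

```shell
#!/usr/bin/env bash
# Added example: upload the leaf certificate, associate it with the hostname,
# and switch Authenticated Origin Pulls on, using one Bearer-token helper.
# Assumptions: curl and jq in PATH; ZONEID, CF_API_TOKEN, ORIGIN_HOSTNAME set.
set -eu
API="https://api.cloudflare.com/client/v4"

# Joins the lines of a PEM file with a literal "\n" (what the JSON string needs)
# and no trailing "\n". Reads stdin, prints to stdout.
pem_to_json_string() {
  awk 'NR>1{printf "\\n"} {printf "%s", $0}'
}

# Builds the upload body on a single line so neither field contains a raw newline.
build_upload_body() {   # $1 = certificate file, $2 = private key file
  printf '{"certificate":"%s","private_key":"%s","bundle_method":"ubiquitous"}' \
    "$(pem_to_json_string < "$1")" "$(pem_to_json_string < "$2")"
}

# Builds the per-hostname association body for a given state, cert id and hostname.
build_hostname_body() {   # $1 = true|false, $2 = cert id, $3 = hostname
  printf '{"config":[{"enabled":%s,"cert_id":"%s","hostname":"%s"}]}' "$1" "$2" "$3"
}

cf() {   # $1 = HTTP method, $2 = API path, $3 = JSON body
  curl -sS -X "$1" "$API$2" \
    --header "Authorization: Bearer $CF_API_TOKEN" \
    --header "Content-Type: application/json" \
    --data "$3"
}

main() {
  # 1. Upload the leaf certificate and capture the id Cloudflare assigns to it;
  #    jq -e makes the script stop if the response carries no result.id.
  cert_id=$(cf POST "/zones/$ZONEID/origin_tls_client_auth/hostnames/certificates" \
    "$(build_upload_body cert.crt cert.key)" | jq -er '.result.id')
  # 2. Associate that certificate with the hostname.
  cf PUT "/zones/$ZONEID/origin_tls_client_auth/hostnames" \
    "$(build_hostname_body true "$cert_id" "$ORIGIN_HOSTNAME")" | jq -e '.success' >/dev/null
  # 3. Turn the zone-level feature on.
  cf PATCH "/zones/$ZONEID/settings/tls_client_auth" '{"value":"on"}' | jq -e '.success' >/dev/null
  echo "Authenticated Origin Pulls enabled for $ORIGIN_HOSTNAME with certificate $cert_id"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it as `./script.sh run`; with any other argument it only defines the functions, so the body builders can be reused for the rollback PUT by passing `false`.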

Rollback the Cloudflare configuration

1. Use a PUT request to disable Authenticated Origin Pulls on the hostname.

curl -s --request PUT \
  --url https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames \
  --header "Content-Type: application/json" \
  --header "X-Auth-Email: $MYAUTHEMAIL" \
  --header "X-Auth-Key: $MYAUTHKEY" \
  --data '{ "config": [ { "enabled": false, "cert_id": "<CERT_ID>", "hostname": "<YOUR_HOSTNAME>" } ] }'

2. (Optional) Use a GET request (/api/operations/per-hostname-authenticated-origin-pull-list-certificates) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.

curl -s --request GET \
  --url https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames/certificates \
  --header 'Content-Type: application/json' \
  --header "X-Auth-Email: $MYAUTHEMAIL" \
  --header "X-Auth-Key: $MYAUTHKEY"

3. Use the Delete hostname client certificate endpoint to remove the certificate you had uploaded.