Zone-level authenticated origin pulls
When you enable Authenticated Origin Pulls for a zone, all proxied traffic to your zone is authenticated at the origin web server.
Before you begin
1. Upload certificate to origin
First, upload a certificate to your origin.
To use a Cloudflare certificate (which uses a specific CA), download the certificate and upload it to your origin. This certificate is not the same as the Cloudflare Origin CA certificate and will not appear on your Dashboard.
2. Configure origin to accept client certificates
With the certificate installed, set up your origin web server to accept client certificates.
Check the examples below for Apache and NGINX or refer to your origin web server documentation.
For this example, you would have saved the certificate
For this example, you would have saved your certificate to
At this point, you may also want to enable logging on your origin so that you can verify the configuration is working.
3. Configure Cloudflare to use client certificate
Then, enable the Authenticated Origin Pulls feature as an option for your Cloudflare zone.
This step sets the TLS Client Auth to require Cloudflare to use a client certificate when connecting to your origin server.
To enable Authenticated Origin Pulls in the dashboard:
4. Enable Authenticated Origin Pulls for all hostnames in a zone
5. Enforce validation check on your origin
Once you can confirm everything is working as expected for your specific origin setup, configure your origin to enforce the authentication.
After completing the process, you can use curl to send requests directly to your origin IPs, verifying that the requests fail due to certificate validation being enforced.
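An NGINX configuration illustrating steps 2 and 5, added here as an example and not taken from the Cloudflare documentation. The hostname, file paths and log format name are placeholders.

```nginx
# Added example: placeholder hostname and paths, not values from the page.
# Place inside the http {} context.

# Record the client-certificate verification result for every request.
# $ssl_client_verify is SUCCESS, FAILED:<reason>, or NONE (no certificate sent).
log_format aop '$remote_addr [$time_local] "$request" $status '
               'client_verify=$ssl_client_verify subject="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    server_name origin.example.com;                               # placeholder

    # The origin's own server certificate and key (placeholders).
    ssl_certificate     /etc/nginx/certs/origin.example.com.pem;
    ssl_certificate_key /etc/nginx/certs/origin.example.com.key;

    # CA certificate uploaded in step 1; NGINX uses it to verify the
    # client certificate presented on each connection (placeholder path).
    ssl_client_certificate /etc/nginx/certs/origin-pull-ca.pem;

    # Step 2 (accept and observe): ask for a client certificate, but still
    # serve requests that arrive without one so the log can be reviewed first.
    ssl_verify_client optional;

    # Step 5 (enforce): once the log shows client_verify=SUCCESS for proxied
    # traffic, replace the directive above with:
    # ssl_verify_client on;

    access_log /var/log/nginx/aop.log aop;
}
```

With `ssl_verify_client on;` in place, NGINX answers a request that presents no client certificate with a 400 error, which is the failure a direct curl request to the origin IP should show.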