Cloudflare Docs
SSL/TLS
SSL/TLS
Edit this page on GitHub
Set theme to dark (⇧+D)

Zone-level authenticated origin pulls

When you enable Authenticated Origin Pulls for a zone, all proxied traffic to your zone is authenticated at the origin web server.

​​ Before you begin

Make sure your zone is using an SSL/TLS encryption mode of Full or higher.

​​ 1. Upload certificate to origin

First, upload a certificate to your origin.

To use a Cloudflare certificate (which uses a specific CA), download the .PEM file and upload it to your origin. This certificate is not the same as the Cloudflare Origin CA certificate and will not appear on your Dashboard.

To use a custom certificate, follow the API instructions to upload a custom certificate to Cloudflare, but use the origin_tls_client_auth endpoint. Then, upload the certificate to your origin.

​​ 2. Configure origin to accept client certificates

With the certificate installed, set up your origin web server to accept client certificates.

Check the examples below for Apache and NGINX or refer to your origin web server documentation - e.g. HAProxy, Traefik, Caddy.

Apache example
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem

For this example, you would have saved your certificate to /path/to/origin-pull-ca.pem.

To use the Cloudflare certificate, download it from step 1 above, rename the .PEM file, and then upload it to /path/to/origin-pull-ca.pem before applying the settings.

NGINX example
ssl_verify_client optional;
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;

For this example, you would have saved your certificate to /etc/nginx/certs/cloudflare.crt.

To use the Cloudflare certificate, donwload it from step 1 above, rename the .PEM file, and then upload it to /etc/nginx/certs/cloudflare.crt before applying the settings.

At this point, you may also want to enable logging on your origin so that you can verify the configuration is working.

​​ 3. Configure Cloudflare to use client certificate

Then, enable the Authenticated Origin Pulls feature as an option for your Cloudflare zone.

This step sets the TLS Client Auth to require Cloudflare to use a client certificate when connecting to your origin server.

To enable Authenticated Origin Pulls in the dashboard:

  1. Log in to your Cloudflare account and go to a specific domain.
  2. Go to SSL/TLS > Origin Server.
  3. For Authenticated Origin Pulls, switch the toggle to On.

To enable or disable Authenticated Origin Pulls with the API, send a PATCH request with the value parameter set to your desired setting ("on" or "off").

​​ 4. Enable Authenticated Origin Pulls for all hostnames in a zone

Use the Cloudflare API to send a PUT request to enable zone-level authenticated origin pulls.

If you had set up logging on your origin during step 2, test and confirm that Authenticated Origin Pulls is working.

​​ 5. Enforce validation check on your origin

Once you can confirm everything is working as expected for your specific origin setup, configure your origin to enforce the authentication.

Apache example
SSLVerifyClient require
NGINX example
ssl_verify_client on;

After completing the process, you can use curl to send requests directly to your origin IPs, verifying that the requests fail due to certificate validation being enforced.

​​ 6. (Optional) Set up alerts for zone-level Authenticated Origin Pulls certificates

You can configure alerts to receive notifications before your AOP certificates expire.

Zone-level Authenticated Origin Pulls Certificate Expiration Alert

Who is it for?

Customers that upload their own certificate to use with zone-level Authenticated Origin Pull (AOP) to secure connections from Cloudflare to their origin server. AOP certificate expiration notifications are sent 30 days and 14 days before the certificate expiry.

Other options / filters

None.

Included with

Authenticated Origin Pull.

What should you do if you receive one?

Upload a renewed certificate to use for zone-level AOP.

Refer to Cloudflare Notifications for more information on how to set up an alert.