Zone-level authenticated origin pulls
When you enable authenticated origin pulls for a zone, all proxied traffic to your zone is authenticated at the origin web server.
Before you begin
Make sure your zone is using an SSL/TLS encryption mode of Full or higher.
1. Upload certificate to origin
First, upload a certificate to your origin.
To use a Cloudflare certificate (which uses a specific CA), download the .PEM file and upload it to your origin.
To use a custom certificate, upload a custom certificate to Cloudflare following these instructions, but use the
origin_tls_client_auth endpoint. Then, upload the certificate to your origin.
2. Configure origin to accept client certs
With the certificate installed, set up your origin web server to accept client certificates. For this example, you would have saved the certificate For this example, you would have saved the your certificate to
For this example, you would have saved the certificate
For this example, you would have saved the your certificate to
3. Enable authenticated origin pulls (globally)
Then, enable authenticated origin pulls as an option for your Cloudflare zone.
To enable Authenticated Origin Pulls in the dashboard:
- Log in to your Cloudflare account and go to a specific domain.
- Navigate to SSL/TLS > Origin Server.
- For Authenticated Origin Pulls, switch the toggle to On.
PATCHrequest with the
valueparameter set to your desired setting (
4. Enable authenticated origin pulls for zone
Finally, use the Cloudflare API to send a
PUT request to enable or disable zone-level authenticated origin pulls.