
When you enable global Authenticated Origin Pulls (AOP), Cloudflare uses a Cloudflare-provided client certificate for all proxied traffic to your zone. This certificate is shared across all Cloudflare accounts and guarantees that the request is coming from the Cloudflare network.

Global, zone-level, and per-hostname AOP are independent configurations. Enabling or disabling one does not affect the others.

Before you begin

  • Make sure your zone is using an SSL/TLS encryption mode of Full or higher.

  • Consider your security and certificate needs:

    • The Cloudflare-provided certificate is not exclusive to your account. It only guarantees that a request is coming from the Cloudflare network. If you need stricter security, set up zone-level or per-hostname AOP with your own certificate instead.

    • Global AOP is applied to all proxied hostnames on your zone, including custom hostnames configured on a Cloudflare for SaaS zone. If you need a different AOP certificate for different custom hostnames, use per-hostname AOP.

1. Download the Cloudflare certificate

Download the Cloudflare authenticated origin pull certificate (.PEM) and upload it to your origin server. This certificate is not the same as the Cloudflare Origin CA certificate.

2. Configure origin to accept client certificates

With the certificate installed, set up your origin web server to accept client certificates.

Check the examples below for Apache and NGINX or refer to your origin web server documentation - for example, HAProxy, Traefik, Caddy.

Apache example

# CA bundle used to validate the client certificate that Cloudflare presents
SSLCACertificateFile /path/to/origin-pull-ca.pem

For this example, you would have saved your certificate to /path/to/origin-pull-ca.pem.

Rename the downloaded .PEM file and upload it to /path/to/origin-pull-ca.pem before applying the settings.

NGINX example

# Request a client certificate and record the result, but do not reject yet (enforced in step 4)
ssl_verify_client optional;
# CA bundle used to validate the client certificate that Cloudflare presents
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;

For this example, you would have saved your certificate to /etc/nginx/certs/cloudflare.crt.

Rename the downloaded .PEM file and upload it to /etc/nginx/certs/cloudflare.crt before applying the settings.

At this point, you may also want to enable logging on your origin so that you can verify the configuration is working.
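As an added example (not configuration from the Cloudflare page), the NGINX server block below combines the accept step with an access log that records the client-certificate verification result, so the log shows which requests arrived with a valid Cloudflare certificate before enforcement is switched on. The server name, certificate paths and the upstream address are placeholders.

```nginx
# Added example, not from the Cloudflare page. Placeholders: example.com,
# the /etc/nginx/certs/ paths and the 127.0.0.1:8080 upstream.

# $ssl_client_verify is SUCCESS, NONE (no certificate sent) or FAILED:<reason>.
log_format aop '$remote_addr - [$time_local] "$request" $status '
               'client_verify=$ssl_client_verify '
               'client_subject="$ssl_client_s_dn" issuer="$ssl_client_i_dn"';

server {
    listen 443 ssl;
    server_name example.com;

    # Origin server certificate and key presented to Cloudflare (Full mode or higher)
    ssl_certificate     /etc/nginx/certs/origin.crt;
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # CA bundle used to validate the client certificate that Cloudflare presents
    ssl_client_certificate /etc/nginx/certs/cloudflare.crt;

    # Rollout setting: request and check the client certificate, log the result,
    # but do not reject. Change to "on" in step 4 to enforce.
    ssl_verify_client optional;

    # Per-request verification result for checking the setup before enforcing
    access_log /var/log/nginx/aop.log aop;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Once every proxied request is logged with client_verify=SUCCESS, the origin is ready for step 4; lines showing NONE or FAILED identify traffic that would be rejected after enforcement.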

3. Enable global Authenticated Origin Pulls

  1. Go to the Origin Server page.

  2. Select the Authenticated Origin Pulls tab.

  3. In the Global section, switch the toggle to On.

4. Enforce validation check on your origin

Once you can confirm everything is working as expected for your specific origin setup, configure your origin to enforce the authentication.

Apache example

SSLVerifyClient require

NGINX example

ssl_verify_client on;

After completing the process, you can use curl to send requests directly to your origin IPs without a client certificate, verifying that the requests fail because certificate validation is now enforced.