Apache CloudFlare Authenticated Origin Pulls configuration

With Strict SSL enabled, CloudFlare is able to verify that my web server is indeed the real one. Furthermore, I have restricted incoming connections to CloudFlare's IP addresses. This should be reasonably secure, but an attacker could still spoof their source IP address to look like one of CloudFlare's (a man-in-the-middle attack). To mitigate this, the client (CloudFlare) must present a certificate, which is then verified by (my) web server.

Apache setup

In test-driven development, programmers first write a test that the code fails, then build the functionality until the test passes. Similarly, I set up Apache to verify the client certificate before enabling the Authenticated Origin Pulls feature in CloudFlare.

Firstly, download CloudFlare’s origin-pull-ca.pem and place it somewhere on the server. On my Raspberry Pi, I placed it at /var/www/cloudflare-origin-pull-ca.pem.

In the Apache site configuration file, add these three lines:

# Reject any connection that does not present a valid client certificate
SSLVerifyClient require
# Maximum certificate chain length Apache will walk when verifying the client
SSLVerifyDepth 10
# CA that must have signed the client certificate (CloudFlare's origin-pull CA)
SSLCACertificateFile /var/www/cloudflare-origin-pull-ca.pem
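Before reloading Apache it is worth confirming that the three directives are really present, that SSLVerifyClient says require rather than optional (optional would still accept connections with no client certificate, which is exactly what origin pulls are meant to stop), and that the CA file path points at a well-formed PEM file, because a wrong path stops Apache from starting. The script below is an added example and not part of the original post; the function names, the constructed config fragment and the placeholder PEM file it writes are all assumptions made for illustration, and it only inspects text, it does not talk to Apache or CloudFlare.

```python
"""Sanity-check an Apache site config for the CloudFlare Authenticated
Origin Pulls directives before reloading Apache (added example)."""
import base64
import re
import ssl
import tempfile
from pathlib import Path

# Directive (lowercased) -> expected value; None means any non-empty value.
REQUIRED = {
    "sslverifyclient": "require",
    "sslverifydepth": None,
    "sslcacertificatefile": None,
}

_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(.+?)\s*$")


def parse_directives(config_text: str) -> dict:
    """Return {directive: value} for simple one-value directives.

    Blank lines, '#' comments and section tags such as <VirtualHost>
    are skipped; a repeated directive keeps its last value, which is how
    Apache resolves repeats within one scope."""
    found = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#<":
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip().strip('"')
    return found


def check_ca_file(path: Path) -> list:
    """Confirm the CA bundle exists and holds at least one PEM block whose
    body is valid base64 (ssl.PEM_cert_to_DER_cert checks exactly that)."""
    if not path.is_file():
        return [f"CA file {path} does not exist"]
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
        path.read_text(), re.S)
    if not blocks:
        return [f"CA file {path} contains no PEM certificate"]
    for block in blocks:
        try:
            ssl.PEM_cert_to_DER_cert(block)
        except ValueError as exc:
            return [f"CA file {path} has a malformed certificate: {exc}"]
    return []


def check_origin_pull_config(config_text: str) -> list:
    """Return a list of problems; an empty list means the config is ready."""
    problems = []
    directives = parse_directives(config_text)
    for name, expected in REQUIRED.items():
        value = directives.get(name)
        if value is None:
            problems.append(f"missing directive {name}")
        elif expected is not None and value.lower() != expected:
            problems.append(f"{name} is '{value}', expected '{expected}'")
    depth = directives.get("sslverifydepth")
    if depth is not None and not depth.isdigit():
        problems.append(f"sslverifydepth must be an integer, got '{depth}'")
    ca_path = directives.get("sslcacertificatefile")
    if ca_path is not None:
        problems.extend(check_ca_file(Path(ca_path)))
    return problems


def write_sample_ca(directory: Path) -> Path:
    """Write a constructed PEM file standing in for origin-pull-ca.pem.
    The body is base64 of a placeholder string, not a real certificate."""
    body = base64.encodebytes(b"constructed placeholder, not a real CA").decode()
    path = directory / "cloudflare-origin-pull-ca.pem"
    path.write_text(f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n")
    return path


def sample_config(ca_path: Path, verify_client: str = "require") -> str:
    """Constructed Apache site config fragment in the shape the post uses."""
    return f"""<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Require a client certificate signed by the CloudFlare origin-pull CA
    SSLVerifyClient {verify_client}
    SSLVerifyDepth 10
    SSLCACertificateFile "{ca_path}"
</VirtualHost>
"""


def run_demo() -> dict:
    """Check three constructed configs and return the problems found for each."""
    with tempfile.TemporaryDirectory() as tmp:
        ca = write_sample_ca(Path(tmp))
        return {
            "good": check_origin_pull_config(sample_config(ca)),
            "optional": check_origin_pull_config(sample_config(ca, "optional")),
            "wrong_path": check_origin_pull_config(
                sample_config(Path(tmp) / "does-not-exist.pem")),
        }


if __name__ == "__main__":
    for scenario, problems in run_demo().items():
        print(scenario, "->", problems or "OK")
```

To use it against a real site file, read the file and call check_origin_pull_config on its contents; the good scenario returns an empty list, the optional one reports the weak SSLVerifyClient value, and the wrong-path one reports the missing CA file.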

Reload Apache’s configuration:

sudo service apache2 reload

Try browsing your website. Because CloudFlare is not yet presenting a client certificate, Apache rejects the handshake and CloudFlare reports:

Error 525 … SSL handshake failed

If you are seeing this error message, you have configured Apache correctly.

Enable CloudFlare Authenticated Origin Pulls

Log in to your CloudFlare account, choose the correct site (if you have multiple), and enable the Authenticated Origin Pulls feature. Try browsing your website again. If you see your website, all is well.