Apache CloudFlare Authenticated Origin Pulls configuration
With Strict SSL enabled, CloudFlare is able to tell that my website is indeed the real one. Furthermore, I have restricted incoming IP addresses to CloudFlare ones. This should be reasonably secure but an attacker could potentially spoof its origin IP (man-in-the-middle attack) as one of theirs. To mitigate this potential problem, it is necessary for the client (CloudFlare) to present a certificate which is then verified by (my) web server.
In test-driven development, programmers should build the test where the code fails the test then build the functionality until the test is successful. Similarly, I setup Apache to verify the certificate before enabling the Authenticated Origin Pulls feature in CloudFlare.
Firstly, download CloudFlare’s origin-pull-ca.pem and place it somewhere on the server. On my Raspberry Pi, I placed it on
In Apache site configuration file, add three lines:
SSLVerifyClient require SSLVerifyDepth 10 SSLCACertificateFile /var/www/cloudflare-origin-pull-ca.pem
Reload Apache’s configuration,
sudo service apache2 reload.
Try browsing your website, CloudFlare reports: > Error 525 … SSL handshake failed If you are seeing this error message, you have configured Apache correctly.
Enable CloudFlare Authenticated Origin Pulls
Login to your CloudFlare account, choose the correct site (if you have multiple), and enable the Authenticated Origin Pulls feature. Try browsing your website again. If you are seeing your website, all is well.