Protecting web origins with Authenticated Origin Pulls

As we have been discussing this week, securing the connection between CloudFlare and the origin server is arguably just as important as securing the connection between end users and CloudFlare. The origin certificate authority we announced this week will help CloudFlare verify that it is talking to the correct origin server. But what about verification in the opposite direction? How can the origin verify that the client talking to it is actually CloudFlare?

TLS Client Authentication

Normal TLS handshake

TLS (the modern version of SSL) allows a client to verify the identity of the server it is talking to. Normally, a TLS handshake is one-way, that is, the client is able to verify the server’s identity, but the server is not able to verify the client’s identity. What about when both sides need to verify each other’s identity?

Client authenticated TLS handshake

Enter TLS Client Authentication. In a client authenticated TLS handshake both sides provide a certificate to be verified. If the origin server is configured to only accept requests which use a valid client certificate from CloudFlare, requests which have not passed through CloudFlare will be dropped (as they will not have our certificate). This means that attackers cannot circumvent CloudFlare features such as our WAF, even via an attack like TCP source IP spoofing, which could typically be used to make an origin server believe malicious requests have passed through CloudFlare’s network.

To implement TLS client authentication in CloudFlare, one of our engineers, Piotr Sikora, added support to nginx. This code is open source and has been merged into the official nginx 1.7 branch, and can be used by anyone utilizing nginx’s proxy module.

Enabling Authenticated Origin Pulls

Generally, enabling Authenticated Origin Pulls does not cause any problems with a website, even if client certificates are not validated. However, in the event a website uses client certificates for other purposes, the CloudFlare origin-pull certificate may conflict and cause problems. Consequently, Authenticated Origin Pulls are an opt-in setting for CloudFlare customers. This service is available for all levels of CloudFlare plan: Free, Professional, Business, and Enterprise.

In order to enable Authenticated Origin Pulls for your CloudFlare protected website, you will need to use our new dashboard (currently in beta). To access this beta dashboard, first log in to your CloudFlare account. In the lower right corner of the page there is a button labeled “Try Our New Dashboard.” Click and log in again. At this point, you’re in our new dashboard with access to all your existing domains and settings through a completely new user interface.

There will be more information about this new dashboard in the near future, but feel free to check it out. You can continue to freely switch between the old and new dashboards.

Certificate

CloudFlare presents certificates signed by a CA with the following certificate:



This certificate is also available from https://origin-pull.cloudflare.com/

Origin Server Configuration

We will include configuration examples for popular web servers in our CloudFlare Support Knowledge Base in the next week.
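As an added illustration of the origin-side setup described above (this is not a configuration from the original post or from CloudFlare's knowledge base), the following nginx server block refuses any TLS connection that does not present a client certificate chaining to the CloudFlare origin-pull CA. The domain, certificate paths and backend address are placeholders; the origin side uses nginx's standard ssl module directives, not the proxy-module change mentioned earlier.

```nginx
# Added example, not from the original post. Origin server that only accepts
# connections carrying a client certificate issued by the CloudFlare
# origin-pull CA. All paths and names below are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # The origin's own certificate, so CloudFlare can verify the origin
    # (the opposite direction of verification discussed in the post).
    ssl_certificate     /etc/nginx/ssl/origin.crt;
    ssl_certificate_key /etc/nginx/ssl/origin.key;

    # The CA certificate published at https://origin-pull.cloudflare.com/,
    # saved to disk. Only client certificates signed by it will be accepted.
    ssl_client_certificate /etc/nginx/ssl/origin-pull-ca.pem;

    # Weak default: "off" means any client, including one that bypasses
    # CloudFlare or spoofs its source IP, completes the handshake.
    # ssl_verify_client off;

    # Hardened: require a client certificate and abort the handshake when
    # it is missing or does not chain to the CA above. The post states the
    # client certificates are signed directly by that CA, so depth 1 is enough.
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        # Requests reaching this point have passed the client-certificate
        # check, so CloudFlare features such as the WAF cannot be bypassed.
        proxy_pass http://127.0.0.1:8080;
    }
}
```

With `ssl_verify_client optional` instead of `on`, nginx completes the handshake regardless and exposes the result in `$ssl_client_verify`, which lets the application return an explicit error for unverified clients rather than dropping the connection.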
