As we have been discussing this week, securing the connection between CloudFlare and the origin server is arguably just as important as securing the connection between end users and CloudFlare. The origin certificate authority we announced this week will help CloudFlare verify that it is talking to the correct origin server. But what about verification in the opposite direction? How can the origin verify that the client talking to it is actually CloudFlare?
TLS Client Authentication
TLS (the modern version of SSL) allows a client to verify the identity of the server it is talking to. Normally, a TLS handshake is one-way: the client verifies the server’s certificate, but the server learns nothing verifiable about who the client is. What about when both sides need to verify each other’s identity?
Enter TLS Client Authentication. In a client-authenticated TLS handshake both sides present a certificate and prove possession of the matching private key. If the origin server is configured to accept only connections that present a valid client certificate issued to CloudFlare, connections which have not passed through CloudFlare are rejected, since an attacker can copy our certificate but not the private key that goes with it. This means that attackers cannot circumvent CloudFlare features such as our WAF by connecting to the origin directly, even with an attack like TCP source IP spoofing, which could otherwise be used to make an origin server that trusts CloudFlare’s IP ranges believe malicious requests have passed through CloudFlare’s network.
To implement TLS client authentication for CloudFlare’s origin pulls, one of our engineers, Piotr Sikora, added support to nginx for presenting a client certificate when proxying (the proxy_ssl_certificate and proxy_ssl_certificate_key directives). This code is open source and has been merged into the official nginx 1.7 branch, so it can be used by anyone utilizing nginx’s proxy module.
Enabling Authenticated Origin Pulls
Generally, enabling Authenticated Origin Pulls does not cause any problems with a website: a TLS client only sends a certificate when the server requests one, so an origin that does not validate client certificates is unaffected. However, if a website already uses client certificates for other purposes, the CloudFlare origin-pull certificate may conflict with that setup and cause problems. Consequently, Authenticated Origin Pulls are an opt-in setting for CloudFlare customers. This service is available for all levels of CloudFlare plan: Free, Professional, Business, and Enterprise.
In order to enable Authenticated Origin Pulls for your CloudFlare protected website, you will need to use our new dashboard (currently in beta). To access this beta dashboard, first log in to your CloudFlare account. In the lower right corner of the page there is a button labeled “Try Our New Dashboard.” Click it and log in again. At this point, you’re in our new dashboard with access to all your existing domains and settings through a completely new user interface.
There will be more information about this new dashboard in the near future, but feel free to check it out. You can continue to freely switch between old and new dashboard.
CloudFlare presents certificates signed by a CA with the following certificate:
-----BEGIN CERTIFICATE-----
MIIF0DCCA7qgAwIBAgIIRT8vUFWSsOYwCwYJKoZIhvcNAQENMIGQMQswCQYDVQQG
EwJVUzEZMBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjEUMBIGA1UECxMLT3JpZ2lu
IFB1bGwxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAgTCkNhbGlmb3Ju
aWExIzAhBgNVBAMTGm9yaWdpbi1wdWxsLmNsb3VkZmxhcmUubmV0MB4XDTE1MDEx
MzAzMzkwMVoXDTE2MDExMzAzNDQwMVowgZgxCzAJBgNVBAYTAlVTMRkwFwYDVQQK
ExBDbG91ZEZsYXJlLCBJbmMuMRwwGgYDVQQLExNPcmlnaW4gUHVsbCAoQ2hpbmEp
MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMw
IQYDVQQDExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAaIwDQYJKoZIhvcN
AQEBBQADggGPADCCAYoCggGBAMM8Xr2Gn+zYVKklIobNZQ7u2jturAoV63XyefOH
MTuNUVdrUN1YWPwcamJC+r/KFXUloxnSOBEOxVU3ErLX9tn1AofZy4hknKJHkm3L
EOLdfh9WErMgbXhbzcyR7lsQCq4qFY4FpAVEJgg/0d226+oFw4Bk9zENn5aD30sx
EZLPDjNi5UfI9JjbZytJanuUYZY72YavYAwhygt07z2n8D74b/LOyvGYarHIm+Vx
pKWajds1PasepJ/O6i8GJoB+mjRMws4amU3dxKjc4hpl3k2keaaJttCtm146mEyK
iONVaQCCYWCJsXPGqphcm0ly0+bkaiDiTdldpLWg9asecohcF62JzTlJ7NYoQPi6
/oZ33GhNTbyD168kL193m2kDFVDWOqZptGGk0+6hCHn4RrzinMuTdo0AIDaF8FBO
AmDzW9bG/FHw+kD+iY4kmAv2thrf2hf5jB5ipzY0nWoTrusNZ5eCzZTsqNRv9he3
3Q/dhfNO7MM4zPmcWmryLQ0wTwIDAQABo4GnMIGkMA4GA1UdDwEB/wQEAwIAoDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
HQ4EFgQU6i6WYt11Puh1tBin5wpwu6WhZ5kwHwYDVR0jBBgwFoAUQ1lLK2mLgOER
M2pXzVc42p59xeswJQYDVR0RBB4wHIIab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5j
b20wCwYJKoZIhvcNAQENA4ICAQDaHZI+69BEkeI3ufftB3KX8N4knsdkbLk9IwGU
AjleqpG25pFl7S5YVicAlWbcrB7mTVsUNdB3K8GgbVJQZt0gy0X0E8pXWLWSRx6t
0mDsVkS6Q5TS6AdM8z8xmg5C240trBxju17VLQ+3yKRk82eZ68czaO6xradFI5Dt
2yoTz5ckzm3Tclxn04dsKAQObk84JtfiyZDSRGqhH3YOZDpkIrTP6wAxtws5Ue/X
/dmK9V9Cf8SyNmrm94LD7yjcF2XI3Sl9msoeSilPYwS7/GWvkW0muMo0xPd5b78J
mVEstmtcY/yQi4rnc+rX5EKxvbMF8x2NMH+oOfIqdtGbQqNIW33tdLnGIIk3oeB1
cs3kLYdhkvQnr/iXoSutbuIV5ECk/a9L0X+1F2OyQUda6pM4JApbPSs1jYRoY2Xw
7ADVMUnOWas4DtLQaq+TTH5gPBNFzIPd+y0N9jFNhrCdRoi051F/V+6yyLq9GiXG
v6+0gdQrsNbTQPXKbGsdcEGg1wFUX+T+ygI6Y6WseSe0k6jYgw2n46Bp7bPtbdi1
kYFVTYFOsoodtLSGB6Q3UYmjfXaFUJ7C7YD+nw2jfKgCGvC+UposkPGrk08U2K0D
h1Q4mpO8GeUhwMvBJtXxHSsZXEDPHWzVFRb/FPpq30LrqU9v3ObekVnosS26s6/T
eX6iWg==
-----END CERTIFICATE-----
This certificate is also available from https://origin-pull.cloudflare.com/
Origin Server Configuration
We will include configuration examples for popular web servers in our CloudFlare Support Knowledge Base in the next week.
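The origin-side half of the client-authenticated handshake described under "TLS Client Authentication", and the origin configuration this section defers to the Knowledge Base, as an added nginx example (not code from the original post, and not the configuration the Support Knowledge Base will publish). The certificate path /etc/nginx/cloudflare-origin-pull-ca.pem, the host name example.com and the server certificate and key paths are assumptions; the ssl_client_certificate, ssl_verify_client and ssl_verify_depth directives and the $ssl_client_verify and $ssl_client_s_dn variables are standard nginx.

```nginx
# Added example: an nginx origin that only serves TLS connections whose
# client certificate chains to the CloudFlare origin-pull certificate
# shown above. Assumed paths and host name are placeholders.
#
# Before trusting the file, inspect it and confirm it is the issuer you
# expect (subject, validity, key usage):
#   openssl x509 -in /etc/nginx/cloudflare-origin-pull-ca.pem -noout -text

http {
    # Record the result of client verification on every request so that
    # direct-to-origin attempts can be alerted on. $ssl_client_verify is
    # "SUCCESS" when the chain validated, "NONE" when no certificate was
    # sent, and starts with "FAILED" otherwise.
    log_format origin_pull '$remote_addr [$time_local] "$request" $status '
                           'client_verify=$ssl_client_verify '
                           'client_dn="$ssl_client_s_dn"';

    server {
        listen 443 ssl;
        server_name example.com;

        # The origin's own server certificate, for instance one issued by
        # the CloudFlare Origin CA announced earlier this week.
        ssl_certificate     /etc/nginx/example.com.crt;
        ssl_certificate_key /etc/nginx/example.com.key;

        # Trust anchor for client certificates: the origin-pull certificate
        # from this post, saved as a PEM file.
        ssl_client_certificate /etc/nginx/cloudflare-origin-pull-ca.pem;

        # "on" requires a client certificate and requires it to validate.
        # A connection that sends none, or sends one that does not chain
        # to the file above, still completes the TLS handshake but every
        # request on it is answered with an HTTP 400 error page
        # ("No required SSL certificate was sent" / "The SSL certificate
        # error") and never reaches the locations below.
        # "optional" or "optional_no_ca" would let unauthenticated clients
        # through; do not use them for this purpose.
        ssl_verify_client on;
        ssl_verify_depth  2;

        access_log /var/log/nginx/origin-pull.log origin_pull;

        location / {
            # Only requests that passed client verification arrive here,
            # i.e. only requests that came through CloudFlare.
            root /var/www/example.com;
        }
    }
}
```

Two caveats when deploying this. ssl_verify_client is scoped to the server block, so every server block answering on the same address and port (including the default server) must carry it, or an attacker can simply send a different SNI name or none at all. And the check is worth exercising from outside CloudFlare: openssl s_client -connect example.com:443 -servername example.com followed by a GET should return the 400 page, while the same page fetched through CloudFlare with Authenticated Origin Pulls enabled should return normally.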
The post Protecting web origins with Authenticated Origin Pulls was syndicated via ReadySpace Cloud Services United States.