Pete Freitag Pete Freitag

CloudFlare Authenticated Origin Pulls on Nginx or Apache

Updated on April 07, 2022
By Pete Freitag

If you are using CloudFlare in front of your web server, it is a good idea to setup CloudFlare Authenticated Origin Pulls. When this is enabled and properly configured only CloudFlare will be able to connect to your origin web server directly.

An example setup on nginx might require that you add something like this:

ssl_client_certificate /etc/cloudflare/cloudflare-origin-pull-ca.pem;
ssl_verify_client on;    

On Apache it might look like this:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/cloudflare/cloudflare-origin-pull-ca.pem

In both examples I'm referencing a file: /etc/cloudflare/cloudflare-origin-pull-ca.pem this is CloudFlare's CA Certificate which you can grab from their site here. This public CA certificate is used to sign the client certificate on CloudFlare's edge servers that is used when requesting your origin server. The ssl_verify_client on or SSLVerifyClient require instruct your web server to reject any connections that are not signed by the CA certificate.

While it is pretty straight forward to setup if you miss something you might see a 400 Bad Request error like this:

400 Bad Request
No required SSL certificate was sent

Here are some things you can check if you see that error:

  • Make sure you have checked the Authenticated Origin Pulls checkbox in CloudFlare Dashboard under SSL/TLS then Origin Server.
  • Make sure you have set your SSL/TLS encryption mode to "Full" or "Full (Strict)" in the CloudFlare Dashboard, it won't work if your encryption mode is set to Flexible or Off.
  • Make sure you have restarted or reloaded the configuration on your web server

cloudflare tls

CloudFlare Authenticated Origin Pulls on Nginx or Apache was first published on January 27, 2022.

Discuss / Follow me on Twitter ↯


The Cloudflare "How To" for this has been largely removed from the web. Do you have a tutorial of your own for Apache/LightSpeed WS?
by TJ on 03/28/2022 at 12:16:12 AM UTC
Could you please link directly to the download certificate? I can't seems to find it.
by gulshan on 06/02/2023 at 1:59:56 PM UTC