Cloudflare Docs
SSL/TLS

Zone-level authenticated origin pulls

When you enable Authenticated Origin Pulls for a zone, all proxied traffic to your zone is authenticated at the origin web server.

Before you begin

Make sure your zone is using an SSL/TLS encryption mode of Full or higher.

1. Upload certificate to origin

First, upload a certificate to your origin.

To use a Cloudflare certificate (which uses a specific CA), download the .PEM file and upload it to your origin.

To use a custom certificate, follow the API instructions to upload a custom certificate to Cloudflare, but use the origin_tls_client_auth endpoint. Then, upload the certificate to your origin.

2. Configure origin to accept client certificates

With the certificate installed, set up your origin web server to accept client certificates.

Apache example

For this example, you would have saved the certificate to /path/to/origin-pull-ca.pem.

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem

NGINX example

For this example, you would have saved your certificate to /etc/nginx/certs/cloudflare.crt.


ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
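
Only `ssl_verify_client on` (NGINX) and `SSLVerifyClient require` (Apache) make the origin reject requests that arrive without a valid client certificate; the `optional` and `off`/`none` values leave the origin reachable by anyone. The following Python check for that misconfiguration is an added example, not part of the Cloudflare documentation; the function names and the sample configs are constructed for illustration.

```python
# Per server: verification directive, its one enforcing value, CA-file directive.
RULES = {
    "nginx": ("ssl_verify_client", "on", "ssl_client_certificate"),
    "apache": ("SSLVerifyClient", "require", "SSLCACertificateFile"),
}

def directives(text):
    """Yield (name, args) per directive line, skipping comments and block markers."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line[0] in "<}" or line.endswith("{"):
            continue
        name, *args = line.split()
        yield name, args

def audit(text, server):
    """Return findings for one config; an empty list means client certs are enforced."""
    verify, enforcing, ca = RULES[server]
    values, ca_files = [], []
    for name, args in directives(text):
        # Apache directive names are case-insensitive, so compare lowercased.
        if name.lower() == verify.lower():
            values.append(args[0].lower() if args else "")
        elif name.lower() == ca.lower():
            ca_files.append(args[0] if args else "")
    findings = []
    if not values:
        findings.append(f"{verify} not set: no client certificate is requested")
    findings += [
        f"{verify} {v}: requests without a verified client certificate are still served"
        for v in values if v != enforcing
    ]
    if not any(ca_files):
        findings.append(f"{ca} not set: no CA to verify the client certificate against")
    return findings

# Constructed sample configs (not from the page), one per failure mode.
NGINX_OK = """
server {
    listen 443 ssl;
    ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
    ssl_verify_client on;
}
"""
NGINX_WEAK = NGINX_OK.replace("ssl_verify_client on;", "ssl_verify_client optional;  # debugging")
APACHE_WEAK = "SSLVerifyClient none\nSSLVerifyDepth 1\n"

if __name__ == "__main__":
    print(audit(NGINX_WEAK, "nginx"), audit(APACHE_WEAK, "apache"))
```

The check flags every non-enforcing occurrence, so a server or virtual-host block that overrides a stricter global setting is reported too. It reads a single file and does not follow `include` directives.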

3. Configure Cloudflare to use client certificate

Then, enable the Authenticated Origin Pulls feature as an option for your Cloudflare zone.

This step sets TLS Client Auth so that Cloudflare is required to use a client certificate when connecting to your origin server.

To enable Authenticated Origin Pulls in the dashboard:

  1. Log in to your Cloudflare account and go to a specific domain.
  2. Go to SSL/TLS > Origin Server.
  3. For Authenticated Origin Pulls, switch the toggle to On.

To enable or disable Authenticated Origin Pulls with the API, send a PATCH request with the value parameter set to your desired setting ("on" or "off").

4. Enable Authenticated Origin Pulls for all hostnames in a zone

Finally, use the Cloudflare API to send a PUT request to enable or disable zone-level authenticated origin pulls.