Set up Authenticated Origin Pulls via Cloudflare

I would like my ASP.NET application and Kestrel server to only respond to traffic coming from Cloudflare.

EX:
https://coolsoftware.com = 200
https://coolsoftware-test.fly.dev = 403

Cloudflare has a concept of authenticated origin pulls. Any clue as to how this could be implemented with Fly? Or is this something that has to be done in the application itself?

Hi,

Yep, you would need to implement this yourself, in the application. You couldn’t rely on simply checking the hostname.

As you say, Cloudflare have that option for exactly that: How Authenticated Origin Pulls works · Cloudflare SSL/TLS docs

Your application would need to check the certificate. I don’t know much about ASP.NET but with nginx you would do something like:

ssl_client_certificate /etc/cloudflare/cloudflare-origin-pull-ca.pem;
ssl_verify_client on;

… and so only requests from Cloudflare would be valid. Ones to your-app.fly.dev would not go via Cloudflare, and would be rejected by that check.

Therefore you wouldn’t want Fly to terminate the TLS at its proxy. You would remove the tls in the fly.toml. The TCP would then go straight to your application, so it could handle/verify it.

A simpler (but less good) way to check the request came from Cloudflare would be to use IP ranges. Cloudflare publish their IPs, e.g. IP Ranges, and so you could check the IP of the incoming request. If it’s not part of their published IP range, well, it can’t have come from Cloudflare. That approach would rely on being able to get the request IP (so again, you have to consider the Fly proxy’s role, as you don’t want its IP to be checked).

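The nginx lines above have a direct equivalent in Kestrel. The following is an added example (not code from the thread, and not Cloudflare's or Fly's own code) of an ASP.NET Core `Program.cs` that terminates TLS itself and accepts only client certificates chaining to Cloudflare's Origin Pull CA. The file paths (`/etc/cloudflare/cloudflare-origin-pull-ca.pem` for the CA PEM from Cloudflare's docs, `/etc/ssl/origin.pem` and `/etc/ssl/origin.key` for the origin's own certificate), the listening port 8443 and the `fly.toml` excerpt in the comment are assumptions for illustration; the Kestrel and `X509Chain` APIs are standard .NET.

```csharp
// Added example (not from the original thread): Kestrel as the TLS terminator,
// accepting only Cloudflare Origin Pull client certificates.
//
// Illustrative fly.toml for this layout: the 443 port has no "tls" handler, so
// Fly's proxy forwards raw TCP and never sees (or strips) the client certificate.
//
//   [[services]]
//     internal_port = 8443
//     protocol = "tcp"
//     [[services.ports]]
//       port = 443       # no handlers => TCP passthrough, Kestrel does the handshake
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// The Origin Pull CA is not in any system trust store, so load it explicitly.
// Assumed path; the PEM comes from Cloudflare's Authenticated Origin Pulls docs.
var cloudflareOriginPullCa = X509Certificate2.CreateFromPem(
    File.ReadAllText("/etc/cloudflare/cloudflare-origin-pull-ca.pem"));

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(8443, listen =>
    {
        listen.UseHttps(https =>
        {
            // The certificate Cloudflare's edge verifies when it connects to us (assumed paths).
            https.ServerCertificate = X509Certificate2.CreateFromPemFile(
                "/etc/ssl/origin.pem", "/etc/ssl/origin.key");

            // Equivalent of "ssl_verify_client on": no client cert, no connection.
            https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;

            // Replace Kestrel's default (system trust store) validation with a chain
            // check that trusts only the Cloudflare CA. The SslPolicyErrors argument is
            // ignored on purpose: it would always report an untrusted chain here.
            https.ClientCertificateValidation =
                (cert, _, _) => IssuedByCloudflare(cert, cloudflareOriginPullCa);
        });
    });
});

var app = builder.Build();
app.MapGet("/", () => "Hello from behind Cloudflare");
app.Run();

// Builds a chain with the Cloudflare CA as the sole trusted root, then confirms the
// chain actually ends at that exact certificate (not at some other root that happened
// to be accepted), comparing raw DER bytes rather than a subject name.
static bool IssuedByCloudflare(X509Certificate2 clientCert, X509Certificate2 ca)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(ca);
    // No revocation fetch during the handshake; with a single pinned root, chain
    // membership is the property being enforced. Revisit if your policy needs CRL/OCSP.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

    if (!chain.Build(clientCert))
        return false;

    var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
    return root.RawData.AsSpan().SequenceEqual(ca.RawData);
}
```

With this in place, a request to `https://coolsoftware.com` (proxied by Cloudflare, which presents its Origin Pull client certificate) completes the handshake, while a direct request to `https://coolsoftware-test.fly.dev` fails at the TLS layer before any application code runs. Keep in mind that the check only proves the connection came from Cloudflare's edge, not that it was for your zone; Cloudflare's docs describe the zone-level certificate option if you need that distinction.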

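For the IP-range fallback described in the answer, here is an added example (not code from the thread) of an ASP.NET Core middleware that returns 403 unless the address that connected to Fly's edge is in a Cloudflare range. It assumes Fly's proxy still terminates TLS and sets the `Fly-Client-IP` header to the connecting address, so the header holds a Cloudflare edge IP for proxied traffic and the end user's IP for direct hits on the `.fly.dev` hostname; the four CIDRs are an excerpt of Cloudflare's published list, included only to make the sample runnable, and the `Cidr` helper is written here rather than taken from a library.

```csharp
// Added example (not from the original thread): allow only requests that reached
// Fly from a Cloudflare edge address. Assumes Fly terminates TLS and overwrites
// Fly-Client-IP with the address it accepted the connection from.
using System.Linq;
using System.Net;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Excerpt of Cloudflare's published ranges (https://www.cloudflare.com/ips-v4).
// Load the full, current list at deploy time instead of hard-coding it.
var cloudflareRanges = new[]
{
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "104.16.0.0/13",
}.Select(Cidr.Parse).ToArray();

app.Use(async (ctx, next) =>
{
    // Do not use ctx.Connection.RemoteIpAddress here: that is Fly's proxy.
    // Fly-Client-IP is the address that connected to Fly's edge (assumed per Fly docs).
    var header = ctx.Request.Headers["Fly-Client-IP"].ToString();

    if (!IPAddress.TryParse(header, out var client) ||
        !cloudflareRanges.Any(range => range.Contains(client)))
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next();
});

app.MapGet("/", () => "Hello via Cloudflare");
app.Run();

// Minimal CIDR matcher for IPv4 and IPv6, so no external package is needed.
readonly record struct Cidr(byte[] Network, int PrefixLength)
{
    public static Cidr Parse(string cidr)
    {
        var parts = cidr.Split('/');
        return new Cidr(IPAddress.Parse(parts[0]).GetAddressBytes(), int.Parse(parts[1]));
    }

    public bool Contains(IPAddress address)
    {
        var bytes = address.GetAddressBytes();
        if (bytes.Length != Network.Length) return false;   // v4 vs v6 never match

        int fullBytes = PrefixLength / 8, remainingBits = PrefixLength % 8;
        for (int i = 0; i < fullBytes; i++)
            if (bytes[i] != Network[i]) return false;
        if (remainingBits == 0) return true;

        int mask = (0xFF << (8 - remainingBits)) & 0xFF;    // top bits of the partial byte
        return (bytes[fullBytes] & mask) == (Network[fullBytes] & mask);
    }
}
```

This is weaker than the certificate check for the reasons the answer gives: it relies on the proxy in front of you reporting the client address honestly, and anyone who can reach the origin from inside a Cloudflare range (any Cloudflare customer's Worker, for instance) passes it. Treat it as a stopgap, not as the authentication that Authenticated Origin Pulls provides.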