How to set up Apache to support Authenticated Origin Pulls from Cloudflare, which prevents HTTPS access to the site that bypasses Cloudflare.
To stop clients from bypassing Cloudflare's proxy (for example by connecting straight to the origin server's IP), Apache can be configured to require Cloudflare's client TLS certificate, so that only traffic that has passed through the Cloudflare firewall is accepted. This is a client certificate check, distinct from the usual server SSL certificate, and can be set up on VPS or dedicated hosting by following this guide.
Related Articles
Change DNS at Cloudflare
Redirect Error When Using Cloudflare
AutoSSL Not Renewing When Using Cloudflare
Enable Origin Pull
IMPORTANT: This solution will require root access or an escalation to APS for those without T1E+ access.
- Log into Cloudflare
- Navigate to Origin Server, located under SSL/TLS
- Enable Authenticated Origin Pulls
- SSH into the server as root
- Download the Cloudflare origin pull CA certificate with
wget https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem -O "/etc/apache2/conf.d/ssl.crt/origin-pull-ca.pem"
- Create the configuration directory
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/userna5/domain.com
REPLACE: domain.com with the domain name and userna5 with the cPanel username.
- Create the file cloudflare-authenticated-origin.conf within the new directory
- Edit the new file and add the following
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/conf.d/ssl.crt/origin-pull-ca.pem
- Save
- Rebuild and restart Apache
/scripts/rebuildhttpdconf && /scripts/restartsrv_httpd
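The procedure above as a script, added here as an example (not part of the original article or of cPanel/Cloudflare tooling). It uses the CA URL, paths and directives from the steps, adds a sanity check that the downloaded file really is an X.509 certificate, and adds a check that the origin rejects a direct HTTPS request carrying no client certificate; the argument validation rules and the use of openssl and curl are assumptions.

```shell
#!/bin/sh
# Added example: automates the steps above on a cPanel/EA4 server and adds a
# check that the origin really rejects direct HTTPS without a client cert.
# Assumptions: CA URL and paths as in the article; openssl and curl installed.
set -eu

CA_URL="https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem"
CA_FILE="/etc/apache2/conf.d/ssl.crt/origin-pull-ca.pem"

# Constructed sanity check (assumption): cPanel user is lowercase alnum/underscore,
# domain is a plain hostname; both end up in a filesystem path, so reject anything else.
validate_args() {
    case $1 in ''|*[!a-z0-9_]*) echo "bad cPanel user: $1" >&2; return 1;; esac
    case $2 in ''|*[!a-zA-Z0-9.-]*) echo "bad domain: $2" >&2; return 1;; esac
}

# Per-vhost SSL include path that cPanel reads (from the article).
conf_path() {
    printf '/etc/apache2/conf.d/userdata/ssl/2_4/%s/%s/cloudflare-authenticated-origin.conf' "$1" "$2"
}

# The three directives from the article; depth 1 because Cloudflare's CA
# signs the client certificate directly.
render_conf() {
    printf 'SSLVerifyClient require\nSSLVerifyDepth 1\nSSLCACertificateFile %s\n' "$CA_FILE"
}

install_origin_pull() {
    validate_args "$1" "$2"
    wget -q "$CA_URL" -O "$CA_FILE"
    openssl x509 -in "$CA_FILE" -noout   # refuse to trust a file that is not a certificate
    conf=$(conf_path "$1" "$2")
    mkdir -p "$(dirname "$conf")"
    render_conf > "$conf"
    /scripts/rebuildhttpdconf && /scripts/restartsrv_httpd
}

# Run from a host outside Cloudflare: a request straight to the origin IP with
# no client certificate must fail (TLS alert or HTTP 403). -k skips server-cert
# checks so the only expected failure is the missing client certificate.
check_direct_access_blocked() {
    rc=0
    curl -sSfk --max-time 10 --resolve "$1:443:$2" "https://$1/" -o /dev/null || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "WARNING: origin served the page without a client certificate" >&2
        return 1
    fi
    echo "OK: direct connection to $2 rejected (curl exit $rc)"
}

case "${1:-}" in
    install) install_origin_pull "$2" "$3" ;;
    check)   check_direct_access_blocked "$2" "$3" ;;
esac
```

Run `sh origin-pull.sh install userna5 domain.com` as root on the server, then `sh origin-pull.sh check domain.com ORIGIN_IP` from a machine outside Cloudflare to confirm enforcement.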
CAUTION: Once this is in place, Apache rejects every HTTPS connection that does not present Cloudflare's client certificate. If the domain is not entirely proxied through Cloudflare, any part of it that is not will show SSL errors and fail to load at all.