
I have to enable Authenticated Origin Pulls on my http.sys .NET Core application but I'm very confused.

So far the steps I have performed have been:

  1. Install origin-pull-ca.pem in the Trusted Root store
  2. netsh http add sslcert hostnameport=xxxxxxxxxxx.com:443 appid='{APPLICATION-IDENTIFIER}' certhash=THUMBPRINT-CERTIFICATE certstorename=MY clientcertnegotiation=enable (where THUMBPRINT-CERTIFICATE is the "Origin Certificate" of Cloudflare, not the origin-pull-ca.pem)

But... now?

This is the NGINX configuration to make it work:

ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;

What is the corresponding configuration to apply to the HTTP.sys web server on ASP.NET Core?

Sauron
  • Did you ever get this to work? – mslot Jul 03 '20 at 14:34
  • Yes, the only way I found is to build a custom middleware and compare the context.Connection.ClientCertificate.Thumbprint with the thumbprint of origin-pull.cloudflare.net. If it's the same, the call is legitimate; otherwise you can return a 403. Be sure of the incoming thumbprint: in my case it was different from the origin-pull.cloudflare.net one. Take a look at https://community.cloudflare.com/t/manual-authenticated-origin-pulls-verification/145614 – Sauron Jul 04 '20 at 15:14
  • Hey @Sauron, can you throw some light on [this post](https://stackoverflow.com/questions/67213204/cloudflare-authenticated-origin-pulls-with-kestrel-web-serverlinux) if by chance you found out the solution? I am planning to use the Kestrel server on Linux, and instead of directly using the PEM we can convert the PEM to the X509 format and try to validate, but I am not able to do it successfully. If you have any ideas regarding it, please do provide your answer on the above thread. – pb36 Apr 25 '21 at 19:09
  • Hi @JB, here is what you are looking for: https://stackoverflow.com/questions/62697927/certificate-validation-failed-validation-of-client-side-certificate-fails-when . Hope it will help you :) – Sauron Apr 26 '21 at 20:57
  • I tried that, but I'm not sure why I used to get a null certificate, so I was not able to verify, and I ended up verifying Cloudflare calls with [this library](https://github.com/dustinmoris/Firewall) – pb36 Apr 26 '21 at 21:54
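As an added example (not code from the question, the comments or Cloudflare), here is the middleware approach Sauron describes, written in C# for ASP.NET Core on HTTP.sys; it goes beyond a single thumbprint comparison by also validating the client certificate's chain against the origin-pull-ca.pem the question installs, which survives Cloudflare rotating the leaf certificate. It assumes HTTP.sys was registered with clientcertnegotiation=enable and that the configuration keys Cloudflare:OriginPullCaPath and (optional) Cloudflare:PinnedThumbprint exist; both key names are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// Added example, not code from the question or from Cloudflare. Assumes HTTP.sys was
// registered with clientcertnegotiation=enable; the configuration key names are assumed.
public sealed class OriginPullMiddleware
{
    private readonly RequestDelegate _next;
    private readonly X509Certificate2 _originPullCa;
    private readonly string _pinnedThumbprint;

    public OriginPullMiddleware(RequestDelegate next, IConfiguration config)
    {
        _next = next;
        // CreateFromPem loads the certificate only, so origin-pull-ca.pem needs no key.
        _originPullCa = X509Certificate2.CreateFromPem(
            File.ReadAllText(config["Cloudflare:OriginPullCaPath"]));
        _pinnedThumbprint = config["Cloudflare:PinnedThumbprint"];
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // HTTP.sys exposes the negotiated client certificate on the connection.
        var clientCert = context.Connection.ClientCertificate;
        if (clientCert == null || !IsCloudflareOriginPull(clientCert))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
        await _next(context);
    }

    private bool IsCloudflareOriginPull(X509Certificate2 cert)
    {
        // Optional leaf pin (the check the comments describe); thumbprints are hex, so ignore case.
        if (!string.IsNullOrEmpty(_pinnedThumbprint) &&
            !string.Equals(cert.Thumbprint, _pinnedThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;
        // Chain only to the origin-pull CA, not to every root the machine store trusts.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(_originPullCa);
        // Assumption: no CRL to consult; switch to Online if the CA publishes one.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(cert);
    }
}
```

Register it before routing with app.UseMiddleware<OriginPullMiddleware>() so every request, including unmatched routes, is rejected unless Cloudflare presented a certificate that chains to the origin-pull CA.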

0 Answers