Client certificates question
I am looking for a solution to my problem: I would like to "lock" particular page on my site to only my devices and to be as simple as possible for end users (my family). The goal is to limit page access to only "trusted" devices without much hassle like using Access, custom cookies, IPs (because it changes), etc. I saw this "Client certificates" thing and assume it can help. Is there a way to somehow generate client cert, install it on each device and then limit access in CF WAF to only trusted certs? Note that server-side restriction access (like page password) is not an option. Any ideas? 🙂 Thanks.
Configure mTLS · Cloudflare API Shield docs
When you specify API hosts in mTLS authentication, Cloudflare will block all requests that do not have a client certificate for mTLS authentication.
Should he be able to create the rule without API Shield?
Another option: you could put a Cloudflare Worker on the subdomain with routes and do your own JWT or validation with the client.
We do that now with https://approov.io/product/
Mobile API Security for Android & iOS Apps | Approov
Looking for end to end mobile app protection? Approov provides mobile app security for android and iOS. Block threats against backend APIs. Try today..
We use Approov on our mobile app and then, when specific routes are fired, we do a validation with a CF Worker.
So, the "client certificate" doesn't do what I thought. I thought it could be installed on a device (Windows, Android) like any other certificate, and then, if my site detects that I have that certificate installed on the device, I can open the page. Is that not how it works?
Configure your mobile app or IoT device · Cloudflare SSL/TLS docs
This tutorial demonstrates how to configure your Internet-of-things (IoT) device and mobile application to use client certificates with API Shield™.
I would think you can do something like above ⏫
and then do something like this -
I haven't verified this use case yet, but this is how I interpreted their mTLS implementation.
I am also looking to do this and have found very little resources on how to do so.
I have set up the rules in the WAF and generated certificates; I have also added them to the devices. However, the problem I am facing is that when accessing the page I am not asked for the certificate, so the browser doesn't use it and cannot get past the rule.
I have tested my setup with curl by providing the certificate with:
curl -L -v --cert-type P12 --cert ./<cert-name>.p12:'<cert-password>' https://<my-domain>
and it works, so the issue is definitely that the website does not ask the browser for a certificate.
https://community.cloudflare.com/t/fyi-http3-quic-mode-w-mtls-is-causing-problems-with-chromium-browsers/427089
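The symptom in the post above (the browser is never prompted, while curl with the P12 works) comes down to one question: does the server send a TLS CertificateRequest on the connection the browser actually uses? The script below is an added example, not code from the thread or from Cloudflare. It defines a helper that inspects `openssl s_client -msg` output for a CertificateRequest handshake message, runs it against two constructed handshake transcripts (labelled as such), and wraps curl so the same URL can be tried over HTTP/2 and HTTP/3 separately. Function names, the `example.com` host and the `client.p12` path are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for checking whether a server
# actually asks for a client certificate, and for comparing HTTP versions.

# handshake_has_cert_request: reads `openssl s_client -msg` output on stdin.
# Exit status 0 if a CertificateRequest handshake message appears, 1 otherwise.
# With -msg, OpenSSL prints each (decrypted) handshake message on its own line,
# e.g. "<<< TLS 1.3, Handshake [length 0115], CertificateRequest".
handshake_has_cert_request() {
  grep -q 'Handshake .*CertificateRequest'
}

# server_requests_client_cert HOST [PORT]: live check over TCP/TLS (HTTP/1.1
# and HTTP/2 share this handshake; HTTP/3 over QUIC is a separate handshake
# and is NOT covered by this probe).
server_requests_client_cert() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -msg </dev/null 2>&1 |
    handshake_has_cert_request
}

# curl_status URL P12 PASSWORD VERSIONFLAG: fetch URL with the client cert over
# one specific HTTP version (--http2 or --http3; --http3 needs a curl build
# with HTTP/3 support) and print only the HTTP status code.
curl_status() {
  url=$1
  p12=$2
  pass=$3
  flag=$4
  curl -s -o /dev/null -w '%{http_code}' "$flag" \
    --cert-type P12 --cert "$p12:$pass" "$url"
}

# Constructed sample transcripts (not captured from a real server), in the
# shape `openssl s_client -msg` prints for a TLS 1.3 handshake.
SAMPLE_WITH_REQUEST='>>> TLS 1.3, Handshake [length 0130], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0115], CertificateRequest
<<< TLS 1.3, Handshake [length 0a3d], Certificate
<<< TLS 1.3, Handshake [length 004f], CertificateVerify
<<< TLS 1.3, Handshake [length 0024], Finished'

SAMPLE_WITHOUT_REQUEST='>>> TLS 1.3, Handshake [length 0130], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0a3d], Certificate
<<< TLS 1.3, Handshake [length 004f], CertificateVerify
<<< TLS 1.3, Handshake [length 0024], Finished'

# Offline demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_WITH_REQUEST" | handshake_has_cert_request; then
  echo "sample 1: server sent CertificateRequest (client cert will be prompted)"
fi
if printf '%s\n' "$SAMPLE_WITHOUT_REQUEST" | handshake_has_cert_request; then
  echo "sample 2: unexpected CertificateRequest"
else
  echo "sample 2: no CertificateRequest (browser will never offer its cert)"
fi

# Live usage (placeholders; not run here):
#   server_requests_client_cert example.com && echo "asked for cert over TCP/TLS"
#   curl_status https://example.com/secret ./client.p12 'secret' --http2
#   curl_status https://example.com/secret ./client.p12 'secret' --http3
```

If `server_requests_client_cert` reports a CertificateRequest and the `--http2` fetch returns 200 while the browser is still blocked, the remaining difference is the transport: a browser that negotiates HTTP/3 over QUIC gets a different handshake than the one the probe and `--http2` exercised, so compare with `--http3` (or disable HTTP/3 for the zone) before blaming the certificate install.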
This guy just saved me so, SO, SOOOOOOOO much time
Cloudflare Community
FYI: HTTP3/QUIC mode w/ mTLS is causing problems with Chromium brow...
I use CF tunnels to publicly expose sites that I run at home. I had “HTTP/3 (with QUIC)” enabled, and I also have a WAF rule to require a Cloudflare-generated client certificate. On my home network, no client certificate is required because my internal DNS directs my sites to my server’s internal IP address. A few weeks ago, an update to Chrome...