AWS integration
This guide will walk you through how to set up per-hostname authenticated origin pulls to securely connect to an AWS Application Load Balancer using mutual TLS verify.
You can also find instructions on how to rollback this setup in Cloudflare.
- You should already have your AWS account and EC2 configured.
- Note that this tutorial uses command-line interface (CLI) to generate a custom certificate, and API calls to configure Cloudflare Authenticated Origin Pulls.
- For the most up-to-date documentation on how to set up AWS, refer to the AWS documentation.
- Run the following command to generate a 4096-bit RSA private key, using AES-256 encryption. Enter a passphrase when prompted.
- Create the CA root certificate. When prompted, fill in the information to be included in the certificate. For the
Common Name
field, use the domain name as value, not the hostname.
- Create a Certificate Signing Request (CSR). When prompted, fill in the information to be included in the request. For the
Common Name
field, use the hostname as value.
- Sign the certificate using the
rootca.key
androotca.crt
created in previous steps.
- Make sure the certificate extensions file
cert.v3.ext
specifies the following:
- Upload the
rootca.cert
to an S3 bucket. - Create a trust store at your EC2 console, indicating the S3 URI where you uploaded the certificate.
- Create an EC2 instance and install an HTTPD daemon. Choose an instance type according to your needs - it can be a minimal instance eligible to AWS Free Tier. This tutorial was based on an example using t2.micro and Amazon Linux 2023.
- Create a target group for your Application Load Balancer.
- Choose Instances as target type.
- Specify port
HTTP/80
.
- After you finish configuring the target group, confirm that the target group is healthy.
- Configure a load balancer and a listener.
- Choose the Internet-facing scheme.
- Switch the listener to port
443
so that the mTLS option is available, and select the target group created in previous steps. - For Default SSL/TLS server certificate, choose Import certificate > Import to ACM, and add the certificate private key and body.
- Under Client certificate handling, select Verify with trust store.
- Save your settings.
- (Optional) Run the following commands to confirm that the Application Load Balancing is asking for the client certificate.
Since you have not yet uploaded the certificate to Cloudflare, the connection should fail (read:errno=54
, for example).
You can also run curl --verbose
and confirm Request CERT (13)
is present within the SSL/TLS handshake:
- Upload the certificate you created in Step 1 to Cloudflare. You should use the leaf certificate, not the root CA.
2.Associate the certificate with the hostname that should use it.
- Enable the Authenticated Origin Pulls feature on your zone.
- Use a
PUT
request to disable Authenticated Origin Pulls on the hostname.
- (Optional) Use a
GET
request to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.
- Use the Delete hostname client certificate endpoint to remove the certificate you had uploaded.