
Commit a18546f

New mTLS implementation guide in reference architecture section (#18506)
* New mTLS implementation guide
* Update src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx

Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>

---------

Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
1 parent 782bc41 commit a18546f


5 files changed

+36
-12
lines changed

Lines changed: 9 additions & 7 deletions
@@ -1,22 +1,24 @@
11
---
2-
title: mTLS at Cloudflare
2+
title: Use mTLS with Cloudflare protected resources
33
pcx_content_type: overview
44
sidebar:
55
order: 3
6+
label: mTLS with Cloudflare
67
---
78

89
In this implementation guide we will be focusing on the L7 / Application Layer security for HTTP/S requests targeting [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostnames, including the [first connection](/ssl/origin-configuration/ssl-modes/) between client and Cloudflare.
910

1011
Some common mTLS use cases are:
12+
1113
- Protect and verify legitimate API traffic by verifying Client Certificates provided during TLS/SSL handshakes.
1214
- Check IoT devices' identity by verifying Client Certificates they provide during TLS/SSL handshakes.
1315

1416
There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](/api-shield/)) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences:
1517

16-
| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
17-
| :---- | :---- | :---- |
18-
| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
19-
| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
20-
| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
18+
| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
19+
| :-------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
20+
| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
21+
| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
22+
| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
2123
| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
22-
| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [*cf.tls\_client\_auth.cert\_revoked*](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA. <br /><br /> For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
24+
| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA. <br /><br /> For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
Lines changed: 3 additions & 4 deletions
@@ -1,15 +1,14 @@
11
---
2-
title: mTLS at Cloudflare
2+
title: Use mTLS with Cloudflare protected resources
33
type: developers-site
44
new_learning_path: true
55
pcx_content_type: learning-path
66
head:
77
- tag: title
8-
content: mTLS at Cloudflare
8+
content: Use mTLS with Cloudflare protected resources
99
description: Safeguarding APIs and devices on Cloudflare's network.
10-
1110
---
1211

13-
import { LearningPath } from "~/components"
12+
import { LearningPath } from "~/components";
1413

1514
<LearningPath file="mtls" />
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
title: Application Security
3+
pcx_content_type: navigation
4+
---
5+
6+
import { Description, DirectoryListing, Render } from "~/components";
7+
8+
Application security implementation guides walk you through the steps to secure your public applications, devices and APIs with Cloudflare.
9+
10+
## Application Security
11+
12+
- [Use mTLS with Cloudflare protected resources](/learning-paths/mtls/)
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
---
2+
pcx_content_type: navigation
3+
title: Use mTLS with Cloudflare protected resources
4+
external_link: /learning-paths/mtls/
5+
sidebar:
6+
order: 2
7+
---

src/content/docs/reference-architecture/implementation-guides/index.mdx

Lines changed: 5 additions & 1 deletion
@@ -7,10 +7,14 @@ sidebar:
77

88
import { Description, DirectoryListing, Render } from "~/components";
99

10-
Implementation guides provide [step-by-step instructions](/reference-architecture/implementation-guides/) and practical guidance for how to effectively deploy and configure specific solutions or services. Implementation guides are focused on a specific implementation goal.
10+
Implementation guides provide [step-by-step instructions](/reference-architecture/implementation-guides/) and practical guidance for how to effectively deploy and configure specific solutions or services. Implementation guides are focused on a specific implementation goal.
1111

1212
## Zero Trust
1313

1414
- [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/)
1515
- [Replace your VPN](/learning-paths/replace-vpn/)
1616
- [Deploy Zero Trust Web Access](/learning-paths/zero-trust-web-access/)
17+
18+
## Application Security
19+
20+
- [Use mTLS with Cloudflare protected resources](/learning-paths/mtls/)
