From ae3ccffd0fb7eda0193eac517791e0e28d0308a5 Mon Sep 17 00:00:00 2001 From: Simon Thorpe Date: Mon, 2 Dec 2024 09:45:08 -0800 Subject: [PATCH 1/2] New mTLS implementation guide --- .../mtls/concepts/mtls-cloudflare.mdx | 18 ++++++++++-------- src/content/docs/learning-paths/mtls/index.mdx | 7 +++---- .../application-security/index.mdx | 12 ++++++++++++ .../application-security/mtls.mdx | 7 +++++++ .../implementation-guides/index.mdx | 6 +++++- 5 files changed, 37 insertions(+), 13 deletions(-) create mode 100644 src/content/docs/reference-architecture/implementation-guides/application-security/index.mdx create mode 100644 src/content/docs/reference-architecture/implementation-guides/application-security/mtls.mdx diff --git a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx index 5486149bb97f0b1..d7b635564a73b16 100644 --- a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx +++ b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx 
@@ -1,22 +1,24 @@ --- -title: mTLS at Cloudflare +title: Use mTLS with Cloudflare protected resources pcx_content_type: overview sidebar: order: 3 + label: mTLS with Cloudflare --- In this implementation guide we will be focusing on the L7 / Application Layer security for HTTP/S requests targeting [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostnames, including the [first connection](/ssl/origin-configuration/ssl-modes/) between client and Cloudflare. Some common mTLS use cases are: + - Protect and verify legitimate API traffic by verifying Client Certificates provided during TLS/SSL handshakes. - Check IoT devices' identity by verifying Client Certificates they provide during TLS/SSL handshakes. There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](/api-shield/)) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences: -| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) | -| :---- | :---- | :---- | -| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) | -| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. | -| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). 
| -| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. | -| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [*cf.tls\_client\_auth.cert\_revoked*](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. | \ No newline at end of file +| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) | +| :-------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) | +| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. | +| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). 
| +| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. | +| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. | diff --git a/src/content/docs/learning-paths/mtls/index.mdx b/src/content/docs/learning-paths/mtls/index.mdx index 67cadcd502d8cda..004a01d7d392167 100644 --- a/src/content/docs/learning-paths/mtls/index.mdx +++ b/src/content/docs/learning-paths/mtls/index.mdx @@ -1,15 +1,14 @@ --- -title: mTLS at Cloudflare +title: Use mTLS with Cloudflare protected resources type: developers-site new_learning_path: true pcx_content_type: learning-path head: - tag: title - content: mTLS at Cloudflare + content: Use mTLS with Cloudflare protected resources description: Safeguarding APIs and devices on Cloudflare's network. - --- -import { LearningPath } from "~/components" +import { LearningPath } from "~/components"; diff --git a/src/content/docs/reference-architecture/implementation-guides/application-security/index.mdx b/src/content/docs/reference-architecture/implementation-guides/application-security/index.mdx new file mode 100644 index 000000000000000..ad1274cc58d71ee --- /dev/null +++ b/src/content/docs/reference-architecture/implementation-guides/application-security/index.mdx @@ -0,0 +1,12 @@ +--- +title: Application Security +pcx_content_type: navigation +--- + +import { Description, DirectoryListing, Render } from "~/components"; + +Application security implementation guides walk you through the steps to secure your public applications, devices and APIs with Cloudflare. + +## Application Security + +- [Use mTLS with Cloudflare protected resources](/learning-paths/mtls/) 
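Review bot: the "Client Certificates Revocation" row of the reformatted table in `mtls-cloudflare.mdx` still carries a hard line break and a blank line inside the cell (`...which only applies to Cloudflare-managed CA.` / blank line / `For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a ...`), and a blank line terminates a Markdown table, so the rest of that cell and the whole Cloudflare Access column for this row render as loose paragraphs below the table; the column-width padding applied by the formatter does not fix this. Join the two sentences into a single cell, or, since the file is MDX, separate them with `<br />`. While touching that row, make explicit that `cf.tls_client_auth.cert_revoked` is only a field the custom rule evaluates and that enforcement comes from the rule's action, because as written the row can be read as if a revoked certificate were rejected at the handshake with no rule configured. Minor: the new `title: Use mTLS with Cloudflare protected resources` needs a hyphen in the compound modifier (`Cloudflare-protected`); the same string is repeated in the three other files of this patch, so fix it everywhere at once.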
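Review bot: in the new `application-security/index.mdx`, `Description`, `DirectoryListing` and `Render` are imported but none of them is used in the body; either drop the import or render `<DirectoryListing />` so the list is generated from the child pages (the sibling `mtls.mdx` added in this patch is exactly such a child) instead of a hand-maintained bullet that duplicates the link already placed in `implementation-guides/index.mdx`. Also, the `## Application Security` H2 repeats the frontmatter `title: Application Security`, so the rendered page will show the heading twice in a row; drop the H2 or give it a distinct name such as `## Guides`.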
diff --git a/src/content/docs/reference-architecture/implementation-guides/application-security/mtls.mdx b/src/content/docs/reference-architecture/implementation-guides/application-security/mtls.mdx new file mode 100644 index 000000000000000..27ee919bd1ead92 --- /dev/null +++ b/src/content/docs/reference-architecture/implementation-guides/application-security/mtls.mdx @@ -0,0 +1,7 @@ +--- +pcx_content_type: navigation +title: Use mTLS with Cloudflare protected resources +external_link: /learning-paths/mtls/ +sidebar: + order: 2 +--- diff --git a/src/content/docs/reference-architecture/implementation-guides/index.mdx b/src/content/docs/reference-architecture/implementation-guides/index.mdx index 9f8dac0873f9876..aa555181cc92b6f 100644 --- a/src/content/docs/reference-architecture/implementation-guides/index.mdx +++ b/src/content/docs/reference-architecture/implementation-guides/index.mdx @@ -7,10 +7,14 @@ sidebar: import { Description, DirectoryListing, Render } from "~/components"; -Implementation guides provide [step-by-step instructions](/reference-architecture/implementation-guides/) and practical guidance for how to effectively deploy and configure specific solutions or services. Implementation guides are focused on a specific implementation goal. +Implementation guides provide [step-by-step instructions](/reference-architecture/implementation-guides/) and practical guidance for how to effectively deploy and configure specific solutions or services. Implementation guides are focused on a specific implementation goal. ## Zero Trust - [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) - [Replace your VPN](/learning-paths/replace-vpn/) - [Deploy Zero Trust Web Access](/learning-paths/zero-trust-web-access/) + +## Application Security + +- [Use mTLS with Cloudflare protected resources](/learning-paths/mtls/) From e6f086b131310576cf02d72f364baa4890a6a4e4 Mon Sep 17 00:00:00 2001 
From: Simon Thorpe Date: Mon, 2 Dec 2024 09:46:30 -0800 Subject: [PATCH 2/2] Update src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- .../docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx index d7b635564a73b16..6f8008624065acc 100644 --- a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx +++ b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx 
@@ -20,5 +20,5 @@ There are two main ways to use mTLS at Cloudflare, either by using the Applicati | Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) | | Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. | | [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). | -| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. | +| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). 
| Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. | | Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
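Review bot: in the new `application-security/mtls.mdx`, `sidebar: order: 2` is set on the only page in the directory; if the intent is to reserve order 1 for the index, a short comment would make that clear, otherwise the value is arbitrary and will puzzle the next person who adds a guide. The stub itself (`external_link: /learning-paths/mtls/` with no body) is consistent with `pcx_content_type: navigation`, but note that the learning-path URL is now hard-coded in three files of this patch (this one, `application-security/index.mdx` and `implementation-guides/index.mdx`), so a rename of the learning path needs all three updated.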
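Review bot: in the `implementation-guides/index.mdx` hunk, the first `-`/`+` pair re-adds the `Implementation guides provide [step-by-step instructions]...` paragraph with identical text, so that change is trailing whitespace only; put it in a separate formatting commit so the substantive change (the new `## Application Security` section) stands on its own in the diff. The new section hand-lists `/learning-paths/mtls/` although the context line two lines above shows `DirectoryListing` is already imported in this file; if the Zero Trust section is intentionally hand-maintained, keep the two consistent, otherwise derive the entry from `application-security/mtls.mdx`.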
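Review bot: in PATCH 2/2, the `-` and `+` lines for the `Client Certificate Details` row are identical as text, so the Hyperlint-suggested change is whitespace or column padding only; the commit message `Update src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx` should say so, or the commit should be squashed into PATCH 1/2, which already reformats this table. The defect that actually needs attention is in the unchanged context directly below this change: the `Client Certificates Revocation` row still splits its cell across a blank line (`...Cloudflare-managed CA.` then `For BYO CAs, ...`), which ends the Markdown table before the last row is complete; that row, not the one edited here, is the one to fix.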