By: Sakit Atakishiyev user 14 Jul 2017 at 3:18 a.m. CDT

17 Responses
Hi. We use [cloudflare](https://www.cloudflare.com). But we have a problem when our users choose to log in with an ID card (certificate). To enable asking users for a certificate, which side should we configure? `cloudflare`, or should we add some configuration to `gluu server` for this?

By Mohib Zico staff 14 Jul 2017 at 5:40 a.m. CDT

Your question is not clear. What kind of setup have you configured with them? Is it SP/RP? We can't comment much about Cloudflare, but whatever IDP you want to use for authentication, you need to choose that server's certificate.

By Sakit Atakishiyev user 14 Jul 2017 at 5:58 a.m. CDT

Ok, let me explain. We have a custom `cert` script, which has 3 steps. When the user chooses this login type, the browser asks the user for a valid certificate on step 2. If we don't use cloudflare, everything is ok. But when we activate cloudflare, the browser doesn't ask the user for a valid certificate on step 2, and login fails because there is no certificate on the request header. Now my question is: is there anything on the gluu side we should configure for this?

By Mohib Zico staff 14 Jul 2017 at 6:01 a.m. CDT

Ok, thanks for the clarification. I think it's a custom cert-based login script you are using (most probably). You can see the issue (from the Gluu server side) in the oxauth_script log.

By Sakit Atakishiyev user 14 Jul 2017 at 6:03 a.m. CDT

I checked the log. The problem is on step 2, where I read the certificate from the request header. Because there is no certificate on the request header, login failed. The script is correct, because when we deactivate cloudflare everything is ok.

By Mohib Zico staff 14 Jul 2017 at 6:14 a.m. CDT

The log should have something. As we are unable to reproduce the issue locally, we can't tell what's wrong where.

By Sakit Atakishiyev user 14 Jul 2017 at 6:19 a.m. CDT

Mohib, as I told you, the problem is related to configuration. Let me share some configuration from our `gluu server` and `cloudflare`.

By Sakit Atakishiyev user 14 Jul 2017 at 6:34 a.m. CDT

This is our `apache configuration` on the gluu server:

```apache
<LocationMatch /oxauth/cert-login>
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions -StdEnvVars +ExportCertData
    # Forward certificate to destination server
    RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
</LocationMatch>
```

On the `cloudflare` side we enabled `Authenticated Origin Pulls` and our ssl mode is `Full(strict)`. Now if we deactivate cloudflare and connect directly to our website over the origin ip, there is no problem: the browser asks for a valid certificate and sends it to our OP (step 2). On step 3 we try to read this certificate and authorize the user. But if cloudflare is active, the web browser does not ask the user for a certificate, so on step 3 we cannot read the certificate because there is no selected certificate. Is it clear now?
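As an added illustration (not code from this thread or from Gluu), this is how the step-3 read of the `X-ClientCert` header that the Apache snippet above forwards can be done so that it fails closed: the header is absent exactly when TLS terminates at Cloudflare and no browser certificate reaches the origin. The `extract_client_cert` function, the `headers` dict and the sample DER blob are constructed for this example.

```python
import base64
import re

# Header name set by the Apache snippet in the post above.
CERT_HEADER = "X-ClientCert"
PEM_RE = re.compile(r"^-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----$", re.S)


def pem_body(value):
    """Apache folds the multi-line PEM from %{SSL_CLIENT_CERT}s onto one header
    line (newlines become spaces); return the base64 payload either way."""
    match = PEM_RE.match(value.strip())
    return "".join(match.group(1).split()) if match else None


def der_length_ok(der):
    """Minimal DER sanity check: a certificate is a SEQUENCE (tag 0x30) whose
    declared length must cover exactly the rest of the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def extract_client_cert(headers):
    """Return ("ok", der_bytes), ("missing", None) or ("malformed", None).
    `headers` is a dict of request headers as the login script sees them.
    An absent header is what the origin sees when a CDN terminates TLS and
    does not forward the browser's certificate: fail closed, never fall through."""
    value = headers.get(CERT_HEADER)
    if value is None or not value.strip():
        return ("missing", None)
    body = pem_body(value)
    if body is None:
        return ("malformed", None)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return ("malformed", None)
    return ("ok", der) if der_length_ok(der) else ("malformed", None)


# Constructed sample input (not a real certificate): a 5-byte DER
# SEQUENCE { INTEGER 1 }, folded onto one line the way Apache emits it.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_HEADER = "-----BEGIN CERTIFICATE----- MAMCAQE= -----END CERTIFICATE-----"
```

Because `RequestHeader set` overwrites any `X-ClientCert` a client sends, the header is trustworthy only when the application is reachable solely through that Apache. With `SSLVerifyClient optional_no_ca` Apache does not check the issuer, so chain and identity validation still belong in the script and are not shown here.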

By Mohib Zico staff 14 Jul 2017 at 6:37 a.m. CDT

Thanks, but still the same question: how can we reproduce the issue from this side?

By Sakit Atakishiyev user 14 Jul 2017 at 6:42 a.m. CDT

Ok, just try this. Cloudflare is free; just register your domain on cloudflare, then try to log in with a certificate. I think in this case you can reproduce this problem.

By Mohib Zico staff 14 Jul 2017 at 6:48 a.m. CDT

Alright. Wouldn't we need your script as well?

By Sakit Atakishiyev user 14 Jul 2017 at 6:49 a.m. CDT

No, the default `cert` script is ok, just enable it.

By Mohib Zico staff 14 Jul 2017 at 6:57 a.m. CDT

Awesome! Thanks much!!

By Mohib Zico staff 21 Sep 2017 at 8:58 a.m. CDT

Hi Sakit, how do you instruct Cloudflare to use cert login? In my dashboard... I see only these [screenshot attached]

By Sakit Atakishiyev user 24 Sep 2017 at 8:42 a.m. CDT

Hi Mohib. Unfortunately Cloudflare does not support what we need, so we don't use Cloudflare.

By Mohib Zico staff 24 Sep 2017 at 8:49 a.m. CDT

Ok, thanks for confirmation.

By Sakit Atakishiyev user 24 Sep 2017 at 8:57 a.m. CDT

Let me share this information also. The Cloudflare team will add this feature in the new version. After that we can configure it on the cloudflare side and use cloudflare and gluu at the same time. If someone needs both of them, just wait for the new version of cloudflare :)

By Dusan Vlajkovic user 08 Apr 2020 at 7:41 a.m. CDT

Hi there, I'd like to follow up on the thread above as I haven't found documentation anywhere. We use Gluu in production as the IDP for multiple WordPress instances and a Salesforce instance, with SAML2 as the protocol. Is it realistic to put Cloudflare in front of our Gluu as a reverse proxy, to add a layer of protection? Is there any documentation on this and/or on benefits/adverse effects? Thanks, Dusan