Tunnel HTTPS ssl_verify_client not working
Hello, I am new to networking and have recently set up a simple WSGI Flask server with an nginx reverse proxy at the front. I want some extra protection and DNS help, so I put a Cloudflare Tunnel in front of nginx. I got everything working in HTTP. However, I want to encrypt the user data with HTTPS. To do so I went to the tunnel and changed it to use the HTTPS protocol. I followed this guide https://www.digitalocean.com/community/tutorials/how-to-host-a-website-using-cloudflare-and-nginx-on-ubuntu-22-04 . I also found this guide too, but didn't do the API step since I think I already did this in the dashboard when creating the certs: https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/#2-configure-origin-to-accept-client-certificates.
When I set ssl_verify_client to optional, the Cloudflare proxy works awesome and HTTPS is established. However, I can still access the website without going through Cloudflare by directly typing in the IP address and port. It connects with HTTPS but insecurely, i.e. the cert is not valid, like it's self-authenticated, like when you go to a sketchy website and Google asks if you want to continue. When I set ssl_verify_client to on, it returns an "nginx 400 400 Bad Request No required SSL certificate was sent". I am so confused as to what I am doing wrong. Could anyone help? Am I not able to treat a tunnel like an origin server? If so, then why do the Origin CA certs work? Also, to note, when I turn off No TLS Verify it gives me the same 400 error when I do optional.
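As an added configuration example (not part of the original post, and not Cloudflare's or nginx's own sample config), here is how the two situations the post describes map onto nginx directives. Two background facts drive it: Cloudflare Origin CA certificates are trusted only by Cloudflare's edge, not by browsers, which is why hitting the IP directly gives the "sketchy website" warning; and `ssl_verify_client on` makes nginx refuse any TLS client that does not present a certificate chaining to `ssl_client_certificate`, which is exactly the "400 No required SSL certificate was sent" error. With a Tunnel, the connection nginx sees comes from the cloudflared connector running on the host, not from Cloudflare's edge; this example assumes that connector does not present the Authenticated Origin Pulls client certificate (consistent with the 400 the post reports), so it keeps the tunnel listener local instead and reserves AOP for an origin Cloudflare's edge reaches directly. All paths, ports and hostnames are assumptions.

```nginx
# Added example, not from the original post. Paths, ports and names are
# assumed; substitute your own.

# 1. Tunnel path. cloudflared runs on the same host and opens its own
#    connection to nginx, so this vhost only needs to be reachable locally.
#    Binding to 127.0.0.1 is what stops "typing in the IP address and port"
#    from reaching the Flask app at all; the Origin CA cert is fine here
#    because only Cloudflare ever validates it.
server {
    listen 127.0.0.1:8443 ssl;        # assumed port; deliberately not 0.0.0.0
    server_name example.com;          # assumed hostname

    ssl_certificate     /etc/nginx/ssl/origin.pem;   # Cloudflare Origin CA cert (assumed path)
    ssl_certificate_key /etc/nginx/ssl/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass         http://127.0.0.1:8000;    # WSGI/Flask app (assumed port)
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}

# 2. Authenticated Origin Pulls path, for an origin that Cloudflare's edge
#    reaches directly over the public internet (no tunnel in between).
#    "ssl_verify_client on" rejects any client without a certificate that
#    chains to ssl_client_certificate, so a direct connection from a browser
#    fails the handshake instead of reaching the app.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/origin.pem;
    ssl_certificate_key /etc/nginx/ssl/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # CA that signs Cloudflare's origin-pull client certificate (assumed
    # path; fetch the CA per the Cloudflare AOP docs linked in the post).
    ssl_client_certificate /etc/nginx/ssl/cloudflare-origin-pull-ca.pem;
    ssl_verify_client      on;

    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}

# 3. Debugging variant for block 2: keep the handshake permissive but deny
#    unauthenticated requests at the HTTP layer. This turns nginx's 400 into
#    a 403 you control and lets you log $ssl_client_verify to see which
#    clients actually send a certificate ("SUCCESS", "NONE", or "FAILED:...").
#    Replace the two ssl_*client lines in block 2 with:
#
#     ssl_client_certificate /etc/nginx/ssl/cloudflare-origin-pull-ca.pem;
#     ssl_verify_client      optional;
#     if ($ssl_client_verify != SUCCESS) { return 403; }
```

Note that `ssl_verify_client optional` on its own (the setting that "works awesome" in the post) only asks for a certificate; it never rejects a client that sends none, so it provides no protection against direct access by itself. The `$ssl_client_verify` check in variant 3 is what turns optional into an actual gate, and it is also a quick way to confirm, from nginx's side, whether the tunnel connector is presenting a client certificate at all.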