Authenticated Origin Pulls (AOP)

Checks whether Cloudflare presented a valid client certificate to this origin — i.e. whether AOP is active for aop.pimenta.fun.

The origin runs Apache with SSLVerifyClient optional and exposes the verification result via response headers (X-AOP-Client-Verify). This page reads them and reports below. With SSLVerifyClient require, non-Cloudflare traffic is rejected outright (400).

Checking…

Reading origin TLS client-auth headers.

Details

X-AOP-Client-Verify

…

Client cert subject

…

Client cert issuer

…

CF-Ray

…

Test from the CLI

# Through Cloudflare (AOP on): Cloudflare presents its cert -> origin accepts
curl -sI https://aop.pimenta.fun/ | grep -i x-aop-client-verify
#   -> X-AOP-Client-Verify: SUCCESS

# Direct to the origin, bypassing Cloudflare: no CF client cert is sent
curl -sI --resolve aop.pimenta.fun:443:<ORIGIN_IP> https://aop.pimenta.fun/ | head
#   optional mode -> X-AOP-Client-Verify: NONE
#   require  mode -> 400 No required SSL certificate was sent

What the result means

SUCCESS — Cloudflare presented a certificate the origin trusts. AOP is working.
NONE — no client cert was presented: AOP is off in Cloudflare, the record isn't proxied (grey cloud), or you reached the origin directly.
FAILED / mismatch — a cert was sent but didn't validate against the configured origin-pull CA.

AOP setup steps →