#How do I only allow my subdomain to contact my server with mTLS?

The feature us called "Authenticated Origin Pulls" - you will need to upload your own cert to achieve what you want.

Woah alright will check it out thanks for the tip

I've been looking all day can you plz give me a hint, I am tired

I used origin certificates correctly but I still can connect to my server using the server url directly and not my sub domain.

You haven't shared what you did, so how would I know what you did wrong?

So I created an origin certificate, and installed it on my bitnami httpd apache server serving wordpress...

And that's it, I checked the CN and it says correctly cloudflare

And I turned off port 80

But I can still access the EC2 intance directly

That doesn't sound like you followed the guide for Authenticated Origin Pulls at all.

https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/

This is what you did?

Or this even?
https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/

So from what I understood,

• I created an origin certificate.
• I installed them on my apache server.
• I added:

SSLCACertificateFile /path/to/origin-pull-ca.pem```
BUT I CAN STILL ACCESS THE DAMNED EC2 SERVER DIRECTLY!!!!!

exhausted

I got it to work but all of cloudflare can access my server

but I cannot do it directly

now I want per hostname

update