Cloudflare: Implement Authenticated Origin Pulls
- Implement Authenticated Origin Pulls.
- This needs to be implemented in both HAProxy (gprd, gstg) and nginx (ops, etc.).
- This makes sure that only Cloudflare can connect to our HAProxy instances.
- However, this does not offer protection from volumetric attacks against our origin, which is why we set up Cloudflare with dedicated load balancers whose IPs were never exposed in DNS. So at least there is no targeted way for an attacker to know which IP we utilize within the GCP IP ranges.
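
A sketch of the HAProxy side of this change, added here as an illustration and not taken from the project's configuration. The file paths, frontend/backend names and backend address are placeholders, and the CA file is assumed to hold the origin-pull CA certificate that Cloudflare publishes.

```haproxy
# Added example: all paths, names and addresses below are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # Before: any client that can reach the IP and complete TLS is served.
    # bind :443 ssl crt /etc/haproxy/ssl/site.pem

    # After: the TLS handshake is aborted unless the client presents a
    # certificate that chains to the CA in ca-file (Cloudflare's
    # origin-pull CA, saved locally).
    bind :443 ssl crt /etc/haproxy/ssl/site.pem ca-file /etc/haproxy/ssl/cloudflare-origin-pull-ca.pem verify required

    # Cloudflare's shared origin-pull certificate only proves the request
    # came through the Cloudflare network, not through a particular zone,
    # so hostname checks on the origin still matter.
    default_backend web

backend web
    server web1 127.0.0.1:8080
```

On the nginx hosts the equivalent pair of directives is `ssl_client_certificate` (pointing at the same CA file) and `ssl_verify_client on;`.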