Authenticated requests from Pages

Description

GitLab Pages + a low-cost CDN (e.g. CloudFlare / KeyCDN) provides an excellent, cheap solution for serving small static sites globally over HTTPS. However, it'd be even better to have the assurance that only the CDN is able to directly access the origin server.

  • CloudFlare has an option for "authenticated origin pulls", which with e.g. an nginx server is configurable using ssl_client_certificate + ssl_verify_client.

  • KeyCDN can set an X-Pull header specifying a PSK.

Proposal

Provide the option for Pages sites to demand client verification with either (A) client certificates or (B) the presence of a specific HTTP header key/value combination.

Links / references

  • CloudFlare: authenticated origin pulls
  • CloudFlare: recommended nginx config for the above
  • KeyCDN: "X-Pull" headers
  • nginx: SSL module docs
Edited Aug 25, 2025 by 🤖 GitLab Bot 🤖
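
One way the two options in the proposal could look in a Go HTTP server, as an added example (not GitLab Pages code and not from the issue author). The function names, the sample PSK and the CA PEM input are assumptions; an unset PSK fails closed.

```go
// Added example, not GitLab Pages code; names and the PSK are constructed.
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Option (B): reject requests whose header lacks the pre-shared value.
func requireHeaderPSK(name, psk string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get(name))
		if psk == "" || subtle.ConstantTimeCompare(got, []byte(psk)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Option (A): TLS config that only completes handshakes for clients
// presenting a certificate signed by the CDN's CA (PEM supplied by caller).
func clientCertTLS(cdnCAPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(cdnCAPEM) {
		return nil, fmt.Errorf("no CA certificate found in PEM input")
	}
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}, nil
}

// statusFor sends one request through the header check and returns the status.
func statusFor(headerValue string) int {
	site := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "static site") })
	h := requireHeaderPSK("X-Pull", "constructed-sample-psk", site)
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("X-Pull", headerValue)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("constructed-sample-psk"), statusFor("wrong"), statusFor(""))
}
```

The header check only holds if the CDN-to-origin hop is HTTPS, since the PSK travels in the request; the client-certificate option enforces the restriction at the TLS handshake instead.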