Cloudflare Origin and ProScan HTTPS server

johndball

Hi folks,

I'm trying to configure ProScan HTTPS using a Cloudflare Origin certificate and it is failing. I pinged Bob via email and he suggested that I open a thread here but followed up a bit later asking if there were any error messages. This is what I replied with and I'm hoping somebody has gotten this to work.

Hi Bob,

No rush on this. It has been on my back burner for a while. Yes, I am receiving an error on the HTTPS Web Server page of ProScan.

The goal here is to allow access to the ProScan server on my DMZ only from users that are forced through Cloudflare. This is achieved through various methods, but it boils down to restricting access to the ProScan server only through Cloudflare-supplied IPv4 subnets and securing it through a Cloudflare Origin certificate/connection. I have this working on a few servers already but not with ProScan.

The requirement for this is running a Cloudflare Origin Certificate on the server using a Cloudflare-provided public and private key pair, although I could supply my own CSR to Cloudflare if ProScan allowed for CSR generation. The Origin Certificate is a certificate supplied by Cloudflare that runs on the local web server and will only allow communication between Cloudflare and the server. Think of it as a client certificate. Cloudflare has a blog post on this feature from 2014: Introducing CloudFlare Origin CA

The challenge is that the ProScan server will accept the certificate but does not recognize the certificate as valid. Cloudflare will generate for me a public and private key pair which I've added to the server, but the result is that I receive a Valid "False" error message in ProScan. My gut tells me it has something to do with the domain checking that is done on the certificate, but without a deep knowledge of ProScan's programming, I can only guess.

I’ve attached a few screenshots for reference.
Attachments: ProScan Origin not working.png, ProScan self-signed working.png, Cloudflare Origin public-private pair.png, Cloudflare Origin cert creation.png, Cloudflare origin settings.png

ProScan

Can you do an online search for 'x509 cert validator' and see what that shows? ProScan doesn't actually check if a cert is valid. Windows does that.

johndball

> Can you do an online search for 'x509 cert validator' and see what that shows? ProScan doesn't actually check if a cert is valid. Windows does that.
It decodes as:
  • Issued To: O=CloudFlare, Inc., OU=CloudFlare Origin CA, CN=CloudFlare Origin Certificate
  • Issued By: C=US, O=CloudFlare, Inc., OU=CloudFlare Origin SSL Certificate Authority, L=San Francisco, ST=California
  • Serial Number: 42 xx xxxx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 64
  • Issued On: Sat Jun 28 2025 11:22:00 GMT-0400 (Eastern Daylight Time)
  • Expires On: Sun Jun 24 2040 11:22:00 GMT-0400 (Eastern Daylight Time)
  • SHA-256 Fingerprint: x1 xx xx x5 64 d1 fx 5x 61 xx xx 1d be fx xx xx x5 xx 4x xf xx fx xb fb xx xe 5x xx c1 xx 4x c5
  • SHA-1 Fingerprint: dx 3x xx ax 8d x8 f9 fx x8 xc x8 xx x4 8x 93 x9 xx xx xx xx

* Intentionally replaced some alphanumeric characters with "x"

webstar22

You could also do all this with CloudFlare tunnels, let them worry about the cert. Also, no need to open incoming ports to ProScan. DMZ or Not.

ProScan

I don't think anything can be done in ProScan. ProScan uses the System.Security.Cryptography.X509Certificates.X509Certificate2 class, which has a Verify() method. That is coming back false with the cert you provided.

Perhaps find another online validator that shows if the cert is valid or not.

BinaryMode

I don't think Cloudflare Tunnel will allow that kind of traffic from ProScan, unless that's HTTP. Cloudflared (the daemon) only allows things like HTTP and SSH and some other stuff.

If you're not using Cloudflare Tunnel, which I'm assuming you're not since you DMZed the whole thing (not a good idea), you still might not be able to do this unless this is HTTP-type traffic. Or you could go into your SSL/TLS settings and choose Flexible and see if that changes Origin cert validation.

Yeah, Cloudflare's origin Cert is like self-signed or something. I'd have to check my own.

There's always ZeroTier, but that's limited in scope to you and a few people you add to your ZeroTier configuration. There's also Twingate.

If this can work with Cloudflare, then Cloudflare tunnel is the way to go. It means you don't have to port forward or use the DMZ... You can host a website at home and no one can find your origin IP address. Even though you are using Cloudflare now, I'm sure your origin is exposed. Tell me your website name and I'll probably be able to tell you your home IP address. There is a method to do this properly, and many websites don't, yet think everything is fine because they are sitting behind Cloudflare. It has to be done right!

johndball

Hi folks, thanks for all of the replies and the offers of support. Some additional background:

Public IP: I have two dedicated blocks of business IPs: one via Starlink and another via another ISP. Everything for this is being routed through the other ISP because Starlink doesn't do true public IP. The origin on this is not exposed, but you can query the hostnames if you'd like: scanner.johndball.com is the host which is a CNAME for gateway01dmz04.johndball.com

DMZ: As it relates to the DMZ, the setup is secure (or would be if I could route traffic through Cloudflare). The ProScan web server sits in its own /30 network and there is a DMZ network segment carved out for all public-facing web servers in use. Most of my DMZ zones share a WAN IP that serves about four-ish servers (some zones more, others less). Combined with Cloudflare Access, NSGs, and firewall rules only allowing inbound traffic from Cloudflare IPv4 subnets, authentication and access would be forced through Cloudflare. It isn't an "unsecure" setup, just a "less secure" setup since anything public-facing/public-access has inherent risks. This isn't hosted on a home network but rather a business network with dedicated connectivity that I own... well, technically lease from a major ISP.

Cloudflare Origin Certificate: @ProScan - would it be possible to modify the "Verify()" method to allow for an Origin certificate installation? Some way to allow the web server to run even if the validation failed on the certificate check? It would push the failure to the client that is trying to establish the connection. In the case of the Cloudflare Origin certificate, it would successfully allow the tunnel connection from Cloudflare. I've also deployed page rules to step down the SSL from STRICT to FULL and FLEXIBLE but the browsers (Edge, Chrome, Firefox) still choke even with the page rule deployed to the top of the stack. That one is a little wonky, but Cloudflare support is going to immediately point a finger at the ProScan software so I'd rather not involve their support team for now.

Cloudflare Tunnel: This might be the push I need to get Cloudflare Tunnels up and running. To date, I have various servers reverse proxied through Amazon and Azure. Not the case in the ProScan instance, mainly due to troubleshooting and eliminating failure points during setup, but moving to Cloudflare Tunnel for ProScan might be the route to go if the Cloudflare Origin certificate won't install. I haven't had success in previous deployments due to port limitations, but I'll give it a try for ProScan and this dedicated server. TBH, I'd rather have the Origin Certificate working but I'm at the mercy of the developers.

ProScan

> Cloudflare Origin Certificate: @ProScan - would it be possible to modify the "Verify()" method to allow for an Origin certificate installation? Some way to allow the web server to run even if the validation failed on the certificate check? It would push the failure to the client that is trying to establish the connection. In the case of the Cloudflare Origin certificate, it would successfully allow the tunnel connection from Cloudflare. I've also deployed page rules to step down the SSL from STRICT to FULL and FLEXIBLE but the browsers (Edge, Chrome, Firefox) still choke even with the page rule deployed to the top of the stack. That one is a little wonky, but Cloudflare support is going to immediately point a finger at the ProScan software so I'd rather not involve their support team for now.
Send me a suggestion. I'll put it on the list.

If you have suggestions, send an email to support@proscan.org. One suggestion per email. The advantage of email is that I can ask additional questions to make sure the suggestion is done right and send you the latest ProScan file with the suggestion implemented. Put "suggestion" or "request" in the Subject line.

Suggestions are given a higher priority and more likely to get done when received via email initially.

johndball

> Send me a suggestion. I'll put it on the list.
>
> If you have suggestions, send an email to support@proscan.org. One suggestion per email. The advantage of email is that I can ask additional questions to make sure the suggestion is done right and send you the latest ProScan file with the suggestion implemented. Put "suggestion" or "request" in the Subject line.
>
> Suggestions are given a higher priority and more likely to get done when received via email initially.

I appreciate the reply on a Sunday. :)
I sent a suggestion via email and attached a sample Origin certificate for review.

BinaryMode

Cloudflare Tunnel doesn't need an open port, and it'll work with Starlink. Though, with that you'll probably have high latency. With Cloudflare Tunnel the beauty is no port forwarding needed. And no iptables and firewalls and whatnot to mess with. The only WAF you need to mess around with is at the Cloudflare level in your dashboard. When you use Tunnel ALL traffic HAS to go through Cloudflare so it reaches your origin. I take that back, you will need a layer 7 WAF on your origin server.

Instead of messing with a page rule, go to the actual SSL/TLS options and try Flexible.

@ProScan According to Shodan you have several vulnerabilities relating to TLS/SSL and LDAP. Might want to update those...

johndball

Thanks, @BinaryMode. RE: Page rules - I can't change my site-level SSL/TLS option to flexible. It will impact a dozen or so servers that are production facing. Best I can do is fiddle with page rules and try to step down the SSL/TLS options on this one server. However, I've been working with ProScan via an email support ticket and I have a test version of the ProScan.exe which allowed me to import the Origin Certificate and fire up the server. Unfortunately, this week is a pretty high traffic week with festivities and duty calls so testing this will have to go on hold after tomorrow. I'll look into Tunnels again in the near future.

Chasing a rabbit and at the risk of straying off of the original thread, Shodan.io free is great. Shodan.io Corporate is awesome. Even their other priced packages are pretty good. Hardenize is another good tool as well as SSLlabs.

ndebaggis

> Thanks, @BinaryMode. RE: Page rules - I can't change my site-level SSL/TLS option to flexible. It will impact a dozen or so servers that are production facing. Best I can do is fiddle with page rules and try to step down the SSL/TLS options on this one server. However, I've been working with ProScan via an email support ticket and I have a test version of the ProScan.exe which allowed me to import the Origin Certificate and fire up the server. Unfortunately, this week is a pretty high traffic week with festivities and duty calls so testing this will have to go on hold after tomorrow. I'll look into Tunnels again in the near future.
>
> Chasing a rabbit and at the risk of straying off of the original thread, Shodan.io free is great. Shodan.io Corporate is awesome. Even their other priced packages are pretty good. Hardenize is another good tool as well as SSLlabs.

Does the Windows machine running your ProScan have the entire Cloudflare Origin root CA chain installed? Anchored link to the CA root chain topic:

You might try installing that so the .NET API on the box can validate your Origin certificate directly. You'd install the PEM file into the LocalMachine\Root certificate store. You can do this from an elevated (Administrator) PowerShell prompt after downloading the PEM file:

Code:
Import-Certificate -FilePath C:\temp\origin_ca_ecc_root.pem -CertStoreLocation Cert:\LocalMachine\Root\

Give that a shot, it's pretty quick to install the cert. If it doesn't work it's easy enough to remove it as well.

BinaryMode

> Chasing a rabbit and at the risk of straying off of the original thread, Shodan.io free is great. Shodan.io Corporate is awesome. Even their other priced packages are pretty good. Hardenize is another good tool as well as SSLlabs.

Check out Censys as well. And then there's AlienVault. LevelBlue - Open Threat Exchange. Beyond that there's Masscan and a few other things...

johndball

Found some time between meetings to work on this step. Camera off/mic mute meetings are the best. I'm up and running. Few AAR/items to reflect on:
  1. Running a custom version of the ProScan software (24.0.2.0), the Cloudflare Origin certificate shows as valid and the web server starts. Thank you, @ProScan !
  2. I had completely overlooked adding the Cloudflare Origin CA certificates to the Windows trusted root store. I never missed this step on Linux... guess I need to go back to my comfort zone and get off of Windows. Cloudflare origin CA. Thank you @ndebaggis !
  3. Hitting the server locally and bypassing Cloudflare over the web (direct to origin) worked after these changes, but proxying a custom port through Cloudflare still failed even though Cloudflare documentation has a list of supported non-standard web ports that are supposed to work. I can confirm that some of these ports are not working through the proxy: Network ports. Once I removed the custom port and went direct with 443, ProScan loaded over the web.
In summary, it was no single item above that prevented the server from loading through Cloudflare, but all of these items and each one was discovered once the thread was pulled more and more.

Now I'm off to mess around with Tunnels. :) with the prod and nudge from @BinaryMode @webstar22
Attachments: Screenshot 2025-07-02 082336.png

ndebaggis

> Found some time between meetings to work on this step. Camera off/mic mute meetings are the best. I'm up and running. Few AAR/items to reflect on:
>   1. Running a custom version of the ProScan software (24.0.2.0), the Cloudflare Origin certificate shows as valid and the web server starts. Thank you, @ProScan !
>   2. I had completely overlooked adding the Cloudflare Origin CA certificates to the Windows trusted root store. I never missed this step on Linux... guess I need to go back to my comfort zone and get off of Windows. Cloudflare origin CA. Thank you @ndebaggis !
>   3. Hitting the server locally and bypassing Cloudflare over the web (direct to origin) worked after these changes, but proxying a custom port through Cloudflare still failed even though Cloudflare documentation has a list of supported non-standard web ports that are supposed to work. I can confirm that some of these ports are not working through the proxy: Network ports. Once I removed the custom port and went direct with 443, ProScan loaded over the web.
> In summary, it was no single item above that prevented the server from loading through Cloudflare, but all of these items and each one was discovered once the thread was pulled more and more.
>
> Now I'm off to mess around with Tunnels. :) with the prod and nudge from @BinaryMode @webstar22

@johndball I'm curious, does it still work if you revert ProScan back to the non-custom release version? If so, then Bob @ProScan should be able to revert the change: "I changed the ChainPolicy to AllowUnknownCertificateAuthority"...
 
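To make the Verify() / ChainPolicy discussion in this thread concrete, here is an added example (not ProScan's code) that checks an Origin certificate three ways from a .NET 5+ console app: the system-store check that returned "Valid: False", the AllowUnknownCertificateAuthority relaxation from the test build, and a pinned check that trusts only the Cloudflare Origin CA root without touching the Windows root store. The file paths are hypothetical; the root PEM is the one named in ndebaggis's post (use the RSA root instead if your Origin certificate was issued with an RSA key).

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example, not ProScan's implementation. Requires .NET 5 or later.
static class OriginCertCheck
{
    // Hypothetical paths: the Origin cert/key pair Cloudflare issued, and the Origin CA root PEM.
    const string ServerCertPath = @"C:\temp\origin_cert.pem";
    const string ServerKeyPath  = @"C:\temp\origin_key.pem";
    const string OriginRootPath = @"C:\temp\origin_ca_ecc_root.pem";

    // 1. What a plain X509Certificate2.Verify() call does: build a chain against the
    //    Windows Root store. With the Origin CA absent from that store this is false,
    //    which is the "Valid: False" seen in the release build.
    static bool VerifyWithSystemStore(X509Certificate2 cert) => cert.Verify();

    // 2. The relaxation quoted in the thread. Signature, validity period and basic
    //    constraints are still checked, but a chain ending in ANY unknown root now
    //    passes, so this accepts far more than just the Cloudflare Origin CA.
    static bool VerifyAllowUnknownRoot(X509Certificate2 cert)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // keep the example offline
        return chain.Build(cert);
    }

    // 3. Pin trust to the Origin CA root only. Nothing else is trusted, and the
    //    machine's root store is neither consulted nor modified.
    static bool VerifyAgainstOriginRoot(X509Certificate2 cert, X509Certificate2 originRoot)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(originRoot);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // keep the example offline
        bool ok = chain.Build(cert);
        foreach (X509ChainStatus s in chain.ChainStatus)          // explain any failure
            Console.WriteLine($"  chain status: {s.Status} {s.StatusInformation}");
        return ok;
    }

    static void Main()
    {
        X509Certificate2 cert = X509Certificate2.CreateFromPemFile(ServerCertPath, ServerKeyPath);
        var root = new X509Certificate2(File.ReadAllBytes(OriginRootPath));
        Console.WriteLine($"Verify() via Windows root store:  {VerifyWithSystemStore(cert)}");
        Console.WriteLine($"AllowUnknownCertificateAuthority: {VerifyAllowUnknownRoot(cert)}");
        Console.WriteLine($"CustomRootTrust (Origin CA root): {VerifyAgainstOriginRoot(cert, root)}");
    }
}
```

On a box where the Origin CA root has not been imported, the first line prints False and the other two print True; after the Import-Certificate step from earlier in the thread, all three print True.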

johndball

> @johndball I'm curious, does it still work if you revert ProScan back to the non-custom release version? If so, then Bob @ProScan should be able to revert the change: "I changed the ChainPolicy to AllowUnknownCertificateAuthority"...
It does not work. The ProScan web server does not start as it flags the Origin certificate as an invalid certificate.