Merge a07009566d into daed515aa7

2026-01-16 23:11:06 +00:00 · 2026-01-10 19:44:53 +00:00 · 2026-01-10 19:44:53 +00:00 · 35eeb7b6e4
commit 35eeb7b6e4
parent daed515aa7 a07009566d
6 changed files with 68 additions and 38 deletions
--- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx
+++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx
@ -12,8 +12,6 @@ import { Render, APIRequest } from "~/components";

 This guide will walk you through how to set up [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls to securely connect to an AWS Application Load Balancer using [mutual TLS verify](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html).

-You can also find instructions on how to [rollback](#rollback-the-cloudflare-configuration) this setup in Cloudflare.
-
 ## Before you begin

 - You should already have your AWS account and [EC2](https://docs.aws.amazon.com/ec2/?icmpid=docs_homepage_featuredsvcs) configured.
@ -104,34 +102,6 @@ Make sure your [encryption mode](/ssl/origin-configuration/ssl-modes/) is set to

 ---

-## Rollback the Cloudflare configuration
+## Roll back the Cloudflare configuration

-1. Use a [`PUT` request](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname.
-
-<APIRequest
-	path="/zones/{zone_id}/origin_tls_client_auth/hostnames"
-	method="PUT"
-	json={{
-		config: [
-			{
-				enabled: false,
-				cert_id: "<CERT_ID>",
-				hostname: "<YOUR_HOSTNAME>",
-			},
-		],
-	}}
-/>
-
-2. (Optional) Use a [`GET` request](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.
-
-<APIRequest
-	path="/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates"
-	method="GET"
-/>
-
-3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded.
-
-<APIRequest
-	path="/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates/{certificate_id}"
-	method="DELETE"
-/>
+<Render file="aop-rollback-hostname-setup" product="ssl" />
--- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx
+++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx
@ -9,7 +9,7 @@ description: Authenticated Origin Pulls helps ensure requests to your origin

 ---

-import { FeatureTable } from "~/components"
+import { FeatureTable, Render } from "~/components"

 Authenticated Origin Pulls (AOP) helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of [Full](/ssl/origin-configuration/ssl-modes/full/) or [Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes.

@ -25,6 +25,11 @@ Although Cloudflare provides you a certificate to easily [configure zone-level a

 Using a custom certificate is possible with both [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls and is required if you need your domain to be [FIPS](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards) compliant.

+:::note
+
+<Render file="aop-disablement-callout" product="ssl" />
+:::
+
 ## Limitations

 Authenticated Origin Pulls does not apply when your [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/) is set to **Off** or **Flexible**.
--- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx
+++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx
@ -67,11 +67,8 @@ You can configure alerts to receive notifications before your AOP certificates e

 <Render file="get-started" product="notifications" />

-:::note
-[Per-hostname AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) and [zone-level AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) are two separate configurations. Disabling zone-level AOP does not disable per-hostname AOP.
-:::
-
-
 ## Further options

 Refer to [Manage certificates](/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates/) for further options.
+
+To learn how to remove the configuration, refer to [Rollback](/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback/).
--- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback.mdx
+++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback.mdx
@ -0,0 +1,18 @@
+---
+pcx_content_type: how-to
+title: Roll back per-hostname AOP
+sidebar:
+  order: 4
+  label: Rollback
+---
+
+import { Render } from "~/components";
+
+If you need to disable or remove your [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) Authenticated Origin Pulls configuration, follow these steps.
+
+:::note
+
+<Render file="aop-disablement-callout" product="ssl" />
+:::
+
+<Render file="aop-rollback-hostname-setup" product="ssl" />
--- a/src/content/partials/ssl/aop-disablement-callout.mdx
+++ b/src/content/partials/ssl/aop-disablement-callout.mdx
@ -0,0 +1,5 @@
+---
+{}
+---
+
+[Zone-level AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) are two separate configurations. Disabling one does not disable the other.
--- a/src/content/partials/ssl/aop-rollback-hostname-setup.mdx
+++ b/src/content/partials/ssl/aop-rollback-hostname-setup.mdx
@ -0,0 +1,35 @@
+---
+{}
+---
+
+import { APIRequest } from "~/components";
+
+1. Use a [`PUT` request](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname.
+
+   <APIRequest
+   	path="/zones/{zone_id}/origin_tls_client_auth/hostnames"
+   	method="PUT"
+   	json={{
+   		config: [
+   			{
+   				enabled: false,
+   				cert_id: "<CERT_ID>",
+   				hostname: "<YOUR_HOSTNAME>",
+   			},
+   		],
+   	}}
+   />
+
+2. (Optional) Use a [`GET` request](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.
+
+   <APIRequest
+   	path="/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates"
+   	method="GET"
+   />
+
+3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded.
+
+   <APIRequest
+   	path="/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates/{certificate_id}"
+   	method="DELETE"
+   />