From 93bbc1e045c0eeaae49a79f35741d35ac4a5050c Mon Sep 17 00:00:00 2001 From: Manuel de Brito Fontes Date: Tue, 24 Oct 2017 22:18:23 -0300 Subject: [PATCH] Add note for certificate authentication in Cloudflare --- docs/user-guide/annotations.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/user-guide/annotations.md b/docs/user-guide/annotations.md index 2d44f5c6f..133062307 100644 --- a/docs/user-guide/annotations.md +++ b/docs/user-guide/annotations.md @@ -149,6 +149,17 @@ The URL/Page that user should be redirected in case of a Certificate Authenticat Please check the [tls-auth](../examples/auth/client-certs/README.md) example. +**Important:** + +TLS with Client Authentication is NOT possible in Cloudflare as is not allowed it and might result in unexpected behavior. + +Cloudflare only allows Authenticated Origin Pulls and is required to use their own certificate: +https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/ + +Only Authenticated Origin Pulls are allowed and can be configured by following their tutorial: +https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls + + ### Configuration snippet Using this annotation you can add additional configuration to the NGINX location. For example:
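Review bot: The first added sentence under "**Important:**" is ungrammatical and leaves the actual restriction unclear: "TLS with Client Authentication is NOT possible in Cloudflare as is not allowed it and might result in unexpected behavior." Please reword it so it says who disallows what, for example "Cloudflare does not allow TLS client authentication; enabling it might result in unexpected behavior." It would also help to state which setup the note covers. The next two added paragraphs repeat the same point ("Cloudflare only allows Authenticated Origin Pulls ..." and "Only Authenticated Origin Pulls are allowed ..."). Consider merging them into one sentence that says Authenticated Origin Pulls is the only supported option, that it requires Cloudflare's own certificate, and that links to both the blog post and the NGINX tutorial. The two URLs are added as bare links, while the unchanged line just above uses Markdown link syntax ("[tls-auth](../examples/auth/client-certs/README.md)"), so matching that style would keep the page consistent. The hunk also adds two blank lines before "### Configuration snippet" where one is enough.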