(NOTE: This is mostly a PSA, as it was a misconfig on my part that opened this up)
Context
I’m working on a new website (well, technically a rebuild of an old website) for someone using WordPress. To isolate it, I’m using Docker to run each instance and I have nginx set up to proxy-pass traffic based on the hostname to the appropriate docker container. To allow us to iterate on the site until he’s happy with it, I’ve made a “staging” instance and set it up so that it is accessible using a Cloudflare Tunnel with email auth required (I do love how easy it is for me to set up a basic “if you’re on the list you can auth” and move on)
The hole I found
We had a log show up that made it clear that someone (other than me and the friends helping him out) had access to the server (specifically, they submitted the contact form).
I started digging into the nginx logs and came to the conclusion that the traffic was coming in using the non-staging domain name (weird).
Turns out (and this is obvious in hindsight), if you set up Cloudflare Tunnel, but then ALSO open your firewall ports to the public (which I did in prep for the “go live day”), someone can easily curl to your public IP (http://###.###.###.###) with a header set for the Host to the domain name nginx is looking for → and nginx will gladly act as if it got the request through normal DNS resolution.
(and…, turns out I had a misconfig where requesting “productionsite .com” from the server would return the staging site due to having my staging docker container listening on both ports…)
What I did
For now, it’s easy enough → close off the firewall. Anyone that is supposed to have access should be going through 0 Trust anyways.
For future…, well I plan to open 80 and 443 back up when production goes live, but we’ll have to do some more digging into how to block parts of the site when not coming from localhost (where Cloudflare Tunnel is running)
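One way to do that “block parts of the site when not coming from localhost” at the nginx layer, as an added example (this is not the poster’s config, and the hostnames, loopback container ports and the assumption that cloudflared runs on the same host and talks to nginx over 127.0.0.1 are all placeholders):

```nginx
# Added example, not the original poster's nginx config. Assumes:
#   - cloudflared runs on this host and reaches nginx on 127.0.0.1
#   - the staging WordPress container is published on 127.0.0.1:8081
#   - the production WordPress container is published on 127.0.0.1:8080
#   - staging.example.com / example.com are placeholder hostnames

# 1. Catch-all: a request whose Host header matches none of the
#    server_names below (e.g. a raw-IP request with a guessed Host)
#    is dropped. 444 is nginx-specific: close the connection, send nothing.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4: no certificate needed here
    return 444;
}

# 2. Staging: only reachable through the tunnel. cloudflared is the only
#    legitimate client and it connects from loopback, so deny everyone
#    else even while 80/443 are open on the host firewall.
server {
    listen 80;
    server_name staging.example.com;

    allow 127.0.0.1;
    allow ::1;
    deny  all;                 # public IP + "Host: staging.example.com" -> 403

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# 3. Production: public once the firewall opens, matched by explicit name only,
#    so it never answers for the staging hostname and vice versa.
server {
    listen 80;
    server_name example.com www.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, the check is the same request that revealed the hole: `curl -sI -H 'Host: staging.example.com' http://<your-public-ip>/` should now get an empty reply (the 444 path) or a 403 from the `deny all`, while the tunneled URL still loads after the Access login. If cloudflared runs in its own container rather than on the host, the `allow` line needs that container’s address instead of 127.0.0.1. Separately, publishing container ports as `127.0.0.1:8081:80` rather than `8081:80` keeps the WordPress containers off the public interface entirely; Docker inserts its own iptables rules for published ports, so a host-level firewall like ufw does not necessarily cover them, which is worth re-checking with `docker ps` after any refactor.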
Lessons learned
- Maybe don’t open ports until you’re actually ready to go live
- 0 Trust only handles the traffic that’s going over it
- Double check what ports your containers are listening on after doing a refactor