Allow Connections from cloudflare IPs only

I am encountering a problem on my website which is getting clicks on ads without even the ads being displayed on the website. Those scammers are from the UK as per my Adsense Report, I blocked the entire country, but even doing so ad units still getting clicks.

As been mentioned on another platform: People could be bypassing Cloudflare altogether if your server accepts connections from everyone.

Could you please tell how to Allow Connections from cloudflare IPs only?

This is something you will need to configure with your host, are you using a hosting provider? If you are using Nginx see https://serverfault.com/questions/601339/how-do-i-deny-all-requests-not-from-cloudflare

Usually for restricting origin connections to only Cloudflare IPs is done on firewall level on origin server. See https://support.cloudflare.com/hc/en-us/articles/201897700-Allowing-Cloudflare-IP-addresses

You can also do this at web server level via Cloudflare Authenticated Origin Pull certificates which are client TLS verification done on your origin web server https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/. I wrote a guide for my Centmin Mod Nginx users on implementing Cloudflare Authenticated Origin Pull certificates at https://community.centminmod.com/threads/setting-up-cloudflare-authenticated-origin-pulls-protecting-your-origins.13847/

However, the default Cloudflare Authenticated Origin Pull certificates has one flaw - using the provided default Cloudflare CA Root certificate will be verified at your origin correctly for not just your site’s requests but any Cloudflare proxied sites who also use the same default Cloudflare CA Root certificate. So if your real IP is leaked, an attacker can setup their own domain on Cloudflare pointing to your origin leaked IP address and enable Cloudflare Authenticated Origin Pull using default CF CA Root certificate and be able to connect and bypass the protection.

There is workaround for this in that Cloudflare allows you to via CF API only, create your own CA Root certificate and use that to create and sign your own custom client TLS certificate which you upload to Cloudflare via CF API. See CF API documentation for custom hostname client TLS Authenticated Origin Pull certificates at https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull#per-hostname-authenticated-origin-pull-using-customer-certificates-per-hostname

Per-Hostname Authenticated Origin Pull using customer certificates {#per-hostname}

When enabling Authenticated Origin Pull per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. Customers can use client certificates from their Private PKI to authenticate connections from Cloudflare.

The 3 methods outlined for Origin Authenticated Pull

  1. The default method which is can be worked around/flawed - Zone-Level Authenticated Origin Pull using Cloudflare certificates
  2. Using custom CA Root/client TLS at apex domain top level i.e. domain.com - Zone-Level Authenticated Origin Pull using customer certificates
  3. Using custom CA Root/client TLS at custom subdomain level i.e. sub.domain.com - Per-Hostname Authenticated Origin Pull using customer certificates {#per-hostname}

Then instead of using Cloudflare’s CA Root, you use your own custom created CA Root certificate and then Cloudflare edge server requests will pass on and use your custom uploaded client TLS certificate (which is signed by your custom CA Root certificate) to verify against/with your origin which has the custom CA Root certificate. This then ensures only your specifically allowed CF to origin connection is made and verified at your origin server as no other person has access to your custom CA Root and it’s signed custom client TLS certificate which you upload via CF API.

Note: one important note is that you remember to record the id of your custom client TLS uploaded certificate from CF API upload command’s output. The reason is CF does not have an API endpoint to list custom client TLS uploaded certificates. So you won’t be able to update or remove the custom uploaded client TLS certificate without that id.

I create my own custom CA Root certificate/signed client TLS certs for custom hostnames via my own custom scripted process at https://github.com/centminmod/cfssl-ca-ssl (gen-client mode) using Cloudflare’s own cfssl as the underlying tool. The script is also used for my own Centmin Mod Nginx client TLS authentication processes outside of Cloudflare proxied configurations :slight_smile:

3 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.