Authenticated origin pull while DNS is proxied

Do we still need the Authenticated Origin Pull while the DNS records are already proxied, to make sure that all traffic is evaluated before receiving a response from your origin server?

You either need authenticated origin pulls, or you need to verify that the incoming IP (REMOTE_ADDR) is a Cloudflare IP Address. Note that you also need to verify that the HOST header is destined for your hostname (otherwise attackers could add their own website to CF and attack through Cloudflare without activating your CF security settings).
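The two origin-side checks named in the answer above (connecting IP inside Cloudflare's ranges, Host header matching your own hostname), sketched as WSGI middleware. This is an added example, not code from the thread or from Cloudflare: `OriginGuard`, `is_allowed` and `normalize_host` are hypothetical names, the IP ranges are constructed documentation networks standing in for the list Cloudflare publishes, and `mydomain.com` is the placeholder hostname used in the thread.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 / RFC 3849 documentation networks).
# In production, load the ranges Cloudflare publishes at
# https://www.cloudflare.com/ips/ and refresh them periodically.
SAMPLE_EDGE_RANGES = ["192.0.2.0/24", "2001:db8::/32"]
ALLOWED_HOSTS = {"mydomain.com", "www.mydomain.com"}


def normalize_host(host_header):
    """Lower-case the Host header and strip the port and trailing dot."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:443
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:            # name:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def is_allowed(remote_addr, host_header, edge_ranges, allowed_hosts):
    """True only if the TCP peer is in an edge range AND Host is ours."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if getattr(peer, "ipv4_mapped", None):  # ::ffff:a.b.c.d on dual-stack sockets
        peer = peer.ipv4_mapped
    networks = [ipaddress.ip_network(r) for r in edge_ranges]
    from_edge = any(peer.version == n.version and peer in n for n in networks)
    return from_edge and normalize_host(host_header) in allowed_hosts


class OriginGuard:
    """WSGI middleware: answer 403 unless both checks pass."""

    def __init__(self, app, edge_ranges=SAMPLE_EDGE_RANGES, allowed_hosts=ALLOWED_HOSTS):
        self.app, self.ranges, self.hosts = app, edge_ranges, allowed_hosts

    def __call__(self, environ, start_response):
        # Use REMOTE_ADDR (the socket peer). Headers such as X-Forwarded-For
        # are set by the sender and prove nothing on a direct connection.
        if is_allowed(environ.get("REMOTE_ADDR", ""), environ.get("HTTP_HOST"),
                      self.ranges, self.hosts):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]
```

If another reverse proxy or load balancer sits between Cloudflare and the application, `REMOTE_ADDR` is that proxy's address and the check has to run on the first hop that sees the Cloudflare connection.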

@Judge but the DNS is proxied. So, anyone hitting mydomain.com will go through a CF IP.
Am I correct here?

Yes, but that doesn’t protect your IP address itself. If anyone figured out the IP address of your server, whether that be via historical DNS history or whole-internet scanning services like Shodan or Censys, they would be able to request your website without going through Cloudflare. The protections I mention above will prevent this and ensure only Cloudflare-protected traffic can hit your server.


@Judge and what if the site is on a shared server? So, the IP is not just my site.

You’d, likely, not be able to make use of authenticated origin pulls with a shared Web host. However, you could do something like this though:

How to Prevent Cloudflare Bypass on Shared Hosting - oba!press (obapress.com)
