I’ve started using Cloudflare and, to make the connection from the client through Cloudflare and then to my server (origin) secure, I enabled SSL Full (Strict) with Origin CA and “Always use HTTPS” on the Cloudflare side.
My server is in AWS, and in the Security Group I included the Cloudflare IPs at port 443 as the only ones allowed to access my server, except for a subdomain that is gray cloud and uses a port that is blocked for everyone except for a specific IP, and SSH (the same; these are used for admin access).
So it seems safe to assume that only Cloudflare requests will reach my server (the only open port (to Cloudflare) is 443, the other ports are for admin access restricted by IP).
There are 2 possible problems with this solution:
1. The gray cloud in the subdomain exposes the server IP (assuming someone tries to access the subdomain). I don’t mind this too much, but it would be great to solve it (in a simple way).
2. Although non-Cloudflare IPs can’t access the site, there is the possibility that Cloudflare IPs access my site without coming from my Cloudflare account.
So I would like to block not only non-Cloudflare accesses, but also Cloudflare accesses that are not coming from my domain (specified in my Cloudflare account).
Is there some way to do that?
I thought about enabling “Authenticated Origin Pulls”, but it seems I just include some generic Cloudflare certificate that is the same for all Cloudflare users, and that would only block non-Cloudflare accesses, but some malicious Cloudflare user could still access my site directly from their Cloudflare account/domain.
This means that the “Authenticated Origin Pulls” would not be better than the security groups that I already use (actually, the security group would be better because it would block the traffic before reaching the machine).
Is there some way to use “Authenticated Origin Pulls” per client/domain/account or similar?
Or is there some other way to achieve that (without installing third-party apps/packages on my server)?
Thanks for your great work!