I’ve started using Cloudflare and to make the connection from the client through Cloudflare and then to my server (origin) secure, I enabled SSL Full (Strict) with Origin CA and “Always use HTTPS” in the Couldflare side.
My server is in AWS and I included in the Security Group at port 443 the Cloudflare IPs to be the only ones to access my server, except for a subdomain that is gray cloud and uses a port that is blocked for everyone except for a specific IP, and SSH (the same; these are used for admin access).
So it seems safe to assume that only Cloudflare requests will reach my server (the only open port (to Cloudflare) is 443, the other ports are for admin access restricted by IP).
There are 2 possible problems with this solution:
The gray cloud in the subdomain exposes the server ip (assuming someone tries to acess the subdomain). I don’t mind to much with this, but it would be great to solve it (in a simple way).
Although non Cloudflare ips can’t access the site, there is the possibility in which Cloudflare IPs access my site but not coming from my Cloudflare account.
So I would like to block not only non-Cloudflare accesses, but also Cloudflare accesses that are not coming from my domain (specified in my Cloudflare account).
Is there some way to do that?
I thought about enabling “Authenticated Origin Pulls”, but it seems I just include some generic Cloudflare certificate that is the same for all Cloudflare users, and that would only block non-Cloudflare accesses, but some Cloudflare malicious user could still access my site directly from their Cloudflare account/domain.
This means that the “Authenticated Origin Pulls” would not be better than the security groups that I already use (actually, the security group would be better because it would block the traffic before reaching the machine).
Is there some way to use “Authenticated Origin Pulls” per client/domain/account or similar?
Or is there some other way to achive that (without installing third party apps/packages in my server)
You probably use for that subdomain because…it’s not HTTP or it’s a port that Cloudflare won’t proxy. When I want to do this, I access it directly by IP, not subdomain, so I don’t need that DNS entry.
I’ve thought this, as I have a similar setup. I think it’s safe. A properly configured server only responds to an approved domain name(s). Someone sets up their Cloudflare account to point fraudDOTcom to your IP address, but your server will reject that request because it’s not listening for that domain.
Authenticated Origin pulls aren’t much different from what you should already have: A properly configured server (only listening for your domain) and only accepting requests from Cloudflare (as configured by your firewall).
I prefer subdomains because I can add some security group rule to a private port like 12345 to only allow access from a specific IP, then I could have subdomains sub1, sub2 and sub3 to be private and access it with https://sub1.domain.com:12345, etc… Then I just need to define a rule for 1 port, I access through HTTPS, but want to make sure that no one outside access these domains. The subdomain makes it more practical to add different functionalities without adding (and securing) new ports, although accessing by IP would add a layer of security.
(But truth be told, I don’t think someone would discover the subdomains so easily, and if they discovered, why can’t they also discover the IP from other means? So I don’t consider this as a big problem.)
From what I see someone in Cloudflare can create a page rule to change the host header, so they can make a request to one domain and make it like a request from that other domain directly through Cloudflare:
In the article it says it’s only available to Enterprise users, so I think very few people will use, let alone someone with bad purposes. Even so, this seems like a security breach in that regard (because I can’t be sure that the access to my site was really through my domain in Cloudflare). Or is there something I’m overlooking?
From what I see in this comment from someone in the Cloudflare team, it doesn’t allow to override the host header, for security reasons:
Then it was created a feature to override the host header if both the URL and the value to override are orange clouded in the domain, which seems safe to me:
But in the end I don’t know if the first article I mentioned (it’s recent, about 10 days ago) allows for someone to override the host header in any way they want using page rules. I haven’t seen that page rule (Host Header Override) but I’m not an enterprise user. Can someone give a clarification about it?
@sdayman Yes, I saw the Cloudflare Access, but although I’ve said “I”, it can actually be more people to access (few people tough). $3 per user is a bit to much, and in any case the block by Ip seems enough for me.
About the header not being overriden, I tought so too, although in the article it doesn’t clarify about that, but allowing any domain to rewrite the host header seems like a security issue to me and I think is more plausible that the rewrite is limited to domains in the account, like you said.
On the other hand, what @KentonVarda stated seems to relate to Resolve Override, not to Host Header Override. I see both of them in the Page Rules Article (you can search for any of them, they’re together in the Enterprise plan), so I guess they’re different things.
In any case, I will consider that a Cloudflare user isn’t able to send a request directly to my domain with my domain in the Host header, and will mark your answer as the solution, but it would be great some official information that changing the Host header to a Cloudflare domain in another account is really not possible.
If the request comes from Cloudflare (authenticated by IP or by Authenticated Origin Pull), and the Host header matches your hostname, you can assume the request came through your Cloudflare zone and has had your security settings applied.
The “Host Header Override” page rule is only available to trusted enterprise customers, and we monitor its usage. We do not permit it to be abused to bypass another customer’s security settings.
With that said, you can get even better security here by using Argo Tunnel. With this product, your server is not exposed to the internet at all – instead, the server makes a private outgoing connection to Cloudflare and receives requests from that. In this case, you don’t need to check the Host header at all.
(Note that Cloudflare Access is not a solution to your particular problem.)