Block port 22 except for certain IPs

The insurance company is requiring that we block SSH (port 22) access except to authorized users. I could do this on my cloud-based server, but then if my IP changes, I’ll get locked out. I would like to do this through Cloudflare in a way that is easier for my dev team to manage.

My thought is to block port 22 on the server except to Cloudflare IPs (since it’s proxied). Then, in Cloudflare, restrict connections on port 22 to specific IPs. This way, if my IP changes, I can just go into Cloudflare and update it.

• Is this the best approach?
• If so, how do I configure this and what plan is required?
• Do I need to use Spectrum for this?
• Or, should I be going this direction: [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/)

Any insight is appreciated!

Cloudflare won’t proxy traffic for non-HTTP applications unless you use Spectrum (pro account + paid add-on option needed for a single SSH connection).

Best solution is to use zero trust with a Cloudflare tunnel and WARP for general use, but as you said, you need a fail-safe action to get in if the tunnel goes down. We have 3 allowlisted static IPs as fallback (only used for break-glass situations) that can access the hypervisor or VM SSH ports and so can fix things that way. Does your host offer any sort of web terminal you can use to get in if needed if you don’t have a static IP you can allowlist?

Thank you for the response! This is very helpful.

We use Digital Ocean and while they have a console in the control panel to access the server, the origin IP of the connection to the console changes each time you connect, so it seems that could be a problem. Although, maybe we could allowlist all Digital Ocean IPs too.
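The break-glass design in the reply above (SSH on the origin reachable only from a few static allowlisted IPs, with the tunnel and WARP for everyday use) and the follow-up idea of allowlisting a whole provider range can both be expressed as a small allowlist generator. The script below is an added example, not code from any poster in this thread nor from Cloudflare or DigitalOcean. It validates the allowlist, refuses prefixes wide enough to turn "allowlist" into "allow all", checks that the admin's own current IP is on the list before the ruleset is applied (the lockout the original question worries about), and renders an nftables ruleset that leaves port 22 open only to loopback (cloudflared connects to 127.0.0.1:22 from the same host) and to the allowlisted addresses. The IP addresses are constructed RFC 5737 documentation addresses; the /16 breadth threshold, the table name `ssh_guard` and the set name `break_glass` are assumptions, and IPv6 is deliberately out of scope.

```python
"""Break-glass SSH allowlist generator (added example, not from the thread)."""
import ipaddress

# Constructed example allowlist: RFC 5737 documentation addresses, not real hosts.
BREAK_GLASS_ALLOWLIST = [
    "203.0.113.10",      # admin static IP 1
    "203.0.113.11",      # admin static IP 2
    "198.51.100.0/29",   # a small static block, e.g. an office router
]

# Assumed policy threshold: anything wider than a /16 is refused, because a typo
# such as 0.0.0.0/0 would silently open port 22 to the whole internet.
MAX_PREFIX_SIZE = 2 ** 16


def parse_allowlist(entries):
    """Validate and normalise allowlist entries into a sorted list of IPv4 networks.

    Raises ValueError on unparsable input, non-IPv4 input, an empty list
    (which would lock everyone out) or a prefix broader than MAX_PREFIX_SIZE.
    Duplicates are collapsed via the set.
    """
    nets = set()
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 is handled here: {raw}")
        if net.num_addresses > MAX_PREFIX_SIZE:
            raise ValueError(f"prefix too broad for a break-glass list: {raw}")
        nets.add(net)
    if not nets:
        raise ValueError("an empty allowlist would lock everyone out")
    return sorted(nets)


def allowlist_problem(entries):
    """Return why the allowlist is unsafe as a string, or None if it is acceptable."""
    try:
        parse_allowlist(entries)
    except ValueError as exc:
        return str(exc)
    return None


def is_allowed(src_ip, nets):
    """True if the connecting address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)


def check_no_lockout(current_admin_ip, nets):
    """True only if the admin applying the ruleset would still be able to get in."""
    return is_allowed(current_admin_ip, nets)


def render_nftables(nets, ssh_port=22):
    """Render an nftables ruleset restricting ssh_port to loopback and the allowlist.

    Loopback stays open because cloudflared (the tunnel daemon) connects to
    127.0.0.1:ssh_port from the same host; any other source is dropped.
    """
    elements = ", ".join(net.with_prefixlen for net in nets)
    return f"""table inet ssh_guard {{
    set break_glass {{
        type ipv4_addr
        flags interval
        elements = {{ {elements} }}
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        iifname "lo" tcp dport {ssh_port} accept
        ip saddr @break_glass tcp dport {ssh_port} accept
        tcp dport {ssh_port} drop
    }}
}}
"""


if __name__ == "__main__":
    nets = parse_allowlist(BREAK_GLASS_ALLOWLIST)
    # Constructed: the IP the admin is connecting from right now.
    if not check_no_lockout("203.0.113.10", nets):
        raise SystemExit("refusing to render a ruleset that would lock you out")
    print(render_nftables(nets))
    # Save the output to ssh_guard.nft and load it with: nft -f ssh_guard.nft
```

The same `is_allowed` check is what you would run before widening the list to a provider's published ranges: feed the candidate CIDRs through `parse_allowlist` and the breadth check will tell you whether "allowlist all Digital Ocean IPs" is really a narrow exception or a large chunk of address space.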
