Can we put the Cloudflare WAF after our on-prem load balancer

pwebber · August 23, 2021, 6:15pm

Can we put the Cloudflare WAF after our on-prem load balancer? Can we just point our load balancer to the CDN URL provided? The flow would be like this:

On Prem Load Balancer → Cloudflare WAF → Website

Right now we can load the website in this flow. But wondering if we can turn on the WAF?

Judge · August 23, 2021, 6:19pm

Technically possible, but you’ll be losing out on stuff like Cloudflare’s IP reputation and you might even tank your LB’s IP reputation in the process; since Cf can’t be configured to accept custom x-forwarded-for, any malicious traffic will be attributed to your LB and your LB itself might even get blocked for too many repeated malicious requests or too many requests per second.

pwebber · August 23, 2021, 6:24pm

Interesting, I’ll take those concerns back to the team. Totally makes sense. If we did want to proceed doing this, What parts do we need to configure? Do we need to verify our domain with a txt record? Will the WAF just know to filter for the CDN url provided?

Judge · August 23, 2021, 6:36pm

You would still need to set up your domain within Cloudflare regularly; if you don’t want your DNS managed by Cloudflare, you’d need to go with a CNAME setup on the business plan.

Now, (regardless of if you use a CNAME setup) you would create the correct DNS record in Cloudflare pointing to your origin IP, and your LB would then forward requests to your Cloudflare CNAME/Cloudflare IP addresses using the hostname www.example.com.cdn.cloudflare.net but with the correct SNI and Host header for your website. an example with curl:

$ curl --resolve www.judge.sh:443:`dig +short www.judge.sh.cdn.cloudflare.net | head -1` https://www.judge.sh
<!doctype html>

This will run the WAF assuming you have the Pro plan or better and WAF is enabled. But again, you won’t be benefiting from Cloudflare’s IP reputation scores, which stop a lot of known bad actors from requesting your site.

Plus, this method is really a hack - Cloudflare makes no guarantees for this and I imagine you’d throw support for a loop if you ever had problems with CF or the WAF.

pwebber · August 23, 2021, 6:46pm

Thanks so much, I’m going to dig into this a bit more based on your comments. This helps a lot!

erictung · August 24, 2021, 2:09am

Also, you won’t be able to mitigate DDoS attacks since all traffic routes to your LB first.

system · August 27, 2021, 2:09am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Troubles adding website where DNS is not in CloudFlare Getting Started	4	537	October 14, 2023
Load balancer IP address Getting Started	5	3620	July 7, 2021
Question with existing onpremise dns server and cloudflare dns DNS & Network	7	3671	June 7, 2022
Load Balancer - Domain DNS values Website, Application, Performance dns , loadbalancing	1	2460	April 4, 2018
Using Cloudflare WAF on a subdomain not hosted in Cloudflare Security	3	3358	August 8, 2022

Can we put the Cloudflare WAF after our on-prem load balancer

Related topics