Can we put the Cloudflare WAF after our on-prem load balancer

Can we put the Cloudflare WAF after our on-prem load balancer? Can we just point our load balancer to the CDN URL provided? The flow would be like this:

On Prem Load Balancer → Cloudflare WAF → Website

Right now we can load the website in this flow. But wondering if we can turn on the WAF?

Technically possible, but you’ll be losing out on stuff like Cloudflare’s IP reputation and you might even tank your LB’s IP reputation in the process; since Cf can’t be configured to accept custom x-forwarded-for, any malicious traffic will be attributed to your LB and your LB itself might even get blocked for too many repeated malicious requests or too many requests per second.

1 Like

Interesting, I’ll take those concerns back to the team. Totally makes sense. If we did want to proceed doing this, What parts do we need to configure? Do we need to verify our domain with a txt record? Will the WAF just know to filter for the CDN url provided?

You would still need to set up your domain within Cloudflare regularly; if you don’t want your DNS managed by Cloudflare, you’d need to go with a CNAME setup on the business plan.

Now, (regardless of if you use a CNAME setup) you would create the correct DNS record in Cloudflare pointing to your origin IP, and your LB would then forward requests to your Cloudflare CNAME/cloudflare IP addresses using the hostname www.example.com.cdn.cloudflare.net but with the correct SNI and Host header for your website. an example with curl:

$ curl --resolve www.judge.sh:443:`dig +short www.judge.sh.cdn.cloudflare.net | head -1` https://www.judge.sh
<!doctype html>

This will run the WAF assuming you have the Pro plan or better and WAF is enabled. But again, you won’t be benefiting from Cloudflare’s IP reputation scores, which stop a lot of known bad actors from requesting your site.

Plus, this method is really a hack - Cloudflare makes no guarantees for this and I imagine you’d throw support for a loop if you ever had problems with CF or the WAF.

1 Like

Thanks so much, I’m going to dig into this a bit more based on your comments. This helps a lot!

Also, you won’t be able to mitigate DDoS attacks since all traffic routes to your LB first.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.