Cloudflare Access Hardening


#1

I am attempting to place an ACL on my host that states: Allow - CloudFlare IPs; Deny - Everything. That being said, I am not currently able to access my website after putting a test ACL in place containing just my personal external IP on the deny list. I am starting to wonder if this is because I have the Cloudflare plugin installed on my WordPress site. Doesn’t that plugin enable the forwarding of the original requestor’s IP as opposed to not seeing my IP behind the proxy?

I am learning as I go so please forgive me if I worded this poorly. Thanks for any advice you can provide.


#2

You’re still being proxied. My setup looks like
Fortigate Firewall -> allow CloudFlare and deny everything else. I can still access my pages so I don’t think it’s an ACL issue.

I don’t use mod_cloudflare or any WordPress stuff but afaik the origin IP is sent with the HTTP header to allow your server to restore and log it. Cloudflare IPs are sent via the IP header and that’s what your ACL should care about. Usually.

Do you see the CloudFlare Access login page or do you get a timeout?


#3

I get the Cloudflare Access Login Page, but even my Custom Logo, which is hosted on the same server, is blocked. It is really strange. I guess the origin IP in the HTTP header is enough for my host to deny me.


#4

You wrote that you created a deny policy with your IP. I’d expect this behavior then.
But no one else can access your pages?

If your host would deny access you won’t see the CloudFlare page.

Try the other way round: Edit the policy and remove the deny. Then create a new one, let’s call it “Bypass”
Decision: Bypass
IP Ranges: your current ip
and save.

This should work instantly and you should not see the Access page and be forwarded to your page directly instead.

By the way: what plugin do you use?


#5

I guess that is where I was confused. On the Access page it promotes that you can deny access to your servers from everywhere but cloudflare to fully secure. That being said, why can’t I block my own IP but access my server through the HTTP Proxy?



#6

What they mean is that you need to block everything except cloudflare on your origin or a firewall in front of it to prevent CloudFlare Access from being bypassed by connecting to the origin IP directly or any other DNS name. Many host providers use their own names for their servers like vps12345.hosting-company.com to make it easier for customers to connect to their server. Those DNS names are not protected by cloudflare.

So if you have access to the server firewall, iptables for example, you should block them there. Many hosts provide a UI like Plesk or CPanel where you can set those rules. Basically Cloudflare Access is like a VPN. Everything is denied by default.

Bypass IPs, allowed emails and so on.

To make things a bit more clear:

Test 1 allows direct access to the page if I connect from the 195.x.x.x. IP without email code or use the given email address @gmail.com from everywhere.

Test 2 requires that I log in with the given email address only from 195.x.x.x. When I try to log in from anywhere else I don’t get a code emailed.

Since this is just a playground, I don’t have any Firewall rules on this server. But I think it’s a good example:

With CF Access. (Notice the logout bar on top!?)

And the same server, CF Access bypassed with direct IP access:

So that’s why you should use iptables or whatever you want to allow Cloudflare only :slight_smile:

For sure you could allow everyone to access the pages and deny single IPs or net ranges for example. Let’s say you know your boss is stalking you while he’s at work. Block the office IPs… :joy:
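
The origin-side allowlist described in the post above, as an added example that is not part of the original post: it turns a list of source ranges into iptables commands and only prints them. The chain name `CF-ORIGIN` and the sample ranges are assumptions (RFC 5737 documentation ranges, not Cloudflare's); the real list is the one Cloudflare publishes at https://www.cloudflare.com/ips-v4.

```shell
# Added example: print (not apply) iptables commands that let only the
# listed source ranges reach ports 80/443 on the origin.
# Constructed sample input: RFC 5737 documentation ranges, NOT Cloudflare's.
SAMPLE_RANGES='# one CIDR per line
198.51.100.0/24
203.0.113.0/24   # trailing comment
300.1.1.0/24
not-a-cidr'

# Succeeds only for a well-formed IPv4 CIDR (octets 0-255, prefix 0-32).
valid_cidr() (
  case "$1" in */*) ;; *) exit 1 ;; esac
  addr=${1%/*}; len=${1#*/}
  case "$len" in [0-9]|[0-9][0-9]) ;; *) exit 1 ;; esac
  [ "$len" -le 32 ] || exit 1
  case "$addr" in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
  IFS=.; set -- $addr
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case "$o" in [0-9]|[0-9][0-9]|[0-9][0-9][0-9]) ;; *) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
)

# Reads ranges on stdin and prints rules for a dedicated chain (CF-ORIGIN
# is a hypothetical name). Prints no rules and fails if no range is valid,
# so an empty or broken list can never produce a DROP-only chain.
cf_origin_rules() (
  chain=CF-ORIGIN rules='' n=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
    [ -n "$line" ] || continue
    if valid_cidr "$line"; then
      rules="${rules}iptables -A $chain -s $line -j ACCEPT
"
      n=$((n + 1))
    else
      echo "skipping malformed entry: $line" >&2
    fi
  done
  [ "$n" -gt 0 ] || { echo "no valid ranges, refusing to emit rules" >&2; exit 1; }
  echo "iptables -N $chain"
  printf '%s' "$rules"
  echo "iptables -A $chain -j DROP"
  # Only web ports are steered into the chain; SSH and other ports are untouched.
  echo "iptables -I INPUT -p tcp -m multiport --dports 80,443 -j $chain"
)

printf '%s\n' "$SAMPLE_RANGES" | cf_origin_rules
```

The rules match on the source address of the TCP connection, which for proxied traffic is a Cloudflare address; the visitor's address carried in an HTTP header plays no part in them.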


#7

The CPanel is where I am blocking it.

Thanks,

Joshua Price

817.705.9196


#8

Well then it should work. Are you still having issues?


#9

Yes sir. I can freely remove the policy blocking my IP from Hostinger’s CPanel and regain access, but I never get access through Cloudflare during that time.

Thanks,

Joshua Price

817.705.9196

