Cloudflare-hosted domain aliasing mine without consent

Hello Cloudflare Community!

I’ve encountered an intriguing and troubling situation related to my website that uses Cloudflare for DNS proxy. I recently noticed that requests from a different domain (whose DNS is hosted on Cloudflare) appear to be aliasing my website. By aliasing I mean that browsing to this other domain is identical in every way to browsing to my domain, as I can see the requests in both my Nginx logs as well as my application server logs.

What’s puzzling is that my Nginx configuration explicitly uses the server_name directive for my domain in the server{} clause and has a proper 301 redirect from HTTP to HTTPS. Additionally, my SSL setup uses the ssl_client_certificate from Cloudflare and ssl_verify_client is set to ‘on’ and I use strict SSL in my Cloudflare config. Despite these measures, it seems that this other domain is somehow able to still forward its requests to my domain.

I was able to thwart this to some extent by having nginx look for this other domain in the $http_referrer and returning a 403. However, I feel this is a weak fix as referrers can be spoofed or the domain can be changed to bypass this.

Key Questions:

  1. How is any of this possible with my domain only listening on 443 and using the Cloudflare client cert verification?
  2. Is it possible for the owner of this other domain to spoof the Host header to make it look like the requests are coming from my domain?
  3. Are there any other ways that this other domain could be forwarding its traffic to my domain that I might not be aware of? It appears that Cloudflare supports URL forwarding, can this be the culprit?
  4. What additional technical measures beyond referrer checking can I implement in my Nginx configuration to mitigate this issue and protect my website from being aliased?
  5. Is the owner of this other domain violating any Cloudflare policies doing this since they too have their DNS hosted on Cloudflare?

Thank you all for your time and assistance!
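An Nginx layout that answers question 4, added here as an example and not part of the original post or the Cloudflare reply: a catch-all default server owns port 443 and drops any Host or SNI name that is not ours, so a request reaching the origin under another zone's name is never picked up by the site block (without such a catch-all, the only server block handles every name regardless of server_name). example.com, the certificate paths and the upstream address are placeholders.

```nginx
# Catch-all: any Host/SNI name not listed in another server block lands
# here and is dropped. default_server makes this the fallback for :443.
server {
    listen 443 ssl default_server;
    server_name _;
    # A certificate is needed to finish the TLS handshake; a self-signed
    # placeholder is fine because this block never serves content.
    ssl_certificate     /etc/nginx/certs/catchall.crt;        # placeholder path
    ssl_certificate_key /etc/nginx/certs/catchall.key;        # placeholder path
    return 444;   # close the connection without a response
}

# The real site: only requests whose Host matches these names get here.
server {
    listen 443 ssl;
    server_name example.com www.example.com;                  # placeholder names
    ssl_certificate     /etc/nginx/certs/example.com.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;     # placeholder path

    # Authenticated Origin Pulls: the shared Cloudflare CA proves the
    # request came through Cloudflare, not which zone it came from, so
    # this setting alone does not stop another zone from reaching us.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;  # placeholder path
    ssl_verify_client on;

    # Belt and braces: drop a mismatched Host even inside this block.
    if ($host !~* ^(www\.)?example\.com$) {
        return 444;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;                     # placeholder upstream
    }
}

# Plain HTTP: redirect only our own names; anything else is dropped.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

This assumes the other zone forwards the visitor's own hostname to the origin; if the Host header is rewritten to match yours, a Host check cannot tell the two apart.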

Absent an enterprise plan, not that I am aware of.

No.

See the link above, there are a lot of great options, some more difficult than others.

You could certainly file an abuse complaint. Abuse approach - Cloudflare

