Cloudflare Updates


#1

I know Cloudflare are always updating and bringing out new functions, but is there anything exciting we can look forward to for 2017?

I am very much looking forward to the new app system coming in June! What’s been your favorite update from Cloudflare so far, and why?


#2

Hi,

I like to use the Cloudflare IP geolocation feature to prevent brute force attacks on my WordPress login page.


#3

Yeah, the GeoIP stuff is great. Makes it really easy to restrict access to a site by just inspecting the header and using a rewrite, etc.

I’m looking forward to the CAA record becoming available. Was supposed to be in beta last week, I think? The combo of the API and CAA will be really useful for locking down SSL cert registration. E.g. if you’re a Let’s Encrypt user you could script it so that you add their CAA data to your record, get the cert issued, then lock the CAA record back down again behind you by removing them. Super useful.


#4

@saul I think adding CAA records every 90 days solely to get Let’s Encrypt certificates is not a good idea. You should at least add the records in a way that lets you keep them. In particular, some clients may cache DNS queries, or changes may take a while to propagate, and visitors might encounter trouble depending on how clients treat the flag value in the record.

That aside, applying example.com. IN CAA 0 issue "letsencrypt.org" actually means anyone else still may issue certificates, though. I’d advise deciding which CAs you really want to use and adding something like

example.com. IN CAA 128 issue "caname.tld"
example.com. IN CAA 0 iodef "mailto:[email protected]"

At least this is a safe implementation, and it is how CAA is supposed to be used: only the specified CAs are permitted to issue certificates, and if there has been a request to any other CA and it failed, it would usually email you at the specified mail address.
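To make the record semantics being debated above concrete, here is an added example (my own code, not from any post in this thread or from Cloudflare) that evaluates a CAA record set the way a CA is required to under RFC 8659: walk from the requested name up through its parents until a CAA set is found, let issuewild override issue for wildcard names, and refuse issuance if a record carries the critical flag (128) with a tag the CA does not understand. The zone below is constructed for illustration; the owner names, the CA domain "caname.tld", the "futuretag" tag and the mailbox are all placeholders, and the line parser assumes the zone-file layout used in this thread (no TTL field).

```python
# Added example: evaluates CAA records the way a CA must under RFC 8659.
# The zone data below is constructed for illustration; it is not a real zone.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the "critical" flag
    tag: str     # "issue", "issuewild", "iodef", or something newer
    value: str   # for issue/issuewild: CA domain, optionally followed by ";param=value"


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(zone_text):
    """Parse zone-file style lines such as
    'example.com. IN CAA 0 issue "letsencrypt.org"' into {owner: [CAA, ...]}.
    Assumes the layout used in the thread: owner, class, CAA, flags, tag, value."""
    zone = {}
    for raw in zone_text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        owner, _cls, rtype, flags, tag, value = line.split(None, 5)
        if rtype.upper() != "CAA":
            raise ValueError("not a CAA record: %s" % line)
        record = CAA(int(flags), tag.lower(), value.strip().strip('"'))
        zone.setdefault(owner.rstrip(".").lower(), []).append(record)
    return zone


def relevant_caa_set(zone, name):
    """RFC 8659 section 3: the relevant set is the first non-empty CAA RRset
    found walking from the name itself up through each parent.
    Returns (owner, records), or (None, []) when no ancestor carries CAA."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value):
    """The CA identity is the value up to the first ';'; anything after it is
    a parameter. An empty domain (value of just ';') means no CA may issue."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca):
    """Would the CA identified by `ca` be permitted to issue for `name`?
    `name` may be a wildcard such as '*.example.com'."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _owner, records = relevant_caa_set(zone, base)
    if not records:
        return True  # no CAA anywhere up the tree: CAA imposes no restriction
    # A critical record whose tag this CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild overrides issue for wildcard names; otherwise issue applies.
    controlling = issuewild if (wildcard and issuewild) else issue
    if not controlling:
        return True  # only iodef (or nothing relevant) present: no restriction
    return ca.lower() in {issuer_domain(r.value) for r in controlling}


# Constructed sample zone, modelled on the kinds of records discussed here.
SAMPLE_ZONE = parse_caa('''
example.com.        IN CAA 0   issue     "comodoca.com"
example.com.        IN CAA 0   issue     "letsencrypt.org"
example.com.        IN CAA 0   issuewild ";"
example.com.        IN CAA 0   iodef     "mailto:hostmaster@example.com"
locked.example.com. IN CAA 128 issue     "caname.tld"
odd.example.com.    IN CAA 128 futuretag "whatever"
''')


if __name__ == "__main__":
    checks = [("www.example.com", "letsencrypt.org"),
              ("www.example.com", "digicert.com"),
              ("*.example.com", "letsencrypt.org"),
              ("locked.example.com", "letsencrypt.org"),
              ("odd.example.com", "caname.tld"),
              ("example.net", "anyca.example")]
    for n, c in checks:
        print("%-22s %-16s -> %s" % (n, c, may_issue(SAMPLE_ZONE, n, c)))
```

Two points the sample zone brings out: a subdomain with its own CAA set (locked.example.com) is governed by that set alone, so the parent's Let’s Encrypt entry does not reach it; and an issuewild record whose value is just ";" blocks wildcard issuance by every CA, while the parent's issue records still control non-wildcard names. Feeding the evaluator a single 0 issue "letsencrypt.org" record shows that, under these rules, an issue record set permits only the CAs it lists.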


#5

@cricsus: You raise interesting points.

I already have my more permanent records in place, such as those needed by Cloudflare Universal SSL (comodoca, digicert, etc.).

In the short term I will continue with my idea of a temporary LE addition to those more permanent records prior to the LE issuance (obviously there will be a grace period > TTL between the CAA alteration and the cert renewal request), unless you have any other idea as to how you could stop a malevolent webmaster generating certs for a domain using ACME well-known authentication? To me this seems a simple ‘belt and braces’ security method and didn’t seem to contravene expected CAA usage.

My LE certs are only used so I can retain Cloudflare strict SSL across my whole domain, even where I have transient and less important subdomains used for testing, etc., where I don’t want to pay for backend certs and don’t want a Cloudflare Origin cert.