Empty Host header requests origin ip leak

Is it enough to disable empty Host header requests to prevent origin ip from leaking?

No. And I wouldn’t expect an empty Host header to leak your IP anyway, because such a request (sent to Cloudflare) wouldn’t even hit your server: Cloudflare relies on the Host header to route the request, and therefore this request would not get to your server.

There are many ways of potentially leaking an IP; any unhandled HTTP error could include server details depending on your server’s configuration. Anything that sends an email or makes an outbound request could potentially result in your IP being exposed in some fashion — for example, a forum that allows a user to specify a URL for an avatar upload will most likely cause that server to receive a request from your server for the user-supplied URL.

I am more worried about systems like Censys and Shodan, which are scanning the whole internet.
If the main website is accessible from IPs other than the CF ranges and serves it even without a Host header present, those systems could store the page and the origin IP, which would make it possible for someone to search for my page title, as an example, on censys.io, which would then show the response my origin server sent to Censys plus the origin IP. I assume those systems can’t know the correct Host header, so dropping those requests wouldn’t give them any valuable information.

Yes. And yes. This is really a non-Cloudflare issue as it applies to requests that don’t go through Cloudflare. Even better, set up Authenticated Origin Pulls and your webserver will only answer Cloudflare even if someone goes guessing.

This alone doesn’t completely protect you from a clever individual, but it certainly means scanners won’t stumble across anything unless they’re specifically looking for you.

Looks like nginx will still answer the requests with 400 “No required SSL certificate was sent”.
Doesn’t this still leak the SSL certificate to others who try to connect directly to the origin?
The domain names in the certificate would confirm to them that the server they are looking for is there, I think.

It might, but you can install a default certificate so that the server doesn’t broadcast any particular hostname. An inquisitive user could still connect and make SNI requests randomly looking for a response if they wanted, but they would still be just guessing (or more likely, confirming a guess obtained elsewhere).

You could also restrict connections to those from Cloudflare IP addresses (they do publish such a list), and drop connections to your IP on port 443 that don’t come from a Cloudflare origin. Or go all the way and set up an Argo Tunnel, so that your server is not actually listening for requests coming from the public at all and instead initiates the connection to Cloudflare.

But if a user did have a suspicion about your server’s IP via another leaky mechanism (e.g. password reset email headers, triggering an action that causes your server to connect out, or even something that causes your server to make a DNS request), there is another way to confirm their suspicion: They just DDoS what they suspect is your IP and see if your website suddenly stops working through Cloudflare, if so then they know they found you. This too can be solved, with sufficient redundancy on your side (consider if your server needs to connect out, only do so on IPv4 while serving Cloudflare’s requests via a separate connectivity provider on IPv6).

It all depends whether you want to avoid leaking, or avoid being found, and how motivated someone is to find you.

It sounds like you’ve partially answered your own question. It’s a lot harder for someone to get your origin’s IP address if you use the whitelist model and only allow requests from Cloudflare IP addresses; in particular, if you’ve configured it correctly, Censys and Shodan won’t show open ports on 80 and 443.

Keep in mind that it is almost always possible to determine the underlying origin IP address. While you can certainly make it difficult, it’s unlikely that you’ll be able to make it impossible. You should assume that a skilled or privileged attacker (e.g., a government) can still determine your origin.

Yeah, it starts to make a little more sense now.
Is whitelisting the Cloudflare IP ranges as efficient as using Argo Tunnel for the purpose of keeping the origin’s IP hidden?

Argo Tunnel is a little better, but it can be costly if your site receives a lot of traffic. Neither are perfect, and you should assume that a skilled attacker will be able to obtain your origin IP address no matter what you do.

Just to expand on the excellent info already given - if you whitelist the Cloudflare IP address ranges then the next best thing to do is have your site only reply with your site for the correct host header. I generally set my default vhost as just a blank site so any other requests (i.e. someone adding your server’s IP address to their Cloudflare-hosted domain to get around the IP block) don’t get your site. As already mentioned Authenticated Pulls can further mitigate that.

But wait, I am not sure how it helps to check the Host header in case the origin only replies to Cloudflare’s HTTP requests and drops the rest? If I allowed anyone to send HTTP requests to the origin, then I would see the security benefit of not sending a response to requests without a Host header (like scanners).

If someone does manage to make a request to your IP address directly, perhaps due to a mistake that causes your firewall to stop working as expected, they still won’t see your website. This means that if Censys or Shodan is scanning your server at the time, someone who searches on Censys or Shodan later for your website won’t get any results.

Security in layers!

Let’s say you ran your backend on 203.0.113.10.

If I add an A record to my domain, say www.saul.com, which pointed to that same IP address, then any visitors (inc. Shodan etc.) would successfully connect to your backend via my hostname, as access would still be via Cloudflare and so pass your firewall checks. In this case, anyone visiting www.saul.com would see your site.

If your backend was configured to only display the site when the host header matches and by having a dummy or blank default site, then www.saul.com would just display that instead.

If you’re just trying to anonymise and/or hide your backend IP address it doesn’t add much but in the interest of locking down unauthorised access it’s worth doing IMO.

Shodan scans by IP address; it won’t connect through a domain. The risk with Shodan/Censys is that someone can use those services to determine the origin IP address–but only if you allow traffic from non-Cloudflare IP addresses, don’t validate authenticated origin pulls, and have a catch-all vhost that will serve the website without a Host header. If you’re concerned about origin anonymity, the more layers you have protecting you, the harder it will be for someone to break through them, and the more insurance you have against mistakes.

All that being said, if someone really wants to find your origin IP address, they can. You can make it harder, but you can’t make it impossible.

Also, I am not sure, but I think that even with Authenticated Origin Pulls, if you allow an empty Host header, the SSL certificate could still leak and tell the domain names.

If your server is configured to use SNI, you can have it serve a different certificate for the default vhost.

Yep. Having the vhost for empty Host header requests with some dummy certificates will solve the problem.
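
To tie the pieces of this thread together (the Cloudflare-only allowlist, the blank default vhost, the dummy or withheld certificate for unknown SNI, and Authenticated Origin Pulls), here is an added example of an nginx origin configuration. It is not from any post above or from Cloudflare’s documentation; the hostname example.com, the certificate paths under /etc/nginx/certs/ and the web root are assumptions. The IP ranges are Cloudflare’s published ones at the time of writing and should be regenerated from https://www.cloudflare.com/ips-v4/ and https://www.cloudflare.com/ips-v6/ before use.

```nginx
# Added example, not from the thread. Assumed: hostname example.com,
# certificates under /etc/nginx/certs/, Cloudflare's origin-pull CA saved as
# cloudflare-origin-pull-ca.pem. Syntax-check with: nginx -t -c /path/to/this/file

events { worker_connections 1024; }

http {
    # Layer 1: accept requests only from Cloudflare's edge ranges.
    # Caveat: nginx can only answer with 403 here, so a scanner still sees the
    # port as open. Put the same ranges in the host firewall (nftables, cloud
    # security group) so that 80/443 look closed to Shodan/Censys.
    # Caveat: if you enable ngx_http_realip_module (set_real_ip_from /
    # real_ip_header CF-Connecting-IP), $remote_addr becomes the visitor's
    # address and this list would be checked against the wrong IP; match on
    # $realip_remote_addr via the geo module instead.
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 103.22.200.0/22;
    allow 103.31.4.0/22;
    allow 141.101.64.0/18;
    allow 108.162.192.0/18;
    allow 190.93.240.0/20;
    allow 188.114.96.0/20;
    allow 197.234.240.0/22;
    allow 198.41.128.0/17;
    allow 162.158.0.0/15;
    allow 104.16.0.0/13;
    allow 104.24.0.0/14;
    allow 172.64.0.0/13;
    allow 131.0.72.0/22;
    allow 2400:cb00::/32;
    allow 2606:4700::/32;
    allow 2803:f800::/32;
    allow 2405:b500::/32;
    allow 2405:8100::/32;
    allow 2a06:98c0::/29;
    allow 2c0f:f248::/32;
    deny all;

    # Layer 2: catch-all for any Host / SNI we do not serve, e.g. a scanner
    # with no Host header, or someone pointing their own Cloudflare zone at
    # this IP to get past layer 1. Plain HTTP: drop the connection silently
    # (444 is an nginx-specific "close without responding").
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 444;
    }

    # TLS catch-all. With nginx >= 1.19.4, ssl_reject_handshake aborts the
    # handshake before any certificate is sent, so an unknown SNI (or no SNI)
    # learns nothing, not even a dummy hostname. On older nginx, replace that
    # line with ssl_certificate / ssl_certificate_key pointing at a
    # self-signed certificate whose subject names nothing of yours.
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;
        return 444;
    }

    # Layer 3: the real site, reached only with the correct SNI and Host.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name example.com www.example.com;

        ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/example.com.key;

        # Authenticated Origin Pulls: Cloudflare presents a client certificate
        # issued by its origin-pull CA; any other client gets nginx's
        # 400 "No required SSL certificate was sent".
        ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;
        ssl_verify_client on;

        root  /var/www/example.com;
        index index.html;
    }
}
```

Be clear about what each layer does and does not do. The two catch-all servers keep a scanner that sends no Host header or no SNI from learning anything about the site, and the allowlist plus Authenticated Origin Pulls keep a non-Cloudflare client from reading it. But a client that already guesses the right SNI and connects directly still receives example.com’s certificate during the handshake, which confirms the guess (the point made earlier in the thread). Only a firewall that drops non-Cloudflare packets before they reach nginx, or a tunnel in which the origin never listens publicly, removes that confirmation.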
