If your webserver is configured to have a default site that just returns a 403, and then a specific site with server host ‘example.com’, wouldn’t that solve your problem?
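As an added illustration of the setup described above (this is example configuration, not something posted by the participants), here is how that split looks in nginx: a catch-all `default_server` that answers every unrecognised Host with 403, and a named `server` block that only serves `example.com`. The hostname, certificate paths and upstream address are placeholders; `ssl_reject_handshake` needs nginx 1.19.4 or newer, and on older versions the catch-all would instead need a throwaway certificate of its own.

```nginx
# Catch-all for any Host header (or SNI) that is not one of your sites.
# A request that reaches the origin through someone else's Cloudflare
# zone arrives with *their* hostname, so it lands here and gets a 403.
server {
    listen 80 default_server;
    listen 443 ssl default_server;

    # nginx >= 1.19.4: drop TLS handshakes whose SNI matches no named
    # server instead of presenting a certificate to the scanner.
    ssl_reject_handshake on;

    # Empty server_name makes this block match only what nothing else matches.
    server_name "";

    return 403;
}

# The real site: only answers when Host / SNI is exactly example.com.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;                       # placeholder hostname

    ssl_certificate     /etc/ssl/example.com.pem;  # placeholder paths
    ssl_certificate_key /etc/ssl/example.com.key;

    location / {
        proxy_pass http://127.0.0.1:8080;          # placeholder upstream
        proxy_set_header Host $host;
        # Keep the client address Cloudflare supplies for logging;
        # only trustworthy if the origin accepts traffic from Cloudflare alone.
        proxy_set_header X-Forwarded-For $http_cf_connecting_ip;
    }
}
```

To check it from outside, call the origin address directly with a foreign Host header, e.g. `curl -sk -o /dev/null -w '%{http_code}\n' -H 'Host: attacker.example' https://ORIGIN_IP/` should print `403`, while the same request with `Host: example.com` should reach the site. Note this only hides the content; it does not stop the origin address from being discovered, which is the separate point raised later in the thread.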
(and I’m ignoring for a moment the fact that the attacker somehow needs to find out your LB IP - that once behind Cloudflare, is only known to Cloudflare, to outsiders they would see a Cloudflare IP)
Not really. The idea here is more around the fact that AWS ELB allows all the requests from Cloudflare and it doesn’t care about the Cloudflare account making requests to the origin server.
Right (I think - someone would still need to know your ELB IP), but once they get to your server, they’ll just get a 403… no access to your actual website.
I don’t think there’s a proper solution for that - after all a single IP may host multiple sites and multiple Cloudflare users can host on a single target IP, and in fact most websites today are hosted that way. To achieve what you want, it sounds like Cloudflare would have to have connections to your domain origin from specific IPs (in many regions in the world) which are a subset of their whole network and block other Cloudflare users from originating through them - and dedicated IPs cost money. If such a thing exists, I do not recall seeing it, and would bet it would be an Enterprise feature, where price is set based on a more tailor-made suite of services.
One Cloudflare service I can think of that may be proper for this, is to use Cloudflare Tunnel (under “Traffic” tab). That costs money:
Thanks. I totally agree with you that I will need a dedicated IP from Cloudflare. The worst part is you can easily find the ELB IP using services like https://censys.io/
For now I have hardened and added page rules using ALB, but other than that I don’t see a clear solution without it.