For DDoS prevention, why isnt restricting your origin to Cloudflare IP's recommended?

Security
#1

The Cloudflare page below has some good tips, but there is no mention of locking down your Origin (eg at its firewall) to only accept traffic from Cloudflare IP’s, instead it just recommends hiding your IP by changing it after proxying traffic via CF.

Surely doing this would go a long way to prevent attackers targeting your origin IP directly - or am I missing something here? Even if instructions are different depending on your Origin setup i would have expected some mention if it was generally a recommended thing to do - but cant see it mentioned anywhere on the CF docs so it has me wondering. Cheers!

1 Like
#2

Hi @unearth,

You are absolutely correct and we do recommend doing that. It is mentioned in a couple of support articles, but I agree that it could probably be clearer.

It’s also mentioned in our own DDoS - First Steps #tutorials here.

6 Likes
#3

Thanks @domjh. Good to see it mentioned in your post, as the official support article you linked at the start (which is also the kind of article that cropped up while I was searching) doesnt reference this, so it would be great to get something both in there and the original page I linked.

I’ll continue down this track then - I just wanted to make sure it was still a recommended step, and not something that had been left out intentionally as there was better/other ways to accomplish the same.

Cheers!

1 Like
#4

IPs are hard to maintain and configure. Here’s the alternative approach in my opinion.

  1. Block port 80 at your origin. Enable Automatic HTTPS via Cloudflare.
  2. Now, all you need to accept just 443 from your visitor. So, enable the feature Authenticated Origin Pull and this will only accept requests from Cloudflare.

In-depth

Authenticated Origin Pull

  1. Set your server to not listen over port 80
  2. Enable Cloudflare Proxy for your DNS non-www, www, subdomain whatever you want to protect
  3. Install Cloudflare Origin SSL at your server. It’s a wildcard SSL with 15 years max validity. :heart_eyes:
  4. Enable Automatic HTTPS and Authenticated Origin Pulls at TLS/SSL settings of Cloudflare.
  5. Put below code in Apache Virtual host file
   # Enable Cloudflare Origin SSL with Authenticated Origin Pulls | Apache
   SSLEngine On
   SSLVerifyClient require
   SSLVerifyDepth 1
   SSLCACertificateFile /etc/ssl/cloudflare/origin-pull-ca.pem
   SSLCertificateFile /var/www/example.com/ssl/cert.pem
   SSLCertificateKeyFile /var/www/example.com/ssl/private.pem
   For more details read at https://origin-pull.cloudflare.com/
  1. This way your site can be accessed only and only over valid hostname and Cloudflare proxy, else it will return ERR_BAD_SSL_CLIENT_AUTH_CERT one cannot bypass Cloudflare this way.

Worth mentioning, this valuable post :pray:

3 Likes
#5

No problem, there are alternative ways as well, but that is reasonably reliable.

I will pass your post on to the documentation team, to see if they want to add a section on it.

1 Like
#6

Though tempting on security grounds, the idea of blocking port 80 is rejected by no other than the vastly popular SSL certificate issuer and HTTPS advocate Let’s Encrypt.

Among other reasons, there’s the potential SEO and user experience impact of blocking it:

There are various situations beyond your control that might briefly land someone on the HTTP version of your site - for instance, automatic linkification in emails, or manually typing a domain name. It’s better for them to get a redirect than an error.

1 Like
#7

Solution: Use certbot with Cloudflare API. It will use TXT record for validating. This is most amazing reason I use Cloudflare.

https://certbot-dns-cloudflare.readthedocs.io/en/stable/

No worries! Just Enable ‘Automatic HTTPS’ at Cloudflare. The proxy will do HTTP to HTTPS redirect.

1 Like
#8

It does.

Once you proxy traffic to Cloudflare, connections to your origin web server come from Cloudflare’s IP addresses. Therefore, it is important that your origin web server whitelists Cloudflare IPs and explicitly blocks traffic not from Cloudflare or your trusted partner, vendor, or application IP addresses.

Emphasis added.

7 Likes
#9

Thanks all. I can see the page has now been updated to suggest using Authenticated Origin Pulls for this purpose, instead of blocking it at the firewall.

The reason I hadn’t gone down this route, was I figured the Origin would still use some effort to check the TLS certificate and drop the connections (and therefore be susceptible to DDoS), and that it would be would be more efficient at dropping it at the firewall based on IP. It also looks like more effort involved to setup than simply creating an IP allow/blocklist on the firewall. But, i guess it completely depends on what firewall and what origin you are using?

I also note this method is incompatible if you have Railgun in place.

1 Like
#10

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.