"Hardening" a Go origin


I wanted to “harden” a Go origin server. Not a security expert, so bear with me.

At a minimum, I wanted to implement authenticated origin pulls (which is simple enough, though I didn’t find any sample code).

The most straightforward implementation of that, though, will leak the server certificate (so, the domain name) to a random client that tries to connect (which it eventually will on port 443).

So I came up with: https://github.com/ncruces/cforigin

Here, I’m also filtering for Cloudflare IPs, and cancelling the connection if no/unknown SNI is provided. Also requiring TLS 1.2.

Any comments/feedback?
Other settings I should use?
Other things I should check?

Thanks in advance!
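The combination described above (TLS 1.2 minimum, mandatory client certificate verification for authenticated origin pulls, refusing to release the server certificate unless the expected SNI is present, and filtering by edge IP range) can be expressed in a few lines of Go. This is an added example, not code from the cforigin repository; it assumes the caller loads the server certificate and a CertPool containing the origin-pull CA, and fills `edgeNets` from Cloudflare's published IP ranges (none of those values are embedded here).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net"
)

// AllowedIP reports whether a "host:port" remote address lies inside one of
// the edge ranges. Malformed addresses are rejected rather than allowed.
func AllowedIP(addr string, edgeNets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	for _, n := range edgeNets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// NewOriginTLSConfig enforces TLS 1.2+, requires a client certificate that
// chains to originPullCA (authenticated origin pulls), and hands out the
// server certificate only when the ClientHello names one of the expected
// hosts, so a scanner hitting port 443 without the right SNI learns nothing.
func NewOriginTLSConfig(cert tls.Certificate, originPullCA *x509.CertPool, hosts ...string) *tls.Config {
	allowed := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		allowed[h] = true
	}
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  originPullCA,
		GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
			// Empty or unknown SNI: returning an error aborts the handshake
			// before any certificate is sent.
			if !allowed[hi.ServerName] {
				return nil, errors.New("unexpected or missing server name")
			}
			return &cert, nil
		},
	}
}
```

Call AllowedIP on each accepted connection's RemoteAddr() in a net.Listener wrapper and close anything that fails before handing the connection to tls.NewListener, so the check happens before a single TLS byte is exchanged.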

That’s a fairly bulletproof solution. If you want to go one step further filtering for CF IPs is almost always more efficiently handled at your router/firewall, but your current setup will work as long as you’re not seeing extremely volumetric TCP attacks.

And then you could look into TLS 1.3 if you’d like - CF supports it (see the thread “Cloudflare speak TLS 1.3 0-RTT with Origin Backend?”).


Thanks for the feedback.

Filtering IPs at the firewall would certainly be an improvement.
Does anyone have a script to keep such a rule updated on Windows?

TLS 1.3 requires configuration (opt-in) for Go 1.12 (stable).
I’ll set up a reminder to require it once that changes.

OK, that was easier than I thought, here’s a gist:
