Hey, so I have a secure tunnel to link my domain to my http application on port 80, and this works perfectly. However, I am still able to connect to my application through its direct IP, I thought the purpose of the tunnel was to block this, how would I go about making it so that my application is not directly accessible?
You’d want to use a firewall on your system or network to block port 80, or realistically probably all ports except any you need for management.
Cloudflare Tunnels do not need any inbound ports, so you’re safe to completely block port 80, 443, etc.
When blocking port 80 using “ufw deny in http”, the result I get is the tunnel no longer working but the direct-IP connection still working.
This directly contradicts
If it was truly blocking all requests, then a direct IP connection wouldn’t work either. What is your Cloudflared config?
I am connecting to a Cloudflare access tunnel using the pre-made docker command given to me by Cloudflare, under the configuration panel on the access website I have my service under HTTP with my IP and port 80. I am then using a docker connector to connect to this tunnel.
Is your setup:
1. user -> cloudflared (docker) -> host listening on port 80
2. user -> cloudflared (docker) -> app running in docker container
If it is 1, then when you disable port 80 it would block the connection. One way to fix is to make your app listen on 127.0.0.1:80 so that the port isn’t even open externally.
It’s the second one
Then I’m confused why you need to block port 80? If you are using docker → docker communication, then the port isn’t open unless you bind the port in the docker config.
From my understanding, if Cloudflare is only allowed to connect to the origin host (https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/), despite the Tunnel, you can allow requests only on HTTP port 80 (and block HTTPS 443, or others like 2083, 2096, etc.) using a Firewall Rule as follows:
NOTE: You’d have to switch to expression builder and write that down into the input field and then save.
A list of compatible ports, and the ones which are open and therefore can be used with Cloudflare, can be found in the article below:
May I ask, are you using an insecure setup with no HTTPS at all, and therefore the SSL option is set to “Flexible SSL” in the Cloudflare dashboard for your domain?
Sounds like he is doing this, if not direct IP access will not work.
The issue is that people are able to connect to my website directly through its external IP; this bypasses any firewalls in place on Cloudflare as they are not proxying through Cloudflare. As for your question, yes, I am using an insecure setup with no HTTPS at all, and my SSL option is set to Flexible.
Assuming that you have already done this, consider executing another command to allow localhost to talk to localhost on port 80:
ufw allow from 127.0.0.1 proto tcp to 127.0.0.1 port 80
This fixed the tunnel; the tunnel now works. However, the direct IP connection also still works.
Did you run “ufw deny in http” too?
Yes, “Skipping adding existing rule, Skipping adding existing rule (v6)”
Thank you for feedback.
Oh, well, that’s not so great, if so, as Flexible SSL is really not recommended; there could be multiple issues caused by using it, like Mixed Content or Redirect Loops, etc., as described in the article below:
SSL mode doesn’t really make a big difference if the user is using Cloudflare Tunnel for all websites. But yes, according to best practices, go for Full (strict).
Everything on the machine is proxied through Cloudflare, but for peace of mind I’ll secure the origin server. This does not however fix the issue I’m having, please answer my original post.
Frankly speaking, once you have configured UFW properly to block incoming port 80 requests from outside and only allow localhost to talk to localhost, I don’t really see a problem here.
I might miss something, so someone else might be able to spot the problem.
My UFW status:
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     DENY        Anywhere
443/tcp                    DENY        Anywhere
80                         DENY        Anywhere
127.0.0.1 80/tcp           ALLOW       127.0.0.1
4200                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                DENY        Anywhere (v6)
443/tcp (v6)               DENY        Anywhere (v6)
80 (v6)                    DENY        Anywhere (v6)
4200 (v6)                  ALLOW       Anywhere (v6)
80/tcp                     DENY OUT    Anywhere
80                         DENY OUT    Anywhere
80/tcp (v6)                DENY OUT    Anywhere (v6)
80 (v6)                    DENY OUT    Anywhere (v6)
Is there anything that you see wrong?
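Added example, not posted by anyone in this thread: the advice above (make the app listen on 127.0.0.1:80, or don’t bind the container port externally) can be checked directly on the origin host instead of by trial and error with the firewall. The script below takes listening-socket output in the format of `ss -Hltn` (no header, listening TCP sockets, numeric addresses) and reports which ports are bound to a wildcard address (0.0.0.0, `*` or [::]) and are therefore reachable on the external IP regardless of the tunnel. The sample `ss` output is constructed; on a real host replace it with the live command.

```shell
#!/bin/sh
# Added example (not from the thread): list listening TCP ports that are bound
# to a wildcard address, i.e. reachable on every interface, as opposed to
# loopback-only ports. Input format is that of `ss -Hltn`.

# Constructed sample: a web app on 0.0.0.0:80 and [::]:80, a loopback-only
# service on 127.0.0.1:4200, SSH on 0.0.0.0:22, and something on *:443.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:4200 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
LISTEN 0 511 *:443 *:*'

# Read ss-style lines on stdin, print the port numbers (one per line, sorted,
# de-duplicated) that are bound to a wildcard address.
wildcard_ports() {
    awk '{
        addr = $4                         # "Local Address:Port" column
        n = split(addr, parts, ":")
        port = parts[n]                   # text after the last ":"
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "*" || host == "[::]") print port
    }' | sort -un
}

# Return 0 if the given port is NOT exposed on a wildcard address (loopback
# only, or not listening at all), 1 if some socket exposes it externally.
# Usage: port_is_local 80 "$ss_output"
port_is_local() {
    port="$1"; ss_output="$2"
    ! printf '%s\n' "$ss_output" | wildcard_ports | grep -qx "$port"
}

# On a live host use:  ss -Hltn | wildcard_ports
printf '%s\n' "$SAMPLE_SS" | wildcard_ports
```

In the sample, port 80 shows up as wildcard-bound, which is exactly the situation in which UFW rules and Cloudflare’s own firewall are not the whole story: if the app is a container started with a published port such as `-p 80:80`, Docker installs its own iptables rules for that mapping, and UFW’s INPUT denies do not cover forwarded container traffic. Publishing to loopback only (`-p 127.0.0.1:80:80`), or not publishing the port at all and letting the cloudflared container reach the app over the Docker network, is what keeps it off the external IP; rerunning `ss -Hltn` afterwards should show 80 only on 127.0.0.1 or not at all.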