How to block all connections other than Cloudflare on port 80 through tunnel?

Hey, so I have a secure tunnel to link my domain to my http application on port 80, and this works perfectly. However, I am still able to connect to my application through its direct IP, I thought the purpose of the tunnel was to block this, how would I go about making it so that my application is not directly accessible?

You’d want to use a firewall on your system or network to block port 80, or realistically probably all ports except any you need for management.

Cloudflare Tunnels do not need any inbound ports, so you’re safe to completely block port 80, 443, etc.

2 Likes

When blocking port 80 using “ufw deny in http” the result I get is the tunnel no longer working but the direct-ip connection still working

This directly contradicts

this

If it was truly blocking all requests, then a direct IP connection wouldn’t work either. What is your Cloudflared config?

I am connecting to a Cloudflare access tunnel using the pre-made docker command given to me by Cloudflare, under the configuration panel on the access website I have my service under HTTP with my IP and port 80. I am then using a docker connector to connect to this tunnel.

Is your setup
user -> cloudflared (docker) -> host listening on port 80
or
user -> cloudflared (docker) -> app running in docker container.

If it is 1, then when you disable port 80 it would block the connection. One way to fix is to make your app listen on 127.0.0.1:80 so that the port isn’t even open externally.

1 Like

It’s the second one

Then I’m confused why you need to block port 80? If you are using docker → docker communication, then the port isn’t open unless you bind the port in the docker config.

2 Likes

From my understanding, if Cloudflare is only allowed to connect to the origin host (https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/), despite the Tunnel, you can allow requests passing only on HTTP port 80 (block HTTPS 443, or some other like 2083, 2096 etc. …) using a Firewall Rule as follows from below:

NOTE: You’d have to switch to expression builder and write that down into the input field and then save.

A list of compatible ports, and the ones which are open and can therefore be used with Cloudflare, can be found in the article below:

May I ask, are you using an insecure setup with no HTTPS at all, and therefore the SSL option is set to “Flexible SSL” in the Cloudflare dashboard for your domain? :thinking:

Sounds like he is doing this; if not, direct IP access will not work.

The issue is that people are able to connect to my website directly through its external IP, which bypasses any firewalls in place on Cloudflare as they are not proxying through Cloudflare. As for your question, yes, I am using an insecure setup with no HTTPS at all, and my SSL option is set to Flexible.

Assuming that you have already done this, consider executing another command to allow localhost to talk to localhost on port 80:

ufw allow from 127.0.0.1 proto tcp to 127.0.0.1 port 80

This fixed the tunnel, the tunnel now works - However direct IP connection also still works.

Did you run ufw deny in http too?

Yes, “Skipping adding existing rule, Skipping adding existing rule (v6)”

Thank you for feedback.

Oh, well, that’s not so great if so, as Flexible SSL is really not recommended, since it can cause multiple issues like Mixed Content or Redirect Loops, etc., as described in the article below:

1 Like

SSL mode doesn’t really make a big difference if the user is using Cloudflare Tunnel for all websites. But yes, according to best practices, go for Full (strict).

Everything on the machine is proxied through Cloudflare, but for peace of mind I’ll secure the origin server. This does not however fix the issue I’m having, please answer my original post.

Frankly speaking once you configured UFW properly to block incoming port 80 requests from outside and only allow localhost to talk to localhost, I don’t really see a problem here.

I might miss something, so someone else might be able to spot the problem.

My UFW status:

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
80/tcp                     DENY        Anywhere                  
443/tcp                    DENY        Anywhere                  
80                         DENY        Anywhere                  
127.0.0.1 80/tcp           ALLOW       127.0.0.1                 
4200                       ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                DENY        Anywhere (v6)             
443/tcp (v6)               DENY        Anywhere (v6)             
80 (v6)                    DENY        Anywhere (v6)             
4200 (v6)                  ALLOW       Anywhere (v6)             

80/tcp                     DENY OUT    Anywhere                  
80                         DENY OUT    Anywhere                  
80/tcp (v6)                DENY OUT    Anywhere (v6)             
80 (v6)                    DENY OUT    Anywhere (v6)  

Is there anything that you see wrong?
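A check that answers the question the thread keeps circling (is port 80 really only open to localhost, and is Docker publishing it anyway?), added here as an example and not part of anyone's post. The `ufw status` output above only shows the host's own filter rules; Docker installs its own iptables NAT/FORWARD rules for every port published with `-p`, and those are consulted for traffic forwarded into a container, so an app published as `-p 80:80` on a wildcard address can stay reachable from outside even with `ufw deny in http`. Publishing on `-p 127.0.0.1:80:80`, or not publishing at all and letting cloudflared reach the container over a shared Docker network by name, avoids that. The two functions below parse `ss -Hltn` and `docker ps --format '{{.Names}}\t{{.Ports}}'` output and report anything bound or published on a non-loopback address; the sample inputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit which TCP listeners on a Docker
# host are reachable from outside, independent of what `ufw status` reports.
# On a real host pipe in the live output:
#   ss -Hltn | exposed_listeners
#   docker ps --format '{{.Names}}\t{{.Ports}}' | docker_public_ports

# Reads `ss -Hltn` lines (State Recv-Q Send-Q Local:Port Peer:Port ...) and
# prints each listening socket bound to a wildcard address, i.e. reachable on
# every interface. Sockets bound to 127.0.0.1 / [::1] are not printed: that is
# the binding recommended in the thread for an origin only cloudflared should reach.
exposed_listeners() {
    awk '{
        sock = $4
        addr = sock
        sub(/:[0-9]+$/, "", addr)            # strip the ":port" suffix
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            print sock
    }'
}

# Reads `docker ps --format '{{.Names}}\t{{.Ports}}'` lines and prints each
# port mapping published on a non-loopback host address. Docker manages its
# own iptables rules for published ports, so these remain reachable even when
# ufw denies the port on the host; only loopback publishing (-p 127.0.0.1:80:80)
# or no -p at all keeps the container off the public interface.
docker_public_ports() {
    awk -F '\t' '{
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            if (index(maps[i], "->") == 0) continue   # EXPOSEd but not published
            host = maps[i]; sub(/->.*/, "", host)     # e.g. "0.0.0.0:80"
            addr = host;    sub(/:[0-9]+$/, "", addr) # e.g. "0.0.0.0" or "::"
            if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]")
                print $1 "\t" host
        }
    }'
}

# Constructed sample data: an app published on all interfaces by Docker, an
# admin UI bound to loopback, sshd, and a database published on loopback only.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::]:80 [::]:*'

SAMPLE_DOCKER=$(printf 'app\t0.0.0.0:80->80/tcp, :::80->80/tcp\ncloudflared\t\ndb\t127.0.0.1:5432->5432/tcp\n')

echo "Listeners bound to all interfaces:"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
echo "Docker ports published on non-loopback addresses:"
printf '%s\n' "$SAMPLE_DOCKER" | docker_public_ports
```

With the sample data the first check reports `0.0.0.0:80` and `[::]:80` alongside sshd, and the second attributes those port 80 listeners to the `app` container; the `db` container, published on 127.0.0.1 only, and `cloudflared`, which publishes nothing because the tunnel needs no inbound port, are not reported.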