How to block all connections other than Cloudflare on port 80 through tunnel?

Then I’m confused why you need to block port 80? If you are using docker → docker communication, then the port isn’t open unless you bind the port in the docker config.


From my understanding, if Cloudflare is only allowed to connect to the origin host (https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/), despite the Tunnel, you can allow requests passing only on HTTP port 80 (block HTTPS 443, or some other like 2083, 2096 etc. …) using a Firewall Rule as follows from below:

NOTE: You’d have to switch to expression builder and write that down into the input field and then save.

A list of compatible ports, and the ones which are open and can therefore be used with Cloudflare, can be found in the article below:

May I ask, are you using an insecure setup with no HTTPS at all, and therefore the SSL option is set to “Flexible SSL” in the Cloudflare dashboard for your domain? :thinking:

Sounds like he is doing this, if not direct IP access will not work.

The issue is that people are able to connect to my website directly through its external IP; this bypasses any firewalls in place on Cloudflare, as they are not proxying through Cloudflare. As for your question, yes, I am using an insecure setup with no HTTPS at all, and my SSL option is set to Flexible.

Assuming you have already done this, consider executing another command to allow localhost to talk to localhost on port 80:

ufw allow from 127.0.0.1 proto tcp to 127.0.0.1 port 80

This fixed the tunnel; the tunnel now works. However, the direct IP connection also still works.

Did you run ufw deny in http too?

Yes, “Skipping adding existing rule, Skipping adding existing rule (v6)”

Thank you for feedback.

Oh, well, that’s not so great, since Flexible SSL is really not recommended: it can cause multiple issues, like Mixed Content or Redirect Loops, etc., as described in the article below:


SSL mode doesn’t really make a big difference if the user is using Cloudflare Tunnel for all websites. But yes, according to best practices, go for Full (strict).

Everything on the machine is proxied through Cloudflare, but for peace of mind I’ll secure the origin server. This does not however fix the issue I’m having, please answer my original post.

Frankly speaking, once you have configured UFW properly to block incoming port 80 requests from outside and only allow localhost to talk to localhost, I don’t really see a problem here.

I might be missing something, so someone else might be able to spot the problem.

My UFW status:

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
80/tcp                     DENY        Anywhere                  
443/tcp                    DENY        Anywhere                  
80                         DENY        Anywhere                  
127.0.0.1 80/tcp           ALLOW       127.0.0.1                 
4200                       ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                DENY        Anywhere (v6)             
443/tcp (v6)               DENY        Anywhere (v6)             
80 (v6)                    DENY        Anywhere (v6)             
4200 (v6)                  ALLOW       Anywhere (v6)             

80/tcp                     DENY OUT    Anywhere                  
80                         DENY OUT    Anywhere                  
80/tcp (v6)                DENY OUT    Anywhere (v6)             
80 (v6)                    DENY OUT    Anywhere (v6)  

Is there anything that you see wrong?

Note that with this config both the direct IP connection and the Cloudflare tunnel work.

You need to change the listening port for the docker container. My guess is you have something like --port 80:80, and you need to change this to 127.0.0.1:80:80, or you can remove the port bind entirely, as you are accessing it from a container on the same network.
The reason is that docker manipulates iptables when creating a container, so all of your UFW rules get bypassed (docs).


Both of the options make it so that neither the Cloudflare tunnel nor the direct IP connection works. Cloudflare throws a 502 Bad Gateway.

  1. What does your docker networking look like?
  2. Are the two containers (cloudflared & your application) on the same docker network?

Here is an example compose file I whipped up that works fine.

version: '3.9'

services:
  cloudflared:
    image: cloudflare/cloudflared:2022.6.3
    command: tunnel run --token <Token>

  apache:
    image: httpd:2.4-alpine
    volumes:
      - ./index.html:/usr/local/apache2/htdocs/index.html:ro

Accessible at https://apache-example.cybertestdomain.uk/
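As an added example (not the compose file posted above, nor anything from Cloudflare or Docker), this is how the two fixes discussed in the thread look when combined: both containers are placed on one user-defined network so cloudflared reaches the web server by service name, and the web server publishes no host port, so Docker never inserts the iptables rule that was bypassing UFW. The network name tunnel-net, the token placeholder and the assumption that the dashboard's public hostname points at http://apache:80 are mine.

```yaml
# Added example, not from the original thread. Assumes the Zero Trust
# dashboard's public hostname routes to http://apache:80 (the service name).
version: '3.9'

services:
  cloudflared:
    image: cloudflare/cloudflared:2022.6.3
    # Placeholder token; the real one comes from the tunnel's dashboard page.
    command: tunnel run --token <TUNNEL_TOKEN_PLACEHOLDER>
    networks:
      - tunnel-net      # assumed network name, shared with apache below
    restart: unless-stopped

  apache:
    image: httpd:2.4-alpine
    volumes:
      - ./index.html:/usr/local/apache2/htdocs/index.html:ro
    networks:
      - tunnel-net
    # Deliberately no "ports:" entry: httpd is reachable only from containers
    # on tunnel-net, so there is no host socket for direct-IP visitors to hit
    # and no Docker iptables DNAT rule for UFW's DENY to be bypassed by.
    #
    # If a host-side port is unavoidable (e.g. a local health check), bind it
    # to loopback so Docker publishes it on 127.0.0.1 only:
    # ports:
    #   - "127.0.0.1:80:80"
    # A bare "80:80" publishes on 0.0.0.0 through Docker's own chain, which
    # is why the 80/tcp DENY rules in the UFW status above had no effect.

networks:
  tunnel-net:
    driver: bridge
```

After `docker compose up -d`, `ss -ltn` on the host should show no listener on *:80, and `curl -I http://<origin public IP>/` should fail while the tunnel hostname still serves index.html.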

Oh **** you’re right they’re on different docker networks. How would I revise this command to run on a specific docker network?


Apologies for being the party pooper, but this really is not Cloudflare related any more and better discussed on a Docker forum.
