How to prevent other CloudFlare customers from bypassing CloudFlare Access?

  • I configured my site with Authenticated Origin Pulls and on the server side, I verify that the connection comes from CloudFlare (I’m doing an SSL client verify operation).
  • I configured CloudFlare Access to access some URLs on my server in an authenticated way. Access checks if the users are in some GitHub organisation etc… So it’s doing authorisation too: It works.

However: Can other customers of CloudFlare connect to my server?
In this case, they could bypass CloudFlare Access. I found no way to send my CloudFlare email address or a secret token in the HTTP header so that I’m sure that the request is 100% coming from my CloudFlare account.

Is there a way to ensure that no other customer of CloudFlare can access my server?

How are you thinking they’d do this? By adding your domain to their account? That’s not going to work for several reasons discussed in other posts. By adding your IP address(es) to their own domain? A properly configured server won’t respond to requests for other domains.

They could add to their CF account an A record that points to the IP address of my server, then maybe they could override the Host header field (I’m unsure if it’s possible, that’s the reason why I’m asking here).
Can they maybe use page rules or a page worker to modify the “Host” HTTP header?

Anyway: A “properly configured server” should not be a requirement for a zero trust platform like CloudFlare. Normally it should use a custom SSL client certificate from the edge service to connect to the origin server.

Cloudflare won’t allow that. (caveat that Enterprise plans can override the host header, but Enterprise users don’t do dumb things like that).

Woah, hold on there. A properly configured server is definitely a requirement. It’s like having Cloudflare guard the front door of your house, but the back door is completely off its hinges.

Agreed. I wish it did, and don’t know why it doesn’t.

1 Like

Strongly disagree. Zero Trust as a security model is a tool. Proper configuration of Cloudflare’s WAF, patching servers, using reasonable opsec and devsec practices are still fundamental aspects to protecting servers and sensitive data.

You can configure that. However if your origin isn’t locked down to only use that certificate then being improperly configured it isn’t providing the functionality one would want.

In addition to authenticated origin pulls you can validate the JWT https://developers.cloudflare.com/cloudflare-one/identity/users/validating-json or send a custom header using workers or use Argo tunnel to further secure your origin as well.

3 Likes

I will try to inject a secret token in the HTTP header with workers. Argo seems to be overkill, and it could become expensive with the costs.

JWT validation would mean that I have to implement a JWT validation verification on my server or the special software I want to protect. I’m using CloudFlare to have less work, not more work than before.

The best would really be if CloudFlare would use a custom client certificate by domain name or at least by CloudFlare account. Is it possible to add this somewhere as a feature request?

1 Like

As in Europe with the GDPR law we pay millions of euros if we get hacked, we can’t trust in the intelligence of people working with an Enterprise plan.

Argo Tunnel is free. It’s the Smart Routing feature that costs money. Tunnel just connects to the local POP.

As with quite a few features, Enterprise Plans offer almost anything imaginable. Yeah, buckets of money usually does.

Thanks, I will look closer at that.

1 Like

I do this

To someone else’s server without permission?

I have now tried Argo Tunnel:
It increases the latency by about 100 ms.
I think the best way to not lose performance is to create a worker and inject a secret token in the HTTP header, then on my origin server I could check it with a simple nginx configuration rule:

    if ($http_cf_authorization != "Bearer 1234")  {
        return 401;
    }

I will check that, I guess it would be the best in terms of performance and then I’m 100% sure connections came from CloudFlare from MY ACCOUNT. :)
By the way: I started to love Argo, it’s awesome how much better the latency is now, especially for connections from America to Europe (3 times faster).

2 Likes
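Added example, not part of the thread and not Cloudflare's own code: a Worker that injects the shared secret discussed above before forwarding to the origin, together with a small model of the origin-side comparison. The header name `X-Origin-Token` and the secret binding `ORIGIN_TOKEN` are hypothetical names chosen for illustration.

```javascript
// Added example. Assumptions: the header name and the ORIGIN_TOKEN secret
// binding are hypothetical; use whatever your origin rule checks.
const ORIGIN_HEADER = "X-Origin-Token";

// Build the request that is forwarded to the origin. Headers.set() replaces
// any value the client sent under the same name, so a visitor cannot
// pre-supply the header and have it passed through unchanged.
function buildOriginRequest(request, secret) {
  if (typeof secret !== "string" || secret.length < 32) {
    // Fail closed: never forward with a missing or short secret.
    throw new Error("origin secret missing or shorter than 32 characters");
  }
  const headers = new Headers(request.headers);
  headers.set(ORIGIN_HEADER, "Bearer " + secret);
  return new Request(request, { headers });
}

// Model of the origin-side rule (the nginx `if` in the thread performs the
// same string comparison): accept only the exact expected header value.
function originAccepts(request, secret) {
  return request.headers.get(ORIGIN_HEADER) === "Bearer " + secret;
}

// Worker entry point in module syntax; deploy with `export default worker;`.
// env.ORIGIN_TOKEN is assumed to be stored as a secret on the Worker,
// not hard-coded in the script.
const worker = {
  async fetch(request, env) {
    return fetch(buildOriginRequest(request, env.ORIGIN_TOKEN));
  },
};
```

With this header name, the matching nginx variable on the origin is `$http_x_origin_token`. The check only adds value if the origin is reachable solely through Cloudflare (Authenticated Origin Pulls stay enabled) and the secret is rotated if it leaks.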

I do that for my own server for a legitimate reason. It’s kind of an X-Forwarded-Host setup.

I’m a little surprised that CloudFlare has no feature out of the box for that.
It could for example include CF header fields which are impossible to override: One with the domain name, and one with the account ID. I’m really surprised that we need to make it ourselves with tricks like page workers. And Argo Tunnel is not an option, as it increases the latency.