HTTP headers leaking domain on 301 redirect?

Hello everyone, I’ve recently set up a small home server routing my domain through Cloudflare. Also, for reference, this server isn’t incredibly top-secret (it’s an art portfolio for my SO); I would just like to be as security conscious as a noob can be. When I bought the domain I instantly linked it to Cloudflare before ever even touching my server so as to hopefully mitigate whois leaks, but recently I’ve noticed when searching www.mydomain.com, Shodan and Censys return 0 results, which I find promising. The bad part is when I just search mydomain.com, Shodan and Censys show that my home IP address returns the following:

Results for MY_IP:

    HTTP/1.1 301 Moved Permanently
    Server: openresty
    Date: TODAY
    Content-Type: text/html
    Content-Length: XXX
    Connection: keep-alive
    Location: https://mydomain.com

Meaning that when searching for mydomain.com, we are presented with the HTTP headers from my home IP address, redirecting traffic to mydomain.com. I’m using AOPs but I am not using the Argo tunnel and I’m wondering if that is my problem? I’m using the free Cloudflare plan and just have an HTTP server running. I understand this problem is purely from misconfiguration on my part, so any help would be greatly appreciated. (Also any future tips are great as well). Thank you all for the help!

They are finding your service because it is open to the Internet. You should restrict access to your web server by following the instructions here:

If your Cloudflare setup is Full or better, you could also stop your web server listening on port 80.

2 Likes

Thanks for your reply!

I believe I’ve performed all recommended steps (I’ve set my name servers to Cloudflare’s and I have whitelisted Cloudflare’s IP address range) and I believe I have achieved the intended outcome? Anytime I try to connect directly to the server using direct IP access (i.e. https://MYIP) it yields a 400 error of “No required SSL certificate was sent” (whereas before http://MYIP gave the 301 response with the leaking header), which I presume is the desired response from direct IP access, correct? I’m no longer able to read the URL from the headers of this 400 error so it seems to work rather well. Thank you very much for your help
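A way to script the check described in this thread, as an added example (not code from the posters or from Cloudflare): it parses a response captured from a request to the bare IP and reports whether any header or the body names the protected domain. The function names and the two sample responses are constructed for illustration from the placeholder values in the posts.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed samples: the 301 from the first post and the 400 from the follow-up.
BEFORE = ("HTTP/1.1 301 Moved Permanently\r\nServer: openresty\r\n"
          "Content-Type: text/html\r\nConnection: keep-alive\r\n"
          "Location: https://mydomain.com\r\n\r\n")
AFTER = ("HTTP/1.1 400 Bad Request\r\nServer: openresty\r\n"
         "Content-Type: text/html\r\nConnection: close\r\n\r\n"
         "<html><body>400 No required SSL certificate was sent</body></html>")

def parse_response(raw):
    """Split a raw HTTP response into (status, [(header, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def is_ip_literal(host):
    """True when a redirect target is an address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def find_hostname_leaks(raw, protected_domain):
    """List ways a direct-IP response ties the address to a hostname."""
    status, headers, body = parse_response(raw)
    domain = protected_domain.lower()
    findings = []
    for name, value in headers:
        if domain in value.lower():
            findings.append(f"{name} header discloses {protected_domain}")
        elif name == "location" and 300 <= status < 400:
            # A redirect to any other name still links the IP to a site.
            host = urlsplit(value).hostname or ""
            if host and not is_ip_literal(host):
                findings.append(f"redirect names another hostname: {host}")
    if domain in body.lower():
        findings.append(f"body discloses {protected_domain}")
    return findings

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, find_hostname_leaks(sample, "mydomain.com"))
```

An empty result for the direct-IP response means scanners indexing that address no longer see the domain in what the server returns.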
