Inadvertent leak of the server's origin IP

Recently I was reviewing my server logs and noticed strange hits to my default/fall-through site. All my DNS entries are proxied (orange cloud, no IP exposure) and Cloudflare's IPs are the only whitelisted addresses on my server.

It was a bit of a head-scratcher until it occurred to me that people can set up a random domain on Cloudflare, create an A record, point it to an arbitrary IP address and scrape the content. If they choose my origin IP, my whitelist lets them in, but since the domain is unknown to my server they just end up on the fall-through site.

Expanding this further, they can have a bot that updates the A record, scrapes content and moves on to the next IP sequentially using Cloudflare's API. Expanding even further, they could use multiple A records, multiple accounts, multiple bots, etc.

I suppose one line of defense is to return 404 from my server if the domain is not in the approved/recognized list. Are there any other or better ways to defend against this at an earlier stage, say at the Cloudflare level?

Your server should only be serving the website if the Host header matches.

http://nginx.org/en/docs/http/server_names.html
https://httpd.apache.org/docs/2.2/vhosts/name-based.html

2 Likes
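As an added example (not from the thread, and not the poster's configuration), here is how the Host-header keying suggested above looks in nginx: a `default_server` catch-all swallows every request whose Host/SNI is not an approved name, so a stranger's zone pointed at the origin IP gets nothing, not even the fall-through site. `example.com` and the certificate paths are assumptions for illustration.

```nginx
# Added example: nginx name-based virtual hosting with a catch-all default
# server. Put these server blocks inside the http {} context.
# example.com and all file paths are placeholders (assumptions).

# Catch-all for HTTPS: matches any SNI name no other server block claims.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Abort the TLS handshake for unknown SNI names instead of serving a
    # certificate and a page (nginx >= 1.19.4). No certificate is needed here.
    ssl_reject_handshake on;
}

# Catch-all for plain HTTP (covers zones proxying to the origin in Flexible mode).
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # 444 closes the connection without sending any response at all.
    return 444;
}

# The real site: only reached when Host/SNI is one of the approved names.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    location / {
        root /var/www/example.com;
    }
}
```

Check it with `nginx -t` and then with `curl -k --resolve unknown.test:443:<origin-ip> https://unknown.test/`, which should fail during the TLS handshake, while the same request with an approved name serves the site. Note that a scraper who uses one of your own hostnames on their zone would still match the real server block, which is what the client-certificate approach later in this thread addresses.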

Correct, keying on Host headers makes sense unless one has a custom server that doesn't have that capability built in, i.e. no name-based virtual hosting, just IP-based.

I thought perhaps Cloudflare had a way around this, like blocking others from using an IP for an A record if an account can prove sole possession, such as via a PTR record, etc., but I can see that managing that could be complex and get messy.

Authenticated Origin Pull with customer-provided certificates is the solution here. Essentially you can attach a client certificate to your Cloudflare account, and then you require that certificate to be presented by any incoming connections. No other Cloudflare zone will have that certificate, so your origin will 403 the request.

https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#zone-level--customer-certificates

You should also log the host header and report abuse to Cloudflare.

Are you doing this with a firewall on your network/server? (Just in case you have added your own IP to the Cloudflare WAF, which is essentially just allowing loopback requests.)

3 Likes
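The origin side of the Authenticated Origin Pull setup described above, as an added example that is not part of the original reply. Cloudflare presents the client certificate you uploaded to your zone on every connection to the origin; nginx verifies it against the CA that signed it and rejects everything else, including other zones that point at your IP. It also logs the Host header and the verification result so abuse can be reported. `example.com`, the CA file and the paths are assumptions.

```nginx
# Added example: origin-side nginx config for Authenticated Origin Pulls with a
# customer-provided client certificate. Place inside the http {} context.
# example.com, /etc/ssl/origin-pull/ca.pem and the other paths are assumptions.

# Record Host, SNI and the client-certificate outcome for every request, so
# hits from other zones (wrong Host, no or wrong certificate) are visible.
log_format origin_pull '$remote_addr [$time_local] host="$host" '
                       'sni="$ssl_server_name" "$request" $status '
                       'client_verify="$ssl_client_verify" '
                       'client_dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # The CA that signed the client certificate uploaded to Cloudflare.
    # Do NOT use Cloudflare's shared origin-pull CA here: every zone with
    # Authenticated Origin Pulls enabled can present a certificate from it.
    ssl_client_certificate /etc/ssl/origin-pull/ca.pem;
    ssl_verify_depth       2;

    # "on" rejects any request without a valid client certificate
    # (nginx answers 400 "No required SSL certificate was sent").
    ssl_verify_client on;

    access_log /var/log/nginx/origin-pull.log origin_pull;

    location / {
        root /var/www/example.com;
    }
}
```

The requirement is enforced per connection by TLS, not per path, so a scraper's zone fails before any content is served. Keep the Cloudflare IP allowlist as well; the client certificate proves the request came through your zone, the allowlist reduces the surface exposed to direct hits.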

An interesting solution I was unaware of. Of course a custom web server would need to support client certs for this to work, but I'm pretty sure all popular web servers can handle that.

Indeed.

Yes, Cloudflare Authenticated Origin Pull certificates with custom client TLS certificates will protect your origin from other Cloudflare-proxied domains trying to connect to your origin. Just know that Authenticated Origin Pulls aren't compatible with CF Tunnels if you ever decide to put your origins behind CF Tunnels.

You can use Cloudflare's cfssl tool (GitHub - cloudflare/cfssl: CFSSL: Cloudflare's PKI and TLS toolkit) to make it easier to create the CA root/intermediate certs used to sign the custom client TLS certificates, which you then upload to Cloudflare via the API.

I wrote a wrapper script using the cfssl tool to do this; you can see an example of generating and signing custom client TLS certificates here, and of uploading those generated custom client TLS certs via the CF API to the Authenticated Origin Pull endpoints here.

1 Like
