Locking down the origin server

Hello,

I am new to Cloudflare and I tried to do some searching for this answer but was finding mixed information about it. I know based on this page (IP Ranges | Cloudflare) I can limit my origin server to these IPs so only Cloudflare can talk to it. But does WARP utilize those IP addresses? I don’t see a call out anywhere where WARP clients have a different range of IPs from that list, and that concerns me.

I’ve seen some other random chatter where people claim services can be deployed in Cloudflare to utilize the same IP ranges to scrape/access sites. Is that possible through say a worker or something?

Next, is it possible to implement some form of HTTP header from Cloudflare to the origin server that the origin server will accept and the requesting client will not see? This would be just another layer of security.

Would it be possible to use Cloudflare tunnel with WAF/proxy rules? I do see this being limiting potentially because of source/destination port limits, so not my number 1 option.

2 Likes

Take a look at Authenticated Origin Pull. When configured, your origin will only serve requests from the Cloudflare proxies.

2 Likes

Ok, cool. I’ll check that out and see if it works out. Thanks for the response and the solution.

1 Like

The most secure option (and IMO the easiest) is Cloudflare Tunnel with JWT validation. If this is a public website, create an Access application and a policy with Action: Service Auth and Include: Everyone. This will transparently generate a JWT that can be validated by cloudflared.

If you don’t want to use Cloudflare Tunnel, you can implement Authenticated Origin Pull with a custom certificate. You must use a custom certificate for this to be secure, as otherwise someone with access to Host Header Override (Enterprise customers) and knowledge of your origin IP could theoretically bypass your zone security. This is because the standard Authenticated Origin Pull configuration uses a shared certificate authority to generate a client certificate matching the host header. It is also imperative that you configure your origin server to block connections without a valid client certificate. Otherwise enabling Authenticated Origin Pull won’t help at all.

3 Likes

The JWT validation also looks like a better solution than this other solution I found Avoid Cloudflare bypassing by using secret headers. | Obytes. By chance do you know how many sessions a tunnel is rated for? I am worried about source/destination port limits with that model and would potentially want to run several tunnels to help with that.

I did question the Cloudflare cert when I was reading about Authenticated Origin Pull. Thank you for thinking ahead and indicating my suspicions were accurate and that I would need/want to use a custom certificate instead.

That’s borderline “security through obscurity” IMO, but I guess it’s better than nothing. There are much better ways to secure your site though - such as with an Access JWT - that don’t fall apart if the request headers are leaked.

TCP is inherently limited to 65K concurrent connections from one IP address to a single target port. If cloudflared and the origin web-server run on the same machine, you can instead use UNIX sockets which - after some tweaks - are limited to 1 million concurrent connections.

I think cloudflared will handle 65K concurrent connections just fine given adequate compute and network resources, but you may want to load balance across multiple cloudflared instances for higher availability.

1 Like
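The two layers discussed above (restricting the origin to the proxy IP ranges, and a secret header the origin requires but the visitor never sees) can be combined at the origin into one gate, and the order matters: the peer address check comes first, and only once the peer is a trusted proxy is `CF-Connecting-IP` believed as the visitor address. This is an added example and not code from the thread or from Cloudflare; the proxy ranges are constructed documentation prefixes standing in for the published list, and the header name `X-Origin-Shared-Secret` is hypothetical. The secret is compared in constant time, and, as noted in the replies, it remains a shared secret that must be rotated if it ever leaks.

```python
import hmac
import ipaddress
from typing import Iterable, Mapping

# Constructed sample ranges for this example only (RFC 5737 / RFC 3849
# documentation prefixes). A real origin would build this list from
# Cloudflare's published IP ranges page and refresh it on a schedule.
SAMPLE_PROXY_RANGES = ("198.51.100.0/24", "2001:db8:cf::/48")

# Hypothetical header name. The value is injected on the proxy side, so a
# visitor never sees it; a request arriving without it did not come via the proxy.
SECRET_HEADER = "X-Origin-Shared-Secret"


class OriginGate:
    """Decide whether the origin should serve a request.

    Layer 1: the TCP peer must be inside the trusted proxy ranges.
    Layer 2: the request must carry the shared secret header, compared in
             constant time so the comparison leaks no timing information.
    Only after both checks pass is CF-Connecting-IP trusted as the visitor IP.
    """

    def __init__(self, proxy_ranges: Iterable[str], secret: str):
        # strict=True rejects a range whose host bits are set (a typo in the list).
        self._nets = [ipaddress.ip_network(r, strict=True) for r in proxy_ranges]
        self._secret = secret.encode()

    def peer_is_proxy(self, peer_ip: str) -> bool:
        """True if the connecting address falls inside a trusted proxy range."""
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False  # malformed address: fail closed
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(addr in net for net in self._nets)

    def secret_matches(self, headers: Mapping[str, str]) -> bool:
        """Constant-time check of the shared secret header (case-insensitive name)."""
        lowered = {k.lower(): v for k, v in headers.items()}
        presented = lowered.get(SECRET_HEADER.lower(), "").encode()
        # compare_digest returns False (not an error) when lengths differ.
        return hmac.compare_digest(presented, self._secret)

    def decide(self, peer_ip: str, headers: Mapping[str, str]) -> dict:
        """Return the decision plus the visitor IP, which is only read once trusted."""
        if not self.peer_is_proxy(peer_ip):
            return {"allow": False, "reason": "peer not in proxy ranges", "visitor_ip": None}
        if not self.secret_matches(headers):
            return {"allow": False, "reason": "shared secret missing or wrong", "visitor_ip": None}
        lowered = {k.lower(): v for k, v in headers.items()}
        # CF-Connecting-IP is the header the proxy uses to carry the visitor's
        # address; it is only meaningful after the peer itself was verified.
        return {"allow": True, "reason": "ok", "visitor_ip": lowered.get("cf-connecting-ip")}


def demo_decisions() -> list:
    """Run the gate over a few constructed requests; used by main() and the test."""
    gate = OriginGate(SAMPLE_PROXY_RANGES, "constructed-demo-secret")
    good = {"X-Origin-Shared-Secret": "constructed-demo-secret", "CF-Connecting-IP": "203.0.113.9"}
    return [
        gate.decide("198.51.100.7", good),          # via proxy, secret present: allow
        gate.decide("203.0.113.9", good),           # direct to origin, right secret: deny
        gate.decide("198.51.100.7", {}),            # proxy peer, header missing: deny
        gate.decide("2001:db8:cf::1", {"x-origin-shared-secret": "constructed-demo-secret"}),
    ]


if __name__ == "__main__":
    for result in demo_decisions():
        print(result)
```

The second constructed request is the case the thread worries about: a client that has learned the origin IP and even the header value is still rejected because its peer address is not a proxy address, while a proxy-sourced request that lacks the header is rejected by the second layer.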

I understand where you are coming from, though I still wouldn’t call it that :slight_smile:. It certainly is a rather basic solution, but that would not necessarily mean it is insecure. It’s a shared secret and if that leaks, you’ll always have the same issue. Same with client certificate authentication.

As far as the web token validation is concerned, isn’t that rather for client authentication than proxy authentication? Especially in a Tunnel context I wouldn’t expect a lot of authentication as Cloudflare won’t establish the connection but actually your server.

Generally speaking, I would assume a proper firewall configuration with a proper virtual hostname setup should do the trick. Of course, @epic.network’s client certificate authentication and your (@albert) Tunnel setup are perfectly viable solutions as well.

3 Likes

Actually client certificates are not shared secrets. The private key is only stored on Cloudflare, so the origin server would not be able to leak it. Request headers are different - those could be leaked by a debug page or similar.

You’re right, JWTs aren’t necessary when using Cloudflare Tunnel if you assume Cloudflare is 100% secure. That’s unfortunately not the case. I have personally found several vulnerabilities that allowed a malicious actor to bypass zone security and send requests to a tunnel owned by another account (see https://hackerone.com/reports/1478633 and https://hackerone.com/reports/1575912). In these cases JWT validation would have prevented the attack.

Although, JWT validation is not 100% secure as the JWT signing keys could still be compromised. But I would guess that is much less likely to happen since the attack surface is smaller: Cloudflare Access vs the entire Cloudflare CDN (for a request smuggling/cross-user resolve override vulnerability).

This can unfortunately be bypassed with knowledge of the origin IP and access to Host Header Override.

1 Like

That’s not what I was hinting at :wink:. Leak the private key and you have the same issue.

Agreed, but that’s something that needs to be fixed primarily on Cloudflare’s side.

Sure, but - and the OP may correct me - I do believe this is getting over-engineered at this point :slight_smile:. If the OP really has all these concerns, then it really may be a good choice to follow that advice. If not, he probably made his entire setup unnecessarily overly complex.

Keep in mind, I read that only today → I wonder how much it would cost to run if it were designed and run with 2022 mod... | Hacker News :smile:

2 Likes

I completely agree with Sandro. Host header validation + proper firewall rules should be more than enough to prevent web scraping. If you need more security (usually only needed for an internal site), Cloudflare Tunnel with Access JWT validation is the way to go.

3 Likes

That was an awesome back and forth to follow. Thanks for the help all, I have some things to try :slight_smile:

1 Like
