We use Cloudflare for our DNS and as a firewall.
To cut down on the BS traffic we are getting, I am considering creating a firewall table on the server (it’s a dedicated server) that allows only Cloudflare IPs and certain specific ones - like ours, PayPal, etc.
Naturally, we will still have jackasses that make it past the Cloudflare firewall and come through on Cloudflare IPs, but at least we will stop the ones coming direct to our ‘true’ IP address.
But I wanted to check if there were any known problems or issues with this ‘extra security’ approach?
I did look around the Cloudflare site and the community, but didn’t find much about this particular idea.
Generally this is the preferred way to go - it will stop these bots as well as many all-web scanners like Censys from scanning and indexing your server’s open ports.
There is also Authenticated Origin Pulls, which you can install in Apache/nginx. Cloudflare’s requests will be signed with their client certificate and your origin would make sure all requests are signed with this certificate. The only downside to this approach is that layer 3/4 attacks (packet floods) might still be possible with enough bandwidth, so usually the firewall approach is favorable.
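The two controls discussed in this answer, as an added example that is not part of the thread and not Cloudflare-provided code: a POSIX shell script that generates an nftables ruleset admitting ports 80/443 only from Cloudflare edge ranges and everything else only from a short allowlist, plus the nginx directives that enforce Authenticated Origin Pulls. Every IP range in it is a constructed RFC 5737 placeholder (the live lists come from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), the CA path, certificate paths and hostname are assumptions, and `apply_nft_rules` is a hypothetical wrapper around `nft -c -f` followed by `nft -f`.

```shell
#!/bin/sh
# Added example, not code from the thread: build an nftables ruleset that
# lets HTTP/HTTPS reach the origin only from Cloudflare edge ranges plus a
# short allowlist, and an nginx snippet that enforces Authenticated Origin
# Pulls. Every address below is a CONSTRUCTED placeholder; in production
# fetch the live lists from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 on a schedule and regenerate the sets.

# Constructed stand-in for the Cloudflare edge list (RFC 5737 test ranges).
# The third line is deliberately malformed to show that input is validated.
CF_RANGES="198.51.100.0/24
203.0.113.0/24
203.0.113.0/24; flush ruleset"

# Constructed allowlist: office egress IP and a payment-provider webhook host.
EXTRA_ALLOW="192.0.2.10/32
192.0.2.20/32"

# Assumed path to Cloudflare's origin-pull CA certificate (the CA itself is
# published in Cloudflare's Authenticated Origin Pulls docs; path is a placeholder).
ORIGIN_PULL_CA=/etc/nginx/cloudflare-origin-pull-ca.pem

# Accept only a dotted-quad CIDR with a 0-32 prefix, so a bad line in a
# downloaded list cannot smuggle nft syntax into the generated ruleset.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Read CIDRs from stdin, drop malformed ones, emit "a, b, c" for an nft set.
cidr_list() {
    list=""
    while read -r r; do
        [ -z "$r" ] && continue
        if valid_cidr "$r"; then
            list="${list}${list:+, }$r"
        else
            printf 'skipping malformed entry: %s\n' "$r" >&2
        fi
    done
    printf '%s' "$list"
}

# Emit the complete nftables ruleset on stdout (IPv4 only for brevity; the
# ips-v6 list would go into a second set of type ipv6_addr).
build_nft_rules() {
    cf=$(printf '%s\n' "$CF_RANGES" | cidr_list)
    extra=$(printf '%s\n' "$EXTRA_ALLOW" | cidr_list)
    cat <<EOF
table inet origin_filter {
    set cloudflare_v4 {
        type ipv4_addr
        flags interval
        elements = { $cf }
    }
    set allow_v4 {
        type ipv4_addr
        flags interval
        elements = { $extra }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        # web ports only from Cloudflare edges
        ip saddr @cloudflare_v4 tcp dport { 80, 443 } accept
        # admin access (SSH etc.) only from the allowlist
        ip saddr @allow_v4 accept
    }
}
EOF
}

# Emit the nginx server fragment for Authenticated Origin Pulls: nginx
# requires a client certificate chained to Cloudflare's origin-pull CA and
# answers HTTP 400 to any TLS client that does not present one.
build_nginx_origin_pull() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name example.com;                        # placeholder
    ssl_certificate     /etc/nginx/origin.pem;      # placeholder
    ssl_certificate_key /etc/nginx/origin.key;      # placeholder
    ssl_client_certificate $ORIGIN_PULL_CA;
    ssl_verify_client on;
}
EOF
}

# Hypothetical rollout helper: write, syntax-check with nft -c, then load.
# Never load a generated ruleset unchecked on a box whose only management
# path is SSH, since a typo with 'policy drop' locks you out.
apply_nft_rules() {
    out=${1:-/etc/nftables.d/origin_filter.nft}
    build_nft_rules > "$out" && nft -c -f "$out" && nft -f "$out"
}

build_nft_rules
build_nginx_origin_pull
```

Run it as-is to see the generated ruleset and nginx fragment on stdout (the malformed entry is reported on stderr and dropped). Two points the answer above makes are visible in the output: the firewall stops direct-to-origin traffic before it reaches Apache or nginx at all, whereas `ssl_verify_client on` only rejects it after a TCP connection and TLS handshake have already consumed resources, which is why a packet flood still gets through the latter. Cloudflare's edge ranges change occasionally, so the refresh job that regenerates the sets matters as much as the initial ruleset.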
Authenticated Origin Pulls is a good idea, except probably more complicated on our OVH server, as it uses Plesk and a combination/pairing of NGINX and Apache.
The firewall approach will take a bit of initial work, but should be simpler to implement.
I am curious as to whether origin pulls will slow down the home page load time. First byte time is already taking about 4 seconds, which is all about DNS lookup and other such processes, before the content even starts appearing.