Other domains on Cloudflare load my website!

My domain: http://bit.ly/2BbqmZb
Some other guy on Cloudflare: http://bit.ly/2MF136B

Pretty crazy stuff

My infrastructure is this: Cloduflare -> vps with reverse proxy -> myserver

I recommend reading this post - WAF Security with AWS - I recommend reading the entire thing, but here’s the important part:

Whitelisting Cloudflare IPs in the EC2 security group (AWS firewall) is not foolproof either as someone can just create a Cloudflare account (with no or a different WAF) and point it to my IP.

The way to fight this is to make sure your EC2 load balancer, or your backend web server only respond to the right HOST header (this can be achieved with Apache/httpd VirtualHost or a bogus default nginx server block ). This also protects against XSS via cached host header (even though CF already protects against this now).

Make sure to follow the above suggestion on your origin server so that it only responds to the host header(s) of your website.

1 Like

This topic was automatically closed after 14 days. New replies are no longer allowed.