Possible to bypass Cloudflare for hostname?

Hi. I’m curious, is it possible for an attacker to bypass Cloudflare for a specific host name if they know the origin IP? I already know anyone can access the server directly if they know the IP, but this doesn’t worry me because the NGINX server will just respond with a 444 code when the request doesn’t point to a host name that exists on the server.

Could anyone for instance request somehost.com bypassing Cloudflare by using their own DNS or hosts file?

I also already have a firewall to accept only Cloudflare IPs, but I’m just curious if it’s theoretically possible for attackers to access a specific hostname while bypassing Cloudflare?

You don’t need a special DNS server or hosts file, just something that can set the hostname in the request.

If it concerns you, firewalling everything but Cloudflare IPs is effective. You can also use Authenticated Origin Pulls to secure connections with mTLS.


Thanks, I thought it was most likely, but wanted to confirm for the sake of my logic.

I already use Vultr firewall to only allow incoming IPv6 requests from Cloudflare, so this is pretty secure of course. I only accept IPv6 also, so it’s also pretty difficult to guess the IP, even if that would simply return 444 anyway.

I was looking at this, but it seems pointless if one already uses a firewall that only accepts Cloudflare IPs.

AOP, if using your own certificate, allows your origin to reject requests that come to it because someone is using your IP address in another Cloudflare zone (either in error, or for bad reasons such as using low security settings) in a more efficient way than handling a 444 response. Such requests would not be blocked by the firewall IP restrictions.

In your case, with a hard-to-guess IPv6 address you are probably ok, but if that IP address has ever been used in DNS without the Cloudflare proxy, securitytrails.com and other history sites probably have it logged.

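The three layers discussed in this thread (a 444 default server for unknown host names, a Cloudflare-only IP allow-list, and Authenticated Origin Pulls so a Cloudflare address used by another zone still cannot reach the vhost) fit together in one origin configuration. The following is an added example, not a configuration from the thread or from Cloudflare; `somehost.com`, the certificate paths and the two include files of `allow`/`set_real_ip_from` lines are assumptions.

```nginx
# Hardened origin nginx (added example, not from the thread).
# Assumed files:
#   /etc/nginx/certs/somehost.com.{crt,key}      the site's own certificate
#   /etc/nginx/cloudflare-origin-pull-ca.pem      Cloudflare's origin pull CA (from the Cloudflare docs)
#   /etc/nginx/cloudflare-allow.conf              "allow <cidr>;" lines built from cloudflare.com/ips-v6
#   /etc/nginx/cloudflare-real-ip.conf            "set_real_ip_from <cidr>;" lines, same ranges

# Layer 1: a catch-all server for any SNI/Host that is not a configured site.
# ssl_reject_handshake (nginx >= 1.19.4) aborts the TLS handshake without
# handing out a certificate, so an IP scanner learns nothing about the sites.
server {
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
    return 444;   # close the connection without a response
}

server {
    listen [::]:443 ssl;
    server_name somehost.com;

    ssl_certificate     /etc/nginx/certs/somehost.com.crt;
    ssl_certificate_key /etc/nginx/certs/somehost.com.key;

    # Layer 2: Authenticated Origin Pulls. Cloudflare presents a client
    # certificate on every proxied connection; a direct request that sets
    # "Host: somehost.com" but has no such certificate fails the handshake,
    # even when it arrives from a Cloudflare IP used by another customer's zone.
    ssl_client_certificate /etc/nginx/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;

    # Layer 3: only Cloudflare's published egress ranges may reach this vhost
    # (belt-and-braces with the host firewall; anything else gets 403).
    include /etc/nginx/cloudflare-allow.conf;
    deny all;

    # Log the visitor's address rather than the edge's, so access logs and
    # rate limits key on the real client. Trusted only for the same ranges.
    include /etc/nginx/cloudflare-real-ip.conf;
    real_ip_header CF-Connecting-IP;

    location / {
        root /var/www/somehost.com;
    }
}
```

Regenerate the two include files whenever Cloudflare's published ranges change, otherwise legitimate edge traffic starts failing at the `deny all` line.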

True that. Thanks for pointing it out.

The simple websites I will host are neither sensitive nor vulnerable (or even attractive to attackers), but I am setting up new servers and want to start with smart, secure defaults. Most importantly, I want to avoid obvious unwelcome requests connecting from outside Cloudflare.

You could connect your server to Cloudflare via a Cloudflare Tunnel; that way you need no open ports on your origin.



Hi from the product team! I would highly recommend using Cloudflare Tunnel and/or doing JWT validation in your origin server. The Cloudflare IPs are shared across many customers and don’t provide that much protection.
