Prevent Cloudflare Bypass with Authenticated Origin Pulls

IP address is a decent way. However regularly updating is tough for me.

So, I went through Authenticated Origin Pulls approach and really loving it. It was quite simple to configure.

There was one issue, port 80 was still open so I completely disallowed listening over it and made “refused to connect” error, and 443 is allowed but only over Cloudflare Certificate. :innocent:

I will make sure to keep changing origin IP address to prevent any kind of accidental leak.

Not using Mail server.

Is there anything else I can do to secure origin?

The IP addresses rarely change. So blocking by IP address still is a good option.

But Authenticated Pulls are certainly a possibility too. What that is, is essentially just the proxies using client certificate authentication to authenticate themselves against your server. Like with the IPs you just need to make sure you have the current certificate in place. IIRC the previous certificate expired this year and a lot of people complained here that their sites aren’t working any more (obviously, with an expired certificate).

Also, that kind of authentication requires your site to be on HTTPS. That is not necessarily a bad thing, but it is something to consider as well. You won’t be able to use HTTP any longer.

You nonetheless might want to restrict access to Cloudflare however, as you could still leak your domain name via SSL, especially if the certificate is the default one and not just configured via SNI. Another thing to consider is any potential DDoS attacks against your SSL port. These might be easier if your server accepts connections compared to when it only accepts Cloudflare connections.

Apart from that, you should be good to go. And, yes, it is a good idea to change the IP address, especially if it has been already archived for your domain somewhere.
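The setup both posts describe (port 80 refused, 443 only for Cloudflare's client certificate, plus the IP allowlist the reply recommends as defence in depth) can be expressed in a single nginx origin configuration. The block below is an added example, not something from this thread or from Cloudflare; it assumes nginx as the origin web server, and every file path, hostname, upstream address and IP range in it is a placeholder that you replace with your own values and with Cloudflare's currently published CA certificate and IP list.

```nginx
# Added example (not from the thread): nginx origin config that combines
# Authenticated Origin Pulls (client-certificate auth) with a Cloudflare
# IP allowlist. All paths, hostnames and IP ranges are placeholders.

# Port 80: do not listen on it at all. With no "listen 80" anywhere in the
# config the kernel refuses the TCP connection, which is the
# "refused to connect" behaviour described in the original post.

server {
    listen 443 ssl;
    server_name example.com;            # placeholder hostname

    # Origin certificate presented to Cloudflare (placeholder paths).
    ssl_certificate     /etc/nginx/ssl/origin.pem;
    ssl_certificate_key /etc/nginx/ssl/origin.key;

    # Authenticated Origin Pulls: require a client certificate chaining to
    # Cloudflare's origin-pull CA. Fetch the current CA from Cloudflare's
    # documentation and replace this file when Cloudflare rotates it; an
    # expired CA here is exactly the outage the reply describes.
    ssl_client_certificate /etc/nginx/ssl/cloudflare-origin-pull-ca.pem;  # placeholder path
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Defence in depth: only accept connections from Cloudflare's published
    # ranges. Replace the placeholders with the list from
    # https://www.cloudflare.com/ips/ and refresh it whenever it changes.
    # Note: do NOT combine this with set_real_ip_from / real_ip_header in
    # the same context, or allow/deny would test the visitor's IP taken
    # from a header instead of the proxy's actual source address.
    allow 203.0.113.0/24;   # PLACEHOLDER, not a real Cloudflare range
    allow 198.51.100.0/24;  # PLACEHOLDER, not a real Cloudflare range
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream app
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Catch-all for connections that do not carry the real hostname in SNI
# (for example a scanner connecting to the bare IP). Rejecting the
# handshake means no certificate is sent, so the domain name is not
# leaked through a default certificate, which the reply warns about.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # requires nginx 1.19.4 or newer
}
```

After reloading, two checks confirm the intent: a plain `curl https://<origin-ip>/` (no client certificate, no matching SNI) must fail at the TLS handshake rather than return content, and a request to port 80 must be refused at the TCP level. Run `nginx -t` before reloading, and treat the CA file and the IP list as items to re-verify on a schedule, since both are the pieces Cloudflare rotates and both fail closed when stale.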

