Prevent IP Spoofing of Origin Servers

I’m able to restrict access to my origin servers from Cloudflare IP ranges. But these are publicly available so I guess it’s pretty easy to fake them - IP Spoofing. As this traffic will skip Cloudflare network it can’t be filtered out by the proxy.

Is there an option how to block such attempts on my edge Fortigate firewall?

My idea is that CF proxy will add some HTTP header with secret known only to my firewall and Cloudflare. Every other communication will be dropped.

It’s not. Limiting requests to Cloudflare IP addresses is pretty much all you need to do, but if you really want to make sure only requests for your domain are accepted, you can certainly also check out https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/

1 Like

Ha seems that you think to everything! Thank you for pointing me to the right direction

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.