Prevent Users Bypassing Cloudflare To Access My Site


#1

How can I prevent malicious users, hackers, from bypassing Cloudflare to get to my site? I’m assuming a hacker is smarter than me and can do this.

Currently I plan to point api.mydomain.com to my load balancer hosted in AWS, which has a public DNS entry blah.blah.blah.amazonaws.com. Can a malicious user find out my AWS endpoint and bypass Cloudflare to attack my website? If so, how can I prevent this?


#2

You can simply use the :orange: cloud mode.

Note that Cloudflare is not intended to hide the IP address of your origin server.

What you can do is to whitelist traffic coming from Cloudflare’s IP addresses and reject other IPs at the AWS Management Console. That way, only visitors coming from Cloudflare can access your origin server. Rate limiting would also help to protect your endpoint.


#3

No, as long as you don’t reveal it to the public. That’s why a website which migrates to Cloudflare due to previous attacks should change the server IP.
For average websites, just updating software ASAP is the best practice to remain secure.


#4

Thanks.


#5

Update

It is a good practice to block all other IPs except CF ones. Using this tool, someone can find your IP even behind CF by using Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target’s domain name.
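
The allowlist advice in posts #2 and #5, as an added example that is not part of the original thread: a Python check that audits security group ingress rules and reports any web-port rule reachable from a source outside Cloudflare's ranges. The function names, the sample rules and the embedded range subset are assumptions made for illustration; the rule structure follows the `IpPermissions` output of `aws ec2 describe-security-groups`.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges, embedded so the example runs
# offline. In real use, load the current lists from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
CLOUDFLARE_SAMPLE = ["173.245.48.0/20", "103.21.244.0/22",
                     "104.16.0.0/13", "172.64.0.0/13"]
WEB_PORTS = {80, 443}


def covers_web_port(perm):
    """True if an IpPermissions entry opens port 80 or 443."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in WEB_PORTS)


def non_cloudflare_sources(ip_permissions, allowed_cidrs):
    """Return (cidr, from_port, to_port) for web rules open beyond allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in ip_permissions:
        if not covers_web_port(perm):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # A source is acceptable only if it sits wholly inside an allowed range.
            inside = any(net.version == a.version and net.subnet_of(a)
                         for a in allowed)
            if not inside:
                findings.append((cidr, perm.get("FromPort"), perm.get("ToPort")))
    return findings


# Constructed sample rules, not taken from a real account.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "104.16.0.0/13"}, {"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "172.64.8.0/24"}, {"CidrIp": "198.51.100.0/24"}]},
]

if __name__ == "__main__":
    for cidr, lo, hi in non_cloudflare_sources(SAMPLE_RULES, CLOUDFLARE_SAMPLE):
        print(f"open to non-Cloudflare source {cidr} on ports {lo}-{hi}")
```

An empty result means every rule exposing port 80 or 443 is limited to the supplied ranges; the SSH rule in the sample is ignored because it does not cover a web port.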