Proxy blocks access

Hi!
I have 5 domains that use CF DNS. 2 are webshops. I use Webmin on the VPS and to secure it I have changed the Webmin port. But that means that I can't use the CF proxy, because then I can't access the Webmin interface. I know CF only accepts a limited number of ports, but for me that means much less security because these ports are published for anyone to test.

May I ask which port do you use with Webmin?

Did you change the port to one which is supported and compatible with the Cloudflare proxy :orange:?

The ports supported and compatible with the Cloudflare proxy :orange: are listed in the article below:

Do you get some error or it’s due to the SSL?

From my point of view, depending on where you are located and what options you have got, I would run Webmin behind a server hostname domain on one of the ports supported and compatible with Cloudflare, meaning it's proxied :orange:.

As there could be a lot of domains on the server, if it were possible to access Webmin from any domain, that would be terrible and possibly dangerous (why allow access to anyone?).

Therefore, if I managed all the domains on the server (assuming they all use Cloudflare services), I would create a Firewall Rule to block any request made to each of the hosted domains which is not over port 80 or 443. That obviously blocks access to my Webmin panel via any of the hosted domains (like webshop1.com:port, webshop2.com:port, someothersite.com:port), which is actually a good thing to do.

Nevertheless, to access my Webmin panel by visiting my hostname:port, I would limit access to my VPN IP address only (or, even better, use Cloudflare Access for it) with a Firewall Rule.

Or, you could create a Firewall Rule which contains your hostname and therefore blocks each request which is not over port 80 or 443 and is not from your IP, or whose IP is not in your AS number, or whose IP is not in your home country:

  • (http.host contains "hostname.com" and not cf.edge.server_port in {80 443} and ip.geoip.asnum ne 12345)

or

  • (http.host contains "hostname.com" and not cf.edge.server_port in {80 443} and ip.src ne 1.2.3.4)

or

  • (http.host contains "hostname.com" and not cf.edge.server_port in {80 443} and ip.geoip.country ne "HR")

Hopefully you will manage to create your specific one. I hope the above suggestions could help a bit with it.
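The four block rules suggested in the post above (the "not 80/443 on every hosted domain" rule and the three hostname rules with an ASN, source-IP or country carve-out) can be checked before deployment by evaluating them against a handful of representative requests. The following is an added example, not code from the original thread or from Cloudflare: it re-implements each expression as a Python predicate over the fields the expressions read (`http.host`, `cf.edge.server_port`, `ip.src`, `ip.geoip.asnum`, `ip.geoip.country`) and runs constructed requests through them. Every literal is an assumption: `hostname.com` as the server hostname, `webshop1.com`/`webshop2.com`/`someothersite.com` as the hosted domains, the admin at 1.2.3.4 in AS12345 in HR (the values that appear in the expressions), and Webmin moved to 8443, one of the HTTPS ports Cloudflare proxies (Webmin's default, 10000, is not).

```python
"""Added example (not from the original thread): simulate the proposed
Cloudflare Firewall Rules over constructed requests.

All rules here have action "block": a request is blocked if any rule's
expression evaluates to true. Assumptions: hostname.com is the server
hostname, the hosted domains are the three webshop/site names below, the
admin comes from 1.2.3.4 / AS12345 / HR, and Webmin listens on 8443 (one of
the HTTPS ports the Cloudflare proxy accepts; 10000, Webmin's default, is not).
"""
from dataclasses import dataclass
from typing import Callable

WEB_PORTS = {80, 443}
WEBMIN_PORT = 8443                      # assumption, see module docstring
ADMIN_IP = "1.2.3.4"                    # from the ip.src expression
ADMIN_ASN = 12345                       # from the ip.geoip.asnum expression
ADMIN_COUNTRY = "HR"                    # from the ip.geoip.country expression
HOSTED = {"webshop1.com", "webshop2.com", "someothersite.com"}  # assumption


@dataclass(frozen=True)
class Request:
    """The request fields the expressions above consult."""
    host: str        # http.host
    edge_port: int   # cf.edge.server_port
    src_ip: str      # ip.src
    asnum: int       # ip.geoip.asnum
    country: str     # ip.geoip.country


def not_web_port(r: Request) -> bool:
    """not cf.edge.server_port in {80 443}"""
    return r.edge_port not in WEB_PORTS


# (http.host in {hosted domains} and not cf.edge.server_port in {80 443})
# The rule from the paragraph about the hosted domains: nothing but 80/443
# is allowed on webshop1.com, webshop2.com, someothersite.com.
def rule_hosted_domains(r: Request) -> bool:
    return r.host in HOSTED and not_web_port(r)


# (http.host contains "hostname.com" and not cf.edge.server_port in {80 443}
#  and ip.geoip.asnum ne 12345)
def rule_asn(r: Request) -> bool:
    return "hostname.com" in r.host and not_web_port(r) and r.asnum != ADMIN_ASN


# (... and ip.src ne 1.2.3.4)
def rule_ip(r: Request) -> bool:
    return "hostname.com" in r.host and not_web_port(r) and r.src_ip != ADMIN_IP


# (... and ip.geoip.country ne "HR")
def rule_country(r: Request) -> bool:
    return "hostname.com" in r.host and not_web_port(r) and r.country != ADMIN_COUNTRY


BLOCK_RULES: dict[str, Callable[[Request], bool]] = {
    "hosted": rule_hosted_domains,
    "asn": rule_asn,
    "ip": rule_ip,
    "country": rule_country,
}


def matching_rules(r: Request, rules=BLOCK_RULES) -> list[str]:
    """Names of the block rules whose expression is true for this request."""
    return [name for name, expr in rules.items() if expr(r)]


def is_blocked(r: Request, rules=BLOCK_RULES) -> bool:
    return bool(matching_rules(r, rules))


# Constructed sample requests (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, 64496/64497 documentation ASNs.
ADMIN_FROM_HOME = Request("hostname.com", WEBMIN_PORT, "1.2.3.4", 12345, "HR")
ADMIN_ON_THE_ROAD = Request("hostname.com", WEBMIN_PORT, "203.0.113.7", 64496, "DE")
STRANGER_WEBMIN = Request("hostname.com", WEBMIN_PORT, "198.51.100.9", 64497, "US")
STRANGER_WEBSITE = Request("hostname.com", 443, "198.51.100.9", 64497, "US")
STRANGER_SHOP_PORT = Request("webshop1.com", WEBMIN_PORT, "198.51.100.9", 64497, "US")
SHOPPER = Request("webshop1.com", 443, "198.51.100.9", 64497, "US")

if __name__ == "__main__":
    for name, req in globals().copy().items():
        if isinstance(req, Request):
            print(f"{name:20} {req.host}:{req.edge_port:<5} "
                  f"blocked={is_blocked(req)!s:5} by {matching_rules(req)}")
```

Two things the run makes visible that the expressions alone do not. First, the three hostname rules never touch `webshop1.com:8443`: without the separate "hosted domains" rule, a stranger probing the Webmin port through a webshop's proxied name is not blocked by any of them, which is exactly why the post pairs the two. Second, the carve-out is only as tight as the field it uses: from an unexpected network the admin is blocked by all three, while the country rule would still let any other HR visitor through, so `ip.src` (or Cloudflare Access) is the right choice for a single admin.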

As I wrote in my last post, I have not changed to any Cloudflare-approved port. These ports are public, and for an intruder that makes it easier to find out what port I use.
It's really no problem, because I only allow access now from my own IP. Then I don't need the CDN. But it's inconvenient when I am away and I can't access Webmin.

True, but may I ask what the issue is here? I mean, anyone can ping and sniff out any of the open ports on the origin host / server that way if they know the IP address, even using online tools.
Why not run it over one of the supported and compatible ports so it can be proxied :orange: and protected via Cloudflare? (The IP would be masked and protected that way.)

May I ask, does it mean that if Cloudflare added more compatible ports, it would be more secure? - I am afraid not.

Is the thing you are worried about UDP or TCP floods?

In case you need some more ports, I would suggest using a Business or Enterprise plan for it.
Or, I think you could install some load balancer at the origin host and thereby proxy the "local" ports as you need, while having the same port for the "outside" world, which can even be proxied :orange: on the basic 443 port.

Cloudflare Access / Teams may be worth looking up:
https://developers.cloudflare.com/cloudflare-one/

Or, if we want to make it simple, we could use 401 authorization for the hostname:port.

