I am currently setting up a server using Cloudflare to proxy requests.
Everything works as intended; however, I am worried because one might scan IP ranges and access my server without going through my domain name that uses Cloudflare.
Currently on my router I am forwarding ports 80 and 443 for every source to my server. I think I have 2 solutions:
1. Forward only for specific IP sources (Cloudflare IPs)
2. Accept only connections on the nginx server for the Cloudflare IPs
The first solution might be better, but I’m wondering in both cases how to get the Cloudflare IPs. Do I have to take the IP I get when checking the A records?
They aren’t quite as easy to set up for some people, and there’s overhead due to running the tunnel that lowers bandwidth, as well as adding a bit more load. Minor things that will only really worry you if the site is busy or bandwidth/CPU constrained.
Forgot to say, unless you have a need to deliver content over HTTP on port 80, you don’t need to forward that on your router. Redirection to HTTPS can be done on Cloudflare by switching on “Always use HTTPS”, keeping the origin configuration simpler.
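
For the second option in the question (nginx accepting only Cloudflare addresses), here is an added example, not code from any poster in this thread, that turns a range list into an nginx `allow`/`deny` include. Cloudflare publishes its proxy ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the ranges below are constructed documentation addresses and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the one-CIDR-per-line format of the published
# lists. These are documentation ranges, NOT Cloudflare's real ones.
SAMPLE_RANGES = """\
# constructed sample
192.0.2.0/24
198.51.100.0/24

2001:db8::/32
"""

def parse_ranges(text):
    """Return validated networks; fail closed on anything suspicious."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        # A very short prefix (e.g. 0.0.0.0/0) would reopen the origin.
        min_prefix = 8 if net.version == 4 else 16
        if net.prefixlen < min_prefix:
            raise ValueError(f"line {lineno}: {net} is too broad")
        networks.append(net)
    if not networks:
        raise ValueError("empty range list; refusing to write config")
    return networks

def render_nginx(networks):
    """Build an include file for a server{} or location{} block."""
    lines = [f"allow {net};" for net in networks]
    lines.append("deny all;")  # every source not listed gets 403
    return "\n".join(lines) + "\n"

def is_allowed(addr, networks):
    """Mirror the allow/deny decision for one source address."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in networks)

if __name__ == "__main__":
    print(render_nginx(parse_ranges(SAMPLE_RANGES)), end="")
```

If nginx also uses the realip module to restore visitor addresses, `allow`/`deny` match the rewritten address, so the check then has to be made against `$realip_remote_addr` instead.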