Hi there. I’m not actually a Cloudflare customer but I have a serious question about it; it seems that someone has put a Cloudflare cache in front of my website without my knowledge or permission… is that even possible?!
I was recently notified in my AdSense account that my ads are appearing on another domain; when I visit that domain (it’s actually someone’s subdomain for their main site) I see my own site! I haven’t set this up, I have no idea what’s going on.
They haven’t put my site in an iframe or anything like that, it’s being hosted on that actual domain. When I do a View Source, I see my actual HTML. When I make a request for an intentionally incorrect URL on the imitation website, I get the 404 error as expected AND I see that request 404 in my web server logs at the same time - somehow that 404 request is actually getting through to my server!
And the site is even functional; I can log in to it as if it were my normal site.
Dig and other DNS tools confirm that their subdomain has an A Record which points to a Cloudflare IP.
Can someone please explain how this is possible and what I can do to stop them from using Cloudflare to impersonate me.
This appeared to fix the problem; the site works normally, doing curl https://184.108.40.206 -k now showed the 410 Gone as expected, and accessing the impersonating site now showed a “There is a problem with the TLS cert” error.
So far so good!
I thought that was it, however now I’ve found that one or two users have been getting certificate issues when they access the site normally and when I use Qualys SSL checker it complains that there’s a certificate mismatch. This seems to be because they’re accessing the ip addresses directly (which would use the self-signed cert) instead of my proper cert for the real domain.
Is this a misconfiguration issue? Is it possible to have a default site for the servers that some clients and Qualys SSL checker don’t complain about? Thanks
OK, I sorted this out; it was a misconfiguration issue on my servers.
For reference, I did have the fallback site configured correctly (along with the self-signed TLS cert), my issue was that my server config that forces a redirect so that “www.” appears in the URL DIDN’T have a TLS cert for it, so some people were now getting cert warnings (along with Qualys’s tool).
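
The layout described in this thread, sketched as an added example that is not the poster's own configuration: a fallback site with a self-signed certificate that answers 410 Gone, plus a "www." redirect that carries the real certificate. It assumes nginx (the thread does not name the web server); example.com and every file path are placeholders.

```nginx
# Added example, assuming nginx. example.com and all paths are placeholders.

# 1. Fallback site: catches any request whose hostname matches no real
#    site below (direct-IP access, or a hostname you never configured).
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Self-signed certificate, used only by this catch-all block.
    ssl_certificate     /etc/nginx/tls/fallback-selfsigned.crt;
    ssl_certificate_key /etc/nginx/tls/fallback-selfsigned.key;

    return 410;
}

# 2. Plain-HTTP requests for either real name go to the canonical HTTPS URL.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# 3. HTTPS redirect from the bare name to "www.".
#    This name needs its own HTTPS block with the real certificate.
#    Without it, https://example.com/ falls through to the fallback block
#    above and clients (and SSL checkers) see the self-signed certificate.
server {
    listen 443 ssl;
    server_name example.com;

    # Certificate must list example.com in its subject alternative names.
    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    return 301 https://www.example.com$request_uri;
}

# 4. The real site.
server {
    listen 443 ssl;
    server_name www.example.com;

    # Certificate must list www.example.com in its subject alternative names.
    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    root /var/www/example;
}
```

After reloading, request each name you serve (bare, "www.", and the raw IP) and confirm that only the raw IP presents the self-signed certificate.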