Someone is impersonating me with CloudFlare..?!

Hi there. I’m not actually a Cloudflare customer but I have a serious question about it; it seems that someone has put a Cloudflare cache in front of my website without my knowledge or permission… is that even possible?!

I was recently notified in my AdSense account that my ads are appearing on another domain; when I visit that domain (it’s actually someone’s subdomain for their main site) I see my own site! I haven’t set this up, I have no idea what’s going on.

They haven’t put my site in an IFrame or anything like that, it’s being hosted on that actual domain. When I do a View Source, I see my actual HTML. When I make a request for an intentionally incorrect url on the imitation website, I get the 404 error as expected AND I see that request 404 in my web server logs at the same time - somehow that 404 request is actually getting through to my server!

And the site is even functional; I can log in to it as if it were my normal site.

Dig and other DNS tools confirm that their subdomain has an A Record which points to a Cloudflare IP.

Can someone please explain how this is possible and what I can do to stop them from using Cloudflare to impersonate me?

Thank you.

This usually happens if your web server is misconfigured. A proper configuration will ignore all requests that don’t match your domain name.

Do you see these requests in your server logs? You may have to contact your Host support for help with this.

1 Like

When you send a request to that domain, does it show up in your log files? If so, with what IP address?

Thanks for the replies!

So I found the other thread on this forum with basically the same problem and followed the instructions/guidance there:

However I ran into some problems.

  • Both before and after I started tweaking the config, directly accessing the site via the IP address(es) in a browser automatically redirects to the domain, which is good and expected behaviour.

  • I created a self-signed TLS cert and added a config to nginx for the default site to serve a 410 Gone response if the default site (the IP address) is requested.

server {
    server_name _;
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate "/etc/ssl/private/fallback.crt";
    ssl_certificate_key "/etc/ssl/private/fallback.key";
    return 410;
}

This appeared to fix the problem; the site works normally, doing curl https://123.123.123.123 -k now showed the 410 Gone as expected, and accessing the impersonating site now showed a “There is a problem with the TLS cert”.

So far so good!

I thought that was it, however now I’ve found that one or two users have been getting certificate issues when they access the site normally and when I use Qualys SSL checker it complains that there’s a certificate mismatch. This seems to be because they’re accessing the ip addresses directly (which would use the self-signed cert) instead of my proper cert for the real domain.

Is this a misconfiguration issue? Is it possible to have a default site for the servers that some clients and Qualys SSL checker don’t complain about? Thanks

@sandro

Yes, the request shows up in my logs, it comes from a cloudfront ip address in my country.

This is Amazon Web Services

OK, I sorted this out; it was a misconfiguration issue on my servers.

For reference, I did have the fallback site configured correctly (along with the self-signed TLS cert); my issue was that my server config that forces a redirect so that “www.” appears in the URL DIDN’T have a TLS cert for it, so some people were now getting cert warnings (along with Qualys’s tool).

thanks for the help.

1 Like
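The full layout the two posts above describe, written out as an added example (not the poster's actual config): a catch-all default_server that answers 410 for any unrecognised Host, plus a www redirect block that carries the real certificate. Hostnames (example.com / www.example.com) and certificate paths under /etc/ssl/example/ are assumptions.

```nginx
# Added example, not the poster's configuration. Assumes the real site is
# www.example.com with its certificate in /etc/ssl/example/, and a
# self-signed fallback pair in /etc/ssl/private/ (as in the thread).

# 1. Catch-all for anything that matches no other server block: bare IP
#    access and third-party domains (e.g. a Cloudflare-proxied subdomain)
#    pointed at this origin. They get a 410, not the site's pages.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/private/fallback.crt;
    ssl_certificate_key /etc/ssl/private/fallback.key;
    return 410;
}

# 2. Apex -> www redirect. This block needs its own 443 ssl listener with
#    the REAL certificate: if it only listens on 80, an https request for
#    example.com falls through to the default_server above and the client
#    is shown the self-signed fallback cert (the mismatch warning the
#    users and the Qualys checker reported).
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    return 301 https://www.example.com$request_uri;
}

# 3. The real site, served only under its own name.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    root /var/www/example;
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

To check which certificate each name receives, run `openssl s_client -connect ORIGIN_IP:443 -servername example.com` (and again with `www.example.com` and with no `-servername`); only the last should present the fallback cert, and `curl -k https://ORIGIN_IP/` should return 410.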

For the record, I still think it’s pretty ■■■■ that Cloudflare will just mirror a site without any sort of verification whatsoever.

Cloudflare didn’t mirror anything, they simply proxied the content like with any other domain.

You didn’t clarify this.

Typo, or is it a Cloudfront IP?
