I have a domain hosted on Cloudflare and set up Cloudflare Access to get to a few different services via subdomains. All subdomains are restricted to only 2 authorized email addresses (via Access) and the root domain has a rule to deny all traffic. The only exception to this is a CNAME record which points to mailgun for the ability to get email forwarded. I wouldn’t see this traffic anyways.
With this setup, I would expect that my local Nginx logs should only ever show traffic from IPs I recognize to access locally hosted services after being authorized by Google authentication from Access. This is the case for 99% of the traffic. There are a few exceptions though and I’m looking for feedback on understanding why they go through to my local server. I’d like to make sure I’m not missing something important.
Here are a few examples with IPs redacted:
x.x.x.x - - [18/Jan/2019:01:05:56 -0800] "GET / HTTP/1.1" 400 262 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)" - I see this entry every few days or so - Scanner bot - Working on getting the IP ranges to block these - How did it get through?
x.x.x.x - - [17/Jan/2019:22:35:51 -0800] "GET / HTTP/1.1" 400 664 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" - I don’t own any Apple equipment. How did this get through? It’s not looking at any specific web page that I can tell from the logs.
x.x.x.x - - [17/Jan/2019:21:38:01 -0800] "OPTIONS sip:[email protected] SIP/2.0" 400 182 "-" "-" - Can SIP traffic get through Access??
x.x.x.x - - [17/Jan/2019:21:04:36 -0800] "GET / HTTP/1.1" 400 182 "-" "-"
x.x.x.x - - [17/Jan/2019:20:42:33 -0800] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 182 "-" "-"
Some additional details:
- My local Nginx server only listens on Port 443 and uses Authenticated Origin Pulls
- I have a catch-all rule to deny all traffic not to designated subdomains, although there are no additional DNS entries and Access should prevent this anyways.
- All traffic is secured (Full - Strict)
- Again, Cloudflare Access has a rule for every subdomain set up through a CNAME entry pointing to the root domain. I do it this way so I can use dynamic IP updates to one domain only.
- I am not using any kind of wildcard domain rule
- Root domain is set to block all traffic through Access
- The two email accounts authorized are through Gmail and use 2FA. No indication of unauthorized access in either Gmail account.
I appreciate any feedback.
EDIT: Added more examples.
EDIT 2: This is likely just someone connecting directly to my IP address and not through the domain.
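The conclusion in EDIT 2 (connections arriving at the origin IP directly, never passing through Cloudflare or Access) can be checked from the Nginx log itself: a request that really came through the proxy has a client address inside Cloudflare's published edge ranges, and a request line that is not HTTP at all (the SIP OPTIONS and the `\x03\x00...mstshash=` RDP handshake above) is a protocol scanner talking straight to port 443. The script below is an added example, not part of the original post; it parses combined-format Nginx log lines, tags each as `cloudflare` or `direct` by source address, and names the protocol the request line actually speaks. The Cloudflare ranges are the IPv4 list published at https://www.cloudflare.com/ips/ at the time of writing (assumed current; refresh it before relying on it), and the sample lines use TEST-NET addresses in place of the redacted IPs.

```python
"""Tag Nginx access-log lines as proxied-by-Cloudflare or direct-to-origin,
and identify non-HTTP protocol probes.  Added example, not the post's code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Cloudflare's published IPv4 ranges at the time of writing (assumption: fetch
# the current list from https://www.cloudflare.com/ips/ before using this).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
HTTP_REQ_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d(?:\.\d)?$")
SIP_REQ_RE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")


@dataclass
class Classified:
    ip: str
    status: int
    path: str      # "cloudflare" (came via the proxy) or "direct" (hit the origin IP)
    kind: str      # "http", "sip", "rdp" or "garbage"
    request: str


def from_cloudflare(ip: str) -> bool:
    """True if the client address is inside a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def request_kind(request: str) -> str:
    """Work out which protocol the raw request line actually speaks."""
    if HTTP_REQ_RE.match(request):
        return "http"
    if SIP_REQ_RE.match(request):
        return "sip"
    # Nginx writes non-printable bytes as \xNN.  A TPKT header (\x03\x00) followed
    # by an "mstshash=" cookie is the opening of an RDP connection request.
    if request.startswith(r"\x03\x00") and "mstshash=" in request:
        return "rdp"
    return "garbage"


def classify(line: str) -> Optional[Classified]:
    """Parse one combined-format line; None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m["ip"]
    return Classified(
        ip=ip,
        status=int(m["status"]),
        path="cloudflare" if from_cloudflare(ip) else "direct",
        kind=request_kind(m["request"]),
        request=m["request"],
    )


def direct_hits(lines: List[str]) -> List[Classified]:
    """Entries that never passed through Cloudflare (and therefore never through
    Access).  These are what an origin firewall limited to Cloudflare's ranges
    would drop before Nginx ever logged them."""
    return [c for c in map(classify, lines) if c is not None and c.path == "direct"]


# Constructed sample: one legitimate request proxied by Cloudflare, then the kinds
# of lines from the post with TEST-NET addresses standing in for the redacted IPs.
SAMPLE_LOG = [
    r'104.16.1.1 - - [18/Jan/2019:01:00:00 -0800] "GET /app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'203.0.113.5 - - [18/Jan/2019:01:05:56 -0800] "GET / HTTP/1.1" 400 262 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)"',
    r'203.0.113.6 - - [17/Jan/2019:21:38:01 -0800] "OPTIONS sip:probe@203.0.113.6 SIP/2.0" 400 182 "-" "-"',
    r'203.0.113.7 - - [17/Jan/2019:21:04:36 -0800] "GET / HTTP/1.1" 400 182 "-" "-"',
    r'203.0.113.8 - - [17/Jan/2019:20:42:33 -0800] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 182 "-" "-"',
]

if __name__ == "__main__":
    for c in direct_hits(SAMPLE_LOG):
        print(f"{c.ip:<14} {c.status} {c.kind:<8} {c.request[:50]}")
```

Every one of the post's example lines classifies as `direct`, which is consistent with EDIT 2: the 400 status is Nginx rejecting a request that either is not HTTP or carries no Host/SNI it serves, and Authenticated Origin Pulls only protects the TLS handshake for names Cloudflare proxies, not the raw IP. The practical fix this points at is the same one the source-address check encodes: allow port 443 only from Cloudflare's ranges at the host firewall, so these probes are dropped before they reach Nginx at all.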