Traffic on origin server that isn't allowed by Access

I have a domain hosted on Cloudflare and setup Cloudflare Access to get to a few different services via subdomains. All subdomains are restricted to only 2 authorized email addresses (via Access) and the root domain has a rule to deny all traffic. The only exception to this is a CNAME record which points to mailgun for the ability to get email forwarded. I wouldn’t see this traffic anyways.

With this setup, I would expect that my local Nginx logs should only ever show traffic from IPs I recognize to access locally hosted services after being authorized by Google authentication from Access. This is the case for 99% of the traffic. There are a few exceptions though and I’m looking for feedback on understanding why they go through to my local server. I’d like to make sure I’m not missing something important.

Here are a few examples with IPs redacted:

x.x.x.x - - [18/Jan/2019:01:05:56 -0800] “GET / HTTP/1.1” 400 262 “-” “Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2;” - I see this entry every few days or so - Scanner bot - Working on getting the IP ranges to block these - How did it get through?

x.x.x.x - - [17/Jan/2019:22:35:51 -0800] “GET / HTTP/1.1” 400 664 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36” - I don’t own any Apple equipment. How did this get through? Its not looking at any specific web page that I can tell from the logs.

x.x.x.x - - [17/Jan/2019:21:38:01 -0800] “OPTIONS sip:[email protected] SIP/2.0” 400 182 “-” “-” - Can SIP traffic get through Access??

x.x.x.x - - [17/Jan/2019:21:04:36 -0800] “GET / HTTP/1.1” 400 182 “-” “-”

x.x.x.x - - [17/Jan/2019:20:42:33 -0800] “\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr” 400 182 “-” “-”

Some additional details:

  • My local Nginx server only listens on Port 443 and uses Authenticated Origin Pulls
  • I have a catch all rule to deny all traffic not to designated subdomains, although there are no additional DNS entries and Access should prevent this anyways.
  • All traffic is secured (Full - Strict)
  • Again, Cloudflare Access has a rule for every subdomain setup through a CNAME entry pointing to the root domain. I do it this way so I can use dynamic IP updates to one domain only.
  • I am not using any kind of wildcard domain rule
  • Root domain is set to block all traffic through Access
  • The two email accounts authorized are through Gmail and use 2FA. No indication of unauthorized access in either gmail account.

I appreciate any feedback.

EDIT: Added more examples.

EDIT 2: This is likely just someone connecting directly to my IP address and not through the domain.

Exaclty my first thought.

Did you block direct Access to your host? Only

should be allowed

I do use authorized origin pulls. I removed the IP block because it didn’t work with the real IP module. I believe traffic is still being blocked since the origin pull certificate doesn’t show the traffic from Cloudflare.