Traffic on origin server that isn't allowed by Access


#1

I have a domain hosted on Cloudflare and set up Cloudflare Access to get to a few different services via subdomains. All subdomains are restricted to only 2 authorized email addresses (via Access) and the root domain has a rule to deny all traffic. The only exception to this is a CNAME record which points to mailgun for the ability to get email forwarded. I wouldn’t see this traffic anyways.

With this setup, I would expect that my local Nginx logs should only ever show traffic from IPs I recognize to access locally hosted services after being authorized by Google authentication from Access. This is the case for 99% of the traffic. There are a few exceptions though and I’m looking for feedback on understanding why they go through to my local server. I’d like to make sure I’m not missing something important.

Here are a few examples with IPs redacted:

x.x.x.x - - [18/Jan/2019:01:05:56 -0800] "GET / HTTP/1.1" 400 262 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)" - I see this entry every few days or so - Scanner bot - Working on getting the IP ranges to block these - How did it get through?

x.x.x.x - - [17/Jan/2019:22:35:51 -0800] "GET / HTTP/1.1" 400 664 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" - I don’t own any Apple equipment. How did this get through? It's not looking at any specific web page that I can tell from the logs.

x.x.x.x - - [17/Jan/2019:21:38:01 -0800] "OPTIONS sip:[email protected] SIP/2.0" 400 182 "-" "-" - Can SIP traffic get through Access??

x.x.x.x - - [17/Jan/2019:21:04:36 -0800] "GET / HTTP/1.1" 400 182 "-" "-"

x.x.x.x - - [17/Jan/2019:20:42:33 -0800] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 182 "-" "-"

Some additional details:

  • My local Nginx server only listens on Port 443 and uses Authenticated Origin Pulls
  • I have a catch-all rule to deny all traffic not to designated subdomains, although there are no additional DNS entries and Access should prevent this anyways.
  • All traffic is secured (Full - Strict)
  • Again, Cloudflare Access has a rule for every subdomain set up through a CNAME entry pointing to the root domain. I do it this way so I can use dynamic IP updates to one domain only.
  • I am not using any kind of wildcard domain rule
  • Root domain is set to block all traffic through Access
  • The two email accounts authorized are through Gmail and use 2FA. No indication of unauthorized access in either Gmail account.

I appreciate any feedback.

EDIT: Added more examples.

EDIT 2: This is likely just someone connecting directly to my IP address and not through the domain.


#2

Exactly my first thought.

Did you block direct access to your host? Only


should be allowed


#3

I do use authorized origin pulls. I removed the IP block because it didn’t work with the real IP module. I believe traffic is still being blocked since the origin pull certificate doesn’t show the traffic from Cloudflare.

Thanks.
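As an added illustration of the approach #2 suggests and the real-IP conflict #3 ran into, here is an nginx configuration (example code, not from the thread) that keeps Authenticated Origin Pulls, restores visitor addresses from CF-Connecting-IP, and still rejects connections that do not arrive from a Cloudflare edge. The check uses `$realip_remote_addr` (the TCP peer address before the real-IP module rewrites `$remote_addr`), which is why it does not break the way an `allow`/`deny` list does once real-IP is active. Hostnames, certificate paths and the backend port are assumptions; only two Cloudflare ranges are shown and the full current list must be loaded from https://www.cloudflare.com/ips-v4 and /ips-v6.

```nginx
# Flag requests whose TCP peer is a Cloudflare edge. $realip_remote_addr is the
# original peer address even after set_real_ip_from/real_ip_header rewrite
# $remote_addr, so the allowlist is evaluated against the right address.
geo $realip_remote_addr $from_cloudflare {
    default 0;
    173.245.48.0/20 1;   # two published ranges shown; load the full list
    103.21.244.0/22 1;   # from cloudflare.com/ips-v4 and /ips-v6
}

# Restore the visitor address (for logs, rate limits) only for trusted peers.
set_real_ip_from 173.245.48.0/20;   # same list as above
set_real_ip_from 103.21.244.0/22;
real_ip_header   CF-Connecting-IP;

# Default server: anything arriving by bare IP or an unknown Host name gets the
# connection closed with no response (444), so scanner, SIP or RDP probes never
# reach an application server block.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/fallback.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/fallback.key;   # assumed path
    return 444;
}

server {
    listen 443 ssl;
    server_name app.example.com;                       # assumed hostname
    ssl_certificate     /etc/nginx/tls/origin.crt;     # assumed path
    ssl_certificate_key /etc/nginx/tls/origin.key;     # assumed path

    # Authenticated Origin Pulls: the handshake fails (nginx answers 400)
    # unless the client presents a certificate signed by Cloudflare's CA.
    ssl_client_certificate /etc/nginx/cf-origin-pull-ca.pem;   # assumed path
    ssl_verify_client on;

    # Second layer: drop the request unless the peer was a Cloudflare edge,
    # independent of what $remote_addr now says.
    if ($from_cloudflare = 0) { return 444; }

    location / {
        proxy_pass http://127.0.0.1:8080;               # assumed local service
        proxy_set_header X-Forwarded-For $remote_addr;  # visitor address
    }
}
```

Run `nginx -t` after editing and compare the `$realip_remote_addr` and `$remote_addr` values in a custom log format to confirm which layer is rejecting a given probe.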