Transform rule to stop bypass Cloudflare

What is the name of the domain?

What is the issue you’re encountering

Transform rule

What steps have you taken to resolve the issue?

Read online docs

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

Hello.

Apparently I can set up a transform rule to make sure that all traffic for my website goes through Cloudflare and to stop anyone bypassing Cloudflare if they learn my proxied IP addresses (my webhost IP), etc.

I can see there are a few ways of doing things, including getting my hosting provider to set up a rule on their own firewall. However, I found some instructions to do this via a transform rule. However, as per the screenshot image, I don't know what to populate in these boxes.

Not sure where you found that, but it’s not possible.

If someone learns your IP address and uses that to bypass Cloudflare, you can’t do anything to stop them in your Cloudflare settings.

That’s something you need to configure at your origin firewall.

I was referencing this

Thanks

I was also referring to these instructions I found

The Transform Rule

There are three types of Transform Rules: URL Rewrite, HTTP Request Header Modification, and HTTP Response Header Modification. For this solution, we need to create a single HTTP Request Header Modification.

Go to your Cloudflare Dashboard under Rules, and choose Transform Rules. Then click on Create Transform Rule, and Modify Request Header.

First, give it a name.

Then set the condition that will trigger the rule. In our case, we want the header to be added to all requests, so a matching condition could be

Hostname contains example.com

Then you click on Set Static, and fill up the name and value fields.

The header name and value could be anything permissible under Apache’s specifications. But you should refrain from using non-alphanumeric characters, other than perhaps a dash or an underscore, as they may lead to parsing issues somewhere down the processing pipeline.

For the method you linked, you can use whatever you want. It just needs to be secret.

In the example, @cbrandt used Secret-Header and SeCrEt-k3y, but you can really use whatever you want.

But with this method, the blocking still takes place on your server, not on Cloudflare.
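An added example, not part of the original thread or of the linked instructions: because the blocking happens on the origin, this shows the server-side half of the method as Python WSGI middleware that rejects any request lacking the header the Transform Rule sets. It assumes the origin runs a WSGI application; `Secret-Header` and `SeCrEt-k3y` are the placeholder name and value quoted above, and `RequireEdgeHeader`, `demo_app` and `status_for` are hypothetical names.

```python
import hmac
from wsgiref.util import setup_testing_defaults

# Header name and value are the placeholders quoted in the thread; a real
# deployment uses a long random value kept out of source control.
HEADER_ENVIRON_KEY = "HTTP_SECRET_HEADER"   # WSGI form of "Secret-Header"
ACCEPTED_VALUES = ("SeCrEt-k3y",)           # more than one entry allows rotation


def has_valid_secret(environ, accepted=ACCEPTED_VALUES):
    """Return True only if the request carries one of the accepted values."""
    supplied = environ.get(HEADER_ENVIRON_KEY, "").encode("utf-8", "replace")
    # Constant-time comparison; the list (not a generator) checks every value.
    return any([hmac.compare_digest(supplied, v.encode("utf-8")) for v in accepted])


class RequireEdgeHeader:
    """WSGI middleware: reject requests that did not pass through the rule."""

    def __init__(self, app, accepted=ACCEPTED_VALUES):
        self.app = app
        self.accepted = accepted

    def __call__(self, environ, start_response):
        if not has_valid_secret(environ, self.accepted):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # Do not pass the secret on to application code or its logs.
        environ.pop(HEADER_ENVIRON_KEY, None)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Hypothetical application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def status_for(headers):
    """Run one constructed request through the middleware; return its status."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(headers)
    seen = []
    RequireEdgeHeader(demo_app)(environ, lambda status, hdrs: seen.append(status))
    return seen[0]
```

Listing both the old and the new value in `ACCEPTED_VALUES` lets the origin keep accepting traffic while the Transform Rule is switched to a new secret.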

Thanks

There seem to be many different methods; it's become confusing as to which one to use.

What would you recommend?

As I don’t know anything about your setup, I can’t make any recommendations.

Cheers.

I would describe it to you. However, those details pose a security risk in a public forum.

Thanks for your time again
