Trigger Cloudflare verify platform with header

Hello,

It would be nice to trigger Cloudflare verification with a header from the application.

Problem:

  • People are pointing their domains to our servers and sometimes they disable all limitations.
  • Cloudflare IP addresses are allowlisted, so we cannot ban them the usual way. We don’t receive the attacker’s JA3 hash if it’s coming from Cloudflare.

Current solution:
In this case we just disable the user’s vhost and ask them not to use Cloudflare. But this is bad for user experience.

Issue:
The customer’s code is sometimes slow and getting attacked at the same time.

Expected:
So if they use more resources than a predefined variable, we would just send a header from Lua indicating that we only accept requests after the client has been validated by Cloudflare. For example: X-Challenge-Required: 1

By that time, Cloudflare has already allowed the request through.

Why would these requests hit one of your customer’s sites if the hostname doesn’t match?

Flow

  1. The user buys a domain or we provide them a subdomain.
  2. After that the domain should point to our IP addresses.
  3. We check whether the third-party domain’s IP is ours; then the registration gets approved.
  4. From this point we create a Let’s Encrypt cert and serve the requests for that vhost.

Where the issue starts
For some reason users might switch to Cloudflare’s proxy mode to get their own analytics or for any other reason.
It is easy to ban based on the headers: we can block Cloudflare’s proxy mode and the problem is solved, but I want to avoid this.

Actual issue
They are commonly targeted by malicious bots or large botnets. We usually tackle these by JA3/RTT/the IP TTL field/probably JA4 in the future, and some other rules. But if the targeted site is behind Cloudflare and the defense is disabled in the config panel, we have to disable the site automatically in case of a DDoS.

Goal
The goal is to avoid blocking the site and to support Cloudflare.

Obvious tools
Obviously there are Turnstile (free), Google reCAPTCHA (not free), hCaptcha (not free) and other tools, and we could pay extra to issue the challenge ourselves. Luckily Cloudflare already has its own verification platform, especially in proxy mode, and it would be nice to trigger this from the server side.

By that time, Cloudflare has already allowed the request through.

The client’s code can be slow and CPU-intensive, so it has to be defended. By using the Cloudflare proxy we lose our own JA* hash info, TTL from the IP header, RTT, etc., so we would/could end up showing a challenge to everyone in case of a DDoS attack, and that’s not a user-friendly solution.

We have OpenResty with Lua scripts (automatic Let’s Encrypt, basic WAF, etc.). This could prevent actual requests getting through to the user’s code. So in Lua we could just set the status code to 403/503 and another header indicating that we expect Cloudflare to issue its own challenge for the user or for the vhost.
If we indicate on the server side that a challenge/verification is required for the vhost, then Cloudflare could remember this for, say, 1/5/10 minutes; only a few requests would get through, and the user’s code would actually never be executed, since only OpenResty+Lua handled everything.

Alternative solution
Periodically Cloudflare could get info from a .well-known endpoint where the server’s owner could configure the DDoS settings for a Cloudflare site to strict or something.
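One way the server-side gate described in the post above could be implemented, as an added example rather than the poster's own script or anything Cloudflare provides: an OpenResty access-phase Lua script that counts requests per vhost in a shared dict, flags the vhost for a few minutes once it exceeds a budget, and from then on answers 503 with the proposed X-Challenge-Required header before the customer's code is ever reached. The header name is the poster's proposal and Cloudflare does not act on it today, so the 503 is all a client currently sees. The shared dict name, the thresholds, the file path and the two placeholder CIDRs are assumptions; load Cloudflare's published ranges in production. CF-Connecting-IP is trusted only when the TCP peer is actually Cloudflare, otherwise the header is attacker-controlled.

```lua
-- Hypothetical hook-up (not from the thread):
--   http { lua_shared_dict vhost_budget 10m; }
--   server { access_by_lua_file /etc/openresty/challenge_gate.lua; }
-- Needs lua-nginx-module >= 0.10.12 for the init_ttl argument of incr().

local WINDOW_SECONDS   = 10    -- assumption: fixed counting window per vhost
local REQUESTS_PER_WIN = 500   -- assumption: budget per vhost per window
local FLAG_TTL_SECONDS = 300   -- assumption: how long we keep demanding a challenge

-- Placeholder entries; the real list is published at https://www.cloudflare.com/ips/
local CF_RANGES = { "103.21.244.0/22", "173.245.48.0/20" }

local budget = ngx.shared.vhost_budget
if not budget then
  ngx.log(ngx.ERR, "lua_shared_dict vhost_budget is not defined")
  return -- fail open: a config error must not take every site down
end

-- Dotted-quad IPv4 to integer; nil for anything else (IPv6 falls through as untrusted).
local function ip4_to_int(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- True when ip lies inside one of the IPv4 CIDRs in ranges.
local function in_ranges(ip, ranges)
  local n = ip4_to_int(ip)
  if not n then return false end
  for _, cidr in ipairs(ranges) do
    local base, bits = cidr:match("^([%d%.]+)/(%d+)$")
    local b = base and ip4_to_int(base)
    if b then
      local block = 2 ^ (32 - tonumber(bits)) -- size of the network block
      if math.floor(n / block) == math.floor(b / block) then
        return true
      end
    end
  end
  return false
end

local host = ngx.var.host
local from_cloudflare = in_ranges(ngx.var.remote_addr, CF_RANGES)

-- Only believe CF-Connecting-IP when the peer really is Cloudflare.
local client_ip = ngx.var.remote_addr
if from_cloudflare then
  client_ip = ngx.req.get_headers()["CF-Connecting-IP"] or client_ip
end

local function demand_challenge()
  -- Proposed signal to Cloudflare; today only the 503 and Retry-After take effect.
  ngx.header["X-Challenge-Required"] = "1"
  ngx.header["Retry-After"] = tostring(FLAG_TTL_SECONDS)
  return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end

-- Already flagged: short-circuit before the customer's (possibly slow) code runs.
if budget:get("flag:" .. host) then
  return demand_challenge()
end

-- Atomic per-vhost counter for the current window; the key expires with the window.
local key = "cnt:" .. host .. ":" .. math.floor(ngx.now() / WINDOW_SECONDS)
local count, err = budget:incr(key, 1, 0, WINDOW_SECONDS)
if not count then
  ngx.log(ngx.ERR, "vhost_budget incr failed: ", err)
  return -- fail open on dict errors rather than blocking the site
end

if count > REQUESTS_PER_WIN then
  budget:set("flag:" .. host, true, FLAG_TTL_SECONDS)
  ngx.log(ngx.WARN, "vhost ", host, " over budget (", count, " in ", WINDOW_SECONDS,
          "s); last client ", client_ip, from_cloudflare and " via Cloudflare" or " direct")
  return demand_challenge()
end
-- Under budget: fall through to the existing WAF rules and the customer's code.
```

Direct (non-proxied) traffic still carries the JA3/TTL/RTT signals the post relies on, so the existing rules can run after this gate; the gate only adds a vhost-wide budget that works even when those signals are hidden behind Cloudflare.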

Rather than bother with local headers to trigger a verification, why not have it trigger an API call to enable Under Attack Mode?

https://developers.cloudflare.com/api/operations/zone-settings-change-security-level-setting

Token Permission: Zone Settings Edit

Rather than bother with local headers to trigger a verification, why not have it trigger an API call to enable Under Attack Mode?

Quote from my previous message:

  • User buys a domain or we provide them a subdomain.
  • After that the domain should point to our IP addresses.

We don’t own our users’ domains or the users’ Cloudflare account and we do not have access to that.

We only provide the IP address where they can point their own domain names.

This is the reason why we would need a header.

Hi @user4563, I am not understanding the requirement here. Why not offer them a managed hostname?

Thank you.
