Understand the process

We have a website that we host on-prem, and we are interested in Cloudflare DDoS protection.
I want to understand the process from the technical point of view.
I understand that I will need to create a CNAME record that points to Cloudflare's NS servers.
What happens next?
Let's say my site's domain is www.example.com.
The client will ask your NS servers who the DNS server of www.example.com is, and then you will direct it to me, but what happens in between? What tests do you perform to prevent DDoS?
And where exactly does the SSL decryption happen?
And do I need to create additional DNS records, since I have an Apache reverse proxy in front of the backend (www.be-example.com)?

I would appreciate it if you could explain the process to me.

Hello and Welcome to the Cloudflare Community,

The first step would be to change your nameservers to the ones that Cloudflare provides.
You will then add your DNS records to Cloudflare. (Cloudflare should copy all records it finds when you onboard your domain.)

When the orange cloud is activated, Cloudflare will return Cloudflare IP addresses for every lookup of your domain.
Your clients will then request your website from Cloudflare. Cloudflare will terminate the TLS connections of your clients on their edge servers and will forward the request to your server. When Cloudflare has a requested resource in their cache, they will not forward the request to your server and instead serve the asset from cache.
There is a way to tell Cloudflare to not terminate the TLS connection, but that's only available in the Enterprise plan.

The protection part is a little bit more complicated, because Cloudflare can't really tell you all the rules they use. They have different managed rulesets that are active for all zones in the Cloudflare network. They work with an IP reputation database and filter for known attack patterns and things like that.

On top of that you can also configure Firewall and IP Access Rules. Let's say you have a country where most attacks on your site are coming from. Now you could configure the Cloudflare Firewall in a way that every connection from that country gets challenged with a JavaScript challenge. Or you could block them completely.

I hope this could give you a basic understanding of the process.


Thank you for the quick reply
I want to focus on the sentence you wrote:

“Your customers will request your website from Cloudflare.”

But my site is hosted locally, because it’s a dynamic site with many large databases, so what does “request your site from Cloudflare” mean?

This page illustrates the answer quite nicely and very simply.


Thanks, I already saw this post earlier.
Do I understand correctly that every request (via DNS, of course) goes through CF, then CF adds a header to the request before forwarding it to our servers?

To protect against an attacker who can bypass this mechanism by directly contacting my website through its IP address, would I have to block all IP addresses in my Apache that is acting as reverse proxy and allowlist only the CF IP addresses?

It is desirable to limit access to only Cloudflare IPs using a firewall at or in front of your origin server.

Authenticated Origin Pulls are another good option.
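The allowlist that the question and this reply describe, worked through as an added example (not code from the thread or from Cloudflare): the origin accepts a connection only when its TCP source address falls inside the proxy's published ranges, and it trusts the `CF-Connecting-IP` header (the header the earlier post asks about) only on such connections, because on a direct connection that header can be forged by the sender. The same range check also shows the first reply's point that a proxied lookup of the domain resolves to the proxy's addresses rather than the origin's. The CIDR ranges and sample connections below are constructed placeholders, not Cloudflare's real ranges; a deployment loads the current list that Cloudflare publishes at https://www.cloudflare.com/ips/ and refreshes it periodically.

```python
"""Origin-side allowlist for a site fronted by a reverse proxy such as Cloudflare.

Added example, not from the thread or from Cloudflare. It assumes the origin
(the Apache reverse proxy in the question) sees the TCP source address of each
connection and the request headers. All ranges and connections are constructed.
"""
import ipaddress

# Placeholders standing in for the proxy's published edge ranges (constructed,
# taken from the RFC 5737 / RFC 3849 documentation space, not real edge ranges).
PLACEHOLDER_EDGE_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:cf::/48",
]


def build_allowlist(cidrs):
    """Parse CIDR strings once; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_edge(source_ip, allowlist):
    """True if the connection's source address lies in an allowlisted range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowlist)


def effective_client_ip(source_ip, headers, allowlist):
    """Address to treat as the real visitor.

    The client-IP header is honoured only when the connection itself came
    from an allowlisted edge address; a direct sender could set it to anything.
    Header names are matched case-insensitively, as HTTP requires.
    """
    if not is_from_edge(source_ip, allowlist):
        return source_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("cf-connecting-ip")
    if not raw:
        return source_ip
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        # Malformed header value from an otherwise trusted hop: fall back
        # to the socket address rather than log garbage as a client IP.
        return source_ip


def decide(source_ip, headers, allowlist):
    """Return ('deny', reason) or ('allow', client_ip) for one connection."""
    if not is_from_edge(source_ip, allowlist):
        return ("deny", "direct connection bypassing the proxy")
    return ("allow", effective_client_ip(source_ip, headers, allowlist))


def apache_require_block(cidrs):
    """Render the same allowlist as an Apache 2.4 authorization block."""
    lines = ["<RequireAny>"]
    lines += [f"    Require ip {c}" for c in cidrs]
    lines.append("</RequireAny>")
    return "\n".join(lines)


# Constructed sample connections: (TCP source address, request headers).
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", {"CF-Connecting-IP": "192.0.2.44"}),      # via proxy
    ("192.0.2.99", {"CF-Connecting-IP": "198.51.100.7"}),      # direct, forged header
    ("2001:db8:cf::1", {}),                                    # via proxy, no header
    ("203.0.113.5", {"cf-connecting-ip": "2001:db8:1::5"}),    # lowercase header name
    ("198.51.100.9", {"CF-Connecting-IP": "not-an-address"}),  # via proxy, bad header
]


def run_samples():
    allowlist = build_allowlist(PLACEHOLDER_EDGE_RANGES)
    return [decide(src, hdrs, allowlist) for src, hdrs in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for (src, _), verdict in zip(SAMPLE_CONNECTIONS, run_samples()):
        print(f"{src:>16} -> {verdict}")
    print(apache_require_block(PLACEHOLDER_EDGE_RANGES))
```

In a real Apache reverse proxy the two halves of this logic map onto existing modules rather than application code: the `Require ip` block (or a host firewall in front of the server) enforces the source-address allowlist, and `mod_remoteip` with `RemoteIPHeader CF-Connecting-IP` plus `RemoteIPTrustedProxy` entries for the same ranges restores the visitor address only for connections from those ranges. Whichever form is used, the list must be refreshed when the published ranges change, or legitimate traffic from a new edge range is denied.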


Thanks!


Note that neither of the two items I was referring to require a Pro plan.
