User agent vs IP address vs ASN whitelist in firewall

After doing some research I came to know that you can whitelist a dynamic IP in a firewall in a few ways:

  1. Use a script that will automatically update the IP address using the Cloudflare API and whitelist it in the firewall (some people said to use Cloudflare Workers for this, but I don’t know exactly how to achieve this)

  2. Second, use an IP range to whitelist. You can easily find your ISP’s IP ranges through their ASN

  3. Whitelist the ASN of your ISP

  4. Using the user agent in the firewall. This one I personally don’t know if it’s safe to use. I want you to tell me below if it is :kissing:

Could you tell me which will be the best option to use, and if there are more options then please tell.

This is the only secure option out of the four. Not sure how you’d do this with Workers - afaik it is usually done using a cron job on the server whose public IP is dynamic. You’d periodically get your public IP and then edit the Firewall/IP Access Rule using the Cloudflare API if the IP has changed.

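The cron-job approach described in the reply above, written out as an added example (not the poster’s code and not a Cloudflare-provided script). It assumes a scoped API token in `CF_API_TOKEN` with permission to edit the zone’s IP Access Rules, the zone id in `CF_ZONE_ID`, and a plain-text public-IP echo service (`https://api.ipify.org` here; any trusted one works). The script keeps the last synced IP and the id of the rule it created in a small state file, and only talks to the API when the IP has actually moved. Because an IP Access Rule’s address is not edited in place here, the script creates the rule for the new IP first and then deletes the old one, so there is no moment with no whitelist entry at all. The zone-level `firewall/access_rules/rules` endpoints and the `mode`/`configuration`/`notes` body shape are the ones assumed by this example.

```python
"""Cron-driven sync of a Cloudflare zone IP Access Rule to this host's current public IP.

Added example, not the forum poster's code. Assumptions (see lead-in):
  - CF_API_TOKEN: API token allowed to edit the zone's IP Access Rules.
  - CF_ZONE_ID:   the zone that should carry the whitelist entry.
  - Public IP is read from https://api.ipify.org (plain-text echo service).
"""
import ipaddress
import json
import os
import sys
import urllib.request

STATE_FILE = os.environ.get("CF_IP_STATE", os.path.expanduser("~/.cf_dynamic_ip.json"))
API_BASE = "https://api.cloudflare.com/client/v4"
RULE_NOTE = "dynamic-home-ip (managed by cron)"  # marker so the rule is recognisable in the dashboard


def load_state(path=STATE_FILE):
    """Last synced IP and the id of the access rule created for it (empty on first run)."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return {"ip": None, "rule_id": None}


def save_state(state, path=STATE_FILE):
    """Write state atomically so a crash mid-write cannot leave a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def lookup_public_ip(url="https://api.ipify.org"):
    """Ask an echo service which address this host appears from (assumed service)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode().strip()


class CloudflareAccessRules:
    """Thin wrapper around the zone-level IP Access Rules endpoints (assumed API shape)."""

    def __init__(self, token, zone_id, opener=urllib.request.urlopen):
        self.token, self.zone_id, self.opener = token, zone_id, opener

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{API_BASE}/zones/{self.zone_id}/firewall/access_rules/rules{path}",
            data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"},
        )
        with self.opener(req, timeout=15) as resp:
            payload = json.loads(resp.read().decode())
        if not payload.get("success"):
            raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
        return payload["result"]

    def create_whitelist(self, ip):
        """Create a whitelist rule for one address and return its rule id."""
        result = self._call("POST", "", {
            "mode": "whitelist",
            "configuration": {"target": "ip", "value": ip},
            "notes": RULE_NOTE,
        })
        return result["id"]

    def delete(self, rule_id):
        self._call("DELETE", f"/{rule_id}")


def sync(current_ip, state, api):
    """Return (new_state, changed). Touches the API only when the IP has moved."""
    ipaddress.ip_address(current_ip)  # refuse junk from the echo service (raises ValueError)
    if current_ip == state.get("ip") and state.get("rule_id"):
        return state, False
    # New rule first, old rule second: never leave the zone without a whitelist entry.
    new_id = api.create_whitelist(current_ip)
    if state.get("rule_id"):
        api.delete(state["rule_id"])
    return {"ip": current_ip, "rule_id": new_id}, True


def main():
    token, zone = os.environ.get("CF_API_TOKEN"), os.environ.get("CF_ZONE_ID")
    if not token or not zone:
        sys.exit("set CF_API_TOKEN and CF_ZONE_ID")
    state, changed = sync(lookup_public_ip(), load_state(), CloudflareAccessRules(token, zone))
    if changed:
        save_state(state)
    print("updated" if changed else "unchanged", state["ip"])


if __name__ == "__main__":
    main()
```

Run it from cron every few minutes on the server whose IP is dynamic (for example `*/5 * * * * CF_API_TOKEN=... CF_ZONE_ID=... /usr/bin/python3 /opt/cf_dynamic_ip.py`). Keep the token scoped to that one zone’s firewall permission so the script can do nothing else if the server is compromised, and note that the state file only records an IP and a rule id, never the token.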

What are you actually trying to achieve? Access to a secure area of your site (such as the CMS), or something else?

Assuming you are trying to whitelist your home Internet connection and depending on the security of the underlying asset, there is a risk in using a dynamic IP address as a password. Somebody else might get that IP address before you update the firewall, and if you are offline that might be a long time.

I’d say the risk is pretty low but it’s something to consider.

Hence why it should be run on the same server. If the server can’t reach the internet, the internet probably can’t reach the server :slightly_smiling_face:

EDIT: this is of course assuming the client and server are on the same network. The better solution would probably be to use Cloudflare Access.

  1. If it’s an option, buy a static IP from your ISP
  2. Use Cloudflare Access to determine legit access

Technically you could use Cloudflare API Shield too, but Cloudflare Access is much easier: https://blog.cloudflare.com/introducing-api-shield/ & https://developers.cloudflare.com/firewall/cf-firewall-rules/api-shield

A website could still be considered an API endpoint

That is not determined, and depends on the underlying asset.

I’m assuming this is not the Origin, which would have needed the OP to have a mechanism in place to update the Origin IP in DNS also.

This is always preferred over “turn off the firewall”. Just depends on what the OP is trying to achieve.


Firstly thanks to you all for your response :pleading_face:

WordPress login

Why I prefer the firewall over Access (I still use Cloudflare Access :stuck_out_tongue_winking_eye:)

  1. It doesn’t log who was blocked from authentication and who landed on that page

I think it only tells who was blocked or allowed; it doesn’t log who visited those paths, like bots

  2. Second, especially for WordPress, the login page is wp-login.php; after login it’s redirected to wp-admin.

Access can protect wp-login, but what about hackers that don’t directly log in? They somehow get access to wp-admin through a plugin or something.

For that I can create a new application which will include paths such as wp-admin/, but it will also lock down necessary paths like /wp-admin/admin-ajax.php and /wp-admin/theme-editor.php which are required for functioning. The firewall can exclude them.

It would be a good option if you could add multiple paths and also exclude a path from Access

Just set a Cloudflare Access allow rule to whitelist those URLs, just like with firewall rules

Could also leverage group rules https://developers.cloudflare.com/cloudflare-one/tutorials/default-groups

Is that under application policy, gateway, or HTTP policy? I don’t see an option for URL path

I might have been thinking of something else, but CF Access works with just protecting the WordPress login and doesn’t interfere with WordPress functionality from my experience so far. What WordPress issues are you having by using CF Access to lock down the WordPress login?

@eva2000 If the Cloudflare Access URL is set to /wp-admin/ then some features don’t work, like Elementor forms, as it also blocks requests to /wp-admin/admin-ajax.php, thus showing an error when submitting forms

You set it to /wp-login.php :slight_smile: Any access to /wp-admin/ requires authentication via /wp-login.php first

One thing I can do: use Cloudflare Access for the WP login, protect SSH, and select correct file permissions for wp-config so that no one can bypass the WP login, and also protect from SQL injection

The Developer docs used to include a WordPress example for Cloudflare Access, but it appears to be gone. Essentially you should add a bypass rule for the wp-admin/admin-ajax.php endpoint.

Can you please tell me the exact steps, as I can’t find it here

Action - Bypass

@erictung Thanks, but where do I enter the URL path that I want to bypass, like /wp-admin/admin-ajax.php?

You create a new Access “application” to match the URL that you want to bypass, not adding a new policy to the existing Access application.


I have 3 WordPress websites behind Cloudflare Access, so for each I need 2 bypass rules, so for that I need to create 6 extra applications :expressionless:. Why can’t they add a feature to bypass by path? With around 5 original applications that’s a total of 12 applications. Won’t it be too cluttered?