Using Cloudflare workers to block other hosts


#1

I’ve noticed that another domain with its DNS hosted on Cloudflare has been set up to point to my domain. Let’s say my domain is called mydomain and the other domain is called otherdomain. If I load otherdomain in my browser it returns the content that’s hosted at mydomain. I want to stop this behaviour and only allow my origin content to be returned if it’s being requested from mydomain.

I’ve tried setting up the following Cloudflare worker to block all hosts except for mine, but it’s not working as expected and is still returning content from my origin if I load otherdomain.

    // Run handleRequest for every request that reaches this worker
    addEventListener('fetch', event => {
      event.respondWith(handleRequest(event.request))
    })

    async function handleRequest(request) {
      // Read the Host header of the incoming request
      var host = request.headers.get('host')
      // Refuse anything whose Host does not contain my domain
      if (!host.includes('mydomain')) {
        return new Response('Access denied', {
          status: 403, statusText: 'Access denied'
        })
      }
      // Otherwise pass the request through to the origin
      return fetch(request)
    }

Can someone tell me what I’m doing wrong and let me know how I can achieve what I’m after?
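A stricter version of the host check from the question, added here as an example rather than the original poster’s code: the substring test becomes an exact-match allowlist (so hosts such as notmydomain.com or mydomain.com.attacker.example are refused) with port and case normalised, although, as later replies in the thread note, a worker only runs for requests routed through your own zone, so this tightens the check without changing whether the worker sees the other domain at all. The allowlist entries and the handler name are placeholders assumed for the example.

```javascript
// Added example, not the original poster's worker. The allowlist values
// below are placeholders; substitute the hostnames you actually serve.
const ALLOWED_HOSTS = new Set(['mydomain.com', 'www.mydomain.com']);

// Normalise a Host header value: trim, lower-case, drop any ":port"
// suffix and a trailing dot. Returns null when the header is absent.
function normalizeHost(host) {
  if (!host) return null;
  let h = host.trim().toLowerCase();
  // Strip the port; bracketed IPv6 literals are left untouched here
  const idx = h.indexOf(':');
  if (idx !== -1 && !h.startsWith('[')) h = h.slice(0, idx);
  if (h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

// Exact match against the allowlist. A substring test such as
// host.includes('mydomain') would also accept "notmydomain.com" or
// "mydomain.com.attacker.example"; an exact match does not.
function isAllowedHost(host, allowed = ALLOWED_HOSTS) {
  const h = normalizeHost(host);
  return h !== null && allowed.has(h);
}

async function handleRequest(request) {
  // The URL hostname is derived from the request's Host header
  const host = new URL(request.url).hostname;
  if (!isAllowedHost(host)) {
    return new Response('Access denied', { status: 403 });
  }
  return fetch(request);
}

// Register the handler only where the Workers-style global exists,
// so the module also loads in a plain Node.js environment.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', event => {
    event.respondWith(handleRequest(event.request));
  });
}
```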


#2

Assuming they do not proxy your host but only point to it you could easily fix that server-side. Either set up a dedicated virtual host for your domain (so the other domain would hit the default host and not your site’s) or block the host in your server configuration. Both approaches are probably easier and cheaper than using workers.


#3

Thanks for your reply. I know I could achieve this the way you’ve described, however I’d like to prevent the requests from even reaching my origin if possible.


#4

Alright, do you know how exactly they achieve it? Is it really a DNS pointer or could it be some proxying or crawling?


#5

Unfortunately I’m not entirely sure, but I’m guessing that they’ve set up CNAME records to point to my site. Adding the following to my nginx config results in Cloudflare returning HTTP 520 when loading the other domain:

    # Close the connection without a response unless the Host header
    # is exactly one of my hostnames (anchored at both ends)
    if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$) {
        return 444;
    }


#6

Okay, then let’s assume they simply point*). Unfortunately I am not all that familiar with Cloudflare’s worker API, so it’s difficult for me to tell exactly if there is an issue with the code, but there is an example at https://developers.cloudflare.com/workers/recipes/hotlink-protection/ which is pretty close to what you want to achieve.

*) If they had proxied or crawled your site you could have also blocked their IP address in Cloudflare.


#7

I had a look at the link and I don’t think it’s quite what I’m after. I’m not sure how I could adapt it for my use case without blocking all requests where the referer hostname doesn’t match my domain, which is something I don’t want to do either. Instead I just want to block requests where the host header isn’t my domain. Thanks for sending this example through anyway though!


#8

That’s why I said pretty close. The example checks the referrer; you’d need to go for the host header.


#9

Correct, though this is what I already tried and posted in my original question.


#10

I haven’t compared the two scripts. Are they identical in that regard?


#11

If the other domain is pointing at your machine (even if it’s a CNAME / orange clouded), it will never hit your worker. Cloudflare will go back directly to your origin.

I guess this kind of ‘attack’ is easily solvable by setting up end to end encryption (Origin certificates (full strict)).


#12

@sandro They’re not quite identical but I believe they’re similar in that they’re trying to limit requests by hostname.

@martin2 I’ve got an origin certificate installed and full (strict) encryption enabled but that doesn’t seem to make a difference.


#13

Hmm, alright. Probably the certificates are not isolated on a per-account basis then (I assumed that).


#14

Can you post the domains in question?


#15

My domain is: accroo.io
The domain that’s pointing to mine is: curlai.com


#16

I presume you are right now blocking it in nginx as it returns an error.


#17

Please try again now - I’ve temporarily unblocked it.


#18

It should not be a CNAME as Cloudflare appears to block that. Check it out at accroo[dot]sitemeer[dot]com

Could it be that they know your IP address and point directly to the host?


#19

I can’t imagine that they’d know my origin IP. I don’t think that Cloudflare are blocking this as you suspect, because I have another domain on Cloudflare and I can replicate the behaviour of this other site by creating a CNAME record that points to accroo.io.


#20

Well, the example I provided returns a 1014.

Anyhow, I’d compare your worker code with the example provided by Cloudflare and contact Cloudflare’s support if it does match but still not block it.