Validating Cloudflare Access using NGINX

I have a self hosted application with access to sensitive information. I’ve setup Cloudflare Zero Trust Access and restricted incoming IPs on that subdomain to Cloudflare’s IPV4 IPs. Is there anything else I should do from the NGINX config to make sure my application isn’t leaking data?

From Nginx point ov view, you should use SSL for your sub-domain.
From the application point of view, I’d suggest to debug and review the code to double-check for possible issues and check the permissions to the database, if so.
From my point of view, I’d suggest a Pro plan as far as it offers WAF and Managed WAF Rules for better security & web application protection (XSS, MySQLi, CSRF …) :wink:

I’m not worried about the web application layer right now because if Cloudflare’s Access control works I’m the only one who can get into the application anyways. What I’m looking for is to be confident that nobody can bypass Cloudflare’s Access.

Good for you then :wink:

I haven’t heard for this kind of an incident, yet, which might depend on the policies which you have configured.

You can enable Authenticated Origin Pull with customer certificates.

Essentially this configuration on your Origin means that your web server will only respond to requests that come from your Cloudflare account. All other requests will be dropped.

3 Likes

I can give you an example. Before I restricted incoming IPs, you could bypass Cloudflare Access by making a request to “https://:grey:.domain.com/” with the header “Host: :orange:.domain.com”.

Use Cloudflare Tunnels and an appropriate Access policy.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.