Whitelist Cloudflare IPs allows access to all Cloudflare users?

stjepan.buljat · 2019-02-08 08:41:37 UTC

I would like to use Cloudflare Access to add authentication to my backend service on AWS. Additional step to do is whitelist Cloudflare IPs on AWS security group to prevent access from outside. This is all fine but what prevents another Cloudflare user to point to my AWS endpoint (ie AWS load balancer) and completely circumvent settings I did in Cloudflare Access?

Thanks!

matteo · 2019-02-08 09:59:22 UTC

This is prevented by the fact that Cloudflare never allow (except Enterprise, but it’s manually activated and verified) users to change their Host header, so if the load balancer checks for that no one can go around Access.

stjepan.buljat · 2019-02-08 09:59:10 UTC

Thanks. I will add host based check on AWS ALB and that will prevent it… thanks again.