i have massive connection requests from Cloudflare ip addresses that are allowed/whitelisted as described in documentation https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/. The problem is that these CF IPs do not access domains protected via reverse proxy. So my current assumption is that someone is abusing a Cloudflare worker to bypass the corresponding whitelist.
In the end, can the issue only be solved with the “Full (strict)” ssl/tls mode?
I hope that Cloudflare defines the IP ranges more precisely between “used by reverse proxy of Cloudflare” and used by “workers by customers”.
No, but you shouldn’t need to ask that question in the first place, as you should be already on Full Strict. Otherwise you have an insecure site with no encryption.
Workers cannot request IPs, only domains - if a Worker requests your domain, it will go through Cloudflare as normal. There is no way to use a Worker as a bypass.
If you don’t want Workers requesting your site, just block them with a firewall rule.
how is it then possible that requests from Cloudflare ips arrive at the origin, on domains for which no reverse proxy is activated in Cloudflare or on domains which do not exist at the origin?
i tried this topic once, it is possible. you can simply set as attacker e.g. the “a record” of a domain for which Cloudflare name server is local on attacker side/dns to a cf ip which is used e.g. also by other subdomains and it arrives via cf ip at the origin, because the attacker comes through via cf as valid.
my expectation here would be that cf prevents/blocks such behavior, since cf knows for which domains the “proxy protection” is enabled or not.
these requests sometimes show up in Cloudflare’s dashboard, but from my point of view they should never get through cf, because there is simply no proxy protection set for them.
This should be irrelevant and is only possible due to poor practices by a customer who lacks a secured origin. Use tunnels or Full Strict, as suggested earlier, to ensure nobody else can point Cloudflare (or any IP really) to your origin.
That being said, if you are saying these requests are only for domains which are not on Cloudflare, the encryption mode will be completely irrelevant, as there’s no encryption mode to begin with.
And yes, Workers can (naturally) send requests to such domains. If you do not want to get such requests you simply block the given Cloudflare IP addresses. All of that is not really proxy related.
So, Cloudflare domains or not? If so, my previous advice applies, otherwise you simply block the IP addresses.