When utilizing Cloudflare, it's important to block all connections to a site at the webserver level from IPs that are not within Cloudflare's IP range. Granted you could do this with iptables, however if you have sites that are not protected by Cloudflare this will break those sites. This should be easily implemented within nginx, openlitespeed, lsws, and apache.

Even if you didn't want to implement this specific feature, there should still be an option to be able to block all and only allow specific IPs, and the reverse: allow all and block specific IPs.

This can easily be done via .htaccess (or nginx rules per site). Once you've got your rule-set, you can copy/paste across.

I doubt this would be a priority as it can easily already be achieved, especially when there are so many core (can't do now at all) features to have added.
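As an added illustration of the "deny all, allow only the CDN edge ranges" policy the request describes (this is example code, not Enhance's or Cloudflare's, and the two ranges in it are constructed documentation prefixes standing in for the real published list), the script below parses a range list, applies the decision a web server would make for a given TCP peer address and `CF-Connecting-IP` header, and emits per-site fragments for nginx (`allow`/`deny`) and Apache `.htaccess` (`Require ip`). The function and variable names are my own.

```python
#!/usr/bin/env python3
"""Per-site "deny all, allow only the CDN edge" policy: a reference decision
plus nginx / .htaccess rule generation. Added example, not the panel's code.
The ranges below are constructed placeholders (RFC 5737 / RFC 3849 prefixes),
NOT Cloudflare's real edge list, which Cloudflare publishes itself."""
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample edge ranges; replace with the current published list.
SAMPLE_EDGE_RANGES = ["203.0.113.0/24", "2001:db8:cf::/48"]


def parse_ranges(cidrs: Iterable[str]):
    """Parse CIDR strings and fail closed: a malformed or empty list raises
    instead of silently producing an incomplete allow-list in front of deny-all."""
    nets = []
    for raw in cidrs:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # tolerate blank / comment lines in a fetched list
        nets.append(ipaddress.ip_network(text))  # strict: host bits set -> ValueError
    if not nets:
        raise ValueError("empty edge range list; refusing to generate deny-all rules")
    return nets


def is_edge(peer_ip: str, nets) -> bool:
    """True when the TCP peer (the address the web server actually accepted the
    connection from) lies inside one of the edge ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in n for n in nets)


def decide(peer_ip: str, cf_connecting_ip: Optional[str], nets) -> Tuple[int, Optional[str]]:
    """Reference decision the generated rules are meant to reproduce.
    Returns (http_status, effective_client_ip). The origin check is made on the
    peer address; CF-Connecting-IP is trusted only once the peer is a known edge,
    because anyone reaching the origin directly can put any value in that header."""
    if not is_edge(peer_ip, nets):
        return 403, None
    if cf_connecting_ip:
        try:
            return 200, str(ipaddress.ip_address(cf_connecting_ip.strip()))
        except ValueError:
            return 400, None  # malformed header from a trusted edge: reject, don't guess
    return 200, peer_ip


def nginx_rules(nets) -> str:
    """server/location-level fragment: allow the edge ranges, deny everything else."""
    lines = ["# generated: only CDN edge ranges may reach this site"]
    lines += [f"allow {n};" for n in nets]
    lines.append("deny all;")
    return "\n".join(lines) + "\n"


def htaccess_rules(nets) -> str:
    """Apache 2.4 .htaccess fragment (mod_authz_host, RequireAny block)."""
    lines = ["# generated: only CDN edge ranges may reach this site", "<RequireAny>"]
    lines += [f"    Require ip {n}" for n in nets]
    lines.append("</RequireAny>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_EDGE_RANGES)
    print(nginx_rules(nets))
    print(htaccess_rules(nets))
    print(decide("203.0.113.7", "198.51.100.5", nets))  # (200, '198.51.100.5')
    print(decide("198.51.100.5", "203.0.113.7", nets))  # (403, None): direct hit, header ignored
```

One caveat worth checking before relying on the generated fragments: both nginx's realip module (`set_real_ip_from` / `real_ip_header`) and Apache's mod_remoteip rewrite the client address that `allow`/`deny` and `Require ip` are evaluated against. If real-IP restoration is already configured for the site, as the thread notes it usually is, those directives then see the restored visitor address rather than the edge peer and the rules block everyone; on nginx the check must be keyed on the original peer (`$realip_remote_addr`) instead, which is exactly the distinction `decide()` above makes by testing `peer_ip` and not the header value.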

    XN-Matt

    • .htaccess rules are processed per request, thus leading to a performance dependency and/or vulnerability
    • Insecure, htaccess will only provide application level performance, meaning, the server will still receive requests, exposing it to DoS etc.

    In short, firewall approach is best

    PS, there is also Cloudflare level control, though exploitable by discovery

      Firewall maybe best approach but the OP ruled that out for the reason stated. As such, .htaccess is the only viable alternative in how the system currently works.

      XN-Matt This can easily be done via .htaccess (or nginx rules per site).

      It's not a wise decision at all.

      IPtable is the best and most efficient way to achieve this.

        Shaijee Yes do enlighten us how this is done noting what the OP says about blocking at the firewall level which will then break non-CF sites oh wise one.

        XN-Matt This can easily be done via .htaccess (or nginx rules per site). Once you've got your rule-set, you can copy/paste across.

        Correct, it's possible for all web servers .htaccess for Apache and LSWS and Nginx rules for Nginx.

        Since there is already a list of Cloudflare addresses that need to be maintained to show the real IP of a connecting client when a site is behind Cloudflare, it should be easy to set up a block all, allow Cloudflare ranges.

        XN-Matt I doubt this would be a priority as it can easily already be achieved, especially when there are so many core (can't do now at all) features to have added.

        Yes, it can easily be done via .htaccess, but Nginx requires modifying a configuration file outside of a site's home directory that only root can access. Having the option to override the Nginx config via files within the site's home directory is beneficial. Adding it in a UI would be above and beyond.

        There are instances where a dedicated instance is provided with just a control panel to a customer, and they're not given root. They can't easily add in Nginx config because they can't access it.

        Not looking for a priority, just creating a request and leaving it up to Enhance to prioritize.

        JohnBee .htaccess rules are processed per request, thus leading to a performance dependency and/or vulnerability
        Insecure, htaccess will only provide application level performance, meaning, the server will still receive requests, exposing it to DoS etc.

        In short, firewall approach is best

        I agree, however not all sites on a server can be protected by Cloudflare, even using partial zones with Cloudflare if the DNS server doesn't support CNAME flattening. This is an alternative.

        JohnBee PS, there is also Cloudflare level control, though exploitable by discovery

        I'm confused. If you're using Cloudflare for a site, you should be blocking all requests except for Cloudflare's edge network ranges. So you can't use Cloudflare for this.

        Shaijee It's not a wise decision at all.

        IPtable is the best and most efficient way to achieve this.

        Can you elaborate? How do you work around sites on the same server that aren't on Cloudflare or using another WAF/CDN similar to Cloudflare?

        This isn't about DoS or DDoS protection, it's so that all traffic flows through Cloudflare and any WAF or other rules are applied to traffic.

          Jordan Can you elaborate? How do you work around sites on the same server that aren't on Cloudflare or using another WAF/CDN similar to Cloudflare?

          This isn't about DoS or DDoS protection, it's so that all traffic flows through Cloudflare and any WAF or other rules are applied to traffic.

          My bad; I overlooked the shared platform and responded based on our specific setup. We provide managed services (beyond just hosting) and use Cloudflare on every site, making it easy to manage through IPtable.

            Agree, give users an option at a website level.
            If this option was only visible for domains that are using Cloudflare proxying, that would be great. It would be great if this was under the security tab and could be enabled on a domain by domain basis.

            I've fired up the graphics department as an example:

            CloudPanel does this well already for comparison:

            Adding the rules to the .htaccess or Nginx config file is likely fine.

            If someone wants to do this via IPtables for maximum efficiency, at best just create a guide on how they can break their own server!

              Shaijee My bad; I overlooked the shared platform and responded based on our specific setup. We provide managed services (beyond just hosting) and use Cloudflare on every site, making it easy to manage through IPtable.

              All good. I'm in the same boat, we have clients who are managed and we have full control of their domain and DNS via Cloudflare.

              But we also service agencies and there are clients of the agency that just won't use Cloudflare. They have their own IT department with 50 staff, so changing the name servers isn't possible at all. Cloudflare partial zones would work here, but that means the current DNS servers for the domain have to support apex CNAME flattening, which is only sometimes the case.

              There are also cases where we don't use Cloudflare; there are also clients using Akamai, Imperva, and Fastly.
