How do I deny all requests not from cloudflare?

Posted by phillips1012 on Server Fault See other posts from Server Fault or by phillips1012
Published on 2014-06-03T01:38:42Z Indexed on 2014/06/03 3:30 UTC
Read the original article Hit count: 506

Filed under:
|

I've recently gotten denial of service attacks from multiple proxy ips, so I installed cloudflare to prevent this. Then I started noticing that they're bypassing cloudflare by connecting directly to the server's ip address and forging the host header.

What is the most performant way to return 403 on connections that aren't from the 18 ip addresses used by cloudflare?
I tried denying all then explicitly allowing the cloudflare ips but this doesn't work since I've set it up so that CF-Connecting-IP sets the ip allow tests for.

I'm using nginx 1.6.0.

© Server Fault or respective owner

Related posts about nginx

Related posts about cloudflare

  • Using dd-wrt Dynamic DNS client with CloudFlare

    as seen on Server Fault - Search for 'Server Fault'
    I'm trying to configure Dynamic DNS client on my router with dd-wrt (v24-sp2) firmware so it would dynamically change IP address in one of the DNS records. Unfortunately I encountered a problem… Here is an example request from their ddclient configuration: https://www.cloudflare.com/api.html?a=DIUP&u=<my_login>&tkn=<my_token>&ip=<my_ip>&hosts=<my_record>… >>> More

  • powweb and cloudflare

    as seen on Server Fault - Search for 'Server Fault'
    i am using powweb as hosting provider and cloudflare as free cdn. Its been few weeks since my website is down and it says "website down, no cache version available". And to add more to it, I cannot access powweb or any website hosted from powweb from my ISP connection. So i am facing trouble solving… >>> More

  • fail2ban with Cloudflare

    as seen on Server Fault - Search for 'Server Fault'
    I'm using fail2ban to block web vulnerability scanners. It is working correctly when visiting the site if CloudFlare is bypassed, but a user can still access it if going through it. I have mod_cloudflare installed. Is it possible to block users with IPtables when using Cloudflare? Ubuntu Server… >>> More

  • Passing all traffic through Cloudflare

    as seen on Server Fault - Search for 'Server Fault'
    I am new to Linux System Administration and I am experimenting with iptables trying to learn how to really lock down a system with them. And one thing a friend of mine recommended was that there was a way to pass all incoming traffic through Cloudflare so even if attackers resolved the server ip they… >>> More

  • cloudflare's mx record should set cname or A records

    as seen on Pro Webmasters - Search for 'Pro Webmasters'
    The cloudflare offical support said https://support.cloudflare.com/hc/en-us/articles/200168876-My-email-or-mail-stopped-working-What-should-I-do- But traditionally mx record should not set as cname http://www.exchangepedia.com/blog/2006/12/should-mx-record-point-to-cname-records.html But cloudflare… >>> More