If you’re not using Cloudflare yet, maybe you should consider it
Here are all the good reasons why you should use it:
- It’s free.
  Well, the basic version is free, and it’s enough for most people. Really.
- It can prevent DDoS attacks on your website.
- You get a free CDN.
  It will speed up all the static files of your website by caching them on the Cloudflare servers: all your .css, .js and images, and even your static HTML pages if you have any.
  All of that is automatic: their servers keep your files in a cache as your visitors download them, and serve them directly after that.
- It gives you a free SSL certificate.
  Although I suppose nowadays most providers also give a Let's Encrypt certificate for free.
…and the reason why you wouldn’t want to use it:
- It is a man-in-the-middle.
It decrypts your HTTPS traffic. There’s a lot to say about that, but I’d refer to the security experts. This is a long article but it’s worth it: CloudFlare, SSL and unhealthy security absolutism
You’ve decided to go for it?
By now, you should know that when somebody browses your website, the request goes through the Cloudflare platform, which gets the files from your server and then serves them back to your visitor.
The public IP of your website now points to the Cloudflare servers instead of yours. This is a bit safer for you, as the IP of your servers is no longer exposed.
First request:
sequenceDiagram
participant Client
participant Cloudflare
participant Server
Client->>Cloudflare: GET image.jpg
Note over Cloudflare: not in cache
Cloudflare->>Server: GET image.jpg
Server->>Cloudflare: image.jpg
Note over Cloudflare: save in cache
Cloudflare->>Client: image.jpg
Second request:
sequenceDiagram
participant Client
participant Cloudflare
participant Server
Client->>Cloudflare: GET image.jpg
Note over Cloudflare: already in cache
Cloudflare->>Client: image.jpg
But there’s still a risk that an attacker discovers the IP address of your server, and it’s much easier than you think: if, for example, your web server sends contact emails, its IP address will very likely end up somewhere in the email headers.
You should restrict access to your website to the IP addresses of the Cloudflare servers only.
If your website is hosted on a Linux box, here’s a very quick script you can run on your server to enhance your security.
This script makes use of ufw, which is installed by default on Ubuntu, and should also be available as a native package in most distributions.
Please read the instructions on how to set up ufw if you haven’t done so (Instructions for Debian).
For the following script to work properly, it’s expected your default rule is to deny incoming traffic:
Generating ufw configuration for Cloudflare IPs
Simply copy and paste this script onto your Linux box, or download it via the link provided, then mark the script as executable and run it:
The script downloads two files from Cloudflare, ipv4 and ipv6, which contain the IP addresses of the edge servers Cloudflare uses to fetch your website.
If only these IPs are allowed to connect to your website, you’re completely safe against a DDoS on your website (but not against a DDoS on ssh or whatever else you run on this server).
After running the script you will find it has created two scripts: install-v4.sh and install-v6.sh. Check the content of these two files, because you shouldn’t trust any script downloaded from the Internet, nor one generated by such a script. You will see they contain all the IP addresses of the Cloudflare edge servers to be allowed through the Linux firewall.
Run these two scripts if you use IPv6, or only the first one if you don’t.
And you should see all the IPs allowed for HTTP (tcp 80) and HTTPS (tcp 443):
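Since the post's own script is not reproduced here, the following is an added example (not the author's script) of the same idea: read Cloudflare's prefix lists, reject anything that is not plainly a CIDR so a tampered download cannot smuggle shell into a file you will run as root, and write install-v4.sh / install-v6.sh containing one ufw rule per prefix and port. It assumes ufw is configured with a default deny on incoming traffic and that the lists live at the URLs Cloudflare publishes (https://www.cloudflare.com/ips-v4 and /ips-v6).

```shell
#!/bin/sh
# Added example, not the post's own script: turn Cloudflare's published edge
# prefix lists into ufw rules so only Cloudflare can reach tcp/80 and tcp/443.
# Assumes ufw with "default deny incoming" and the list URLs below (assumption:
# these are the lists Cloudflare publishes).
set -eu

# Read CIDR prefixes from stdin (one per line) and emit an install script on stdout.
# Blank lines and "#" comments are skipped; any line that is not plainly a CIDR
# aborts generation, so a garbled or tampered list cannot inject commands.
gen_ufw_rules() {
    echo '#!/bin/sh'
    echo 'set -e'
    while IFS= read -r prefix || [ -n "$prefix" ]; do
        case "$prefix" in
            '' | '#'*) continue ;;
        esac
        if ! printf '%s\n' "$prefix" | grep -Eq '^[0-9A-Fa-f.:]+/[0-9]{1,3}$'; then
            echo "refusing suspicious entry: $prefix" >&2
            return 1
        fi
        echo "ufw allow proto tcp from $prefix to any port 80"
        echo "ufw allow proto tcp from $prefix to any port 443"
    done
}

# Download both lists and write install-v4.sh / install-v6.sh in the current
# directory. The file is only moved into place if generation succeeded.
# Review the generated files before running them: sh install-v4.sh; sh install-v6.sh
fetch_and_generate() {
    for fam in v4 v6; do
        tmp="install-$fam.sh.tmp"
        curl -fsS "https://www.cloudflare.com/ips-$fam" | gen_ufw_rules > "$tmp"
        mv "$tmp" "install-$fam.sh"
        chmod +x "install-$fam.sh"
        echo "wrote install-$fam.sh ($(grep -c '^ufw allow' "install-$fam.sh") rules)"
    done
}

# Only touch the network when invoked as: sh cloudflare-ufw.sh fetch
if [ "${1:-}" = "fetch" ]; then
    fetch_and_generate
fi
```

To refresh after Cloudflare changes its list, reset ufw (which drops all rules) and rerun the two generated scripts.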
That’s it! A wee bit safer. I don’t know if Cloudflare is adding or removing servers very often, but they say they would update the list if they do, in which case just clear up your ufw rules and run this script again.
Although if it ever happens, I shall write a script to flush the existing rules and regenerate the configuration automatically.
I haven’t had the need for it yet.
P.S. No I don’t have shares in Cloudflare, I’m just a simple subscriber of their free offering.