Cloudflare: avoid this mistake!

In this video I describe how an attacker may be able to bypass Cloudflare's restrictions by finding the IP address of the origin server. There are two fixes that can be done:
1) Request a new IP address from your provider (VPS or Internet service).
2) Block access to ports 80 and 443 from anything other than Cloudflare's IP ranges.
Fix 2 must be done to ensure the fix is permanent. If you need assistance in resolving this or any other security issue, please contact me:
info@ljcybersolutions.uk
Update: I know I went swiftly past the solution for step 2; however, every infrastructure is different, so please reach out to me at the address above and we can discuss the details.
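Step 2 in practice, as an added example that is not part of the video or its author's material: a Python helper that turns a Cloudflare-format IP list (the published files at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 have one CIDR per line) into an nftables allowlist for ports 80/443, and audits web-server log lines for requests that reached the origin directly. The IP snapshot, the log lines and the table name origin_lock are constructed for this example.

```python
import ipaddress
import re

# Constructed snapshot in the format of https://www.cloudflare.com/ips-v4
# (one CIDR per line). Fetch the live list before deploying: it changes.
CLOUDFLARE_IPS_V4 = "173.245.48.0/20\n103.21.244.0/22\n141.101.64.0/18\n104.16.0.0/13\n"

def parse_ranges(text):
    """Parse the one-CIDR-per-line format; blank lines are skipped."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]

def from_cloudflare(ip, nets):
    """True if ip falls inside one of the published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def nft_ruleset(nets, table="origin_lock"):
    """nftables text for step 2: accept 80/443 only from the edge set and drop
    other hits on those ports; other ports are untouched (policy accept)."""
    cidrs = ", ".join(str(n) for n in nets)
    return "\n".join([
        f"table inet {table} {{",
        f"  set cf_edges {{ type ipv4_addr; flags interval; elements = {{ {cidrs} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    tcp dport { 80, 443 } ip saddr @cf_edges accept",
        "    tcp dport { 80, 443 } drop",
        "  }",
        "}",
    ])

CLIENT_RE = re.compile(r"^(\S+) ")  # client address: first field of a combined log line

def direct_hits(log_lines, nets):
    """Client IPs that reached the origin without passing through Cloudflare,
    i.e. evidence that the origin address is known and step 2 is not enforced."""
    hits = []
    for line in log_lines:
        m = CLIENT_RE.match(line)
        if m and not from_cloudflare(m.group(1), nets):
            hits.append(m.group(1))
    return hits

# Constructed log lines in Apache/nginx combined format.
SAMPLE_LOG = [
    '173.245.48.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 1024',
    '104.17.2.3 - - [01/Jan/2024:10:00:02 +0000] "GET /img.png HTTP/1.1" 200 2048',
]
```

Load the generated text with `nft -f` (after adding a matching set for the /ips-v6 list) and run `direct_hits` over your real access log; any non-empty result means the origin is still reachable without going through Cloudflare.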

Comments: 49

  • @fvgoya · 1 year ago

    I never saw content about THIS here on KZread. Thank you very much!!!! Subscribed.

  • @vitor000000 · 2 months ago

    Just subscribed and noticed your channel is still a small channel. Can't wait for the new content! Amazing quality.

  • @cneilmon · 1 year ago

    Good stuff! Made me subscribe to your channel, looking forward to more awesome content.

  • @-ColorMehJewish- · 1 year ago

    Thx, I find this very helpful. It's something I will be taking some notes on so that I can try it in my own home lab w/ a Debian VM I will spin up. I'm still a bit new to using this type of external connection, but I'm trying to practice a bit before I go using it personally.

  • @jawadhfarooqui · 1 year ago

    Thanks for sharing this. As for the solution, I thought setting up the "Authenticated Origin Pulls" in Cloudflare ensured requests to the origin server only come from the Cloudflare network and would be a cleaner solution instead of whitelisting IPs.

  • @GooseDave · 1 year ago

    Thanks Laurence. I have been meaning to investigate this.

  • @GooseDave · 1 year ago

    Worked a treat!

  • @meron6913 · 10 months ago

    This is interesting. Thank you for sharing.

  • @nikolqy · 1 year ago

    Awesome. I thought I might be the only one who knew of security trails.

  • @msmith508 · 1 year ago

    One of the least confusing videos :)

  • @freeonlineserver · 9 months ago

    Great info

  • @rolosaenz · 1 year ago

    Thanks Bro !!

  • @mendelsphotography · 1 year ago

    Thanks for making this. I always wondered about this. But was never sure how to go about blocking it or doing anything.

  • @abinalexpothen7072 · 1 year ago

    Fantastic content - you have earned another subscriber! Thank you Laurence. I use google cloud for hosting. I have followed your approach and specified the cloudflare IP addresses to be allowed through the Google Cloud Network firewall. Hopefully this is better than updating the firewall rules within the Ubuntu instance in my case. Do the cloudflare address ranges change over time?

  • @iiamloz · 1 year ago

    They can; however, Cloudflare normally announces it, after which you would have to make the modifications, like deleting outdated rules. If you use GCP or other cloud providers, you can use their firewall as an allow list. It would make it more performant for your box as it wouldn't need to handle the reject/drop.

  • @abinalexpothen7072 · 1 year ago

    @@iiamloz thank you for your reply!

  • @benjaminjameswaller · 6 months ago

    Hi, thanks for this video. Is there any way to make these port restrictions on the Cloudflare side, or only in the host?

  • @R1D9M8B4 · 1 year ago

    Thank you for sharing. Lol subscribing..

  • @haywardgg · 1 year ago

    If the attacker knows the origin IP then you're asking for trouble, you can block all the ports you like but if they're a hacker worth their salt they'll find a way around your port restrictions. The way I do it for all my clients is to set up the domain on Cloudflare before pointing it to my origin server (before installing the origin server / VPS). If you're moving an existing domain with old dns records then keep in mind that most VPS hosting companies have the option to backup a server instance, then restore that image to another instance (with a new IP obviously), which is also an option (takes me less than 10-15 minutes to do it this way).

  • @Dipsomaniac · 1 year ago

    Would it be possible to spoof cloudflare's ip address to get to the server directly?

  • @yacahumax1431 · 7 months ago

    Why don't you use the Authenticated Origin Pulls?

  • @maherkhalil007 · 9 months ago

    But that will block email traffic since Cloudflare needs to expose IPs. right?

  • @propeto13 · 1 year ago

    Good stuff. Server-side firewall (pfSense): create an alias 'cloudflare_IP_List_V4', then make a firewall rule to allow alias 'cloudflare_IP_List_V4' and block all other.

  • @Darkk6969 · 1 year ago

    Yep, I do the same thing with my pfSense. Alias makes it a lot easier to manage the IPs and hosts.

  • @-ColorMehJewish- · 1 year ago

    Is anyone here familiar with whether Windows Server (more recent iterations) would expose the private IP in this way? (And if so, how to mask it.)

  • @opensourcedev22 · 1 year ago

    Hmm, this seems to assume the DNS before Cloudflare leaked the IP. But by then, even if you move to Cloudflare, the past IP may be leaked. You have to literally move to a new address.

  • @iiamloz · 1 year ago

    Yes, that was a presumption. In most cases, people move to Cloudflare. If you start with Cloudflare and proxy enabled by default, this is not affected.

  • @CommittotheIndian · 1 year ago

    Correct me if I'm wrong, I'm still learning. But would using Cloudflare's tunneling (not opening any ports on my network) prevent this? When I follow your steps, I'm only seeing Cloudflare IP addresses.

  • @iiamloz · 1 year ago

    Yes, that would work. However, depending on your business, you may not be able to run it. Also, I don't know when, but it didn't use to be a free feature, so many businesses have it set up like this.

  • @50_Pence · 1 year ago

    @@iiamloz Yeah, it's free with limitations. You can't do UDP etc., hence doing things your way will be best for things such as UDP. Great vid!

  • @Gordack · 1 year ago

    Thx man. Nice!

  • @Richard-kl8wr · 11 months ago

    I do basically the same but on the VPS provider firewall. Only added Cloudflare IPs to access 80/443.

  • @iiamloz · 11 months ago

    Awesome! My provider does offer that but I don't use it at that level.

  • @Richard-kl8wr · 11 months ago

    @@iiamloz Is it necessary in Cloudflare tunnel configuration?

  • @iiamloz · 11 months ago

    Nope, as there are no open ports unless you misconfigure it.

  • @enricoroselino7557 · 1 year ago

    Ummm, I have a question: then what will happen with FTP, since it requires a real IP address (but with port 21 tho)??

  • @iiamloz · 1 year ago

    You wouldn't proxy from Cloudflare any ports that are not 80 or 443. Unless you use cloudflared, then you would just use access controls to only allow certain IPs.

  • @champfamily7508 · 1 year ago

    Hi sir, I need your help. I have a dynamic website hosted on AWS EC2, added to Cloudflare recently (CloudFront + Cloudflare DNS proxy). But I am facing some issues: some IPv6 requests (not all ISP IPv6 requests) are not allowing images to load. No problem with the IPv4 requests. Give me a suggestion, pls.

  • @ws_stelzi79 · 1 year ago

    Hey, your audio sounds like -12 dB and 720p video upscaled to 4K!

  • @adamschimmel4070 · 1 year ago

    Or just use your own reverse proxy.

  • @iiamloz · 1 year ago

    Of course you can! But most people don't want to handle DDoS or learn how to handle traffic via the terminal.
