How to avoid malicious access to the origin site behind Cloudflare

Original link:

Cloudflare's feature set is quite complete; we just haven't been using it!


A long time ago I wrote an article about how to easily find the origin IP behind Cloudflare. At the time I already knew that a firewall whitelist (allowing only Cloudflare's IP ranges to reach the origin) could effectively solve such problems.

However, as Cloudflare's business has expanded, I have come to feel that the whitelist approach is unreliable. I also recently ran into a problem: some users of Hanako Academy use automatic check-in scripts such as ForumSignin, and using such scripts undermines fair competition. I wrote a very simple Cloudflare WAF rule to block this, but if someone quietly bypasses Cloudflare and accesses the origin directly to check in, the rule I set up is useless. Today I noticed Cloudflare's mutual TLS authentication feature, and I am sharing it right after configuring it.

Flaws of firewall whitelisting

We now know that Cloudflare has added many features beyond its CDN business, such as Workers and WARP. What these features have in common is that they can send arbitrary requests from Cloudflare's own IP ranges. The firewall whitelist only checks whether the requesting IP belongs to Cloudflare, so anyone who can use these features to send requests to my origin can bypass the WAF.


I used to think it would be enough if Cloudflare could send a request header that only Cloudflare and I know, such as a token, but I never found such a feature. Today I looked through Cloudflare's features again and found one called "Authenticated Origin Pulls". After reading the explanation, it turns out to be implemented with mutual TLS authentication (the Cloudflare edge presents a client certificate that the origin verifies), and it is very simple to configure, so I followed the configuration documentation to set it up.

If you don't read English, here is a short explanation. First download Cloudflare's origin pull CA certificate. For an Apache server, write this directly into the configuration file:

 SSLVerifyClient require
 SSLVerifyDepth 1
 SSLCACertificateFile /path/to/authenticated_origin_pull_ca.pem

Nginx reads the same PEM data; the .crt suffix is only a filename convention. You can run openssl x509 -in authenticated_origin_pull_ca.pem -out cloudflare.crt to get a .crt file (this just rewrites the same PEM certificate under a new name, since openssl x509 reads and writes PEM by default), and then configure:

 ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
 ssl_verify_client on;

That’s it.
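The following script is an added example, not part of the original post and not Cloudflare's code. It reproduces offline what the Apache and Nginx directives above make the origin do: accept a connection only when the client certificate chains to the trusted CA. It assumes the openssl CLI is installed and uses a throwaway local CA as a stand-in for Cloudflare's real origin pull CA (which you download from Cloudflare rather than generate); the file names and CNs are made up.

```shell
#!/bin/sh
# Added example: simulate the origin's client-certificate check behind
# "ssl_verify_client on" / "SSLVerifyClient require". A local throwaway CA
# stands in for Cloudflare's origin pull CA (assumption: openssl CLI present).
set -e

WORK="${TMPDIR:-/tmp}/origin-pull-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 is the file basename, $2 its CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Client certificate $2 signed by CA $1: what a connecting client presents.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The origin's decision: accept only a certificate that chains to the
# trusted CA. Prints "accepted" or "rejected". An empty or missing path
# models a client that sent no certificate at all, which is the
# "No required SSL certificate was sent" case.
origin_decision() {
  cert="$1"
  if [ ! -f "$cert" ]; then
    echo rejected
  elif openssl verify -CAfile "$WORK/trusted-ca.pem" "$cert" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected   # a real certificate, but from a CA the origin does not trust
  fi
}

# The .pem -> .crt step used for Nginx in the text: the output is still PEM,
# so the first line of the .crt file is the usual PEM certificate header.
crt_header() {
  openssl x509 -in "$WORK/trusted-ca.pem" -out "$WORK/trusted-ca.crt"
  head -n 1 "$WORK/trusted-ca.crt"
}

make_ca trusted-ca "Demo Origin Pull CA"   # stand-in for Cloudflare's CA
make_ca rogue-ca   "Somebody Else"         # anyone else with their own CA
issue_client trusted-ca edge-client        # what the Cloudflare edge would hold
issue_client rogue-ca   rogue-client       # e.g. a Workers/WARP user who found the origin IP

echo "edge-client:  $(origin_decision "$WORK/edge-client.pem")"   # accepted
echo "rogue-client: $(origin_decision "$WORK/rogue-client.pem")"  # rejected
echo "no cert:      $(origin_decision "")"                        # rejected
echo "crt header:   $(crt_header)"
```

The rogue client is rejected even though its certificate is perfectly valid, because validity is judged against the one CA file configured on the origin; holding a Cloudflare IP address buys nothing without the private key that matches a certificate issued by that CA.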

After this, if I do not enable "Authenticated Origin Pulls" on the Cloudflare side, requests from Cloudflare fail with "400 Bad Request, No required SSL certificate was sent" (that is Nginx's error text for a missing client certificate). I am very satisfied with this effect: even if someone uses Workers, WARP or similar features to reach my origin IP, they cannot get in, because they do not hold the private key of Cloudflare's origin pull client certificate, so bypassing the WAF through the origin IP is completely avoided. Two things to check so the protection is not hollow: the origin must accept TLS only (a plain HTTP listener on port 80 is not covered by client-certificate verification, so close it or firewall it), and the zone's SSL mode must be Full or Full (strict), because in Flexible mode Cloudflare connects to the origin over plain HTTP and never presents a client certificate.


However, this setting is really not prominent enough. I hope Cloudflare puts it in the beginner tutorial so that more people can avoid the security problems caused by an origin IP leak.

This article is reprinted from:
