
I have a Web Apps (Linux) application on Azure, and I added a custom domain which I have protected with CloudFlare.

I added Azure Security Center to my subscription.

At the moment one can access the application either

  1. directly via example.azurewebsites.net or
  2. via www.example.com which is protected by CloudFlare

How do I configure the Azure portal so that the only access to my web application is via CloudFlare?

One idea I had is to add an Azure Firewall, and set it to white list the CloudFlare IP Addresses, but I wondered if there is an easier way (and anyway I am not sure how to configure it)

gordon613

4 Answers

4

There are two main ways to do this. One is to restrict the allowable origins of web requests, which will need to be done by IP filtering. The other is to require extra authentication - specifically, TLS mutual authentication - on your server, using a TLS client certificate that only Cloudflare has; this will cause any web request from a host that doesn't have Cloudflare's TLS client cert to fail during the TLS handshake, before the request is sent. You can, if you want, use both approaches.

First approach

The firewall is the easiest and most logical way. You could also edit your web application to reject any incoming requests from outside of Cloudflare's IP range, but that's almost certainly both more work and less secure than just using the firewall.

Cloudflare has published an article explaining how to whitelist to them, and mentions either doing it using the web app config (such as a .htaccess file) or using a firewall (such as iptables). The IP address ranges used are documented here.

Second approach

Cloudflare calls this feature "Authenticated Origin Pulls", and it might be easier than setting up and maintaining your IP range filter. The instructions are here, but they boil down to "turn on the feature, download the client cert, install it in your web application, and tell your web application to require mutual TLS using that client cert". Most web servers support mutual TLS, although the exact steps to configure it vary and I've never tried doing it from within Azure Web Apps.

Obviously, for this to be a meaningful security boundary, your app needs to not be usable over plain-text HTTP, since there's nowhere to get a TLS client certificate when not using TLS and therefore you can't check if the client has the right one. Ideally, you wouldn't even listen for non-HTTPS connections.

Also note that, because this is depending on the HTTPS server for security (much like application-level filtering depends on the web app server), it might be vulnerable to attacks that the firewall would block. (Of course, it is theoretically possible for the firewall to be vulnerable to attacks as well, but in general I trust firewall implementations more than I trust web server or TLS implementations.)

CBHacking
  • Thank you! When you say "edit your web application" in the first approach are you referring to - in Azure Portal - Network>Access Restrictions>Configure Access Restrictions https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions – gordon613 Dec 04 '19 at 12:53
    I was intentionally being generic - it could have been done via a config interface, a text config file, or in the application code - but that link looks like it would probably work, yes. – CBHacking Dec 04 '19 at 21:39
  • Appreciated. Thank you. – gordon613 Dec 08 '19 at 10:57
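An added example for the first approach (my code, not the answerer's, Azure's or Cloudflare's), aimed at the App Service access-restriction path gordon613 links in the comments: it reconciles the app's existing rules with Cloudflare's current ranges rather than adding them once, because those ranges change and, once any Allow rule exists, App Service denies every other source, so a stale list silently drops legitimate traffic. It assumes rules shaped like `{name, ipAddress, action, priority}`, the shape `az webapp config access-restriction show` lists under ipSecurityRestrictions, and the range list below is a constructed sample standing in for the published one.

```python
import ipaddress
import shlex

# Constructed sample standing in for Cloudflare's published ranges (placeholder, not the full list).
CLOUDFLARE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]
RULE_PREFIX = "cloudflare-"   # rules this script owns; any other rule is left untouched

def rule_name(net):
    """Stable, collision-free rule name derived from the range itself."""
    return RULE_PREFIX + str(net).replace("/", "_").replace(":", "-")

def desired_networks(ranges):
    """Validate (strict: host bits must be zero) and de-duplicate the ranges;
    a typo here would either lock Cloudflare out or admit someone else."""
    nets = {ipaddress.ip_network(r, strict=True) for r in ranges}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))

def plan(current, ranges, app, rg, start_priority=100):
    """Return the az CLI commands that bring `current` (the app's rule list)
    in line with `ranges`: remove owned rules Cloudflare no longer uses, add
    ranges it has added, leave operator rules (e.g. a VPN allow) alone."""
    base = ["az", "webapp", "config", "access-restriction"]
    target = ["-g", rg, "-n", app]
    wanted = {str(n): n for n in desired_networks(ranges)}
    ours = [r for r in current if r["name"].startswith(RULE_PREFIX)]
    keep = {r["ipAddress"] for r in ours
            if r["action"] == "Allow" and r["ipAddress"] in wanted}
    used = {r["priority"] for r in current}   # keep priorities unique across all rules
    cmds = []
    for r in ours:
        if r["action"] != "Allow" or r["ipAddress"] not in keep:
            cmds.append(shlex.join(base + ["remove"] + target + ["--rule-name", r["name"]]))
    prio = start_priority
    for ip, net in wanted.items():
        if ip in keep:
            continue
        while prio in used:
            prio += 1
        used.add(prio)
        cmds.append(shlex.join(base + ["add"] + target +
                               ["--rule-name", rule_name(net), "--action", "Allow",
                                "--ip-address", ip, "--priority", str(prio)]))
    return cmds
```

The commands are returned rather than executed so they can be reviewed before being piped to a shell; remember that the SCM (Kudu) site carries its own rule set, so run the same reconciliation for it as well.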
3

One idea I had is to add an Azure Firewall, and set it to white list the CloudFlare IP Addresses, but I wondered if there is an easier way (and anyway I am not sure how to configure it)

I'm afraid this is the only option: otherwise anyone could send a direct request to example.azurewebsites.net using your domain in the HTTP headers:

    GET / HTTP/1.1
    Host: www.example.com

Albert Gomà
  • The "Authenticated Origin Pulls" approach by CBHacking is rather interesting. However, as it is enforced at the server level, it might not prevent Resource Exhaustion Denial of Service attacks targeted against the client authentication itself. – Albert Gomà Dec 03 '19 at 22:42
  • Good point; I edited in a mention of that risk. With that said, DoS attacks are one of the things that Cloudflare tries to protect people from (through DDoS mitigation tools, caching, monitoring, and so on). – CBHacking Dec 04 '19 at 01:29
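An added illustration of this answer's point (my code, not Albert Gomà's or CBHacking's): a matching Host header proves nothing, only the peer address can say whether the request came through Cloudflare, and a forwarded client address such as CF-Connecting-IP is trustworthy only after that peer check. The parser and the range list are constructed for the example; on a platform that proxies the app (App Service's front ends do), `peer_ip` would be the platform-supplied source address rather than the raw socket peer.

```python
import ipaddress

# Constructed sample standing in for Cloudflare's published ranges.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "2400:cb00::/32")]

def parse_request(raw):
    """Minimal HTTP/1.1 request-line and header parser (constructed for this example)."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers

def from_cloudflare(peer_ip):
    """True only if the address that opened the connection is in Cloudflare's ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def admit(raw_request, peer_ip, served_host="www.example.com"):
    """Return (allowed, address_to_log). The peer check comes first; the Host
    header is only a routing hint, and CF-Connecting-IP is read only when the
    peer really is Cloudflare, so a direct caller cannot forge either one."""
    _, headers = parse_request(raw_request)
    if not from_cloudflare(peer_ip):
        return False, peer_ip           # direct hit on the origin: log the real peer
    client = headers.get("cf-connecting-ip", peer_ip)
    return headers.get("host") == served_host, client
```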
2

One way to allow HTTP/HTTPS requests from Cloudflare's IP space, but block HTTP/HTTPS requests from all other IPs, without using an Azure Firewall, is to run a firewall on your VPS. This can be done using ufw. See https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/ for a guide that will help you set up the necessary rules for what you are trying to do.

mti2935
1

Apart from IP address filtering mentioned in other answers, Cloudflare has a specific solution for this: Cloudflare Argo Tunnel.

We are proud to announce an application for Cloudflare Argo Tunnel within the Azure marketplace. As a quick reminder, Argo Tunnel establishes an encrypted connection between the origin and the Cloudflare edge. The small tunnel daemon establishes outbound connections to the two nearest Cloudflare PoPs, and the origin is only accessible via the tunnel between Cloudflare and origin.

Because these are outbound connections, there is likely no need to modify firewall rules, configure DNS records, etc. You can even go so far as to block all IPs on the origin and allow traffic only to flow through the tunnel. You can learn more here. The only prerequisite for using Argo Tunnel is to have Argo enabled on your Cloudflare zone.

You can find instructions on how to configure Argo Tunnel through the Azure interface here.

McKabue