0

I have my site xyz.mysite.com, which is sitting on Cloudflare. I was reviewing my Apache logs and I saw a website as a referrer I did not recognise. I went to the site and it redirected to my site xyz.mysite.com, totally bypassing Cloudflare. How can I break this link?

My .htaccess seems just not to work.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https://(www.)?referrer.com/ [NC]
RewriteRule .* - [F,L]

It blocks legitimate URL access and the forwarding site with a forbidden 403. If you could correct my .htaccess I would appreciate it.

Your advice will be most welcome.

cmceachern
  • If xyz.mysite.com is on Cloudflare, it could not bypass it. Is xyz.mysite.com being served by Cloudflare as a different host name, and you want that one to be used rather than xyz.mysite.com? What is exactly the problem? – Ángel Nov 21 '20 at 01:14
  • The problem is if I use xyz.mysite.com then I get the Cloudflare controls. If I type www.referrer.com I get mysite still but without the Cloudflare controls. The browser address field shows www.referrer.com not xyz.mysite.com. It's not an iframe and it's not a redirect. Does that help? – cmceachern Nov 21 '20 at 01:29
  • "... it redirected to my site xyz.mysite.com totally bypassing Cloudflare. ..." What you describe here is a redirect, i.e. you access the foreign site and get an explicit HTTP redirect to your site. What you instead describe in "... The browser address field shows www.referrer.com not xyz.mysite.com. Its not an iframe and its not a redirect. ..." is not a redirect. Please clarify in your question what exactly is happening, since without this it is hard to say how to prevent it. If you are not sure what is happening, provide enough details for others to reproduce it (the URLs). – Steffen Ullrich Nov 21 '20 at 09:10
  • It's fixed; it was an unauthorised use of our IP in the Cloudflare DNS. We will put an edge worker in to address this. Thx for your help, especially Angel. – cmceachern Nov 21 '20 at 23:14
  • this article talks about the problem and the fix: https://community.cloudflare.com/t/stop-cloudflare-bypassing-on-shared-hosting/91203 – cmceachern Nov 21 '20 at 23:21

2 Answers

2

Description of the problem

You have a site xyz.mysite.com on Cloudflare (ip 1.1.1.2) which sits in front of your real server (ip 9.9.9.9). A different page, www.othersite.com is showing the contents of your site and you want to block it.

Possibilities

I see a few options on what could be happening:

  • www.othersite.com is resolving directly to your real IP 9.9.9.9. You get the connections directly from the clients.
  • www.othersite.com is proxying your content by connecting directly to 9.9.9.9
  • www.othersite.com is proxying your content by connecting through Cloudflare (1.1.1.2)

If the issue is the first one, you could simply filter based on the host header used, blocking them:

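RewriteEngine on
# %{SERVER_NAME} is the configured ServerName only with "UseCanonicalName On";
# with the default (Off) it echoes the hostname sent by the client.
RewriteCond expr "%{HTTP_HOST} != %{SERVER_NAME}"
RewriteRule .* - [F,L]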

Or just redirect them to your real site:

RewriteEngine on
RewriteCond expr "%{HTTP_HOST} != %{SERVER_NAME}"
# In .htaccess the matched path has no leading slash, so build the target from REQUEST_URI
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L]

If the issue is the second one, you could block the IP addresses they are using, although they might then change how they connect to bypass it. So instead of blocking the addresses you don't want to connect, you can simply allow just those that are allowed. Since you only want those accesses from Cloudflare, you can filter that. Cloudflare publishes their IP ranges at https://www.cloudflare.com/ips/ and your problem is the one stated in "Only allow certain IP addresses to access site with mod_rewrite?" or "Redirect a range of IPs using RewriteCond".

Thus your .htaccess may end up as

RewriteEngine on
RewriteCond expr "! -R '173.245.48.0/20'"
RewriteCond expr "! -R '103.21.244.0/22'"
RewriteCond expr "! -R '103.22.200.0/22'"
RewriteCond expr "! -R '103.31.4.0/22'"
RewriteCond expr "! -R '141.101.64.0/18'"
RewriteCond expr "! -R '108.162.192.0/18'"
RewriteCond expr "! -R '190.93.240.0/20'"
RewriteCond expr "! -R '188.114.96.0/20'"
RewriteCond expr "! -R '197.234.240.0/22'"
RewriteCond expr "! -R '198.41.128.0/17'"
RewriteCond expr "! -R '162.158.0.0/15'"
RewriteCond expr "! -R '104.16.0.0/12'"
RewriteCond expr "! -R '172.64.0.0/13'"
RewriteCond expr "! -R '131.0.72.0/22'"
RewriteCond expr "! -R '2400:cb00::/32'"
RewriteCond expr "! -R '2606:4700::/32'"
RewriteCond expr "! -R '2803:f800::/32'"
RewriteCond expr "! -R '2405:b500::/32'"
RewriteCond expr "! -R '2405:8100::/32'"
RewriteCond expr "! -R '2a06:98c0::/29'"
RewriteCond expr "! -R '2c0f:f248::/32'"
RewriteRule .* - [F,L]

(ranges of Cloudflare as of November 2020)

This would work for case #1 as well.

Finally, in the third case, they could be hitting through Cloudflare. You could block them based on the CF-Connecting-IP header provided by Cloudflare, but they should really get blocked at Cloudflare level rather than at your server. I suspect you won't be on this third case.

Ángel
  • Thanks Angel, great detail. I added item one and two to the .htaccess. No luck. The content is still being displayed. The IP address of the site www.othersite.com points to Cloudflare. Can you please give me a couple of tips on how to deploy the CF-Connecting-IP header to block? – cmceachern Nov 21 '20 at 02:45
  • I don't understand: if the IP of othersite.com points to either Cloudflare or the original server, shouldn't the connection be refused? Like: "host not found on this server". If the server (or Cloudflare) accepts any hosts in the HTTP request, then it's misconfigured, isn't it? – reed Nov 21 '20 at 14:31
  • @reed: yes, case #1 requires that the xyz.mysite.com page is the default virtualhost. I'm sure Cloudflare doesn't allow it, but the original server could. As to whether it is misconfigured, there may be different views on it, but that could certainly be problematic (such as generating the scenario shown here). – Ángel Nov 21 '20 at 23:47
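
An added example, not part of any answer on this page: a small audit of origin access-log lines that separates requests reaching the server without passing through Cloudflare (cases 1 and 2 above) from requests that arrive from Cloudflare but carry a foreign Host header, which is the situation the asker reports in the comments. The log format, the verdict names and the sample lines are assumptions constructed for the illustration; the IP ranges are the ones listed in the answer.

```python
import ipaddress
import re

# Cloudflare ranges as listed in the answer (November 2020); refresh them
# from https://www.cloudflare.com/ips/ before relying on this list.
CLOUDFLARE = [ipaddress.ip_network(n) for n in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12
172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32
2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32""".split()]
EXPECTED_HOST = "xyz.mysite.com"  # hostname used in the question

# Assumed LogFormat (not from the page): "%{Host}i %{c}a %t \"%r\" %>s"
# %{c}a is the TCP peer address, unaffected by mod_remoteip rewriting.
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<peer>\S+) \[[^\]]*\] "[^"]*" \d{3}$')

def classify(line):
    """Return 'ok', 'direct-to-origin', 'foreign-host-via-cloudflare' or 'unparsed'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    try:
        peer = ipaddress.ip_address(m["peer"])
    except ValueError:
        return "unparsed"
    if not any(peer in net for net in CLOUDFLARE):
        return "direct-to-origin"  # cases 1 and 2: the TCP peer is not Cloudflare
    host = m["host"].lower().split(":")[0]  # drop an optional :port
    if host != EXPECTED_HOST:
        return "foreign-host-via-cloudflare"  # another name proxied onto this origin
    return "ok"

def audit(lines):
    """Keep only the suspicious lines, paired with their verdict."""
    verdicts = ((classify(l), l) for l in lines)
    return [(v, l) for v, l in verdicts if v != "ok"]

# Constructed sample lines (documentation addresses stand in for real clients).
SAMPLE = [
    'xyz.mysite.com 172.64.1.1 [21/Nov/2020:01:10:00 +0000] "GET / HTTP/1.1" 200',
    'www.othersite.com 203.0.113.7 [21/Nov/2020:01:11:00 +0000] "GET / HTTP/1.1" 200',
    'xyz.mysite.com 198.51.100.20 [21/Nov/2020:01:12:00 +0000] "GET / HTTP/1.1" 200',
    'www.othersite.com 104.16.5.9 [21/Nov/2020:01:13:00 +0000] "GET / HTTP/1.1" 200',
    'xyz.mysite.com:443 2606:4700::1111 [21/Nov/2020:01:14:00 +0000] "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    for verdict, line in audit(SAMPLE):
        print(f"{verdict:28} {line}")
```

A "direct-to-origin" hit means the IP allow-list or firewall rule is not in effect for that vhost; a "foreign-host-via-cloudflare" hit cannot be stopped by the IP allow-list alone, because the peer really is Cloudflare.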
0

If you configure the firewall on your web server to block all HTTP and HTTPS connections to your server, except those originating from Cloudflare's network, then this will prevent any requests attempting to bypass Cloudflare from reaching your web server. See "Does Cloudflare masking my IP make my server more secure?" for more info.

mti2935
  • Thank you mti2935, yes, doing that at the moment and will be adding a Cloudflare edge worker. My concern though is it should be pretty easy to just block the referring domain, but it's just not working as per the above directives. I will do the policy changes and revert. – cmceachern Nov 21 '20 at 01:58
  • It's not the firewall. Cloudflare IPs are loaded only. I was told it has something to do with an entry in the hijacker's VirtualHosts file that points to my content. Can I block this? – cmceachern Nov 21 '20 at 02:33