How do I deny all requests not from cloudflare?

Question

I've recently gotten denial of service attacks from multiple proxy ips, so I installed cloudflare to prevent this. Then I started noticing that they're bypassing cloudflare by connecting directly to the server's ip address and forging the host header.

What is the most performant way to return 403 on connections that aren't from the 18 ip addresses used by cloudflare?
I tried denying all then explicitly allowing the cloudflare ips but this doesn't work since I've set it up so that CF-Connecting-IP sets the ip allow tests for.

I'm using nginx 1.6.0.

Not sure if I understand your question. When they DoS me from cloudflare they just get locked out by cloudflare's captcha page. Now they're bypassing cloudflare by going straight to my actual IP. — phillips1012, Jun 03 '14 at 01:49
Might be easier to do it with `iptables` rules by allowing traffic from the CloudFlare IPs + your own IPs (so you can check if your site is up without going through CloudFlare) and drop everything else sent to port 80. This way the traffic never reaches your web server. — Brian, Jun 03 '14 at 01:49
Hmm. The iptables solution seems to work fine. Thanks! I used the longer script here: http://rietta.com/blog/2012/09/10/using-iptables-to-require-cloudflare/ for anyone wondering. I'm going to leave this question open in case someone comes up with a nginx-config-file solution so people googling this problem can see it. — phillips1012, Jun 03 '14 at 03:00
https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/ — ceejayoz, Jan 15 '17 at 19:24

score 7 · Answer 1 · edited Jan 07 '19 at 15:25

7

As described here, you can only allow ip addresses from cloudflare.

https://erichelgeson.github.io/blog/2014/01/18/whitelisting-cloudflare-in-nginx/

# https://www.cloudflare.com/ips
# IPv4
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 104.16.0.0/12;
allow 108.162.192.0/18;
allow 131.0.72.0/22;
allow 141.101.64.0/18;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 173.245.48.0/20;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;

# IPv6
allow 2400:cb00::/32;
allow 2405:b500::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2c0f:f248::/32;
allow 2a06:98c0::/29;

deny all; # deny all remaining ips

Note that you will have to update this configuration every one in a while as Cloudflare's IP address ranges might change. To autogenerate this configuration you can use this script

edited Jan 07 '19 at 15:25

mkg20001

308
3
7

answered Dec 08 '17 at 13:10

user6327

171
1
1

2

This also works `(curl -s https://www.cloudflare.com/ips-v{4,6} | sed "s|^|allow |g" | sed "s|\$|;|g" && echo "deny all;")>cloudflare-only.conf` – a55 Dec 05 '20 at 15:53
@a55 awesome, I've created a .sh command with that, then on my nginx.conf I included the generated file and works perfectly ! Thank you ! – Pablo Camara Dec 14 '20 at 01:46
2

It's not working with `set_real_ip_from ` together :( – Sky Jan 17 '21 at 09:05

score 6 · Answer 2 · answered Jan 15 '17 at 18:36

The only solution I came up with that can be done with nginx by itself requires nginx version 1.9.7 or higher.

You can use the ngx_http_geo_module to identify and return a 403 response for any ip's that aren't cloudflare ip's.

Using this geo block.

geo $realip_remote_addr $cloudflare_ip {
    default          0;
    103.21.244.0/22  1;
    103.22.200.0/22  1;
    103.31.4.0/22    1;
    104.16.0.0/12    1;
    108.162.192.0/18 1;
    131.0.72.0/22    1;
    141.101.64.0/18  1;
    162.158.0.0/15   1;
    172.64.0.0/13    1;
    173.245.48.0/20  1;
    188.114.96.0/20  1;
    190.93.240.0/20  1;
    197.234.240.0/22 1;
    198.41.128.0/17  1;
    199.27.128.0/21  1;
    2400:cb00::/32   1;
    2405:8100::/32   1;
    2405:b500::/32   1;
    2606:4700::/32   1;
    2803:f800::/32   1;
    2c0f:f248::/32   1;
    2a06:98c0::/29   1;
}

You can then add this to your server block.

if ($cloudflare_ip != 1) {
    return 403;
}

Which will return a 403 for any connections not originating from a $cloudflare_ip.

This works because I'm using $realip_remote_addr in the geo block which keeps the original client address when using real_ip_header CF-Connecting-IP.

It works great, I'd like to mention that the geo module works on http level (so no server or location blocks), the 403 part works everywhere. — aseques, Apr 18 '19 at 12:31

score 3 · Answer 3 · answered Jun 03 '14 at 02:44

The most performant way is a hardware firewall in front of the server. Or asking your datacenter/upstream provider for help mitigating attack.

Block things it in the webserver or iptables may help, but still uses bandwidth and system resources so DoS attacks are still possible. What you want is to block the traffic as far upstream as possible - so the traffic never reaches your server, and doesn't flood your link to the rest of the world. A hardware firewall can filter traffic much, much faster than your webserver, and uses no server resources. You will want them to allow traffic from cloudflare as well as your office or other servers for when you need to connect directly.

Changing the IP of the server may help as well - only cloudflare should need to know the new IP, don't publish it in public DNS records.

score 0 · Answer 4 · answered Sep 21 '21 at 10:09

Here's a one-liner that generate the geo mapping from Cloudflare's IPs. Not necessarily the cutest one, perhaps a pro can correct me. I'm unable to fetch and parse v4 & v6 in one command because the files lack a carriage return at the end and the first v6 address is concatenated to the last v4.

(echo -e "geo \$realip_remote_addr \$cloudflare_ip {\n\tdefault\t0;" && curl -s https://www.cloudflare.com/ips-v4 | sed "s|^|\t|g" | sed "s|\$|\t1;|g" && echo -e  && curl -s https://www.cloudflare.com/ips-v6 | sed "s|^|\t|g" | sed "s|\$|\t1;|g" && echo -e "\n}")>cloudflare-only.conf

Inspired by a55 script above

score 0 · Answer 5 · answered Jul 12 '22 at 13:11

I have merged the answers from jhilliar and from user6327 to get something OK to me. When using Cloudflare, you usually wish getting the origin client IP in your logs thanks to "set_real_ip_from".

But mixing set_real_ip_from and the solution given by user6327 does not work (as pointed by Sky). That's why Jhilliar solution with geo module should be used (and it seems to be more flexible by the way).

But it would be better to use a script to update cloudlfare IP list as user6327 has suggested. So here's the script.

How do I deny all requests not from cloudflare?

5 Answers5