
Cloudflare Access is a new attractive feature from Cloudflare, based more or less on Google's BeyondCorp (a reverse-proxy with login which should replace VPN in accessing internal network applications).

I am concerned about how secure their implementation really is.

The idea behind BeyondCorp is that the server should be on the "edge" of the network, while the protected application server does not have any public IPs and cannot be accessed directly from the internet.

In the case of Cloudflare's implementation, the application server must have a public IP (as with the rest of their CDN services), and it is "hidden" by their own IPs.

The hidden IP can be mistakenly exposed (even by some JavaScript) or detected by some other techniques. And even if your application has a firewall which limits traffic to Cloudflare IPs only, those IPs can be spoofed.

Am I missing something?

Hopefully someone from Cloudflare would address those concerns.

Thanks

kubanczyk
Miro
  • Server Fault is a community Q&A site. No vendor that I know of guarantees a response here. If you need a response from the vendor, you should contact the vendor directly. – Michael Hampton Apr 27 '18 at 20:22
  • This comment is an exact reason why the StackExchange network became so unwelcoming.... Actually I made an effort to find an answer on different resources before posting, and I think an answer to this question will serve many people. Did I explicitly ask for a vendor response? Obviously an answer from a security researcher would do perfectly well. I just thought that a developer could answer such an obvious observation a lot more easily than anyone else..... – Miro Apr 28 '18 at 18:36
  • Actually, you did explicitly ask for a vendor response. You said: "Hopefully someone from Cloudflare would address those concerns." My comment is not meant to be "unwelcoming". It's meant to remind you that you are not likely to get a vendor response here. – Michael Hampton Apr 28 '18 at 20:51

2 Answers


The best way to solve this problem is to use Cloudflare's Argo Tunnel to connect your server to Cloudflare. With Argo Tunnel, your server connects to Cloudflare, rather than Cloudflare connecting to your server. Therefore, your server does not need to have a public IP address or be exposed to the internet at all -- it only needs to be able to make outgoing connections.

If Argo Tunnel doesn't work for you, another option is to configure your server so that it accepts connections only from Cloudflare. You can do this by configuring your firewall to accept connections only from Cloudflare's IP addresses, or by enabling Authenticated Origin Pulls and then configuring your server to require HTTPS connections to authenticate with Cloudflare's client certificate.

WARNING: In either of these non-Argo-Tunnel solutions, it is important that your server only accepts HTTP requests where the Host header includes your domain. Otherwise, an attacker could sign up for their own Cloudflare account and enter your IP address in their DNS settings, thus causing requests to go to your server "from Cloudflare" -- but they will have the attacker's domain in the Host header. To verify the Host header, you could, for example, set up nginx as a reverse proxy in front of your server, and configure it with a default_server that always returns 404. If you use Argo Tunnel, though, then you don't need to worry about the Host header.

Kenton Varda
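An nginx configuration that puts the answer's two non-Argo-Tunnel controls together: a default_server catch-all that returns 404 for any unmatched Host header, and Authenticated Origin Pulls enforced with ssl_verify_client. This is an added example, not configuration from the answer or from Cloudflare; the domain app.example.com, the certificate paths and the loopback upstream port are assumptions.

```nginx
# Catch-all for any Host header (or TLS SNI) that does not match a configured
# server_name. A request relayed through someone else's Cloudflare zone carries
# that zone's domain, so it lands here and gets a 404.
server {
    listen 443 ssl default_server;
    server_name _;
    # Any valid certificate will do; the client never gets a page. Paths assumed.
    ssl_certificate     /etc/nginx/tls/catchall.crt;
    ssl_certificate_key /etc/nginx/tls/catchall.key;
    return 404;
}

# Plain HTTP should never arrive when only HTTPS from Cloudflare is allowed;
# refuse it outright instead of redirecting.
server {
    listen 80 default_server;
    server_name _;
    return 404;
}

# The real origin for the protected application (domain assumed).
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;

    # Authenticated Origin Pulls: the TLS handshake only completes for a client
    # presenting a certificate that chains to Cloudflare's origin-pull CA.
    # Path to the downloaded CA bundle is assumed.
    ssl_client_certificate /etc/nginx/tls/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;

    location / {
        # The application listens on loopback only (assumed), so it has no
        # reachable address apart from this proxy.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Authenticated Origin Pulls must also be switched on for the zone in the Cloudflare dashboard, otherwise Cloudflare never presents the client certificate and every handshake to the app block fails.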

Don't forget to verify the JSON web token in the header of requests in ADDITION to whitelisting Cloudflare source IPs if you decide on that option. Just enabling the whitelist would not guarantee security, as other users of Cloudflare could use a Cloudflare web worker to hit your exposed endpoint in case they somehow get the information about your origin IP addresses.