@ Alex Gleason
2024-08-17 16:59:15

Cloudflare is controversial among FOSS/decentralization enthusiasts due to its reliance on a centralized third party. But if you're going to use it, you should at least use it right.
By default, Cloudflare intercepts DNS traffic, but does not protect your webserver at all. This means anyone with your server's direct IP address can still attack it. Attackers might be crawling all IPs, or they might be able to figure out your server's IP if it makes outgoing requests.
When you use Cloudflare, requests should only be coming from Cloudflare's upstream IPs: https://www.cloudflare.com/ips/
Therefore, you should block traffic from all IPs by default, and whitelist only Cloudflare's IPs for the best protection. UFW is a firewall that comes installed by default on most Linux distros, so you only need to configure it.
Default rules
First configure ufw defaults, so that outgoing requests are allowed and incoming requests are denied by default.
```sh
ufw default deny incoming
ufw default allow outgoing
```
Allow ssh
Next enable ssh so you can still shell in from anywhere.
```sh
ufw allow ssh
```
For extra security, you should also edit `/etc/ssh/sshd_config` and set `PasswordAuthentication no` so only login by key is supported. You can also whitelist certain IPs for SSH, but you can accidentally lock yourself out this way. For most sites I run, I find this is good enough security (as long as something like Heartbleed doesn't happen again).
Enable UFW
Now you're ready to enable UFW. Your SSH connection should stay intact since you allowed ssh, but this will block all incoming web requests. If you're doing this on an existing production webserver, delay this step until the very end.
```sh
ufw enable
```
Whitelist Cloudflare IPs
Next we allow traffic from Cloudflare's upstream webservers. This will allow our website to work normally as long as requests go through Cloudflare first, essentially blocking any sort of direct attack on the webserver.
Cloudflare IPs are taken from: https://www.cloudflare.com/ips/
```sh
# HTTP (port 80), IPv4 and IPv6 ranges
ufw allow from 173.245.48.0/20 to any port 80
ufw allow from 103.21.244.0/22 to any port 80
ufw allow from 103.22.200.0/22 to any port 80
ufw allow from 103.31.4.0/22 to any port 80
ufw allow from 141.101.64.0/18 to any port 80
ufw allow from 108.162.192.0/18 to any port 80
ufw allow from 190.93.240.0/20 to any port 80
ufw allow from 188.114.96.0/20 to any port 80
ufw allow from 197.234.240.0/22 to any port 80
ufw allow from 198.41.128.0/17 to any port 80
ufw allow from 162.158.0.0/15 to any port 80
ufw allow from 172.64.0.0/13 to any port 80
ufw allow from 131.0.72.0/22 to any port 80
ufw allow from 104.16.0.0/13 to any port 80
ufw allow from 104.24.0.0/14 to any port 80
ufw allow from 2400:cb00::/32 to any port 80
ufw allow from 2606:4700::/32 to any port 80
ufw allow from 2803:f800::/32 to any port 80
ufw allow from 2405:b500::/32 to any port 80
ufw allow from 2405:8100::/32 to any port 80
ufw allow from 2a06:98c0::/29 to any port 80
ufw allow from 2c0f:f248::/32 to any port 80

# HTTPS (port 443), IPv4 and IPv6 ranges
ufw allow from 173.245.48.0/20 to any port 443
ufw allow from 103.21.244.0/22 to any port 443
ufw allow from 103.22.200.0/22 to any port 443
ufw allow from 103.31.4.0/22 to any port 443
ufw allow from 141.101.64.0/18 to any port 443
ufw allow from 108.162.192.0/18 to any port 443
ufw allow from 190.93.240.0/20 to any port 443
ufw allow from 188.114.96.0/20 to any port 443
ufw allow from 197.234.240.0/22 to any port 443
ufw allow from 198.41.128.0/17 to any port 443
ufw allow from 162.158.0.0/15 to any port 443
ufw allow from 172.64.0.0/13 to any port 443
ufw allow from 131.0.72.0/22 to any port 443
ufw allow from 104.16.0.0/13 to any port 443
ufw allow from 104.24.0.0/14 to any port 443
ufw allow from 2400:cb00::/32 to any port 443
ufw allow from 2606:4700::/32 to any port 443
ufw allow from 2803:f800::/32 to any port 443
ufw allow from 2405:b500::/32 to any port 443
ufw allow from 2405:8100::/32 to any port 443
ufw allow from 2a06:98c0::/29 to any port 443
ufw allow from 2c0f:f248::/32 to any port 443
```
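As an added example (not part of the original post), the script below builds the allowlist from the ranges quoted above, generates the same `ufw allow` rules, and audits web-server log lines for requests that reached the origin without passing through Cloudflare. The `proto tcp` suffix and the Common Log Format sample lines are my additions; the range list is copied from the post.

```python
import ipaddress

# Cloudflare ranges exactly as quoted in the post (source: https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "172.64.0.0/13",
    "131.0.72.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
NETWORKS = [ipaddress.ip_network(r) for r in CLOUDFLARE_RANGES]


def ufw_rules(ranges=CLOUDFLARE_RANGES, ports=(80, 443)):
    """Emit one `ufw allow` command per (port, range), in the post's order.
    `proto tcp` is an added tightening: plain HTTP/HTTPS is TCP-only, so UDP
    to those ports stays closed (assumption: no HTTP/3 served by the origin)."""
    return [f"ufw allow from {r} to any port {p} proto tcp"
            for p in ports for r in ranges]


def is_cloudflare(ip):
    """True if `ip` (IPv4 or IPv6 string) falls inside any Cloudflare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETWORKS)


def direct_hits(log_lines):
    """Return source IPs of requests that did not arrive via Cloudflare.
    Assumes Common Log Format, where the client address is the first field.
    Any hit means the firewall is not in place or the origin IP has leaked."""
    hits = []
    for line in log_lines:
        src = (line.split(maxsplit=1) or [""])[0]
        try:
            if not is_cloudflare(src):
                hits.append(src)
        except ValueError:
            hits.append(src)  # unparseable address: surface it rather than hide it
    return hits


# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for arbitrary non-Cloudflare clients.
SAMPLE_LOG = [
    '104.16.1.1 - - [17/Aug/2024:16:59:15 +0000] "GET / HTTP/1.1" 200 512',
    '2606:4700::1234 - - [17/Aug/2024:16:59:16 +0000] "GET /about HTTP/1.1" 200 1024',
    '203.0.113.7 - - [17/Aug/2024:17:02:41 +0000] "GET /robots.txt HTTP/1.1" 200 64',
    '198.51.100.23 - - [17/Aug/2024:17:05:09 +0000] "GET / HTTP/1.1" 200 512',
]
```

After the firewall is enabled, running `direct_hits` over the real access log should return an empty list; any entry that remains is worth investigating.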
That's it!
Now your server is protected from direct IP traffic, and requests must go through Cloudflare.