Halo, i’m a dev recently diving into cloudflare security layers and got few questions on a website security which is deployed to cloudflare. I’m using Pages and my domain is directly hosted by cloudflare Registrar. I’m also using the security layers provided with cloudflare infrastructure, including [ Bots, DDos, Settings, Page Shield ], which can be found in security tab of my domain in cloudflare dashboard. Below list is my questions:
security layers in use: [ Bots, DDos, Settings, Page Shield ]
I’m using firebase hosting to link my firebase functions with the domain which is hosted by cloudflare. In this case, do the above listed security layers of cloudflare automatically protect the firebase hosting resources or traffics?
I’m using cloudflare workers to manage Durable Objects. The Workers’ functions are also linked to the same root domain with different subdomain. In this case, do the above listed security layers of cloudflare automatically protect the Worker traffics?
the proxy status of firebase hosting connection is “DNS only” mode(not “Proxied” mode), since in the case of Proxied, the dns connection does not work(i didn't figure out the reason yet..). In this case, it makes me feel like the firebase hosting resources are not being protected since the orange switch in DNS dash is turned off
please consider the cloudflare plan is Pro
Thank you in advance [:
For the products you are listing, Cloudflare is implemented as a reverse proxy.
This means that from an end user perspective, when they try to connect to your services, their traffic reaches Cloudflare first (since a proxied record resolves to a Cloudflare anycast IP). Cloudflare carries out the features and security services that are configured, then forwards the HTTP requests to your origin infrastructure as specified in your Cloudflare DNS tab. This is true when the traffic is directed to proxied records.
For records in DNS-only mode, Cloudflare only performs DNS resolution (answering to the DNS query for that DNS record). Once this is done, the client will connect directly to the specified resource and the traffic will not be flowing through the Cloudflare network, meaning Cloudflare cannot provide proxy services in this scenario.
For a full explanation, I recommend the following documentation page
Related
I am very new to Cloudflare. So please bear with me. I need to access my website (hosted in Microsoft Azure - App Services) via IP address instead of the domain name.
To do this, I need to add HOST=www.mydomain.com into the HTTP header when requesting the website via IP address.
I heard it can be solved via Cloudflare, but the person I asked will not elaborate further. Is it possible? If yes, what service should I purchase? Any manual or instruction will be appreciated.
If Cloudflare isn't possible, do you have any service recommendations?
Thanks :)
The reason the host header is needed is because Azure App Services are multi-tenant (multiple apps on a single IP) by default. So, the server needs some way to know where to route your request to (the host name). In addition, IPs are not guaranteed to be static (they can change as you scale for instance).
It should be possible to secure a single static IP address using the following method -
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip
What is unclear is whether or not this IP would also be dedicated (meaning only your domain would use it). This is what would be required in order to allow you to access the app service without a hostname specified.
Cloudflare will not solve this issue, as it sits at the DNS layer (domain name access). Accessing a server via IP would bypass Cloudflare entirely.
We have a cisco load balancer on-premise which routes traffic to our DMZ Servers on-premise
We want to use Azure Load Balancer or Azure Solutions (AG) which can balance traffic to our DMZ Servers on-premise, basically replace the CISCO with Azure
Is it possible? we have SFT/HTTPS sites currently hosted on our DMZ Environment.
TIA
What you're proposing isn't the use-case for Application Gateways. Application Gateways are Layer 7 load balancers / reverse proxies. What you want to do is almost treat them as a one-site forward proxy. It's not a good architecture and even if it were possible would ultimately be more costly in the long-run since you would pay for data egress as your App Gateway accepts requests and then forwards on to your web servers via an outbound connection over the Internet. They then receive the response headers/body from your web servers and again send that result on to the original caller.
In that scenario, you are forced to have to use end-to-end SSL for your applications, removing any possibility of using the App Gateway for SSL offload in the future. If your traffic isn't encrypted or doesn't need to be, the predictability of the source and destination of your traffic increases the security risk to your website's users and your company.
You also have the possible security implications of this type of architecture. Your web servers still need to be accessible at the very least by your Application Gateway, which means they are either freely available on the Internet anyway (in which case why bother with an App Gateways at all) or they're firewalled at a single layer and permit only traffic from the source IP address of your Application Gateway.
The bad news with the firewall approach is that you cannot assign a static public IP address to an Application Gateway, it is forced as Dynamic. Realistically the public IP won't change until the App Gateways are rebooted but you should know that when, not if, they do, your firewall rules will be wrong and your App Gateways won't be able to get to your DMZ servers any more, which means an outage. The only true solution for that is a firewall that can do URI based firewall rules...the impact there is cost (time and CPU) to perform a DNS lookup, see if the traffic is from the App Gateway by its DNS address - something like bd8f86bb-5d5a-4498-bc0c-e1a48b3873bf.cloudapp.net and then either permit or deny the request.
As discussed above, a further security consideration is that your traffic will be fairly consistently originating from one location (the App Gateways) and arriving at your DMZ. If there's a well defined source of traffic, that fact could be used in an attack against your servers/DMZ. While I'm sure attacking this is non-trivial, you damage your security posture by making source and destination traffic predictable across the Internet.
I've configured a good number of Application Gateways now for Enterprise applications and out of morbid curiosity I had a go at configuring a very basic one using HTTP to do what you're attempting - fortunately (yes, fortunately) I received an HTTP 502 so I'm going say that this isn't possible. I'll add that I'm glad it isn't possible because it's a Bad Idea (TM).
My suggestion is that you either migrate your DMZ servers to Azure (for the best performance/network latency) or implement a VPN or (preferably) ExpressRoute. You'll then be able to deploy an Application Gateway using the correct architecture where you terminate your users' connections at the App Gateway and that re-transmits the request within your RFC1918 network to your DMZ servers which respond within the network back to the App Gateway and ultimately back to the requestor.
Sorry it's not what you wanted to hear. If you're determined to do this, perhaps nginx could be made to?
A client of ours has the domain client.com
Our application is at superapp.mycompany.com
We want the client to be able to access our application via their own subdomain, like: superapp.client.com.
Normally we'd just tell the client to add a cname for superapp and point it to superapp.mycompany.com. Then on our server (IIS) we'd bind their domain to our app and everything would work as intended.
However, we can't replicate this functionality when our mycompany.com domain is managed via cloudflare.
When we navigate to superapp.client.com we get the following error page:
Error 1001
What happened?
You've requested a page on a website (superapp.client.com) that is on the Cloudflare network. Cloudflare is currently unable to resolve your requested domain (superapp.client.com).
Is there any way that Cloudflare can be used in this fashion?, this seems like a pretty standard set up for a multi tenant application that supports custom domains.
We don't need all the protection that Cloudfront offers for these client domains, but we want to use the Cloudfront nameservers for out application (mainly for fast switching of DNS records in the event we migrate servers, etc).
Any help is appreciated.
I hope it's not too late. But just found a way to do so.
You just need to add your client's domain (Add site in Cloudflare) to your account.
You don't need to change client domain's NS. So in your Cloudflare panel this domain will showing as "Pending Nameserver Update".
Next step is add the CName record to this domain.
Although the NS of client domain is not changed to CF, but CF has a lookup record as CName for it.
Hope it helps.
Just in case someone arrived here with same issue as me. Here is the answer. For short, no that won't work.
Since Cloudflare is a reverse proxy for the domain that is on Cloudflare, the CNAME redirect for the domain (not on Cloudflare) wouldn't know where to send the traffic to.
Ref: https://support.cloudflare.com/hc/en-us/articles/360017421192-Cloudflare-DNS-FAQ#CloudflareDNSFAQ-CanICNAMEadomainnotonCloudflaretoadomainthatisonCloudflare
If you don't need the CDN benefits, you can still use Cloudflare nameservers to manage your DNS zone and keep your current configuration. Just make sure the CDN is deactivated for the target subdomain in your zone (superapp.mycompany.com in your case).
You can tell if the CDN is activated or deactivated for a subdomain by looking at the cloud icon on the right of each DNS entry: if the cloud is orange the CDN is active, if it is gray, it isn't.
Cloudflare also supports external CNAME resolution in their CDN infrastructure, but it's only available for its Enterprise customers:
https://support.cloudflare.com/hc/en-us/articles/217371987-Managed-CNAME
Is it possible to move my domain from one.com to cloudflare?
If so, can I then buy an ssl from them?
Also, any resources on how to do this would be great.
My biggest concern is the downtime when switching over.
Cloudflare is not a webhost and domain registrar services are only available to Enterprise customers. It provides DNS, proxy, CDN and various other tools.
SSL is provided free to all customers on all plans, but your certificate will be shared. If you need/desire a dedicated certificate that can be purchased as an add-on to any account for $5 a month.
If you are worried about downtime when you begin routing your traffic through Cloudflare (assuming that's what you mean by "move" to) just make sure you follow steps 1 and 2 of the Cloudflare 101 tutorials in the Knowledge Base before changing your nameservers in Step 3. It should be seamless.
A little more detail to answer the follow-up:
After adding your domain to Cloudflare, and setting up your DNS records, you will be provided with details for two Cloudflare nameservers. Take them to your registrar (in this case one.com) and update your nameserver information. As soon as the changes take effect with your registrar your traffic will begin routing through Cloudflare which is waiting and ready to go.
One.com is shared hosting and you can not change DNS settings on it aside from creating new subdomains. Also, your shared host will change its IP pretty frequently, so pointing a non-one.com managed domain to your one webspace's IP will break faster than you can update it. There is a reason that you can't even see your IP in your account settings.
If you really want to use cloudflare for DDoS protection and its other benefits, one.com and most other shared hosting is not a good choice.
When you search for a new web&domain host, confirm that they allow you to move your DNS to cloudflare before you sign up.
I am looking for an easy way to fail over to a different DC quickly, does CloudFlare offer anything special in this regards with things like health checks or is it just like a standard DNS service?
Update: CloudFlare started a closed beta for the Traffic Manager feature which allows to do exactly this kind of failover:
https://www.cloudflare.com/traffic-manager/
AWS Failover:
The following solution seems to work well when you are hosting your backend system on AWS:
I setup a AWS Route 53 zone with a separate domain (e.g. failover-example.com). Route 53 allows you to setup health checks on the backend server (e.g. the load balancer) with DNS failover. AWS will remove the unhealthy backend system from the DNS record list.
In cloudflare I setup a CNAME for example.com record to failover-example.com and activate the cloudflare proxy on example.com.
The result is that the browser resolves the IP address of example.com to a cloudflare IP address. Cloudflare queries the AWS DNS server to lockup failover-example.com. Cloudflare fetches the content from the resolved IP address and returns the content back to the browser.
In my tests the switch to the other backend system occurs after ca. 20 seconds.
The separate domain is required because cloudflare does not route the traffic through the proxy when the CNAME is a subdomain of example.com.
I have tried to visualize the failover. In theory the failover works with any DNS failover capable service and not only with Route53:
The browser connects always with CloudFlare and hence a DNS failover of the backend system does never effect the browser of the user.
We don't have automatic failover at this time (something we're looking at). We can support the additional DNS entries in your zone file, of course, but you would currently have to manually make the change in that circumstance.
To add -- in the mean time, I'd recommend looking at https://runbook.io
Several other DIY options:
http://blog.booru.org/?p=12
https://vpsboard.com/topic/3341-running-your-own-failover-dns-setup/
https://github.com/marccerrato/python-dns-failover
You'd want to decide if these are the right options for you, of course.