Restricting Origin Access to Cloudflare Without Root Access on the Origin

Security is a layered process, and Cloudflare plays a key role in defending against attacks. The ability to block malicious or suspicious requests before they reach your origin server is an excellent asset. Obviously, though, this only works if Cloudflare is positioned in front of your origin server and requests are forced through Cloudflare.

It’s important to only permit requests to your origin server from Cloudflare’s proxy. Otherwise, bad actors could bypass Cloudflare and directly connect to your origin server, should they obtain the IP address(es) of your origin server.

The ideal solution would be to make use of Authenticated Origin Pulls. However, without root access to your origin server, you are unlikely to be able to use that feature, unless, of course, you can get your Web host to make the necessary server-side configuration for you. On most shared hosting that is an impossibility, as the host either can’t or simply won’t do it for you.

With that said, there are other Cloudflare features which you can utilize to better control direct access to your origin for HTTP/HTTPS requests. This post will show you how to do so with a combination of .htaccess directives, firewall rules, and transform rules.

By way of a transform rule, Cloudflare will add a request header and present it to your origin server on every request proxied through Cloudflare. Should someone attempt to access your origin server directly, this secret header will not be present, and your server can redirect the request back to Cloudflare, where a firewall rule blocks it.

You must keep both the header name and its value secret, though. Think of the pair as a password: anyone who learns it can forge the header and connect to your origin directly, so make sure nothing on your site echoes incoming request headers (debug pages, verbose error pages and the like). Note also that this scheme only covers HTTP/HTTPS requests that reach your Web server; it does nothing for other services listening on the origin’s IP address.

Transform Rule

Firstly, we’ll configure the transform rule from within your Cloudflare dashboard. Within your dashboard, navigate to Rules » Transform Rules.

  1. Click on the Create transform rule button and select Modify Request Header from the drop-down.
  2. Set Rule name to anything that you like.
  3. Under When incoming requests match…:
    • Field » Hostname
    • Operator » equals
    • Value » yourdomain.net
      • Put your own domain in this field.
  4. Under Then…:
    • Set Static
    • Header Name » ZwdEMaCbKDR2Q6MaFTDbMunaLmquPe2gVKZf6fsyvG6XyBKjob8TqZAFdnvqHCjH
      • Don’t, actually, use this value. It’s an example only. I’d suggest using a randomly generated alphanumeric string.
    • Header Value » zTGA6TFiBKHFyEwWcx24iK4E7yygJCPPETAuLEEvUBrsakokbFdr2gUqgjNn8fze
      • Don’t, actually, use this value. It’s an example only. I’d suggest using a randomly generated alphanumeric string.
  5. Click the Deploy button.

.htaccess File

Next, we’ll configure the .htaccess directives. Place the following at the top of the .htaccess file within the Web root of your Web site.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Condition 1: the secret header that Cloudflare adds is missing or has the wrong value.
    RewriteCond %{HTTP:ZwdEMaCbKDR2Q6MaFTDbMunaLmquPe2gVKZf6fsyvG6XyBKjob8TqZAFdnvqHCjH} !^zTGA6TFiBKHFyEwWcx24iK4E7yygJCPPETAuLEEvUBrsakokbFdr2gUqgjNn8fze$
    # Condition 2: the request did not come from this server's own IP (cron jobs etc.).
    RewriteCond "%{REMOTE_ADDR}" "!^000\.000\.000\.000$"
    # Both conditions hold: send the client back through Cloudflare to a path the firewall rule blocks.
    RewriteRule .* "https://yourdomain.net/tasCe9hzxXoqwhVJT3MPwUxDxH2fLtVdAEvwzoPjw2qGoPhhN4nyZPJZKyrfecPY.php" [R=302,L]
</IfModule>

Replace 000\.000\.000\.000 with the IP address of your origin server, keeping the dots escaped because the value is a regular expression. For example, if your origin’s IP address is 192.168.1.1, you would change it to 192\.168\.1\.1. This line allows direct connections from your own Web server for things such as cron. Check what address your server actually sees for such requests: a job that fetches the site over localhost may arrive as 127.0.0.1 (or ::1) rather than the public IP, and then the exception would need that address instead. If your server doesn’t make direct connections to your Web site at all, comment out or remove the REMOTE_ADDR condition altogether.

Be sure to replace yourdomain.net with your own domain. You can change tasCe9hzxXoqwhVJT3MPwUxDxH2fLtVdAEvwzoPjw2qGoPhhN4nyZPJZKyrfecPY.php to any random filename that you want, but it must be a file that does not exist on your site. If you would rather have the origin answer directly, the [F,L] flags return a 403 without the round trip, but then the attempt will not show up in Cloudflare’s firewall events.

Firewall Rule

Lastly, we’ll configure the firewall rule that catches the redirect triggered by the RewriteRule directive above and blocks the request.

Within your Cloudflare dashboard, navigate to Security » WAF » Firewall Rules.

  1. Click the Create a Firewall rule button.
  2. Set Rule name to anything that you like.
  3. Under When incoming requests match…:
    • Field » URI Path
    • Operator » equals
    • Value » /tasCe9hzxXoqwhVJT3MPwUxDxH2fLtVdAEvwzoPjw2qGoPhhN4nyZPJZKyrfecPY.php
      • Set this to whatever filename you specified in the RewriteRule directive within the .htaccess file.
  4. Under Then…:
    • Block
  5. Click the Deploy button.

Assuming that everything has been configured correctly and is working as intended, requests through the Cloudflare proxy will be accepted by your origin server, and anyone attempting to bypass Cloudflare by accessing your origin server directly will be redirected back to Cloudflare, where the request is blocked. A direct request that does carry the correct header name and value will still be served, which is exactly why the pair has to stay secret.
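The procedure above has three places that must agree on the same secrets and the same block path (the transform rule, the .htaccess file and the firewall rule), and the only way to know it works is to probe it from outside. The following script is an added example, not code from the original post: it generates the random header name and value, renders the matching .htaccess block with the IP’s dots escaped, and then runs the four probes a practitioner would want after deploying (through Cloudflare, direct to the origin without the header, direct with the header, and the block path through Cloudflare). The domain, origin IP and block path are placeholder assumptions, as is the assumption that the origin speaks HTTPS on port 443; the direct-to-IP probes skip certificate verification because an origin certificate often will not validate for a by-IP connection.

```python
# Added example (not from the original post): generate the secret header pair,
# render the matching .htaccess block, and smoke-test a deployment.
# DOMAIN, ORIGIN_IP and the block path used below are placeholder assumptions.
import http.client
import re
import secrets
import socket
import ssl
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits


def random_token(length=64):
    """Random alphanumeric secret, as the post suggests for header name and value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_htaccess(header_name, header_value, domain, block_path, origin_ip=None):
    """Render the post's mod_rewrite block with the chosen secrets filled in.

    re.escape() backslash-escapes the dots of the IP for the REMOTE_ADDR regex.
    The REMOTE_ADDR exception is only emitted when origin_ip is given, matching
    the advice to drop it if nothing on the server calls the site directly.
    """
    lines = [
        "<IfModule mod_rewrite.c>",
        "    RewriteEngine On",
        "",
        f"    RewriteCond %{{HTTP:{header_name}}} !^{re.escape(header_value)}$",
    ]
    if origin_ip:
        lines.append(f'    RewriteCond "%{{REMOTE_ADDR}}" "!^{re.escape(origin_ip)}$"')
    lines += [
        f'    RewriteRule .* "https://{domain}{block_path}" [R=302,L]',
        "</IfModule>",
    ]
    return "\n".join(lines)


def blocked_by_origin(status, location, block_path):
    """True when a response is the origin's redirect to the block URL."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    return urlsplit(location).path == block_path


def probe(connect_to, host, path, headers=None, verify=True):
    """GET https://host/path over a TCP connection to connect_to (an IP or a name).

    SNI and the Host header are always the site's name, so the origin serves the
    right virtual host even when we connect by IP. verify=False is for origins
    whose certificate does not validate on a direct connection.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((connect_to, 443), timeout=10)
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.sock = ctx.wrap_socket(raw, server_hostname=host)  # reuse our own socket
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")


def verify_deployment(domain, origin_ip, block_path, header_name, header_value):
    """Run the four probes worth doing after deploying; returns {check_name: ok}."""
    results = {}
    # 1. Through Cloudflare: must not be bounced to the block URL.
    st, loc = probe(domain, domain, "/")
    results["proxied_passes"] = not blocked_by_origin(st, loc, block_path)
    # 2. Direct to the origin without the secret header: must be bounced.
    st, loc = probe(origin_ip, domain, "/", verify=False)
    results["direct_is_bounced"] = blocked_by_origin(st, loc, block_path)
    # 3. Direct with the secret header: passes, which is why the pair is a password.
    st, loc = probe(origin_ip, domain, "/", {header_name: header_value}, verify=False)
    results["direct_with_secret_passes"] = not blocked_by_origin(st, loc, block_path)
    # 4. The block path through Cloudflare: the firewall rule should answer 403.
    st, _ = probe(domain, domain, block_path)
    results["firewall_blocks"] = st == 403
    return results


if __name__ == "__main__":
    # Placeholders: replace with your own domain and origin IP before running.
    name, value = random_token(), random_token()
    block = "/" + random_token(32) + ".php"
    print(render_htaccess(name, value, "yourdomain.net", block, "192.0.2.10"))
    # After deploying all three pieces, uncomment to probe the live setup:
    # print(verify_deployment("yourdomain.net", "192.0.2.10", block, name, value))
```

Keep the printed header name and value in one place only: they go into the transform rule and the .htaccess file, and the block path goes into the RewriteRule and the firewall rule. If probe 3 fails while probe 2 passes, the header is being stripped or rewritten somewhere before mod_rewrite sees it; if probe 2 fails, the origin is reachable without Cloudflare and the .htaccess block is not in effect.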

Author

  • I tried to fix the world, but God wouldn't give me his source code.

    Formerly, CEO and lead developer of a technology company, focusing on the merchant services space. Formerly, of WHMCompleteSolution (WHMCS).

    An avid gamer.
