Restrict access to only traffic from Cloudflare

After finding it confusing and difficult to find clear information on this, even after checking Cloudflare’s own documentation, I’ve decided to put this post together in the hope of helping others.

The issue:

You have a website you protect (among other things) using Cloudflare. However, it’s still possible for traffic to reach your website directly, ie going around Cloudflare. This is quite easy if you do manage to find out the IP address a website is running on.

Side point: Cloudflare offer solutions such as Cloudflare Access which allow you to have VPN level protection for your website (or a section of it if you choose). These are great solutions, but only work properly if you can ensure that ALL traffic is forced to go via Cloudflare (and the protection they offer).

The solution:

After wasting days with keywords like: cloudflare restrict access, lock down traffic to only Cloudflare, restrict access to only Cloudflare IP addresses etc etc.. I stumbled on this post: Stop Cloudflare bypassing on shared hosting unfortunately the title is not as intuitive as it could be, however the solution is excellent (bar one small technicality which I will explain later). And I quote:


With a very simple Cloudflare Worker, we can add a request header, a header that will be sent from the edge (any of Cloudflare’s 180+ data centers) to the origin (your server), and therefore won’t be visible to site visitors. As long as the header name and value are kept secret by the site admin, any requests not coming through Cloudflare will not have this header, and will therefore trigger a rewrite condition at the origin server, and be redirected back to, well, Cloudflare – where a Firewall Rule will block it.

The Cloudflare worker (taken from this recipe 18). You’ll need to configure the Cloudflare worker via your Cloudflare account. For most sites, this will be free.

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

/**
 * Send header to origin, allowing for
 * .htaccess to block requests
 * not coming from Cloudflare
 */

async function handleRequest(request) {
  // Make the headers mutable by re-constructing the Request.
  request = new Request(request)
  request.headers.set('Secret-Header', 'SeCrEt-kEy')

  return await fetch(request)
}

And then on your own website the following .htaccess directives (place them at the top of the file):

# Route visitors not coming from Cloudflare to, well, Cloudflare
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	# Both the header and the value should be kept secret
	RewriteCond "%{HTTP:Secret-Header}" "!SeCrEt-kEy"
	# Uncomment and edit w/ IP of services such as certs, cron, Softaculous etc
	# RewriteCond "%{REMOTE_HOST}" "!^xxx\.xxx\.xxx\.xxx$"
	RewriteRule .* "accessdenied.php" [R,L]
</IfModule>

What these directives do is check every request to see if it has a request header named “Secret-Header” and whether its value does not contain the string “SeCrEt-kEy”. If the header does not exist, or does not contain the key, the request will be redirected to a non-existing URI named here “accessdenied.php”, (a fictitious, non-existing file) which must be added in a Firewall Rule.


/end quote.

This works wonderfully. The problem with the suggested firewall rule (at Cloudflare) is that it won’t be triggered if traffic comes in from somewhere other than Cloudflare.. makes it redundant/useless. So, well.. edit that yourself or find another solution if you wish to gracefully block traffic this way.

Conclusion:

While the concept of restricting access to IP addresses and/or blocking access to some (via .htaccess) is fairly well documented, using Cloudflare (and I do recommend it) makes some of this quite complex when wanting to restrict access to ONLY traffic via Cloudflare. The solution above is elegant in that it adds a header to each request (via Cloudflare Worker) and then the .htaccess file checks to make sure that header is present (ie did it come from Cloudflare), if not, traffic is blocked or redirected to a file of your choosing (or even a 404 if you wish). Sadly not enough airtime is given to this solution, perhaps due to the wrong keywords being used. Hopefully this post help with that.

PS If you wish to avail yourself of our services for things like this (securing your existing or new website, website hosting that ensures your site is always kept up to date and secure along with regular off-site backups (which we can automatically send to you each time) be sure to get in touch with us to find out more.

DNSSEC is awesome!

Whether you think DNS is just one of those boring things you’ve heard IT nerds talking about, or something you’d like to understand, you should know that DNS is very important for the security of your website and emails.

DNS in a nutshell
DNS or domain name system is the internet “telephone directory” that connects your domain name (ie https://xyzulu.hosting ) to the webserver where the actual website is stored. It’s also the system that directs the emails that are sent to you.

At your domain registrar (where you register and renew your domain) a record is kept of the Domain Name Server that holds the records of where your domain and email is hosted. These records point names, ie xyzulu.hosting to numbers (IP addresses) that correspond to the address of the server that hosts your website or accepts your emails.

What you need to know
It’s a very old system, but it works. It does however rely on a measure of trust between ISP’s and other main providers of the internet infrastructure.

If someone gains access to your domain name or DNS record, they can easily hijack your emails and redirect all visitors away from your website to a fake page. You probably know some of this, which is why you secure the logins to your domain name registrar and store that login securely. (For security tips see our previous articles: Overwhelmed with passwords? and Why do I need 2FA? )

How can you make your DNS more secure?
The best way you can secure your DNS is by implementing DNSSEC.

What is DNSSEC?
DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored at your domain registrar, and at your authoritative domain name server. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered.

When a potential customer attempts to visit your website or send you an email, DNSSEC (if enabled) will protect your traffic from being hijacked.

To enforce or implement this system, a record needs to exist at your domain name registrar and your domain name server. These cryptographic records “match” one another and ensure another server cannot pretend to host the correct records and redirect your traffic and emails elsewhere.

The technical explanation is here. An easier to understand explanation is here.

How do I enable DNSSEC?
Transfer your domain names to us and submit a request via our Customer Portal. If you are an exiting customer, simply request this be setup for your domain via a support request and we’ll make it happen for you. Your security is important to us, we offer this service at no additional charge.

This is how a successful DNSSEC test should look <– feel free to test your own domain using the same tool.

xyzulu.hosting DNSSEC test

We hope this has helped you understand more about how to secure your domain and remember, we’re ready to help.

Not all web hosts are equal xyzulu.hosting take the blah blah out of technical information and empower our customers with knowledge, this can protect and increase productivity for your business.

Your security is so important to us, we are constantly striving to serve you better.

Google’s strongest security, do you need it?

Do you want the reassurance of knowing your Google account is properly secured? Have you had your Google account compromised before and never want to have to go through that mess again?

Previously we have written articles on important steps for all Google users (this means anyone that has a Gmail or GSuite account). Here are the most important ones:

If you don’t have 2FA (two factor authentication) enabled yet, you should probably do that first and then come back and read on. Sadly, only 10% of Google users have enabled 2FA  although it has been available for over 7 years and is dead simple to use. Don’t be in that 10%!

Google has recently released an even stronger form of authentication utilizing a physical device instead of a 2 factor code you receive via SMS or an app on your device. This may not be for everyone, but if you want the strongest protection for your Google account make sure you read all about it on their site here: Google Advanced Protection Program

So in review, if you don’t have 2FA enabled yet, you should that now. If you want even stronger protection, maybe this new Google device is for you.

Don’t wait until it’s too late before securing your online accounts.