What enables Cloudflare to disable direct IP address access? [closed]

When I visit a website that has Cloudflare, using the website's IP address, I get this message:

Error 1003
Direct IP access not allowed


What happened?

You've requested an IP address that is part of the Cloudflare network.
A valid Host header must be supplied to reach the desired website.

I am a student.

  1. What allows Cloudflare to block direct IP address access?
  2. Isn't DNS a layer above the IP address? If so, since Cloudflare is a DNS service, why does Cloudflare have the capacity to block IP addresses?

Solution 1:

There's nothing special in the Cloudflare setup. This is just a property of HTTP.

When a client opens a URL, there are three important steps:

  1. If required, it performs a DNS lookup (or uses another resolution method) to turn a hostname into an IP address. If the URL specifies an IP address for the host, it uses that.
  2. It makes a connection to that IP address on a well-known port number, normally 80 (unless it's overridden in the URL).
  3. It asks the server for the page, including the desired hostname.

A classical example looks like this:

GET /pub/WWW/TheProject.html HTTP/1.1
Host: www.w3.org

Consider a large host with many web sites on it. For simplicity let's say it has a single IP address. Hundreds of domain names resolve to this address. How does the server decide which pages to deliver? It uses the host detail given by the client in the HTTP request. If you ask for something it doesn't have or want to give you, it will give you an error response.

In your case, the request contains an IP address for the host specifier.

GET /whatever HTTP/1.1
Host: a.b.c.d

Very many hosts decide not to give out pages when the host is specified by IP address. There's nothing special about Cloudflare here, nor is it to do with DNS. It's about how the server responds to requests for the host specified by IP address, and you can see that this error message specifies that A valid Host header must be supplied.

Here's an answer which describes how to configure a server in this way: https://serverfault.com/a/607222

You can easily verify this kind of behaviour by using telnet to connect to a server and issue the HTTP request manually.

PS. The same general answer applies to an HTTPS request, but using Server Name Indication in the setup. It's worth noting that Host came in with HTTP 1.1 (1997). Prior to that, the mechanism described here didn't exist, and a server had no way to reliably tell if the client had asked for a name which legitimately resolved to its IP address, or had asked for the host by IP address directly. As this was an important development for the explosive growth in web sites, many older clients were updated to send Host. [Thanks commenters for picking up on details.]
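As an added illustration (not code from the original answer or from Cloudflare), here is a minimal Host-based dispatcher in Python. It parses a raw HTTP/1.1 request like the ones above, selects a site from a virtual-host table, and refuses to serve when the Host value is missing or is an IP literal, which is the same decision the Error 1003 page expresses. The site table and hostnames are constructed for the example.

```python
import ipaddress
import re

# Constructed virtual-host table standing in for a shared server's config
# (hypothetical names; not data from the answer or from Cloudflare).
VHOSTS = {
    "www.example.com": "<html>Example Corp</html>",
    "blog.example.net": "<html>Example Blog</html>",
}

def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1.x request into (method, path, headers); header names lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def is_ip_literal(host: str) -> bool:
    """True when the Host value is an address rather than a name (handles :port and [IPv6])."""
    host = re.sub(r":\d+$", "", host)   # drop an optional trailing port
    host = host.strip("[]")             # [2001:db8::1] bracket form for IPv6
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dispatch(raw: bytes) -> tuple[int, str]:
    """Pick a site by Host header, as a virtual-hosting front end does; return (status, body)."""
    _method, _path, headers = parse_request(raw)
    host = headers.get("host", "")
    if not host or is_ip_literal(host):
        # No usable name means no site to pick, so the server answers with an error.
        return 403, "Direct IP access not allowed. A valid Host header must be supplied."
    site = VHOSTS.get(host.split(":")[0].lower())
    if site is None:
        return 404, "Unknown host"
    return 200, site

def build_request(path: str, host: str) -> bytes:
    """The lines one would type into telnet, as bytes on the wire."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
```

Pointing `build_request` at a name in `VHOSTS` yields 200, while an address such as `203.0.113.7` or a request with no Host header at all yields the 403 refusal.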

Solution 2:

The system you are trying to contact has multiple sites listed in its httpd config.

The only way the HTTP server can differentiate the various sites hosted on it is with direct URLs.

Since those sites are hosted on CloudFlare's hardware, they can provide whatever error they wish. CDNs (Content Delivery Networks) shift the connection to the closest cached copy across their network based on several factors.

If you look at what CloudFlare offers as a service, you will see that as part of the setup process you repoint your domain's DNS records to their DNS servers, which then utilize only their CDN systems. As a developer, if you are using a CDN, you still know where your actual hosts are located and can contact them directly; customers no longer have that access.

That also helps isolate your hosts from DDoS attacks. The CDN still contacts your host for content unless your entire infrastructure is hosted within the CDN's network.