How do I deny all requests not from cloudflare?

I've recently gotten denial of service attacks from multiple proxy ips, so I installed cloudflare to prevent this. Then I started noticing that they're bypassing cloudflare by connecting directly to the server's ip address and forging the host header.

What is the most performant way to return 403 on connections that aren't from the 18 ip addresses used by cloudflare?
I tried denying all then explicitly allowing the cloudflare ips but this doesn't work since I've set it up so that CF-Connecting-IP sets the ip allow tests for.

I'm using nginx 1.6.0.

Solution 1:

As described here, you can only allow ip addresses from cloudflare.

https://erichelgeson.github.io/blog/2014/01/18/whitelisting-cloudflare-in-nginx/

# https://www.cloudflare.com/ips
# IPv4
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 104.16.0.0/12;
allow 108.162.192.0/18;
allow 131.0.72.0/22;
allow 141.101.64.0/18;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 173.245.48.0/20;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;

# IPv6
allow 2400:cb00::/32;
allow 2405:b500::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2c0f:f248::/32;
allow 2a06:98c0::/29;

deny all; # deny all remaining ips

Note that you will have to update this configuration every one in a while as Cloudflare's IP address ranges might change. To autogenerate this configuration you can use this script

Solution 2:

The only solution I came up with that can be done with nginx by itself requires nginx version 1.9.7 or higher.

You can use the ngx_http_geo_module to identify and return a 403 response for any ip's that aren't cloudflare ip's.

Using this geo block.

geo $realip_remote_addr $cloudflare_ip {
    default          0;
    103.21.244.0/22  1;
    103.22.200.0/22  1;
    103.31.4.0/22    1;
    104.16.0.0/12    1;
    108.162.192.0/18 1;
    131.0.72.0/22    1;
    141.101.64.0/18  1;
    162.158.0.0/15   1;
    172.64.0.0/13    1;
    173.245.48.0/20  1;
    188.114.96.0/20  1;
    190.93.240.0/20  1;
    197.234.240.0/22 1;
    198.41.128.0/17  1;
    199.27.128.0/21  1;
    2400:cb00::/32   1;
    2405:8100::/32   1;
    2405:b500::/32   1;
    2606:4700::/32   1;
    2803:f800::/32   1;
    2c0f:f248::/32   1;
    2a06:98c0::/29   1;
}

You can then add this to your server block.

if ($cloudflare_ip != 1) {
    return 403;
}

Which will return a 403 for any connections not originating from a $cloudflare_ip.

This works because I'm using $realip_remote_addr in the geo block which keeps the original client address when using real_ip_header CF-Connecting-IP.

Solution 3:

The most performant way is a hardware firewall in front of the server. Or asking your datacenter/upstream provider for help mitigating attack.

Block things it in the webserver or iptables may help, but still uses bandwidth and system resources so DoS attacks are still possible. What you want is to block the traffic as far upstream as possible - so the traffic never reaches your server, and doesn't flood your link to the rest of the world. A hardware firewall can filter traffic much, much faster than your webserver, and uses no server resources. You will want them to allow traffic from cloudflare as well as your office or other servers for when you need to connect directly.

Changing the IP of the server may help as well - only cloudflare should need to know the new IP, don't publish it in public DNS records.