Setup Firewall Allowing Cloudflare Traffic Only

Chanming
Jan 16, 2020

Install Cloudflare Certificates

In the Cloudflare dashboard, under ‘SSL/TLS’ - ‘Origin Server’, create a new certificate. Choose an expiry time, then click Next.

Set firewall to allow Cloudflare traffic only

Generate an Origin Certificate for the Server

Keep the default PEM key format, copy the whole content of ‘Origin Certificate’ into /etc/ssl/cert.pem, and copy the whole content of ‘Private Key’ into /etc/ssl/cert.key. Keep the key readable by root only (sudo chmod 600 /etc/ssl/cert.key): anyone who can read it can impersonate your origin to Cloudflare. Then open the site configuration in /etc/nginx/sites-enabled/site.name and add the following:

server {
    listen 443 ssl;    # "ssl on;" is deprecated in nginx; enable TLS on the listen directive instead
    server_name keep.your.setting;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/cert.key;
    # root /dir/to/web-root;
    # keep your web settings here
    location / {
        # keep your settings here
    }
}
# If the site still has a plain-HTTP server block (listen 80 or 8080), remove it so the origin only speaks TLS.
# In the Cloudflare dashboard set the SSL/TLS encryption mode to Full (strict), so traffic between Cloudflare
# and the origin is encrypted and the edge verifies this origin certificate.

Check the configuration with sudo nginx -t, then restart Nginx with sudo systemctl restart nginx or sudo /etc/init.d/nginx restart. The server now presents the Cloudflare-issued origin certificate to every incoming HTTPS request. Note that Cloudflare Origin CA certificates are trusted only by Cloudflare’s edge, not by browsers, so visitors must reach the site through the Cloudflare proxy.

Whitelist Cloudflare connections

One remaining concern: an attacker can scan the whole IPv4 address space on port 443, connect to every host that answers, and read the certificate it presents. The certificate’s Common Name and Subject Alternative Name fields reveal the domain the server is bound to, which defeats the purpose of hiding the origin address behind Cloudflare (and lets the attacker hit the origin directly, bypassing Cloudflare’s WAF and rate limiting). To close this, allow inbound connections only from Cloudflare’s IP ranges, either with a host firewall or with the cloud provider’s firewall / security groups. This section shows how to do it with ufw. One caveat: an IP allowlist only proves that a request came through Cloudflare’s network, not through your Cloudflare zone, so for a stronger guarantee also enable Authenticated Origin Pulls (client-certificate authentication of the edge) on top of the firewall.

First, install ufw on the Ubuntu server with sudo apt-get install ufw. The ufw defaults should be as follows:

sudo ufw default deny incoming
sudo ufw default allow outgoing

which denies all incoming connections and allows all outgoing ones. In other words, the server runs in whitelist mode and refuses every inbound request that is not explicitly allowed. Before enabling ufw, allow SSH so the remote console stays reachable; enabling the firewall without this rule locks you out. If SSH listens on the default port 22, sudo ufw allow ssh is enough. If you use another port, or want to accept SSH only from specific address ranges, write the rule explicitly:

sudo ufw allow from 0.0.0.0/0 to any port 10549

where the address may be a subnet (0.0.0.0/0 means any source; use your own range, e.g. 203.0.113.0/24, to restrict it) and the port may be a range such as 1001:1003 (a port range requires proto tcp or proto udp in the rule).

Cloudflare publishes its current IP ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The list changes rarely, so you can hard-code it into ufw rules, but a scheduled script that refreshes the rules keeps the configuration current. Apply one rule per range, e.g.

sudo ufw allow from 173.245.48.0/20 to any port 443

Add the IPv6 ranges too (ufw handles them when IPV6=yes in /etc/default/ufw, the default on Ubuntu). Do not forget to enable ufw and check its status:

sudo ufw enable
sudo ufw status verbose
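The procedure above, as one script: this is an added example, not code from the original post. It reads a Cloudflare-style range list, validates each entry before turning it into a ufw rule, and refuses to apply an empty list (the failure mode you hit when a scheduled download silently fails). The ranges in SAMPLE_RANGES are a constructed sample, not the real list, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: turn a Cloudflare-style IP range
# list into ufw allow rules, skipping malformed entries and refusing to apply
# an empty list. SAMPLE_RANGES is a constructed sample; in production pipe in
# the current lists from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 instead. Function names are my own.

SAMPLE_RANGES='# constructed sample, not the real Cloudflare list
173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
not-a-range'

# gen_cf_rules PORT : read one CIDR per line on stdin and print one ufw
# command per valid range. Blank and "#" lines are ignored; anything that is
# not an IPv4 or IPv6 prefix is reported on stderr and skipped, so a corrupted
# download cannot turn into a bogus rule.
gen_cf_rules() {
  port="$1"
  while IFS= read -r line; do
    cidr=$(printf '%s' "$line" | tr -d '[:space:]')
    case "$cidr" in
      '' | \#*) continue ;;
    esac
    if printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
       printf '%s' "$cidr" | grep -Eq '^[0-9a-fA-F:]*:[0-9a-fA-F:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'; then
      printf "ufw allow proto tcp from %s to any port %s comment 'cloudflare'\n" "$cidr" "$port"
    else
      printf 'skipping malformed range: %s\n' "$cidr" >&2
    fi
  done
}

# apply_cf_rules PORT MODE : MODE is "print" (show the commands) or "apply"
# (run them, which needs root). Aborts when no rule was produced, because
# applying nothing after a failed download and then deleting the old rules
# would lock Cloudflare out of the origin.
apply_cf_rules() {
  port="$1"; mode="${2:-print}"
  rules=$(gen_cf_rules "$port")
  if [ -z "$rules" ]; then
    echo 'no valid ranges on input, refusing to continue' >&2
    return 1
  fi
  printf '%s\n' "$rules" | while IFS= read -r cmd; do
    if [ "$mode" = apply ]; then
      sh -c "$cmd"
    else
      echo "$cmd"
    fi
  done
}

# Dry run against the constructed sample: prints three rules and one warning.
demo_cf_rules() {
  printf '%s\n' "$SAMPLE_RANGES" | apply_cf_rules 443 print
}
```

To use it for real, feed the downloaded lists in (curl -fsS https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6 | apply_cf_rules 443 apply). The script only adds rules; when refreshing, first remove the previous ones (they carry the 'cloudflare' comment, so they are easy to find in sudo ufw status numbered), and keep your SSH rule in place while you do so.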

If you need to check the ufw logs,

Run sudo ufw status verbose to see whether logging is on at all. If it is not, turn it on with sudo ufw logging on. If it is on, look in /var/log/ for files starting with ufw, for example sudo ls /var/log/ufw*

If logging is on but there are no /var/log/ufw* files, check whether rsyslog is running: sudo service rsyslog status. If rsyslog is running, ufw is logging, and there are still no log files, search the common log files for any mention of UFW, for example grep -i ufw /var/log/syslog, grep -i ufw /var/log/messages and grep -i ufw /var/log/kern.log.

If you find plenty of ufw messages in syslog, messages or kern.log, rsyslog needs to be told to write all UFW messages to a separate file. Add the following two lines at the top of /etc/rsyslog.d/50-default.conf:

:msg, contains, "UFW" -/var/log/ufw.log
& stop

(& ~ is the older, deprecated spelling of & stop; both discard the message after it has been written to ufw.log.) Restart rsyslog with sudo systemctl restart rsyslog and you should then have a ufw.log file that contains all ufw messages.

NOTE

Check the 50-default.conf file for pre-existing configurations.

Make sure to backup the file before saving edits!

https://serverfault.com/a/516840
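Once ufw.log exists, the interesting lines are the [UFW BLOCK] entries for port 443: each one is a connection that reached the origin without going through Cloudflare, i.e. exactly the direct scanning the allowlist is meant to stop. The following is an added example, not part of the original post or the linked answer: it summarises blocked sources per address. SAMPLE_LOG is a constructed excerpt in the kernel/ufw log format, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise direct hits on TCP/443
# that ufw blocked, i.e. hosts reaching the origin without going through
# Cloudflare. SAMPLE_LOG is a constructed excerpt in the kernel/ufw log format;
# against a real file run: blocked_443_sources < /var/log/ufw.log

SAMPLE_LOG='Jan 16 10:00:01 origin kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 16 10:00:02 origin kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 16 10:00:05 origin kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 16 10:00:09 origin kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 16 10:00:12 origin kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=173.245.48.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=55555 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0'

# blocked_443_sources : read ufw log lines on stdin and print "COUNT SRC" for
# every source address that was blocked on TCP/443, most frequent first.
# Lines for other ports (here the SSH probe) and allowed traffic are ignored.
blocked_443_sources() {
  awk '
    /\[UFW BLOCK\]/ {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (proto == "TCP" && dpt == "443" && src != "") count[src]++
    }
    END { for (s in count) printf "%d %s\n", count[s], s }
  ' | sort -rn
}

# Run the summary over the constructed sample.
demo_blocked() {
  printf '%s\n' "$SAMPLE_LOG" | blocked_443_sources
}
```

A steady trickle of such lines from many sources is normal background scanning; the same source probing 443 repeatedly, or any [UFW ALLOW] on 443 from an address outside Cloudflare's published ranges, is what deserves a closer look.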