Self-host-cloudflare-tunnels: Difference between revisions

From Irregularpedia

Revision as of 05:34, 7 September 2024

Self-host with Cloudflare

source: DarkWeb


How to use Cloudflare

Why use Cloudflare

Securing Cloudflare Tunnels

I saw many clearnet websites related to DNM (link rotators, link directories, news, etc.) that host on Cloudflare, which is OK.

But they don't take measures to prevent bots (like Shodan, Censys, etc.) from scanning their HTTP services, which then causes their backend IP address to be exposed.

To verify that you are affected, do this:

telnet YOUR-BACKEND-IP 80

or

nmap YOUR-BACKEND-IP

If telnet connects, or if Nmap reports your HTTP port as open, read on. One simple way to help against this is to block any traffic from outside Cloudflare on HTTP port 80, or whatever port you have proxied with Cloudflare. This script does the following:

  • Allows SSH traffic (depending on your setup, you can modify this rule)
  • Fetches Cloudflare's current IP ranges, both v4 and v6
  • Adds iptables rules to allow Cloudflare's IPs
  • Adds an iptables rule to block all other connections on HTTP port 80
  • Allows localhost and other essential traffic (you can modify/delete these rules, depending on your requirements)

#!/bin/bash
# Run as root. Allows only Cloudflare's published ranges to reach the proxied
# HTTP port and drops everything else on that port.

CLOUDFLARE_IPV4_URL="https://www.cloudflare.com/ips-v4"
CLOUDFLARE_IPV6_URL="https://www.cloudflare.com/ips-v6"

# Fetch Cloudflare's current IP ranges (v4 and v6); -f makes curl fail on HTTP errors
CLOUDFLARE_IPV4=$(curl -sf "$CLOUDFLARE_IPV4_URL")
CLOUDFLARE_IPV6=$(curl -sf "$CLOUDFLARE_IPV6_URL")

# Abort before touching the firewall if either list could not be fetched;
# an empty list would otherwise mean no allow rules at all
if [ -z "$CLOUDFLARE_IPV4" ] || [ -z "$CLOUDFLARE_IPV6" ]; then
    echo "Failed to fetch Cloudflare IP ranges, leaving firewall unchanged" >&2
    exit 1
fi

# Start from a clean INPUT chain
iptables -F INPUT
ip6tables -F INPUT

# Keep replies to connections this host initiated
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow localhost and ICMP echo requests. These must come before the DROP on
# port 80, otherwise local checks against 127.0.0.1:80 are dropped as well
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

# Allow SSH (adjust the port or restrict the source to fit your setup)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP only from Cloudflare's ranges
for ip in $CLOUDFLARE_IPV4; do
    iptables -A INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
done

for ip in $CLOUDFLARE_IPV6; do
    ip6tables -A INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
done

# Drop every other connection to HTTP port 80
iptables -A INPUT -p tcp --dport 80 -j DROP
ip6tables -A INPUT -p tcp --dport 80 -j DROP

Note: If your SSL mode is set to Full or Full (Strict), you will probably also need to do the same for SSL port 443.

Another thing: if you run a hidden service with #tor, you can do the same by allowing traffic only from Tor exit IPs. I will make a separate post for Hidden Services.
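A complementary server-side check, added here as an example and not part of the original post: instead of probing the origin from outside with telnet or Nmap, read the origin's own access log and flag every client IP that is not inside Cloudflare's published ranges. Any such hit is a request that bypassed Cloudflare, which is exactly the exposure the firewall script above is meant to close, and the same rule set can be run again after applying it to confirm the direct hits stop. The CIDR list and the log lines are constructed samples (documentation ranges), not a live copy of https://www.cloudflare.com/ips-v4; in production, feed the function the fetched list. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: find access-log requests that reached the origin directly,
# i.e. from a client IP outside Cloudflare's ranges. IPv4 only.

# Constructed sample CIDR list standing in for https://www.cloudflare.com/ips-v4
CF_RANGES_SAMPLE="198.51.100.0/24
203.0.113.0/25"

# Constructed sample access log (common log format, client IP is the first field)
SAMPLE_LOG='198.51.100.7 - - [07/Sep/2024:05:34:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.200 - - [07/Sep/2024:05:35:10 +0000] "GET /admin HTTP/1.1" 404 128
192.0.2.55 - - [07/Sep/2024:05:36:42 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [07/Sep/2024:05:37:01 +0000] "GET /robots.txt HTTP/1.1" 200 64'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside the prefix
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_cloudflare IP RANGES -> exit 0 if IP is inside any whitespace-separated range
is_cloudflare() {
  local ip=$1 ranges=$2 cidr
  for cidr in $ranges; do
    in_cidr "$ip" "$cidr" && return 0
  done
  return 1
}

# direct_hits LOG RANGES -> prints the client IP of every request that bypassed Cloudflare
direct_hits() {
  local log=$1 ranges=$2 ip
  printf '%s\n' "$log" | while read -r ip _; do
    [ -n "$ip" ] || continue
    is_cloudflare "$ip" "$ranges" || printf '%s\n' "$ip"
  done
}

# Usage: with the real list, run
#   direct_hits "$(cat /var/log/nginx/access.log)" "$(curl -sf https://www.cloudflare.com/ips-v4)"
direct_hits "$SAMPLE_LOG" "$CF_RANGES_SAMPLE"
```

On the sample data this prints 203.0.113.200 (just outside the /25) and 192.0.2.55; the two requests from inside the sample ranges are silent. Octets with leading zeros are not handled, and the IPv6 list from the page would need a separate 128-bit comparison.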