Self-host-cloudflare-tunnels: Difference between revisions

Line 1:

~~~~

== Self-host with Cloudflare ==

= Self-host with Cloudflare =

[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion~~/post/7e8844ae785bb9d88a20~~ source: DarkWeb]

[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion|source: DarkWeb]

~~~~

== How to use Cloudflare ==

~~~~

== Why use Cloudflare ==

~~~~

== Securing Cloudflare Tunnels ==

~~I saw many Clearnet~~ websites related to DNM, ~~especially~~ (~~Link Rotators~~, ~~Link Dirs~~, ~~News~~, ~~etc.) ~~

Many clearnet websites related to DNM, such as link rotators and directories, host on Cloudflare. However, they often fail to take measures to prevent bots from scanning their HTTP services (e.g., Shodan, Censys), which can expose their backend IP addresses.

~~That host on Cloudflare is OK~~.

~~But they don’t take measures to prevent bots from scanning their HTTP services (Bots like Shodan~~, ~~Censys, etc.) ~~

To verify if you are affected, you can use:

~~Which then causes their backend IP address to be exposed.~~

~~To verify that you are affected, do this:~~

<pre>

telnet YOUR-BACKEND-IP 80

</pre>

~~<syntaxhighlight lang="bash">telnet YOU-BACKEND-IP 80</syntaxhighlight>~~

or

<~~syntaxhighlight lang="bash"~~> nmap ~~YOU~~-BACKEND-IP</~~syntaxhighlight~~>

<pre>

if you get connected to telnet or if Nmap returns your HTTP port then read below 1 simple way to help you against this is by blocking any traffic from outside Cloudflare on HTTP port 80, or whatever port you have proxied with Cloudflare. '''This script does:'''

nmap YOUR-BACKEND-IP

</pre>

~~'' Allow SSH traffic (depending on~~ your ~~setup~~, ~~you can modify this rule)~~

If you can connect via telnet or Nmap returns your HTTP port, follow the steps below to enhance your security. A simple way to protect yourself is to block any traffic from outside Cloudflare on HTTP port 80 (or whatever port you have proxied with Cloudflare).

~~'' Fetches Cloudflare current IP both v4 & v6~~

~~'' Add iptables rule~~ to ~~allow ip’s of Cloudflare~~.

~~'' Add iptables rule~~ to block ~~all connections~~ on HTTP 80

* Allow localhost and other essential traffic (you ~~can modify/delete these rules, depending on your requirements~~)

~~<syntaxhighlight lang="bash">#!/bin/bash~~

'''This script does:'''

* Allows SSH traffic (customizable based on your setup)

* Fetches Cloudflare's current IPs (both IPv4 and IPv6)

* Adds iptables rules to allow connections from Cloudflare's IPs

* Adds iptables rules to block all connections on HTTP port 80

* Allows localhost and other essential traffic (these rules can be modified or deleted based on your requirements)

<pre>

#!/bin/bash

CLOUDFLARE_IPV4_URL="https://www.cloudflare.com/ips-v4"

Line 42:

CLOUDFLARE_IPV4=$(curl -s $CLOUDFLARE_IPV4_URL)

CLOUDFLARE_IPV6=$(curl -s $CLOUDFLARE_IPV6_URL)

iptables -F INPUT

ip6tables -F INPUT

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

for ip in $CLOUDFLARE_IPV4; do

Line 63:

Line 59:

ip6tables -A INPUT -p tcp -s $ip --dport 80 -j ACCEPT

done

iptables -A INPUT -p tcp --dport 80 -j DROP

ip6tables -A INPUT -p tcp --dport 80 -j DROP

iptables -A INPUT -i lo -j ACCEPT

ip6tables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT</~~syntaxhighlight~~>

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

_Note: If your SSL ~~Mode~~ is ~~ran on~~ '''Full or Full Strict''', you will ~~probably~~ need ~~also~~ to ~~do the same with~~ SSL port 443

</pre>

_Note: If your SSL mode is set to '''Full''' or '''Full Strict''', you will also need to apply similar rules to SSL port 443._

Additionally, if you run a hidden service with Tor, you can further enhance security by allowing traffic only from Tor exit IPs. A separate post will be made for Hidden Services.

~~Another thing is if you run a hidden service with #tor, you can do the same by allowing traffic only from Tor exit IPs, I will make a separate post for Hidden Services.~~

[[Category:Self-hosting]]

[[Category:Security]]

[[Category:Cloudflare]]

[[Category:Network]]

[[Category:Privacy]]

[[Category:Server]]

@@ Line 1: / Line 1: @@
-<span id="self-host-with-cloudflare"></span>
+== Self-host with Cloudflare ==
-= Self-host with Cloudflare =
-[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/7e8844ae785bb9d88a20 source: DarkWeb]
+[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion|source: DarkWeb]
 <pre class="toc"></pre>
-<span id="how-to-use-cloudflare"></span>
 == How to use Cloudflare ==
-<span id="why-use-cloudflare"></span>
 == Why use Cloudflare ==
-<span id="securing-cloudflare-tunnels"></span>
 == Securing Cloudflare Tunnels ==
-I saw many Clearnet websites related to DNM, especially (Link Rotators, Link Dirs, News, etc.)<br />
+Many clearnet websites related to DNM, such as link rotators and directories, host on Cloudflare. However, they often fail to take measures to prevent bots from scanning their HTTP services (e.g., Shodan, Censys), which can expose their backend IP addresses.
-That host on Cloudflare is OK.
-But they don’t take measures to prevent bots from scanning their HTTP services (Bots like Shodan, Censys, etc.)<br />
+To verify if you are affected, you can use:
-Which then causes their backend IP address to be exposed.
-To verify that you are affected, do this:
+<pre>
+telnet YOUR-BACKEND-IP 80
+</pre>
-<syntaxhighlight lang="bash">telnet YOU-BACKEND-IP 80</syntaxhighlight>
 or
-<syntaxhighlight lang="bash"> nmap YOU-BACKEND-IP</syntaxhighlight>
+<pre>
-if you get connected to telnet or if Nmap returns your HTTP port then read below 1 simple way to help you against this is by blocking any traffic from outside Cloudflare on HTTP port 80, or whatever port you have proxied with Cloudflare. '''This script does:'''
+nmap YOUR-BACKEND-IP
+</pre>
-'' Allow SSH traffic (depending on your setup, you can modify this rule)
+If you can connect via telnet or Nmap returns your HTTP port, follow the steps below to enhance your security. A simple way to protect yourself is to block any traffic from outside Cloudflare on HTTP port 80 (or whatever port you have proxied with Cloudflare).
-'' Fetches Cloudflare current IP both v4 &amp; v6
-'' Add iptables rule to allow ip’s of Cloudflare.
-'' Add iptables rule to block all connections on HTTP 80
-* Allow localhost and other essential traffic (you can modify/delete these rules, depending on your requirements)
-<syntaxhighlight lang="bash">#!/bin/bash
+'''This script does:'''
+* Allows SSH traffic (customizable based on your setup)
+* Fetches Cloudflare's current IPs (both IPv4 and IPv6)
+* Adds iptables rules to allow connections from Cloudflare's IPs
+* Adds iptables rules to block all connections on HTTP port 80
+* Allows localhost and other essential traffic (these rules can be modified or deleted based on your requirements)
+<pre>
+#!/bin/bash
 CLOUDFLARE_IPV4_URL="https://www.cloudflare.com/ips-v4"
@@ Line 42: / Line 42: @@
 CLOUDFLARE_IPV4=$(curl -s $CLOUDFLARE_IPV4_URL)
 CLOUDFLARE_IPV6=$(curl -s $CLOUDFLARE_IPV6_URL)
 iptables -F INPUT
 ip6tables -F INPUT
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
 for ip in $CLOUDFLARE_IPV4; do
@@ Line 63: / Line 59: @@
      ip6tables -A INPUT -p tcp -s $ip --dport 80 -j ACCEPT
 done
 iptables -A INPUT -p tcp --dport 80 -j DROP
 ip6tables -A INPUT -p tcp --dport 80 -j DROP
 iptables -A INPUT -i lo -j ACCEPT
 ip6tables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
-ip6tables -A INPUT -p ipv6-icmp -j ACCEPT</syntaxhighlight>
+ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
-_Note: If your SSL Mode is ran on '''Full or Full Strict''', you will probably need also to do the same with SSL port 443
+</pre>
+_Note: If your SSL mode is set to '''Full''' or '''Full Strict''', you will also need to apply similar rules to SSL port 443._
+Additionally, if you run a hidden service with Tor, you can further enhance security by allowing traffic only from Tor exit IPs. A separate post will be made for Hidden Services.
-Another thing is if you run a hidden service with #tor, you can do the same by allowing traffic only from Tor exit IPs, I will make a separate post for Hidden Services.
+[[Category:Self-hosting]]
+[[Category:Security]]
+[[Category:Cloudflare]]
+[[Category:Network]]
+[[Category:Privacy]]
+[[Category:Server]]