Self-host-cloudflare-tunnels: Difference between revisions

From Irregularpedia
Latest revision as of 04:41, 22 September 2024

Self-host with Cloudflare

Source: DarkWeb


How to use Cloudflare

Why use Cloudflare

Securing Cloudflare Tunnels

Many clearnet websites related to DNM, such as link rotators and directories, are hosted behind Cloudflare. However, they often take no measures to stop internet-wide scanners (e.g., Shodan, Censys) from reaching their HTTP services directly on the origin server, which can expose their backend IP addresses.

To check whether you are affected, connect to your backend IP directly, bypassing Cloudflare:

telnet YOUR-BACKEND-IP 80

or

nmap YOUR-BACKEND-IP

If telnet connects, or Nmap reports your HTTP port as open, your origin is reachable directly and you should follow the steps below. A simple mitigation is to block all traffic that does not come from Cloudflare on HTTP port 80 (or whatever port you have proxied through Cloudflare).

This script does:

  • Allows SSH traffic (customizable based on your setup)
  • Fetches Cloudflare's current IP ranges (both IPv4 and IPv6) and aborts if the download fails
  • Adds iptables rules to allow connections to HTTP port 80 from Cloudflare's IP ranges
  • Adds iptables rules to drop all other connections on HTTP port 80
  • Allows localhost and other essential traffic (these rules can be modified or deleted based on your requirements)
#!/bin/bash
# Stop on the first error or unset variable so a half-applied rule set is never left behind.
set -eu

CLOUDFLARE_IPV4_URL="https://www.cloudflare.com/ips-v4"
CLOUDFLARE_IPV6_URL="https://www.cloudflare.com/ips-v6"

# -f makes curl fail on an HTTP error instead of handing an error page to the loops below.
CLOUDFLARE_IPV4=$(curl -fsS "$CLOUDFLARE_IPV4_URL")
CLOUDFLARE_IPV6=$(curl -fsS "$CLOUDFLARE_IPV6_URL")

# With an empty list, the DROP rules below would block port 80 for Cloudflare as well.
if [ -z "$CLOUDFLARE_IPV4" ] || [ -z "$CLOUDFLARE_IPV6" ]; then
    echo "Could not fetch Cloudflare IP ranges, firewall left unchanged" >&2
    exit 1
fi

iptables -F INPUT
ip6tables -F INPUT

# Localhost and already-established connections first, so the DROP rules below cannot cut them off
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH (change the port if yours differs)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

# HTTP is accepted only from Cloudflare's published ranges
for ip in $CLOUDFLARE_IPV4; do
    iptables -A INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
done

for ip in $CLOUDFLARE_IPV6; do
    ip6tables -A INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
done

# Anything else reaching port 80 directly (scanners included) is dropped
iptables -A INPUT -p tcp --dport 80 -j DROP
ip6tables -A INPUT -p tcp --dport 80 -j DROP

# Ping, and ICMPv6 (which IPv6 needs for neighbour discovery)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

Note: If your Cloudflare SSL mode is set to Full or Full (Strict), Cloudflare connects to your origin over HTTPS, so you also need to apply the same rules to SSL port 443.

Additionally, if you run a hidden service with Tor, you can further enhance security by allowing traffic only from Tor exit IPs. A separate post will be made for Hidden Services.
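As an added example, not code from the original post: a variant of the script above that covers every proxied port at once (80 and 443, as the note requires) through a dedicated chain instead of flushing INPUT, prints the rules for review rather than applying them, and refuses to generate anything from an empty list. The chain name CF_ONLY is an assumption and the prefixes are constructed samples standing in for the live Cloudflare lists.

```shell
#!/bin/bash
# Added example, not code from the original post. Builds the Cloudflare-only
# rules for every proxied port into a dedicated chain (CF_ONLY is an assumed
# name) instead of flushing INPUT, and prints them for review rather than
# applying them. The prefixes below are constructed samples standing in for
# the live https://www.cloudflare.com/ips-v4 and ips-v6 lists.
set -eu

SAMPLE_V4="173.245.48.0/20
103.21.244.0/22"
SAMPLE_V6="2400:cb00::/32
2606:4700::/32"

# cf_rules V4LIST V6LIST PORT... : print the iptables/ip6tables commands.
# Refuses to emit anything if either list is empty, so a failed download can
# never silently turn into a rule set that blocks Cloudflare itself.
cf_rules() {
    local v4="$1" v6="$2"; shift 2
    local ports="$*" t ip p
    if [ -z "$v4" ] || [ -z "$v6" ]; then
        echo "cf_rules: empty Cloudflare IP list, refusing to generate rules" >&2
        return 1
    fi
    for t in iptables ip6tables; do
        # Create the chain on first run, empty it on later runs (re-runnable).
        echo "$t -N CF_ONLY 2>/dev/null || $t -F CF_ONLY"
        # Localhost first, so health checks against 127.0.0.1 keep working.
        echo "$t -A CF_ONLY -i lo -j ACCEPT"
    done
    for ip in $v4; do echo "iptables -A CF_ONLY -s $ip -j ACCEPT"; done
    for ip in $v6; do echo "ip6tables -A CF_ONLY -s $ip -j ACCEPT"; done
    for t in iptables ip6tables; do
        echo "$t -A CF_ONLY -j DROP"
        # Only the proxied ports go through the chain; SSH and other rules in
        # INPUT are left untouched. -C avoids adding the jump twice.
        for p in $ports; do
            echo "$t -C INPUT -p tcp --dport $p -j CF_ONLY 2>/dev/null || $t -I INPUT -p tcp --dport $p -j CF_ONLY"
        done
    done
}

# Dry run with the constructed lists. To apply for real, replace the samples
# with the downloaded lists (curl -fsS) and pipe the output into sh as root.
cf_rules "$SAMPLE_V4" "$SAMPLE_V6" 80 443
```

Because the output is plain iptables commands, it can be diffed against the running rule set before anything is applied.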