Self-host-cloudflare-tunnels

Revision as of 05:34, 7 September 2024 by Maintenance script (talk | contribs) (Initial)

Self-host with Cloudflare

source: DarkWeb


How to use Cloudflare

Why use Cloudflare

Securing Cloudflare Tunnels

I saw many Clearnet websites related to DNM (especially Link Rotators, Link Dirs, News, etc.) that are hosted on Cloudflare, which is OK.

But they don't take measures to prevent bots (like Shodan, Censys, etc.) from scanning their HTTP services, which then causes their backend IP address to be exposed.

To verify that you are affected, do this:

<syntaxhighlight lang="bash">telnet YOUR-BACKEND-IP 80</syntaxhighlight>

or

<syntaxhighlight lang="bash">nmap YOUR-BACKEND-IP</syntaxhighlight>

If telnet connects, or if Nmap reports your HTTP port as open, read on. One simple way to protect against this is to block any traffic that does not come from Cloudflare on HTTP port 80, or whatever port you have proxied through Cloudflare. This script does the following:

  • Allow SSH traffic (depending on your setup, you can modify this rule)
  • Fetch Cloudflare's current IP ranges, both v4 and v6
  • Add iptables rules to allow Cloudflare's IPs
  • Add an iptables rule to block all other connections on HTTP port 80
  • Allow localhost and other essential traffic (you can modify/delete these rules, depending on your requirements)

<syntaxhighlight lang="bash">#!/bin/bash
# Allow the proxied HTTP port only from Cloudflare's published IP ranges.
set -u

CLOUDFLARE_IPV4_URL="https://www.cloudflare.com/ips-v4"
CLOUDFLARE_IPV6_URL="https://www.cloudflare.com/ips-v6"

# Fetch the current Cloudflare ranges; abort instead of applying an empty list
CLOUDFLARE_IPV4=$(curl -sf "$CLOUDFLARE_IPV4_URL")
CLOUDFLARE_IPV6=$(curl -sf "$CLOUDFLARE_IPV6_URL")
if [ -z "$CLOUDFLARE_IPV4" ] || [ -z "$CLOUDFLARE_IPV6" ]; then
    echo "Could not fetch Cloudflare IP ranges, leaving the firewall unchanged" >&2
    exit 1
fi

# Start from a clean INPUT chain
iptables -F INPUT
ip6tables -F INPUT

# Allow localhost (placed before the DROP rule so local connections to port 80
# still work) and replies to connections this host opened itself
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (adjust this to your setup)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP only from Cloudflare
for ip in $CLOUDFLARE_IPV4; do
    iptables -A INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
done
for ip in $CLOUDFLARE_IPV6; do
    ip6tables -A INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
done

# Drop HTTP from everyone else
iptables -A INPUT -p tcp --dport 80 -j DROP
ip6tables -A INPUT -p tcp --dport 80 -j DROP

# Allow ping
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT</syntaxhighlight>

Note: If your SSL mode is set to Full or Full (Strict), you will probably also need to do the same for SSL port 443.
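As an added example (not part of the original post), here is a small Python log audit that complements the firewall rules above: it parses the Cloudflare range list, classifies the source address of each request, and reports requests that reached the origin directly instead of through Cloudflare. The range snapshot and the log lines are constructed samples; refresh the ranges from the URLs the script above uses before running this against a real server.

```python
import ipaddress
import re
from collections import Counter

# Constructed snapshot of the lists at https://www.cloudflare.com/ips-v4 and
# /ips-v6 so this runs offline; refresh from those URLs before real use.
CLOUDFLARE_RANGES_TEXT = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
172.64.0.0/13
2400:cb00::/32
2606:4700::/32
"""

# Constructed access-log lines (nginx "combined" format). Behind Cloudflare the
# remote address is a Cloudflare edge, so any other address hit the origin directly.
SAMPLE_LOG = """\
104.16.1.9 - - [07/Sep/2024:05:34:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Sep/2024:05:34:07 +0000] "GET / HTTP/1.1" 200 512 "-" "scanner"
2606:4700:10::1 - - [07/Sep/2024:05:34:09 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Sep/2024:05:34:12 +0000] "GET /admin HTTP/1.1" 404 160 "-" "curl/8.0"
198.51.100.23 - - [07/Sep/2024:05:34:15 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "scanner"
garbage line without an address
"""

LOG_RE = re.compile(r"^(\S+) ")  # first field of a combined-format line is the source address

def parse_ranges(text):
    """Turn the published CIDR list (v4 and v6 mixed) into network objects."""
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in text.splitlines() if l.strip() and not l.startswith("#")]

def is_cloudflare(addr, nets):
    """True if addr lies inside one of the Cloudflare networks (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def direct_hits(log_text, nets):
    """Count requests per source address that bypassed Cloudflare; lines without a valid address are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        try:
            if m and not is_cloudflare(m.group(1), nets):
                hits[m.group(1)] += 1
        except ValueError:  # first field was not an IP address
            pass
    return hits
```

Any address reported by `direct_hits` is a connection the rules above are meant to drop, so a non-empty result after the script has been applied means the proxied port is still reachable from outside Cloudflare.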

Another thing: if you run a hidden service with #tor, you can do the same by allowing traffic only from Tor exit IPs. I will make a separate post for Hidden Services.