Oct 1, 2016

AWS: Allowing CloudFlare Access Only



If you use Cloudflare to protect a server running on AWS, remember: the server can still be reached directly by its public IP address, bypassing Cloudflare entirely. So why not block everyone and allow only Cloudflare? Here is how to do it.

Once Cloudflare is the DNS host for your domain, the proxied hostname resolves to Cloudflare's addresses, but your server is still reachable directly by its own IP, as shown here:


For a proxied record Cloudflare will never resolve domain.com to your real origin address (your AWS public IP). But if that address was exposed before you put Cloudflare in front of it, or leaks afterwards (an unproxied DNS record, an outbound e-mail header, an old certificate), bots and crawlers will discover it and connect to it directly, and undesirable things like DDoS can still hit your server without ever passing through Cloudflare.

Fortunately Cloudflare publishes the full list of IPv4 and IPv6 ranges its proxies use to connect to origin servers (https://www.cloudflare.com/ips/, also as plain text at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), so all you need to do is allow those ranges and nothing else. In the AWS web management console, open EC2, select the security group attached to your server and edit its inbound rules: add one rule per range from the list for the desired port, and remove any existing rule on that port that allows 0.0.0.0/0 or ::/0, otherwise the allow-list does nothing. The list changes occasionally, so re-check it (or script the update) rather than treating it as a one-off. Below you can see an example which allows only port 80 / HTTP from the Cloudflare IPv4 ranges:


If your server uses SSL/HTTPS, use port 443 instead. If it supports both HTTP and HTTPS, repeat the rules for each port, OR add a Cloudflare page rule (Always Use HTTPS) that redirects every HTTP request to HTTPS at the edge, in which case only the HTTPS/443 inbound rules are needed. One caveat: that shortcut only works when your Cloudflare SSL mode is Full or Full (strict); in Flexible mode Cloudflare connects to your origin over plain HTTP on port 80 even for HTTPS visitors, so port 80 must stay open to the Cloudflare ranges. Also remember that this only restricts the web ports: administrative ports such as SSH (22) should be allowed only from your own addresses, never from the Cloudflare ranges or the whole Internet. That's all!
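Clicking the ranges in one by one is error-prone, and the list has to be re-applied whenever Cloudflare changes it. The script below is an added example (not code from the original post): it parses the plain-text ip lists, refuses anything that is not a proper network (including a catch-all 0.0.0.0/0), builds the IpPermissions document that `aws ec2 authorize-security-group-ingress --ip-permissions file://...` accepts, and diffs the published ranges against what a security group currently allows so you know what to add and what to revoke. The embedded Cloudflare ranges and the security-group snapshot are constructed samples for demonstration; fetch the live lists and your real group before applying anything.

```python
"""Build and reconcile AWS security-group ingress rules from Cloudflare's IP list.

Added example, not code from the original post. It assumes the one-CIDR-per-line
plain-text format of https://www.cloudflare.com/ips-v4 and /ips-v6 and the
IpPermissions structure accepted by `aws ec2 authorize-security-group-ingress`.
"""
import ipaddress
import json

# Constructed excerpt standing in for the published lists. Always fetch the
# live files before applying rules: the real lists change over time.
CLOUDFLARE_IPS_V4 = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
"""
CLOUDFLARE_IPS_V6 = """\
2400:cb00::/32
2606:4700::/32
"""


def parse_cidrs(text):
    """Validate and normalise one CIDR per line.

    Rejects malformed entries, networks with host bits set, and catch-all
    prefixes (0.0.0.0/0, ::/0): a bad line must fail loudly rather than
    silently turn the allow-list into 'allow everyone'.
    """
    cidrs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        net = ipaddress.ip_network(line, strict=True)  # ValueError on garbage or host bits
        if net.prefixlen == 0:
            raise ValueError("refusing catch-all prefix %s" % net)
        cidrs.append(str(net))
    return cidrs


def build_ip_permissions(cidrs, ports=(443,), description="Cloudflare"):
    """One IpPermission per TCP port; IPv4 goes in IpRanges, IPv6 in Ipv6Ranges."""
    v4 = [c for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in cidrs if ipaddress.ip_network(c).version == 6]
    perms = []
    for port in ports:
        perms.append({
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": description} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c, "Description": description} for c in v6],
        })
    return perms


def cidrs_in_permissions(perms, port):
    """Pull the CIDRs currently allowed on `port` out of describe-security-groups output."""
    found = set()
    for p in perms:
        if p.get("IpProtocol") != "tcp" or p.get("FromPort") != port or p.get("ToPort") != port:
            continue
        found.update(r["CidrIp"] for r in p.get("IpRanges", []))
        found.update(r["CidrIpv6"] for r in p.get("Ipv6Ranges", []))
    return found


def reconcile(existing_cidrs, published_cidrs):
    """Return (to_add, to_revoke): published ranges not yet allowed, and allowed
    ranges that are not Cloudflare's (stale entries, or leftovers like 0.0.0.0/0)."""
    existing = {str(ipaddress.ip_network(c)) for c in existing_cidrs}
    published = {str(ipaddress.ip_network(c)) for c in published_cidrs}
    return sorted(published - existing), sorted(existing - published)


if __name__ == "__main__":
    published = parse_cidrs(CLOUDFLARE_IPS_V4) + parse_cidrs(CLOUDFLARE_IPS_V6)
    # Constructed snapshot of a security group that still carries the 'anyone' rule.
    current_sg = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "173.245.48.0/20"}],
                   "Ipv6Ranges": []}]
    add, revoke = reconcile(cidrs_in_permissions(current_sg, 443), published)
    print("revoke on 443:", revoke)
    # Save this as add.json and run:
    #   aws ec2 authorize-security-group-ingress --group-id sg-xxxxxxxx --ip-permissions file://add.json
    print(json.dumps(build_ip_permissions(add, ports=(443,)), indent=2))
```

The revoke list is applied the same way with `aws ec2 revoke-security-group-ingress`. Each CIDR counts as one rule against the security group's rule quota (60 inbound rules by default), so two ports times the full Cloudflare IPv4 and IPv6 lists fits, but check the quota before adding more ports.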
