[ Dead Download Link ] Protecting your Website with Cloudflare [ We Need You ]


Posted by Shogun

Hi guys,

 

Today I will show you how to use the popular Cloudflare solution to add an extra layer of security to your website. The best thing about it: it's free if you don't want to spend on the paid plans.

 

I will assume that you already have a website online and working, and your own domain name (if you don't have one, I recommend EasyDNS). The first step is to sign up on the Cloudflare website. Registration is straightforward, so I won't go into details about it. Once your account is created, it's time to add your website on the Dashboard: Cloudflare will scan your current DNS records for the domain:

[screenshot]

 

 

Once scanned, we can review our DNS records. You will be able to change them at any time later. Just for this feature alone, it's worth using the service:

 

[screenshot]

 

We can choose whether a domain or subdomain should be filtered through Cloudflare. When the little cloud is grey, Cloudflare simply acts as a DNS server, forwarding users to your server. When it's orange, we gain a series of security and performance features, even with the free plan. One worth noting is that your IP becomes private, so your real location and hosting provider cannot be found. This is a great privacy enhancement!

 

[screenshot]

 

 

Is it worth paying for the paid plans? It depends. If you expect large attacks and don't have DDoS protection from your web host, you should definitely go for the Business plan. Otherwise, Free or Pro will do.

 

Why use it if I already have DDoS protection on my server? Well, some extra security isn't a bad idea. Usually DDoS mitigation systems such as those offered by OVH or Solarcom mostly filter Layer 4 attacks, while Cloudflare works better against Layer 7 attacks. Therefore they complement each other.

 

[screenshot]

 

The final step to let Cloudflare take control of our domain records is to change the name servers. This is usually done in the control panel of the provider where you bought your domain name, in my case EasyDNS:

 

[screenshot]

 

Finally your site is added, but it will take some hours (it might even be a day or two) before the name server and DNS changes are in effect, and it's time for me to stop writing this tutorial temporarily :)

 

In the next post I will explain which of the many settings offered by Cloudflare are the best ones to choose.

 

To be continued.

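The grey/orange distinction above has a practical consequence the post only hints at: any record left grey (mail, ftp, a "direct" host) that points at the same address as the proxied site tells the world the origin Cloudflare is hiding, and so does an SPF record that lists that address. The following is an added example, not code from the post or from Cloudflare: it audits a constructed dashboard-style record list (the names, addresses and the Record type are illustrative) for exactly those leaks.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str       # host label or apex, as shown in the dashboard
    rtype: str      # A, AAAA, CNAME, MX, TXT, ...
    content: str
    proxied: bool   # True = orange cloud, False = grey cloud (DNS only)


# Constructed zone for illustration (203.0.113.0/24 is documentation space).
SAMPLE_ZONE = [
    Record("example.com", "A", "203.0.113.10", True),
    Record("www", "CNAME", "example.com", True),
    Record("mail", "A", "203.0.113.10", False),       # grey cloud, same box as the site
    Record("ftp", "A", "203.0.113.10", False),
    Record("direct", "A", "203.0.113.11", False),     # different host, nothing to hide
    Record("example.com", "MX", "mail.example.com", False),
    Record("example.com", "TXT", "v=spf1 ip4:203.0.113.0/28 -all", False),
]


def hidden_origins(records):
    """Addresses Cloudflare hides: the content of every proxied A/AAAA record."""
    return {ipaddress.ip_address(r.content)
            for r in records if r.proxied and r.rtype in ("A", "AAAA")}


def _spf_networks(txt):
    """Yield the ip4:/ip6: networks named in an SPF TXT record."""
    for token in txt.split():
        if token.startswith(("ip4:", "ip6:")):
            try:
                yield ipaddress.ip_network(token[4:], strict=False)
            except ValueError:
                continue  # malformed mechanism; not this audit's concern


def find_origin_leaks(records):
    """Return (name, type, reason) for grey-cloud records that reveal a hidden origin."""
    hidden = hidden_origins(records)
    leaks = []
    for r in records:
        if r.proxied:
            continue
        if r.rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(r.content)
            except ValueError:
                continue
            if addr in hidden:
                leaks.append((r.name, r.rtype, "DNS-only record resolves to a proxied origin"))
        elif r.rtype == "TXT" and r.content.lower().startswith("v=spf1"):
            for net in _spf_networks(r.content):
                if any(h in net for h in hidden):
                    leaks.append((r.name, "TXT", f"SPF mechanism {net} covers a proxied origin"))
    return leaks


if __name__ == "__main__":
    for name, rtype, why in find_origin_leaks(SAMPLE_ZONE):
        print(f"{name:12} {rtype:5} {why}")
```

Records such as MX or CNAME targets that resolve elsewhere are left alone; the point is only that whatever address the orange cloud hides must not reappear, unproxied, in the same zone.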

In this second part of the tutorial I will show you how to take advantage of Cloudflare options to speed up or protect your website. The first thing that you should be aware of is the "I'm under attack" mode.

 

[screenshot]

 

This mode inspects every incoming request for malicious traffic, showing a captcha to suspicious users to confirm they are human. This will block pretty much any Layer 7 DDoS attack going against your site.

 

Why not leave this mode on permanently? Well, some websites do this, but in my eyes it's not a good idea to make every user go through the inspection process. You may also be punished in your Google ranking for this, so I suggest enabling it only when you are actually getting attacked.

 

Another security feature found in the settings is this one. I tend to leave it always on, as I haven't heard of any false positives.

 

[screenshot]

 

Finally, for the experts, we have the Web Application Firewall, which is only available for paying customers. I think it's worth paying for the Pro subscription for this feature, as it will watch over SQL injections and other security vulnerabilities for us. If we have a custom-made website which has not been tested thoroughly for security, this is a must-have.

 

[screenshot]

We can manage the firewall by turning rules on and off and watch for false positives in the Events screen which will show us every IP which has been challenged or blocked. It's recommended to have some knowledge of programming and security to make the most out of this feature.

 

Remember that you can always turn features on or off for a specific part of your site by using the Page Rules option in the Dashboard.

 

And this is all about the security features in Cloudflare. You can ask any question about it here and I will try to answer when I have time. Please do not pm me with questions related to this or any other of my tutorials or releases.

In the third part of this tutorial we will learn how to see the user's original IP on nginx logs instead of Cloudflare's.

 

First we have to rebuild nginx with the REAL IP module:

 

portsnap fetch update

cd /usr/ports/www/nginx

make config build reinstall clean

 

In the configuration screen navigate to the REAL IP module with down arrow and mark it for installation with the space bar. Then press enter to proceed with the building.

 

Once it's finished we can add the following lines in /usr/local/etc/nginx/nginx.conf in the http part:

 

        # Cloudflare edge ranges as published when this was written; the list changes,
        # so refresh it from https://www.cloudflare.com/ips/ before copying it.
        set_real_ip_from   204.93.240.0/24;
        set_real_ip_from   204.93.177.0/24;
        set_real_ip_from   199.27.128.0/21;
        set_real_ip_from   173.245.48.0/20;
        set_real_ip_from   103.21.244.0/22;
        set_real_ip_from   103.22.200.0/22;
        set_real_ip_from   103.31.4.0/22;
        set_real_ip_from   141.101.64.0/18;
        set_real_ip_from   108.162.192.0/18;
        set_real_ip_from   190.93.240.0/20;
        set_real_ip_from   188.114.96.0/20;
        set_real_ip_from   197.234.240.0/22;
        set_real_ip_from   198.41.128.0/17;
        set_real_ip_from   162.158.0.0/15;
        set_real_ip_from   2400:cb00::/32;
        set_real_ip_from   2606:4700::/32;
        set_real_ip_from   2803:f800::/32;
        set_real_ip_from   2405:b500::/32;
        set_real_ip_from   2405:8100::/32;
        # Header in which Cloudflare sends the visitor's address; only honoured
        # when the connecting peer is inside one of the ranges above.
        real_ip_header     CF-Connecting-IP;
 
Thereafter, we can restart nginx:
 
service nginx restart
 
Our visitors will appear with their real IP in the server logs now. If you are writing php code, remember to use $_SERVER["HTTP_CF_CONNECTING_IP"] instead of $_SERVER["REMOTE_ADDR"] to get the user's real IP.
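
Why the set_real_ip_from list matters, and why reading $_SERVER["HTTP_CF_CONNECTING_IP"] blindly is risky: the header is only trustworthy when the connection actually came from a Cloudflare edge. Anyone who finds the origin address can connect directly and send any CF-Connecting-IP they like. The following added example (mine, not from the post) reproduces the real_ip module's decision in Python using the ranges listed above, which are assumed to be refreshed from https://www.cloudflare.com/ips/ since the published list changes; the sample requests are constructed.

```python
import ipaddress

# Edge ranges exactly as listed in the post above. Assumption: the reader refreshes
# them from https://www.cloudflare.com/ips/ before relying on them.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "204.93.240.0/24", "204.93.177.0/24", "199.27.128.0/21", "173.245.48.0/20",
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "162.158.0.0/15",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32", "2405:8100::/32",
)]


def from_cloudflare(peer_addr):
    """True when the TCP peer is a Cloudflare edge (what set_real_ip_from checks)."""
    addr = ipaddress.ip_address(peer_addr)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def client_ip(peer_addr, headers):
    """Resolve the visitor address the way nginx's real_ip module does.

    Only a Cloudflare edge is allowed to assert CF-Connecting-IP. Anyone who
    reaches the origin directly (leaked address, port scan) can send the header
    too, so for such peers it is ignored and the socket address is used instead.
    """
    if not from_cloudflare(peer_addr):
        return peer_addr
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    if claimed is None:
        return peer_addr
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return peer_addr   # garbage in the header: never log it as an address


# Constructed requests: (peer socket address, request headers)
SAMPLE_REQUESTS = [
    ("173.245.48.5", {"CF-Connecting-IP": "198.51.100.7"}),     # via Cloudflare
    ("2400:cb00::1", {"cf-connecting-ip": "2001:db8::1"}),       # via Cloudflare, IPv6
    ("198.51.100.9", {"CF-Connecting-IP": "127.0.0.1"}),         # direct hit, forged header
    ("173.245.48.5", {"CF-Connecting-IP": "1.2.3.4, evil"}),     # via Cloudflare, malformed
]


def resolve_all(requests=SAMPLE_REQUESTS):
    """Client address decided for each sample request, in order."""
    return [client_ip(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for (peer, _), ip in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={peer:14} client={ip}")
```

from_cloudflare() is also the test to put in the origin's packet filter: if only Cloudflare edges may reach ports 80 and 443, a leaked origin address no longer lets an attacker skip the proxy, and the PHP shortcut from the post becomes safe because no other peer can deliver the header.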

You should add this:

if ($http_user_agent ~* wordpress) {   # case-insensitive match on the User-Agent header
        return 403;
}

to your nginx, otherwise Cloudflare will be useless against XML-RPC attacks. Even the Browser check won't block all of the requests.

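The rule above turns every request whose User-Agent contains "wordpress" into a 403. The added example below (mine, not from the reply) shows what that rule matches against realistic traffic and how to tell a pingback reflection flood from a stray WordPress fetch: it parses constructed nginx combined-format log lines, applies the same case-insensitive test, and flags a burst of distinct reflecting blogs. Log lines, addresses and thresholds are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed nginx "combined" log lines (documentation addresses): a burst of
# WordPress pingback verifications from many blogs plus two ordinary visitors.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2016:13:55:36 +0000] "GET / HTTP/1.0" 200 5124 "-" "WordPress/4.5.3; http://blog-a.example; verifying pingback from 203.0.113.9"
198.51.100.5 - - [10/Oct/2016:13:55:36 +0000] "GET / HTTP/1.0" 200 5124 "-" "WordPress/4.4.2; http://blog-b.example; verifying pingback from 203.0.113.9"
192.0.2.77 - - [10/Oct/2016:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 5124 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
198.51.100.6 - - [10/Oct/2016:13:55:37 +0000] "GET / HTTP/1.0" 200 5124 "-" "WordPress/4.6; http://blog-c.example; verifying pingback from 203.0.113.9"
198.51.100.7 - - [10/Oct/2016:13:55:38 +0000] "GET / HTTP/1.0" 200 5124 "-" "WordPress/4.5.3; http://blog-d.example; verifying pingback from 203.0.113.9"
198.51.100.8 - - [10/Oct/2016:13:55:38 +0000] "GET /?123 HTTP/1.0" 200 5124 "-" "WordPress/4.6; http://blog-e.example; verifying pingback from 203.0.113.9"
192.0.2.78 - - [10/Oct/2016:13:55:39 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
198.51.100.9 - - [10/Oct/2016:13:55:40 +0000] "GET / HTTP/1.0" 200 5124 "-" "WordPress/4.6; http://blog-f.example; verifying pingback from 203.0.113.9"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
WORDPRESS_UA = re.compile(r"wordpress", re.IGNORECASE)   # same test as nginx "~* wordpress"
PINGBACK_SRC = re.compile(r"verifying pingback from (\S+)")


def parse_line(line):
    """One combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def would_block(entry):
    """What the suggested nginx rule does: 403 for any User-Agent containing 'wordpress'."""
    return WORDPRESS_UA.search(entry["ua"]) is not None


def pingback_burst(entries, window=timedelta(seconds=10), threshold=5):
    """True if at least `threshold` distinct WordPress reflectors hit within `window`."""
    hits = sorted((e for e in entries if would_block(e)), key=lambda e: e["time"])
    for i, first in enumerate(hits):
        reflectors = {first["ip"]}
        for later in hits[i + 1:]:
            if later["time"] - first["time"] > window:
                break
            reflectors.add(later["ip"])
        if len(reflectors) >= threshold:
            return True
    return False


def analyse(log_text=SAMPLE_LOG):
    """Summarise what the UA rule would block and whether it looks like a reflection."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    blocked = [e for e in entries if would_block(e)]
    # The UA names the address that submitted the pingback.ping call: that is the
    # party driving the reflection, not the blogs whose addresses fill the log.
    submitters = {m.group(1) for e in blocked
                  for m in [PINGBACK_SRC.search(e["ua"])] if m}
    return {
        "total": len(entries),
        "blocked": len(blocked),
        "reflectors": len({e["ip"] for e in blocked}),
        "submitters": sorted(submitters),
        "attack": pingback_burst(entries),
    }


if __name__ == "__main__":
    print(analyse())
```

The same User-Agent is sent by any WordPress site fetching from yours, including legitimate pingback verification of links to your posts, so the rule silences those too; the burst check is the more selective signal if you want to alert rather than block outright.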
You won't find anything like Cloudflare at these prices. But I suggest hosting on a DDoS-protected server anyway, because Cloudflare is great when coupled with a DDoS mitigation system: Cloudflare works best against Layer 7 attacks, while DDoS mitigation systems mostly work on Layer 4.

 

 

Shogun, maybe you can make a guide on how to protect against vulnerabilities like SQL injection and XSS?

 

Why not just search on Google? There are plenty of them.
