Shogun, posted May 16, 2014 (edited):

Hi guys,

Today I will show you how to use the popular Cloudflare solution to add an extra layer of security to your website. The best thing about it: it's free if you don't want to spend on the paid plans.

I will assume that you already have a website online and working, and your own domain name (if you don't have one, I recommend EasyDNS).

The first step will be to sign up on the Cloudflare website. Registration is straightforward so I won't go into details about it.

Once your account is created, it's time to add your website on the Dashboard:

Cloudflare will scan your current DNS records for the domain.

Once scanned, we can review our DNS records. You will be able to change them at any time later. Just for this feature alone, it's worth using the service:

We can choose whether a domain or subdomain should be filtered through Cloudflare. When the little cloud is grey, Cloudflare will simply act as a DNS server forwarding users to your server. When it's orange, we gain a series of security and performance features, even with the free plan. One worth noting is that your IP becomes private so your real location and hosting provider cannot be found. This is a great privacy enhancement!

Is it worth paying for the paid plans?
Depends. If you expect large attacks and don't have DDoS protection on your website host, you should definitely go for the business plan. Otherwise, free or pro will do.

Why use it if I already have DDoS protection on my server?
Well, some extra security isn't a bad idea. Usually DDoS mitigation systems such as those offered by OVH or Solarcom filter mostly Layer 4 attacks, while Cloudflare works better with Layer 7 attacks. Therefore they complement each other.

The final step to let Cloudflare take control of our domain records is to change the name servers. This is usually done in the control panel of the provider where you bought your domain name, in my case EasyDNS:

Finally your site is added but it will take some hours -might even be a day or two- before the name server and DNS changes are in effect, and it's time for me to stop writing this tutorial temporarily. In the next post I will explain which are the best settings to choose among the many offered by Cloudflare.

To be continued.

Edited August 18, 2022 by Metin2 Dev
Despero, posted May 16, 2014 (edited):

Thanks. How can I make this?

Edited August 18, 2022 by Metin2 Dev

Shogun, posted May 16, 2014:

I will explain in the next post.

Metin2 Dev, posted May 16, 2014:

Cloudflare is by far the safest way to protect your website; they even have a free package to get started.

Despero, posted May 16, 2014:

> I will explain in the next post

thanks nice men

Stefan, posted May 16, 2014:

Thx for info. I have just set it for my website :)
Shogun, posted May 17, 2014 (edited):

In this second part of the tutorial I will show you how to take advantage of Cloudflare options to speed up or protect your website.

The first thing that you should be aware of is the "I'm under attack" mode. This mode inspects every incoming request for malicious traffic, showing a captcha to the suspicious users to confirm they are human. This will block pretty much any Layer 7 DDoS attack going against your site.

Why not leave this mode on permanently? Well, some websites do this but in my eyes it's not a good idea to make every user go through the inspection process. You may also be punished on your Google ranking for this, so I suggest enabling it only when you are actually getting attacked.

Another security feature found in the settings is this one. I tend to leave this always on as I haven't heard of any false positives.

Finally, for the experts, we have the Web Application Firewall, which is only available for paying customers. I think it's worth paying the Pro subscription for this feature as it will watch over SQL injections and other security vulnerabilities for us. If we have a custom made website which has not been tested thoroughly for security, this is a must have.

We can manage the firewall by turning rules on and off and watch for false positives in the Events screen which will show us every IP which has been challenged or blocked. It's recommended to have some knowledge of programming and security to make the most out of this feature.

Remember that you can always turn features on or off for a specific part of your site by using the Page Rules option in the Dashboard.

And this is all about the security features in Cloudflare. You can ask any question about it here and I will try to answer when I have time. Please do not PM me with questions related to this or any other of my tutorials or releases.

Edited August 15, 2022 by Metin2 Dev
Shogun, posted May 20, 2014:

In the third part of this tutorial we will learn how to see the user's original IP on nginx logs instead of Cloudflare's.

First we have to rebuild nginx with the REAL IP module:

    portsnap fetch update
    cd /usr/ports/www/nginx
    make config build reinstall clean

In the configuration screen navigate to the REAL IP module with down arrow and mark it for installation with the space bar. Then press enter to proceed with the building.

Once it's finished we can add the following lines in /usr/local/etc/nginx/nginx.conf in the http part:

    set_real_ip_from 204.93.240.0/24;
    set_real_ip_from 204.93.177.0/24;
    set_real_ip_from 199.27.128.0/21;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    real_ip_header CF-Connecting-IP;

Thereafter, we can restart nginx:

    service nginx restart

Our visitors will appear with their real IP in the server logs now.

If you are writing php code, remember to use $_SERVER["HTTP_CF_CONNECTING_IP"] instead of $_SERVER["REMOTE_ADDR"] to get the user's real IP.
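Added example, not part of the original thread and not Cloudflare's or nginx's own code: a client that connects straight to the server can send its own CF-Connecting-IP header, so the PHP value from the post above is only trustworthy when the TCP peer is one of the listed proxy ranges. The code below applies the same trust rule as set_real_ip_from inside PHP. TRUSTED_PROXIES, ip_in_cidr and client_ip are hypothetical names, the ranges are a subset copied from the post, and the sample requests are constructed.

```php
<?php
// Added example: honour CF-Connecting-IP only when the TCP peer is a listed proxy range.
// Ranges below are a subset copied from the post; keep the list current in real use.
const TRUSTED_PROXIES = [
    '173.245.48.0/20', '103.21.244.0/22', '141.101.64.0/18',
    '108.162.192.0/18', '162.158.0.0/15', '2400:cb00::/32', '2606:4700::/32',
];

// True if $ip lies inside $cidr; works for IPv4 and IPv6.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4 compared with IPv6
    }
    $full = intdiv((int) $bits, 8);   // whole bytes covered by the prefix
    $rest = ((int) $bits) % 8;        // leftover bits in the following byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// Resolve the visitor address from a $_SERVER-style array.
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer   = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr) && filter_var($header, FILTER_VALIDATE_IP) !== false) {
            return $header; // peer is a listed proxy and the header is a valid IP
        }
    }
    return $peer; // direct connection: a client-supplied header is ignored
}

// Constructed sample requests: one through a listed range, one direct with a forged header.
var_dump(client_ip(['REMOTE_ADDR' => '173.245.52.10', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7']));
var_dump(client_ip(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CF_CONNECTING_IP' => '10.0.0.1']));
```

When nginx already rewrites the address with the realip module as configured above, REMOTE_ADDR is the visitor's address, falls outside the listed ranges, and is returned unchanged.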
.CHHorny, posted May 21, 2014:

You should add this:

    if ($http_user_agent ~* <span class="searchlite">wordpress</span>){ return 403; }

to your nginx, otherwise Cloudflare will be useless against XML-RPC attacks. Even the Browser check won't block all of the requests.

Shogun, posted May 21, 2014:

There's a WAF rule that does though. Thanks for pointing it out!

.CHHorny, posted May 21, 2014:

Sure there is, but not even 5% of the servers bought Cloudflare Pro+. But when they find out your real IP, you are protected from this attack too.

Shogun, posted May 21, 2014:

I tried your code in both http and server location but nginx refuses to start.

.CHHorny, posted May 21, 2014:

    if ($http_user_agent ~* wordpress){ return 403; }

Don't know why the code option shows it so.

Shogun, posted May 21, 2014:

Thanks, it worked now.
Night, posted May 23, 2014:

Great tuto, but is Cloudflare the best in website protection?

Shogun, posted May 23, 2014:

You won't find anything like Cloudflare at these prices. But I suggest hosting on a DDoS protected server anyway because Cloudflare is great when coupled with a DDoS mitigation system, as CF works best with Layer 7 attacks while DDoS mitigation systems work on Layer 4 mostly.

Aemon, posted January 2, 2015:

Can you re-make the tut? We can't see pictures.

Aurora, posted April 5, 2015:

Shogun, maybe you can make a guide how to protect against vulnerabilities like SQL injections, XSS?

Izaya, posted April 5, 2015:

> Shogun, maybe you can make a guide how to protect against vulnerabilities like SQL injections, XSS?

Why just not search on Google? There are plenty of them.

phayara, posted April 5, 2015:

Please reupload images.

Metin2Place, posted November 15, 2015:

Please reupload images.