CloudFlare

Faskis
Junior Member
Posts: 2
Joined: 15 Mar 2013, 21:00

CloudFlare

Post by Faskis »

I've seen some minor discussion about CloudFlare here on these forums, but haven't really seen any working solutions, especially for what I'm trying to do. Right now, I'm having two issues with the setup between CSF and CloudFlare.

The first issue is, we use csf.allow to whitelist for non-standard ports (WHM/cPanel, FTP, SSH, etc.), but with CloudFlare, we end up having to whitelist those IPs as well (which doesn't affect us for the most part). The issue with it is that it gives them access to areas such as WHM/cPanel if the user is using the domain. I've tried restricting CloudFlare's ranges to only work for port 80; however, whenever I try doing that, the site no longer works.

This is what was tried:

d=80:s=204.93.240.0/24

If the syntax is incorrect, please do let me know.


My second issue is that I'm trying to restrict port 80/443 to only whitelisted traffic (i.e., CloudFlare). This would help protect us against the majority of the Apache-based attacks we receive (which happen nearly daily). Whenever I remove port 80 and 443 from TCP-In in the configuration, about half of our users (several hundred) are unable to connect to the site. I've ensured that the CloudFlare proxy IP that they get assigned is whitelisted in csf.allow, but even when they're in the same range as someone else (who is able to connect), they're unable to connect.




Any help in this matter would be greatly appreciated.
Faskis

Re: CloudFlare

Post by Faskis »

An update on this, particularly in regards to the second issue:

It seems this is only happening to UK traffic. If ports 80 and 443 aren't open to all traffic, they become unable to connect. Based on the messages log, they're more or less bypassing the CloudFlare proxy and trying to access the site directly. I know a couple of users had the server IP set in their hosts file, but even after that was removed, they were still unable to connect.
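The following is an added example, not part of the original posts and not code from CSF or CloudFlare. It builds per-port allow lines for a proxy range in the pipe-separated advanced filter form of csf.allow, then counts blocked web-port connections per source that fall outside that range, which is what clients reaching the origin directly look like in the messages log. Assumptions: the only range used is the one quoted in the post, the log lines are constructed with documentation addresses, and the names `allow_rules` and `direct_hits` are hypothetical.

```python
import ipaddress
import re

# Range quoted in the post; a real list would hold every range the proxy publishes.
PROXY_RANGES = [ipaddress.ip_network("204.93.240.0/24")]
WEB_PORTS = (80, 443)

def allow_rules(ranges=PROXY_RANGES, ports=WEB_PORTS):
    """Build csf.allow advanced-filter lines: protocol|direction|d=port|s=source."""
    return [f"tcp|in|d={port}|s={net}" for net in ranges for port in ports]

# SRC=, PROTO= and DPT= are the iptables LOG fields written to the kernel log.
LOG_FIELDS = re.compile(r"SRC=(?P<src>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")

def direct_hits(log_lines, ranges=PROXY_RANGES, ports=WEB_PORTS):
    """Count blocked web-port connections per source outside the proxy ranges."""
    hits = {}
    for line in log_lines:
        m = LOG_FIELDS.search(line)
        if not m or int(m["dpt"]) not in ports:
            continue  # not a TCP entry, or not aimed at a web port
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field
        if not any(src in net for net in ranges):
            hits[str(src)] = hits.get(str(src), 0) + 1
    return hits

# Constructed sample log lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = [
    "Mar 16 10:01:02 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51514 DPT=80",
    "Mar 16 10:01:05 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51520 DPT=443",
    "Mar 16 10:02:11 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
    "SRC=204.93.240.15 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=2087",
    "Mar 16 10:03:40 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
    "SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33810 DPT=22",
]

if __name__ == "__main__":
    print("\n".join(allow_rules()))
    for src, count in direct_hits(SAMPLE_LOG).items():
        print(f"{src} reached the origin directly {count} time(s)")
```

A source that shows up in `direct_hits` is resolving the domain to the server address rather than to the proxy, so the next places to look are that client's DNS answers and any cached records.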