CloudFlare
Posted: 15 Mar 2013, 21:19
I've seen some minor discussion about CloudFlare here on these forums, but haven't really seen any working solutions, especially for what I'm trying to do. Right now, I'm having two issues with the setup between CSF and CloudFlare.
The first issue is, we use csf.allow to whitelist for non-standard ports (WHM/cPanel, FTP, SSH, etc.), but with CloudFlare, we end up having to whitelist those IPs as well (which doesn't affect us for the most part). The issue with it is that it gives them access to areas such as WHM/cPanel if the user is using the domain. I've tried restricting CloudFlare's ranges to only work for port 80, however, whenever I try doing that, the site no longer works.
This is what was tried:
Code:
d=80:s=204.93.240.0/24
If the syntax is incorrect, please do let me know.
My second issue is that I'm trying to restrict port 80/443 to only whitelisted traffic (i.e. CloudFlare). This would help protect us against the majority of the Apache-based attacks we receive (which happen near daily). Whenever I remove port 80 and 443 from TCP-In in the configuration, about half of our users (several hundred) are unable to connect to the site. I've ensured that the CloudFlare proxy IP that they get assigned is whitelisted in csf.allow, but even when they're in the same range as someone else (who is able to connect), they're unable to connect.
Any help in this matter would be greatly appreciated.
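An added example, not part of the original post and not CSF's or CloudFlare's own code: one way to generate port-restricted csf.allow entries for a set of proxy ranges and to check which connecting source IPs fall outside those ranges. Only 204.93.240.0/24 comes from the post; the other ranges and all source IPs are constructed placeholders, and the `|` field separator is an assumption to confirm against the installed CSF version's readme (the post's line uses `:`).

```python
import ipaddress

# 204.93.240.0/24 is the range quoted in the post. The other two are
# documentation-range placeholders, NOT real CloudFlare ranges.
PROXY_RANGES = ["204.93.240.0/24", "198.51.100.0/24", "203.0.113.0/24"]
WEB_PORTS = [80, 443]

# Constructed sample of source IPs, as they might appear in a web server log.
SAMPLE_SOURCES = ["204.93.240.17", "204.93.241.9", "198.51.100.200", "192.0.2.55"]


def csf_allow_lines(ranges, ports, sep="|"):
    """Build one advanced allow filter per (range, port) pair.

    Field order is protocol, direction, d=port, s=source. `sep` is a
    parameter because it is an assumption about the installed CSF version.
    """
    lines = []
    for cidr in ranges:
        # strict=True rejects entries with host bits set, e.g. 204.93.240.1/24
        net = ipaddress.ip_network(cidr, strict=True)
        for port in ports:
            if not 0 < port < 65536:
                raise ValueError(f"bad port: {port}")
            lines.append(sep.join(["tcp", "in", f"d={port}", f"s={net}"]))
    return lines


def uncovered(source_ips, ranges):
    """Return the source IPs that none of the listed ranges contain."""
    nets = [ipaddress.ip_network(cidr) for cidr in ranges]
    missing = []
    for ip in source_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            missing.append(ip)
    return missing


if __name__ == "__main__":
    print("\n".join(csf_allow_lines(PROXY_RANGES, WEB_PORTS)))
    # 204.93.241.9 sits next to the quoted /24 but is not inside it.
    print("not covered:", uncovered(SAMPLE_SOURCES, PROXY_RANGES))
```

Running `uncovered` over the proxy addresses of the users who cannot connect shows whether each one is actually inside a listed range or only adjacent to it.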