Learn about Centmin Mod LEMP Stack today
Become a Member

Cloudflare Cloudflare users: check to see if your origin server's IP address is exposed

Discussion in 'Domains, DNS, Email & SSL Certificates' started by deltahf, Feb 24, 2019.

  1. deltahf

    deltahf Premium Member Premium Member

    Jun 8, 2014
    Local Time:
    5:35 PM
    I read this article about how to find a site's origin server if it is using Cloudflare with Censys.io. I would encourage all Cloudflare users who want to protect their origin IP to give it a try right now.

    Of course, my own domain was the first thing I checked, and sure enough, an SSL certificate has exposed my origin IP. I've been very careful to not expose my origin IP since I last moved servers (while staying behind Cloudflare), so this is really quite a bummer. Adding insult to injury, it was exposed by a Cloudflare Origin Certificate that I used to set up Authenticated Origin Pulls.

    Ugh! :mad:

    Correct me if I'm wrong, but does this mean there is no way to completely hide my origin IP while using Authenticated Origin Pulls?
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    7:35 AM
    Nginx 1.25.x
    MariaDB 10.x
    It's a known issue with Censys.io but rarely talked about unfortunately. If folks really want to spend time digging they will find it. The usual methods of hiding origin IP are just to protect from the usual attacks or automated methods.

    Cloudflare Argo Tunnels is one way of completely hiding origin IPs but it's expensive as you need to enable Cloudflare Argo. The other way is setup your own remote Gre tunnels via a separate DDOS protected server. Which is what I do via BuyVM.net KVM VPS with 500+ Gbps DDOS protection. And/or you can get origin server which already has native DDOS protection before Cloudflare.

    Pricing for Cloudflare Argo https://support.cloudflare.com/hc/en-us/articles/115000224192

    That means Cloudflare Argo costs around US$100/TB per month + US$5/month and it has to be enabled on all Cloudflare Orange cloud protected domains/subdomains under the single domain. It can't be selectively enabled.

    Double edge sword, Cloudflare Authenticated Origin Pulls still protect you if they're trying to do Layer 7 application level attacks as even if they know your real IP, trying to connect to your site/web app by bypassing Cloudflare won't work as your origin Centmin Mod Nginx with be verifying the Cloudflare Origin SSL cert to allow access only to Cloudflare connections. But it does mean other attacks at network level are possible with origin IP knowledge.