How does Cloudflare Authenticated Origin Pull protect the origin server's IP address?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by deltahf, Jul 10, 2018.

  1. deltahf

    I'm moving to a new server and want to do all that I can to protect its IP address. I've also recently configured Cloudflare with my current configuration, and before I move servers I want to set up Cloudflare's Authenticated Origin Pulls with Centminmod.

    From my understanding, Authenticated Origin Pulls ensures the origin server will authenticate every incoming request to verify that it is, in fact, coming from Cloudflare, and ignore/drop the rest.

    That's all well and good and I'm definitely going to use it, but I've seen this feature described as something that will "prevent IP leaks of your backend origin server's IP". From my current understanding of how this feature is described, I don't understand how it could prevent the IP from leaking. Wouldn't outgoing requests from the origin server — like those from XenForo's image proxy — still easily reveal its IP?

    This makes me think I don't understand how Authenticated Origin Pull actually works or what it really does. Can anyone explain or verify this?
     
  2. rdan

    Yes, it drops requests not coming from Cloudflare.

    No, it will not.
    It just prevents requests that bypass Cloudflare.
     
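Added example, not part of any post in this thread and not Centmin Mod's own configuration: an Nginx server block that enforces Authenticated Origin Pulls as described in the two posts above, with the weaker `optional` setting shown beside the enforced one. The hostname and all file paths are placeholders; the CA file is assumed to be the origin-pull CA certificate that Cloudflare publishes in its documentation.

```nginx
server {
    listen 443 ssl;
    server_name forum.example.com;            # placeholder hostname

    # Certificate the origin presents to Cloudflare (placeholder paths).
    ssl_certificate     /etc/nginx/ssl/origin.crt;
    ssl_certificate_key /etc/nginx/ssl/origin.key;

    # CA used to validate the client certificate that Cloudflare presents
    # when it pulls from the origin (placeholder path).
    ssl_client_certificate /etc/nginx/ssl/cloudflare-origin-pull-ca.pem;

    # Weak: "optional" asks for a client certificate but still serves
    # clients that send none, unless every location also checks
    # $ssl_client_verify. Direct-to-IP requests are answered.
    # ssl_verify_client optional;

    # Enforced: requests without a certificate signed by the CA above
    # are rejected with HTTP 400 before they reach the application.
    ssl_verify_client on;

    root /home/nginx/domains/forum.example.com/public;   # placeholder path

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

# Scope: this only filters INBOUND connections. Outbound requests made by
# the application (for example XenForo's image proxy fetching a remote
# image) still leave from this server's IP address, so this setting does
# not stop the IP from being revealed that way.
```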
  3. eva2000

  4. deltahf

    Ah, OK, good to know. Thought I must be really dense! :ROFLMAO:

    @eva2000 What is your recommended proxy configuration for the XF Image Proxy system (to hide origin server IP) these days? I recall you discussed this previously but I can't find that discussion now.
     
  5. eva2000

    You need a separate VPS server running an HTTP forward proxy, i.e. 3proxy, tinyproxy etc., to enable the config.php option to set $config['untrustedHttpClient'] (see: Linode - After changing Linode main server IP, what else do I need to change or check?). Preferably the separate VPS server has native DDoS protection, so the IP used for $config['untrustedHttpClient'], which is leaked on XF image proxy/links, reveals the DDoS-protected IP of the HTTP forward proxy. That's how I have it set up on this forum.

    Config.php Options | XenForo
    XF image proxy is for more than just images
     
  6. Silv3er

    Unmaintained - ImageProxy Host
     
  7. eva2000

    That is for a reverse proxy (hide IP from inbound requests), not a forward proxy (hide IP from outbound requests), which is needed to prevent IP leaks.
     
  8. Silv3er

    Yes, but we can always hide the IP backend to avoid IP leaks from the proxy image. :oops:
     
  9. eva2000

    That's what XenForo's native Image Proxy does already. That linked addon is just for moving the native Image Proxy to a CDN via XenForo Admin instead of via config.php edit.
     