Cloudflare Stop serving SSL cert during direct IP Access

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Rake-GH, Sep 10, 2019.

  1. Rake-GH

    My main goal is to stop serving the SSL cert when connecting via https://IP_address

    Why? Because I need to hide my origin IP, and currently when you connect to https://ipaddress it serves the certificate for my domain, which is invalid but still lists the domain name, so people can trace my domain to the origin, like what Censys does.

    In CSF I want to block port 443 to all IP addresses except for Cloudflare.

    My csf.allow includes all Cloudflare ranges listed like so:
    Code:
    tcp|in/out|d=80,443|s=173.245.48.0/20 # cloudflare
    My csf.deny includes this:
    Code:
    tcp|in/out|d=80,443|s=0.0.0.0/0 # block all connections to port 80/443, except cloudflare which is whitelisted in csf.allow
    This is currently working OK; is this good, bad, or is there a better alternative?
    As long as connection goes through cloudflare on port 80 and 443 everything is working fine. Other ports are not affected by this rule, which is good. All important things are whitelisted.

    I tried a million different ways to block it via nginx rules but could not find anything that worked.
     
  2. Rake-GH

    No matter what kind of deny rules I put in nginx, it always starts the connection by serving the SSL cert; I could not find a way around it.
     
  3. eva2000

    If using Cloudflare, the best way to block all traffic other than Cloudflare is to just whitelist the Cloudflare IPs and block non-Cloudflare at the CSF Firewall level, i.e. once the IPs are whitelisted, remove ports 80 and 443 from TCP_IN and TCP6_IN in /etc/csf/csf.conf and restart CSF (see Firewall Security - CSF Block the SSH Port to All Except the Specific IP's). Then non-Cloudflare IP access will be blocked on ports 80 and 443.
    Then check the system /var/log/messages for all blocked CSF Firewall results for destination ports 80 and 443:
    Code (Text):
    grep 'Firewall' /var/log/messages | egrep 'DPT=80 |DPT=443 '


    As to hiding IP, there's many ways to reveal your IP if it's leaked already unfortunately.
     
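As an added example (not from the thread and not CSF's own code): a small Python model of how CSF evaluates the rules quoted above, so the policy can be checked against sample source addresses before it is deployed. The Cloudflare range is the one quoted in the thread; the admin-host line, the other addresses and the TCP_IN set are constructed, and the model assumes CSF's inbound order of csf.allow first, then csf.deny, then the TCP_IN open-port list.

```python
import ipaddress
import re

# Constructed sample of csf.allow / csf.deny entries in the "advanced" CSF
# format used in the thread. Only the Cloudflare range quoted there is real;
# the admin-host line is made up for illustration.
CSF_ALLOW = """
tcp|in/out|d=80,443|s=173.245.48.0/20 # cloudflare
tcp|in|d=22|s=203.0.113.10 # admin host (constructed example)
"""
CSF_DENY = """
tcp|in/out|d=80,443|s=0.0.0.0/0 # block all to 80/443 except csf.allow entries
"""
# Ports left open in TCP_IN (csf.conf); constructed subset.
TCP_IN = {22, 25, 80, 443}

RULE_RE = re.compile(r"^(tcp|udp)\|(in|out|in/out)\|d=([\d,]+)\|s=([0-9a-fA-F:./]+)")


def parse_rules(text):
    """Turn rule lines into (proto, direction, {ports}, network) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            proto, direction, ports, src = m.groups()
            rules.append((proto, direction,
                          {int(p) for p in ports.split(",")},
                          ipaddress.ip_network(src, strict=False)))
    return rules


def rule_hits(rule, proto, direction, dport, src_ip):
    """True if the rule applies to this protocol, direction, port and source."""
    r_proto, r_dir, r_ports, r_net = rule
    return (r_proto == proto and r_dir in (direction, "in/out")
            and dport in r_ports and ipaddress.ip_address(src_ip) in r_net)


def decide_inbound(src_ip, dport, allow=CSF_ALLOW, deny=CSF_DENY, tcp_in=TCP_IN):
    """Model CSF's inbound order (assumed): csf.allow, then csf.deny, then TCP_IN."""
    if any(rule_hits(r, "tcp", "in", dport, src_ip) for r in parse_rules(allow)):
        return "allow"     # ALLOWIN chain is consulted first
    if any(rule_hits(r, "tcp", "in", dport, src_ip) for r in parse_rules(deny)):
        return "deny"      # DENYIN chain drops before the open-port rules
    return "open" if dport in tcp_in else "drop"
```

Calling `decide_inbound("198.51.100.7", 443, deny="", tcp_in={22, 25})` models the variant in the reply above (no deny line, 80/443 removed from TCP_IN) and also yields a drop for non-Cloudflare sources.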