Tuning the server exclusively for Cloudflare

Discussion in 'System Administration' started by Eduardo, Dec 2, 2019 at 10:30 AM.

  1. Eduardo

    Eduardo Member

    Hello,

    I'm working on my server to only allow my sites through Cloudflare using authenticated origin pulls; now I want to block everything/everyone that isn't Cloudflare or myself using SSH.

    How to do it in the right way?

    My thinking:
    1) allow only TLS 1.3 in nginx
    2) create rules in nginx to block all IPv4/IPv6 addresses and only allow CF IPs
    3) remove all ports in CSF leaving: TCP in/out: 80, 443, 12345 (my SSH port) and removing all UDP ports

    Am I missing something else? Should I block IPs in nginx or directly in CSF/iptables?

    Thank you
     
  2. eva2000

    eva2000 Administrator Staff Member

    First, ensure Centmin Mod Nginx is set up to detect real IP addresses behind Cloudflare. For my Centmin Mod Nginx users I wrote a specific guide, including a script to auto-generate the latest Cloudflare IPs for the configuration, at Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS

    If using Centmin Mod 123.09beta01 or newer branches, the generated Nginx vhost already has an automated script set up to pull the latest Cloudflare IPs for CSF Firewall whitelisting, outlined here. The generated Nginx vhost will have an include file /usr/local/nginx/conf/cloudflare.conf that is prepopulated with Cloudflare IPs pulled in via a cronjob you set up manually, as outlined here.
    Code (Text):
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
    

    Cronjob you set up manually, once only:
    Code (Text):
    23 */36 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1
    


    Then ensure you whitelist your ISP IP address in CSF Firewall
    Code (Text):
    csf -a youripaddress

    Add the IP to /etc/csf/csf.ignore as well.

    Then back up the CSF Firewall config, naming the backup profile b4-cfsecurity
    Code (Text):
    csf --profile backup b4-cfsecurity


    Then just remove ports 80 and 443 only from the TCP_IN/TCP6_IN whitelisted ports in CSF Firewall's /etc/csf/csf.conf config file. Don't remove all ports, as you may not be able to update Centmin Mod if you do.

    Then restart CSF Firewall
    Code (Text):
    csf -ra

    Then keep the existing SSH client window session connected and try a second new SSH connection to the server to make sure you can still SSH into the server properly. If you can't connect, then use the existing connected SSH client window session to reverse and fix the changes you made.
     
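An added example (my own script, not Centmin Mod's csfcf.sh or the forum's code) showing the two artifacts the steps above depend on: the nginx real-IP include that cloudflare.conf provides, and CSF csf.allow entries that open 80/443 only to Cloudflare ranges once those ports are dropped from TCP_IN/TCP6_IN, plus a check that TCP_IN no longer lists them. The CIDR ranges are constructed samples, not Cloudflare's published list, and the function names are mine.

```shell
# Constructed sample ranges, NOT Cloudflare's real list: in production feed this
# script the output of https://www.cloudflare.com/ips-v4 and /ips-v6 instead.
CF_RANGES_SAMPLE="203.0.113.0/24
198.51.100.0/22
2001:db8:cafe::/48"

# Emit only well-formed IPv4/IPv6 prefixes; a truncated or tampered download
# must not end up as a set_real_ip_from line or a firewall allow rule.
valid_cidrs() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
      printf '%s\n' "$line"
    elif printf '%s\n' "$line" | grep -Eq '^[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'; then
      printf '%s\n' "$line"
    else
      printf 'skipping invalid entry: %s\n' "$line" >&2
    fi
  done
}

# nginx real-IP include, the role /usr/local/nginx/conf/cloudflare.conf plays:
# trust the proxy ranges and take the client IP from CF-Connecting-IP.
nginx_realip_conf() {
  printf '%s\n' "$1" | valid_cidrs | while IFS= read -r cidr; do
    printf 'set_real_ip_from %s;\n' "$cidr"
  done
  printf 'real_ip_header CF-Connecting-IP;\n'
}

# csf.allow entries opening 80/443 only to those ranges, which is what makes
# removing 80,443 from TCP_IN/TCP6_IN in csf.conf safe for the site.
csf_allow_entries() {
  printf '%s\n' "$1" | valid_cidrs | while IFS= read -r cidr; do
    printf 'tcp|in|d=80|s=%s # cloudflare\n' "$cidr"
    printf 'tcp|in|d=443|s=%s # cloudflare\n' "$cidr"
  done
}

# Returns 1 if the TCP_IN line still opens 80 or 443 to everyone, in which
# case the per-range allow rules above buy nothing.
tcp_in_closed_for_web() {
  ports=$(printf '%s\n' "$1" | sed -n 's/^TCP_IN *= *"\(.*\)"/\1/p' | tr ',' '\n')
  for p in $ports; do
    [ "$p" = "80" ] && return 1
    [ "$p" = "443" ] && return 1
  done
  return 0
}
```

Run `nginx_realip_conf "$CF_RANGES_SAMPLE" > cloudflare.conf` and `csf_allow_entries "$CF_RANGES_SAMPLE" >> /etc/csf/csf.allow`, then `csf -ra`, keeping a second SSH session open as described above.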
  3. Eduardo

    Eduardo Member

  4. eva2000

    eva2000 Administrator Staff Member

    Yeah, those are still valid ports.

    CSF Firewall supports whitelisting dynamic ISP addresses via dynamic hostname setups too. See the CSF Firewall section titled How To Whitelist ISP Dynamic IP Address In CSF Firewall? Or use a dedicated VPN IP to whitelist too, just as an added precaution.
     
  5. Eduardo

    Eduardo Member

    I'm using AWS and every bit is charged (in AWS Brazil we pay 25c per GB of traffic); that's why I'm looking for ideas on how to harden my server against sniffers, scanners and DoS from competitors.
    Thanks for the help.
     
  6. eva2000

    eva2000 Administrator Staff Member
