Get the most out of your Centmin Mod LEMP stack
Become a Member

What's the BEST practice to fully hide our origin server IP when using Cloudflare?

Discussion in 'System Administration' started by rdan, Jun 2, 2021.

  1. rdan

    rdan Well-Known Member

    5,074
    1,253
    113
    May 25, 2014
    Ratings:
    +1,905
    Local Time:
    8:17 AM
    Mainline
    10.2
    I've just found out my server IP is still leaking on shodan.io :/.
    Now sure how they got my IP?

    I'm not using Letsencrypt, just using CF own certificate.
    No other domain is hosted on the server.


    Maybe removing port 80 and 443 on CSF TCP_IN and OUT?
    Or I'll just use Cloudflare Authenticated Origin Pulls

    Anything else? :|
     
  2. rdan

    rdan Well-Known Member

    5,074
    1,253
    113
    May 25, 2014
    Ratings:
    +1,905
    Local Time:
    8:17 AM
    Mainline
    10.2
  3. eva2000

    eva2000 Administrator Staff Member

    47,223
    10,673
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,582
    Local Time:
    10:17 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Nope that is my HTTP forward proxy DDOS protected VPS server for Xenforo image proxy to prevent server IP leakage :D

    Xenforo config has an option to setup a HTTP forward proxy server for Xenforo image proxy & link protection
     
  4. rdan

    rdan Well-Known Member

    5,074
    1,253
    113
    May 25, 2014
    Ratings:
    +1,905
    Local Time:
    8:17 AM
    Mainline
    10.2
    I already have that setup several years ago after xenforo introduce it.

    But it displays the forum correctly.

    Please remove if it's not allowed here.
     
    Last edited by a moderator: Jun 3, 2021
  5. eva2000

    eva2000 Administrator Staff Member

    47,223
    10,673
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,582
    Local Time:
    10:17 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    I see what you mean by that!
     
  6. rdan

    rdan Well-Known Member

    5,074
    1,253
    113
    May 25, 2014
    Ratings:
    +1,905
    Local Time:
    8:17 AM
    Mainline
    10.2
    And I'm not really sure how they got your IP.
    And mine too... :unsure:
     
  7. eva2000

    eva2000 Administrator Staff Member

    47,223
    10,673
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,582
    Local Time:
    10:17 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    They get it from Xenforo image proxy, it's not meant to mask the IP but to provide a IP different from your real server IP when queried.
     
  8. Rake-GH

    Rake-GH Premium Member Premium Member

    174
    89
    28
    Jul 29, 2019
    USA
    Ratings:
    +136
    Local Time:
    8:17 PM
    default
    default
    Make sure your HTTP outgoing proxy for Xenforo is set to be anonymous, or else it forwards the source IP in the header

    Make sure your reverse lookup PTR record is not obviously connected to your site

    That's all I can think of
     
  9. rdan

    rdan Well-Known Member

    5,074
    1,253
    113
    May 25, 2014
    Ratings:
    +1,905
    Local Time:
    8:17 AM
    Mainline
    10.2
    Yes it's done already.
    Maybe, but my server don't have a custom set (just the default hostname from provider) just to avoid this issue.

    Hmmm.