Join the community today
Become a Member

What's the BEST practice to fully hide our origin server IP when using Cloudflare?

Discussion in 'System Administration' started by rdan, Jun 2, 2021.

  1. rdan

    rdan Premium Member Premium Member

    5,301
    1,328
    113
    May 25, 2014
    Ratings:
    +2,052
    Local Time:
    5:38 AM
    Mainline
    10.2
    I've just found out my server IP is still leaking on shodan.io :/.
    Now sure how they got my IP?


    I'm not using Letsencrypt, just using CF own certificate.
    No other domain is hosted on the server.

    Maybe removing port 80 and 443 on CSF TCP_IN and OUT?
    Or I'll just use Cloudflare Authenticated Origin Pulls

    Anything else? :|
     
  2. rdan

    rdan Premium Member Premium Member

    5,301
    1,328
    113
    May 25, 2014
    Ratings:
    +2,052
    Local Time:
    5:38 AM
    Mainline
    10.2
  3. eva2000

    eva2000 Administrator Staff Member

    49,034
    11,234
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,485
    Local Time:
    7:38 AM
    Nginx 1.21.x
    MariaDB 10.x
    Nope that is my HTTP forward proxy DDOS protected VPS server for Xenforo image proxy to prevent server IP leakage :D

    Xenforo config has an option to setup a HTTP forward proxy server for Xenforo image proxy & link protection
     
  4. rdan

    rdan Premium Member Premium Member

    5,301
    1,328
    113
    May 25, 2014
    Ratings:
    +2,052
    Local Time:
    5:38 AM
    Mainline
    10.2
    I already have that setup several years ago after xenforo introduce it.

    But it displays the forum correctly.

    Please remove if it's not allowed here.
     
    Last edited by a moderator: Jun 3, 2021
  5. eva2000

    eva2000 Administrator Staff Member

    49,034
    11,234
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,485
    Local Time:
    7:38 AM
    Nginx 1.21.x
    MariaDB 10.x
    I see what you mean by that!
     
  6. rdan

    rdan Premium Member Premium Member

    5,301
    1,328
    113
    May 25, 2014
    Ratings:
    +2,052
    Local Time:
    5:38 AM
    Mainline
    10.2
    And I'm not really sure how they got your IP.
    And mine too... :unsure:
     
  7. eva2000

    eva2000 Administrator Staff Member

    49,034
    11,234
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,485
    Local Time:
    7:38 AM
    Nginx 1.21.x
    MariaDB 10.x
    They get it from Xenforo image proxy, it's not meant to mask the IP but to provide a IP different from your real server IP when queried.
     
  8. Rake-GH

    Rake-GH Active Member

    178
    91
    28
    Jul 29, 2019
    USA
    Ratings:
    +140
    Local Time:
    5:38 PM
    default
    default
    Make sure your HTTP outgoing proxy for Xenforo is set to be anonymous, or else it forwards the source IP in the header

    Make sure your reverse lookup PTR record is not obviously connected to your site

    That's all I can think of
     
  9. rdan

    rdan Premium Member Premium Member

    5,301
    1,328
    113
    May 25, 2014
    Ratings:
    +2,052
    Local Time:
    5:38 AM
    Mainline
    10.2
    Yes it's done already.
    Maybe, but my server don't have a custom set (just the default hostname from provider) just to avoid this issue.

    Hmmm.