Tunnel
Hello, I need help in making a tunnel.
It is assumed that when making a tunnel it only receives traffic from Cloudflare. I already have it installed, as it appears in the dashboard, but it is still possible to attack. Do I need to install something else?
25 Replies
"It is assumed that when making a tunnel it only receives the traffic from Cloudflare"
If you don't have the web server's ports open/forwarded on your machine, and the tunnel is installed, then the only way to access the web server would be via your tunnel, yeah.
"it appears in the dashboard but it is still possible to attack."
What do you mean it's still possible to attack? Attack what, and in what way?
Attack the server. When I put in the IP of the VPS, it keeps receiving the evil traffic.
Close the web server ports, then. If you're using something like UFW, set default deny incoming and don't open those ports.
Cloudflare Tunnel doesn't magically do anything for your security. It's just a service that runs on your VPS, connects out to Cloudflare, and then proxies requests to the services you specify. Since it connects out, you don't need to have any web server ports (usually 80/443) open to incoming traffic externally.
It's not the tunnel receiving traffic directly, it's your web server itself
But if it blocks those ports, how will they enter the machine?
The tunnel is supposed to prevent them from bypassing cloudflare, right?
The tunnel connector (the cloudflared daemon) connects OUT to Cloudflare's edge, and then proxies incoming requests locally to your configured service. If you installed the connector onto the VPS that has the web server (the typical install), then no, you don't need any web server ports open externally.
I mean close all the ports of the vps?
You don't need any open incoming ports for the web server. I wouldn't close all of them; you would want to keep SSH and anything else that you want open, open. But yes, you don't need to have the web server ports (typically 80/443) open.
what should i do here?
So they would be attacking the machine through the ssh port
It's whatever your web server is running on. If you installed the tunnel connector onto the same machine as the web server, it's going to be 127.0.0.1:443 for HTTPS and 127.0.0.1:80 for HTTP, typically.
I have several websites hosted on the vps
Sure, they could still do that if they discovered the machine's real IP (which you would have to leak somehow; CF will hide that with Proxy on). You could use the tunnel with Cloudflare Access or WARP Private Networking for SSH as well, if you wanted.
Do you know that it is possible to skip cloudflare to get the real ip address?
If you set up your origin incorrectly, yeah.
and how is that done then?
Tunnels are really useful and cool, but they're not a one click magical install, and while they can help with security, you can achieve relatively the same level of security by just configuring your Origin correctly.
Your origin's real IP is usually exposed by either DNS history (having it unproxied at one point in time) or scanners like Shodan/Censys, which scan the entire IPv4 space (surprisingly easy) and find your web server responding with a certificate or some other match that exposes it. The bare minimum is only allowing Cloudflare IPs to connect to your web server (something like this UFW script can be helpful: https://github.com/Paul-Reed/cloudflare-ufw) and verifying host headers (the server_name directive in nginx).
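The setup the replies above describe, in one script, as an added example that is not from this thread, from Cloudflare, or from the linked UFW project: cloudflared proxying to a listener on 127.0.0.1 (the 127.0.0.1:80/443 point), and the origin lockdown (allow SSH before default deny, only Cloudflare ranges on 80/443 if the origin is reachable directly, and a catch-all nginx server that refuses requests whose Host/SNI is not one of your sites). The Cloudflare ranges embedded in the script are a constructed sample for offline use; the hostnames, tunnel UUID, ports and file paths are placeholders; and the nginx snippet assumes nginx 1.19.4 or newer for ssl_reject_handshake. The functions only print commands and config so you can review them before applying anything.

```shell
#!/bin/sh
# Added example (not code from the thread). Prints, never applies, the three
# pieces of an origin lockdown for a Cloudflare-fronted VPS:
#   ufw_rules           firewall policy in "tunnel" mode or "proxy" mode
#   nginx_catchall      refuse requests whose Host/SNI is not one of your sites
#   cloudflared_ingress map several public hostnames to the local listener
set -eu

# Constructed sample ranges so this runs offline. For real use fetch the current
# lists each time: https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
SAMPLE_CF_RANGES='173.245.48.0/20
103.21.244.0/22
2400:cb00::/32'

# ufw_rules MODE SSH_PORT [RANGES]
#   tunnel: cloudflared dials out to the edge, so no inbound web port is opened.
#   proxy : the origin is reachable directly, so only the given ranges may hit 80/443.
ufw_rules() {
  mode=$1; ssh_port=$2; ranges=${3:-}
  # SSH first: enabling default deny without this locks you out of a rented VPS.
  echo "ufw allow ${ssh_port}/tcp"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  case $mode in
    tunnel) ;;
    proxy)
      printf '%s\n' "$ranges" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        echo "ufw allow proto tcp from ${cidr} to any port 80,443"
      done ;;
    *) echo "ufw_rules: unknown mode '$mode'" >&2; return 1 ;;
  esac
  echo "ufw --force enable"
}

# nginx_catchall SITE BIND
#   BIND is 127.0.0.1 in tunnel mode (cloudflared is the only client) or 0.0.0.0
#   in proxy mode. The default_server block answers anything that hits the bare IP
#   with no certificate (ssl_reject_handshake) and a closed connection (444), so a
#   scanner cannot match the origin to the site by its TLS certificate.
nginx_catchall() {
  site=$1; bind=$2
  cat <<EOF
server {
    listen ${bind}:80 default_server;
    listen ${bind}:443 ssl default_server;
    ssl_reject_handshake on;
    return 444;
}
server {
    listen ${bind}:80;
    listen ${bind}:443 ssl;
    server_name ${site};
    # ssl_certificate / ssl_certificate_key and the rest of the site config go here
}
EOF
}

# cloudflared_ingress UUID HOST...  -> contents for /etc/cloudflared/config.yml
#   Requests for each hostname arrive through the tunnel and are proxied to the
#   local listener (the Host header is passed through, so server_name still
#   applies). The final catch-all rule is required and 404s unlisted hostnames.
cloudflared_ingress() {
  uuid=$1; shift
  echo "tunnel: ${uuid}"
  echo "credentials-file: /etc/cloudflared/${uuid}.json"
  echo "ingress:"
  for host in "$@"; do
    echo "  - hostname: ${host}"
    echo "    service: http://127.0.0.1:80"
  done
  echo "  - service: http_status:404"
}

# Usage: sh harden_origin.sh --demo   (placeholder UUID and hostnames)
if [ "${1:-}" = "--demo" ]; then
  ufw_rules tunnel 22
  nginx_catchall example.com 127.0.0.1
  cloudflared_ingress 00000000-0000-0000-0000-000000000000 example.com blog.example.com
fi
```

In tunnel mode the web server binds to 127.0.0.1 and no inbound web port exists, so leaking the IP only exposes whatever else is listening (SSH, in this thread). Proxy mode is the fallback for a server that must stay directly reachable; the range list changes over time, so regenerate the rules from the live list rather than pasting it once.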
Perfect, do you do the job of installing everything? Clearly with remuneration?
Nah sorry, not for hire. I believe fiverr or upwork are where you could find people to hire and help you with your setup, no personal experience with them though. I'm happy to answer questions about best setup and such, but of course can't guide you through every step: https://developers.cloudflare.com/fundamentals/get-started/task-guides/origin-health/free/
I understand, don't worry. One last thing:
Do I have to put the same command or replacing my ip address?
The point of that rule is to avoid locking yourself out; in that case they were securing a VPS on their own local network. If you are securing a rented VPS and haven't used UFW before, just make sure to allow SSH (if using an alternate port, make sure to allow that) and any other software/ports, other than the web server, that you want publicly available.
I mean put my IP address? Excuse me, I'm very stupid haha
Ah, sorry, I wasn't clear: it's not necessary unless your worker is on the local LAN and you want local devices etc. to be able to access it. My advice was just to make sure you are allowing everything you need public (SSH, potentially any other programs like game servers, etc.) through.