lee
Cloudflare Developers
Created by lee on 6/11/2024 in #general-help
hostnames for hosts on cloudflared private networks
I'm looking for a sanity check - suppose the following:
- Cloudflare Pro for the relevant zones
- I would have a private network, say 10.0.0.0/24 as an example
- hosts on that network are reachable by IP (and by local DNS, say server1.local for 10.0.0.123)
- a host on said network runs cloudflare to plumb the hosts there

Questions:
- would I be able to configure addressable DNS for them, such that when I go to server1.privatesite.domain.tld for web or ssh, I can reach that server? Behind Cloudflare Access is perfect.
- would I be able to wildcard that sort of access? somehost.privatesite.domain.tld would have the cloudflared host connect to somehost.local.
2 replies
Cloudflare Developers
Created by lee on 1/19/2024 in #general-help
Cloudflare CA deprecated?
We've got multiple domains under different plans (one partial enterprise, most business, the rest free) that are proxied. Many/most of our domains were looking like CN=sni.cloudflaressl.com, CA=Cloudflare Inc - but nowadays we're getting a lot of Google and Let's Encrypt issuances with hostnames as CN. Are the:
Issuer: CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
Issuer: CN=Cloudflare Inc RSA CA-2,O=Cloudflare\, Inc.,C=US
CAs being deprecated? If they're sticking around, we're missing an injected CAA record for it, should we have something?
17 replies
Cloudflare Developers
Created by lee on 12/15/2023 in #general-help
Spiky traffic from an unannounced Cloudflare v6?
My site (on GCP, behind Cloudflare) saw a lot of heavy hits (about 200 in 3 minutes) from 2405:8100:8000:5ca1::1df:bd9b - which appears to be allocated to Cloudflare, but wasn't announced by Cloudflare or any ASN when looking at bgp.he.net. Is this address part of any announced prefix?
1 replies
Cloudflare Developers
Created by lee on 10/13/2023 in #general-help
Page Rules WAF Off doesn't work
Hi friends, I have a zone on the Enterprise Plan, and previously we had some WAF Managed Rules. I recently migrated the zone to the new WAF, and the migration assistant had a few "generated from pagerule" entries that corresponded with some Page Rules I have that skip the WAF. I erroneously believed these exceptions were not necessary because traffic hits Page Rules first before the WAF, and if a pagerule exists to skip the WAF, then ostensibly traffic would never hit the WAF downstream. So I removed the exceptions and carried on... However, this apparently isn't the case, and has been known for a while since the new WAF release (see https://community.cloudflare.com/t/bypass-waf-rule-inbound-anomaly-score-exceeded/278826/2). My question remains: in order to skip the WAF, is the best practice here on out to skip in the WAF and the relevant page rules are now deprecated, or is it the other way around but the WAF exceptions are a temporary mitigation until this long-standing misunderstanding is fixed?
16 replies