Swag only allow cloudflare IP

LSIO Discussion Container Support
,
1

I am using Cloudflare as a proxy for all of my containers. I’d like to be able to block all non-Cloudflare IP’s. In a non-Docker system, I would use UFW and deny all with a script running to pull the IP list from cloudflare.com/ips to whitelist 443 incoming.

Given docker messes up your ability to use UFW and IPTables, what method would you recommend to block traffic. I know Swag has fail2ban built in, but I haven’t come up with a method to use it to restrict to Cloudflare and update the IP ranges regularly.

1 Like
2

Answering my own question here. I opted to go with Cloudflare authenticated origin. The link explains and has the cert you’ll need.
https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull#certificate-value

Create the .crt file (I just created it at the base of my SWAG config folder) you can get from the above link. Then, in the ssl.conf file, add the following line:

client certificate

ssl_client_certificate /config/cloudflare.crt;
ssl_verify_client on;

I added it just after the Certificates section and the Diffie-Hellman Paramters sections.

Now, using the cloudflare instructions, turn on Authenticated Origin Pulls. Now Cloudflare handshakes with their key and your Swag. If you attempt to contact your swag server bypassing the Cloudflare proxy, you get a 400 error.

3

This is a bit over my head, so hopefully my question makes sense.

My NAT doesn’t support hairpinning, so I have added CNAME records to my LAN’s DNS server so LAN clients can access the Swag services by their public hostnames, so they use HTTPS. If I understand this correctly that wouldn’t work anymore, since my LAN client wouldn’t have a Cloudflare client cert obviously.

Is there a way to do this where clients on the same network as the SWAG server are allowed access?

4

To answer my own question it looks like no, unless someone else knows more: Authenticated Origin Pulls from inside network - Security - Cloudflare Community

5

I ended up using fail2ban. Cloudflare has a cert that they will always present to your origin server. Download the origin cert to your swag config.

Changes in ssl.conf to require cloudflare cert along with an error log of failed requests.

client certificate

ssl_client_certificate /config/cloudflare.crt;
ssl_verify_client on;
error_log /config/log/nginx/cert.log info;

Then create fal2ban filter:

[Definition]

failregex = client sent no required SSL certificate while reading client request headers, client:

ignoreregex =

Now create rule in jail.local. Be sure to exclude the Cloudflare IP ranges.

enabled = true
port = http,https
filter = ssl-origin
logpath = /config/log/nginx/cert.log
maxretry = 1
findtime = 43200
bantime = -1
ignoreip = 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22

Now your server will serve an error if you attempt to bypass cloudflare. When it does, it automatically bans that IP.

6

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.