Hide LoadBalancer URL that is behind Cloudflare
Hello,
A noob question:
I've successfully configured Cloudflare to sit in front of our Linode load balancer.
The DNS configuration in Cloudflare looks like
CNAME nb-XX-XXX-XXX-XXX.newark.nodebalancer.linode.com
so our domain looks good at https://mydomain.com/api, which hits that load balancer (SSL configured).
HOWEVER,
anyone can still get to https://nb-XX-XXX-XXX-XXX.newark.nodebalancer.linode.com/api, bypassing Cloudflare...
Is there a way to prevent this? I want to 'hide' all access to my cluster and block any traffic that doesn't come from Cloudflare (mydomain.com).
2 Replies
Hello,
This is a great question!
It is a great idea to use Cloudflare to add a level of protection to your web domain. Even with Cloudflare, there is still no way to fully hide your origin IP address.
Please take a look at this Cloudflare Document about protecting your origin server.
In the link, you can see that when someone requests your hosting information, Cloudflare will provide them with an IP address within their network.
However, if someone learns of your origin server's information, they will still be able to send it traffic. There are additional recommendations from Cloudflare in the above link about taking additional steps!
I hope this information is helpful! If you have any other questions regarding this topic, please message them in this post and someone will be happy to help!
Thanks for the response @brianmont. I figured out the approach that could help with what I want, which is whitelisting Cloudflare's IP addresses. I am using Kubernetes/Docker.
However, I ran into a roadblock using the Linode CCM load balancer and asked this question in Slack but didn't get a response:
Does 'loadBalancerSourceRanges' work with the Linode LoadBalancer? I am trying to hide my load balancer behind Cloudflare, but the load balancer URL can still be accessed directly (via browser, etc.).
I have in my Service: …

```yaml
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 130.211.204.1/32   # example CIDR from the Kubernetes docs page referenced below
    - 173.245.48.0/20    # one of Cloudflare's published IPv4 ranges
```
From the Kubernetes documentation, it looks like I could also use something like this in annotations:

```yaml
service.beta.kubernetes.io/load-balancer-source-ranges: "130.211.204.1/32, 173.245.48.0/20, 103.21.244.0/22"
```
However, neither approach works; I can still access the load balancer directly from an IP that is not whitelisted.
Is this feature supposed to work? If it's not implemented, can it be added to the roadmap?
reference:
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
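Editor's note: the reply above and the follow-up post both come down to the same control, accepting origin traffic only from Cloudflare's published address ranges. The block below is an added example (not code from either poster or from Linode/Cloudflare) of that check done in the application or at the first hop that still sees the real TCP peer. It assumes the embedded CIDR list is a point-in-time snapshot of Cloudflare's published IPv4/IPv6 ranges (refresh it from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 before relying on it) and that the client address arrives in the CF-Connecting-IP header Cloudflare adds to proxied requests. The sample requests at the bottom are constructed, not captured traffic.

```python
"""Origin-side check that a request really arrived via Cloudflare.

Added example, not code from either poster in this thread. Assumptions:
  * CLOUDFLARE_RANGES_SNAPSHOT is a point-in-time copy of Cloudflare's
    published ranges (https://www.cloudflare.com/ips-v4 and /ips-v6);
    refresh it from those URLs rather than trusting this snapshot.
  * The real client address arrives in the CF-Connecting-IP header, which
    Cloudflare adds to proxied requests.
"""
import ipaddress
from typing import Iterable, List, Mapping, Optional, Tuple

# Snapshot of Cloudflare's published IPv4 and IPv6 ranges (assumption: verify
# against the live lists before deploying).
CLOUDFLARE_RANGES_SNAPSHOT = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]


class CloudflareAllowlist:
    """Allow only peers inside the Cloudflare ranges, then recover the client IP."""

    def __init__(self, cidrs: Iterable[str]) -> None:
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def is_cloudflare(self, peer_ip: str) -> bool:
        """True if the TCP peer address belongs to a Cloudflare range."""
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)

    def resolve_client(self, peer_ip: str, headers: Mapping[str, str]) -> Optional[str]:
        """Return the client IP for a request that came through Cloudflare,
        or None if the request should be rejected.

        CF-Connecting-IP is only trusted when the peer is a Cloudflare address.
        A client that reaches the origin directly (the bypass described in the
        thread) can set any header it likes, so the peer check must come first.
        """
        if not self.is_cloudflare(peer_ip):
            return None
        lowered = {k.lower(): v for k, v in headers.items()}
        client = lowered.get("cf-connecting-ip")
        if client is None:
            return None
        try:
            return str(ipaddress.ip_address(client.strip()))
        except ValueError:
            return None


def audit(allowlist: CloudflareAllowlist,
          requests: Iterable[Tuple[str, Mapping[str, str]]]) -> List[Tuple[str, bool]]:
    """Decide allow/deny for each (peer_ip, headers) pair."""
    return [(peer, allowlist.resolve_client(peer, hdrs) is not None)
            for peer, hdrs in requests]


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    ("173.245.48.10", {"CF-Connecting-IP": "203.0.113.7"}),        # via Cloudflare
    ("2606:4700:abcd::1", {"CF-Connecting-IP": "198.51.100.9"}),   # via Cloudflare, IPv6
    ("198.51.100.5", {"CF-Connecting-IP": "203.0.113.7"}),         # direct hit, forged header
    ("173.245.48.10", {}),                                         # Cloudflare peer, header missing
    ("not-an-ip", {"CF-Connecting-IP": "203.0.113.7"}),            # garbage peer address
]

if __name__ == "__main__":
    allowlist = CloudflareAllowlist(CLOUDFLARE_RANGES_SNAPSHOT)
    for peer, allowed in audit(allowlist, SAMPLE_REQUESTS):
        print(f"{peer:>20}  {'allow' if allowed else 'deny'}")
```

Where this runs matters. A proxying load balancer in front of the pods hands the application the balancer's own address as the TCP peer, not the Internet client's, so a check like this has to sit where the true peer is still visible (on the balancer itself, or fed by PROXY protocol or a forwarded-for header that only a trusted hop can set). The order of the two checks is the security-relevant part: trusting CF-Connecting-IP before confirming the peer is in Cloudflare's ranges lets anyone who finds the direct hostname claim any client address.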