I've just discovered that one of our customers is using CloudFlare and I can see from the website stats that most of the IPs visiting the site are CloudFlare's.
I know there's a CloudFlare Apache module plugin for later versions of Plesk, but we are on Plesk 10.4.4 and Apache 2.2, and I don't really know the way forward at this point. Yes, Plesk 12.5 upgrades are in the pipeline, but I'm more worried about right now, this minute...
Obviously in theory I can download, compile and install mod_cloudflare for 2.2.
Is this the way to go? What about ASL? I've read so many confusing and conflicting things here about the use of CloudFlare that I've lost the plot a bit, so I could do with some pointers please!
CloudFlare question
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: CloudFlare question
As with any proxy, you need something to trust the X-Forwarded-For header they send with their queries (and to not trust it from any other IPs, as this header is commonly sent by the bad guys with their attacks to take advantage of systems incorrectly configured to blindly trust it. Never trust that header.). They have a module that is supposed to do this; there is also mod_rpaf. Both options are documented at the URL below:
https://www.atomicorp.com/wiki/index.php?title=Proxy
Once you do that, you're good to go. You can also configure ASL to shun IPs upstream at the cloudflare proxies, but I'm pretty sure CF limits the number of IPs you can add upstream.
Michael Shinn
Atomicorp - Security For Everyone
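The trust rule in Mike's reply (believe the forwarding headers only when the TCP peer is a known proxy, and treat them as attacker-controlled from anyone else) is what mod_cloudflare and mod_rpaf implement inside Apache. The following is an added example written for this page, not code from the thread, from Atomicorp or from CloudFlare: it works the same decision through in Python so the two cases can be run side by side with constructed requests. The CloudFlare ranges listed are an illustrative subset taken from their published IPv4 list; the live list at https://www.cloudflare.com/ips-v4 changes and is what a real deployment should load. The header names CF-Connecting-IP and X-Forwarded-For are the ones CloudFlare sends; the function names and sample addresses are my own.

```python
import ipaddress

# Illustrative subset of CloudFlare's published IPv4 ranges (assumption for this
# example; in production load the current list from https://www.cloudflare.com/ips-v4).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22",
    "141.101.64.0/18",
    "162.158.0.0/15",
    "173.245.48.0/20",
    "198.41.128.0/17",
)]


def is_trusted_proxy(ip):
    """True if ip (string) falls inside one of the trusted proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers):
    """Return the address that should be logged and, if the request is
    malicious, shunned.

    peer_ip  - the TCP peer as Apache sees it (REMOTE_ADDR).
    headers  - request headers as a dict; key case is ignored.

    If the peer is not a trusted proxy, the forwarding headers were written by
    whoever connected and are ignored: the peer itself is the client.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip

    h = {k.lower(): v for k, v in headers.items()}

    # CloudFlare puts the original visitor in CF-Connecting-IP; prefer it.
    cf = h.get("cf-connecting-ip", "").strip()
    if cf:
        try:
            return str(ipaddress.ip_address(cf))
        except ValueError:
            pass  # malformed: fall through to X-Forwarded-For

    # X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the
    # address it saw. A visitor can pre-fill the header with anything before the
    # request reaches CloudFlare, so the LEFTMOST entry is never trustworthy.
    # Walk from the right, skipping trusted proxies; the first untrusted hop is
    # the real client.
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the chain: stop believing it
        if not is_trusted_proxy(hop):
            return hop

    # Nothing usable behind the proxy; report the proxy itself rather than guess.
    return peer_ip


def demo():
    """Constructed requests (TEST-NET addresses) covering the cases discussed."""
    cases = [
        # 1. Direct connection forging the header: header must be ignored.
        ("203.0.113.7", {"X-Forwarded-For": "198.51.100.99"}),
        # 2. Via CloudFlare with CF-Connecting-IP set.
        ("173.245.48.10", {"CF-Connecting-IP": "198.51.100.23",
                           "X-Forwarded-For": "198.51.100.23"}),
        # 3. Via CloudFlare, attacker pre-filled XFF; CloudFlare appended the real IP.
        ("173.245.48.10", {"X-Forwarded-For": "198.51.100.99, 198.51.100.23"}),
        # 4. Via CloudFlare with unparsable XFF: fall back to the peer.
        ("173.245.48.10", {"X-Forwarded-For": "not-an-ip"}),
    ]
    return [client_ip(peer, hdrs) for peer, hdrs in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Case 1 is the attack Mike warns about: the header is present but the peer is not CloudFlare, so it is discarded and the connecting address itself is what ASL would shun. Case 3 shows why the rightmost-untrusted walk matters: taking the leftmost X-Forwarded-For value would have logged (and shunned) an address the attacker chose.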
Re: CloudFlare question
Thanks Mike,
Finally I understand. I'm not sure why it wasn't clear before.
And it also explains the CloudFlare support option (or whatever it might be called) in the ASL config, which I presume does a callback to CF and gives it the IP to shun.
Essentially, then, unless ASL is configured to pass bad IPs back to CF, and unless CF actually acts on the callback, the attacking IP will never be shunned although the attack will at least be blocked without shunning innocent visitors.
** For those using CF, is using mod_rpaf or CF's native Apache module the best option? I'd have thought CF's own module would be the one to go for, but there are always surprises.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>