CloudFlare question

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

I've just discovered that one of our customers is using CloudFlare and I can see from the website stats that most of the IPs visiting the site are CloudFlare's.

I know there's a plugin CloudFlare Apache module for later versions of Plesk but we are on Plesk 10.4.4, Apache 2.2 and I don't really know the way forward at this point. Yes, Plesk 12.5 upgrades are in the pipeline, but I'm more worried about right now this minute....

Obviously in theory I can download, compile and install mod_cloudflare for 2.2.

Is this the way to go? What about ASL? I've read too many confusing and conflicting things here about the use of CloudFlare that I've lost the plot a bit, so could do with some pointers please!
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: CloudFlare question

As with any proxy, you need something to trust the X-Forwarded-For header they send with their queries (and not to trust it from any other IPs, as this header is commonly sent by the bad guys with their attacks, to take advantage of systems incorrectly configured to blindly trust this header. Never trust that header.). They have a module that is supposed to do this; there is also mod_rpaf. Both options are documented at the URL below:

https://www.atomicorp.com/wiki/index.php?title=Proxy

Once you do that, you're good to go. You can also configure ASL to shun IPs upstream at the CloudFlare proxies, but I'm pretty sure CF limits the number of IPs you can add upstream.
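
The trust rule described in the post above, written out as an added example (not part of the original thread, and not code from mod_rpaf, CloudFlare's module or ASL): the X-Forwarded-For header is honoured only when the TCP peer is a known proxy address, and ignored from every other source. The proxy range and all addresses are constructed documentation values, and `is_trusted` and `resolve_client_ip` are hypothetical names.

```python
import ipaddress

# Constructed sample value: a documentation range stands in for the proxy's
# published address ranges (assumption; load the real list from your provider).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log and block on.

    peer_addr is the TCP peer seen by the web server; xff_header is the raw
    X-Forwarded-For value, or None when the header is absent.
    """
    # Peer is not one of our proxies: the header is attacker controlled,
    # so it is ignored entirely and the peer itself is the client.
    if not is_trusted(peer_addr, trusted):
        return peer_addr
    if not xff_header:
        return peer_addr
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not a trusted proxy. Anything further left
    # was supplied by that client and carries no weight.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
        if not is_trusted(hop, trusted):
            return hop
    return peer_addr  # every listed hop was a trusted proxy
```
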
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: CloudFlare question

Thanks Mike,

Finally I understand. I'm not sure why it wasn't clear before.

And it also explains the CloudFlare support option (or whatever it might be called) in the ASL config, which I presume does a callback to CF and gives it the IP to shun.

Essentially, then, unless ASL is configured to pass bad IPs back to CF, and unless CF actually acts on the callback, the attacking IP will never be shunned although the attack will at least be blocked without shunning innocent visitors.

** For those using CF, is using mod_rpaf or using CF's native Apache module the best option? I'd have thought CF's own module would be the one to go for, but there are always surprises :-)