VestaCP Firewalld behind CloudFlare Doesn't block requests - why?
Good afternoon!
1. On the server, the setup for the domains is nginx (front) + apache2 (back).
2. The websites are behind Cloudflare.
3. Switching a domain's settings between with and without nginx doesn't change anything; the rules still don't block.
If I SUSPEND the rule 0.0.0.0/0 ACCEPT 80,443 (WEB), then everything is "ok": the server does not accept any connections at all :)
I need to accept everything EXCEPT the addresses entered in rules set to DROP.
I also tried reordering the rules: first the ACCEPT rule and then everything DROP, and vice versa (by default, rules added in the web interface go to the top, and in the config they go to the bottom), but nothing changed either.
If I check netstat, I see connections only from Cloudflare IP addresses, although the standard nginx config seems to show the correct IP.
In the Apache logs for the domains themselves the real IPs are already displayed, that is, nginx accepts the request from Cloudflare and passes the correct IP to Apache. What is especially strange here is that the Apache logs show the correct IP even if you remove nginx from the front.
The problem is that I enter IP-blocking rules through the web interface and they do not work. At the same time, everything else works: the mysql / vnc ports and the rest.
What can be done?
Figured it out: on Vladimir's advice, I googled the solution that was optimal for me, via GEO.
https://nginx.org/ru/docs/http/ngx_http_geo_module.html
In the main nginx config, inside the http directive, we write:
#Cloudflare CIDR IP BAN
# geo is only valid in the http { } context
geo $http_x_forwarded_for $allowed {
    default allow;
    82.118.227.0/24 deny;
    #any ip or CIDR
}
#/Cloudflare CIDR IP BAN

# Block by IP #
# "if" is not allowed directly inside http { }; it goes in the server { } (or location { })
# block of each site that should enforce the ban
server {
    if ( $allowed = "deny" ) {
        return 403;
    }
}
The fact is that Cloudflare gives you the real address in the HTTP headers, just for statistics, and nginx or Apache then writes it to the log, but in fact all requests come from Cloudflare, and that is what the firewall sees.
Your options:
1 - block the IPs directly on Cloudflare
2 - if you don't have https - match packets containing the needed IPs via iptables -m string --string '1.1.1.1' and then drop them
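As an added illustration of what both answers describe (this is example code written for this page, not from either answer, and it is Python rather than nginx config), the block below simulates the two decision points: a packet filter that can evaluate only the TCP peer address, and an application-layer check that reads the forwarded header but trusts it only when the peer is a known proxy address, which is what nginx's geo module does with its `proxy` directive. The proxy ranges, the deny range and the sample requests are constructed placeholders; Cloudflare's real edge ranges come from its published list at https://www.cloudflare.com/ips/.

```python
import ipaddress
from typing import Optional

# Constructed sample data for this example (assumptions, not values from the page).
# Stand-ins for Cloudflare's edge ranges; the real list is published by Cloudflare
# and has to be kept up to date.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cf::/48")]
# Ranges to ban, mirroring the `82.118.227.0/24 deny;` entry in the geo block above.
DENY_LIST = [ipaddress.ip_network("82.118.227.0/24")]


def in_any(addr, nets):
    """True if addr falls inside any of the networks (a v4 address never matches a v6 net)."""
    return any(addr in n for n in nets)


def firewall_decision(peer_ip: str) -> str:
    """What a packet filter such as VestaCP's iptables rules can evaluate: only the
    TCP peer address. Behind Cloudflare the peer is always a Cloudflare edge, so an
    IP ban placed here never matches the real visitor."""
    return "deny" if in_any(ipaddress.ip_address(peer_ip), DENY_LIST) else "allow"


def client_ip(peer_ip: str, x_forwarded_for: Optional[str]):
    """Address the ban should apply to. The forwarded header is honoured only when the
    peer is a trusted proxy (the equivalent of nginx's `geo ... { proxy ...; }`);
    otherwise a direct client could forge X-Forwarded-For to dodge a ban or to get an
    innocent address blocked."""
    peer = ipaddress.ip_address(peer_ip)
    if x_forwarded_for and in_any(peer, TRUSTED_PROXIES):
        # The header may be a comma-separated chain; the left-most entry is the client
        # as seen by the first proxy (Cloudflare also sends it alone in CF-Connecting-IP).
        first = x_forwarded_for.split(",")[0].strip()
        try:
            return ipaddress.ip_address(first)
        except ValueError:
            pass  # malformed header: fall back to the peer address rather than failing open
    return peer


def app_decision(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Application-layer equivalent of `if ($allowed = "deny") { return 403; }`."""
    return "deny" if in_any(client_ip(peer_ip, x_forwarded_for), DENY_LIST) else "allow"


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header)
    samples = [
        ("203.0.113.10", "82.118.227.5"),   # banned visitor arriving via Cloudflare
        ("203.0.113.10", "198.51.100.7"),   # ordinary visitor arriving via Cloudflare
        ("198.51.100.7", "82.118.227.5"),   # direct client with a forged header
        ("82.118.227.5", None),             # banned range connecting directly
    ]
    for peer, xff in samples:
        print(f"peer={peer:<14} xff={str(xff):<14} "
              f"firewall={firewall_decision(peer):<5} app={app_decision(peer, xff)}")
```

The first sample row is the questioner's situation: the firewall says "allow" because it only sees the Cloudflare peer, while the application-layer check, which is where the geo block in the accepted answer operates, says "deny". The third row shows why the trusted-proxy check matters: without it, any direct client could put an arbitrary address in the header.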