
Catalyst and Cloudflare

by QuillMeantTen (Friar)
on Apr 25, 2016 at 08:59 UTC (#1161423=perlquestion)

QuillMeantTen has asked for the wisdom of the Perl Monks concerning the following question:

Greetings fellow monks, I come to you with a simple question: I set up a web server using Catalyst and put it behind Cloudflare for security reasons. Is there any way in Catalyst to prevent direct access using the server's IP address (thus bypassing Cloudflare)?

I think one could deny by default and whitelist cloudflare's ip ranges but I would like to know if there is a way to do it using catalyst itself? Maybe a way to formulate a controller for this case.

Replies are listed 'Best First'.
Re: Catalyst and Cloudflare
by Corion (Patriarch) on Apr 25, 2016 at 09:12 UTC

    I think if you're using Cloudflare for (D)DoS protection, handling anything non-Cloudflare in your web application will still enable an adversary to DoS your application by talking to it directly. Rejecting IP (or DNS) packets should be done at the lowest level possible, that is, preferably upstream or in the kernel or in your web server. Not in the application.

    The easiest way within the application is to check for specific headers that Cloudflare will set and other accesses will not set. Maybe you can also look at the Host: header - this should show http://www.quillmeantten.com and not a raw IP. Both of these checks are easily circumvented by configuring your browser/access tool to send the headers.

    You could add a special secret header or cookie to Cloudflare maybe and check for the presence of that.

    Personally, I would consider that a task to be performed by the webserver and not by the application though. Whitelisting Cloudflare and your local network seems a prudent approach and allows you to change hosting/network boundary providers without any change to your code should Cloudflare not meet your criteria anymore.

    Update: Cloudflare publishes its outbound IP addresses, so you could even dynamically generate your HTTP server configuration or make these checks in your web application.

      Thanks corion, I had a hunch that this would be the right way but wanted to confirm it!
Re: Catalyst and Cloudflare
by Anonymous Monk on Apr 25, 2016 at 09:19 UTC

    I set up a web server using Catalyst and put it behind Cloudflare for security reasons. Is there any way in Catalyst to prevent direct access using the server's IP address (thus bypassing Cloudflare)?

    It's a Cloudflare question; answer is probably no, check with Cloudflare

    I think one could deny by default and whitelist cloudflare's ip ranges but I would like to know if there is a way to do it using catalyst itself? Maybe a way to formulate a controller for this case.

    Yes, you can do pretty much anything you want; the easiest option is to use Plack/plackup to load your Catalyst app with a simple sub that checks IPs
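
The Plack approach suggested in the replies, sketched as an added example (not code posted by anyone in this thread): a PSGI wrapper that denies by default and only passes requests whose TCP peer address falls inside an allowlist. Assumptions: the CIDR ranges are constructed placeholders to be replaced with the ranges Cloudflare publishes, only IPv4 is handled (anything else is denied), and the inner app is a stand-in for a Catalyst app such as the hypothetical MyApp->psgi_app.

```perl
# app.psgi (added example); run with: plackup app.psgi
use strict;
use warnings;
use Socket qw(inet_aton);
use Plack::Builder;

# ASSUMPTION: constructed placeholder ranges (RFC 5737 documentation nets).
# Replace with the ranges Cloudflare publishes, plus your local network.
my @ALLOWED_CIDRS = qw(192.0.2.0/24 198.51.100.0/24 127.0.0.1/32);

# Pre-compute [network, mask] pairs as 32-bit integers (IPv4 only).
my @NETS = map {
    my ($addr, $bits) = split m{/}, $_;
    die "bad CIDR: $_" unless defined $bits && $bits =~ /\A\d+\z/ && $bits <= 32;
    my $packed = inet_aton($addr) or die "bad CIDR: $_";
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    [ unpack('N', $packed) & $mask, $mask ];
} @ALLOWED_CIDRS;

sub ip_allowed {
    my ($ip) = @_;
    # Accept dotted-quad literals only, so inet_aton never does a DNS lookup.
    return 0 unless defined $ip && $ip =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;
    my $packed = inet_aton($ip) or return 0;
    my $n = unpack 'N', $packed;
    return scalar grep { ($n & $_->[1]) == $_->[0] } @NETS;
}

# Stand-in application. For Catalyst, use MyApp->psgi_app here instead
# (MyApp is a hypothetical application name).
my $app = sub { [ 200, [ 'Content-Type' => 'text/plain' ], [ "ok\n" ] ] };

builder {
    # Outermost layer: it sees REMOTE_ADDR as the socket peer, before any
    # proxy-aware middleware rewrites it from a client-supplied header.
    enable sub {
        my $next = shift;
        sub {
            my $env = shift;
            return $next->($env) if ip_allowed($env->{REMOTE_ADDR});
            return [ 403, [ 'Content-Type' => 'text/plain' ], [ "Forbidden\n" ] ];
        };
    };
    $app;
};
```

As Corion points out, a rejection at this layer still costs a connection and a request parse per attempt, so the same allowlist at the web server or firewall remains the stronger control.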
