PerlMonks

Re: Catalyst and Cloudflare
by Corion (Patriarch) on Apr 25, 2016 at 09:12 UTC ( [id://1161424]=note )
I think if you're using Cloudflare for (D)DoS protection, handling anything non-Cloudflare in your web application will still enable an adversary to DoS your application by talking to it directly. Rejecting IP (or DNS) packets should be done at the lowest level possible, that is, preferably upstream or in the kernel or in your web server. Not in the application.

The easiest way within the application is to check for specific headers that Cloudflare will set and other accesses will not set. Maybe you can also look at the Host: header - this should show http://www.quillmeantten.com and not a raw IP. Both of these checks are easily circumvented by configuring your browser/access tool to send the headers. You could add a special secret header or cookie to Cloudflare maybe and check for the presence of that. Personally, I would consider that a task to be performed by the webserver and not by the application though.

Whitelisting Cloudflare and your local network seems a prudent approach and allows you to change hosting/network boundary providers without any change to your code should Cloudflare not meet your criteria anymore.

Update: Cloudflare publishes its outbound IP addresses, so you could even dynamically generate your HTTP server configuration or make these checks in your web application.
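The in-application variant of the whitelist Corion describes, written as an added example and not code from the thread: a PSGI middleware (Catalyst apps are PSGI apps, so it can be enabled in app.psgi) that first checks the TCP peer address against a list of trusted CIDR ranges, then optionally checks the Host: header, and only after both accepts Cloudflare's CF-Connecting-IP header as the real client address. The middleware name, the `trusted_cidrs`/`expected_host` options and the `198.51.100.0/24` range are assumptions for illustration; the real Cloudflare ranges must be loaded from Cloudflare's published list. IPv4 only, because Net::CIDR::Lite keeps v4 and v6 in separate objects.

```perl
# Added example (not from the original thread). Hypothetical middleware:
# deny requests whose peer is not a trusted address, then trust
# CF-Connecting-IP only for such peers. IPv4 only.
package Plack::Middleware::RequireCloudflare;
use strict;
use warnings;
use parent 'Plack::Middleware';
use Plack::Util::Accessor qw(trusted_cidrs expected_host);
use Net::CIDR::Lite;

sub prepare_app {
    my ($self) = @_;
    my $cidr = Net::CIDR::Lite->new;
    # Populate from Cloudflare's published ranges plus your own networks;
    # the values passed in the usage below are placeholders.
    $cidr->add($_) for @{ $self->trusted_cidrs || [] };
    $self->{_cidr} = $cidr;
}

sub call {
    my ($self, $env) = @_;
    my $peer = $env->{REMOTE_ADDR} // '';
    my $host = $env->{HTTP_HOST}   // '';
    $host =~ s/:\d+\z//;    # drop an explicit port

    # 1. The connection itself must come from a trusted range. Headers
    #    alone can be set by anyone who talks to the origin directly.
    return _deny("peer $peer not trusted")
        unless $self->{_cidr}->find($peer);

    # 2. Optional: a raw-IP or foreign Host: header is not what the proxy
    #    would forward for this site.
    return _deny("unexpected Host '$host'")
        if defined $self->expected_host
        && lc $host ne lc $self->expected_host;

    # 3. Only now believe the proxy's statement of the real client address,
    #    so that application logs and rate limits see the client, not the edge.
    if (my $client = $env->{HTTP_CF_CONNECTING_IP}) {
        $env->{REMOTE_ADDR} = $client;
    }
    return $self->app->($env);
}

sub _deny {
    my ($reason) = @_;
    # Generic body for the caller; the reason goes to your own log only.
    warn "RequireCloudflare: $reason\n";
    return [403, ['Content-Type' => 'text/plain'], ["Forbidden\n"]];
}

package main;
use Plack::Builder;

# Assumed: $app is the Catalyst application's PSGI coderef
# (MyApp->psgi_app in a real app.psgi); a stub stands in for it here.
my $app = sub { [200, ['Content-Type' => 'text/plain'], ["hello\n"]] };

builder {
    enable '+Plack::Middleware::RequireCloudflare',
        trusted_cidrs => [
            '198.51.100.0/24',   # placeholder for a published Cloudflare range
            '10.0.0.0/8',        # your local network
            '127.0.0.1/32',      # localhost, for development
        ],
        expected_host => 'www.quillmeantten.com';
    $app;
};
```

The order of the three checks is the point: a forwarded-client header is only meaningful once the peer has been verified, which is also why Catalyst's own `using_frontend_proxy` setting (it trusts X-Forwarded-For from any peer) should not be relied on without a peer check in front of it. As Corion says, the same allow list belongs first in the web server or upstream; regenerating that configuration from Cloudflare's published list whenever it changes keeps both layers in step.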
In Section: Seekers of Perl Wisdom