How to allow HTTP and HTTPS traffic coming ONLY from CloudFlare

isscbta
Team Member
Posts: 137
Joined: Mon Jul 19, 2021 1:41 am

This script modifies the firewall rules on a server using myVesta Control Panel to allow HTTP and HTTPS incoming traffic only from Cloudflare IPs.
This is useful when using Cloudflare to protect your website against DDoS attacks (so nobody can flood your site by avoiding CloudFlare, for example, by targeting your server's IP directly).

Here's a step-by-step explanation:

The script searches for a firewall rule (that allows http and https traffic from all IP addresses) in the /usr/local/vesta/data/firewall/rules.conf file and assigns the result to the $rules variable.
It evaluates the content of the $rules variable.
The script suspends the firewall rule by executing the v-suspend-firewall-rule command with the found rule number.
Next, the script adds new firewall rules for a list of Cloudflare IP ranges:

It sets the IP range and comment for each Cloudflare IP block (e.g., IP='173.245.48.0/20' COMMENT='CloudFlare_1').
The script calls v-add-firewall-rule command to add a new firewall rule that allows incoming traffic from the specified IP range on ports 80 and 443 using the TCP protocol and adds the corresponding comment.

That way, incoming traffic would be allowed only from Cloudflare IPs for HTTP (port 80) and HTTPS (port 443) services.

Script code:

# Locate the default rule that accepts web traffic from any source, load its
# fields (RULE, ...) into the shell, and suspend that rule by number
rules=$(grep "PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB'" /usr/local/vesta/data/firewall/rules.conf)
eval $rules
/usr/local/vesta/bin/v-suspend-firewall-rule "$RULE"

# One ACCEPT rule per Cloudflare IPv4 range, TCP ports 80 and 443 only
IP='173.245.48.0/20' COMMENT='CloudFlare_1'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.21.244.0/22' COMMENT='CloudFlare_2'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.22.200.0/22' COMMENT='CloudFlare_3'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.31.4.0/22' COMMENT='CloudFlare_4'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='141.101.64.0/18' COMMENT='CloudFlare_5'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='108.162.192.0/18' COMMENT='CloudFlare_6'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='190.93.240.0/20' COMMENT='CloudFlare_7'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='188.114.96.0/20' COMMENT='CloudFlare_8'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='197.234.240.0/22' COMMENT='CloudFlare_9'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='198.41.128.0/17' COMMENT='CloudFlare_10'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='162.158.0.0/15' COMMENT='CloudFlare_11'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='104.16.0.0/13' COMMENT='CloudFlare_12'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='104.24.0.0/14' COMMENT='CloudFlare_13'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='172.64.0.0/13' COMMENT='CloudFlare_14'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='131.0.72.0/22' COMMENT='CloudFlare_15'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
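As an added example (not part of the post above and not myVesta's own tooling), the following Python audit parses rules.conf-style lines and answers the two questions a practitioner asks after running a script like this: which active ACCEPT rules still expose ports 80/443 to sources outside Cloudflare, and whether a given client address would be accepted on a given port. The KEY='value' field layout (RULE, ACTION, PROTOCOL, PORT, IP, COMMENT, SUSPENDED) is assumed from the post's grep pattern; real rules.conf files carry more fields. The Cloudflare ranges are the fifteen IPv4 blocks listed in the post; they change over time, so compare them against Cloudflare's published list before relying on them, and note that IPv6 ranges are not covered here.

```python
import ipaddress
import shlex

# The IPv4 ranges used in the post above (re-check against Cloudflare's current list).
CLOUDFLARE_IPV4 = [
    '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
    '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
    '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22',
]

# Constructed sample of rules.conf lines; field layout assumed from the post's grep
# pattern. 203.0.113.0/24 is a documentation range standing in for a stray office rule.
SAMPLE_RULES_CONF = """\
RULE='1' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB' SUSPENDED='yes'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='22' IP='0.0.0.0/0' COMMENT='SSH' SUSPENDED='no'
RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='173.245.48.0/20' COMMENT='CloudFlare_1' SUSPENDED='no'
RULE='4' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='103.21.244.0/22' COMMENT='CloudFlare_2' SUSPENDED='no'
RULE='5' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80' IP='203.0.113.0/24' COMMENT='office' SUSPENDED='no'
"""


def parse_rules(text):
    """Turn KEY='value' lines into a list of dicts; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        # shlex strips the single quotes, leaving KEY=value tokens
        rules.append(dict(tok.split('=', 1) for tok in shlex.split(line)))
    return rules


def ports_of(rule):
    """Expand a PORT field such as '80,443' (comma list) or '1000:2000' (iptables-style
    range, assumed syntax) into a set of integers."""
    ports = set()
    for part in rule['PORT'].split(','):
        if ':' in part:
            lo, hi = part.split(':', 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def active_accepts(rules, port, proto='TCP'):
    """ACCEPT rules that are not suspended and cover the given port/protocol."""
    return [r for r in rules
            if r.get('ACTION') == 'ACCEPT'
            and r.get('SUSPENDED', 'no') != 'yes'
            and r.get('PROTOCOL', 'TCP').upper() == proto.upper()
            and port in ports_of(r)]


def source_is_allowed(rules, src_ip, port, proto='TCP'):
    """Would a packet from src_ip to this port match an active ACCEPT rule?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r['IP'], strict=False)
               for r in active_accepts(rules, port, proto))


def audit_web_ports(rules, allowed_cidrs, ports=(80, 443)):
    """Report every active web-port ACCEPT whose source is not inside an allowed CIDR."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for port in ports:
        for r in active_accepts(rules, port):
            src = ipaddress.ip_network(r['IP'], strict=False)
            covered = any(n.version == src.version and src.subnet_of(n) for n in nets)
            if not covered:
                findings.append(f"rule {r['RULE']} exposes port {port} to {r['IP']} ({r['COMMENT']})")
    return findings


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES_CONF)
    for finding in audit_web_ports(rules, CLOUDFLARE_IPV4):
        print(finding)
    print('Cloudflare edge on 443:', source_is_allowed(rules, '173.245.48.10', 443))
    print('Direct visitor on 443: ', source_is_allowed(rules, '198.51.100.7', 443))
```

Run it against a copy of the live file (`parse_rules(open('/usr/local/vesta/data/firewall/rules.conf').read())`) after the script above has been applied: an empty finding list means no unsuspended rule lets non-Cloudflare sources reach the web ports, and the same `source_is_allowed` check with `proto='UDP'` covers the UDP case discussed later in the thread.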

Salazarski
Posts: 1
Joined: Sat Jun 24, 2023 7:07 pm

Is it possible to do the same for UDP but whitelisting certain aspects like vestacp and ssh access?
myVesta
Site Admin
Posts: 949
Joined: Fri Jun 19, 2020 9:59 am

Salazarski wrote (Sat Jun 24, 2023 7:08 pm): Is it possible to do the same for UDP but whitelisting certain aspects like vestacp and ssh access?
Yes, the principle for UDP is the same as for TCP.
lgreen
Posts: 12
Joined: Thu Jan 13, 2022 5:44 am

The hardest part is handling L7 DDoS, that sucks; I need to check a ton of logs. Some L7 DDoS uses a query pattern like

?news=Random-Query

and it's easy to block via Cloudflare.
Rate limiting doesn't help too much since they are using thousands of IPs; my CPU usage is growing like hell, I still don't know how to handle it :D
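The flood pattern described in the post above, a fixed path hit with an ever-changing query value from many addresses so that no cache layer can absorb it, is easy to pick out of an access log by cardinality rather than by rate. The following Python detector is an added example, not code from the thread or from myVesta: it parses combined-format access-log lines (constructed sample below, with addresses from documentation ranges) and flags any (path, query parameter) pair where nearly every request carries a distinct value and the requests come from many different IPs. The thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access-log lines. The first six mimic a
# '?news=<random>' flood from six sources; the rest are ordinary traffic.
SAMPLE_ACCESS_LOG = """\
198.51.100.1 - - [24/Jun/2023:20:01:01 +0000] "GET /?news=Qz8Ks1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [24/Jun/2023:20:01:01 +0000] "GET /?news=Lm2Pq9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.3 - - [24/Jun/2023:20:01:02 +0000] "GET /?news=Xc7Vb3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jun/2023:20:01:02 +0000] "GET /?news=Rt4Nm6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [24/Jun/2023:20:01:02 +0000] "GET /?news=Hj9Wd2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.6 - - [24/Jun/2023:20:01:03 +0000] "GET /?news=Yp1Gf8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Jun/2023:20:01:03 +0000] "GET /blog/?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Jun/2023:20:01:04 +0000] "GET /blog/?page=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [24/Jun/2023:20:01:05 +0000] "GET /blog/?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.12 - - [24/Jun/2023:20:01:06 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Yield one dict per parsable combined-format line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def random_query_floods(entries, min_requests=5, min_ips=3, min_distinct_ratio=0.8):
    """Group requests by (path, query parameter) and flag groups where the value is
    almost never repeated and the senders are spread over many IPs."""
    stats = defaultdict(lambda: {'n': 0, 'values': set(), 'ips': set()})
    for e in entries:
        parts = urlsplit(e['target'])
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            s = stats[(parts.path, key)]
            s['n'] += 1
            s['values'].add(val)
            s['ips'].add(e['ip'])

    findings = []
    for (path, key), s in sorted(stats.items()):
        distinct_ratio = len(s['values']) / s['n']
        if s['n'] >= min_requests and len(s['ips']) >= min_ips and distinct_ratio >= min_distinct_ratio:
            findings.append({
                'path': path,
                'param': key,
                'requests': s['n'],
                'distinct_values': len(s['values']),
                'sources': sorted(s['ips']),  # candidates for a rate-limit or firewall rule
            })
    return findings


if __name__ == '__main__':
    for f in random_query_floods(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"{f['path']}?{f['param']}=<random>: {f['requests']} requests, "
              f"{f['distinct_values']} distinct values, {len(f['sources'])} source IPs")
```

Feed it the web server's access log (`parse_access_log(open(path).read())`) when CPU climbs: a hit on a parameter the application does not actually use is the signature to feed into a Cloudflare firewall rule or a local block on that path-plus-parameter combination, which is cheaper than rate limiting when the flood is spread across thousands of addresses.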