by pt 3935 days ago
Besides Cloudflare being the biggest man-in-the-middle on the internet, their DDoS mitigation offering is also questionable. If you google "cloudflare bypass" [1], you get to websites that can tell you the origin IP address of a Cloudflare customer's domain name. So, malicious guys could hit the real IP directly.

[1] https://www.google.com/search?q=cloudflare+bypass

1 comment

> If you google "cloudflare bypass", you get to websites that can tell you the origin IP address of a Cloudflare customer's domain name.

Those rely on a known DNS history from before CloudFlare was added to a domain. If bypass is a concern, changing the server's IP and making sure it never shows up in a public DNS record again solves things.

Yes, DNS history is one way to leak your IP. There are several other ways that the origin IP may get leaked, so you should be very careful if you use Cloudflare:

* Keep all subdomains on CloudFlare

* Don't use wildcard subdomains if you are not on a Pro account

* Don't host mail or other services on the same server as your web server (email headers have origin IP)

* Never initiate an outbound connection based on user action

* Make sure that your web server and web application are patched against all known information disclosure vulnerabilities.

* Change your origin IP once configured for maximum DDoS protection on CloudFlare

Cloudflare documents it here: https://blog.cloudflare.com/ddos-prevention-protecting-the-o...
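An added example (not from the thread or from Cloudflare) of the audit a site owner would run against their own zone export to catch the first two items on that list: every public record should resolve only into Cloudflare's proxy ranges, and any unproxied address shared by several hostnames (mail and a dev box on the web server, say) is an origin waiting to be found. The prefix list and the zone records below are constructed samples; the real edge prefixes come from https://www.cloudflare.com/ips-v4 and /ips-v6.

```python
import ipaddress

# Constructed sample of Cloudflare edge prefixes for this example only;
# load the currently published lists before running this for real.
CLOUDFLARE_PREFIXES = [
    "103.21.244.0/22",
    "104.16.0.0/13",
    "2606:4700::/32",
]

# Constructed zone export: hostname -> addresses public DNS answers with.
# 203.0.113.0/24 is documentation space standing in for an origin server.
ZONE = {
    "www.example.com": ["104.16.12.34"],
    "example.com": ["104.16.12.34", "2606:4700::6810:c22"],
    "mail.example.com": ["203.0.113.10"],
    "dev.example.com": ["203.0.113.10"],
}


def build_networks(prefixes):
    """Parse CIDR strings once so membership checks are cheap."""
    return [ipaddress.ip_network(p) for p in prefixes]


def is_proxied(addr, networks):
    """True if addr falls inside any proxy prefix (IPv4/IPv6 mismatches are simply False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def find_exposed_hosts(zone, prefixes):
    """Return {hostname: [addresses outside the proxy ranges]} for records that bypass the proxy."""
    nets = build_networks(prefixes)
    exposed = {}
    for host, addrs in zone.items():
        leaks = [a for a in addrs if not is_proxied(a, nets)]
        if leaks:
            exposed[host] = leaks
    return exposed


def shared_origins(exposed):
    """Group exposed hostnames by address: one address under several names is one server to move."""
    by_addr = {}
    for host, addrs in exposed.items():
        for a in addrs:
            by_addr.setdefault(a, []).append(host)
    return {a: sorted(hosts) for a, hosts in by_addr.items()}
```

Run `shared_origins(find_exposed_hosts(ZONE, CLOUDFLARE_PREFIXES))` after each DNS change; an empty result for the web hosts means nothing public points at the origin.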