by rdl
2467 days ago
I haven’t set this up in a while but I think you can set up a “fake” cert on the origin to Cloudflare portion and then also pin that cert into Cloudflare, so you get protection against MITM on top of protection from scanning (and from accidentally serving directly from your host). They should probably support “secret name” http headers instead of the normal host, too. So e.g. your site is set to serve for fjeiiejdndjs.dhdjdj.com and publishes via Cloudflare as www.riskysite.com. Cloudflare also has (had? I haven’t kept up) some special accelerated serving products which would de facto protect from this. Doesn’t help if you just have https vs a full vps though. It would be awesome to have some standardized containers/ami/etc which were set up for “concealed hosting” via cf, ipfs, tor, etc.

And even if you don't lock it down to their CDN, it may still never be discovered if your origin only serves the relevant content when a specific host header and SNI are passed (rather than served by default regardless of host header or SNI), which Censys/Shodan may never try. Someone could still scan a huge chunk of the Internet to try to look specifically for your origin, though. Anyone using Cloudflare or a similar CDN should always spend the minute or so it requires to restrict inbound 80/443 to only Cloudflare's published IPs at https://www.cloudflare.com/ips/
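
The restriction recommended in the comment above (inbound 80/443 only from the CDN's published ranges), as an added example that is not part of the thread: a POSIX shell function that turns a saved copy of the range list into an nftables ruleset and refuses to build one from malformed or empty input. The table name `cdn_only` is an assumption, and the sample ranges are constructed documentation addresses, not Cloudflare's real list.

```shell
# Added example: build an nftables ruleset that accepts TCP 80/443 only from
# CDN ranges read from stdin (one CIDR per line, '#' comments allowed).
# Table name "cdn_only" is an assumption. Runs in a subshell: vars stay local.
gen_ruleset() (
    cr=$(printf '\r'); v4=""; v6=""
    re4='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
    re6='^[0-9A-Fa-f]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                     # tolerate CRLF downloads
        case $line in ''|'#'*) continue ;; esac
        # Shape check only: keeps an HTML error page or stray text out of
        # the firewall config; nft still validates the addresses on load.
        if printf '%s\n' "$line" | grep -Eq "$re4"; then
            v4="${v4:+$v4, }$line"
        elif printf '%s\n' "$line" | grep -Eq "$re6"; then
            v6="${v6:+$v6, }$line"
        else
            echo "refusing to build ruleset: bad entry '$line'" >&2
            exit 1
        fi
    done
    # An empty list would drop all web traffic; treat it as an error.
    [ -n "$v4$v6" ] || { echo "no ranges supplied" >&2; exit 1; }

    echo "table inet cdn_only {"
    echo "  chain input {"
    echo "    type filter hook input priority 0; policy accept;"
    if [ -n "$v4" ]; then
        echo "    ip saddr { $v4 } tcp dport { 80, 443 } accept"
    fi
    if [ -n "$v6" ]; then
        echo "    ip6 saddr { $v6 } tcp dport { 80, 443 } accept"
    fi
    echo "    tcp dport { 80, 443 } drop"
    echo "  }"
    echo "}"
)

# Constructed sample input: documentation ranges, not the CDN's real list.
printf '%s\n' 192.0.2.0/24 198.51.100.0/24 2001:db8::/32 | gen_ruleset
```

Review the generated ruleset before loading it with `nft -f`, and regenerate it whenever the published list changes.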