by mattlondon 1072 days ago
> This means that if people want to play nasty and find issues in our services, they first need to bypass Cloudflare’s WAF. And this is not an easy thing to do.

Is it not the case that you just need to use their IP address and you bypass essentially 100% of what cloudflare offers?

I guess a targeted attack is hard (how do you find the "real" IP?), but there may be speculative attacks just scanning through IP ranges


You default-deny all source IPs, then allowlist your CDN's IPs on your "origin server" or its network's firewall box (if you have such a thing). That's the usual way to solve this problem, anyway; IDK if that's what they're doing.

Then it doesn't matter if someone finds the IP of the actual server. Worst they can do is flood you with instantly-dropped connection attempts, but not probe services or run up your server hosting bill with large data transfers or anything like that. Scans won't find listening ports.

You can also set up TLS client authentication as a more complicated but a bit more assured method of refusing connections from anyone other than Cloudflare.

There are two ways you can handle this:

- accept traffic only from the published CloudFlare IP ranges

- connect to CloudFlare rather than accept traffic (Argo tunnel)

The first one unfortunately doesn't protect you from someone scanning from the CloudFlare ranges themselves. You can add a custom header in that case so that any traffic without the shared secret is not accepted.
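As an added example (not code from this thread or from Cloudflare), here is the default-deny origin check the replies describe, combining both layers: the TCP peer must fall inside the CDN's allowlisted ranges, and the request must carry the shared-secret header, compared in constant time. The IP ranges, header name and secret value are constructed placeholders; in practice you load the CDN's published range list and the secret from configuration.

```python
import hmac
import ipaddress

# Constructed placeholder ranges standing in for the CDN's published list
# (RFC 5737 / RFC 3849 documentation space, not Cloudflare's real ranges).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Header the CDN is configured to inject on every request it forwards to the
# origin; name and value are constructed examples for this illustration.
SHARED_SECRET_HEADER = "x-origin-secret"
SHARED_SECRET = b"constructed-example-secret"


def from_cdn(remote_ip: str) -> bool:
    """Layer 1: is the connecting peer inside an allowlisted CDN range?"""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # malformed peer address: treat as not allowlisted
    return any(addr in net for net in CDN_RANGES)


def has_valid_secret(headers: dict) -> bool:
    """Layer 2: does the request carry the shared secret?

    Header names are case-insensitive, so normalise before lookup, and use a
    constant-time comparison so a wrong guess leaks no timing information.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SHARED_SECRET_HEADER, "").encode()
    return hmac.compare_digest(presented, SHARED_SECRET)


def admit(remote_ip: str, headers: dict) -> tuple:
    """Default-deny: admit only when both layers pass; return (decision, reason).

    The secret check also covers a scanner that happens to sit inside the CDN's
    own ranges, which the IP allowlist alone cannot distinguish from the CDN.
    """
    if not from_cdn(remote_ip):
        return False, "source not in CDN ranges"
    if not has_valid_secret(headers):
        return False, "missing or wrong shared secret"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: allowlisted peer, correct header.
    print(admit("198.51.100.7", {"X-Origin-Secret": "constructed-example-secret"}))
```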