
I set up a DNS server using CloudFlare a few days ago. After that I found that CloudFlare provides a reverse proxy. In the "off-the-orange" state, I can connect to the server through ssh, but in the "orange" state, I can't.

Now I know that I have to register another A record like "ssh.domain.com" in the "off-the-orange" state; then I can get what I want. However, I can't be sure it's right.

Is there another way to connect to the server through other protocols?

ian park

2 Answers


No, there is no other way; that's exactly what Cloudflare expects you to do, see: How do I SSH? and DDoS Prevention: Protecting The Origin. Cloudflare doesn't offer a reverse proxy without DDoS protection.

If you have only one domain, you add a subdomain A record for the actual server, pointing to the server IP. Then you add a CNAME for the protected website. Cloudflare uses CNAME flattening, so it's possible to have a CNAME like my-domain.com -> actual.my-domain.com.

That setup has security implications: if someone finds out the subdomain, it exposes the real IP address and an attacker can bypass Cloudflare protection.

Cloudflare DNS is very strict in how it responds. It doesn't leak anything; you have to explicitly know the domain and record type to get an answer. I.e. dig my-domain.com ANY does not give away anything, you have to ask for a record type: dig my-domain.com A, which returns the Cloudflare proxy IP. And obviously, they don't respond to AXFR requests either, so the only way to get the actual IP from Cloudflare DNS is brute force. I have a feeling Cloudflare might detect and block such attempts.

Of course, you don't want to rely on obscurity only. Some things you could do to protect your server in case the IP/subdomain is exposed:

  • throttle ssh connections (ufw tutorial)
  • configure your HTTP server to respond only to the desired host names, i.e. my-domain.com and maybe www.my-domain.com (nginx example)
  • also, you could deny HTTP(S) connections coming from outside the Cloudflare network.
Antti Pihlaja
  • OP might have got his answer but I had notes laying around so I thought I might as well publish those. I don't remember seeing definitive answer anywhere. – Antti Pihlaja Feb 08 '17 at 15:34
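As an added illustration of the last two points in this answer (not code from the answer or from Cloudflare), the script below checks web-server log lines against Cloudflare's proxy ranges to spot clients that reached the origin directly, and flags DNS records that publish the origin IP without the orange cloud. The range list and the log/record data are constructed samples: fetch the current published Cloudflare IP list before using this for real.

```python
import ipaddress

# Sample subset of Cloudflare proxy ranges (assumption: replace with the
# list Cloudflare publishes; this is not the authoritative list).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "2400:cb00::/32",
)]

def is_cloudflare_ip(addr, ranges=CLOUDFLARE_RANGES):
    """True if addr lies inside one of the proxy ranges (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)

def filter_http_sources(log_lines, ranges=CLOUDFLARE_RANGES):
    """Classify access-log lines by the source IP in their first field.
    Returns (proxied, direct): a 'direct' hit means a client bypassed
    Cloudflare and talked to the origin, which the firewall should deny."""
    proxied, direct = [], []
    for line in log_lines:
        src = line.split()[0]
        (proxied if is_cloudflare_ip(src, ranges) else direct).append(src)
    return proxied, direct

def exposed_records(records, origin_ip):
    """records: (name, type, value, proxied) tuples as read off the DNS tab.
    Returns names whose unproxied A record reveals the origin IP."""
    return [name for name, rtype, value, proxied in records
            if rtype == "A" and not proxied and value == origin_ip]

# Constructed sample inputs (RFC 5737 addresses for the origin and client).
SAMPLE_LOG = [
    '173.245.48.10 - - [08/Feb/2017:15:34:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/Feb/2017:15:34:05 +0000] "GET /admin HTTP/1.1" 404 0',
]
SAMPLE_RECORDS = [
    ("my-domain.com", "CNAME", "actual.my-domain.com", True),
    ("actual.my-domain.com", "A", "198.51.100.20", False),   # ssh host, grey cloud
    ("www.my-domain.com", "A", "198.51.100.20", True),
]

if __name__ == "__main__":
    _, direct = filter_http_sources(SAMPLE_LOG)
    print("direct (bypass) hits:", direct)
    print("records exposing origin:", exposed_records(SAMPLE_RECORDS, "198.51.100.20"))
```

The exposed list is expected to contain exactly the deliberately unproxied ssh hostname; anything else in it is a record that should either be proxied or removed.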

The "Orange Cloud" icon on the DNS tab of your CloudFlare Dashboard indicates that all HTTP/HTTPS requests sent to that address are going to be forwarded through CloudFlare's reverse proxy system. This means that all connections will actually hit CloudFlare's server; then CloudFlare will "proxy" the connection and pull the page from your webserver.

When you proxy a connection through CloudFlare, no direct connections are created between the client and your actual web server. If you have an "A Record" in place for a purpose other than HTTP requests, you will need to create a new record without the "Orange Cloud" icon.

How to create a new record:

  1. Select the website you would like to create a new record for.
  2. Select the "DNS" tab.
  3. Select the record type you would like to create.
  4. Enter the subdomain or record name you would like to create.
  5. Enter in the details or IP you would like to point this record to.

[Image: example of how to create an "A" record in CloudFlare]

If you create a new record (like sshdirect.example.com), point it to your server's IP, and ensure that the cloud icon is grey, you can then attempt to connect to that hostname instead of your standard one.

BinaryEvolved
  • Thank you but I already know about that. My question is "Is there any other way?" can you suggest about it? – ian park Jan 08 '16 at 08:17
  • @SeongHyeonPark Are you looking for a way to still be able to enter your root domain as a hostname, but have it resolve to a different IP different to your standard A record? – BinaryEvolved Jan 11 '16 at 01:33