I set up a DNS server using CloudFlare a few days ago. After that I found that CloudFlare provides a reverse proxy. In the "off-the-orange" state, I can connect to the server through ssh, but in the "orange" state I can't.
Now I know that I have to register another A record like "ssh.domain.com" in the "off-the-orange" state; then I can get what I want. However, I can't be sure it's right.
Is there another way to connect to the server through other protocols?
No, there is no other way; that's exactly what Cloudflare expects you to do, see: How do I SSH? and DDoS Prevention: Protecting The Origin. Cloudflare doesn't offer a reverse proxy without DDoS protection.
If you have only one domain, you add a subdomain A record for the actual server, pointing to the server IP. Then you add a CNAME for the protected website. Cloudflare uses CNAME flattening, so it's possible to have a CNAME like my-domain.com -> actual.my-domain.com.
That setup has security implications: if someone finds out the subdomain, it exposes the real IP address and an attacker can bypass Cloudflare protection.
Cloudflare DNS is very strict in how they respond. They don't leak anything; you have to explicitly know the domain and record type to get the answer. I.e. dig my-domain.com ANY does not give away anything; you have to ask for a record type: dig my-domain.com A, which returns the Cloudflare proxy IP. And obviously, they don't respond to AXFR requests either, so the only way to get the actual IP from Cloudflare DNS is brute force. I have a feeling Cloudflare might detect and block such attempts.
Of course, you don't want to rely on obscurity only. Some things you could do to protect your server in case the IP/subdomain is exposed:
throttle ssh connections (ufw tutorial)
configure your HTTP server to respond only to the desired host names, i.e. my-domain.com and maybe www.my-domain.com (nginx example)
also, you could deny HTTP(S) connections coming from outside of the Cloudflare network.
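The last two items above, as an added example in nginx configuration (not the answerer's code and not the tutorials they link to). It assumes the site is my-domain.com, that the grey-cloud record ssh.my-domain.com is used only for SSH, and nginx 1.19.4 or later for ssl_reject_handshake; the Cloudflare address ranges shown are sample entries only, and the real list must be generated from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6:

```nginx
# Added example (not from the answer): origin-side nginx hardening for the
# setup described above, on the host that ssh.my-domain.com points to.

# 1. Any request that does not carry the real site name as Host gets no
#    response at all. This is what catches scanners that reach the origin
#    by its bare IP or by the SSH hostname: 444 closes the connection
#    without a reply, and the TLS handshake is refused before a
#    certificate (which would itself reveal the site name) is sent.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_reject_handshake on;   # nginx >= 1.19.4; no cert needed here
    return 444;
}

# 2. The real site answers only to the expected names and only from
#    Cloudflare's edge. The allow list below is deliberately incomplete:
#    it holds sample entries from Cloudflare's published list and must be
#    regenerated from that list (and refreshed when it changes), or
#    legitimate requests from other edge ranges will be denied.
server {
    listen 80;
    listen 443 ssl;
    server_name my-domain.com www.my-domain.com;
    ssl_certificate     /etc/nginx/my-domain.com.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/my-domain.com.key;

    allow 103.21.244.0/22;   # sample entry, see lead-in
    allow 104.16.0.0/13;     # sample entry
    allow 172.64.0.0/13;     # sample entry
    deny  all;

    # Restore the visitor's address from Cloudflare's header so logs and
    # rate limits see the client rather than the edge. The header is
    # trusted only from the same ranges the allow list admits, so a direct
    # connection cannot spoof it.
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 172.64.0.0/13;
    real_ip_header CF-Connecting-IP;

    root /var/www/my-domain.com;
}
```

The default_server block is what matters once the origin IP leaks: a request to the bare IP, or to ssh.my-domain.com on 80/443, never reaches the site. The allow/deny list is the stronger of the two controls, since it also holds when someone sends the correct Host header straight to the origin.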
The "Orange Cloud" icon on the DNS tab of your CloudFlare Dashboard indicates that all HTTP/HTTPS requests sent to that address are going to be forwarded through CloudFlare's reverse proxy system. This means that all connections will actually hit CloudFlare's server, then CloudFlare will "proxy" the connection and pull the page from your webserver.
When you proxy a connection through CloudFlare, no direct connections are created between the client and your actual web server. If you have an "A Record" in place for a purpose other than HTTP requests, you will need to create a new record without the "Orange Cloud" icon.
How to create a new record:
Select the website you would like to create a new record for.
Select the "DNS" tab.
Select the record type you would like to create.
Enter the subdomain or record name you would like to create.
Enter in the details or IP you would like to point this record to.
Example:
If you create a new record (like sshdirect.example.com), point it to your server's IP, and ensure that the cloud icon is grey, you can then attempt to connect to that hostname instead of your standard one.
Related
I am setting up a WebDAV server behind traefik using docker compose. Also, I want to add HTTPS support to it, so as to keep my data private. I bought a domain name and prefer to use Let's Encrypt, because it's free of charge.
But as far as I know, Let's Encrypt requires a TLS, HTTP or DNS challenge. While the last option seems to be only for big companies who own the public DNS server, the other two options need port 80 or 443. The problem is that these 2 ports are both blocked by the ISP. So is there any workaround? How can I make it work?
While the last option seems to be only for big companies who own the public DNS server
If you own the domain, you should have full control over the DNS records — free of charge, by going to the vendor you bought the domain from and finding the section for the DNS controls. If you have your domain pointing to your IP address, you've already used it, probably by adding an A or AAAA record. The Let's Encrypt DNS challenge requires only a TXT record, which should be available on virtually every domain registrar's DNS controls.
I set up Cloudflare with SSL and a 301 redirect to SSL this morning. Everything seemed to work, but now I'm back on HTTP and the redirect is not working. I'm trying to figure out why, and the DNS system is sometimes a bit hard to decipher. I'm using a Swedish registrar, Loopia. Loopia in turn passes the DNS records to Cloudflare.
Is there some way to figure out if I even go through Cloudflare any more?
To determine which name servers you have set:
dig NS DOMAIN
This should only return Cloudflare name servers (unless you enabled Cloudflare via your hosting provider's integration). If you see other name servers in addition to the Cloudflare name servers, that indicates you left your other name servers in place at the time you set up Cloudflare. To use Cloudflare you'd need to remove all name servers other than the ones they provide. Other name servers being in place would return non-Cloudflare IPs, which would explain the behavior you're seeing.
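Two checks from the answers above can be scripted against dig output: that the TXT record for the Let's Encrypt DNS challenge is actually published (the answer about the DNS challenge), and that the delegation contains only Cloudflare name servers (the dig NS answer just above). The helpers below are an added example, not part of either answer. They read "dig +short" output on stdin rather than querying DNS themselves, so they can be tested offline with constructed input; the _acme-challenge label is the one Let's Encrypt uses, and the *.ns.cloudflare.com pattern is the shape of Cloudflare's name server hostnames:

```shell
#!/bin/sh
# Added example: interpret "dig +short" output without hitting the network.
# Usage:
#   dig +short NS my-domain.com | ns_status
#   dig +short TXT _acme-challenge.my-domain.com | has_acme_txt "<token>"

# Classify a domain's delegation from its NS records (one per line).
# Prints one of: cloudflare-only | mixed | no-cloudflare | empty
# "mixed" is the case the answer warns about: a resolver may ask the
# non-Cloudflare server and be handed the origin IP instead of the proxy.
ns_status() {
    cf=0; other=0
    while read -r ns; do
        [ -z "$ns" ] && continue
        case "$ns" in
            *.ns.cloudflare.com|*.ns.cloudflare.com.) cf=$((cf + 1)) ;;
            *) other=$((other + 1)) ;;
        esac
    done
    if [ "$cf" -eq 0 ] && [ "$other" -eq 0 ]; then echo empty
    elif [ "$other" -eq 0 ]; then echo cloudflare-only
    elif [ "$cf" -eq 0 ]; then echo no-cloudflare
    else echo mixed
    fi
}

# Confirm the ACME validation token is visible as a TXT record.
# dig prints TXT data in double quotes, so quotes are stripped before
# comparing. Returns 0 when the expected token is among the answers,
# 1 otherwise (e.g. the registrar's change has not propagated yet).
has_acme_txt() {
    want=$1
    while read -r txt; do
        clean=$(printf '%s' "$txt" | tr -d '"')
        [ "$clean" = "$want" ] && return 0
    done
    return 1
}
```

Run ns_status before anything else when Cloudflare behaviour seems to come and go: "mixed" or "no-cloudflare" means some resolvers are not going through Cloudflare at all, which is the situation described in the question. Run has_acme_txt with the token the ACME client asked you to publish before telling the client to continue, so that a not-yet-propagated record does not burn a validation attempt.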
I have a question which I hope somebody can answer for me.
My situation: I have an Ubuntu Server running Apache2 on an EC2 Amazon instance, which is serving an OwnCloud instance.
My goal: I want to deploy HTTPS on this instance. I already configured the security group to allow HTTPS traffic from anywhere (as the server should be accessible from anywhere on the internet). We already have a domain name bar.com registered at another domain hosting company. But we want to point foo.bar.com to this owncloud installation.
My questions:
1) Which IP address do I use to configure the DNS at this domain hosting company? Because the public IP address and public DNS of the EC2 instance are renewed every time the instance restarts.
2) How do I generate the SSL certificate for the HTTPS configuration of Apache2? More specifically, which common name (CN) do I need to put in the certificate? Because the public DNS of the EC2 instance changes on every restart. I think if I put the foo.bar.com CN in the certificate, the browser will throw a certificate error once the user gets redirected from foo.bar.com -> .compute.amazonaws.com, am I right?
In short: how do I deploy HTTPS on an EC2 instance at Amazon AWS with DNS at a third-party domain name service?
To deal with the changing public IP address you've got two options. First (and, for simple situations, best): go to the Elastic IP page, get an EIP and associate it with your instance; this association, and hence the public IP, will hang around even after start/stop. You can even move the EIP over to a different machine if you need to. This option is very cheap (you only get charged for an EIP if it's not attached to a started server). You're then safe to point your DNS at the EIP. The alternative option is much more powerful, and that is to use ELB (load balancing), but it also involves a fair amount more work to set up.
I assume if you're asking about CNs you don't really want a "how to" on creating an SSL cert (please correct me if I'm wrong). For the CN you just use the domain name; it doesn't matter what IP address the name resolves to, the cert is for the domain. If you have your own domain to point at your EIP you don't need to care about the machine's public hostname. A user will never see it.
Ok so I have a domain registered, for these purposes I will refer to it as mydomain.com.
I also have Shared Hosting (just fyi) so I may be restricted in doing what I am planning.
So basically I have a sub-domain, gserver.mydomain.com, which points to a directory on the host server showing basically a separate website for this subdomain, displaying information about its corresponding gameserver.
Since it's about a gameserver, naturally I would want gserver.mydomain.com to also direct users to the gameserver's IP, but I can't have it point to both the web server and the game server in the zone record as they are separate IPs.
If the gameserver listens on, let's say, port 2400, then is it possible to have gserver.mydomain.com:2400 point to another IP (the gameserver's IP) while still retaining the web host's IP on port 80?
I have a general idea of how to go about it, but with the current hosting plan, restrictions may be preventing me.
Talking about DNS, it's not possible to use port (TCP or UDP) information, as it handles only names/IPs (basically).
So, gserver.mydomain.com will always be resolved to the IP in the DNS database, regardless of the :port. Actually, the :port is not part of the DNS name.
If all of your servers will be HTTP servers and you have access to an Apache web server, you can use something like proxy_pass.
You can take a look at this link: http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
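As an added example of the proxy_pass idea (not from the answer and not from the linked documentation): if the game server also spoke HTTP, the web host's Apache could forward part of the gserver.mydomain.com site to it, since the routing then happens on the Host header and path rather than in DNS. The game server address 192.0.2.10 and the /play/ path are assumptions, and the directives require mod_proxy and mod_proxy_http to be enabled:

```apache
# Added example (not from the answer): one hostname, two backends,
# split at the HTTP layer because DNS cannot carry a port.
<VirtualHost *:80>
    ServerName gserver.mydomain.com

    # The informational site stays on the web host.
    DocumentRoot /var/www/gserver

    # Never act as an open forward proxy; only the explicit mappings below.
    ProxyRequests Off
    # Pass the original Host header so the backend sees gserver.mydomain.com.
    ProxyPreserveHost On

    # /play/... is forwarded to the game server's HTTP listener
    # (192.0.2.10:2400 is an assumed, documentation-range address).
    # ProxyPassReverse rewrites Location headers in redirects it sends back.
    ProxyPass        /play/ http://192.0.2.10:2400/
    ProxyPassReverse /play/ http://192.0.2.10:2400/
</VirtualHost>
```

This only works for HTTP, which is the condition the answer states: a game client opening gserver.mydomain.com:2400 still resolves the name through DNS and lands on the web host, not on the game server.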
I have an apache HTTP server set up in my computer. Can I access it from anywhere over the internet? I don't have a registered domain for my server.
You can access it if you tell your router to forward your HTTP port. If your router does not know to forward it, you will only be able to access it on your local network. You do have to buy a domain, unless you just access the network-wide IP; you can find this on whatsmyip. So, to summarize, you need to do 2 things: (1) tell your router to forward the HTTP port, and (2) access it via the internet by means of your IP (unless you buy a domain name).
UPDATE
Of course this is one of those "easier said than done" and "one size does not fit all" things. There will probably be a set of difficulties that come along with your attempts to access your HTTP server. I would suggest googling some tutorials.