Cloudflare configuration for GUI DDoS Protection
Kolmisoft is not related to Cloudflare. Kolmisoft does not provide support for Cloudflare products and is not responsible for any damage caused using Cloudflare products. Please use this guide at your own risk.
Description
Cloudflare is a third-party company (not related to Kolimosft) that offers basic free Web DDoS Protection. This guide will show how to configure MOR GUI with Cloudflare protection. Make sure to read the notes below to decide if Cloudflare Web DDoS Protection is suitable in your case.
Important Notes
- This guide shows only how to configure basic Web DDoS Protection (HTTP and HTTPS) using the domain name. It will have no effect if DDoS attack uses other protocols.
- After configuration, switch GUI domain name will point to Cloudflare IPs. This means that the domain name can be used only for GUI access, it is not possible to use the same domain for GUI and SIP traffic. Any other non GUI traffic (for example SSH), will not work using the configured domain name.
- All GUI traffic using domain name will originate from Cloudflare IPs.
- Logs for GUI access in MOR will show Cloudflare IPs, not the real IPs.
- Cloudflare IPs must be whitelisted (not blocked) to access switch GUI in order for GUI to work.
- Blocked Countries will not block real IPs for GUI access as packets will reach the switch from Cloudflare IPs.
Configuration
Before Proceeding
Before Proceeding you must already have:
- Domain name which points to switch IP.
- Access to the admin account for your domain registrar.
Basic Setup
1. Go to https://www.cloudflare.com/ and sign up.
2. After Sign Up press on 'Add website or application' button
3. Enter the domain name which you control and which points to Switch GUI. Enter it in the format *example.com* (*not* www.example.com and not http(s)://www.example.com) and click 'Continue'
4. Cloudflare will show available plans. You can select a free one for basic protection, or paid options for more advanced configuration/protection.
5. After plan selection, in a few moments, Cloudflare will scan the domain for all the records associated with this domain and will show these records. Once Scan is complete, click 'Continue' (you will always be able to modify DNS records in DNS->Records section).
6. At this point, Cloudflare will show DNS nameservers that you will need to add from your domain registrar account.
In this example, the name servers in the red rectangle are old ones (you will need to remove them from your domain registrar account. ), and the nameservers in the green rectangle are new Cloudflare nameservers that you will need to add your domain registrar account (The values will be different than in this example).
To complete this step, please review the configuration here https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/
In Update your registrar section, you will find links to documentation for many common domain registrars, so follow the link that matches your domain registrars.
If your domain registrar is not documented here, please check the documentation on your domain registrar site or contact their support.
7. After name servers have been updated in your domain registrar to Cloudflare ones, Cloudflare will detect this automatically after some time. Once this is done configuration is completed. Check the 'Verify changes' section here to get more details on how to verify that Cloudflare is active.
After the Setup
Once the Basic setup is completed, and GUI traffic to switch domain is routed through Cloudflare, you might want to configure custom rules.
The main configuration is done in the Security -> WAF section. Here, for example, you can create rate limiting rules, o IP access rules (for example Block specific countries, or force catchpa on Specific countries, etc). For more information, please check the documentation for WAF
Blocking GUI access for non-Cloudflare IPs
When a domain name is imported into Cloudflare, it will point to Cloudflare IPs, so real server IP will not be visible by querying the domain, however, it is easy to leak real server IP. If an attacker knows a real server IP, it can launch an attack using the IP directly (not the domain name) and bypass Cloudflare protection.
So the best practice is to block GUI (80 and 443 ports) access for all IPs, except the Cloudflare IPs and servers' internal/external IPs. It is best to block GUI access both on the Data Center level and in iptables directly on the server
Blocking GUI access on the Data Center level
If the switch is hosted as a dedicated server or as VM in the cloud, it is best to block GUI access using Provider firewall, for example
- Hetzner Firewall if switch is hosted as dedicated server in Hetzner,
- OVH firewall If the Switch is hosted as a dedicated server in OVH,
- AWS Security Groups and/or NACL if the switch is hosted as an instance in AWS.
Blocking GUI access on the Server with iptables
...
Https
Once the domain name is added to Cloudflare, it will automatically add a valid TLS/SSL certificate.
If you want to use custom certificates, you will need to upload them into Cloudflare .
It is also possible to allow only https traffic (redirect http automatically to https) from Cloudflare. If you want this, follow the configuration here