Cloudron Forum
    Solved Is the (Cloudflare) auto-DNS setup secure using "DNS Only", as opposed to "Proxied"
    Discuss
    Tags: cloudflare, dns, security
    • marcusquinn
      marcusquinn last edited by girish

      "DNS Only" exposes the server IP address.

      Doesn't this make a DDoS on the server IP more likely if an attacker bypasses the Cloudflare WAF on the domain to go straight for the server IP?

      We're not here for a long time - but we are here for a good time :)
      Jersey/UK
      Work & Ecommerce Advice: https://brandlight.org
      Personal & Software Tips: https://marcusquinn.com

      • girish
        girish Staff last edited by girish

        @marcusquinn Yes, the default setup is simply to set up the DNS to point to the server IP. One can enable provider-specific options like Proxied mode, WAF etc. from Cloudflare's control panel. If you switch to Proxied, Cloudron won't overwrite the flag during future DNS operations (there is special code for this).

        The default is chosen for various reasons:

        • Email server does not work with Cloudflare proxying since Cloudflare will only proxy HTTP. The email server is used a lot on Cloudron.

        • SFTP does not work

        • A typical support request we get is people trying to SSH into the server as ssh root@my.domain.com and then telling us the server is unreachable. We then have to tell them it's because of Cloudflare proxying.

        • Many users (of Cloudflare) don't understand the implications of proxying, i.e. all traffic now goes via Cloudflare and Cloudflare can read it. Whether this is a privacy issue or not is entirely based on whether you trust Cloudflare.

        With this in mind, we decided it's not our decision to make and it's best if the customer makes this choice explicitly themselves instead of us doing it auto-magically. Maybe we can add an option to turn this on in Cloudron's control panel (if only for convenience)? I am open to other ideas.

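An added example (not code from Cloudron or from anyone in this thread) that models the two points made above in Python: a routine IP update that carries an existing record's `proxied` flag through unchanged, and an audit that reports records which are Proxied on hosts serving non-HTTP protocols (mail, SFTP, SSH, which Cloudflare's proxy does not carry) or which are DNS Only and therefore publish the origin IP. The record shape (name/type/content/proxied), the hostnames, the IPs and the set of non-HTTP hosts are constructed assumptions; nothing here calls the Cloudflare API.

```python
"""Audit a zone's A records for the "DNS Only" vs "Proxied" trade-off."""
from typing import Dict, List, Set

Record = Dict[str, object]

# Constructed sample records. The field names follow the shape of Cloudflare DNS
# record objects as an assumption; hostnames are made up and the IPs are from the
# RFC 5737 documentation range.
EXISTING_RECORDS: List[Record] = [
    {"name": "my.example.com",   "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "mail.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "blog.example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "git.example.com",  "type": "A", "content": "203.0.113.10", "proxied": False},
]

# Hosts that expose non-HTTP services (SMTP/IMAP, SFTP, SSH). Which hosts these are is
# deployment-specific; this set is an assumption for the example.
NON_HTTP_HOSTS: Set[str] = {"mail.example.com", "git.example.com"}


def plan_updates(existing: List[Record], new_ip: str, hostnames: List[str]) -> List[Record]:
    """Build A-record payloads that point `hostnames` at `new_ip`.

    An existing record's `proxied` flag is carried over untouched, so an operator's
    decision to switch a host to Proxied survives a routine IP change. Hosts with no
    existing record get the DNS Only default (proxied=False).
    """
    by_name = {r["name"]: r for r in existing if r["type"] == "A"}
    payloads: List[Record] = []
    for host in hostnames:
        current = by_name.get(host)
        payloads.append({
            "name": host,
            "type": "A",
            "content": new_ip,
            "proxied": bool(current["proxied"]) if current else False,
        })
    return payloads


def proxying_conflicts(records: List[Record], non_http_hosts: Set[str]) -> List[str]:
    """Hosts that are Proxied but serve non-HTTP protocols: proxying makes them unreachable."""
    return sorted(r["name"] for r in records
                  if r["type"] == "A" and r.get("proxied") and r["name"] in non_http_hosts)


def exposed_origin_hosts(records: List[Record]) -> List[str]:
    """DNS Only A records: these publish the origin IP directly (the first post's concern)."""
    return sorted(r["name"] for r in records if r["type"] == "A" and not r.get("proxied"))


if __name__ == "__main__":
    for payload in plan_updates(EXISTING_RECORDS, "203.0.113.20", ["my.example.com", "mail.example.com"]):
        print("update:", payload)
    print("proxied but non-HTTP:", proxying_conflicts(EXISTING_RECORDS, NON_HTTP_HOSTS))
    print("origin IP visible on:", exposed_origin_hosts(EXISTING_RECORDS))
```

Running the audit before and after an IP change is the useful part: `proxying_conflicts` should stay empty (otherwise mail or SSH on that host just broke), and `exposed_origin_hosts` lists exactly the hosts for which the origin-side DDoS concern still applies and where network-level protection at the host matters.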
        • marcusquinn
          marcusquinn @girish last edited by

          @girish I seeeeee! You've thought all this through before! OK, I learned new things from your explanation.

          Prob one just for the documentation then, unless you think a per-app setting would be easy enough? It's only saving going into Cloudflare to delete and re-add the records, but then my next research is going to be into https://dnsmadeeasy.com.

          TBH I think Cloudflare is more of a pied-piper following for their good marketing than for the essentials that are often better handled at the host (like anti-DDoS, for which I do like Hetzner covering on the network level).

          • jimcavoli
            jimcavoli App Dev last edited by

            Figured it'd be better to revive this thread than to start a new one at the moment, but given the split of box vs app concerns, and the new addition of being able to separate the mail server from the "my" subdomain, it seems more likely that the option to check a box for setting up proxied records could be added for the Cloudflare DNS provider.

            • girish
              girish Staff @jimcavoli last edited by

              @jimcavoli Yes, I think that's a good idea. Can you open a new thread in https://forum.cloudron.io/category/97/feature-requests ?

              • mehdi
                mehdi App Dev @girish last edited by

                @girish If you guys decide to implement a checkbox for this, I strongly suggest a warning message to warn users that Cloudflare will be able to read all their traffic.

                • jimcavoli
                  jimcavoli App Dev @girish last edited by

                  @girish Done - https://forum.cloudron.io/topic/3777/support-optional-cloudflare-proxied-record-creation
