Restrict NGINX to Cloudflare IPs only #3439
Comments
+1. I guess using iptables configuration might be better to avoid server overload, but if NGINX config is much easier to change, it's fine too.
Wouldn't the solution to that be to copy the Cloudflare agent filtering rules down to NGINX for the requests to direct.nodejs.org?
Maybe it is, and I've misunderstood its purpose. If that is the case though, it is forever going to get used by folks who want to get around blocking etc., or just don't know any better, and will keep putting additional load on the origin with no caching (and leave the origin incredibly open to DDoS etc.).
I'm not saying to proxy it through Cloudflare; I mean just copy those same firewall rules to NGINX (https://www.cyberciti.biz/faq/unix-linux-appleosx-bsd-nginx-block-user-agent/) if you think people are using it to bypass those specific rules.
Ah yeah, we could move the restrictions to NGINX as well as Cloudflare (or remove them from Cloudflare at that point). It still leaves the origin exposed to the world without caching though, which isn't great :/
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.
I don't believe this is stale, as NGINX is still serving some routes via Cloudflare.
Currently, anyone can access direct.nodejs.org, bypassing the Cloudflare CDN, caching and protection. It is relatively well documented that folks are using this to get around some of the blocking that was put in place for misconfigured Artifactory instances etc.
The NGINX config should be updated such that it only accepts connections from Cloudflare, removing the ability to make HTTP requests to direct.nodejs.org. As I understand it, the hostname itself needs to remain (unproxied) for SSH access etc., but I don't believe there is any need for direct HTTP access, so I believe this should be fine to do?
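An added example (not the nodejs/build repository's own configuration) of the NGINX change the issue asks for: the `direct.nodejs.org` server only answers connections whose TCP peer is a Cloudflare address, and it checks `$realip_remote_addr` rather than `$remote_addr` because, once `real_ip_header CF-Connecting-IP` has run, `$remote_addr` already holds the end user's IP and a plain `allow`/`deny` list on it would wave direct clients through. The CIDRs, certificate paths and document root are placeholders; the real address lists must be taken from Cloudflare's published https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and refreshed when they change.

```nginx
# http context. CIDRs below are CONSTRUCTED PLACEHOLDERS (RFC 5737 / RFC 3849
# documentation ranges); replace them with Cloudflare's current ips-v4/ips-v6 lists.

# Trust the client address Cloudflare forwards, but only from Cloudflare peers.
set_real_ip_from 192.0.2.0/24;     # placeholder Cloudflare IPv4 range
set_real_ip_from 2001:db8::/32;    # placeholder Cloudflare IPv6 range
real_ip_header   CF-Connecting-IP;

# Classify the *TCP peer* ($realip_remote_addr), which is still Cloudflare's
# edge address after the realip module has rewritten $remote_addr.
geo $realip_remote_addr $from_cloudflare {
    default        0;
    192.0.2.0/24   1;   # same placeholder ranges as the set_real_ip_from list
    2001:db8::/32  1;
}

# Catch-all: requests for any other hostname get the connection closed.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder path
    return 444;
}

server {
    listen 80;
    listen 443 ssl;
    server_name direct.nodejs.org;   # hostname named in the issue
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder path

    # Not from Cloudflare: close the connection without sending a response,
    # so the origin neither serves content nor reveals itself to direct clients.
    if ($from_cloudflare = 0) {
        return 444;
    }

    location / {
        root /srv/www/placeholder;   # placeholder document root
    }
}
```

Check the result from a non-Cloudflare address with `curl -v https://direct.nodejs.org/` and expect an empty reply rather than content; requests through the Cloudflare-proxied hostname should keep working, and `$remote_addr` in the access log should show the end-user address rather than the edge.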