Security controls bypass or absence - Cloudflare

Need

Implementation of robust security controls and measures to prevent bypassing of Cloudflare

Context

  • Usage of Go 1.16 for building high-performance and scalable applications
  • Usage of gin-gonic/gin for building web applications in Go

Description

Non compliant code

package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()
	r.GET("/ping", func(c *gin.Context) {
		c.JSON(200, gin.H{
			"message": "pong",
		})
	})
	// Binds to every interface, so the origin is reachable without going through Cloudflare.
	r.Run(":8080") // listen and serve on 0.0.0.0:8080
}

This is a simple Go application using the Gin framework. The application listens on all network interfaces (0.0.0.0) on port 8080. It has a single route ("/ping") that responds with a JSON body containing the message "pong".

The vulnerability lies in the fact that the application listens on all network interfaces, including the public one. This means that anyone who learns the server's IP address can bypass Cloudflare and send requests directly to the origin. Such requests skip every security measure Cloudflare provides, such as DDoS protection and the Web Application Firewall (WAF).

The application should be configured to only listen on the localhost interface (127.0.0.1) or a private network interface, and all public traffic should be routed through Cloudflare. This way, if someone tries to connect directly to the server's IP, they will not be able to reach the application.

Steps

  • Implement proper security controls to prevent direct access to the server's IP address.
  • Configure Cloudflare to enforce all traffic to go through its network.
  • Ensure that the server's IP address is not exposed in any public DNS records or other public sources.
  • Regularly monitor and review the server's access logs for any unauthorized direct access attempts.
  • Consider implementing additional security measures such as rate limiting, IP whitelisting, or firewall rules to further protect the server.

Compliant code

package main

import (
	"github.com/gin-gonic/gin"
	"github.com/cloudflare/cf-ip-rewrite"
)

func main() {
	r := gin.Default()
	// Middleware that handles Cloudflare's client-IP headers for every request.
	r.Use(cfiprewrite.Default())
	r.GET("/ping", func(c *gin.Context) {
		c.JSON(200, gin.H{
			"message": "pong",
		})
	})
	// Bind to the loopback interface only; public traffic must arrive through Cloudflare.
	r.Run("127.0.0.1:8080") // listen and serve on 127.0.0.1:8080
}

The updated code includes the use of the cf-ip-rewrite middleware from Cloudflare. This middleware helps to ensure that all incoming traffic to the server is routed through Cloudflare's network, thus preventing direct access to the server's IP address.

The middleware is added to the Gin engine using the Use() function, which applies it to all incoming HTTP requests. This means that any attempt to bypass Cloudflare and directly access the server's IP address will be blocked.

In addition to this code change, it's important to also configure Cloudflare to enforce all traffic to go through its network. This can be done in the Cloudflare dashboard under the settings for your domain.

Furthermore, ensure that the server's IP address is not exposed in any public DNS records or other public sources. Regularly monitor and review the server's access logs for any unauthorized direct access attempts.

Consider implementing additional security measures such as rate limiting, IP whitelisting, or firewall rules to further protect the server. These measures can help to mitigate the risk of a security breach and ensure that your server remains secure.
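The origin-side check described in the steps above, as an added example that is not part of the original page and does not use the cf-ip-rewrite middleware: a standard-library handler wrapper that refuses any TCP peer outside a set of edge CIDRs with 403, and only for trusted peers reads CF-Connecting-IP as the client address. The ranges, addresses and handler names are constructed samples, and the listener binds to loopback as the description recommends.

```go
package main

import (
	"log"
	"net"
	"net/http"
)

// Constructed sample ranges; in production load the current list from https://www.cloudflare.com/ips/.
var sampleEdgeRanges = []string{"203.0.113.0/24", "2001:db8:cf::/48"}

// cloudflareOnly serves a request only when the TCP peer is inside one of the CIDRs (else 403,
// closing the direct-to-origin bypass) and then exposes CF-Connecting-IP as the client address.
func cloudflareOnly(cidrs []string, next http.Handler) (http.Handler, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		ip, trusted := net.ParseIP(host), false // ip is nil on parse failure
		for _, n := range nets {
			trusted = trusted || (ip != nil && n.Contains(ip))
		}
		if !trusted {
			http.Error(w, "direct origin access is not permitted", http.StatusForbidden)
			return
		}
		if client := r.Header.Get("CF-Connecting-IP"); client != "" {
			r.RemoteAddr = net.JoinHostPort(client, "0")
		}
		next.ServeHTTP(w, r)
	}), nil
}

func main() {
	pong := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(`{"message":"pong"}`))
	})
	h, err := cloudflareOnly(sampleEdgeRanges, pong)
	if err != nil {
		log.Fatal(err)
	}
	// Bind to loopback, not 0.0.0.0, so the listener is unreachable from the public internet.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```

The header is trusted only after the peer check passes, because a direct client can set CF-Connecting-IP to any value it likes.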

References