...

Schematically, the service architecture looks like this:

[Drawio sketch: cloudflared]

...

Note

If you use Cloudflare as a mere CDN, you have to ensure that requests can't bypass the CDN front. Clients can ignore the public DNS entries and connect directly to the origin web servers. Sure, that may not matter for small-scale services. But it is an issue, because a direct-to-origin request gets:

  • no Web Application Firewall

  • no rate limits (against login brute forcing)

  • no DDoS protection

  • …

Why pay for a security-featured CDN if an attacker needs 10s to bypass all the controls?

With the cloudflared approach, you don't have that problem. Cloudflare also publishes a list of IPv4 and IPv6 ranges for its edge, which you can allowlist when you want to glue the CDN / Service Edge to your Load Balancer / web front:

https://www.cloudflare.com/en-gb/ips/

Restricting this channel via AWS Security Groups, iptables etc. can be complex, and the allowlist has to be kept in sync with the published ranges.
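As an added example (not code from the page or from Cloudflare), the script below shows the two halves of the origin-lockdown idea: it parses a one-CIDR-per-line edge list in the format Cloudflare publishes, generates iptables/ip6tables rules that only accept 443 from those ranges, and scans access-log lines for peers that did not come through the edge, i.e. the bypass the note above warns about. The ranges and log lines are constructed documentation prefixes, not the real published list.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample in the published one-CIDR-per-line format
# (RFC 5737 / RFC 3849 documentation prefixes, NOT Cloudflare's real ranges).
EDGE_RANGES_TEXT = """\
# edge ranges (constructed sample)
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
"""

# Constructed access-log lines; the first field is the TCP peer address.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 87
2001:db8::1 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 2048
"""

def parse_ranges(text: str) -> List[ipaddress._BaseNetwork]:
    """Parse one-CIDR-per-line text into networks, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

EDGE_NETS = parse_ranges(EDGE_RANGES_TEXT)

def is_edge_ip(ip: str, nets=EDGE_NETS) -> bool:
    """True if the peer address belongs to one of the edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)  # v4/v6 mismatch simply yields False

def iptables_rules(nets=EDGE_NETS, port: int = 443) -> List[str]:
    """Accept the port only from edge ranges, then drop the rest (review before use)."""
    rules = [f"{'ip6tables' if n.version == 6 else 'iptables'} "
             f"-A INPUT -p tcp --dport {port} -s {n} -j ACCEPT" for n in nets]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

def bypass_attempts(log_lines: Iterable[str], nets=EDGE_NETS) -> List[str]:
    """Peer IPs that reached the origin without passing the edge: worth alerting on."""
    hits = []
    for line in log_lines:
        peer = line.split(" ", 1)[0]
        try:
            if not is_edge_ip(peer, nets):
                hits.append(peer)
        except ValueError:
            continue  # malformed line, not an IP
    return hits
```

Behind a CDN the peer address of a legitimate request is always an edge node; the real client is only visible in the forwarded header, so any non-edge peer in the origin log is a bypass.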

...