...
In simple terms: it’s a combination of
You can achieve roughly the same with SSH reverse shells and tunnels. But you won't, because you want someone else to simplify this for you. At scale.
...
Schematically, the service architecture looks like this:
Drawio sketch
...
access control on the Service Edge (perimeter)
DNS (probably)
tunnel termination (cloudflared connects outbound from the origin to the edge over QUIC, falling back to HTTP/2; the origin itself needs no inbound port)
channels get opened, HTTP ↔ TCP (for SSH or RDP) ↔ trusted request (identified)
HTTP ↔ request (reverse tunneled via the Service Edge, CDN-accelerated)
...
Note: If you use Cloudflare as a mere CDN, you have to ensure that requests don't bypass the CDN front. Clients can override DNS entries and connect directly to the web servers. Sure, that may not be an issue for small-scale services. But it is an issue because:
Why pay for a CDN security feature if an attacker needs ten seconds to bypass all the controls? With the published Cloudflare IP ranges (https://www.cloudflare.com/en-gb/ips/) you can restrict the origin so that it only accepts connections coming from the edge, but doing that via AWS Security Groups, iptables etc. can be complex.
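To make the bypass problem concrete, here is an added example (not code from the original post) of the two origin-side checks a practitioner would want: a network allowlist rendered as iptables rules, and an application-level check that only trusts the `CF-Connecting-IP` header when the TCP peer really is the CDN. The CIDR list is a constructed snapshot used for illustration only; the authoritative list has to be fetched from https://www.cloudflare.com/en-gb/ips/ and refreshed, because the ranges change.

```python
"""Origin-side checks that traffic actually came through the CDN front.

Added example, not code from the original post. The CIDR list below is a
constructed snapshot for illustration; fetch the live list (ips-v4/ips-v6)
from https://www.cloudflare.com/en-gb/ips/ and refresh it on a schedule.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed snapshot (subset). Do not hard-code this in production.
CF_RANGES_SNAPSHOT = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "141.101.64.0/18",
    "108.162.192.0/18",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "2400:cb00::/32",
    "2606:4700::/32",
]


def build_allowlist(cidrs: Iterable[str]) -> List[Network]:
    """Parse the CIDRs once; strict=True makes a malformed entry fail loudly."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_cdn(peer_ip: str, allowlist: List[Network]) -> bool:
    """True only if the TCP peer address (never a header) is in a CDN range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowlist)


def effective_client_ip(peer_ip: str, headers: Dict[str, str],
                        allowlist: List[Network]) -> str:
    """Trust CF-Connecting-IP only when the peer is the CDN.

    A client that bypassed the CDN can set that header to anything, so in
    that case the peer address is the real client and the header is ignored.
    """
    if is_from_cdn(peer_ip, allowlist):
        return headers.get("CF-Connecting-IP", peer_ip)
    return peer_ip


def render_iptables_rules(cidrs: Iterable[str], ports=(80, 443),
                          chain: str = "INPUT") -> List[str]:
    """Emit ACCEPT rules for the CDN ranges on the web ports, then DROP the rest.

    IPv6 ranges go to ip6tables. The commands are returned as strings rather
    than executed so they can be reviewed (and diffed) before being applied.
    """
    rules = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=True)
        tool = "ip6tables" if net.version == 6 else "iptables"
        for p in ports:
            rules.append(f"{tool} -A {chain} -p tcp --dport {p} -s {net} -j ACCEPT")
    # -A appends, so the DROP rules land after the ACCEPTs and act as the default.
    for tool in ("iptables", "ip6tables"):
        for p in ports:
            rules.append(f"{tool} -A {chain} -p tcp --dport {p} -j DROP")
    return rules


if __name__ == "__main__":
    allow = build_allowlist(CF_RANGES_SNAPSHOT)
    print(is_from_cdn("173.245.48.10", allow), is_from_cdn("8.8.8.8", allow))
    print("\n".join(render_iptables_rules(CF_RANGES_SNAPSHOT)))
```

Two caveats. First, the IP allowlist only proves the peer is some Cloudflare edge node, not that it is serving your zone: any other Cloudflare customer can point their hostname at your origin and reach it through the same ranges, which is what Cloudflare's Authenticated Origin Pulls (origin mTLS) is for. Second, the tunnel architecture described in this post sidesteps the whole problem, because the origin has no public listener at all.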
...
Login policies etc. are applied. This is a useless host. When people hear fuzzing, they associate it with zero-days. I assure you, if I had many zero-days, I'd be somewhere in the Bahamas. And I wouldn't host them this way.
A request comes in:

1. DNS resolution of `fuzzing.osroadwarrior.info` to the Service Edge
2. The request gets forwarded to the public hostname of that tunnel service (HTTP)
3. The request gets translated here (RDP) and routed to the `cloudflared` daemon
4. The daemon takes the request and forwards it to our KVM guest (`192.168/24`)
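Steps 3 and 4 are decided by the tunnel's ingress rules. The following is an added example, not code from the original post or from cloudflared itself: it models the documented rule semantics (rules evaluated top to bottom, first match wins, the last rule must be a catch-all) against a constructed ingress list of the same shape as the `ingress:` section of a cloudflared `config.yml`. The `192.168.0.10` target and every hostname other than `fuzzing.osroadwarrior.info` are assumptions.

```python
"""Model of the hostname -> internal service step of a cloudflared tunnel.

Added example, not code from the original post or from cloudflared. It mirrors
the documented ingress semantics: first matching rule wins, hostname supports
a leading wildcard, path is a regex, and the final rule must be a catch-all.
"""
import fnmatch
import re
from typing import Dict, List

# Constructed ingress list (same shape as `ingress:` in config.yml).
# The RDP target address and the *.example.invalid hostnames are placeholders.
INGRESS: List[Dict[str, str]] = [
    {"hostname": "fuzzing.osroadwarrior.info", "service": "rdp://192.168.0.10:3389"},
    {"hostname": "ssh.example.invalid", "service": "ssh://192.168.0.11:22"},
    # More specific rule first: block the admin path before the broad match.
    {"hostname": "*.web.example.invalid", "path": "^/admin", "service": "http_status:403"},
    {"hostname": "*.web.example.invalid", "service": "http://192.168.0.12:8080"},
    {"service": "http_status:404"},  # catch-all; cloudflared requires this last
]


def validate_ingress(rules: List[Dict[str, str]]) -> None:
    """cloudflared refuses to start unless the last rule has no hostname/path."""
    if not rules or "hostname" in rules[-1] or "path" in rules[-1]:
        raise ValueError("last ingress rule must be a catch-all (no hostname/path)")


def route(rules: List[Dict[str, str]], hostname: str, path: str = "/") -> str:
    """Return the internal service a request is forwarded to (first match wins)."""
    validate_ingress(rules)
    host = hostname.lower().rstrip(".")
    for rule in rules:
        host_ok = "hostname" not in rule or fnmatch.fnmatchcase(host, rule["hostname"].lower())
        path_ok = "path" not in rule or re.search(rule["path"], path) is not None
        if host_ok and path_ok:
            return rule["service"]
    raise AssertionError("unreachable: the catch-all rule always matches")


if __name__ == "__main__":
    for h, p in [("fuzzing.osroadwarrior.info", "/"),
                 ("app.web.example.invalid", "/admin/users"),
                 ("app.web.example.invalid", "/"),
                 ("unknown.example.invalid", "/")]:
        print(f"{h}{p} -> {route(INGRESS, h, p)}")
```

Note what the edge does not do for the RDP rule: it only carries HTTP to the daemon. On the client side the documented way to use such a hostname is `cloudflared access rdp --hostname fuzzing.osroadwarrior.info --url rdp://localhost:3389`, after which a normal RDP client connects to `localhost:3389` and the Access login policy is enforced before any bytes reach the KVM guest.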
...
Essentially, this is application-level NAT. Or Zero Trust RDP.
On my local laptop here, I may not be on the WARP+ network. WARP is the WireGuard-based VPN service, which is linked to the Zero Trust / Secure Web Gateway architecture. Essentially, you can use Cloudflare tools to interconnect various systems, with or without a VPN:
...