Comment: draw.io diagram "cloudflared" edited

...


In simple terms: it’s a combination of

  • application level routing (Network Address Translation via a reverse tunnel which translates between HTTP and TCP, for example),

  • authentication (TOTP, PINs, …),

  • DNS management and

  • protocol encapsulation.

You can achieve roughly the same with SSH reverse shells and tunnels. But you won’t, because you want someone else to simplify this for you. At scale.

...

[draw.io diagram: cloudflared]

...

  • access on the Service Edge (perimeter)

  • DNS (probably)

  • tunnel termination (cloudflared uses QUIC or Wireguard)

    • channels get opened, HTTP ↔ TCP (for SSH or RDP) ↔ trusted request (identified)

    • HTTP ↔ request (reverse tunneled via the Service Edge, CDN-accelerated)

...

Note

If you use Cloudflare as a mere CDN, you have to ensure that requests don’t bypass the CDN front. Clients can override DNS entries and connect directly to the origin web servers. Sure, that may not be an issue for small-scale services. But it is an issue, because a request that skips the front gets:

  • no Web App Firewall

  • no Rate Limits (for login brute forcing)

  • no DDoS protection

  • …

Why pay for a CDN’s security features if an attacker needs 10s to bypass all the controls?

With the cloudflared approach, you don’t have that problem. Cloudflare publishes a list of IPv4 and IPv6 endpoints, which you can allow when you want to glue the CDN / Service Edge to your Load Balancer / web-front.

https://www.cloudflare.com/en-gb/ips/

Restricting this channel via AWS Security Groups, iptables etc. can be complex: the published ranges change over time, and the rules have to be kept in sync on every origin.
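The allow-listing described above, as an added example (not code from the original page or from Cloudflare): parse a CIDR list in the format Cloudflare publishes, render the corresponding iptables/ip6tables rules for the web ports, and, on the detection side, run origin access-log lines through the same allow-list to find requests that reached the origin without passing the Service Edge. The CIDR ranges and log lines below are constructed stand-ins; the real list comes from the URL above.

```python
"""Origin allow-listing for a CDN-fronted web server, plus a bypass check over
access logs. Added example for this page, not Cloudflare's code.

The CIDR text below is a constructed stand-in for the ranges published at
https://www.cloudflare.com/ips/ (they change over time; refresh from there)."""
import ipaddress
import re

# Constructed sample allow-list in the plain "one CIDR per line" format.
CLOUDFLARE_RANGES_TXT = """
# v4 (constructed, documentation ranges)
203.0.113.0/24
198.51.100.0/24
# v6 (constructed)
2001:db8:cf::/48
"""

def parse_ranges(text):
    """Turn the published text list into ip_network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_edge_ip(ip, nets):
    """True if the client address falls inside one of the edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def render_iptables(nets, ports=(80, 443)):
    """Emit ACCEPT rules for each edge range on the web ports, then a DROP for
    everything else on those ports (v4 via iptables, v6 via ip6tables)."""
    rules = []
    for n in nets:
        tool = "iptables" if n.version == 4 else "ip6tables"
        for p in ports:
            rules.append(f"{tool} -A INPUT -p tcp --dport {p} -s {n} -j ACCEPT")
    for p in ports:
        rules.append(f"iptables -A INPUT -p tcp --dport {p} -j DROP")
        rules.append(f"ip6tables -A INPUT -p tcp --dport {p} -j DROP")
    return rules

# Constructed origin access-log lines (common log format, client IP first).
SAMPLE_LOG = """\
203.0.113.17 - - [09/Feb/2024:17:29:47 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.99 - - [09/Feb/2024:17:29:48 +0000] "POST /login HTTP/1.1" 401 0
2001:db8:cf::1 - - [09/Feb/2024:17:29:49 +0000] "GET / HTTP/1.1" 200 1024
192.0.2.99 - - [09/Feb/2024:17:29:50 +0000] "POST /login HTTP/1.1" 401 0
"""

LOG_RE = re.compile(r"^(\S+) ")

def find_bypass(log_text, nets):
    """Map each non-edge client IP to its request count. These requests never
    passed the WAF, rate limits or DDoS protection in front of the origin."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        if not is_edge_ip(ip, nets):
            hits[ip] = hits.get(ip, 0) + 1
    return hits

if __name__ == "__main__":
    nets = parse_ranges(CLOUDFLARE_RANGES_TXT)
    for rule in render_iptables(nets):
        print(rule)
    print("direct-to-origin clients:", find_bypass(SAMPLE_LOG, nets))
```

In practice the same `find_bypass` logic belongs in the log pipeline as a standing alert: any non-zero result means the front can be skipped and the firewall rules have drifted from the published list.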

...

Login policies etc. are applied. This is a useless host. When people hear fuzzing, they associate it with Zero Days. I assure you, if I had many Zero Days, I’d be somewhere in the Bahamas. And I wouldn’t host them this way (wink)

Screenshot 2024-02-09 at 17.29.47.png

A request comes in:

  1. DNS resolution of fuzzing.osroadwarrior.info to Service Edge

  2. Request gets forwarded to the public hostname of that tunnel service (HTTP)

  3. Request gets translated here (RDP), and routed to the cloudflared daemon

  4. The daemon takes the request and forwards it to our KVM guest (192.168/24)
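Step 3 and step 4 of that flow, as an added example written for this page: a small model of how the daemon picks an origin for an incoming public hostname from an ordered ingress rule list, first match wins, with a mandatory catch-all as the last rule. It mirrors the documented shape of cloudflared ingress rules (hostname, optional path, service) but is not cloudflared's code; the rule list, origin addresses and ports are constructed, and only the hostname fuzzing.osroadwarrior.info comes from the page.

```python
"""Model of ingress routing in a tunnel daemon: public hostname (+ optional
path) -> origin service. Added example for this page, not cloudflared's code.
Rules, origin addresses and ports below are constructed."""
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed ingress rules, in the order they would be evaluated.
# The last rule has no hostname/path so unmatched requests get an explicit
# 404 instead of falling through to some default origin.
INGRESS = [
    {"hostname": "fuzzing.osroadwarrior.info", "service": "rdp://192.168.1.10:3389"},
    {"hostname": "*.osroadwarrior.info", "path": r"^/ssh", "service": "ssh://192.168.1.20:22"},
    {"hostname": "*.osroadwarrior.info", "service": "http://127.0.0.1:8080"},
    {"service": "http_status:404"},
]

def validate_ingress(rules):
    """Require a catch-all final rule; a list without one can leave requests
    with no defined destination."""
    if not rules:
        raise ValueError("ingress must contain at least one rule")
    last = rules[-1]
    if "hostname" in last or "path" in last:
        raise ValueError("last ingress rule must match all requests (no hostname/path)")
    return True

def route(rules, host, path="/"):
    """Return the service of the first rule whose hostname pattern and path
    regex both match. '*' in the hostname is a shell-style wildcard."""
    for rule in rules:
        if "hostname" in rule and not fnmatch.fnmatchcase(host, rule["hostname"]):
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return rule["service"]
    return None  # not reached once validate_ingress() has passed

def origin_endpoint(service):
    """Split a service URL into (scheme, host, port). The http_status:NNN
    pseudo-service has no origin; its 'port' slot carries the status code."""
    if service.startswith("http_status:"):
        return ("http_status", None, int(service.split(":", 1)[1]))
    u = urlsplit(service)
    return (u.scheme, u.hostname, u.port)

if __name__ == "__main__":
    validate_ingress(INGRESS)
    for host, path in [("fuzzing.osroadwarrior.info", "/"),
                       ("jump.osroadwarrior.info", "/ssh/console"),
                       ("jump.osroadwarrior.info", "/"),
                       ("unknown.example.com", "/")]:
        svc = route(INGRESS, host, path)
        print(f"{host}{path} -> {svc} -> {origin_endpoint(svc)}")
```

The point the model makes is the translation step: the edge only ever sees an HTTPS request for a hostname, and it is the ordered rule list on the daemon side that decides whether that becomes an RDP, SSH or HTTP connection to a private address.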

...

Essentially, this is application level NATing. Or Zero Trust RDP (smile)

On my local laptop here, I may not be on the WARP+ network. WARP is the Wireguard-based VPN service, which is linked to the Zero Trust / Secure Gateway architecture. Essentially, you can use Cloudflare tools to interconnect various systems, with or without a VPN:

...