Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.
It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.
For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.
I’m deploying SSL to one of my domains and some of its subdomains…
I was forcing any HTTP request to be redirected to HTTPS with NGINX, but… it was causing a loop!
I had to disable the redirect in nginx and do it with Cloudflare Page Rules.
One of my clients asked me to BAN a specific country from one of his sites.
Since we have Cloudflare, this is how I did it…
In .htaccess I’ve simply added the following lines, at the top of the file:
# Flag requests whose Cloudflare-supplied country header is IN or PT
SetEnvIf CF-IPCountry IN BuzzOff=1
SetEnvIf CF-IPCountry PT BuzzOff=1
# Evaluate Allow first, then Deny, so a flagged request is refused
# (without this, the default Deny,Allow order lets "Allow from all" win)
Order Allow,Deny
Allow from all
Deny from env=BuzzOff
Domain/subdomain must have Cloudflare active on DNS settings…
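The header-based ban only holds for traffic that really passes through Cloudflare: a client that reaches the origin directly can send any CF-IPCountry value, or none at all, and the Deny never fires. The configuration below is an added example, not the author's .htaccess, written in Apache 2.4 syntax (mod_setenvif plus mod_authz_core). It keeps the same country flag but also restricts the origin to Cloudflare's edge addresses so the header cannot be forged; the IP ranges are placeholders, to be replaced with the list Cloudflare publishes.

```apache
# Added example (not the author's configuration), Apache 2.4 syntax.

# Flag requests whose Cloudflare-supplied country is IN or PT.
# The regex is anchored so only an exact two-letter code matches.
SetEnvIf CF-IPCountry "^(IN|PT)$" BuzzOff=1

# Requests that bypass Cloudflare and hit the origin directly can carry
# any CF-IPCountry value, or omit it. Admit only connections from
# Cloudflare's edge ranges so the header is trustworthy, and then
# refuse flagged requests. Both conditions must hold.
# CLOUDFLARE_IPV4_RANGES / CLOUDFLARE_IPV6_RANGES are placeholders for
# the current published ranges (https://www.cloudflare.com/ips/).
<RequireAll>
    Require ip CLOUDFLARE_IPV4_RANGES CLOUDFLARE_IPV6_RANGES
    Require not env BuzzOff
</RequireAll>
```

One caveat: `Require ip` checks the address Apache considers the client. If mod_remoteip is already rewriting that address from CF-Connecting-IP, the check sees the visitor's IP instead of Cloudflare's, and the Cloudflare-only restriction should be enforced at the host firewall rather than here.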
Discourse has a recent (5-month-old?) template to handle this.
Let's add “templates/cloudflare.template.yml” to our templates scheme…
Save it and rebuild the app! 🙂
./launcher rebuild app
Et voilà! My ISP's (Portuguese) IP! 🙂