Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.
It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.
For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.
I’m deploying SSL to one of my domains and some of its subdomains…
I was forcing any HTTP request to be redirected to HTTPS with NGINX, but… it was causing a loop!
I had to disable the redirect in NGINX and do it with Cloudflare Page Rules.
Rate limit specific traffic from IP addresses based on URI, threshold, and other attributes for added protection from attacks.
Configure load balancing and failover across multiple servers, data centers and geographic regions, based on active health checks.
Note: If you’re currently a part of the API-only Early Access program, this card will not update to reflect your status. Please consult the API documentation to configure your Load Balancers.
./certbot-auto certonly --webroot --webroot-path /usr/share/nginx/html/ --renew-by-default --email [email protected] --text --agree-tos -d example.tld -d www.example.tld
One of my clients asked me to ban a specific country from one of his sites.
Since we have Cloudflare, this is how I made it…
In .htaccess I’ve simply added the following lines, at the top of the file:
SetEnvIf CF-IPCountry IN BuzzOff=1
SetEnvIf CF-IPCountry PT BuzzOff=1
Order allow,deny
Allow from all
Deny from env=BuzzOff
The domain/subdomain must have Cloudflare active in its DNS settings…