IPTables and UFW problems

Hi Discourse Community,

Usually when I run a web server I use this script in combination with Cloudflare:

I'm not a fan of a public backend IP, since it can easily be found with Censys or similar even if it's behind the Cloudflare reverse proxy.

I tried many ways to reproduce this with Discourse, but it just won't work.

I also tried this with iptables:

Has somebody got a similar solution working with Discourse?

Docker does stuff that breaks iptables. You should Google that, I think.

I also agree with him; I wish Discourse worked like this: if you visit the direct IP you see a white screen or literally anything, or the connection is dropped when there's no domain, idk.

I think you could change the NGINX config so that it would accept connections only from cloudflare.

You could also change it so that it would not redirect the bare IP, but I’m not sure that would increase security by much.

It sure would; it prevents the IP being found by DNS, Censys/Shodan etc.
I tried googling how to only allow CF but didn't find much help; I don't remember what the outcome was. Plus, if I only allow CF IPs and I'm using the CF config to get the real IP, would that mess it up? I'd really love it if there were a doc.

And I don't know how to edit the nginx config; when I enter the app, I can't edit anything. I'm a bit of a noob, sorry lol.

The web template adds a redirect for the IP (and any connection), so you could un-do that bit.

Allowing Cloudflare IP addresses only in Nginx | inDev. Journal describes how to allow only cloudflare IPs. Figuring out how to get a template to do that is a bit of work for someone who understands the templates, but it should be possible.

No. The real address is in another header.

https://www.google.com/search?q=iptables+docker&oq=iptables+docker

and the first hit (Packet filtering and firewalls | Docker Docs) describes

So you’d need to change the cloudflare script accordingly.

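The two approaches discussed above (nginx accepting only Cloudflare, and the Docker/iptables problem from the Docker docs link) fit together in one small script. This is an added example, not code from this thread or from Discourse. It only prints the rules and the nginx snippet so you can review them before applying; it assumes the public interface is `eth0` (set `EXT_IF` otherwise) and embeds the Cloudflare IPv4 edge ranges as a snapshot that should be re-fetched from https://www.cloudflare.com/ips-v4 before use. The function names `docker_user_rules` and `nginx_snippet` are the example's own. Two points it bakes in: Docker publishes ports with DNAT and puts its chains at the top of FORWARD, so INPUT rules (what ufw manages) never see the container traffic, and the supported hook is the `DOCKER-USER` chain; and the nginx realip module rewrites `$remote_addr` before the access phase, so a plain `allow <cloudflare>; deny all;` combined with `real_ip_header CF-Connecting-IP` would deny every real visitor, which is why the snippet tests the pre-rewrite `$realip_remote_addr` instead. IPv6 is not covered; if the host has a public IPv6 address the same treatment is needed with `ip6tables` and the Cloudflare IPv6 list.

```shell
#!/bin/sh
# Added example, not code from the thread or from Discourse. Prints (does not apply):
#   1. iptables commands for Docker's DOCKER-USER chain, evaluated before Docker's own
#      FORWARD rules, so they actually reach traffic DNATed to the Discourse container.
#   2. an nginx snippet that closes connections not arriving from Cloudflare while still
#      recovering the visitor address from CF-Connecting-IP.
set -eu

# Interface the public address lives on (assumption; confirm with `ip route get 1.1.1.1`).
EXT_IF="${EXT_IF:-eth0}"

# Cloudflare IPv4 edge ranges as published at https://www.cloudflare.com/ips-v4.
# Treat this as a sample snapshot: re-fetch before applying, the list changes over time.
CF_IPV4="173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22"

# Emit iptables commands: RETURN (hand back to Docker's rules) for each Cloudflare
# range on 80/443, DROP everything else on those ports, leave other traffic alone.
# Docker installs a trailing RETURN in DOCKER-USER, so appending below it would never
# be reached; the chain is flushed and rebuilt in order instead.
docker_user_rules() {
  ifc="$1"; ranges="$2"
  echo "iptables -F DOCKER-USER"
  printf '%s\n' "$ranges" | while read -r cidr; do
    [ -n "$cidr" ] || continue
    echo "iptables -A DOCKER-USER -i $ifc -p tcp -m multiport --dports 80,443 -s $cidr -j RETURN"
  done
  echo "iptables -A DOCKER-USER -i $ifc -p tcp -m multiport --dports 80,443 -j DROP"
  echo "iptables -A DOCKER-USER -j RETURN"
}

# Emit the nginx snippet (http context; the `if` line goes inside server {}).
# The realip module rewrites $remote_addr before the access phase, so allow/deny on the
# Cloudflare ranges would see the visitor address and deny everyone. $realip_remote_addr
# keeps the pre-rewrite address; 444 closes the socket without sending a reply.
nginx_snippet() {
  ranges="$1"
  printf '%s\n' "$ranges" | while read -r cidr; do
    [ -n "$cidr" ] || continue
    echo "set_real_ip_from $cidr;"
  done
  echo "real_ip_header CF-Connecting-IP;"
  echo "geo \$realip_remote_addr \$from_cloudflare {"
  echo "    default 0;"
  printf '%s\n' "$ranges" | while read -r cidr; do
    [ -n "$cidr" ] || continue
    echo "    $cidr 1;"
  done
  echo "}"
  echo "# inside the server {} block:"
  echo "# if (\$from_cloudflare = 0) { return 444; }"
}

case "${1:-all}" in
  iptables) docker_user_rules "$EXT_IF" "$CF_IPV4" ;;
  nginx)    nginx_snippet "$CF_IPV4" ;;
  all)      docker_user_rules "$EXT_IF" "$CF_IPV4"; echo; nginx_snippet "$CF_IPV4" ;;
  *)        echo "usage: $0 [iptables|nginx|all]" >&2; exit 1 ;;
esac
```

Run `sh cf-only.sh iptables` and review the output before piping it into `sudo sh`; the rules do not survive a reboot unless you persist them with your distribution's iptables-save mechanism. The nginx part has to end up in the container's nginx config (the web template the thread mentions is where Discourse's own server block comes from), which means a template replacement in app.yml rather than editing files inside the running container; that wiring is not shown here.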

This is way above my brain power. I do appreciate your response; I will read those docs soon. I hope someone sees this who has time and could write something up; I've seen quite a few posts here already regarding this issue.

Unless you run a community that has a history of DDoS attacks for some particular reason and you expect more, I'd not use any more of your brain on it. It would take me an hour or three to figure it out and document it. I have been setting up Discourse for people for a long time and have never worked with someone for whom DDoS was an actual problem.

I do run a forum that's been targeted before; thanks to CF they helped (using the Pro plan), but it would be great to "prepare" for it before it happens. Gotta have the best security, right? But yeah, I get it, it's a lot of work.


I think ChatGPT and the script from the first post could solve it.

I see; hopefully OP can attempt that. I'll have a look later too. Appreciate your help.
