Can I configure a whitelist for a NodeBalancer public IP?
I currently have Cloudflare set up to pass traffic from my domain to my NodeBalancer IP. I'm still able to bypass Cloudflare and load my site if I use the public IP. Is there a method to establish a whitelist for incoming connections? (e.g. iptables or something equivalent that can be used with a NodeBalancer)
Hey @aphares - you can absolutely use iptables to do this by configuring your backend nodes to only accept connections from Cloudflare. Someone asked a similar question on the Cloudflare forums, and here was the solution:
You’d need to configure your load balancer to only accept connections from Cloudflare addresses and drop everything else.
The good news is that Cloudflare has a guide on how to set this up using iptables: Allowing Cloudflare IP addresses
You could also do this using the X-Forwarded-For header with your webserver; this is a pretty common webserver configuration method for load balancing solutions. I'm not sure which webserver you're using, but NGINX has a pretty good guide on how to configure the header: https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
Thank you for the reply - I can look into incorporating that into my project. In the future, would the cloud firewall also be a solution? (https://www.linode.com/products/cloud-firewall/)
While the person in the Cloudflare forums suggested only allowing connections to your NodeBalancer from Cloudflare resolved their issue, this isn't something that is achievable at the moment. NodeBalancers are open to all connections, and those connections cannot be limited by Cloud Firewalls or iptables rules.
I was, however, able to limit connections to my public IP address using iptables while still allowing connections to my NodeBalancer through Cloudflare DNS by specifying the virtual IP interface:
iptables -A INPUT -i eth0 -d <my.public.ip.address> -p tcp --dport 80 -j DROP
"When a NodeBalancer routes traffic to a backend node, the originating IP address becomes the NodeBalancer’s private IP address."
With that in mind, I attempted to work through the process of limiting the allowed connections on the backend nodes to only Cloudflare IPs. As expected, connections began to time out when I added the rule to block other IP addresses.
My suggestion would be to reconfigure your site so that it's no longer serving to your public IP, or use HAProxy as a load balancer to allow for a few more configuration options.
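The two answers above fit together into one backend-node rule set: allow HTTP/HTTPS on the node's own public IP only from an allow-list of CIDRs (the first answer's approach), and leave traffic on the private interface alone, because that is where NodeBalancer-forwarded connections arrive from the NodeBalancer's private IP (the second answer's finding). The script below is an added example written for this thread, not code from Linode, Cloudflare or either poster. It prints the iptables commands instead of running them so the result can be reviewed first; the CIDRs, interface name and public IP are constructed placeholders, not Cloudflare's published ranges or anyone's real address.

```shell
#!/bin/sh
# Added example (not from the original thread): emit iptables rules that accept
# HTTP/HTTPS on the node's public IP only from an allow-list of CIDRs and drop
# everything else arriving on that interface, without touching the private
# interface that NodeBalancer-forwarded traffic comes in on.

# Constructed placeholder values; replace with Cloudflare's published ranges
# (https://www.cloudflare.com/ips/) and your own interface/address.
ALLOWED_CIDRS="198.51.100.0/24 203.0.113.0/24"
PUBLIC_IFACE="eth0"
PUBLIC_IP="192.0.2.10"
PORTS="80 443"

# build_rules prints one iptables command per line rather than executing it,
# so the rule set can be reviewed (or piped to sh) before it touches the firewall.
# Order matters: the per-CIDR ACCEPT rules must precede the catch-all DROP.
build_rules() {
    for port in $PORTS; do
        for cidr in $ALLOWED_CIDRS; do
            printf 'iptables -A INPUT -i %s -d %s -p tcp --dport %s -s %s -j ACCEPT\n' \
                "$PUBLIC_IFACE" "$PUBLIC_IP" "$port" "$cidr"
        done
        # Anything else reaching the public IP on this port is dropped,
        # which is the same shape as the single DROP rule posted above.
        printf 'iptables -A INPUT -i %s -d %s -p tcp --dport %s -j DROP\n' \
            "$PUBLIC_IFACE" "$PUBLIC_IP" "$port"
    done
}

# count_rules returns the number of rules build_rules emits: a quick sanity
# check that every port got its ACCEPT entries plus one DROP.
count_rules() {
    build_rules | wc -l | tr -d ' '
}

# Usage: review first, then apply.
#   sh cf_allowlist.sh            # prints the rules for inspection
#   sh cf_allowlist.sh | sudo sh  # applies them
build_rules
```

Because the rules match on `-i eth0 -d <public IP>`, connections the NodeBalancer forwards over the private network are unaffected, and the NodeBalancer's own health checks keep working. The rules also do nothing for the NodeBalancer's public IP itself, which, as the second answer notes, cannot be restricted this way; the allow-list only closes the direct-to-backend path. Rules are appended with `-A`, so if the chain already ends in a catch-all rule, insert these ahead of it with `-I` instead.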