How to block ports with Cloudflare

0

If you are utilizing Cloudflare as a reverse proxy service for your backend webserver, you may desire to have Cloudflare block certain ports back to your webserver.  Cloudlfare passes along more ports than just 80 and 443 by default as they have expanded their supported ports which means “ports they can pass traffic through” basically.  Below are the ports they support:

HTTP Requests:

80
8080
8880
2052
2082
2086
2095

HTTPS requests:
443
2053
2083
2087
2096
8443

The problem with the way their proxy works, is that there is no way for you to select which ports you want them to pass onto you.  Unfortunately, there appears to be no way to do this if you are using the free plan as you have very few options under their security panel.

However, if you are at least a Pro plan, there is a way to block ports coming to you from Cloudflare other than 80 and 443.

WAF Rule

The following WAF ruleset is found under the Security page and then WAF.  You will see an option for Cloudflare Rule Set.

blockports01-300x114 How to block ports with Cloudflare

When you select that option, you will have roughly 4 pages of rules.  All the way at the end, there is the rule – Block requests on non standard ports.  The rule language is a little non intuitive, however, you need to set the Mode to Block which sets the rule to active.  In my testing, this blocks everything besides 80 and 443.  Even WHM and cPanel ports look to be blocked with this rule.


blockports02-300x223 How to block ports with Cloudflare

 

This is especially useful if you utilize Cloudflare and want to restrict these other ports at the cloud level instead of having to deal with it at the server level.  The problem with thinking about having to restrict at the server level is that Cloudflare works as a reverse proxy, so traffic appears to come to you from the Cloudflare IPs so it makes restriction tricky to say the least when trying to differentiate legitimate from illegitimate traffic.