Comment by ndesaulniers
8 years ago
Couldn't someone DDoS'ing a site use this to get around Cloudflare "protection?"
Uh, asking for a friend.
8 years ago
Couldn't someone DDoS'ing a site use this to get around Cloudflare "protection?"
Uh, asking for a friend.
Yes. One can identify the IP address of the origin server behind a reverse proxy if the server responds to direct requests in a way that identifies itself. See: https://cloudpiercer.org/
Two steps towards obscuring the origin server include requiring that the HTTP Host header is set and only responding to Cloudflare IP ranges: https://www.cloudflare.com/ips/
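The two steps named in the reply above, sketched as an origin-side check. This is an added example, not part of the thread: the ranges are constructed placeholders (documentation networks) standing in for the list published at https://www.cloudflare.com/ips/, and `EXPECTED_HOSTS`, `decide` and the action names are hypothetical.

```python
import ipaddress

# Constructed placeholder ranges; load the real published list in practice.
SAMPLE_PROXY_RANGES = """
192.0.2.0/24      # placeholder
198.51.100.0/24   # placeholder
2001:db8::/32     # placeholder
"""
EXPECTED_HOSTS = {"www.example.com"}  # hypothetical site name


def parse_ranges(text):
    """Parse one CIDR per line, ignoring blank lines and # comments."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ipaddress.ip_network(ln) for ln in lines if ln]


def peer_allowed(peer_ip, networks):
    """Check the TCP peer address (never a client-supplied header)."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


def host_allowed(host_header, expected=EXPECTED_HOSTS):
    """Require a Host header that names a site this origin serves."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):          # bracketed IPv6 literal, not a site name
        return False
    host = host.rsplit(":", 1)[0]     # drop an optional :port
    return host.rstrip(".") in expected


def decide(peer_ip, host_header, networks):
    """'drop' gives non-proxy peers no response that identifies the origin."""
    if not peer_allowed(peer_ip, networks):
        return "drop"
    if not host_allowed(host_header):
        return "reject"
    return "serve"
```

The same allowlist is usually enforced at the firewall as well, so that traffic from outside the proxy ranges never reaches the web server.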