Sunday, March 16, 2025

Securing Your Website: Cloudflare Tunnels, WAF, and Bypassing ISP Restrictions

*Poo-Tee-Weet?*

Following some really great advice from someone who was kind enough to give it, I decided to devote some time to Web Application Firewalls (WAF), IP masking, and network security, particularly using Cloudflare’s free tier.


Over a year ago, as part of my course's challenge at ATEC, I launched my own website: www.kernelcoredive.org (don’t rush to open this link—it's still under construction). It was a small space where I documented low-level programming concepts, mostly focusing on Assembly and computer architecture.

As time went on, I got caught up in my internship and stopped updating the site, shifting my focus to both LinkedIn and this blog.
But as this challenge came up, I went ahead and renewed my domain name on Namecheap.

This post (and the next one) will document my process, some issues I found and the subsequent solutions. If you’ve ever wanted to host your own website, this should help you get started. It’s surprisingly easy, costs about €15/year, and might introduce you to essential networking and security concepts.


📌 Step 1: Registering a Domain

First things first—you will need a domain name. This was done through a domain registrar. You can pick one from providers like GoDaddy, Namecheap, or the Cloudflare Registrar.

Once you choose a name and pay a small yearly fee, the domain is yours (and will be as long as you pay up). Now, we need a web server to actually host the website.


📌 Step 2: Setting Up an Apache Server

I set up an Apache web server on my machine to host the website. Since I don’t want to clutter this post with step-by-step Apache setup instructions, I'll just point you to an excellent guide: Server World.

Follow that documentation, and you’ll have Apache running locally in no time.
And do take a look at the site. I found it really helpful a year ago during my Linux classes.


📌 Step 3: Connecting My Domain to Cloudflare

Next, I signed up for a free Cloudflare account. This gives me access to DDoS protection, caching, and security tools.

Adding my domain was pretty simple—you just have to follow Cloudflare’s setup guide, and it will automatically scan your DNS records.

At this stage, I also updated my domain registrar’s DNS settings to use Cloudflare’s nameservers (again, follow the instructions set up by Cloudflare). This ensures all traffic is routed through Cloudflare before reaching my server.


🫢 Step 4: Issue: My ISP Blocks All Inbound Traffic

This is where I got to bang my head against a wall, metaphorically speaking: nothing I tried could reach my server.

I needed to link my public IP address to my domain—something I had done in the past without issues. But this time, no matter how hard I tried, I couldn’t access my public IP.

After testing with nmap and other tools, I confirmed that my ISP was blocking all inbound traffic. My router was not allowing requests to reach my server, no matter what ports I used.

I also couldn’t simply port-forward my way out of this. After carefully checking my ISP router settings, I found that port forwarding wasn’t available at all.

A possible solution? Creating a Cloudflare Tunnel.


📌 Step 4: Setting Up a Cloudflare Tunnel

A Cloudflare Tunnel allows outbound connections from my server to Cloudflare, bypassing ISP restrictions entirely.

I installed it with:

# download the cloudflared binary, make it executable and put it on the PATH
curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/
# authenticate cloudflared against the Cloudflare account (opens a browser)
cloudflared tunnel login

However, I ran into a DNS conflict. Cloudflare had created a couple of A records for my server, but what I actually needed was a CNAME record. An A record points at an IP address, whereas a CNAME record pointing at the tunnel lets Cloudflare route traffic through the tunnel. So, I deleted the A records and created the necessary CNAME record.

All of this is done under the DNS tab in the Cloudflare dashboard, by the way.
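As an added example (not code from the original post), here is how the server side of this step can be scripted: the config.yml that maps the hostname to the local Apache vhost, a check that the mandatory catch-all ingress rule is last, and the DNS routing command that creates the CNAME record. It assumes a tunnel named kernelcoredive, Apache listening on http://localhost:80, and cloudflared's default ~/.cloudflared paths.

```shell
#!/bin/sh
# Added example (not from the post). Assumptions: a tunnel created with
# "cloudflared tunnel create kernelcoredive", Apache listening on
# http://localhost:80, and cloudflared's default ~/.cloudflared paths.

# write_tunnel_config TUNNEL_UUID DOMAIN OUTFILE
# cloudflared matches ingress rules top to bottom and refuses to start
# unless the last rule is a catch-all with no hostname.
write_tunnel_config() {
  tunnel_id=$1; domain=$2; outfile=$3
  cat > "$outfile" <<EOF
tunnel: $tunnel_id
credentials-file: $HOME/.cloudflared/$tunnel_id.json
ingress:
  - hostname: $domain
    service: http://localhost:80
  - hostname: www.$domain
    service: http://localhost:80
  - service: http_status:404
EOF
}

# catch_all_last FILE: succeeds only if the final ingress entry is the
# http_status:404 catch-all (the same check cloudflared enforces at start).
catch_all_last() {
  tail -n 1 "$1" | grep -q '^  - service: http_status:404$'
}

# deploy_tunnel NAME DOMAIN: the online part, shown but not run here.
# "tunnel route dns" creates the CNAME records that replace the A records;
# "tunnel run" keeps the outbound connection up in the foreground.
deploy_tunnel() {
  name=$1; domain=$2
  cloudflared tunnel route dns "$name" "$domain"
  cloudflared tunnel route dns "$name" "www.$domain"
  cloudflared tunnel run "$name"
}
```

Write the generated file to ~/.cloudflared/config.yml and run deploy_tunnel once the tunnel exists; no inbound port on the router is involved at any point.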


📌 Step 5: Enabling HTTPS with Free SSL

With my tunnel working, my website was now accessible over HTTP. But I wanted encryption (HTTPS), so I added a free SSL certificate from Let’s Encrypt. I had done this a year ago, and it was as simple as it was before.

Again, I won’t bore you with the step-by-step setup—Let’s Encrypt is easy to install, free, and a game-changer for web security.

Then, I went to Cloudflare > SSL/TLS > Edge Certificates and enabled:
Always Use HTTPS
Full (Strict) SSL mode

 


📌 Step 6: Configuring Apache & Cloudflare

Cloudflare was now enforcing HTTPS at the edge, and the tunnel hands requests to Apache over plain HTTP, so Apache’s own HTTPS redirect would fire on every request. I had to disable that redirect to prevent a redirect loop.

I edited /etc/apache2/sites-available/kernelcoredive.conf and commented out these lines:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

And restarted Apache.

Note that these lines might not be exactly like this in your setup. Look for any lines handling redirection in your configuration file and comment them out to avoid conflicts with Cloudflare’s HTTPS enforcement.

Now, my website was fully accessible, bypassing my ISP’s filtering.


🔒 Step 7: Adding Security – WAF & Bot Protection

With my site running through Cloudflare, I started testing Web Application Firewall (WAF) rules.

I created two rules:
1️⃣ Block all traffic from a specific country (e.g., a particular region).
2️⃣ Present a CAPTCHA challenge to any request using the python-requests User-Agent.

I tested this out with:

curl -A "python-requests" https://kernelcoredive.org

You might be a bit more refined in your tastes and write a test that actually exercises the CAPTCHA part. Either way, Cloudflare’s security event logs show these blocked and challenged attempts.
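As an added example (not code from the original post), this script reads the response headers instead of the page body to tell whether Cloudflare challenged, blocked or allowed a request, which makes the curl test above check the CAPTCHA part rather than just a returned HTML page. It assumes Cloudflare's documented cf-mitigated: challenge response header, and the rule expressions in the comments are my rendering of the two rules in Cloudflare's rule language with a placeholder country code.

```shell
#!/bin/sh
# Added example (not from the post): classify what Cloudflare did with a
# request from its response headers. Assumes the documented
# "cf-mitigated: challenge" header on challenge responses. The two rules
# above, in Cloudflare's rule language (XX is a placeholder country code):
#   block:             (ip.geoip.country eq "XX")
#   managed challenge: (http.user_agent contains "python-requests")

# classify_headers: raw HTTP response headers on stdin, prints one of
# challenged | blocked | allowed
classify_headers() {
  headers=$(tr -d '\r' | tr 'A-Z' 'a-z')
  status=$(printf '%s\n' "$headers" | sed -n '1s/^http\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
  if printf '%s\n' "$headers" | grep -q '^cf-mitigated: challenge'; then
    echo challenged
  elif [ "$status" = "403" ]; then
    echo blocked       # 403 without a challenge header: a plain WAF block
  else
    echo allowed
  fi
}

# probe URL USER_AGENT: fetch only the headers of a GET and classify them.
# Needs network, e.g.: probe https://kernelcoredive.org python-requests
probe() {
  curl -sS -o /dev/null -D - -A "$2" "$1" | classify_headers
}

# Constructed sample of a challenge response, for an offline dry run.
SAMPLE_CHALLENGE='HTTP/2 403
server: cloudflare
cf-mitigated: challenge
content-type: text/html; charset=utf-8
'
demo() { printf '%s' "$SAMPLE_CHALLENGE" | classify_headers; }
```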

I also enabled Cloudflare’s basic Bot Fight Mode, which is included in the Free Tier.




📌 Step 8: Next Steps

Right now, the Cloudflare Tunnel is running manually, meaning if my machine reboots, or if I close the service, the tunnel stops.

Tomorrow, I’ll create a systemd service to keep my tunnel online 24/7 on a Raspberry Pi.
I'm also going to subscribe to the Pro tier, in order to practice with these and other concepts for the next month. This stuff is fun, and gives us a ton of flexibility in what and how many tiers of protection we want to implement. I also want to explore the Cloudflare API to see what kind of automation and security controls I can implement.


Fun! There's more tomorrow.

