Hi,
I’m a little unsure on how to handle this:
I have a Dokku droplet which sits behind my Cloudflare. Now I want to whitelist only Cloudflare IPs to access that droplet; however, I also need to be able to SSH into that droplet (from anywhere I may be, so a fixed IP isn’t possible), need to be able to push code to my Dokku master, and I would also like things like apt-get to work without causing an issue.
So, are these the ports I need to allow, and would Cloudflare only need 443 (as I’m using Full Strict SSL on their side)?
22 443 2375 2376
Or do I also need port 80? Surely my Node app, when doing a build, may require things from npm?
A little confused. It just feels like there’s not much I can do. I don’t see the point of even adding those Cloudflare IPs if, say, something like npm would require port 80 from anywhere.
Regards.
@psmod2
If you set up ufw with a default policy to deny incoming connections and selectively add the ports that you want to allow incoming connections on, you shouldn’t need to be too specific or restrictive. Before enabling ufw, running:
sets a policy to deny all incoming connections. We then extend the rule set by allowing connections to ports 80 (HTTP), 443 (HTTPS), and 22 (SSH).
With those rules, only incoming connections on those ports will be permitted.
You really don’t want to disable incoming connections on Port 80. You should, instead, redirect those connections to Port 443 using a 301 or similar redirect. By blocking Port 80, you won’t be able to use redirects, so if someone visits http://yoursite.com they aren’t going to see anything; instead, they’ll receive a failure to connect. What should happen is that when someone visits http://yoursite.com, they get redirected to https://yoursite.com.
That being said, the above rules will allow you to use apt-get, whether it’s to update, upgrade, install, remove or purge a package or multiple packages.
As far as CloudFlare goes, there’s no reason to specifically only allow connections from their IPs or IP ranges. As long as SSL is properly set up and working, and you have your redirects in place, all connections will connect over SSL.
If you use a stateful firewall you will have no trouble with outgoing connections despite blocked ports.
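The rule set the first answer describes (default deny incoming, allow 22/80/443, then enable) and the second answer's point about outbound traffic through a stateful firewall, written up as a reviewable plan. This is an added example, not code posted by either answerer or by the Dokku or ufw projects. It assumes Ubuntu with ufw installed; the Cloudflare IP ranges in CF_RANGES are a constructed placeholder (documentation addresses), not the real published list. The "cloudflare" mode goes beyond the answer by showing what the asker's idea of limiting 80/443 to Cloudflare would look like in ufw terms; the default "open" mode is what the answer recommends. The plan_is_safe check exists because setting a default deny policy and enabling the firewall on a remote droplet without an SSH allow rule locks you out.

```shell
#!/bin/sh
# Added example (not from the thread): build the ufw rule set as a printable
# plan, check it for the classic SSH lockout mistake, then optionally apply it.
# Assumes Ubuntu with ufw. CF_RANGES is a CONSTRUCTED placeholder list.

CF_RANGES="198.51.100.0/24 203.0.113.0/24"

# Print the ufw commands that would be run, one per line.
# Mode "open" (default): 80/443 from anywhere, as the answer recommends.
# Mode "cloudflare": 80/443 only from CF_RANGES (the asker's idea).
plan_rules() {
    mode="${1:-open}"
    echo "ufw default deny incoming"
    # Outbound stays open: apt-get and npm only need outgoing connections,
    # and ufw is stateful, so their reply packets are accepted automatically.
    echo "ufw default allow outgoing"
    echo "ufw allow 22/tcp"             # SSH and git push to the Dokku remote
    if [ "$mode" = "cloudflare" ]; then
        for r in $CF_RANGES; do
            echo "ufw allow from $r to any port 80 proto tcp"
            echo "ufw allow from $r to any port 443 proto tcp"
        done
    else
        echo "ufw allow 80/tcp"         # kept open so the 80 -> 443 redirect works
        echo "ufw allow 443/tcp"
    fi
    echo "ufw --force enable"
}

# Refuse any plan that would enable a default-deny firewall without an SSH
# allow rule; on a remote droplet that is a lockout.
plan_is_safe() {
    plan="$1"
    printf '%s\n' "$plan" | grep -q '^ufw allow 22/tcp$' || return 1
    printf '%s\n' "$plan" | grep -q '^ufw default deny incoming$' || return 1
    return 0
}

# Run the plan line by line with sudo, but only after the safety check passes.
apply_plan() {
    plan="$(plan_rules "$1")"
    if ! plan_is_safe "$plan"; then
        echo "refusing to apply: plan has no SSH allow rule" >&2
        return 1
    fi
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        sudo $cmd
    done
}

# Usage:  sh firewall.sh               -> print the "open" plan
#         sh firewall.sh cloudflare    -> print the Cloudflare-restricted plan
#         sh firewall.sh apply [mode]  -> apply it (needs sudo and ufw)
case "${1:-}" in
    apply) apply_plan "${2:-open}" ;;
    *)     plan_rules "${1:-open}" ;;
esac
```

Review the printed plan before running it with apply; the apply path is the only part that touches the system, and it still goes through plan_is_safe first.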