DigitalOcean Kubernetes: new control plane is faster and free, enable HA for 99.95% uptime SLA

Related

My website is unresponsive! What do I do?
Question
Anybody who has set up Postfix/Dovecot with TLS?
Question

Question

UFW Setup - Cloudflare IPs and apt-get and SSH

Hi,

I’m a little unsure on how to handle this:

I have a Dokku droplet which sits behind my Cloudflare. Now I want to whitelist only cloud flare IPs to access that droplet, however I also need to be able to SSH into that droplet (from anywhere I may be, so a fixed IP isn’t possible), need to be able to push code to my dokku master and I would also like things like apt-get to work without causing an issue.

So, are these the ports I need to allow - and would Cloudflare only need 443 (as I’m using Full Strict SSL on their side)

22 443 2375 2376

Or do i also need port 80? As surely my node app, when doing a build may require things from npm?

A little confused. It just feels like there’s not much I can do. I don;t see the point of even adding those Cloudflare IPs, if say something like NPM would require port 80 from anywhere.

Regards.

Subscribe
Share
Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Jonathan TittleJanuary 26, 2017

@psmod2

If you setup ufw with a default policy to deny incoming connections and selectively add the ports that you want to allow incoming connections on, you shouldn’t need to be too specific or restrictive.

Before enabling ufw, running:

sudo ufw default deny

Sets a policy to deny all incoming connections. We then extend the rule set by allowing connection to ports 80 (HTTP), 443 (HTTPS), and 22 (SSH).

sudo ufw allow 22/tcp \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp

With those rules, only incoming connections on those ports will be permitted.

You really don’t want to disable incoming connections on Port 80. You should, instead, redirect those connections to Port 443 using a 301 or similar redirect. By blocking Port 80, you won’t be able to use redirects, so if someone visits:

http://yoursite.com

They aren’t going to see anything, instead, they’ll receive a failure to connect. What should happen is that when someone visits

http://yoursite.com

… they get redirected to https://yoursite.com.

That being said, the above rules will allow you to use apt-get, whether it’s to update, upgrade, install, remove or purge a package or multiple packages.

As far as CloudFlare goes, there’s no reason to specifically only allow connections from their IP’s or IP ranges. As long as SSL is properly setup and working, and you have your redirects in place, all connections will connect over SSL.

WoetJanuary 26, 2017

If you use a stateful firewall you will have no trouble with outgoing connections despite blocked ports.

Join the DigitalOcean CommunityCommunity

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner

Related

My website is unresponsive! What do I do?
Question
Anybody who has set up Postfix/Dovecot with TLS?
Question

Try DigitalOcean for free

Click below to sign up and get $100 of credit to try our products over 60 days!

Sign up