Create a DigitalOcean Firewall that only accepts inbound connections from Cloudflare
This module allows you to create a DigitalOcean Firewall that only accepts inbound connections from Cloudflare’s published list of IP addresses.
Cloudflare provides DDOS protection for domains using its DNS. If an attacker knows the IP address of your origin server, this can easily be circumvented. Using the approach in this module prevents incoming connections to the server from all non-Cloudflare IPs.
This could be done at the server level using iptables
or other firewall software. Though a missconfigured firewall could prevent you from accessing your server. Using a DigitalOcean Firewall, you can open or close additional ports as needed.
This can also be achieved at the web server level using the DenyAllButCloudFlare
rule from Cloudflare’s Mod_Cloudflare Apache extension or similar tools for Nginx. Though this still uses bandwidth and system resources on the origin server. Using a DigitalOcean Firewall means the un-wanted traffic will be blocked before it ever reaches you.
Cloudflare IP addresses may also change. Tracking those changes and applying them by hand in the DigitalOcean control panel can be tedious. Using this module, re-running terraform apply
will pick up those changes and reconfigure your Firewall.
name
- The name of the firewall to be created.droplet_ids
- A list of the IDs of the Droplets assigned to the Firewall.tags
- A list of tag names assigned to the Firewall.This example creates a Firewall and a tag named allow_inbound_cloudflare
. Any Droplet with this tag applied to it will only allow inbound connections to ports 80 and 443 from Cloudflare IPs.
module "firewall_inbound_cloudflare" {
source = "andrewsomething/firewall-cloudflare/digitalocean"
name = "inbound-cloudflare"
tags = ["allow_inbound_cloudflare"]
}
resource "digitalocean_tag" "allow_inbound_cloudflare" {
name = "allow_inbound_cloudflare"
}
Note: DigitalOcean Firewalls are composable. Creating separate Firewalls for separate concerns is considered a best practice. When using the above example, additional Firewalls should be applied to the Droplets in order to allow for things like inbound SSH access and outbound DNS lookups.
MIT licensed. See LICENSE for full details.
by: Andrew Starr-BochicchioOctober 1, 2017Visit site
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Have you created an Integration, API Wrapper, Service, or other Tool that helps developers build on DigitalOcean? Help users find it by listing it in Community Tools.
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.