Preventing Cloud WAF Bypass by limiting HTTP Access
When your website is online, it’s potentially vulnerable. To combat this, online services are utilized to mask or ‘hide’ the website’s origin IP address. This is handled by using services such as CloudFlare, Incapsula or Sucuri that offer a Website Application Firewall. These services are dependent by a large majority of individuals in today’s internet environment. The protective capabilities of these CDNs make it difficult to find the websites origin IP address. However, these CDNs are not bullet proof. There are ways to obtain the origin IP address behind such service. When this has happened, it creates a attack vector on your websites web server.
When an attacker has the origin IP for your website it allows them to hit the web server directly as they’ve now fully circumvented the protective cloud service. Your web service is now at the mercy of the attack that’s likely occurring or going to occur in the future. This isn’t being said to alarm you, just bring attention to the possibilities of what could happen. Such attack vectors as this can be mitigated when you introduce a layered configuration into your environment. Utilizing configurations that allow the origin web server to restrict all inbound traffic to the set IP addresses of the chosen Cloud services WAF.
Such a configuration will prevent malicious requests from bypassing the WAF even if they have the servers origin IP address. Attempts made would result in a 403 Forbidden error or a web server timeout. which given would depend on the CDN/WAF service used. Attackers with the origin IP would no longer be able to negatively affect your website operations since the malicious requests are now being filtered.
This is a hardening technique that isn’t as common as it should be, some WordPress Plugins (like Sucuri) can do it natively. This hardening technique is accomplished by utilizing the webservers configuration, whether it be Apache or Nginx. It’s important to know that this won’t prevent DDoS attacks against the origin IP as those attack vectors are usually not towards the web server and more other services.
Preventing WAF Bypass
CloudFlare
Apache (.htaccess):
Servers using the Apache webserver should add the following to the top of their .htaccess file
<FilesMatch ".*">
Order deny,allow
Deny from all
Allow from 103.21.244.0/22
Allow from 173.245.48.0/20
Allow from 103.21.244.0/22
Allow from 103.22.200.0/22
Allow from 103.31.4.0/22
Allow from 141.101.64.0/18
Allow from 108.162.192.0/18
Allow from 190.93.240.0/20
Allow from 188.114.96.0/20
Allow from 197.234.240.0/22
Allow from 198.41.128.0/17
Allow from 162.158.0.0/15
Allow from 104.16.0.0/13
Allow from 104.24.0.0/14
Allow from 172.64.0.0/13
Allow from 131.0.72.0/22
Allow from 2400:cb00::/32
Allow from 2405:8100::/32
Allow from 2405:b500::/32
Allow from 2606:4700::/32
Allow from 2803:f800::/32
Allow from 2c0f:f248::/32
Allow from 2a06:98c0::/29
</FilesMatch>
Nginx (ngx_http_access_module):
Servers using Nginx would add this to their site configuration file
location / {
Allow 173.245.48.0/20;
Allow 103.21.244.0/22;
Allow 103.22.200.0/2;2
Allow 103.31.4.0/22;
Allow 141.101.64.0/18;
Allow 108.162.192.0/18;
Allow 190.93.240.0/20;
Allow 188.114.96.0/20;
Allow 197.234.240.0/22;
Allow 198.41.128.0/17;
Allow 162.158.0.0/15;
Allow 104.16.0.0/13;
Allow 104.24.0.0/14;
Allow 172.64.0.0/13;
Allow 131.0.72.0/22;
Allow 2400:cb00::/32;
Allow 2405:8100::/32;
Allow 2405:b500::/32;
Allow 2606:4700::/32;
Allow 2803:f800::/32;
Allow 2c0f:f248::/32;
Allow 2a06:98c0::/29;
deny all;
# Existing NGINX rules
}
Incapsula
Apache (.htaccess):
Servers using the Apache webserver should add the following to the top of their .htaccess file
<FilesMatch ".*">
Order deny,allow
Deny from all
allow from 199.83.128.0/21
allow from 198.143.32.0/19
allow from 149.126.72.0/21
allow from 103.28.248.0/22
allow from 185.11.124.0/22
allow from 45.64.64.0/22
allow from 192.230.64.0/18
allow from 107.154.126.0/24
allow from 2a02:e980::/29
</FilesMatch>
Nginx (ngx_http_access_module):
Servers using Ngix would add this to their site configuration file
location / {
# allow Incapsula
allow 199.83.128.0/21;
allow 198.143.32.0/19;
allow 149.126.72.0/21;
allow 103.28.248.0/22;
allow 185.11.124.0/22;
allow 45.64.64.0/22;
allow 192.230.64.0/18;
allow 107.154.126.0/24;
allow 2a02:e980::/29;
# nobody else gets in
deny all;
}
Sucuri
Apache & Nginx Instructions:
Sucuri has a section within their dashboard that provides instructions on how to limit HTTP Access to only their Sucuri CloudProxy. Found in Settings > Security (tab).
Alternatively, you can find it here: docs.sucuri.net/website-firewall/configuration/prevent-sucuri-firewall-bypass/
Conclusion
We’ve covered how to prevent WAF bypassing and hardening the configuration to further protect your website when using a CDN service. We hope that this was informational.
KnownHost offers 365 days a year, 24 hours a day, all 7 days of the week best in class technical support. A dedicated team ready to help you should you need our assistance. You’re not using KnownHost for the best webhosting experience? Well, why not? Check with our Sales team to see what can KnownHost do for you in improving your webhosting experience.