Cloudflare rule for securing admin.php?

Ok I read it again more carefully. It seems the only risk mentioned is if an attacker knows the Server's IP address as that would bypass Cloudflare. So I don't really understand that. But presumably that's about Server security. The other thing I think was missing from the info was that it isn't just Zero Trust - it is also having the domain with Cloudflare which adds additional security anyway.

So I guess it's fine with just the Zero Trust :-) Although I don't understand all the business about hackers obtaining server IP addresses to get into server files. Presumably if that happened, it would affect a lot of people!
 
In the original plain old internet world, there wasn't a Cloudflare. You built your own firewalls/borders to protect your servers and the hosted sites within. Most of us that came up during that period from 1995 onwards (dot com boom and whatnot) learned how to protect equipment that was exposed to the internet. I cut my teeth in the days of ethernet over serial/coax, VAX/VMS (the old DEC iron) and a T1 line was the bee's knees of epic net access. :ROFLMAO: (oh yeah, Token Ring, let's not forget that nightmare)

Hiding your server IPs wasn't as easily done as it is nowadays. You can still operate a server in the open so long as you know what you're doing and have the appropriate protections in place. Hackers will go after sites/servers that aren't configured properly... looking for the low hanging fruit. As soon as they hit a wall, they won't try so hard unless there's a specific target that's truly valuable. Humans are still the weakest link... you can have all the fancy protection in the world, but if you or someone with access to internal workings of your site/company gets successfully phished or socially engineered, none of that protection matters when someone has the keys to the front and back doors.

Anyways... I'm sure there are still some professionals around here with those deep skills, I just don't see many new people taking up the same knowledge that we had in the past. A lot of people just want fast fixes and fast answers without understanding why.
 
Just following up on this I'm wondering if it works better on some servers than others, having read my server's information sheet which says Cloudflare Access (Zero Trust) is only supported on their VPS server plans. I'm on a web server plan. Does this make sense? Ok this was from the server's bot so AI but

Me: "The article says "As for the following Cloudflare services:
...... Cloudflare Access: Restrict access to your website based on user identity

Bot: They are only supported on our VPS Hosting plans since they require root access to your server."

Me: I am using Cloudflare Access and Zero Trust and have set up a policy for my admin.php file, to whitelist my ip address and authenticate me by email if I'm away from my IP address. But I'm not on VPS hosting. I'm on web hosting. So will it work for me?

Bot: Cloudflare Access and Zero Trust features, like restricting access to specific pages (e.g., admin.php), officially require VPS hosting at Hostinger because they need root access to fully function. On web hosting plans, these features may not work as intended or could be limited. For full compatibility with Cloudflare Access and Zero Trust, a VPS plan is recommended.

Me: In what way would they not work as intended or be limited?

Bot:
On web hosting, you don’t have root access or the ability to run background processes and custom server configurations, which are sometimes required for Cloudflare Access, Zero Trust, and related features like Cloudflare Tunnel or Workers. This means:

You may not be able to enforce access rules at the server level (e.g., block direct access to admin.php if someone bypasses Cloudflare).
Some advanced policies or integrations (like Cloudflare Tunnel) won't be possible since they require software installation or configuration changes on the server.
If someone discovers your hosting IP and accesses it directly, they could potentially bypass Cloudflare's restrictions.
On VPS, you can fully manage and secure your server, ensuring Cloudflare’s protections can’t be bypassed.

On web hosting, you’re limited to what can be configured via Cloudflare’s dashboard and standard .htaccess rules.
 
The intricacies of Cloudflare are fast and always changing; relying on AI for Cloudflare information is not the best way to go. Cloudflare has very good documentation; go there directly for the best answers.

Second, you need to be sure you are asking the right questions and providing enough accurate details so that AI can give you a reliable answer. Some of the answers your server's AI has given you are misleading at best because your questions are not clear and detailed enough. Some of the terms you are using are wrong. All hosting is "web hosting". The main types of "web hosting" include shared hosting (which is likely what you are on), VPS hosting, dedicated hosting, cloud hosting, managed hosting, reseller hosting, and a few others that are less popular.

The things you are currently attempting to do with Cloudflare Zero Trust do not require root access on your server, that means they do not require a VPS or dedicated server in order to work. Some features of Cloudflare Zero Trust do require root access, but again not what you are currently doing.
 
Thank you. I didn't quote the full article/question, which might have helped, which said they only supported Cloudflare Access on their VPS services. Hence querying that. But you've confirmed it will work for what I've set up, thank you.
 
If your IP accepts traffic from non-CF IP addresses then yes they can bypass CF and hit you direct. If you have access to the firewall settings then there is a script to automatically update it when CF updates their address list.

If you do not have access to the firewall you can still use those IP addresses and set an access rule in your panel so that your webserver just rejects all traffic from non-whitelisted addresses.
 
Thank you. I did enquire about that but apparently it could cause issues with a number of other things if I restrict to only incoming Cloudflare IPs. And also webmail via the server (I think).
 
Well you can add whatever IPs you want to allow. For instance mine has my local IP and all the IPs of the private network behind it.

Most of my rules are here. The script adds the Cloudflare IP lines. The Default is set to Deny, then just add what you want to allow.

Code:
Anywhere                   ALLOW       REDACTED        
443                        ALLOW       173.245.48.0/20            # Cloudflare IP
443                        ALLOW       103.21.244.0/22            # Cloudflare IP
443                        ALLOW       103.22.200.0/22            # Cloudflare IP
443                        ALLOW       103.31.4.0/22              # Cloudflare IP
443                        ALLOW       141.101.64.0/18            # Cloudflare IP
443                        ALLOW       108.162.192.0/18           # Cloudflare IP
443                        ALLOW       190.93.240.0/20            # Cloudflare IP
443                        ALLOW       188.114.96.0/20            # Cloudflare IP
443                        ALLOW       197.234.240.0/22           # Cloudflare IP
443                        ALLOW       198.41.128.0/17            # Cloudflare IP
443                        ALLOW       162.158.0.0/15             # Cloudflare IP
443                        ALLOW       104.16.0.0/13              # Cloudflare IP
443                        ALLOW       104.24.0.0/14              # Cloudflare IP
443                        ALLOW       172.64.0.0/13              # Cloudflare IP
443                        ALLOW       131.0.72.0/22              # Cloudflare IP
21                         ALLOW       Anywhere                
40110:40210/tcp            ALLOW       Anywhere                
443                        ALLOW       Anywhere                
80 (v6)                    DENY        Anywhere (v6)            
443                        ALLOW       2400:cb00::/32             # Cloudflare IP
443                        ALLOW       2606:4700::/32             # Cloudflare IP
443                        ALLOW       2803:f800::/32             # Cloudflare IP
443                        ALLOW       2405:b500::/32             # Cloudflare IP
443                        ALLOW       2405:8100::/32             # Cloudflare IP
443                        ALLOW       2a06:98c0::/29             # Cloudflare IP
443                        ALLOW       2c0f:f248::/32             # Cloudflare IP
21 (v6)                    ALLOW       Anywhere (v6)            
40110:40210/tcp (v6)       ALLOW       Anywhere (v6)            
443 (v6)                   ALLOW       Anywhere (v6)
 
So the script automatically updates the Cloudflare IP addresses when they change then? I'm trying to remember what I was told wouldn't work if I only whitelisted Cloudflare IP addresses. I'm sure my email service was one thing - but that was the server's bot so might not have been correct.

Trying to get my head round it as it would exclude the server's own IP ....... not sure what effect that would have.
 
Ok so yes if I include my own IP as well as whitelisting Cloudflare IPs then there are no site restrictions or webmail restrictions apparently.

My server says no option to automatically run a script to update IPs in IP manager, but you can run a script in .htaccess to whitelist/update Cloudflare IP addresses there. Feel like I'm going round in circles now!
 
So the script automatically updates the Cloudflare IP addresses when they change then?
CF maintains a text-only list of the IP addresses for both IPv4 and IPv6. The script performs a wget on those text files daily or however often you set the cron job to run, then inserts them into UFW as an access rule. UFW will not allow a double insert of a rule so anything that is already there is just ignored and you end up with new inserts only.

I'm trying to remember what I was told wouldn't work if I only whitelisted Cloudflare IP addresses. I'm sure my email service was one thing - but that was the server's bot so might not have been correct.
This only blocks incoming traffic. So outgoing mail would not be impacted. If you have a mail server on the same IP then that would be an issue, but if it's webmail and you have a proper subdomain setup that uses SSL (443) then you should be fine.

You have to manually allow anything else you want, such as FTP ports and SSH ports. Start with a blank set of rules and set the default to DENY, run the CF address script, then add in whatever else you need.

This is a dedicated server or shared hosting?

Have someone run nmap on your machine. My web server responds like this. That 10.2.1.20 address is the internal network between my servers but you can run it against a public IP too.
Code:
root@thor:/# nmap odin
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-27 13:25 MDT
Nmap scan report for odin (10.2.1.20)
Host is up (0.00020s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
443/tcp   open   https

And my mail/other stuff server responds like this. Notice all the open ports for mail: 587, 993, 995, etc.
Code:
Nmap scan report for thor (10.2.1.19)
Host is up (0.00020s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
53/tcp    open   domain
80/tcp    open   http
110/tcp   open   pop3
143/tcp   open   imap
443/tcp   open   https
465/tcp   open   smtps
587/tcp   open   submission
993/tcp   open   imaps
995/tcp   open   pop3s
8080/tcp  open   http-proxy
8081/tcp  open   blackice-icecap
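The posts above describe the same mechanism twice: Cloudflare publishes its ranges as plain text lists, a cron job fetches them and feeds them into UFW (own server), or, on shared hosting, the same list goes into an .htaccess rule so admin.php refuses requests that did not arrive through Cloudflare. The script below is an added example written for this thread, not the script the poster runs. It assumes the two list URLs Cloudflare publishes, that the origin only needs to accept Cloudflare traffic on port 443, and a hypothetical install path for the cron line; everything else (file names, the CF_MODE switch) is this example's own convention.

```shell
#!/bin/sh
# Added example (not the thread's script): refresh the origin's allow-list from
# Cloudflare's published IP ranges, as either UFW commands or an Apache
# .htaccess fragment. Port, URLs and paths are assumptions for this example.
CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
CF_PORT="${CF_PORT:-443}"   # assumed: Cloudflare only ever reaches the origin over HTTPS

# Keep only lines that look like an IPv4 or IPv6 prefix. A failed download or an
# HTML error page therefore produces no rules instead of garbage rules.
cf_valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$'
}

# Ranges on stdin -> one "ufw allow" per line. UFW skips a rule that already
# exists, so re-running after Cloudflare changes the list only adds new ranges.
cf_ufw_commands() {
    cf_valid_cidrs | while read -r cidr; do
        printf "ufw allow proto tcp from %s to any port %s comment 'Cloudflare IP'\n" \
            "$cidr" "$CF_PORT"
    done
}

# Ranges on stdin -> Apache 2.4 fragment that limits admin.php to those ranges,
# so a request that reaches the origin IP directly gets a 403. Refuses to emit
# an empty <RequireAny>, which would break the .htaccess.
cf_htaccess_fragment() {
    ranges=$(cf_valid_cidrs)
    if [ -z "$ranges" ]; then
        echo "no valid ranges received; leaving .htaccess untouched" >&2
        return 1
    fi
    echo '<Files "admin.php">'
    echo '    <RequireAny>'
    printf '%s\n' "$ranges" | while read -r cidr; do
        printf '        Require ip %s\n' "$cidr"
    done
    echo '    </RequireAny>'
    echo '</Files>'
}

# Download both lists. The extra newlines keep the last v4 entry and the first
# v6 entry on separate lines even if a file has no trailing newline.
cf_fetch_ranges() {
    wget -qO- "$CF_V4_URL"; echo; wget -qO- "$CF_V6_URL"; echo
}

# Assumed cron entry (path is hypothetical):
#   0 3 * * * CF_MODE=ufw /usr/local/sbin/cf-allow.sh
case "${CF_MODE:-}" in
    ufw)      cf_fetch_ranges | cf_ufw_commands | sh ;;
    htaccess) cf_fetch_ranges | cf_htaccess_fragment ;;   # redirect into public_html/.htaccess
    *)        : ;;   # no mode set: only define the functions, safe to source
esac
```

With `CF_MODE=ufw` the generated commands are piped straight into `sh`, which is exactly the "the script adds the Cloudflare IP lines" behaviour shown in the UFW listing earlier in the thread; the default deny plus your own allow lines (SSH, FTP, mail) still have to be added by hand, as the reply above says. With `CF_MODE=htaccess` the output is meant to be written into the site's .htaccess; it only covers admin.php, so the Cloudflare Access policy remains the identity check and this rule is the origin-side backstop against direct-to-IP requests.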
 
The main issue seems to be my server and hosting plan. Server doesn't really protect the origin IP. (Asked what protection they have in place and ran that by ChatGPT who interpreted it and it's lacking). It might be low risk. But whitelisting Cloudflare IP and my IP mitigates for it. Except I'd have to manually check and update the Cloudflare IP list and if I forget I could get locked out. Or use a server that protects the origin IP (but most of those are VPS and I'd be out of my depth there).

There's an article about it here

"As we often say in the security industry: a chain is as strong as its weakest link. No matter how much time you’ve spent to configure Cloudflare, if it can be bypassed and if your web app can be directly reached through the server IP, then all protections offered by Cloudflare are also bypassed. They become totally useless as you’re not protected anymore."

 
Yeah well ChatGPT is a bit lacking. If you haven't had an issue yet I wouldn't be too concerned though. Most attacks are either bot scrapes or DDoS, someone targeting your admincp is possible but a bit lower possibility.

You would not be locked out if you did not update your CF rules though. If you try to get in and you can't, then login to CF and update the rules.
 
Turns out I have a dynamic IP, not static. Switched providers a while back. I had to authenticate to get into ACP today. Checked and my IP address has changed. So that could be tricky to whitelist my own IP in the server along with Cloudflare IPs - probably just won't do that then. Bit pointless whitelisting it in Cloudflare as well then.

It'll do.
 
So as I have a dynamic IP I will also need to scrap the new .htaccess file I created in /install (thought that was the easy option for that) and set up a Zero Trust policy for /install as well.

And it seems I'm limited to email authentication only with Zero Trust if I have a dynamic IP. Is there any way round that? If you have a dynamic IP? Because it was much easier just "allowing" my IP and only having email authentication if I was away from my IP.
 
No way around it with shared hosting and dynamic IP. Your security options are very limited with those server limitations. Sometimes dynamic IPs only change once in great while, but having it change right in the middle of trying to set up security is not a good sign it will remain the same for very long. Only real options are to just stick with email authentication or switch hosting plans and/or hosts.
 
Yes that's what I thought. So I've stuck with Zero Trust email authentication for admin.php and /install. No option to have a static IP. Would a Cloudflare WAF firewall rule help as well?

How difficult is it to use a VPS server? There's a lot of manual setting up to do isn't there?

I guess the only other option is password protect .htaccess and /install instead.

Or how about using a VPN to set a static IP?
 
Would a Cloudflare WAF firewall rule help as well?
Almost every layer of security you put in place helps, but at what point do you decide your time is better spent on something else.

How much of a target has my site been? If your answer is that it has been running for years with basically no security with zero issues then adding 2 new layers of additional security to the exact same places may not be the best use of your time.

How difficult is it to use a VPS server? There's a lot of manual setting up to do isn't there?
A VPS takes a lot of knowledge and it is not something I'd recommend you switch to before that knowledge is already in place. Even if you get a "managed VPS" there is still some additional knowledge needed to be able to run it. I do not know your knowledge level on these things, but from your question I assume you would be starting with little server administration knowledge for areas like setup, maintenance, and technical operations.

I guess the only other option is password protect .htaccess and /install instead.
It's an option. It also has its limitations/weaknesses, but it takes just a minute to put in place so it's always a quick easy option for securing files or directories.

Or how about using a VPN to set a static IP?
I would not recommend this. Setting one up on a shared host may even be impossible with permission restrictions. VPNs are also not the most efficient way to transfer data.
 
Thank you. I have no server administration knowledge. I'm fairly familiar with linux but not that advanced.

Agree - how much time is it worth spending on it? :-) I do have a bit of time at the moment (been laid up for over a month!) (won't do in a week or so) so I've been using it to try and get a few things sorted so I can forget about them.

Another server upgrade option with my server is cloud hosting. It's not that much more and it has a dedicated IP address (which means it would be easier to protect an origin IP address presumably). Then that isn't a risk.

However, yes I'm kind of happy to just leave it as it is as well but now I've started I want to see what I can sort best - and then give up!

So password protecting admin.php and /install - how does that work? Presumably you have to enter a password every time you log in to ACP or do an upgrade? Remember a password, make sure it doesn't get hacked or lost.
 
Yes, a password would need to be entered every time you access a file or directory that is protected. The encrypted password needs to be stored on your server in a secure location outside of public_html. If you lose the password you will need to create a new one, encrypt it and update your .htpasswd file with the new encryption.
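The reply above gives the three parts of HTTP basic auth on a shared host: a hashed password line in .htpasswd kept outside public_html, and an .htaccess in the web root that makes Apache prompt for it. The script below is an added example, not something from this thread; the account name, the /home/user path and the "Restricted" realm are assumptions, and it uses the htpasswd tool from apache2-utils when present, otherwise OpenSSL's Apache-compatible hash.

```shell
#!/bin/sh
# Added example (not from the thread): produce the .htpasswd line and the
# .htaccess fragments for password-protecting admin.php and /install.
# HTPASSWD_FILE is an assumed path; the point is that it sits outside public_html.
HTPASSWD_FILE="${HTPASSWD_FILE:-/home/user/.htpasswd}"
AUTH_REALM="${AUTH_REALM:-Restricted}"

# Print "user:hash" for the .htpasswd file. bcrypt via htpasswd -B is preferred;
# the fallback is the $apr1$ scheme Apache also accepts. The plain password is
# never written to disk by this function.
htpasswd_entry() {
    user=$1
    pass=$2
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$user" "$pass"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
    else
        echo "need htpasswd (apache2-utils) or openssl to hash the password" >&2
        return 1
    fi
}

# Fragment for public_html/.htaccess: only admin.php prompts, the rest of the
# site stays public. <Files> is allowed in .htaccess; <Directory> is not.
htaccess_file_fragment() {
    cat <<EOF
<Files "admin.php">
    AuthType Basic
    AuthName "$AUTH_REALM"
    AuthUserFile $HTPASSWD_FILE
    Require valid-user
</Files>
EOF
}

# Fragment for public_html/install/.htaccess: placed inside the directory it
# covers everything under /install without needing a <Directory> block.
htaccess_dir_fragment() {
    cat <<EOF
AuthType Basic
AuthName "$AUTH_REALM"
AuthUserFile $HTPASSWD_FILE
Require valid-user
EOF
}

# Usage (constructed values): htpasswd_entry admin 'long-random-passphrase' >> "$HTPASSWD_FILE"
#                             htaccess_file_fragment >> public_html/.htaccess
#                             htaccess_dir_fragment  >  public_html/install/.htaccess
```

Losing the password means regenerating the line with `htpasswd_entry` and replacing it in .htpasswd, which is the "create a new one, encrypt it and update your .htpasswd" step in the reply. Because the Cloudflare Access policy already fronts admin.php, this prompt only ever appears to someone who has passed (or bypassed) that check, so the two layers do not replace each other.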
 