Cloudflare rule for securing admin.php?
- Thread starter Alvin63
- Start date
"How much of a target has my site been? If your answer is that it has been running for years with basically no security with zero issues then adding 2 new layers of additional security to the exact same places may not be the best use of your time."
Going back to this. Yes my site was running for nearly three years with no specific server protection and no issues. But then I changed something - I did the robots.txt file, have 3 times as many bots on the site now and any bad ones can see I'm telling them to keep out of admin.php, so that is more of a target than it was before.
And yes I have the cloudflare zero trust but the origin ip is almost certainly easy to find somehow. Now if I had a static IP the next bit is simple and free - just whitelist the Cloudflare IP's and my IP in the server IP manager. Job done (apart from remembering to update Cloudflare's IP's). But I don't have a static IP.
I am still thinking about the idea of a vpn static ip. If it's a dedicated static IP it should be ok surely?
Well that's annoying. I took out the dedicated static vpn ip with a 30 day money back option to try out.
Entered the email address in my zero trust policy. And it's not working. I'm still getting asked for email authentication. I assume Cloudflare knows it's a vpn address? But it's still a static ip address!
Entered the email address in my zero trust policy. And it's not working. I'm still getting asked for email authentication. I assume Cloudflare knows it's a vpn address? But it's still a static ip address!
Just going back to that. I think I've set it up wrong. I have Policy Name - Allow - Duration,
Then under that I have 2 rules
Selector/Emails: and my email addresses
Then selected Add/include then
Selector/IP addresses: with my ip address/32
Email authentication is the only thing working. So it's not prioritising the IP address. I'm sure I did the same thing the other day and it worked.
You mentioned "bypass" but the only place to select that is at the top next to policy name - ie only one option for both rules.
Edit: I know what it is now. I later set up a second application for /install and a second policy for /install and added that to the second application, and the only authentication I added for that was email only.
So I have
Application1/policy 1 admin.php - IP and email
Application 2/policy 2 /install - email only
So Application 2 must be overriding application 1
Last edited:
Ok deleted one application and just have the one for admin.php and it's still not working with IP - keeps asking for email authentication (tried my original IP as well as the VPN one so it's not the IP address).
So not sure what's going on there. But there doesn't seem to be the option to set two separate paths in one application.
Wondering if I could just leave it as /
ie protect everything? Would that just protect everything in public_html?
So not sure what's going on there. But there doesn't seem to be the option to set two separate paths in one application.
Wondering if I could just leave it as /
ie protect everything? Would that just protect everything in public_html?
digitalpoint
Well-known member
You could probably save yourself a lot of headaches/aggravation by using this addon.
Clicking the "Create admin access policy" does all the config or your Zero Trust applications without even needing to go to Cloudflare's dashboard.
...or not.
Clicking the "Create admin access policy" does all the config or your Zero Trust applications without even needing to go to Cloudflare's dashboard.
...or not.
I know it's very popular and can see the advantage 
The annoying thing is I had it all set up and working fine! And then found I had a dynamic IP address so only email authentication was working. Which was also fine. I think even with your addon I'd still be restricted to email authentication only without an IP address. Hence today I decided to sign up for a dedicated VPN IP, Mainly so I could whitelist it in the server, along with Cloudflare IP's. But also add it to Zero trust so I had the full options again.
Something went very weird with Zero trust today though. It wouldn't recognise either my VPN IP or my actual IP and still kept doing email authentication. Deleted everything - no applications, no policies. Made a new policy and application just for IP no email. Now technically that should either have let me login or blocked me if the IP wasn't working - but email authentication STILL came up (even though there was no longer any email rule set or email address entered. So something gone wrong with it somewhere. I'll need to contact Cloudflare.
I'm still thinking about your app as well but I didn't actually need it yesterday as had everything set up My main issue was not having a static IP address.
The annoying thing is I had it all set up and working fine! And then found I had a dynamic IP address so only email authentication was working. Which was also fine. I think even with your addon I'd still be restricted to email authentication only without an IP address. Hence today I decided to sign up for a dedicated VPN IP, Mainly so I could whitelist it in the server, along with Cloudflare IP's. But also add it to Zero trust so I had the full options again.Something went very weird with Zero trust today though. It wouldn't recognise either my VPN IP or my actual IP and still kept doing email authentication. Deleted everything - no applications, no policies. Made a new policy and application just for IP no email. Now technically that should either have let me login or blocked me if the IP wasn't working - but email authentication STILL came up (even though there was no longer any email rule set or email address entered. So something gone wrong with it somewhere. I'll need to contact Cloudflare.
I'm still thinking about your app as well but I didn't actually need it yesterday as had everything set up
My main issue was not having a static IP address.Could I still use this if I've already set up Zero Trust for email authentication?You could probably save yourself a lot of headaches/aggravation by using this addon.
View attachment 323225
Clicking the "Create admin access policy" does all the config or your Zero Trust applications without even needing to go to Cloudflare's dashboard.
View attachment 323226
...or not.
digitalpoint
Well-known member
Ya... the Zero Trust config is like the tiniest part of what it does. All the "best" stuff is unrelated to Zero Trust... ability to cache pages in Cloudflare's network edge for guests (makes your site weirdly fast), ability to use R2 for attachments/avatars, etc.
digitalpoint
Well-known member
The addon doesn't work any better or worse than a normal Cloudflare setup. If your Cloudflare zone works with your VPN, it's fine. But VPN or not, it makes no difference to the addon.
As far as firewall, you can manage IP and user agent blocks pretty easily. There are also some pre-defined rules as well as the ability to manage country blocks. But if you want to do more advanced stuff that is specific to your site, you would probably want to make the rules within Cloudflare dashboard (you could seill view and/or delete those from XF admin).
Thank you. I can see it could help having everything in one place on Xenforo. I am actually set up with applications and policies to protect admin.php and /install already. However it will not work with IP. It WAS working with IP until my IP changed dynamically - now it won't work with any IP - it seems to ignore the rule and go straight to email authentification. I've checked and double checked. Deleted and started again. Cleared the cache. And everything is as it should be so I'm stumped as to why it won't now work with an IP address (ie only needing email authentification if I was on a different IP).
Finally got IP working. I had set it to allow instead of bypass. So it's working now. And I don't have to keep authenticating by email and OTP. However. I have set the path to /admin.php and I read somewhere that it should be admin.php* with a wildcard, Is that actually necessary?
So in the application. Two separate policies. One policy for IP address - set to bypass. The other policy set to allow for email address. And the Bypass policy needs to be listed at the top in the application. (If that helps anyone).
So now it's just the wild card I'm not sure about. ie whether it's ok to use * or whether just having admin.php would mean it doesn't protect admin.php?permissions/usergroup/
Actually the ? should mean just admin.php is ok shouldn't it? And no wildcard needed?
So in the application. Two separate policies. One policy for IP address - set to bypass. The other policy set to allow for email address. And the Bypass policy needs to be listed at the top in the application. (If that helps anyone).
So now it's just the wild card I'm not sure about. ie whether it's ok to use * or whether just having admin.php would mean it doesn't protect admin.php?permissions/usergroup/
Actually the ? should mean just admin.php is ok shouldn't it? And no wildcard needed?
Last edited:
Ready to do this now. I have the VPN dedicated static IP and have Zero trust set up. I will have to manually check when Cloudflare IP's change though and manually update them. Shame Cloudflare don't do email alerts.
GrnEyedDvl
Active member
Well that is why they post them in pure text form, so you can just do a WGET whenever you want.
GrnEyedDvl
Active member
Sorry if that was a bit cryptic. WGET is a command line function to grab something from a site. Like a text file. So you can run it like this whenever you want, and automate it with a cronjob.
Code:
wget https://www.cloudflare.com/ips-v4/