Implemented Option to globally disable ability to upload from URL

[imthebest]

As title says because when using CloudFlare to protect your server from DDoS attacks the "Upload from URL" feature is an easy way for atackers to find your real IP

 

[Martok]

How? Can you explain please?

 

[imthebest]

http://www.madleets.com/Thread-Bypass-CloudFlare-and-get-real-IP-from-forums

 

[Martok]

Have you tested this in XFMG on this site? On a Cloudflare site?

 

[imthebest]

No but pretty sure it will work.

 

[DeltaHF]

The image proxy, if a forum is using it, provides another way to retrieve the server's IP address, because it must reach out to third-party hosts to download image files and any logs will show this information.

I'm just getting familiar with CloudFlare, but I presume the best practice is to use the server's firewall to restrict incoming traffic from CloudFlare servers and a small subset of other trusted services which need to access it. That way, even though your server's public IP is known, it will be much easier to mitigate any attacks.