CloudFlare Backoffice Security and IP Whitelisting?
I'm trying to use CloudFlare as a proxy in front of Umbraco hosted on IIS. Prior to this we could whitelist IPs to limit access to the backoffice. However, with the switch to CloudFlare all traffic is coming from their proxy. Is there a way to limit access to the backoffice with this setup?
I think there are two solutions:
You can add a different hostname to the site which resolves (on your internal DNS) allowing content editors to use the "backoffice" DNS name.
Based on the same idea as the previous one: make two deployments (on the same server if you need) as if you are load balancing, one for the front-end and one for the back-end. If you host the backend on a different hostname, you can add your good old IP restrictions. The advantage of this setup is that you can diminish the attack surface on the front-end by removing the ".AddBackOffice()".
Turns out we have the IP ranges of our organization. Is it secure to move the entire URL rewrite rule from IIS to the CloudFlare WAF rules? Would these be equivalent to what's suggested by Umbraco?