Configure the server to act as a forwarder for port 80/443 While only allowing traffic from Cloudflare IPs

readme.md

Purpose:

Helps facilitate the ability to run internet facing web apps on a homelab ($desinationip) without exposing the homelab's IP address and forcing the use of CloudFlare for incoming traffic. Tunnels both incoming web traffic and outgoing traffic. Uses public cloud VPS ($serverip) as the reverse proxy and VPN.

This setup should hide the homelab's IP even in the event of compromise, end-to-end encrypt all web traffic between CloudFlare and the homelab, and prevents the proxy server from being accessed directly.

Internet --> Cloudflare (80/443) --> Cloud Provider (cloudflare-reverse-proxy.sh) --> Homelab (port forward + nginx-proxy-manager)

Homelab (all traffic) --> Cloud Provider (OpenVPN on 4443) --> Internet

• If Homelab's IP is discovered, it will only accept traffic from the proxy server, directed at a specific domain, and that traffic will only hit the web apps if it is properly encrypted from CloudFlare.
• If the proxy's IP is discovered, it will only accept incoming connections from HomeLab's IP on port 4443 and a managment IP on port 22. Additonally traffic sent to 80/443 will only be forwarded to the homelab if it's from CloudFlare.
• If the Homelab web app is pwnd, all outbound connections will be forced through the proxy, hiding the homelab's location.

Prerequisites:

• Setup $serverip OpenVPN server on port 4443
• Setup VM's running on $destinationip to connect to $serverip OpenVPN (ideally using pfsense with killswitch). This should prevent accidental IP disclosure.
• Setup $destinationip port 80/443 forwarding to nginx-proxy-manager, only allow from $serverip
• Setup $destinationip nginx-proxy-manager domains and only allow access from $serverip, import Cloudflare SSL origin certs.
• Setup cloudflare domains and point to $serverip, enable proxying and "Full Strict SSL".
• Run the script wget https://gist.githubusercontent.com/GlitchWitch/207d18c8902fcb5e1c5f0e043f8e9101/raw/862bf56e2fe02e09f3dec22a218824990bb18079/cloudflare-reverse-proxy.sh && bash cloudflare-reverse-proxy.sh desinationip managmentip && rm cloudflare-reverse-proxy.sh

This script should do the following assuming I didn't fuck it up:

• Blocks all incoming SSH traffic on $serverip
• Whitelists $managmentip to access SSH port on $serverip
• Blocks all web (80/443) traffic on $serverip
• Forwards all web traffic (80/443) on on $serverip to $destinationip only if received from cloudflare
• Whitelist $destinationip to access OpenVPN on $serverip

cloudflare-reverse-proxy.sh

# !/bin/bash
#
# Configure server to act as a reverse proxy for port 80/443 and only allow Cloudflare IPs
# Usage: bash cloudflare-reverse-proxy.sh destinationip managmentip

# Clear existing iptables

iptables -F

# Forward traffic from Cloudflare
for i in `curl https://www.cloudflare.com/ips-v4`; do
iptables -t nat -A PREROUTING -s $i -p tcp --dport 80 -j DNAT --to-destination $1:80;
done
for i in `curl https://www.cloudflare.com/ips-v4`; do
      iptables -t nat -A PREROUTING -s $i -p tcp --dport 443 -j DNAT --to-destination $1:443;
done

# Block all other web traffic
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 443 -j DROP

# Block SSH Traffic not from our Managment IP
iptables -I INPUT -p tcp -s $2 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP

# Allow access to OpenVPN
iptables -I INPUT -p tcp -s $1 --dport 4443 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 4443 -j DROP
iptables -I INPUT -p udp -s $1 --dport 4443 -j ACCEPT
iptables -A INPUT -p udp -s 0.0.0.0/0 --dport 4443 -j DROP

iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.1/24 -j ACCEPT


iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT

# Enable IP Forwarding
sysctl net.ipv4.ip_forward=1
#iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE

Hi Dear, I want to use your .sh for ocserv in Ubuntu 23.10, but your iptables code not working and get error, bad argument, my interface is ens34, also, in Ubuntu 23.10 only UFW working, please tell me how can I convert your iptables code to UFW code to working well?
if you help me so many regards and thanks to you, it's too important, because ocserv with Cloudflare asking username and password, but not connecting, maybe with your script my probblem will be solve

@JellyVPN Sorry I'm not sure I can help. I did this as a proof of concept for something specific back in 2020-2021 and haven't used it since.

For handling inbound traffic I'd suggest looking into something like Cloudflare Tunnels which will largely achieve the same thing in a much more production friendly way. For outbound I'd suggest looking into Tailscale or Wireguard.

Thank you for your response, I just need to convert this code to UFW
iptables -t nat -A PREROUTING -s $i -p tcp --dport 443 -j DNAT --to-destination $1:443;
can you help me, please?
also, I will check Tailscale, but I"m providing VPN in restricted countries and main IP of my server will be block less than 1 hour, the only thing I can do is hiding real IP, if you help me I will so much appreciate it
thanks a lot

I'm not sure my hackey script is really the best thing to be emulating...

This might help you with the port forwarding from one IP to another using UFW: https://www.cyberciti.biz/faq/how-to-configure-ufw-to-forward-port-80443-to-internal-server-hosted-on-lan/

Also if you haven't heard of fly.io, based on the limited info I have about what you're working on I think it might be useful for some of your project's infrastructure.

thank you, Dear @GlitchWitch, I appreciate it