GlitchWitch/cloudflare-reverse-proxy.sh

## readme.md

      
    Raw
  

              readme.md
            
          
    Purpose:

Helps facilitate the ability to run internet facing web apps on a homelab ($desinationip) without exposing the homelab's IP address and forcing the use of CloudFlare for incoming traffic. Tunnels both incoming web traffic and outgoing traffic. Uses public cloud VPS ($serverip) as the reverse proxy and VPN.
This setup should hide the homelab's IP even in the event of compromise, end-to-end encrypt all web traffic between CloudFlare and the homelab, and prevents the proxy server from being accessed directly.
Internet --> Cloudflare (80/443) --> Cloud Provider (cloudflare-reverse-proxy.sh) --> Homelab (port forward + nginx-proxy-manager)
Homelab (all traffic) --> Cloud Provider (OpenVPN on 4443) --> Internet

If Homelab's IP is discovered, it will only accept traffic from the proxy server, directed at a specific domain, and that traffic will only hit the web apps if it is properly encrypted from CloudFlare.
If the proxy's IP is discovered, it will only accept incoming connections from HomeLab's IP on port 4443 and a managment IP on port 22. Additonally traffic sent to 80/443 will only be forwarded to the homelab if it's from CloudFlare.
If the Homelab web app is pwnd, all outbound connections will be forced through the proxy, hiding the homelab's location.

Prerequisites:


Setup $serverip OpenVPN server on port 4443
Setup VM's running on $destinationip to connect to $serverip OpenVPN (ideally using pfsense with killswitch). This should prevent accidental IP disclosure.
Setup $destinationip port 80/443 forwarding to nginx-proxy-manager, only allow from $serverip
Setup $destinationip nginx-proxy-manager domains and only allow access from $serverip, import Cloudflare SSL origin certs.
Setup cloudflare domains and point to $serverip, enable proxying and "Full Strict SSL".
Run the script  wget https://gist.githubusercontent.com/GlitchWitch/207d18c8902fcb5e1c5f0e043f8e9101/raw/862bf56e2fe02e09f3dec22a218824990bb18079/cloudflare-reverse-proxy.sh && bash cloudflare-reverse-proxy.sh desinationip managmentip && rm cloudflare-reverse-proxy.sh

This script should do the following assuming I didn't fuck it up:


Blocks all incoming SSH traffic on $serverip
Whitelists $managmentip to access SSH port on $serverip
Blocks all web (80/443) traffic on $serverip
Forwards all web traffic (80/443) on on $serverip to $destinationip only if received from cloudflare
Whitelist $destinationip to access OpenVPN on $serverip


## cloudflare-reverse-proxy.sh
# !/bin/bash
#
# Configure server to act as a reverse proxy for port 80/443 and only allow Cloudflare IPs
# Usage: bash cloudflare-reverse-proxy.sh destinationip managmentip

# Clear existing iptables

iptables -F

# Forward traffic from Cloudflare
for i in `curl https://www.cloudflare.com/ips-v4`; do
iptables -t nat -A PREROUTING -s $i -p tcp --dport 80 -j DNAT --to-destination $1:80;
done
for i in `curl https://www.cloudflare.com/ips-v4`; do
      iptables -t nat -A PREROUTING -s $i -p tcp --dport 443 -j DNAT --to-destination $1:443;
done

# Block all other web traffic
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 443 -j DROP

# Block SSH Traffic not from our Managment IP
iptables -I INPUT -p tcp -s $2 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP

# Allow access to OpenVPN
iptables -I INPUT -p tcp -s $1 --dport 4443 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 4443 -j DROP
iptables -I INPUT -p udp -s $1 --dport 4443 -j ACCEPT
iptables -A INPUT -p udp -s 0.0.0.0/0 --dport 4443 -j DROP

iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.1/24 -j ACCEPT


iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT

# Enable IP Forwarding
sysctl net.ipv4.ip_forward=1
#iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
	# !/bin/bash
	#
	# Configure server to act as a reverse proxy for port 80/443 and only allow Cloudflare IPs
	# Usage: bash cloudflare-reverse-proxy.sh destinationip managmentip

	# Clear existing iptables

	iptables -F

	# Forward traffic from Cloudflare
	for i in `curl https://www.cloudflare.com/ips-v4`; do
	iptables -t nat -A PREROUTING -s $i -p tcp --dport 80 -j DNAT --to-destination $1:80;
	done
	for i in `curl https://www.cloudflare.com/ips-v4`; do
	iptables -t nat -A PREROUTING -s $i -p tcp --dport 443 -j DNAT --to-destination $1:443;
	done

	# Block all other web traffic
	iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP
	iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 443 -j DROP

	# Block SSH Traffic not from our Managment IP
	iptables -I INPUT -p tcp -s $2 --dport 22 -j ACCEPT
	iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP

	# Allow access to OpenVPN
	iptables -I INPUT -p tcp -s $1 --dport 4443 -j ACCEPT
	iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 4443 -j DROP
	iptables -I INPUT -p udp -s $1 --dport 4443 -j ACCEPT
	iptables -A INPUT -p udp -s 0.0.0.0/0 --dport 4443 -j DROP

	iptables -A FORWARD -i tun+ -j ACCEPT
	iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -s 10.8.0.1/24 -j ACCEPT


	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
	iptables -A OUTPUT -o tun+ -j ACCEPT

	# Enable IP Forwarding
	sysctl net.ipv4.ip_forward=1
	#iptables -t nat -A POSTROUTING -j MASQUERADE
	iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
	iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE