I’m a big fan of Cloudflare for all the services they offer to accelerate and protect your website. In a typical setup, Cloudflare handles your DNS so that queries for your site are sent to their proxies. However, your site is still accessible directly by IP address, which leaves it open to abuse by bots etc.
Cloudflare Tunnels can solve this issue. With a typical cloud provider setup, where you have a virtual machine serving your site, your server has both public and private IP addresses. In the absence of a tunnel, Cloudflare has to connect to the public IP address, which isn’t ideal, because others can connect to that address as well.
With a tunnel established, you can do one of two things:
- Change firewall settings at the cloud provider to deny HTTP/TLS traffic on the public IP.
- Remove the public IP address entirely
Both will work, but there are considerations. You will set up the tunnel to connect to your server on the private, internal IP address. So, blocking web connections on the public IP will still allow Cloudflare to reach your site. Same goes for entirely removing the public IP. The difference is, if you remove the public IP, you will no longer be able to SSH in to your server. Your cloud provider may offer an alternative way to reach your server for management access, so look into this before choosing this option.
Removing the ability to make direct connections to your origin server will increase the security of your site and give you a bit more peace of mind, since all access definitely now needs to come through the proxy layer, which offers numerous protections. I’ve found it’s worth the time investment to set up.