
Why Cloudflare Proxying Alone Isn't Enough

Alexander Norman
Tags: cloudflare, waf-bypass, origin-security, zero-trust

Many organizations put Cloudflare in front of their web applications and assume they're protected. WAF rules, DDoS mitigation, bot management — all handled by Cloudflare's edge network.

But there's a fundamental problem with the most common setup: if your origin server accepts traffic from any Cloudflare IP, every Cloudflare customer can reach it directly.

The Problem: Shared IP Ranges

When you proxy your domain through Cloudflare, traffic flows like this:

User → Cloudflare Edge → Your Origin Server

To "protect" the origin, many teams add firewall rules:

Allow inbound HTTP/HTTPS from Cloudflare IP ranges

This seems logical. Only Cloudflare can reach your origin. Except...

Cloudflare's IP ranges are shared by every one of the millions of domains on their network. Any Cloudflare customer can make traffic arrive from those same IPs using:

  • Cloudflare Workers: a Worker in their account fetches your origin IP directly with the Host header set to your hostname
  • Proxied DNS: an A record in their own CF zone pointing at your origin IP, so their hostname is served by your server
  • Cloudflare Tunnel: a tunnel ingress rule in their account whose service is your origin IP, with an httpHostHeader override set to your hostname

All three arrive at your origin from Cloudflare's IP ranges and pass your allow-list unchallenged; the firewall rule was never checking which zone the request belonged to.

Finding the Origin IP

The first step for an attacker is discovering your origin IP. Despite Cloudflare proxying, this is often trivial:

Non-proxied subdomains

mail.example.com    → 203.0.113.10  (Oderland, direct)
www.example.com     → 104.16.x.x    (Cloudflare, proxied)

Mail servers, FTP, cPanel, staging environments: these commonly point directly to the origin, because they cannot or were never meant to go through the HTTP proxy.

Certificate Transparency logs

Every publicly trusted TLS certificate is logged in Certificate Transparency. Searching crt.sh reveals subdomains that may have existed before Cloudflare was added, or internal services with their own certificates.

Historical DNS

Services like SecurityTrails, RapidDNS, and Shodan maintain historical DNS records. Even if you moved behind Cloudflare years ago, the old A record pointing to your origin is preserved, and servers rarely change address when a proxy is put in front of them.

Shodan / Censys

Search engines for internet-connected devices index your origin's IP, open ports, and TLS certificates. The certificate's subject name often reveals the exact hostname served, which ties the bare IP back to your domain.

The Bypass in Practice

Once an attacker has the origin IP, they can:

  • Connect directly, if the origin accepts traffic from any source (no firewall at all)
  • Route through Cloudflare, if the origin only accepts CF IPs, using a Worker, a proxied DNS record or a tunnel in their own account

In the second case, your Cloudflare WAF rules, rate limiting, bot management, and Access policies are completely bypassed. The attacker's traffic arrives at your origin through Cloudflare's network, but through their zone, not yours, so only their zone's rules are evaluated and yours never run.

The Fix: Cloudflare Tunnel (cloudflared)

The correct architecture uses Cloudflare Tunnel (formerly Argo Tunnel):

User → Cloudflare Edge → cloudflared daemon → Your Origin

Key difference: the origin never needs to listen on a public IP. The cloudflared daemon runs on your server and opens an outbound connection to Cloudflare's edge; requests for your hostname are delivered back over that connection. No inbound allow rule is needed, so the firewall can drop all inbound web traffic. Note that the tunnel alone does not close an origin that is still reachable on a public address; the firewall rule is what does that.

This means:

  • No origin IP to discover
  • No way to connect directly
  • No way to route through another CF zone, because there is no public listener for a Worker, proxied record or tunnel in someone else's account to reach
  • All traffic passes through YOUR Cloudflare zone's WAF/Access rules

Alternative: Authenticated Origin Pulls

If you can't use Tunnel, enable Authenticated Origin Pulls: mTLS between Cloudflare's edge and your origin, where the origin requires a valid client certificate on every connection. Use a custom client certificate uploaded to your zone rather than the default Cloudflare-issued one; the default origin-pull certificate is shared by all Cloudflare customers, so on its own it cannot distinguish your zone's traffic from another customer's.

This doesn't hide your origin IP, but it ensures that even if an attacker routes through Cloudflare, your origin rejects the connection because their zone does not present your client certificate.

Checklist for Defenders

  • Origin server has no public IP (uses Cloudflare Tunnel)
  • OR: Authenticated Origin Pulls enabled with a zone-specific client certificate, and verification enforced on the origin
  • No non-proxied subdomains leaking the origin IP (check: dig +short mail.example.com and compare the answer against Cloudflare's published ranges)
  • Historical DNS records don't reveal the origin (check SecurityTrails)
  • Origin TLS certificate doesn't leak in Shodan/Censys (check: search for the certificate's subject name)
  • NSG/firewall blocks ALL inbound web traffic; cloudflared only needs outbound connectivity, so no inbound exception is required for the tunnel
  • DNSSEC enabled on the domain
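A defender-side check for the non-proxied-subdomain and historical-DNS items above, as an added example that is not part of the original article or of the Pentesting.se scanner. It assumes you have already collected hostname/IP pairs (from dig, crt.sh or a historical DNS service) and tests each against Cloudflare's published ranges; the range subset and the records below are constructed so the script runs offline.

```python
"""Flag DNS records that expose an origin sitting behind Cloudflare.

Added example for this article; not code from the original post or from the
Pentesting.se scanner. The range subset and the records below are constructed.
"""
import ipaddress

# Constructed subset of Cloudflare's published ranges (assumption). Refresh the
# full lists from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 before using this for real.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "104.16.0.0/13",
    "104.24.0.0/14",
    "172.64.0.0/13",
    "173.245.48.0/20",
    "2606:4700::/32",
)]

# Constructed records using RFC 5737 documentation addresses.
CURRENT_RECORDS = [
    ("www.example.com", "104.16.1.1"),           # proxied (orange cloud)
    ("www.example.com", "2606:4700::6810:101"),  # proxied, IPv6
    ("api.example.com", "172.64.10.20"),         # proxied
    ("mail.example.com", "203.0.113.10"),        # direct: points at the origin
    ("cpanel.example.com", "203.0.113.10"),      # direct: same server
]
# A pre-Cloudflare A record as a historical DNS service would report it (constructed).
HISTORICAL_RECORDS = [("www.example.com", "203.0.113.10")]


def is_cloudflare(ip: str) -> bool:
    """True if the address lies inside one of Cloudflare's announced ranges."""
    addr = ipaddress.ip_address(ip)
    # Mixed-version membership tests return False, so v4 and v6 can share one list.
    return any(addr in net for net in CLOUDFLARE_RANGES)


def classify(records):
    """Map each hostname to 'proxied' or 'direct'.

    A hostname counts as 'direct' if any of its addresses is outside
    Cloudflare, since one grey-clouded record is enough to reach the server.
    """
    status = {}
    for host, ip in records:
        if not is_cloudflare(ip):
            status[host] = "direct"
        else:
            status.setdefault(host, "proxied")
    return status


def candidate_origins(current, historical=()):
    """Addresses an attacker would try as the origin: every non-Cloudflare IP
    seen for the zone, whether on a live non-proxied host or in old DNS data."""
    ips = {ip for _, ip in (*current, *historical) if not is_cloudflare(ip)}
    return sorted(ips)


def report(current, historical=()):
    """Summary of which hosts are direct and which addresses need locking down."""
    lines = [f"{host:<22} {status}" for host, status in sorted(classify(current).items())]
    origins = candidate_origins(current, historical)
    lines.append("")
    lines.append("candidate origin IPs: " + (", ".join(origins) if origins else "none"))
    if origins:
        lines.append("these must sit behind Tunnel or enforce Authenticated Origin Pulls")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CURRENT_RECORDS, HISTORICAL_RECORDS))
```

Feed it the real A/AAAA answers for every hostname in the zone plus whatever the historical services return; any address in the candidate list is one an attacker can point a Worker, a proxied record or a tunnel at, so it must either be unreachable from the internet or reject connections without your zone's client certificate.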

Our Automated Detection

Pentesting.se now automatically detects Cloudflare origin exposure as part of the discovery scan:

  • Identifies CF-proxied domains
  • Probes common non-proxied subdomains (mail, ftp, cpanel, staging, dev)
  • Checks Shodan for origin IP confirmation
  • Tests origin accessibility on ports 80 and 443
  • Reports findings with specific remediation advice

This runs on every discovery scan; no manual configuration is needed.

---

Alexander Norman is the founder of Adminor AB and Pentesting.se, a continuous security monitoring platform for Nordic businesses.