"Allow traffic from Cloudflare only" only applies to port 443, not port 80 #65

Closed
opened 2026-04-05 20:25:23 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @bkremenovic on 7/15/2025

CloudPanel version(s) affected

2.5.1

Description

CloudPanel’s "Allow traffic from Cloudflare only" option currently restricts traffic on port 443 (HTTPS) correctly, returning a 403 when accessed via server IP. However, the same protection does not apply to port 80 (HTTP). When accessing the server via its IP on port 80 with a spoofed Host header, the website is returned as normal, which defeats the purpose of the protection.

This issue was discovered while hosting a WordPress website, so I assume the default WordPress NGINX vhost template is being used.

This allows visitors to bypass Cloudflare entirely by using HTTP and targeting the server IP directly.

Image: https://github.com/user-attachments/assets/c6e7f406-7221-40e0-bfcb-5c46e5b12517

How to reproduce

  1. Enable “Allow traffic from Cloudflare only” in the CloudPanel settings.
  2. Make sure DNS is proxied through Cloudflare (orange cloud).
  3. From an external machine, run the following:
```bash
# This returns 403 (✅ expected)
curl --location 'https://YOUR_SERVER_IP' \
  --header 'Host: yourdomain.com'

# This returns the website (❌ not expected)
curl --location 'http://YOUR_SERVER_IP' \
  --header 'Host: yourdomain.com'
```

Possible Solution

Extend the logic of the "Allow traffic from Cloudflare only" feature to apply to port 80 in addition to port 443. This could be done via:

  • Adjusting the UFW or iptables rules
  • Modifying the NGINX config to include deny rules for non-Cloudflare IPs on port 80

Additional Context

No response
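As an added illustration of the fix the report proposes (this is example code written for this page, not CloudPanel's own implementation and not posted by the reporter), the script below generates a Cloudflare-only policy that is enforced on both listeners: an NGINX vhost with the same gate in the port-80 and the port-443 server block, plus the equivalent UFW rules. The Cloudflare ranges embedded in it are a snapshot and must be refreshed from Cloudflare's published lists before use; the domain, certificate paths and web root are placeholders.

```python
"""Cloudflare-only access rules that cover both :80 and :443 (added example)."""
import ipaddress

# Constructed snapshot of Cloudflare's published ranges. Assumption: refresh it
# from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
# before deploying; the list changes over time.
CLOUDFLARE_CIDRS = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]


def cloudflare_networks():
    return [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_CIDRS]


def is_cloudflare(peer_ip):
    """True if the raw TCP peer address belongs to one of the Cloudflare ranges."""
    addr = ipaddress.ip_address(peer_ip)
    # ipaddress returns False for an IPv4 address tested against an IPv6 net, so
    # mixed families are safe here.
    return any(addr in net for net in cloudflare_networks())


def nginx_cf_geo_map():
    """geo map keyed on $realip_remote_addr, the unrewritten TCP peer address.

    If the vhost also uses the realip module (set_real_ip_from + CF-Connecting-IP),
    $remote_addr already holds the visitor's IP by the time allow/deny runs, and a
    plain 'allow <cloudflare>; deny all;' would reject every proxied request.
    """
    lines = ["geo $realip_remote_addr $cf_peer {", "    default 0;"]
    lines += [f"    {cidr} 1;" for cidr in CLOUDFLARE_CIDRS]
    lines.append("}")
    return "\n".join(lines)


def nginx_vhost(domain, cert="/etc/ssl/certs/example.pem",
                key="/etc/ssl/private/example.key", root="/var/www/html"):
    """Vhost with the gate in BOTH server blocks (the report describes only :443 being gated)."""
    gate = "    if ($cf_peer = 0) { return 403; }  # same gate on both listeners"
    return "\n".join([
        nginx_cf_geo_map(),
        "",
        "server {",
        "    listen 80;",
        "    listen [::]:80;",
        f"    server_name {domain};",
        gate,
        "    return 301 https://$host$request_uri;",
        "}",
        "",
        "server {",
        "    listen 443 ssl;",
        "    listen [::]:443 ssl;",
        f"    server_name {domain};",
        f"    ssl_certificate {cert};",
        f"    ssl_certificate_key {key};",
        gate,
        f"    root {root};",
        "}",
    ])


def ufw_rules():
    """Host-firewall variant: same list, enforced for 80 and 443 before NGINX sees the packet.

    UFW evaluates rules in order, so a pre-existing broad rule such as
    'ufw allow 80/tcp' or the 'Nginx Full' profile must be deleted first or it
    will match before these. IPv6 entries require IPV6=yes in /etc/default/ufw.
    """
    rules = [f"ufw allow proto tcp from {cidr} to any port 80,443"
             for cidr in CLOUDFLARE_CIDRS]
    rules.append("ufw deny proto tcp from any to any port 80,443")
    return rules


if __name__ == "__main__":
    print(nginx_vhost("yourdomain.com"))
    print()
    print("\n".join(ufw_rules()))
```

With either variant in place, both curl probes from the report (HTTPS and HTTP, direct to the server IP with a spoofed Host header) should return 403, while requests arriving through Cloudflare's proxy still pass. The `geo` map on `$realip_remote_addr` is used instead of `allow`/`deny` because it keeps working whether or not the vhost restores the visitor IP from `CF-Connecting-IP`; the UFW variant is independent of the NGINX template entirely, which is the more robust fix when the vhost templates are generated by a panel.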
