This guide looks at adding a proxied Cloudflare service to a server set up with RunCloud and fail2ban with a WordPress jail conf set up.
Once you start using Cloudflare as a CDN solution for your hosting, you are adding another firewall into the equation, albeit a very good one, but you may want to pass your servers local firewall fail2bans IP blocks over to Cloudflare and keep the two firewalls synchronised. This guide is using a RunCloud/fail2ban set up with Cloudflare as a proxy.
2 problems need to be overcome, the first is the transparency of Cloudflare’s IP addresses and the second is pushing the fail2ban IP bans on your server firewall over to the Cloudflare firewall.
Reveal Visitor True IP Addresses
Cloudflare wraps a visitors IP address in its own address, this can cause issues with the fail2ban IP rules as you may be blocking the wrong addresses, so the real IPs need to be revealed – this is referenced on the Cloudflare site, and has a number of solutions for different web serving apps.
Runcloud uses nginx as a webserver and this extra config for Cloudflare is available in an addon to their default nginx config: wpbeaches.location.main-before.cloudflare-realip.conf
# CloudFlare proxy addresses. set_real_ip_from 184.108.40.206/22; set_real_ip_from 220.127.116.11/22; set_real_ip_from 18.104.22.168/22; set_real_ip_from 22.214.171.124/12; set_real_ip_from 126.96.36.199/18; set_real_ip_from 188.8.131.52/22; set_real_ip_from 184.108.40.206/18; set_real_ip_from 220.127.116.11/15; set_real_ip_from 18.104.22.168/13; set_real_ip_from 22.214.171.124/20; set_real_ip_from 126.96.36.199/20; set_real_ip_from 188.8.131.52/20; set_real_ip_from 184.108.40.206/22; set_real_ip_from 220.127.116.11/17; set_real_ip_from 18.104.22.168/21; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; real_ip_header X-Forwarded-For;
So login to your RunCloud panel and app and select nginx config > Create Config and choose the Cloudflare one from the list
Pushing fail2ban IP rules to Cloudflare
For every fail2ban jail client you set up, as in the one set up for wordpress you can add an action when the fail2ban rule is triggered, there is a whole bunch of actions in /etc/fail2ban/action.d/ directory including a cloudflare.conf one, which synchronises your local firewall to the Cloudflare one.
However the cloudflare.conf one supplied fails to work depending on the version, the one on github is updated and a better source, last updated Jan 2021.
RunClouds fail2ban version is 0.10.2, the conf below is from 0.11.2
You just rename/backup the old cloudflare.conf and add in the new one above best a new file name so it doesn’t get overwritten cloudflare-runcloud.conf
Then add in your Cloudflare username/email and API key at the bottom where indicated on lines 81 & 83.
Then you reference the action in your jail.local file under the WordPress defined jail.
[wordpress] enabled = true filter = wordpress logpath = /home/*/logs/nginx/*_access.log maxretry = 3 port = http,https action = cloudflare-runcloud
service fail2ban restart
Now you will see your Cloudflare firewall updated with your RunClouds fail2ban banned IP addresses and if you unban addresses they will also be sync’ed.
So if you ban an IP address at your server firewall (example below uses our wordpress jail…
fail2ban-client set wordpress banip 22.214.171.124
It will be sync’ed to Cloudflare.
Then remove it from your local server firewall.
fail2ban-client set wordpress unbanip 126.96.36.199
And again it will be sync’ed to Cloudflare.