My first experience with Cloudflare

Flying Kites

I first got exposure to Cloudflare in my current role. It’s used as a reverse proxy to websites mainly to benefit from its security features such as the WAF.

I first came across WAFs in my first SOC role years ago as a fresh grad. We sat in an access-controlled SOC room, locked away from anyone else in the business. There was barely any cross learning. There was a phone at the front that was supposed to be a sort of emergency phone for incidents. It was called “The Bat Phone”, which I cringe about now, and we hoped it would never ring. It rarely did. The few times I remember it did ring, the shift lead would answer, nod his head, say a few yeses and okays and then put the phone down. The conversation that followed each time was something like:

“Who was it?”

“It was the WAF company”

“What did they say?”

“They said something happened and they took some action and there’s no further actions for us to take”

And that was all I heard about the WAF there. Nobody actually knew what it was all about or what those calls meant. Everyone was buried in SOC alerts and just carried on.

When I became a Security Engineer, one of my first tasks was to configure Cloudflare. I was given a spreadsheet and told I needed to “onboard Cloudflare”. Documentation was scarce, but what this really meant was to make Cloudflare a proxy between the internet and our websites. The main purpose of this is to vet traffic through the Cloudflare WAF before it hits our websites, e.g. bots, high volume, malicious requests.

So with zero Cloudflare experience, I did what anyone would do: googled stuff and read Cloudflare documentation. This is what I learnt.

We can set up Cloudflare as a proxy in several ways.

  • Full DNS — This is where Cloudflare becomes your DNS provider and manages all your DNS records.
  • Partial Setup — You use your own DNS provider but use Cloudflare’s DNS to proxy only the domains you choose through Cloudflare.

We had a Partial setup. This is how I explained it to myself:

[Figure: No Cloudflare. When websites were not being proxied through Cloudflare.]

[Figure: With Cloudflare as a reverse proxy. When a website is proxied through Cloudflare with a Partial (CNAME) Setup.]

So effectively, the way to get domains proxying through Cloudflare is to set the DNS records correctly in our DNS and Cloudflare’s DNS. So that’s what I did for about 30–40 domains. It sounds simple but doing so took a long time.

  • I had to have change records in place for auditing and troubleshooting, complete with detailed steps and roll back plans.
  • I had to organise a change window with the correct people, often out of hours, for the changes to be made.
  • I had to conduct testing until stakeholders were satisfied.
  • I had to send out updates to stakeholders.

Any mistakes here would lead to an unreachable site. There were several issues along the way.

  • Mistakes in DNS Records. Literally typos.
  • DNS propagation delays causing panic amongst stakeholders.
  • Cloudflare certificate issues.
  • Not taking into account user locations with split DNS in place.
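
A pre-change check for the record typos listed above, as an added example that is not from the original post: it parses planned CNAME records in zone-file style and flags any whose target is not `<hostname>.cdn.cloudflare.net`, the target form a Cloudflare partial (CNAME) setup uses. The `example.com` records and the function names are constructed for illustration.

```python
import re

CF_SUFFIX = ".cdn.cloudflare.net"  # CNAME target suffix used by Cloudflare partial setups
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one valid hostname label

# Constructed sample: planned CNAME records (example.com is a placeholder domain).
PLANNED = """\
www.example.com.   300 IN CNAME www.example.com.cdn.cloudflare.net.
shop.example.com.  300 IN CNAME shop.example.com.cdn.cloudfare.net.
blog.example.com.  300 IN CNAME bolg.example.com.cdn.cloudflare.net.
api_.example.com.  300 IN CNAME api_.example.com.cdn.cloudflare.net.
www.example.com.   300 IN CNAME www.example.com.cdn.cloudflare.net.
"""

def norm(name):
    """Lowercase a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def valid_hostname(name):
    return len(name) <= 253 and all(LABEL.match(l) for l in name.split("."))

def check_records(text):
    """Return (line_no, hostname, problem) for every bad planned record."""
    problems, seen = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or zone-file comment
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "CNAME":
            problems.append((no, line.strip(), "not a 'name ttl IN CNAME target' record"))
            continue
        host, target = norm(fields[0]), norm(fields[4])
        if not valid_hostname(host):
            problems.append((no, host, "invalid hostname"))
        elif host in seen:
            problems.append((no, host, "duplicate CNAME for this name"))
        elif not target.endswith(CF_SUFFIX):
            problems.append((no, host, "target is not under cdn.cloudflare.net"))
        elif target != host + CF_SUFFIX:
            problems.append((no, host, "target does not match the hostname"))
        seen.add(host)
    return problems

if __name__ == "__main__":
    for no, host, problem in check_records(PLANNED):
        print(f"line {no}: {host}: {problem}")
```

Running it against the change sheet before the change window catches the typo class of failure; it says nothing about propagation, certificates or split DNS, which still need testing after the change.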

I might write another blog going into the specifics of these issues. That’s all for now.