Pantheon Community

CloudFlare for blocking unwanted traffic

I’m looking into putting CloudFlare out in front of a site so we can block unwanted traffic and have an extra layer of protection from DDoS attacks etc etc. I see that Pantheon recommends we use the “DNS only” approach. I did this and then added my own IP address to be blocked with a firewall rule… but I wasn’t blocked.

So then some googling and I found this [Firewall Rules on IP address not working - Security - Cloudflare Community] which tells me I have to implement CloudFlare as a proxy instead of DNS only. So it appears I need to use Option 2 [https://pantheon.io/docs/cloudflare] but I’m wary of the effect this will have on cache invalidation… would I then need to do extra work in Drupal to invalidate CloudFlare CDN cache?

Thanks for the pro tips!

Cross posted to Slack: https://pantheon-community.slack.com/archives/C2GJ3JG7Q/p1618608830071200


Reporting back that I’ve experimented with the Proxy configuration.

  1. I pointed a spare domain name that was already pointed to CloudFlare from our DNS server to a Live environment we have in development.
  2. I followed the Option 2 instructions [https://pantheon.io/docs/cloudflare#option-2-use-cloudflares-cdn-stacked-on-top-of-pantheons-global-cdn]
  3. I tested cache invalidation by conducting common content editing tasks. We have some custom cache tag hooks on this site. Those all work “out of the box.” I didn’t have to do any configuration in CloudFlare for cache nor did I have to do anything special.
  4. I added an IP Access Rule to block my IP address and it worked immediately.

Everything behaved as needed!
