Protecting Pritunl with CloudFlare

Protect the Pritunl web server using CloudFlare

CloudFlare is a reverse proxy service that can protect a web server from attacks. This tutorial will configure CloudFlare to protect a Pritunl server. For a secure configuration a valid SSL certificate should be configured on the Pritunl server, which can be easily done with Let's Encrypt. Once a valid SSL certificate is configured on the Pritunl server, enable Allow Reverse Proxy in the server settings and set the Web Console Port to 443.


After the Pritunl server is configured, enable CloudFlare for the Pritunl DNS entry in the CloudFlare settings.


In the Crypto tab set SSL to Full (strict) if a valid SSL certificate is configured on the Pritunl server, or Full if a self-signed certificate is used.


In the Firewall tab disable Browser Integrity Check under Web Application Firewall settings.


Once configured, CloudFlare will help protect the Pritunl server from attacks. Further restrictions, such as limiting access to CloudFlare's IP ranges, can also be added to improve the security of the server.

CloudFlare IP Ranges

It is important to configure the firewall of the Pritunl server to only allow access to the web console port from CloudFlare's IP ranges. If this is not done an attacker could connect to the IP address of the Pritunl server directly, bypassing all of the protections provided by CloudFlare. The CloudFlare IP ranges can be found here.
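As an added example (not part of the Pritunl documentation), the following Python script validates a list of CloudFlare CIDR ranges, renders iptables/ip6tables rules that accept the web console port only from those ranges and drop everything else, and lets you check which source addresses the policy would admit. The CIDR entries below are a short sample only; the authoritative list must be taken from CloudFlare's published IP ranges before the rules are applied. Only the web console port is restricted, so the VPN port, which clients reach directly, is left to the existing firewall rules.

```python
"""Render a host firewall policy that admits only CloudFlare's ranges to the
Pritunl web console port. Sample CIDRs are illustrative placeholders; replace
them with the full, current list published by CloudFlare."""
import ipaddress

# Sample entries only (assumption for this example), not the complete list.
CLOUDFLARE_V4 = ["173.245.48.0/20", "103.21.244.0/22"]
CLOUDFLARE_V6 = ["2400:cb00::/32"]
WEB_CONSOLE_PORT = 443  # the Web Console Port set in the tutorial


def parse_ranges(cidrs):
    """Parse CIDRs strictly so a typo (host bits set) fails instead of
    silently widening the allowed range."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(source_ip, cidrs):
    """Would a connection to the console port from source_ip pass the policy?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_ranges(cidrs)
               if net.version == addr.version)


def render_rules(v4, v6, port=WEB_CONSOLE_PORT):
    """Emit iptables/ip6tables commands: ACCEPT the console port from each
    listed range, then DROP any other connection to that port. Nothing here
    touches the VPN port, which clients connect to directly."""
    lines = []
    for tool, cidrs in (("iptables", v4), ("ip6tables", v6)):
        for net in parse_ranges(cidrs):
            lines.append(
                f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        lines.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return lines


if __name__ == "__main__":
    print("\n".join(render_rules(CLOUDFLARE_V4, CLOUDFLARE_V6)))
```

Run the script and review the emitted rules before applying them; a source address that is not in the list (a direct connection to the server's IP) is dropped, which is the behaviour the section above calls for.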

Configuration Sync

When configuring load balancing, the clients will not be able to access the hosts directly to sync the configuration. This is fixed by setting the Sync Address in the host settings to the domain name used on CloudFlare.